Machine Name: Object
Difficulty: Hard
OS: Windows
Rating: 5.0/5.0
Summary
Object is a hard, retired Windows machine on HackTheBox. It gives hands-on experience with an Active Directory environment that has the firewall enabled. Initial recon gives access to a Jenkins server, which is used to get the initial foothold on the machine. Further enumeration shows that the machine is a Domain Controller with multiple users. To gain administrative privileges on the machine, we perform lateral movement across the domain users by abusing ForceChangePassword, GenericWrite and WriteOwner rights.
Overall, this machine is recommended for anyone preparing for the OSCP or looking for hands-on experience in an Active Directory environment.
Scanning and Enumerations
After connecting to the HackTheBox server and starting the machine, we get the IP 10.10.11.132 and learn that the operating system is Windows. We start with an nmap scan using the -sV and -sC flags.
The scan results show two open ports, 80 and 8080, both running web services. We can now enumerate these services further.
Port 80 shows a landing page, and from it we find the domain name object.htb.
Port 8080 shows that Jenkins is running.
We add an entry for object.htb to /etc/hosts.
We don’t have any credentials for Jenkins, but the sign-up (Create Account) functionality is enabled.
We create an account to get access.
After logging in with the newly created account, we can work inside Jenkins and verify the version that is running.
Let’s try to abuse some Jenkins functionality to get a foothold on the machine. We can use the following resource to test Jenkins.
Getting Foothold by Abusing Jenkins
We have permission to create a new job on the Jenkins server. We can add “Build Triggers” to our newly created job and make it run a “Windows Batch Script”.
Adding build triggers to the created job.
Adding a Windows batch command to verify whether command execution is possible.
When we try to build the project from the GUI, it won’t build, as the current user doesn’t have permission to build it.
We can try to build it using the API.
First, we create an API token.
Now we run the job using the API.
Here we can verify that our job was built successfully.
The output of the Windows batch command is also shown.
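Both settings that made this foothold possible, open sign-up and Job/Create for every account that signs up, can be read straight from the controller's config.xml. The Python below is an added example (not from the original writeup or from Jenkins itself) that audits a constructed config.xml for them; the element and permission names are the ones Jenkins writes, while the sample values are made up.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a Jenkins controller config.xml showing the two weak settings:
# open self-registration and Job/Create for every signed-up user. Values are made up.
WEAK_CONFIG = """<?xml version='1.0' encoding='UTF-8'?>
<hudson>
  <useSecurity>true</useSecurity>
  <securityRealm class="hudson.security.HudsonPrivateSecurityRealm">
    <disableSignup>false</disableSignup>
    <enableCaptcha>false</enableCaptcha>
  </securityRealm>
  <authorizationStrategy class="hudson.security.GlobalMatrixAuthorizationStrategy">
    <permission>hudson.model.Hudson.Read:authenticated</permission>
    <permission>hudson.model.Item.Create:authenticated</permission>
    <permission>hudson.model.Item.Configure:authenticated</permission>
    <permission>hudson.model.Hudson.Administer:admin</permission>
  </authorizationStrategy>
</hudson>
"""

# Permissions that let an account decide what the controller (or its agents) executes.
RISKY_PERMS = {"hudson.model.Item.Create", "hudson.model.Item.Configure",
               "hudson.model.Item.Build", "hudson.model.Hudson.Administer",
               "hudson.model.Hudson.RunScripts"}
BROAD_SIDS = {"anonymous", "authenticated"}   # everyone / every signed-up user

def audit_jenkins_config(xml_text):
    """Return findings for settings a self-registered visitor could abuse."""
    root = ET.fromstring(xml_text)
    findings = []
    if root.findtext("useSecurity", "false").strip().lower() != "true":
        findings.append("security disabled: every visitor is an administrator")
    realm = root.find("securityRealm")
    if realm is not None and realm.get("class", "").endswith("HudsonPrivateSecurityRealm"):
        if realm.findtext("disableSignup", "false").strip().lower() != "true":
            findings.append("self-registration enabled (disableSignup=false)")
    strategy = root.find("authorizationStrategy")
    for perm in (strategy.iter("permission") if strategy is not None else []):
        entry = perm.text.strip()
        if entry.split(":", 1)[0] in {"USER", "GROUP", "EITHER"}:   # matrix-auth >= 3.0 prefix
            entry = entry.split(":", 1)[1]
        name, _, sid = entry.rpartition(":")
        if sid in BROAD_SIDS and name in RISKY_PERMS:
            findings.append(f"{name} granted to '{sid}'")
    return findings

if __name__ == "__main__":
    for finding in audit_jenkins_config(WEAK_CONFIG):
        print("FINDING:", finding)
```

Setting disableSignup to true and moving Item.Create and Item.Configure off the authenticated pseudo-group makes the audit return an empty list.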
We tried to get a reverse shell using PowerShell but were unsuccessful, as there may be a firewall rule on outbound and inbound connections.
So we continue enumeration through Jenkins. Using the following command, we enumerate the Jenkins server further.
Here we find a user admin_17207690984073220035.
We enumerate more using the following command.
We find a config.xml, which may contain credentials.
Let’s verify the contents of config.xml using the following command.
We can see that we found a password for the user “oliver”, but it is encrypted.
We can then decrypt the secret using jenkins_offline_decrypt:
https://github.com/bstapes/jenkins-decrypt
This reveals Oliver’s password. Let’s log in over WinRM with username Oliver and password c1cdfun_d2434.
Initial Access
Enumerating the machine.
From the above enumeration, we can suspect that we are in a domain environment.
Uploading PowerView.ps1 to perform domain enumeration.
We can now verify that we are part of the forest object.local and that the machine we are logged in to is the Domain Controller.
We can find other users for lateral movement.
Let’s upload SharpHound to get an approach for lateral movement.
Lateral Movement
Analyzing the data in BloodHound, we find that “Oliver” has ForceChangePassword over “Smith”.
Now let’s upload PowerView_dev.ps1 to abuse the misconfiguration.
Now we can use the following command to force-change Smith’s password.
Now we can log into Smith’s account using the new credentials.
Analyzing the BloodHound output further, we find that Smith has GenericWrite over Maria.
Let’s try to abuse it using the following technique.
We tried to get a shell by abusing GenericWrite but were unsuccessful. So we enumerate Maria’s desktop, where we find an Excel file that looks very interesting.
We copy the file into a readable directory.
The document reveals information about a few machines.
The Chamber Username column matches the domain user we are trying to log in as, so one of the Chamber Passwords may have been reused for Maria. Let’s save them to a file and run CrackMapExec to check whether they are valid.
The results show that the credentials Username: maria, Password: W3llcr4ft3d_4cls are valid.
Let’s use WinRM to log in to the system.
We now have access to all the users; let’s escalate our privileges to Domain Admins.
Analyzing in BloodHound, we can see that Maria has WriteOwner over the Domain Admins group.
Let’s abuse it to get Domain Admin privileges.
Using the following command, we abuse this right.
Now we can successfully add Maria to the “Domain Admins” group and own the machine.
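The chain used above (ForceChangePassword, then GenericWrite, then WriteOwner ending in a Domain Admins membership change) leaves a recognisable trail in the Domain Controller's Security log once account-management and Directory Service Changes auditing are enabled. The Python below is an added example, not part of this writeup or of any tool it uses: it reduces constructed 4724/5136/4728 events to actor-to-victim hops and links them into the longest escalation path. The ADMIN_ACCOUNTS and TIER0_GROUPS sets and every event value are assumptions made for the example.

```python
from datetime import datetime

# Constructed Windows Security events (4724 = password reset attempt, 5136 = directory
# object modified, 4728 = member added to a global group). Field names mirror EventData
# fields; all values are made up for this example.
EVENTS = [
    {"time": "2021-11-01T10:02:11", "id": 4624, "subject": "oliver", "target": "oliver"},
    {"time": "2021-11-01T10:05:40", "id": 4724, "subject": "oliver", "target": "smith"},
    {"time": "2021-11-01T10:09:15", "id": 5136, "subject": "smith", "attribute": "scriptPath",
     "object_dn": "CN=maria,CN=Users,DC=object,DC=local"},
    {"time": "2021-11-01T10:20:33", "id": 5136, "subject": "maria", "attribute": "nTSecurityDescriptor",
     "object_dn": "CN=Domain Admins,CN=Users,DC=object,DC=local"},
    {"time": "2021-11-01T10:21:05", "id": 4728, "subject": "maria", "target": "Domain Admins",
     "member": "CN=maria,CN=Users,DC=object,DC=local"},
    {"time": "2021-11-01T11:00:00", "id": 4724, "subject": "administrator", "target": "jenkins_svc"},
]
ADMIN_ACCOUNTS = {"administrator"}   # assumed: accounts expected to manage other principals
TIER0_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}

def cn_of(dn):
    """First RDN value of a DN, e.g. 'maria' from 'CN=maria,CN=Users,...'."""
    return dn.split(",", 1)[0].split("=", 1)[1]

def acl_abuse_hops(events):
    """Reduce events to (actor, victim, event_id) hops, oldest first."""
    hops = []
    for e in sorted(events, key=lambda e: datetime.fromisoformat(e["time"])):
        actor = e["subject"].lower()
        if e["id"] == 4724 and actor not in ADMIN_ACCOUNTS and actor != e["target"].lower():
            hops.append((actor, e["target"].lower(), 4724))        # ForceChangePassword
        elif e["id"] == 5136 and actor not in ADMIN_ACCOUNTS:
            victim = cn_of(e["object_dn"]).lower()
            if victim != actor:                                    # GenericWrite / WriteOwner
                hops.append((actor, victim, 5136))
        elif e["id"] == 4728 and e["target"] in TIER0_GROUPS:
            hops.append((actor, e["target"].lower(), 4728))        # tier-0 group change
    return hops

def longest_chain(hops):
    """Link hops whose actor was an earlier actor or victim; return the longest path."""
    best = []
    for i, start in enumerate(hops):
        chain, compromised = [start], {start[0], start[1]}
        for nxt in hops[i + 1:]:
            if nxt[0] in compromised:
                chain.append(nxt)
                compromised.add(nxt[1])
        best = max(best, chain, key=len)
    return best
```

On the constructed events the result is a four-hop path from oliver through smith and maria to Domain Admins, while the self-logon and the administrator's reset of a service account produce no hops.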