Machine Name: Object
Difficulty: Hard
OS: Windows
Rating: 5.0/5.0
Summary
Object is a hard (retired) Windows machine on HackTheBox. It gives us hands-on experience working in an Active Directory environment with the firewall enabled. Initial recon gives us access to a Jenkins server, which we use to get initial access to the machine. We then find that the machine is a Domain Controller with multiple users. To get administrative privileges on the machine we need to move laterally across domain users by abusing ForceChangePassword, GenericWrite and WriteOwner rights.
Overall, this machine is recommended for anyone preparing for the OSCP or wanting hands-on experience in an Active Directory environment.

Scanning and Enumerations
After connecting to the HackTheBox VPN and starting the machine we get the IP 10.10.11.132, and the operating system is listed as Windows. We start by running an nmap scan with the -sV and -sC flags.


The scan results show two open ports, 80 and 8080, both running web services. We can now enumerate these services further.

Port 80 shows a landing page, where we find the domain name object.htb.

Port 8080 shows that Jenkins is running.
We add an entry for object.htb to /etc/hosts.

We don't have any credentials for Jenkins, but there is a Create Account functionality.
We create an account to get access.
After logging in with the newly created account we can work inside Jenkins and verify the version of Jenkins that is running.

Let's try to abuse some functionality in Jenkins to get a foothold on the machine. We can use the following resource to test Jenkins.
Getting Foothold by Abusing Jenkins
We have permission to create a new job on the Jenkins server. We can try to add a Build Trigger to our newly created job to run a Windows batch script.


Adding a build trigger to the created job.

Adding a Windows batch command to verify whether command execution is possible.
When we try to build the project from the GUI, the project won't build, as the current user doesn't have permission to build it.

We can try to build it using the API.
First we create an API token.

Now we try to run the job using the API.

Here we can verify that our job was built successfully, and the output of the Windows batch command is shown.

We tried to get a reverse shell using PowerShell but were unsuccessful, as there may be firewall rules blocking inbound and outbound connections.
So we continue enumeration through Jenkins, using the following command to enumerate the Jenkins server further.

Here we find a user admin_17207690984073220035.

We enumerate further using the following command.

We find a config.xml which can contain credentials.
Let's view the contents of config.xml using the following command.


We can see that we found a password for the user "oliver", but it is encrypted.

We can then decrypt the secret using jenkins_offline_decrypt:
https://github.com/bstapes/jenkins-decrypt

This reveals oliver's password. Let's log in over WinRM with the following credentials:
Username: oliver Password: c1cdfun_d2434
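As an added example that is not part of the original writeup, the PowerShell audit below reports the Jenkins settings that made this foothold possible (self sign-up enabled and Item.Create granted to every authenticated user) and lists encrypted secrets stored in user config.xml files. The sample global config is constructed for this example, and the users directory path is an assumption.

```powershell
# Added audit example, not from the writeup: reports the Jenkins settings that produced the
# foothold here (self sign-up, Item.Create for every authenticated user) and finds encrypted
# secrets stored in user config.xml files. The sample XML below is constructed for this example.

function Get-JenkinsConfigFindings {
    param([xml]$Config)     # the global $JENKINS_HOME/config.xml, root element <hudson>
    $findings = @()
    $realm = $Config.hudson.securityRealm
    if ($realm.class -eq 'hudson.security.HudsonPrivateSecurityRealm' -and $realm.disableSignup -eq 'false') {
        $findings += 'Self sign-up enabled: anyone who can reach the server can create an account'
    }
    # Matrix entries look like "hudson.model.Item.Create:authenticated"
    foreach ($entry in @($Config.hudson.authorizationStrategy.permission)) {
        $right, $sid = $entry -split ':', 2
        if ($sid -in 'authenticated', 'anonymous' -and $right -ne 'hudson.model.Hudson.Read') {
            $findings += "Permission $right granted to the built-in '$sid' group"
        }
    }
    return $findings
}

function Get-JenkinsStoredSecrets {
    param([string]$UsersDir)   # $JENKINS_HOME/users
    Get-ChildItem -Path $UsersDir -Filter config.xml -Recurse | ForEach-Object {
        $file = $_.FullName
        [xml]$user = Get-Content -Path $file -Raw
        # Encrypted Jenkins secrets are base64 in braces and start with the AQAAABAAAA header.
        foreach ($node in $user.SelectNodes('//password')) {
            if ($node.InnerText -match '^\{AQAAABAAAA') {
                [PSCustomObject]@{ File = $file; Element = $node.ParentNode.Name }
            }
        }
    }
}

# Constructed global config mirroring the box: open sign-up, job creation for all users.
$SampleConfig = [xml]@'
<hudson>
  <securityRealm class="hudson.security.HudsonPrivateSecurityRealm">
    <disableSignup>false</disableSignup>
  </securityRealm>
  <authorizationStrategy class="hudson.security.ProjectMatrixAuthorizationStrategy">
    <permission>hudson.model.Hudson.Read:authenticated</permission>
    <permission>hudson.model.Item.Create:authenticated</permission>
  </authorizationStrategy>
</hudson>
'@
Get-JenkinsConfigFindings -Config $SampleConfig
# Get-JenkinsStoredSecrets -UsersDir 'C:\ProgramData\Jenkins\.jenkins\users'   # assumed path
```

Both findings above are what let a self-registered account create a job on this box and read another user's stored credential; disabling sign-up and removing Item.Create from the authenticated group closes that path.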
Initial Access

Enumerating the machine:

From the above enumeration we can suspect that we are in a domain environment.
We upload PowerView.ps1 to perform domain enumeration.


We can now verify that we are part of the forest object.local and that the machine we are logged into is the Domain Controller.
We can find other users for lateral movement.
Let's upload SharpHound to work out an approach for lateral movement.


Lateral Movement
Analyzing in BloodHound we find that "oliver" has the ForceChangePassword permission on "smith".

Now let's upload PowerView_dev.ps1 to abuse the misconfiguration.
We can use the following command to force-change smith's password.

Now we can log into smith's account using the new credentials.

Further analyzing the output in BloodHound, we find that smith has the GenericWrite permission on maria.
Let's try to abuse it using the following technique.

We tried to get a shell by abusing GenericWrite but were unsuccessful. So we enumerate maria's desktop, where we find an Excel file which looks very interesting.
We copy the file into a readable directory.
The document reveals information about a few machines.

The Chamber Username column matches the domain user we are trying to log in as. There is a possibility that one of the Chamber Passwords has been reused for maria. Let's save them to a file and run CrackMapExec to find out whether any of them are valid.

The results show that the credentials Username: maria Password: W3llcr4ft3d_4cls are valid.
Let's use WinRM to log in to the system.

We have access to all the users now; let's elevate our privileges to Domain Admin.
By analyzing in BloodHound we can see that maria has the WriteOwner permission on the Domain Admins group.

Let's abuse it to get Domain Admin privileges.

Using the following command we abuse the permission.
Now we have successfully added maria to the "Domain Admins" group and own the machine.
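The three edges used in this box (ForceChangePassword, GenericWrite, WriteOwner) are all plain ACEs on the target objects, so a defender can find them without BloodHound. The script below is an added example, not part of the original writeup: it walks users and groups with the RSAT ActiveDirectory module and reports those rights whenever they are granted to a principal outside an assumed list of expected administrative identities.

```powershell
# Added audit script (not from the writeup): flags ACEs granting ForceChangePassword,
# GenericWrite or WriteOwner on users/groups to principals outside the expected admin set.
Import-Module ActiveDirectory   # RSAT module; registers the AD: drive used below

$ForceChangePasswordGuid = [Guid]'00299570-246d-11d0-a768-00aa006e0529'
$AdRights = [System.DirectoryServices.ActiveDirectoryRights]
$Domain   = (Get-ADDomain).NetBIOSName
# Assumed list of principals that legitimately hold broad rights; any other grantee is reviewed.
$Expected = @('NT AUTHORITY\SYSTEM', 'NT AUTHORITY\SELF', 'BUILTIN\Administrators',
              "$Domain\Domain Admins", "$Domain\Enterprise Admins", "$Domain\Domain Controllers")

function Find-RiskyAces {
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)
    $objects = Get-ADObject -SearchBase $SearchBase -LDAPFilter '(|(objectCategory=person)(objectCategory=group))'
    foreach ($obj in $objects) {
        $acl = Get-Acl -Path ("AD:\" + $obj.DistinguishedName)
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            $who = $ace.IdentityReference.Value
            if ($Expected -contains $who) { continue }
            $rights  = $ace.ActiveDirectoryRights
            $reasons = @()
            # Extended right scoped to the reset-password GUID, or to all extended rights
            # (empty ObjectType): the oliver -> smith edge from the writeup.
            if ($rights.HasFlag($AdRights::ExtendedRight) -and
                ($ace.ObjectType -eq $ForceChangePasswordGuid -or $ace.ObjectType -eq [Guid]::Empty)) {
                $reasons += 'ForceChangePassword'
            }
            # GenericWrite (GenericAll includes it) over the whole object: the smith -> maria edge.
            if ($rights.HasFlag($AdRights::GenericWrite) -and $ace.ObjectType -eq [Guid]::Empty) {
                $reasons += 'GenericWrite'
            }
            # WriteOwner lets the grantee take ownership, then rewrite the DACL: maria -> Domain Admins.
            if ($rights.HasFlag($AdRights::WriteOwner)) {
                $reasons += 'WriteOwner'
            }
            if ($reasons.Count -eq 0) { continue }
            [PSCustomObject]@{
                Object    = $obj.Name
                Principal = $who
                Rights    = ($reasons -join ', ')
                Inherited = $ace.IsInherited
            }
        }
    }
}

# Review each finding and remove the ACE (Set-Acl) wherever the grant is not intentional.
Find-RiskyAces | Sort-Object Object, Principal | Format-Table -AutoSize
```

Run against this box's domain it should list oliver on smith (ForceChangePassword), smith on maria (GenericWrite) and maria on Domain Admins (WriteOwner); changes to those ACEs afterwards show up as event 5136 when the Directory Service Changes audit subcategory is enabled.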

