HackTheBox: Object Writeup 

Machine Name: Object 

Difficulty: Hard 

OS: Windows 

Rating: 5.0/5.0 

Summary 

Object is a hard, retired Windows machine on HackTheBox. It gives us hands-on experience working in an Active Directory environment with a firewall enabled. Initial recon gives us access to a Jenkins server, which we use to get initial access to the machine. Further, we find that the machine is a Domain Controller with multiple users. To get administrative privileges on the machine, we need to move laterally across the domain users by abusing the ForceChangePassword, GenericWrite and WriteOwner permissions.

Overall, this machine is recommended for anyone preparing for OSCP or looking for hands-on experience in an Active Directory environment.

Scanning and Enumerations 

After connecting to the HackTheBox server and starting the machine, we get the IP 10.10.11.132 and learn that the machine's operating system is Windows. We start by performing an “nmap” scan with the -sV and -sC flags.

The scan results show us that there are two open ports, 80 and 8080, both running web services. We can now further enumerate the services. 

Port 80 shows us a landing page, where we find the domain name object.htb.

Port 8080 shows us that Jenkins is running.  

We can then add an entry for object.htb to /etc/hosts.

We don’t have any credentials to access Jenkins, but the server offers a Create Account function.

Now we create an account to get access.

After logging in with the newly created account, we can successfully work inside Jenkins and verify the version of running Jenkins. 

Let’s try to abuse some functionality in Jenkins to get a foothold on the machine. We can use the following resource to test Jenkins. 

Getting Foothold by Abusing Jenkins 

We have permission to create a new job on the Jenkins server. We can try to add “Build Triggers” to our newly created job to run a “Windows Batch Script”.

Adding build triggers to the created job. 

Adding a Windows batch command to verify whether command execution is possible.

When we try to build the project from the GUI, the project won’t build, as the current user doesn’t have permission to build it.

We can try to build it using the API.

First, we create an API token. 

Now we try to run the job using the API. 

Here we can verify that our job was built successfully.

Also, the output of the Windows Batch Command is showing. 
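The foothold above depends on two Jenkins settings: open self-registration, and job create/configure rights for any logged-in user. The following audit is an added example, not part of the original writeup; it assumes Jenkins' built-in user database and matrix-based authorization, and the sample config.xml is constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a Jenkins global config.xml (not the target's file).
SAMPLE_CONFIG = """<hudson>
  <authorizationStrategy class="hudson.security.GlobalMatrixAuthorizationStrategy">
    <permission>hudson.model.Hudson.Read:authenticated</permission>
    <permission>hudson.model.Item.Create:authenticated</permission>
    <permission>hudson.model.Item.Configure:authenticated</permission>
    <permission>hudson.model.Hudson.Administer:admin</permission>
  </authorizationStrategy>
  <securityRealm class="hudson.security.HudsonPrivateSecurityRealm">
    <disableSignup>false</disableSignup>
  </securityRealm>
</hudson>"""

# Permissions that let the holder decide what a build step executes.
RISKY = {"hudson.model.Item.Create", "hudson.model.Item.Configure",
         "hudson.model.Hudson.Administer"}
BROAD_SIDS = {"authenticated", "anonymous"}

def parse_permission(text):
    """Split 'permission:sid' or the newer 'USER|GROUP:permission:sid' form."""
    parts = text.strip().split(":")
    if parts[0] in ("USER", "GROUP"):
        parts = parts[1:]
    return parts[0], ":".join(parts[1:])

def audit_jenkins_config(xml_text):
    """Return findings for open signup combined with broad job permissions."""
    root = ET.fromstring(xml_text)
    findings = []
    realm = root.find("securityRealm")
    signup_open = False
    if realm is not None and realm.get("class", "").endswith("HudsonPrivateSecurityRealm"):
        # A missing element is treated as open signup (conservative assumption).
        signup_open = realm.findtext("disableSignup", "false").strip().lower() != "true"
    if signup_open:
        findings.append("self-signup enabled")
    broad = []
    for perm in root.iterfind("authorizationStrategy/permission"):
        name, sid = parse_permission(perm.text or "")
        if name in RISKY and sid in BROAD_SIDS:
            broad.append(f"{name} granted to {sid}")
    findings += broad
    if signup_open and broad:
        findings.append("self-registered accounts can define build steps")
    return findings
```

Run it against `config.xml` in the Jenkins home directory; an empty list means neither condition was found.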

We tried to get a reverse shell using PowerShell but were unsuccessful, as there may be firewall rules on outbound and inbound connections.

So, we continue enumeration using Jenkins. Using the following command, we enumerate more in the Jenkins server. 

Here we find a user admin_17207690984073220035. 

We enumerate more using the following command. 

We find a config.xml which can contain credentials. 

Let’s verify the contents of config.xml using the following command. 

We can see that we found a password for user “oliver”, but it was encrypted. 

We can then decrypt the secret using jenkins_offline_decrypt. 

https://github.com/bstapes/jenkins-decrypt

This reveals the password of Oliver. Let’s log in to WinRM using the following credentials:

Username: Oliver password: c1cdfun_d2434

Initial Access 

Enumerating the machine. 

From the enumeration above, we suspect that we are in a domain environment.

Uploading PowerView.ps1 to perform domain enumerations. 

We can now verify that we are part of the forest object.local and that the machine we are logged in to is the Domain Controller.

We can find other users for lateral movement.  

Let’s upload SharpHound to find a path for lateral movement.

Lateral Movement 

Analyzing the data in BloodHound, we find that “Oliver” has the ForceChangePassword permission on “Smith”.

Now let’s upload PowerView_dev.ps1 to abuse the misconfiguration.

Now we can use the following command to force-change Smith’s password.

Now we can log into Smith’s account using the new credentials. 

Further analyzing the output in BloodHound, we find that Smith has the GenericWrite permission on Maria.

Let’s try to abuse it using the following technique.

We tried to get a shell by abusing GenericWrite but were unsuccessful. So, we enumerate Maria’s desktop, and here we find an Excel file which seems very interesting.

We copy the file into a readable directory.

The document reveals information about a few Machines. 

The Chamber Username column matches the Domain user we are trying to log in as. There is a possibility that one of the Chamber Passwords has been re-used for Maria. Let’s save them to a file and run CrackMapExec to find if they are valid. 

The results show that the credentials Username: maria Password: W3llcr4ft3d_4cls are valid.

Let’s use WinRM to log in to the system.

We have access to all the users now, so let’s elevate our privileges to Domain Admins.

Analyzing the data in BloodHound, we can see that Maria has the WriteOwner permission on the Domain Admins group.

Let’s abuse it to get Domain Admin privileges.

Using the following command, we abuse the functionality.

Now we can successfully add Maria to the “Domain Admins” group and own the machine.
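From the defender's side, the ForceChangePassword and WriteOwner steps above leave traces in the Domain Controller's Security log when account-management and directory-service-change auditing are enabled. The following detection sketch is an added example, not part of the original writeup; the events are constructed, and the admin allow-list is a hypothetical placeholder.

```python
# Constructed events, shaped like fields exported from the DC's Security log.
EVENTS = [
    {"EventID": 4724, "SubjectUserName": "oliver", "TargetUserName": "smith"},
    {"EventID": 4724, "SubjectUserName": "Administrator", "TargetUserName": "maria"},
    {"EventID": 5136, "SubjectUserName": "maria",
     "ObjectDN": "CN=Domain Admins,CN=Users,DC=object,DC=local",
     "AttributeLDAPDisplayName": "nTSecurityDescriptor"},
    {"EventID": 4728, "SubjectUserName": "maria", "TargetUserName": "Domain Admins",
     "MemberName": "CN=maria,CN=Users,DC=object,DC=local"},
]

PRIV_GROUPS = {"domain admins", "enterprise admins", "administrators"}
GROUP_ADD_IDS = {4728, 4732, 4756}  # member added to global / local / universal group
ADMINS = {"administrator"}          # hypothetical allow-list of expected admin actors

def group_from_dn(dn):
    """Return the leading CN of a distinguished name, lower-cased."""
    first = dn.split(",", 1)[0]
    return first[3:].lower() if first.upper().startswith("CN=") else ""

def detect(events, admins=ADMINS):
    """Flag password resets and privileged-group changes by non-admin actors."""
    alerts, sd_changed = [], set()
    for e in events:
        subj = e["SubjectUserName"].lower()
        if subj in admins:
            continue
        eid = e["EventID"]
        if eid == 4724 and subj != e["TargetUserName"].lower():
            # Password reset on another account (ForceChangePassword).
            alerts.append(("password-reset", subj, e["TargetUserName"].lower()))
        elif eid == 5136 and e.get("AttributeLDAPDisplayName") == "nTSecurityDescriptor":
            # Owner/DACL rewrite on a privileged group (WriteOwner).
            grp = group_from_dn(e["ObjectDN"])
            if grp in PRIV_GROUPS:
                sd_changed.add((subj, grp))
                alerts.append(("sd-change", subj, grp))
        elif eid in GROUP_ADD_IDS and e["TargetUserName"].lower() in PRIV_GROUPS:
            grp = e["TargetUserName"].lower()
            rule = "group-add-after-sd-change" if (subj, grp) in sd_changed else "group-add"
            alerts.append((rule, subj, grp))
    return alerts
```

Event 5136 is only written when the group object carries an auditing entry (SACL) for write operations, so the middle rule depends on that being configured.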
