From 5a87b2cb92f84b3c2519fc38eb58bca7a5c56fc0 Mon Sep 17 00:00:00 2001
From: ARZ <60057481+AbdullahRizwan101@users.noreply.github.com>
Date: Sat, 5 Mar 2022 23:58:43 +0500
Subject: [PATCH] Create Object.md
---
HackTheBox/Object.md | 335 +++++++++++++++++++++++++++++++++++++++++++
1 file changed, 335 insertions(+)
create mode 100644 HackTheBox/Object.md
diff --git a/HackTheBox/Object.md b/HackTheBox/Object.md
new file mode 100644
index 0000000..b0798e0
--- /dev/null
+++ b/HackTheBox/Object.md
@@ -0,0 +1,335 @@
+# HackTheBox-Object
+
+## NMAP
+
+```bash
+PORT STATE SERVICE VERSION
+80/tcp open http Microsoft IIS httpd 10.0
+| http-methods:
+| Supported Methods: OPTIONS TRACE GET HEAD POST
+|_ Potentially risky methods: TRACE
+|_http-server-header: Microsoft-IIS/10.0
+|_http-title: Mega Engines
+5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
+|_http-server-header: Microsoft-HTTPAPI/2.0
+|_http-title: Not Found
+8080/tcp open http Jetty 9.4.43.v20210629
+|_http-favicon: Unknown favicon MD5: 23E8C7BD78E8CD826C5A6073B15068B1
+| http-robots.txt: 1 disallowed entry
+|_/
+|_http-server-header: Jetty(9.4.43.v20210629)
+|_http-title: Site doesn't have a title (text/html;charset=utf-8).
+Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
+
+```
+
+## PORT 80 (HTTP)
+
+
+
+On port 80 we can see a domain name `object.htb` so let's add this domain name in `/etc/hosts` file and start fuzzing for files and directories using `gobuster` also it tells about to "login and submit code on the automation server" which is running at port 8080
+
+
+
+Gobuster didn't find anything so next we can enumerate for subdomains
+
+
+
+I kept running `wfuzz` so while it's running we can look at port 8080, on this port we have an instance on jenkins running
+
+
+## PORT 8080 (HTTP)
+
+
+
+I tried the default admin:admin credentials but it didn't work so we can just create an account
+
+
+
+
+
+
+
+We are logged and on bottom right corner we can see the version of jenkins which is `2.317`
+
+Also there wasn't any subdomain which wfuzz found
+
+
+
+So we can make a Freestyle project by going to `New Item`
+
+
+
+After naming the project you'll be presented to Build Triggers, Build Environment, Source code management and etc. Select `Build Triggers `and then select `Build periodically` , it will allow to create a schedule task which you can configure similar to a cron job and this will start building your project, we can configure the job to run after a minute `* * * * *`
+
+https://stackoverflow.com/questions/12472645/how-do-i-schedule-jobs-in-jenkins
+
+
+
+Next under Build, we can see an option for Add Build step in which we can select `Execute Windows Batch command`
+
+
+
+Going back to dashboard we can see a successful build
+
+
+
+
+
+This shows that we are executing commands as `oliver`
+
+So next I tried to see if I can ping my machine from here
+
+
+
+
+
+We can so now let's transfer nc64.exe on this machine
+
+
+
+
+
+But it wasn't able to make a connection to this port
+
+
+
+So I changed the port to 9001 and it still didn't make a connection
+
+
+
+It could be that there's a firewall configure to not allow any outbound traffic, so we can use powershell's cmdlet `Get-NetFirewallRule` to list firewall rules and we need to check for outbound
+
+```bash
+cmd.exe /c powershell.exe -c Get-NetFirewallRule -Action Block -Enabled True -Direction Outbound
+
+```
+
+
+
+So we can't get a reverse shell as the traffic won't go out , next we can do is look where jenkins stores passwords or how it stores them so we can retrieve and decrpyt those, I found a question asked on stackoverflow about this
+
+
+
+https://stackoverflow.com/questions/39340322/how-to-reset-the-user-password-of-jenkins-on-windows
+
+Looking for a decrpytor for passwords I found a github repo which was go script
+
+https://github.com/hoto/jenkins-credentials-decryptor
+
+
+
+And this wants `credentials.xml`, `master.key` and `hudson.util.Secret`
+
+
+
+We still don't see a credentials.xml file , so to transfer these on our machine we need to base64 encode this and then read those files
+
+
+
+Now we can just decode them from base64 and get the original file
+
+
+
+
+
+But still we need to credentials.xml file but couldn't find on the box, so looking into directories there was a folder named `users`
+
+
+
+There's a `config.xml` so let's just grab it and see if it's of any use for us
+
+
+
+
+
+It wasn't what we needed so going into admin's folder might be something what we need
+
+
+
+## Foothold
+
+Now we see another config file, so there's no need to encode it we can just read this as it will be in plain text
+
+
+
+
+
+So this is contains the hashed password that we can crack using the tool we found on github
+
+
+
+Like this we were able to recover the plain text password which is `c1cdfun_d2434`, since winrm is open on the machine we can just use this password for oliver user and get a shell on the machine
+
+
+
+Looking at `C:\Users` we do see other users as well
+
+
+
+We can check for local ports on the machine by running `nestat -aof`
+
+
+
+Port 88 being open on this machine tells us that it's an active directory machine and this is a domain controller as kerberos runs on a DC.
+
+So to enumerate the AD domain we need to somehow transfer `sharphound.exe` on the machine so we can gather information about the domain, thankfully we can upload files through evil-winrm with it's `upload` feature (also to note that I am using evil-winrm v 3.2 as the recent one was using having issues with uploading and downloading files )
+
+
+
+We can get the domain name by running `$env:USERDNSDOMAIN`
+
+
+
+```bash
+SharpHound.exe --domain object.local --CollectionMethod all --domaincontroller 127.0.0.1
+```
+
+
+
+Giving the absolute path to zip archive we can download the file to our machine (remember that downloading only works with absolute path)
+
+
+
+Start bloohound by running neo4j first and then bloodhoud GUI and upload the json files from the zip archive
+
+
+
+Running any of the pre-build query we can see the data is loaded and it returns the result
+
+
+
+We can search for oliver node and mark it as owned so we can look for paths to gain privileges
+
+
+
+## Privilege Escalation (Smith)
+
+Running the query shortest path to domain admin, we can see a path from oliver to smith that we can change smith's password, further `smith` has write options on `maria` user object and maria is a writeowner of domain admin
+
+
+
+I tried to change smith's password with `net user ` but it didn't work
+
+
+
+We could try to use powerview module to do that which is suggested in bloodhound help to abuse `ForceChangePassword`
+
+
+
+
+
+And now to login as smith
+
+
+
+Now to abuse `GenericWrite`, we can make this user account a SPN to get a TGS ticket
+
+
+
+I followed the abuse described in bloodhound
+
+
+
+
+
+This added a SPN to this user account, but when I tried to kerberoast it didn't work
+
+
+
+We still can abuse this by setting up a logon script, this will execute when maria will logon to the machine
+
+https://www.thehacker.recipes/ad/movement/access-controls/logon-script
+
+## Privilege Escalation (Maria)
+
+So using powerview's module we can use
+
+```powershell
+Set-DomainObject -Identity maria -SET @{scriptpath="C:\ProgramData\logonscript.ps1"}
+```
+
+This will execute the powershell script which will list the contents in Desktop folder of maria, I did however tried to change maria's password through `net user maria Password123!` but this didn't work
+
+```powershell
+dir C:\Users\maria\Desktop > C:\ProgramData\dir_result.txt
+```
+
+
+
+
+
+
+
+
+We can see a text has been created which shows that there's an execl file in Desktop folder of maria user
+
+
+
+Now just replace the current command in the ps1 script with this
+
+```powershell
+copy C:\Users\maria\Desktop\Engines.xls C:\ProgramData\
+```
+
+And we'll get the excel file in ProgramData
+
+
+
+Download the file
+
+
+
+On opening the excel document we can see three passwords for maria user
+
+
+
+So I made a list of these three passwords and use `crackmapexec` to brute force password for maria user
+
+
+
+This shows a `Pwn3d!`status meaning that we can get a shell
+
+
+
+Now going back to bloodhound GUI we can see the `WriteOwner` on `Domain Admins ` group
+
+https://book.hacktricks.xyz/windows/active-directory-methodology/acl-persistence-abuse
+
+```powershell
+Set-DomainObjectOwner -Identity "Domain Admins" -OwnerIdentity maria
+```
+
+
+
+So now we have set the object owner of the group domain admins to maria and we now have to grant all permissions on this object
+
+```powershell
+Add-DomainObjectAcl -TargetIdentity "Domain Admins" -PrincipalIdentity maria -Rights All
+```
+
+Now add maria user to this domain admins group
+
+```powershell
+Add-DomainGroupMember -Identity 'Domain Admins' -Members 'maria'
+```
+
+
+
+
+
+We can see that we are a memeber of domains admins group so we can read the root and user flag but you need to login again because the changes will be effected after you login again
+
+
+
+
+
+## References
+- https://stackoverflow.com/questions/12472645/how-do-i-schedule-jobs-in-jenkins
+- http://woshub.com/manage-windows-firewall-powershell/
+- https://stackoverflow.com/questions/39340322/how-to-reset-the-user-password-of-jenkins-on-windows
+- https://github.com/hoto/jenkins-credentials-decryptor
+- https://shellgeek.com/get-domain-name-using-powershell-and-cmd/
+- https://cheatsheet.haax.fr/windows-systems/network-and-domain-recon/domain_mapping/
+- https://www.thehacker.recipes/ad/movement/access-controls/logon-script
+- https://book.hacktricks.xyz/windows/active-directory-methodology/acl-persistence-abuse
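Review bot: the value recovered in the "Foothold" section is called a "hashed password that we can crack", but the tool adopted earlier (hoto/jenkins-credentials-decryptor) and the inputs it asks for (`master.key` and `hudson.util.Secret`) work on secrets Jenkins encrypts with the instance master key, not on password hashes; nothing is cracked here, so reword that sentence to "encrypted password that we can decrypt" and name the file it came from (the `config.xml` in the admin user's folder mentioned just above it). Two smaller gaps in the same file: the firewall check `Get-NetFirewallRule -Action Block -Enabled True -Direction Outbound` only lists explicit Block rules, so on its own it does not support the conclusion "we can't get a reverse shell as the traffic won't go out"; add the profile default, e.g. `Get-NetFirewallProfile | Select-Object Name,DefaultOutboundAction`, so the reader can see why outbound traffic is dropped. And since the screenshots that the empty gaps stand in for are not part of this commit, the gobuster and wfuzz invocations, the nc64.exe transfer, the base64 encode/decode of `master.key` and `hudson.util.Secret`, the evil-winrm `upload`/`download` calls, the PowerView `Set-DomainUserPassword` step used to abuse ForceChangePassword, and the crackmapexec brute force all exist only as pictures; paste each command into a fenced block in the same style as the `SharpHound.exe` and `Set-DomainObject` blocks so the walkthrough is reproducible as text. Typos to fix while here: `decrpyt` and `decrpytor` (decrypt, decryptor), `nestat -aof` (netstat -aof), `bloohound` and `bloodhoud` (BloodHound), `execl` (excel), `memeber` (member), `pre-build query` (pre-built query), and "the changes will be effected after you login again" should read "the change takes effect only after you log in again".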