# HackTheBox-Object
## NMAP
```bash
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
| Supported Methods: OPTIONS TRACE GET HEAD POST
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Mega Engines
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
8080/tcp open http Jetty 9.4.43.v20210629
|_http-favicon: Unknown favicon MD5: 23E8C7BD78E8CD826C5A6073B15068B1
| http-robots.txt: 1 disallowed entry
|_/
|_http-server-header: Jetty(9.4.43.v20210629)
|_http-title: Site doesn't have a title (text/html;charset=utf-8).
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
```
## PORT 80 (HTTP)
On port 80 we can see the domain name `object.htb`, so let's add it to the `/etc/hosts` file and start fuzzing for files and directories with `gobuster`. The page also tells us to "login and submit code on the automation server", which is running on port 8080.
Gobuster didn't find anything, so next we can enumerate subdomains.
I kept `wfuzz` running for that, and while it runs we can look at port 8080, where an instance of Jenkins is running.
## PORT 8080 (HTTP)
I tried the default admin:admin credentials, but they didn't work, so we can just create an account.
We are logged in, and in the bottom right corner we can see the Jenkins version, which is `2.317`.
Also, wfuzz didn't find any subdomains.
So we can make a Freestyle project by going to `New Item`.
After naming the project you'll be presented with Build Triggers, Build Environment, Source Code Management, etc. Select `Build Triggers` and then `Build periodically`; this lets you create a scheduled task configured like a cron job, which will start building your project. We can configure the job to run every minute with `* * * * *`.
https://stackoverflow.com/questions/12472645/how-do-i-schedule-jobs-in-jenkins
Next, under Build, we can see an option `Add build step`, in which we can select `Execute Windows Batch command`.
Going back to the dashboard we can see a successful build.
This shows that we are executing commands as `oliver`
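The foothold above rests on two Jenkins settings, both of which are visible in the server's global `config.xml`: the built-in user database allows self-registration, and the authorization strategy lets any logged-in user create and run jobs. The following audit script is an added example, not part of the writeup or of Jenkins; it runs against constructed config fragments that use the element and class names Jenkins itself writes for these settings.

```python
import xml.etree.ElementTree as ET

# Constructed Jenkins global config.xml fragments (not taken from the box); the
# element and class names are the ones Jenkins itself writes for these settings.
VULNERABLE_CONFIG = """<hudson>
  <useSecurity>true</useSecurity>
  <authorizationStrategy class="hudson.security.FullControlOnceLoggedInAuthorizationStrategy"/>
  <securityRealm class="hudson.security.HudsonPrivateSecurityRealm">
    <disableSignup>false</disableSignup>
  </securityRealm>
</hudson>"""

HARDENED_CONFIG = """<hudson>
  <useSecurity>true</useSecurity>
  <authorizationStrategy class="hudson.security.ProjectMatrixAuthorizationStrategy">
    <permission>hudson.model.Hudson.Administer:admin</permission>
  </authorizationStrategy>
  <securityRealm class="hudson.security.HudsonPrivateSecurityRealm">
    <disableSignup>true</disableSignup>
  </securityRealm>
</hudson>"""

OPEN_STRATEGIES = {
    "hudson.security.AuthorizationStrategy$Unsecured": "no authorization at all",
    "hudson.security.FullControlOnceLoggedInAuthorizationStrategy":
        "any logged-in user can create and run jobs",
}

def audit_jenkins_config(xml_text):
    """Return findings that let a self-registered user reach command execution."""
    root = ET.fromstring(xml_text)
    findings = []
    if root.findtext("useSecurity", "false").strip().lower() != "true":
        findings.append("security is disabled (useSecurity != true)")
    realm = root.find("securityRealm")
    # Only the built-in user database has a sign-up switch; LDAP/AD realms do not.
    if realm is not None and realm.get("class", "").endswith("HudsonPrivateSecurityRealm"):
        if realm.findtext("disableSignup", "false").strip().lower() != "true":
            findings.append("self-registration is enabled (disableSignup = false)")
    strategy = root.find("authorizationStrategy")
    if strategy is not None and strategy.get("class") in OPEN_STRATEGIES:
        findings.append(OPEN_STRATEGIES[strategy.get("class")])
    return findings

if __name__ == "__main__":
    for name, cfg in (("vulnerable", VULNERABLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_jenkins_config(cfg) or ["no findings"])
```

Point the function at the `config.xml` in a real `JENKINS_HOME` to check a server; job-level permissions in the matrix strategy still need a manual review.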
So next I tried to see if I could ping my machine from here.
We can, so now let's transfer nc64.exe to this machine.
But it wasn't able to make a connection to this port.
So I changed the port to 9001 and it still didn't connect.
It could be that there's a firewall configured to block outbound traffic, so we can use the PowerShell cmdlet `Get-NetFirewallRule` to list the firewall rules, checking the outbound ones.
```bash
cmd.exe /c powershell.exe -c Get-NetFirewallRule -Action Block -Enabled True -Direction Outbound
```
So we can't get a reverse shell, as the traffic won't go out. The next thing we can do is look at where Jenkins stores passwords and how it stores them, so we can retrieve and decrypt those. I found a question on Stack Overflow about this
https://stackoverflow.com/questions/39340322/how-to-reset-the-user-password-of-jenkins-on-windows
Looking for a decryptor for the passwords, I found a GitHub repo with a Go script
https://github.com/hoto/jenkins-credentials-decryptor
It wants `credentials.xml`, `master.key` and `hudson.util.Secret`.
We still don't see a credentials.xml file. To transfer these to our machine we need to base64 encode them and then read the encoded output.
Now we can just decode them from base64 and get the original files.
But we still need the credentials.xml file, which we couldn't find on the box. Looking into the directories, there was a folder named `users`.
There's a `config.xml`, so let's just grab it and see if it's of any use to us.
It wasn't what we needed, so the admin's folder might have something we need.
## Foothold
Now we see another config file. There's no need to encode this one; we can just read it, as it is plain text.
This contains the encrypted password, which we can decrypt using the tool we found on GitHub.
Like this we were able to recover the plain-text password, which is `c1cdfun_d2434`. Since WinRM is open on the machine, we can just use this password for the oliver user and get a shell.
Looking at `C:\Users` we see other users as well.
We can check for local ports on the machine by running `netstat -aof`.
Port 88 being open tells us that this is an Active Directory machine and a domain controller, as Kerberos runs on a DC.
So to enumerate the AD domain we need to transfer `SharpHound.exe` to the machine to gather information about the domain. Thankfully we can upload files through evil-winrm with its `upload` feature (note that I am using evil-winrm v3.2, as the most recent one was having issues with uploading and downloading files).
We can get the domain name by running `$env:USERDNSDOMAIN`.
```bash
SharpHound.exe --domain object.local --CollectionMethod all --domaincontroller 127.0.0.1
```
Giving the absolute path to the zip archive, we can download the file to our machine (remember that downloading only works with an absolute path).
Start BloodHound by running neo4j first and then the BloodHound GUI, and upload the JSON files from the zip archive.
Running any of the pre-built queries we can see that the data is loaded and it returns results.
We can search for the oliver node and mark it as owned, so we can look for paths to gain privileges.
## Privilege Escalation (Smith)
Running the query for the shortest path to Domain Admins, we can see a path from oliver to smith: oliver can change smith's password. Further, `smith` has write rights on the `maria` user object, and maria is WriteOwner of Domain Admins.
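The path BloodHound returned is a graph problem: control rights are directed edges, and a defender wants to know which edges to remove so the chain no longer exists. The following is an added example, not part of the writeup or of BloodHound: a BFS over a constructed edge list that reproduces the oliver to smith to maria to Domain Admins chain and lists the single ACEs whose removal cuts it.

```python
from collections import deque

# Constructed ACL edge list (not SharpHound output) mirroring the chain the
# writeup found: oliver -> smith -> maria -> Domain Admins, plus harmless edges.
EDGES = [
    ("oliver", "ForceChangePassword", "smith"),
    ("smith", "GenericWrite", "maria"),
    ("maria", "WriteOwner", "Domain Admins"),
    ("oliver", "MemberOf", "Domain Users"),
    ("smith", "MemberOf", "Domain Users"),
    ("maria", "MemberOf", "Domain Users"),
]

def shortest_path(edges, start, target):
    """BFS over (source, right, destination) edges; returns the edge list or None."""
    graph = {}
    for src, right, dst in edges:
        graph.setdefault(src, []).append((right, dst))
    parent = {start: None}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if node == target:
            break
        for right, nxt in graph.get(node, []):
            if nxt not in parent:
                parent[nxt] = (node, right)
                queue.append(nxt)
    if target not in parent:
        return None
    path, node = [], target
    while parent[node] is not None:
        prev, right = parent[node]
        path.append((prev, right, node))
        node = prev
    return path[::-1]

def edges_to_remediate(edges, owned, target):
    """Edges whose removal alone leaves no path from the owned principal to the target.
    These are the ACEs a defender fixes first (reset the owner, strip the right)."""
    return [e for e in edges
            if shortest_path([x for x in edges if x != e], owned, target) is None]

if __name__ == "__main__":
    for hop in shortest_path(EDGES, "oliver", "Domain Admins") or []:
        print("%s --%s--> %s" % hop)
    print("single-edge fixes:", edges_to_remediate(EDGES, "oliver", "Domain Admins"))
```

With a real export, feed the tuples from the collected ACL data; an edge that is not a single cut point means an alternate path exists and needs its own review.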
I tried to change smith's password with `net user`, but it didn't work.
We could use the PowerView module to do that, which is what the BloodHound help suggests for abusing `ForceChangePassword`.
And now log in as smith.
Now, to abuse `GenericWrite`, we can set an SPN on this user account to get a TGS ticket.
I followed the abuse described in BloodHound.
This added an SPN to the user account, but when I tried to kerberoast it, it didn't work.
We can still abuse this by setting a logon script, which will execute when maria logs on to the machine.
https://www.thehacker.recipes/ad/movement/access-controls/logon-script
## Privilege Escalation (Maria)
So using PowerView's module we can run
```powershell
Set-DomainObject -Identity maria -SET @{scriptpath="C:\ProgramData\logonscript.ps1"}
```
This will execute the PowerShell script, which lists the contents of maria's Desktop folder. I did also try to change maria's password with `net user maria Password123!`, but this didn't work.
```powershell
dir C:\Users\maria\Desktop > C:\ProgramData\dir_result.txt
```
We can see a text file has been created, which shows that there's an Excel file in maria's Desktop folder.
Now just replace the current command in the ps1 script with this
```powershell
copy C:\Users\maria\Desktop\Engines.xls C:\ProgramData\
```
And we'll get the Excel file in ProgramData.
Download the file.
On opening the Excel document we can see three passwords for the maria user.
So I made a list of these three passwords and used `crackmapexec` to brute-force maria's password.
This shows a `Pwn3d!` status, meaning that we can get a shell.
Now going back to the BloodHound GUI we can see `WriteOwner` on the `Domain Admins` group.
https://book.hacktricks.xyz/windows/active-directory-methodology/acl-persistence-abuse
```powershell
Set-DomainObjectOwner -Identity "Domain Admins" -OwnerIdentity maria
```
So now we have set the owner of the Domain Admins group object to maria, and next we have to grant all permissions on this object.
```powershell
Add-DomainObjectAcl -TargetIdentity "Domain Admins" -PrincipalIdentity maria -Rights All
```
Now add the maria user to the Domain Admins group
```powershell
Add-DomainGroupMember -Identity 'Domain Admins' -Members 'maria'
```
We can see that we are a member of the Domain Admins group, so we can read the root and user flags. You need to log in again, though, because the group change takes effect only on a new logon.
## References
- https://stackoverflow.com/questions/12472645/how-do-i-schedule-jobs-in-jenkins
- http://woshub.com/manage-windows-firewall-powershell/
- https://stackoverflow.com/questions/39340322/how-to-reset-the-user-password-of-jenkins-on-windows
- https://github.com/hoto/jenkins-credentials-decryptor
- https://shellgeek.com/get-domain-name-using-powershell-and-cmd/
- https://cheatsheet.haax.fr/windows-systems/network-and-domain-recon/domain_mapping/
- https://www.thehacker.recipes/ad/movement/access-controls/logon-script
- https://book.hacktricks.xyz/windows/active-directory-methodology/acl-persistence-abuse