80/tcp   open  http    Microsoft IIS httpd 10.0
| http-methods: 
|   Supported Methods: OPTIONS TRACE GET HEAD POST
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Mega Engines
5985/tcp open  http    Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
8080/tcp open  http    Jetty 9.4.43.v20210629
|_http-favicon: Unknown favicon MD5: 23E8C7BD78E8CD826C5A6073B15068B1
| http-robots.txt: 1 disallowed entry 
|_http-server-header: Jetty(9.4.43.v20210629)
|_http-title: Site doesn't have a title (text/html;charset=utf-8).
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows


On port 80 the page references the domain name object.htb, so let's add it to the /etc/hosts file and start fuzzing for files and directories with gobuster. The page also tells us to "login and submit code on the automation server", which is running on port 8080.

Gobuster didn't find anything, so next we can enumerate subdomains.

I kept wfuzz running, and while it runs we can look at port 8080, where an instance of Jenkins is running.

PORT 8080 (HTTP)

I tried the default admin:admin credentials but they didn't work, so we can just create an account.

We are logged in, and in the bottom right corner we can see the Jenkins version, which is 2.317.

wfuzz didn't find any subdomains either.

So we can create a Freestyle project by going to New Item.

After naming the project you'll be presented with Build Triggers, Build Environment, Source Code Management, etc. Select Build Triggers and then Build periodically; this lets you create a scheduled task, configured like a cron job, that will start building the project. We can configure the job to run every minute with the schedule * * * * *


Next, under Build, there is an Add build step option in which we can select Execute Windows batch command.

Going back to the dashboard we can see a successful build.

This shows that we are executing commands as oliver.
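The chain above (self-registration on the Jenkins login page, a Freestyle job with a Build periodically trigger, and an Execute Windows batch command step) is what a Jenkins administrator should be able to spot in the on-disk configuration. The following is an added example, not code from the write-up or from the Jenkins project: it parses a constructed copy of the global config.xml and two constructed jobs/<name>/config.xml files and reports whether the built-in user database allows sign-up and which jobs combine an every-minute timer with a command build step. The element names (securityRealm/disableSignup, hudson.triggers.TimerTrigger, hudson.tasks.BatchFile, hudson.tasks.Shell) follow Jenkins' XML serialisation; the sample values are made up.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a Jenkins global config.xml. Element names follow the
# HudsonPrivateSecurityRealm serialisation; the values are made up for this example.
GLOBAL_CONFIG = """<hudson>
  <useSecurity>true</useSecurity>
  <securityRealm class="hudson.security.HudsonPrivateSecurityRealm">
    <disableSignup>false</disableSignup>
    <enableCaptcha>false</enableCaptcha>
  </securityRealm>
</hudson>"""

# Constructed samples of jobs/<name>/config.xml for two Freestyle projects.
JOB_CONFIGS = {
    "nightly-docs": """<project>
  <triggers>
    <hudson.triggers.SCMTrigger><spec>H 2 * * *</spec></hudson.triggers.SCMTrigger>
  </triggers>
  <builders>
    <hudson.tasks.Ant><targets>docs</targets></hudson.tasks.Ant>
  </builders>
</project>""",
    "test-project": """<project>
  <triggers>
    <hudson.triggers.TimerTrigger><spec>* * * * *</spec></hudson.triggers.TimerTrigger>
  </triggers>
  <builders>
    <hudson.tasks.BatchFile><command>whoami &amp; hostname</command></hudson.tasks.BatchFile>
  </builders>
</project>""",
}

# Build-step classes that run arbitrary commands on the node executing the job.
COMMAND_STEPS = {
    "hudson.tasks.BatchFile": "Execute Windows batch command",
    "hudson.tasks.Shell": "Execute shell",
}


def signup_enabled(config_xml: str) -> bool:
    """True when Jenkins' own user database allows anyone to self-register."""
    root = ET.fromstring(config_xml)
    realm = root.find("securityRealm")
    if realm is None or realm.get("class") != "hudson.security.HudsonPrivateSecurityRealm":
        return False
    flag = realm.findtext("disableSignup", default="true")
    return flag.strip().lower() == "false"


def runs_every_minute(spec: str) -> bool:
    """A cron-style spec whose minute field is '*' fires every minute of its window."""
    fields = spec.split()
    return len(fields) == 5 and fields[0] == "*"


def audit_job(config_xml: str) -> list:
    """Return (kind, detail) findings for one job config.xml."""
    root = ET.fromstring(config_xml)
    findings = []
    for trig in root.findall("./triggers/hudson.triggers.TimerTrigger"):
        spec = (trig.findtext("spec") or "").strip()
        if runs_every_minute(spec):
            findings.append(("timer_trigger", spec))
    for step in root.findall("./builders/*"):
        if step.tag in COMMAND_STEPS:
            cmd = (step.findtext("command") or "").strip()
            findings.append(("command_step", f"{COMMAND_STEPS[step.tag]}: {cmd}"))
    return findings


def audit_jobs(configs: dict) -> dict:
    """Map job name -> findings, keeping only jobs that have at least one."""
    result = {}
    for name, xml in configs.items():
        findings = audit_job(xml)
        if findings:
            result[name] = findings
    return result


if __name__ == "__main__":
    print("self-registration enabled:", signup_enabled(GLOBAL_CONFIG))
    for job, findings in audit_jobs(JOB_CONFIGS).items():
        for kind, detail in findings:
            print(f"[{job}] {kind}: {detail}")
```

On a real controller the same functions would be pointed at $JENKINS_HOME/config.xml and $JENKINS_HOME/jobs/*/config.xml; a job that was created by a freshly registered account and carries a command step is the case worth reviewing first.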

So next I tried to see if I could ping my machine from here.

We can, so now let's transfer nc64.exe to this machine.

But it wasn't able to make a connection back to this port.

So I changed the port to 9001, and it still didn't make a connection.

It could be that a firewall is configured to block outbound traffic, so we can use PowerShell's Get-NetFirewallRule cmdlet to list the firewall rules and check the outbound ones.

cmd.exe /c powershell.exe -c Get-NetFirewallRule -Action Block -Enabled True -Direction Outbound

So we can't get a reverse shell as the traffic won't go out. The next thing we can do is look at where Jenkins stores passwords and how it stores them, so we can retrieve and decrypt those; I found a question about this on Stack Overflow.


Looking for a decryptor for these passwords, I found a GitHub repo containing a Go script.


It needs credentials.xml, master.key and hudson.util.Secret.

We still don't see a credentials.xml file. To transfer the other two files to our machine we base64-encode them and then read out the encoded content.

Now we can decode them from base64 to get the original files.

We still need the credentials.xml file but couldn't find it on the box, so looking through the directories there was a folder named users.

There's a config.xml, so let's grab it and see if it's of any use to us.

It wasn't what we needed, so the admin's folder might have something we need.


Now we see another config file; there's no need to encode it, we can just read it as it is plain text.

This contains the hashed password, which we can crack using the tool we found on GitHub.

Like this we were able to recover the plaintext password, which is c1cdfun_d2434. Since WinRM is open on the machine, we can use this password for the oliver user and get a shell.

Looking at C:\Users we see other users as well.

We can check for listening ports on the machine by running netstat -aof.

Port 88 being open tells us that this is an Active Directory machine and a domain controller, as Kerberos runs on a DC.

To enumerate the AD domain we need to transfer SharpHound.exe to the machine so we can gather information about the domain. Thankfully we can upload files through evil-winrm with its upload feature (note that I am using evil-winrm v3.2, as the most recent version was having issues with uploading and downloading files).

We can get the domain name by running $env:USERDNSDOMAIN.

SharpHound.exe --domain object.local --CollectionMethod all --domaincontroller

Giving the absolute path to the zip archive we can download the file to our machine (remember that downloading only works with an absolute path).

Start BloodHound by running neo4j first and then the BloodHound GUI, and upload the JSON files from the zip archive.

Running any of the pre-built queries we can see that the data is loaded and results are returned.

We can search for the oliver node and mark it as owned so we can look for paths to gain privileges.

Privilege Escalation (Smith)

Running the query Shortest Paths to Domain Admins, we can see a path from oliver to smith: oliver can change smith's password, smith has write permissions on the maria user object, and maria is WriteOwner of the Domain Admins group.

I tried to change smith's password with net user, but it didn't work.

We can use the PowerView module to do that, as suggested in the BloodHound help for abusing ForceChangePassword.

And now we log in as smith.

Now to abuse GenericWrite, we can add an SPN to this user account so that a TGS ticket can be requested for it.

I followed the abuse described in BloodHound.

This added an SPN to the user account, but when I tried to kerberoast it, it didn't work.

We can still abuse this by setting a logon script, which will execute when maria logs on to the machine.


Privilege Escalation (Maria)

So using PowerView's module we can use

Set-DomainObject -Identity maria -SET @{scriptpath="C:\ProgramData\logonscript.ps1"}

This will execute the PowerShell script, which lists the contents of maria's Desktop folder. I did try to change maria's password with net user maria Password123!, but this didn't work.

dir C:\Users\maria\Desktop > C:\ProgramData\dir_result.txt

We can see a text file has been created, showing that there's an Excel file in maria's Desktop folder.

Now just replace the current command in the ps1 script with this

copy C:\Users\maria\Desktop\Engines.xls C:\ProgramData\

And we get the Excel file in ProgramData.
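The scriptPath attribute written with Set-DomainObject above is exactly the kind of value a domain owner can audit: legitimate logon scripts are relative names resolved against the domain's NETLOGON share, so an absolute local path such as C:\ProgramData\logonscript.ps1 stands out. The following is an added example, not code from the write-up or from PowerView: it takes a constructed export of user objects (the shape you would get from Get-ADUser -Properties scriptPath) and flags scriptPath values that are local absolute paths, contain directory traversal, or point at a UNC share outside the domain's NETLOGON/SYSVOL. The domain name object.local is taken from the write-up; the accounts and paths in the sample are made up.

```python
import re

# Domain name taken from the write-up; everything else below is constructed sample data.
DOMAIN = "object.local"

# UNC prefixes under which domain logon scripts legitimately live (compared case-insensitively).
ALLOWED_PREFIXES = (
    f"\\\\{DOMAIN}\\netlogon\\",
    f"\\\\{DOMAIN}\\sysvol\\{DOMAIN}\\scripts\\",
)

# Constructed export of user objects, e.g. from Get-ADUser -Filter * -Properties scriptPath.
USERS = [
    {"sAMAccountName": "oliver", "scriptPath": ""},
    {"sAMAccountName": "smith", "scriptPath": "logon.bat"},
    {"sAMAccountName": "maria", "scriptPath": "C:\\ProgramData\\logonscript.ps1"},
    {"sAMAccountName": "svc_backup", "scriptPath": "\\\\object.local\\netlogon\\backup.cmd"},
    {"sAMAccountName": "dev1", "scriptPath": "\\\\fileserver01\\tools\\setup.bat"},
    {"sAMAccountName": "dev2", "scriptPath": "..\\..\\Windows\\Temp\\x.bat"},
]


def classify_script_path(path):
    """Return a reason string when a scriptPath looks tampered with, else None.

    A relative name (logon.bat) is the normal form: the client resolves it against
    the domain NETLOGON share, which only administrators should be able to write to.
    """
    p = (path or "").strip()
    if not p:
        return None  # no logon script configured
    low = p.lower()
    if re.match(r"^[a-z]:[\\/]", low):
        return "local absolute path (scriptPath should be relative to NETLOGON)"
    if ".." in low.replace("/", "\\").split("\\"):
        return "directory traversal in scriptPath"
    if low.startswith("\\\\"):
        if any(low.startswith(prefix.lower()) for prefix in ALLOWED_PREFIXES):
            return None
        return "UNC path outside the domain NETLOGON/SYSVOL share"
    return None


def audit_logon_scripts(users):
    """Map sAMAccountName -> reason for every user whose scriptPath is suspicious."""
    findings = {}
    for user in users:
        reason = classify_script_path(user.get("scriptPath"))
        if reason:
            findings[user["sAMAccountName"]] = reason
    return findings


if __name__ == "__main__":
    for account, reason in audit_logon_scripts(USERS).items():
        print(f"{account}: {reason}")
```

Running this periodically (or on every 4738 "user account changed" event that carries a Script Path value) catches the logon-script trick regardless of which attribute write permission was abused to set it.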

Download the file

On opening the Excel document we can see three passwords for the maria user.

So I made a list of these three passwords and used crackmapexec to brute-force the password for the maria user.

This shows a Pwn3d! status, meaning that we can get a shell.

Now going back to the BloodHound GUI we can see the WriteOwner on the Domain Admins group.


Set-DomainObjectOwner -Identity "Domain Admins" -OwnerIdentity maria

Now we have set the object owner of the Domain Admins group to maria, and next we grant all permissions on this object.

Add-DomainObjectAcl -TargetIdentity "Domain Admins" -PrincipalIdentity maria -Rights All

Now add the maria user to the Domain Admins group

Add-DomainGroupMember -Identity 'Domain Admins' -Members 'maria'

We can see that we are a member of the Domain Admins group, so we can read the user and root flags, but you need to log in again because the changes only take effect after a new logon.
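Every step of the escalation chain in this write-up (the forced password reset on smith, the scriptPath change on maria, the owner and ACL change on Domain Admins, and the group membership add) leaves a Windows security event on the domain controller when directory service object auditing and account management auditing are enabled. The following is an added example, not code from the write-up or from any product: it runs a small rule set over constructed event records whose field names follow the EventData names of events 4724, 4738, 5136 and 4728, and reports which ones correspond to the chain. The account names, DNs and the list of accounts allowed to make such changes are assumptions for the sample.

```python
# Constructed security-event records. Field names follow the EventData names of the
# real Windows events; values are made up to mirror the chain in the write-up.
EVENTS = [
    {"EventID": 4624, "SubjectUserName": "oliver", "TargetUserName": "oliver"},
    # 4724: an attempt was made to reset an account's password (ForceChangePassword)
    {"EventID": 4724, "SubjectUserName": "oliver", "TargetUserName": "smith"},
    # 4738: user account changed; ScriptPath is "-" when the attribute did not change
    {"EventID": 4738, "SubjectUserName": "smith", "TargetUserName": "maria",
     "ScriptPath": "C:\\ProgramData\\logonscript.ps1"},
    # 5136: directory service object modified (owner/ACL changes land on nTSecurityDescriptor)
    {"EventID": 5136, "SubjectUserName": "maria",
     "ObjectDN": "CN=Domain Admins,CN=Users,DC=object,DC=local",
     "AttributeLDAPDisplayName": "nTSecurityDescriptor"},
    # 4728: member added to a security-enabled global group
    {"EventID": 4728, "SubjectUserName": "maria", "TargetUserName": "Domain Admins",
     "MemberName": "CN=maria,CN=Users,DC=object,DC=local"},
    # benign: a helpdesk account adding a developer to a non-privileged group
    {"EventID": 4728, "SubjectUserName": "helpdesk", "TargetUserName": "Developers",
     "MemberName": "CN=dev3,CN=Users,DC=object,DC=local"},
]

PROTECTED_GROUPS = {"domain admins", "enterprise admins", "schema admins", "administrators"}
# Accounts expected to make privileged changes; assumption for the sample.
TRUSTED_ADMINS = {"administrator"}


def rdn_name(dn: str) -> str:
    """'CN=Domain Admins,CN=Users,DC=object,DC=local' -> 'Domain Admins'."""
    first = dn.split(",", 1)[0]
    return first.split("=", 1)[1] if "=" in first else first


def evaluate(event: dict):
    """Return (severity, event_id, message) when the event matches a rule, else None."""
    eid = event.get("EventID")
    actor = event.get("SubjectUserName", "")
    target = event.get("TargetUserName", "")
    if actor.lower() in TRUSTED_ADMINS:
        return None
    if eid == 4724:
        return ("medium", eid, f"{actor} reset the password of {target}")
    if eid == 4738:
        script = event.get("ScriptPath", "-")
        if script and script != "-":
            return ("high", eid, f"{actor} set scriptPath of {target} to {script}")
        return None
    if eid == 5136 and event.get("AttributeLDAPDisplayName", "").lower() == "ntsecuritydescriptor":
        obj = rdn_name(event.get("ObjectDN", ""))
        if obj.lower() in PROTECTED_GROUPS:
            return ("critical", eid, f"{actor} modified the security descriptor of {obj}")
        return None
    if eid in (4728, 4756) and target.lower() in PROTECTED_GROUPS:
        member = rdn_name(event.get("MemberName", ""))
        return ("critical", eid, f"{actor} added {member} to {target}")
    return None


def detect(events) -> list:
    """Run every event through the rules and keep the alerts, in event order."""
    return [alert for alert in map(evaluate, events) if alert is not None]


if __name__ == "__main__":
    for severity, eid, message in detect(EVENTS):
        print(f"[{severity}] {eid}: {message}")
```

The 5136 rule depends on a SACL on the group object that audits Write DACL and Write Owner; without it the ownership and ACL changes produce no event, and the 4728 membership add becomes the only signal for the last step.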
