HTB - Object Writeup

Liam Geyer

👾 Machine Overview

This is a writeup of the machine Object from HTB , it’s a hard difficulty Windows machine which featured RCE on a Jenkins server, and a fairly straightforward AD attack chain.

🔍 Enumeration

An initial nmap scan of the host gave the following results:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-06-04 09:51 EDT
Nmap scan report for 10.129.96.147
Host is up (0.036s latency).
Not shown: 998 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-title: Mega Engines
8080/tcp open http Jetty 9.4.43.v20210629
|_http-server-header: Jetty(9.4.43.v20210629)
| http-robots.txt: 1 disallowed entry
|_/
|_http-title: Site doesn't have a title (text/html;charset=utf-8).
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 24.94 seconds

👔 Jenkins

Checking out the website on port 80, there’s not much.

Mega Engines Homepage

We’re directed to the automation server on port 8080, running Jenkins.

Jenkins Login

The default credentials didn’t work, but there’s a fun little create an account button, I made a user with bogus information/

Jenkins Registration

I used the new account to login, and went to checkout the script console, but wasn’t able to.

jenkins Script Console

We do have access to create a new project, so I created a Freestyle Project to run commands on the host.

Creating a Project

In the build options, I configured the project to execute a windows batch command with a PowerShell reverse shell.

Project Options

In Build Triggers, I set the schedule * * * * * to have the project run every minute. Unfortunately, I wasn’t able to get the reverse shell to call out, likely due to firewall rules.

I got pretty stuck here for a bit, so I decided to checkout the filesystem and see if there was anything I could grab, and looked into Jenkins secrets.

To get credentials out of Jenkins there’s 3 files that need to be dumped:

  1. master.key
  2. hudson.util.secret - This one needs to be encoded
  3. config.xml

I was able to use powershell to find and cat out master.key and config.xml to the Jenkins console pretty easily, but hudon.util.secret had nothing but garbled output. I base64 encoded it to preserve the entire file.

1
powershell -c [convert]::ToBase64String((cat ..\..\secrets\hudson.util.Secret -Encoding byte))

After exfiltrating all 3 files to my host, I used this script to decrypt the jenkins secret.

Decrypting Jenkins Secrets

That got me creds for the oliver user, which I was able to use to WinRM in and grab the flag.

Shell as Oliver

🥇 Root

First I checked out oliver‘s groups and permissions.

Privileges and Groups

No super interesting groups or anything, and I wasn’t able to find anything that stuck out to me by running WinPEAS. I decided to run SharpHound and see if it found anything good.

BloodHound

Looks like we have a pretty straightforward path from Oliver to DA, we need to change Smith’s password, and then exploit the GenericWrite permission over Maria.

First I used PowerView to change Smith’s password.

Changing Smith's Password

Then I created a new credential object as Smith.

Authenticating as Smith

I tried changing maria’s password with the same technique, but it didn’t work. Instead, I tried a targeted kerberoasting attack on Maria.

I used PowerView to set an SPN for Maria.

Setting an SPN for Maria

Then I kerberoasted Maria’s account.

Kerberoasting Maria

Then I threw that output into hashcat.

Cracking Maria

It wasn’t able to crack. So I pivoted strategies, researching exploiting GenericAll, another thing we can try is to overrite the LogonScript attribute. Using this we can drop a payload that will execute whenever Maria logs on.

First I tried setting the logon script to a beacon, which didn’t work.

Changing Maria's logonscript

Next, I tried setting it to a script that output the content’s of Maria’s user folder to a file, which worked.

Changing Maria's logonscript

From there, I was able to drop a new script to exfiltrate Engines.xls which was on Maria’s desktop.

Engines.xls

This had several passwords in it, which I sprayed against Maria using CME.

Password Spray

Finally I was able to use Maria’s WriteOwner over the Domain Admins group to add a new user to the group.

1
2
3
4
5
6
7
8
9
10
11
12
# Import PowerView

# Make maria the owner of DA
Set-DomainObjectOwner -Identity "Domain Admins" -OwnerIdentity maria

# Give her the ability to write members
Add-DomainObjectAcl -TargetIdentity "Domain Admins" -Rights "WriteMembers" -PrincipalIdentity maria

# Add maria to DA
Add-DomainGroupMember -Identity 'Domain Admins' -Members maria

# Logout and back in

And voila, Maria is a DA.

Whoami as Admin

Then I grabbed the flag and called it a day.

Root flag

📖 Resources

🔗 Hyperlink ℹ️ Info
CybersecNotes Targeted Kerberoasting
HackTricks Cloud Jenkins Post Exploitation
HackTricks Exploiting GenericAll
  • Title: HTB - Object Writeup
  • Author: Liam Geyer
  • Created at : 2024-07-26 00:00:00
  • Updated at : 2024-10-10 09:01:47
  • Link: https://lfgberg.org/2024/07/26/htb/object/
  • License: This work is licensed under CC BY-NC-SA 4.0.