OSCP PREPARATIONS – HTB Object

Object is a retired Hack The Box machine running Windows; the goal is to obtain the user and root flags by exploiting its vulnerabilities.
We start with an nmap scan to get to know the target machine.
Classic Scan

Full Port Scan

As a result of the port scan we found the following open ports: 80 (HTTP, Microsoft IIS), 8080 (HTTP, Jetty), 5985, 53 (DNS) and 123 (NTP).
I start enumeration on port 80.

I didn't see anything valuable in the page source in developer mode.
Enumerating through the web interface:

The page links out to object.htb:8080 (we can see it in line 150 of the source code).
I add this domain to /etc/hosts and move on.

Here I came across Jenkins, an open source automation server used alongside tools like GitHub and GitLab. I searched for a vulnerability in this version and found none, and there was no default password, so as a last resort I created a user account and logged in (there is a register user button).

I enumerate the application and, on the People page, I see the admin and the user we created.

I continue enumerating.
We click on the Create a job tab and then choose Freestyle project.

In the build environment section we add a post-build action.

Then we choose Execute Windows batch command.

I type the whoami command so that it will run.

I didn't get any feedback after saving it, and I couldn't find a way to run it.

Let's recreate it with a schedule; if it is scheduled, maybe it will run our command.

We save and continue. Here it warns us that with this schedule it will always run (we found the * schedule by trial and error).

I see #1 in the Build History section; I click on it and open the Console Output section, where I can see the output of the command.

Here we tried to download nc to the machine and get a reverse shell, but the machine could not make the request. It can ping out but cannot pull files, so we suspected a firewall rule.
I check the firewall rules with PowerShell:
cmd.exe /c powershell.exe -c Get-NetFirewallRule -Action Block -Enabled True -Direction Outbound

We run it from here.

Here we see the block rules in the output.
Now we search Google to see if there is any valuable information to be found here.
We look for where Jenkins stores its users and passwords.
https://stackoverflow.com/questions/39340322/how-to-reset-the-user-password-of-jenkins-on-windows
Then we find the important files.

Here we see the files, and then I read the contents of admin_17207690984073220035\config.xml.

In the file:
oliver {AQAAABAAAAAQqU+m+mC6ZnLa0+yaanj2eBSbTk+h4P5omjKdwV17vcA=}
We have identified this credential information.
But let's try to decrypt it the way Jenkins does.
We searched Google and found the
https://github.com/hoto/jenkins-credentials-decryptor
tool.
We download it.

Then I pull all the files the tool needs to my local machine.

Here I got the master.key and hudson.util.Secret files.
Then I ran the Jenkins decryptor tool and recovered the credential information.
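Added example (not from the writeup and not code from the decryptor tool linked above): a small Python parser for the envelope of the value quoted from config.xml. It only unpacks the header and checks it is consistent with AES-CBC, which is what explains why master.key and hudson.util.Secret are needed to recover the plaintext; it does not decrypt anything. The layout (version byte, two big-endian lengths, IV, ciphertext) is Jenkins' PAYLOAD_V1 format.

```python
import base64
import struct

# Jenkins hudson.util.Secret v1 envelope: "{" + base64(payload) + "}" where
#   payload = 0x01 | 4-byte IV length | 4-byte ciphertext length | IV | ciphertext
# The ciphertext is AES-128-CBC under a key held in hudson.util.Secret, which is
# itself encrypted with master.key; config.xml alone therefore reveals nothing.
AES_BLOCK = 16


def parse_jenkins_secret(value: str) -> dict:
    """Unpack and sanity-check a Jenkins secret envelope without decrypting it."""
    if not (value.startswith("{") and value.endswith("}")):
        raise ValueError("not a v1 Jenkins secret (expected {base64})")
    payload = base64.b64decode(value[1:-1], validate=True)
    if len(payload) < 9:
        raise ValueError("payload too short for version/length header")
    version, iv_len, ct_len = struct.unpack(">BII", payload[:9])
    if version != 1:
        raise ValueError(f"unsupported payload version {version}")
    if len(payload) != 9 + iv_len + ct_len:
        raise ValueError("length header does not match payload size")
    if iv_len != AES_BLOCK or ct_len % AES_BLOCK:
        raise ValueError("IV/ciphertext length inconsistent with AES-CBC")
    iv = payload[9:9 + iv_len]
    return {
        "version": version,
        "iv": iv.hex(),
        "ciphertext_len": ct_len,
        # PKCS#5 padding: the plaintext is at most one byte shorter than the ciphertext
        "max_plaintext_len": ct_len - 1,
    }


# The value quoted from the page's config.xml (oliver's stored password blob)
PAGE_SECRET = "{AQAAABAAAAAQqU+m+mC6ZnLa0+yaanj2eBSbTk+h4P5omjKdwV17vcA=}"

if __name__ == "__main__":
    print(parse_jenkins_secret(PAGE_SECRET))
```

Note that the header leaks the ciphertext length and so an upper bound on the password length, which is one reason a config.xml backup should be handled as sensitive even without the key files.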

oliver / c1cdfun_d2434
I use this credential to connect with evil-winrm.

We've got a shell as Oliver.

Here we have obtained our user flag.
Now I do local enumeration to get the root flag.

I continue enumeration with limited privileges.

Here I see that the user is in the Domain Users group.
I look at the listening ports to see whether a domain controller is running on this box; port 88 is listening, so there is definitely a domain here.

We gather information about the domain with the BloodHound tool.
I upload SharpHound.exe to the target machine and run it.

We download the zip file.

Then I examine it in BloodHound.

I mark user Oliver as owned, open Node Info, and under First Degree Object Control I see ForceChangePassword over user smith.

We understand that we can change user Smith's password. Let's look at the Help section here.

Let's look at the Windows abuse section.

There are two ways to perform this: with net.exe or with the PowerView tool.
With PowerView you can use the Set-DomainUserPassword function.
(We avoid the net command because it is a separate executable that analysts can more easily intercept.)

We assembled and ran the commands given in the Help section.
We changed user Smith's password to Password123!
Let's connect with evil-winrm using this credential.

We got a shell as user Smith, which is restricted; now I go back to BloodHound and mark user Smith as owned.

BloodHound shows that Smith has GenericWrite over the Maria user.
GenericWrite gives the ability to write to any unprotected property of the target object, including members for a group and servicePrincipalName for a user.
Let's look at the Help section.

This added an SPN to the user account, but when I tried to Kerberoast it, it didn't work.

Let's enumerate as this user to see what information we can get about Maria.
First we use the Set-DomainObject function from PowerView.

Here we came across engines.xls; let's pull this file and edit the logon script.

We opened the Engines.xls file.

Here we see the user's password; three different passwords are listed.
We identify the password "W3llcr4ft3d_4cls".

We got a shell as user Maria.
We go back to BloodHound, select user maria and enumerate again.

Administrator has WriteOwner privileges. This lets us change the ownership of the Domain Admins group to any user, which in turn lets us change the ACLs of that group. Let's try setting the owner of the Domain Admins group to maria.

First we set the owner of the Domain Admins group object to maria; next we need to grant all permissions on this object.
Set-DomainObjectOwner -Identity 'Domain Admins' -OwnerIdentity 'maria'

We then add an ACL to get full control over this group:
Add-DomainObjectAcl -TargetIdentity "Domain Admins" -PrincipalIdentity maria -Rights All

Having full control over the group, we can add ourselves as a member of Domain Admins:
net group "Domain Admins" maria /add /domain

We can see that Maria is now a member of the Domain Admins group. To get effective access to the Administrator files, we exit the WinRM session and log in again.

This way we were able to list the files, access the Administrator directory and get the root flag.
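Added defender-side example (not from the writeup): the chain above, password reset via ForceChangePassword, attribute writes via GenericWrite, WriteOwner/WriteDacl on Domain Admins and the final group membership change, leaves a distinctive trail in the domain controller's Security log. This Python sketch applies simple rules to constructed sample events (the DNs and the helpdesk event are made up; the Event IDs and access-mask bits are the real Windows values).

```python
from collections import defaultdict

# Rights bits from the 4662 "Accesses" mask (ADS_RIGHT_WRITE_DAC / WRITE_OWNER)
WRITE_DAC, WRITE_OWNER = 0x40000, 0x80000
# Attributes whose write by another principal is a classic GenericWrite abuse
WATCHED_ATTRS = {"scriptPath", "servicePrincipalName"}
PRIVILEGED_GROUPS = {"Domain Admins"}

# Constructed sample events (not real log data): one dict per Security-log
# record, reduced to the fields the rules use. DNs are placeholders.
SAMPLE_EVENTS = [
    {"id": 4724, "subject": "smith", "target": "smith"},        # own reset, benign
    {"id": 4724, "subject": "oliver", "target": "smith"},       # reset of another account
    {"id": 5136, "subject": "smith", "object": "CN=maria,CN=Users,DC=example,DC=local",
     "attr": "scriptPath"},
    {"id": 5136, "subject": "smith", "object": "CN=maria,CN=Users,DC=example,DC=local",
     "attr": "servicePrincipalName"},
    {"id": 5136, "subject": "helpdesk", "object": "CN=maria,CN=Users,DC=example,DC=local",
     "attr": "telephoneNumber"},                                 # routine change, ignored
    {"id": 4662, "subject": "maria", "object": "CN=Domain Admins,CN=Users,DC=example,DC=local",
     "access_mask": WRITE_OWNER},
    {"id": 4662, "subject": "maria", "object": "CN=Domain Admins,CN=Users,DC=example,DC=local",
     "access_mask": WRITE_DAC},
    {"id": 4728, "subject": "maria", "member": "maria", "group": "Domain Admins"},
]


def classify(ev: dict):
    """Return an alert string for a suspicious event, or None for anything else."""
    eid = ev["id"]
    if eid == 4724 and ev["subject"].lower() != ev["target"].lower():
        return f"{ev['subject']} reset the password of {ev['target']} (ForceChangePassword)"
    if eid == 5136 and ev["attr"] in WATCHED_ATTRS:
        return f"{ev['subject']} wrote {ev['attr']} on {ev['object']} (GenericWrite)"
    if eid == 4662 and ev["access_mask"] & (WRITE_DAC | WRITE_OWNER):
        if any(f"CN={g}," in ev["object"] for g in PRIVILEGED_GROUPS):
            right = "WriteOwner" if ev["access_mask"] & WRITE_OWNER else "WriteDacl"
            return f"{ev['subject']} used {right} on {ev['object']}"
    if eid == 4728 and ev["group"] in PRIVILEGED_GROUPS:
        return f"{ev['subject']} added {ev['member']} to {ev['group']}"
    return None


def detect(events):
    """Alerts in log order, plus a per-subject list of Event IDs showing the escalation path."""
    alerts, chain = [], defaultdict(list)
    for ev in events:
        if msg := classify(ev):
            alerts.append((ev["id"], msg))
            chain[ev["subject"]].append(ev["id"])
    return alerts, dict(chain)
```

Call detect(SAMPLE_EVENTS) to see the six alerts and the oliver/smith/maria chain; 5136 and 4662 only appear if Directory Service Changes / Directory Service Access auditing and a SACL on the group object are configured.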