In this post, I would like to share a walkthrough of the Object Machine from Hack the Box


This room will be considered as a Hard machine on Hack The box

What will you gain from the Object machine?


For the user flag, you will create a new account on Jenkins application and get some information using the Build Trigger on Jenkins. We also required to use Jenkins Decryptor to retrieve a password to oliver’s privileges access


As for the root flag, you need to abuse the group permission of Domain Admins to be given to maria account

Information Gathering on Object Machine


Once we have started the VPN connection which requires download from Hackthebox, we can start information gathering on the machine by executing the command nmap -sC -sV -p- <IP Address> -PN


From the Nmap output, we can only see port 80 and port 8080 is open


Let’s access the website interface using port 80


However, it’s just a simple website interface and i cannot see any loophole on the website.


Let’s execute the gobuster to enumerate another directory.


Sadly, we only have index.html have been stored on the website directory.


Let’s curl the website in case there’s any interesting HTTP header that we can take advantage of. I didn’t find any information that we can use to escalate further.


There is also nothing inside the source code of the website.


Let’s change our target on the website especially using a different port that we found earlier.

Jenkins access and enumeration


The website interface shows a Jenkins Web Interface when we access the machine using port 8080


Sadly, we don’t any Jenkins credentials that we can use to access Jenkins Dashboard. Therefore, we should try to login using a normal credential such as admin:admin


As a result, we got an error saying “Invalid username or password


I notice that there’s a link to “Create an account” and let’s create a new account


As usual, let’s fill up the information above and we can login automatically to the Dashboard.


As expected, we can access the Dashboard. There’s a link to “the top page” on the main page and let’s click the link to see what’s stored there.


The page has redirected to a page that looks something like the above. Therefore, let’s try to create a job and work from there.

Creating a project file


Let’s create one new Folder name and then press the OK


Nothing much to look into at the moment


Let’s see who is the user for the dashboard but unfortunately, we only have two users as shown above.


We might need to create a Freestyle project

To be frankly honest, I have no knowledge of Jenkins Interface so let’s do some research on the internet.

Research on Jenkins application and exploitation available


I also include some resources for those who want to study more on Jenkins or Exploit:

  1. How to implement a remote Jenkins build trigger with a URL – Coffee Talk: Java, News, Stories and Opinions (theserverside.com)
  2. Exploiting Jenkins build authorization | by Asi Greenholts | Cider Security | Feb, 2022 | Medium
  3. A Case Study on Jenkins RCE. Based on past experience, I‘ll walk… | by Adam Jordan | Medium

From my understanding, we can schedule a task to execute every minute. We should tick the Build periodically and enter ***** inside the Schedule box


On the bottom, there’s a button such as “Add Build Step” and click Execute shell


As I know, this machine is running a Windows Operating System which I need to run cmd /c whoami to check who I access it as

Troubleshooting the issues on Object Machine


However, i got an error saying that it was the wrong command


I got frustrated for some reason with not getting the command running.


I have been stuck on this problem for a few hours. I’m an idiot for not realizing it soon when i use execute shell rather than execute Windows Batch Command


We should enter the same command as previously.


Finally, it works after a few hours of troubleshooting


From the console output, I notice that there’s a user called Oliver.

Firewall Protection bypass


We can check if the machine has been security system protection


Nothing returns to us at all


When I check the build history, we got an error message which is normally not a good sign at all.


From my understanding of the error message, there’s some protection has been implemented on the machine.


Let’s see if the protection is also affected the outbound connection too.


Sadly, it’s also affected by the rules.

Gaining Privileges Access on Object Machine

PowerShell enumeration


Let’s check what kind of directory and files are stored in the machine by running the command above.


There’s a user directory that might come in handy for the escalation process.


There’s a directory that contains admin in the name that resides inside the users’ directory.


A file as config.xml has been saved inside the admin directory which for me it’s quite odd.


There are some passwords and hashes been written inside the config.xml


I also notice there’s a secrets directory when i was looking at the main directory


Sadly, we got an error which is not sure about the issues. After looking at the message carefully, I notice that I have made a huge mistake here. I should use the cd command, but I accidentally typed the type of command


At last, it finally works as it should.


However, we cannot read at all for the hudson.util.secret file which it’s a disappointment.


Let’s try to encode the unreadable message into base64 style.


At last, we can copy the base64 code and paste it into a new file in our attacker’s machine.


Another file that we need to decrypt the Jenkins credentials.


A group of screenshots above shows how to install Jenkins-credentials-decryptor


Let’s follow the step that has been provided to us.


Nice! The tool is running as it should run, and the command below will be used for the decryption process.

./jenkins-credentials-decryptor -m master.key -s hudson.util.secrets -c config.xml

Let’s access the machine via evil-winrm tool and use the command above.


You can read the user flag by executing the command “type user.txt

Escalate to Root Privileges Access on Object Machine


Normally, we use powerview.ps1 tool to enumerate on the windows machine.


We can upload the powerview.ps1 on c:\programdata directory


There are a few other users besides Oliver such as maria and smith.


Both Smith and maria’s permission is denied to access.


The Upload is successfully stored in the window’s machine.


For us to use the Powerview.ps1 in the machine, we need to use the command “Import-Module .\PowerView.ps1


The command that will be used from now is like another machine such as

  1. Search Machine
  2. Acute Machine

The command above is to change or reset the password for the smith account.

Logged using smith account


We should be able to access the smith account using the password that we change previously.

We also need to upload the powerview.ps1 and import the module similar to before.

After roaming on the machine, i found out that there was an excel file called Engines.xls. As a result, let’s copy the file into smith programdata


Therefore, let’s download the file into our attacker’s machine.


Luckily for us! We have a few passwords that we can use for maria’s access.


Let’s access the machine as maria via evil-winrm

Access via maria privileges access on Object Machine


We managed to access using maria privileges access with the password W3llcr4ft3d_4cls


As usual, we need to upload the PowerView.ps1 and import the module into the machine


The command above will show on how to escalate the maria account access to join Domain Admins privileges access.


However, the effect will not come on the spot because the Domain Admins groups still have not added maria to the group


Perhaps… We need to exit the current evil-winrm session so that it process will take place.


And let’s access again as maria with the password that we obtained previously


Voila! Maria’s account has been added to the Domain Admins group.


Let’s access on the administrator’s desktop!


There’s a root flag on the Desktop directory


We can read the root flag by executing the command “type root.txt