In this post, I would like to share a walkthrough of the Object machine from Hack The Box.
This room is rated as a Hard machine on Hack The Box.
What will you gain from the Object machine?
For the user flag, you will create a new account on the Jenkins application and gather information by using a Build Trigger in Jenkins. We are also required to use the Jenkins credentials decryptor to retrieve the password for oliver's account.
As for the root flag, you need to abuse the permissions on the Domain Admins group so that the maria account gets added to it.
Information Gathering on Object Machine
Once we have started the VPN connection (the configuration file is downloaded from Hack The Box), we can start information gathering on the machine by executing the command nmap -sC -sV -p- <IP Address> -PN
From the Nmap output, we can see that only port 80 and port 8080 are open.
Let’s access the website interface using port 80
However, it's just a simple website interface, and I cannot see any loophole on the website.
Let's run gobuster to enumerate other directories.
Sadly, only index.html is stored in the website directory.
Let's curl the website in case there's any interesting HTTP header that we can take advantage of. I didn't find any information that we can use to escalate further.
There is also nothing inside the source code of the website.
Let's change our target to the other port on the website that we found earlier.
Jenkins access and enumeration
The website interface shows a Jenkins Web Interface when we access the machine using port 8080
Sadly, we don't have any Jenkins credentials that we can use to access the Jenkins Dashboard. Therefore, we should try to log in using default credentials such as admin:admin.
As a result, we got an error saying "Invalid username or password".
I notice that there's a link to "Create an account", so let's create a new account.
As usual, let's fill in the information above, and we are logged in to the Dashboard automatically.
As expected, we can access the Dashboard. There's a link to "the top page" on the main page, so let's click the link to see what's stored there.
It redirects to a page that looks something like the above. Therefore, let's try to create a job and work from there.
Creating a project file
Let's create a new Folder, give it a name, and then press OK.
Nothing much to look into at the moment.
Let's see which users exist on the dashboard; unfortunately, we only have two users, as shown above.
We might need to create a Freestyle project.
Research on Jenkins application and exploitation available
I also include some resources for those who want to study Jenkins or the exploit further:
- How to implement a remote Jenkins build trigger with a URL – Coffee Talk: Java, News, Stories and Opinions (theserverside.com)
- Exploiting Jenkins build authorization | by Asi Greenholts | Cider Security | Feb, 2022 | Medium
- A Case Study on Jenkins RCE. Based on past experience, I‘ll walk… | by Adam Jordan | Medium
From my understanding, we can schedule a task to execute every minute. We should tick "Build periodically" and enter * * * * * inside the Schedule box.
At the bottom, there's an "Add Build Step" button; click it and choose Execute shell.
As far as I know, this machine is running a Windows operating system, so I need to run cmd /c whoami to check which user I am running as.
Troubleshooting the issues on Object Machine
However, I got an error saying that it was the wrong command.
I got frustrated for some reason with not getting the command running.
I was stuck on this problem for a few hours. I'm an idiot for not realizing sooner that I had used Execute shell rather than Execute Windows batch command.
We should enter the same command as previously.
Finally, it works after a few hours of troubleshooting.
From the console output, I notice that there's a user called oliver.
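The job configured above (a timer trigger firing every minute plus an "Execute Windows batch command" step) is exactly what a Jenkins administrator should be hunting for in $JENKINS_HOME/jobs/*/config.xml. The following audit script is an added example, not code from the original post or from Jenkins; the config.xml sample is constructed to match the job described here.

```python
import xml.etree.ElementTree as ET

# Build steps that run arbitrary commands on the controller or agent.
COMMAND_BUILDERS = {"hudson.tasks.BatchFile", "hudson.tasks.Shell"}

# Constructed sample of a freestyle job config.xml, shaped like the job in the
# walkthrough: "Build periodically" every minute plus a Windows batch step.
SAMPLE_JOB_CONFIG = """<?xml version='1.0' encoding='UTF-8'?>
<project>
  <description></description>
  <disabled>false</disabled>
  <triggers>
    <hudson.triggers.TimerTrigger>
      <spec>* * * * *</spec>
    </hudson.triggers.TimerTrigger>
  </triggers>
  <builders>
    <hudson.tasks.BatchFile>
      <command>cmd /c whoami</command>
    </hudson.tasks.BatchFile>
  </builders>
</project>
"""


def cron_runs_every_minute(spec: str) -> bool:
    """True if a Jenkins cron spec fires every minute (minute field is '*')."""
    fields = spec.split()
    return len(fields) == 5 and fields[0] == "*"


def audit_job_config(xml_text: str) -> list:
    """Return human-readable findings for one job config.xml."""
    root = ET.fromstring(xml_text)
    findings = []
    # Timer triggers that fire every minute are a common beachhead pattern.
    for trig in root.iter("hudson.triggers.TimerTrigger"):
        spec = (trig.findtext("spec") or "").strip()
        if cron_runs_every_minute(spec):
            findings.append(f"timer trigger fires every minute: {spec!r}")
    # Any shell/batch build step deserves review when created by a new user.
    builders = root.find("builders")
    for builder in (list(builders) if builders is not None else []):
        if builder.tag in COMMAND_BUILDERS:
            cmd = (builder.findtext("command") or "").strip()
            findings.append(f"{builder.tag} runs: {cmd!r}")
    return findings


if __name__ == "__main__":
    for finding in audit_job_config(SAMPLE_JOB_CONFIG):
        print(finding)
```

Run it over every jobs/*/config.xml and pair the findings with the job's creator; a self-registered account owning such a job is the case this box demonstrates, and disabling signup in the security realm removes the entry point.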
Firewall Protection bypass
We can check whether the machine has any security protection in place.
Nothing is returned to us at all.
When I check the build history, there is an error message, which is normally not a good sign at all.
From my understanding of the error message, some protection has been implemented on the machine.
Let's see whether the protection also affects outbound connections.
Sadly, outbound connections are also affected by the rules.
Gaining Privileges Access on Object Machine
Let's check what kind of directories and files are stored on the machine by running the command above.
There's a users directory that might come in handy for the escalation process.
Inside the users directory there's a directory with admin in its name.
A file named config.xml has been saved inside the admin directory, which seems quite odd to me.
There are some passwords and hashes written inside the config.xml.
I also noticed a secrets directory when I was looking at the main directory.
Sadly, we got an error, and at first I was not sure what the issue was. After looking at the message carefully, I noticed that I had made a huge mistake here: I should have used the cd command, but I accidentally typed the type command.
At last, it finally works as it should.
However, the hudson.util.Secret file is not readable at all, which is a disappointment.
Let's try to encode the unreadable file contents as base64.
At last, we can copy the base64 text and paste it into a new file on our attacker machine.
We also need another file in order to decrypt the Jenkins credentials.
The group of screenshots above shows how to install jenkins-credentials-decryptor.
Let's follow the steps that have been provided to us.
Nice! The tool runs as it should, and the command below will be used for the decryption process.
./jenkins-credentials-decryptor -m master.key -s hudson.util.secrets -c config.xml
Let's access the machine via the evil-winrm tool using the command above.
You can read the user flag by executing the command "type user.txt".
Escalate to Root Privileges Access on Object Machine
Normally, we use the PowerView.ps1 tool to enumerate a Windows machine.
We can upload PowerView.ps1 to the c:\programdata directory.
There are a few other users besides oliver, such as maria and smith.
Access to both smith's and maria's directories is denied.
The upload is successfully stored on the Windows machine.
For us to use PowerView.ps1 on the machine, we need to run the command "Import-Module .\PowerView.ps1".
The commands that will be used from now on are the same as on other machines, such as the following.
The command above changes or resets the password for the smith account.
Logged in using the smith account
We should be able to access the smith account using the password that we changed previously.
After roaming around the machine, I found an Excel file called Engines.xls. As a result, let's copy the file into programdata as smith.
Therefore, let's download the file to our attacker machine.
Luckily for us, it contains a few passwords that we can try for maria's access.
Let's access the machine as maria via evil-winrm.
Access via maria's privileges on Object Machine
We managed to gain access as maria with the password W3llcr4ft3d_4cls.
As usual, we need to upload PowerView.ps1 and import the module on the machine.
The command above shows how to escalate the maria account by adding it to the Domain Admins group.
However, the effect does not take place on the spot, because the current session does not yet reflect maria's membership in the Domain Admins group.
Perhaps we need to exit the current evil-winrm session so that the change takes effect.
Let's log in again as maria with the password that we obtained previously.
Voila! maria's account has been added to the Domain Admins group.
Let's access the administrator's desktop!
There's a root flag in the Desktop directory.
We can read the root flag by executing the command "type root.txt".
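Both privilege-escalation steps on this box (resetting smith's password, then adding maria to Domain Admins) leave Windows Security events on the domain controller: 4724 for a password reset and 4728/4732/4756 for a member added to a security-enabled group. The detection below is an added example, not part of the original post; the JSON event lines and the EXPECTED_ADMINS allowlist are constructed and would come from your SIEM and your own admin inventory.

```python
import json

# Groups whose membership changes always warrant an alert.
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}
# Accounts expected to reset passwords (assumption: your real admin inventory).
EXPECTED_ADMINS = {"Administrator"}

GROUP_ADD_EVENTS = {4728, 4732, 4756}   # global, local, universal group adds
PASSWORD_RESET_EVENT = 4724             # "An attempt was made to reset an account's password"

# Constructed sample events, flattened from the Windows Security log EventData.
# The domain DN below is a placeholder, not the box's real domain.
SAMPLE_EVENTS = """
{"EventID": 4724, "SubjectUserName": "oliver", "TargetUserName": "smith"}
{"EventID": 4624, "SubjectUserName": "smith", "TargetUserName": "smith"}
{"EventID": 4728, "SubjectUserName": "maria", "TargetUserName": "Domain Admins", "MemberName": "CN=maria,CN=Users,DC=example,DC=local"}
{"EventID": 4724, "SubjectUserName": "Administrator", "TargetUserName": "svc_backup"}
"""


def detect(event: dict):
    """Return an alert string for one event, or None if it is benign."""
    eid = event.get("EventID")
    actor = event.get("SubjectUserName", "")
    # In 47xx group events, TargetUserName is the GROUP; MemberName is who was added.
    if eid in GROUP_ADD_EVENTS and event.get("TargetUserName") in PRIVILEGED_GROUPS:
        return f"HIGH: {actor} added {event.get('MemberName')} to {event['TargetUserName']}"
    # In 4724, TargetUserName is the account whose password was reset.
    if eid == PASSWORD_RESET_EVENT and actor not in EXPECTED_ADMINS:
        return f"MEDIUM: {actor} reset password of {event.get('TargetUserName')}"
    return None


def scan(lines: str) -> list:
    """Run detect() over newline-delimited JSON events and collect alerts."""
    alerts = []
    for line in lines.strip().splitlines():
        alert = detect(json.loads(line))
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

The member-added alert fires the moment the group change is written, which is before the new session in which maria actually holds the Domain Admins token, so responders get the signal before the flag is read.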