In this post, I would like to share a walkthrough of the Object machine from Hack The Box.

This machine is rated Hard on Hack The Box.

What will you gain from the Object machine?

For the user flag, you create a new account on the Jenkins application and gather information by running commands through a Jenkins build trigger. We also need the Jenkins credentials decryptor to retrieve the password that gives us access as oliver.

As for the root flag, you need to abuse the group permissions that allow the maria account to be added to Domain Admins.

Information Gathering on Object Machine

Once the VPN connection is up (the VPN configuration is downloaded from Hack The Box), we can start information gathering on the machine by executing the command nmap -sC -sV -p- <IP Address> -PN

From the nmap output, we can see that only port 80 and port 8080 are open.

Let’s access the website on port 80.

However, it’s just a simple website on which I cannot see any obvious weakness.

Let’s run gobuster to enumerate other directories.

Sadly, only index.html is stored in the web directory.

Let’s curl the website in case there’s an interesting HTTP header that we can take advantage of. I didn’t find any information that we can use to get further.

There is also nothing interesting in the source code of the website.

Let’s change our target to the other port that we found earlier.

Jenkins access and enumeration

Accessing the machine on port 8080 shows a Jenkins web interface.

Sadly, we don’t have any Jenkins credentials that we can use to access the Jenkins dashboard. Therefore, we should try logging in with a common default credential such as admin:admin.

As a result, we got an error saying “Invalid username or password”.

I notice that there’s a link to “Create an account”, so let’s create a new account.

As usual, let’s fill in the information above; maybe we will be logged in to the dashboard automatically.

As expected, we are able to access the dashboard. There’s a link to “the top page” on the main page, so let’s click it to see what’s stored there.

We are redirected to a page that looks like the one above. Let’s try to create a job and work from there.

Creating a project file

Let’s create a new Folder, give it a name and press OK.

Nothing much to look into at the moment.

Let’s see who the users of the dashboard are; unfortunately, there are only two users, as shown above.

We might need to create a Freestyle project.

To be frankly honest, I have no knowledge of the Jenkins interface, so let’s do some research on the internet.
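The foothold in this walkthrough exists because the Jenkins instance lets anyone register an account and then lets every logged-in user create jobs. As an added example (not code from the original post or from Jenkins), here is a small audit script that reads a Jenkins controller config.xml and flags exactly those two settings. The XML samples are constructed to resemble a weak and a corrected configuration; on a real controller the file is $JENKINS_HOME/config.xml, and the element and class names used (disableSignup, FullControlOnceLoggedInAuthorizationStrategy, AuthorizationStrategy$Unsecured) are the ones Jenkins writes.

```python
# Added example (not from the original post): audit a Jenkins controller
# config.xml for the settings that made this walkthrough's foothold possible,
# i.e. open self-registration plus "any logged-in user can do anything".
# The XML samples are constructed; a real file lives at $JENKINS_HOME/config.xml.
import xml.etree.ElementTree as ET

# Constructed sample resembling a weakly configured controller (not the box's file).
WEAK_CONFIG = """<?xml version='1.0' encoding='UTF-8'?>
<hudson>
  <useSecurity>true</useSecurity>
  <authorizationStrategy class="hudson.security.FullControlOnceLoggedInAuthorizationStrategy">
    <denyAnonymousReadAccess>true</denyAnonymousReadAccess>
  </authorizationStrategy>
  <securityRealm class="hudson.security.HudsonPrivateSecurityRealm">
    <disableSignup>false</disableSignup>
    <enableCaptcha>false</enableCaptcha>
  </securityRealm>
</hudson>
"""

# Constructed sample of the corrected settings: sign-up disabled and a matrix
# authorization strategy, so job creation and builds are granted per user.
HARDENED_CONFIG = """<?xml version='1.0' encoding='UTF-8'?>
<hudson>
  <useSecurity>true</useSecurity>
  <authorizationStrategy class="hudson.security.GlobalMatrixAuthorizationStrategy">
    <permission>USER:hudson.model.Hudson.Administer:admin</permission>
  </authorizationStrategy>
  <securityRealm class="hudson.security.HudsonPrivateSecurityRealm">
    <disableSignup>true</disableSignup>
    <enableCaptcha>false</enableCaptcha>
  </securityRealm>
</hudson>
"""

# Authorization strategies under which every authenticated account can create
# jobs and run builds, which is all that is needed to execute commands.
WEAK_AUTHZ = {
    "hudson.security.AuthorizationStrategy$Unsecured":
        "no authorization at all (anonymous has full control)",
    "hudson.security.FullControlOnceLoggedInAuthorizationStrategy":
        "any logged-in user has full control",
}


def _is_true(text):
    return (text or "").strip().lower() == "true"


def audit_jenkins_config(xml_text):
    """Return a list of findings (strings); an empty list means no weak setting found."""
    root = ET.fromstring(xml_text)
    findings = []

    if not _is_true(root.findtext("useSecurity")):
        findings.append("useSecurity is not true: Jenkins security is switched off")

    realm = root.find("securityRealm")
    if realm is not None and realm.get("class") == "hudson.security.HudsonPrivateSecurityRealm":
        # Jenkins' own user database: sign-up must be explicitly disabled.
        if not _is_true(realm.findtext("disableSignup")):
            findings.append("self sign-up is enabled: anyone reaching the UI can create an account")

    authz = root.find("authorizationStrategy")
    cls = authz.get("class") if authz is not None else None
    if cls in WEAK_AUTHZ:
        findings.append(f"authorization strategy {cls}: {WEAK_AUTHZ[cls]}")

    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"[{label}]")
        for finding in audit_jenkins_config(cfg) or ["no findings"]:
            print("  -", finding)
```

Run against the weak sample it reports both the open sign-up and the full-control strategy; against the hardened sample it reports nothing. Point it at a real $JENKINS_HOME/config.xml to check a controller you are responsible for.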

Research on the Jenkins application and available exploitation techniques

I also include some resources for those who want to study more on Jenkins or Exploit:

  1. How to implement a remote Jenkins build trigger with a URL – Coffee Talk: Java, News, Stories and Opinions (theserverside.com)
  2. Exploiting Jenkins build authorization | by Asi Greenholts | Cider Security | Feb, 2022 | Medium
  3. A Case Study on Jenkins RCE. Based on past experience, I‘ll walk… | by Adam Jordan | Medium

From my understanding, we can schedule a task to execute every minute. We should tick Build periodically and enter * * * * * inside the Schedule box.

At the bottom, there’s a button “Add Build Step”; click it and choose Execute shell.

As far as I know, this machine is running Windows, so I run cmd /c whoami to check which user the build executes as.

Troubleshooting the issues on Object Machine

However, I got an error saying that it’s the wrong command.

I got frustrated for some reason with not getting the command running.

I have been stuck on this problem for a few hours. I’m probably an idiot for not realizing sooner that I had used Execute shell rather than Execute Windows batch command.

We should enter the same command as before.

Finally, it works after a few hours of troubleshooting.

From the console output, I notice that there’s a user called oliver.
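A job like the one built above (Build periodically every minute plus an Execute Windows batch command step) leaves a recognisable footprint in the job's config.xml. The following script is an added example, not code from the original post or from Jenkins, that walks a freestyle job's config.xml and rates it: it looks for the builders that execute raw command text (hudson.tasks.Shell, hudson.tasks.BatchFile), a TimerTrigger spec of every minute, and the absence of an assignedNode, which leaves the job free to run on the built-in node, i.e. on the controller itself next to $JENKINS_HOME/secrets. Both job samples are constructed; the risk thresholds are my own choice.

```python
# Added example (not from the original post): flag Jenkins freestyle jobs that
# run an arbitrary command on a timer, the pattern used in this walkthrough
# (Build periodically with "* * * * *" plus Execute Windows batch command).
# The job XML is constructed; real job files live at $JENKINS_HOME/jobs/<name>/config.xml.
import xml.etree.ElementTree as ET

# Constructed sample of a freestyle job config.xml (not the box's job).
SUSPECT_JOB = """<?xml version='1.0' encoding='UTF-8'?>
<project>
  <description>test</description>
  <canRoam>true</canRoam>
  <triggers>
    <hudson.triggers.TimerTrigger>
      <spec>* * * * *</spec>
    </hudson.triggers.TimerTrigger>
  </triggers>
  <builders>
    <hudson.tasks.BatchFile>
      <command>cmd /c whoami</command>
    </hudson.tasks.BatchFile>
  </builders>
</project>
"""

# Constructed sample of an ordinary job: no timer, pinned to a dedicated agent.
BENIGN_JOB = """<?xml version='1.0' encoding='UTF-8'?>
<project>
  <assignedNode>linux-agent</assignedNode>
  <canRoam>false</canRoam>
  <triggers/>
  <builders>
    <hudson.tasks.Shell>
      <command>make test</command>
    </hudson.tasks.Shell>
  </builders>
</project>
"""

# Build steps that execute shell or batch text verbatim.
COMMAND_BUILDERS = {"hudson.tasks.Shell", "hudson.tasks.BatchFile"}


def inspect_job(xml_text):
    """Summarise one job config.xml and assign a coarse risk level (own thresholds)."""
    root = ET.fromstring(xml_text)
    commands = [(el.tag, (el.findtext("command") or "").strip())
                for el in root.iter() if el.tag in COMMAND_BUILDERS]
    timers = [(t.findtext("spec") or "").strip()
              for t in root.iter("hudson.triggers.TimerTrigger")]
    # Without an assignedNode the job may be scheduled on the built-in node,
    # i.e. on the controller that also holds $JENKINS_HOME/secrets.
    can_run_on_controller = root.find("assignedNode") is None
    every_minute = any(spec.split() == ["*"] * 5 for spec in timers)

    if commands and every_minute and can_run_on_controller:
        risk = "high"
    elif commands and (every_minute or can_run_on_controller):
        risk = "medium"
    else:
        risk = "low"
    return {"commands": commands, "timers": timers,
            "can_run_on_controller": can_run_on_controller, "risk": risk}


if __name__ == "__main__":
    for name, job in (("suspect", SUSPECT_JOB), ("benign", BENIGN_JOB)):
        print(name, inspect_job(job))
```

The more durable fix for the "runs on the controller" part is the one Jenkins itself recommends: set the number of executors on the built-in node to 0 so that builds only ever run on agents, which keeps a build step's command away from the controller's secrets directory regardless of who created the job.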

Firewall Protection bypass

We can check whether the machine is protected by a firewall.

Nothing is returned to us at all.

When I check the build history, we got an error message, which is normally not a good sign at all.

From my understanding of the error message, some protection has been implemented on the machine.

Let’s see if the protection also affects outbound connections.

Sadly, those are also blocked by the rules.

Gaining Privileged Access on Object Machine

PowerShell enumeration

Let’s check what directories and files are stored on the machine by running the command above.

There’s a users directory that might come in handy for the escalation process.

Inside the users directory, there’s a directory with admin in its name.

A file called config.xml is saved inside the admin directory, which to me is quite odd.

There are some passwords and hashes written inside config.xml.

I also notice there’s a secrets directory when looking at the main directory.

Sadly, we got an error and I was not sure about the cause. After looking at the message carefully, I notice that I made a huge mistake here: I should have used the cd command but accidentally typed the type command.

At last, it finally works as it should.

However, the hudson.util.secret file is not readable at all, which is a disappointment.

Let’s try encoding the unreadable content as base64.

Then we can copy the base64 output and paste it into a new file on our attacker machine.

We also need one more file, master.key, to decrypt the Jenkins credentials.

The group of screenshots above shows how to install jenkins-credentials-decryptor.

Let’s follow the steps that have been provided to us.

Nice! The tool runs as it should, and the command below will be used for the decryption process.

./jenkins-credentials-decryptor -m master.key -s hudson.util.secrets -c config.xml

Let’s access the machine via the evil-winrm tool using the command above.

You can read the user flag by executing the command “type user.txt”.

Escalate to Root Privileges on Object Machine

Normally, we use the PowerView.ps1 tool to enumerate the Windows machine.

We can upload PowerView.ps1 into the C:\ProgramData directory.

There are a few other users besides oliver, such as maria and smith.

Access to both the smith and maria directories is denied.

The upload is successfully stored on the Windows machine.

In order to use PowerView.ps1 on the machine, we need to run the command “Import-Module .\PowerView.ps1”.

The commands used from here on are similar to those used on other machines such as

  1. Search Machine
  2. Acute Machine

The command above changes or resets the password of the smith account.

Logged in using the smith account

We should be able to access the smith account using the password that we changed previously.

We also need to upload PowerView.ps1 and import the module as before.

After roaming around the machine, I found an Excel file called Engines.xls. Let’s copy the file into smith’s ProgramData directory.

Then let’s download the file to our attacker machine.

Luckily for us! We have a few passwords that we can try for maria’s account.

Let’s access the machine as maria via evil-winrm.

Access with maria’s privileges on Object Machine

We managed to log in with maria’s privileges using the password W3llcr4ft3d_4cls.

As usual, we need to upload PowerView.ps1 and import the module on the machine.

The command above shows how to escalate the maria account by adding it to the Domain Admins group.

However, the effect is not immediate: maria does not yet appear in the Domain Admins group.

Perhaps we need to exit the current evil-winrm session so that the change takes effect (group membership is applied to the access token at logon, so a new session is needed).

Let’s log in again as maria with the password we obtained previously.

Voila! The maria account has been added to the Domain Admins group.
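The two domain changes made in this section, a password reset on the smith account and the maria account being added to Domain Admins, are both recorded by the domain controller's Security log as event 4724 (an attempt was made to reset an account's password) and event 4728 (a member was added to a security-enabled global group). The script below is an added example, not code from the original post, that runs a simple detection over a few constructed JSON log lines whose field names follow the Security log's EventData fields; the set of approved resetters and the list of privileged groups are assumptions you would replace with your own.

```python
# Added example (not from the original post): detect the two Active Directory
# changes made at the end of this walkthrough, a password reset on another
# account and an account added to Domain Admins, using Security log event IDs
# 4724 (password reset attempt) and 4728 (member added to a security-enabled
# global group). The log lines are constructed; field names mirror EventData.
import json

# Constructed sample events (not from the box). In a real pipeline these would
# come from a forwarded Security log (e.g. a JSON export), one event per line.
SAMPLE_LOG = """\
{"EventID": 4624, "SubjectUserName": "smith", "TargetUserName": "smith"}
{"EventID": 4724, "SubjectUserName": "oliver", "TargetUserName": "smith"}
{"EventID": 4724, "SubjectUserName": "Administrator", "TargetUserName": "smith"}
{"EventID": 4728, "SubjectUserName": "maria", "TargetUserName": "Domain Admins", "MemberName": "CN=maria,CN=Users,DC=example,DC=local"}
{"EventID": 4728, "SubjectUserName": "Administrator", "TargetUserName": "Backup Operators", "MemberName": "CN=svc-backup,CN=Users,DC=example,DC=local"}
"""

# Accounts expected to reset other users' passwords (help desk, admins). Assumed.
APPROVED_RESETTERS = {"administrator"}
# Groups whose membership changes should always be reviewed. Assumed list.
PRIVILEGED_GROUPS = {"domain admins", "enterprise admins", "administrators", "schema admins"}


def parse_events(log_text):
    """One JSON object per non-empty line."""
    return [json.loads(line) for line in log_text.splitlines() if line.strip()]


def detect(events):
    """Return a list of alerts, each a dict with severity, event_id and reason."""
    alerts = []
    for ev in events:
        eid = ev.get("EventID")
        subject = (ev.get("SubjectUserName") or "").lower()
        target = (ev.get("TargetUserName") or "").lower()

        if eid == 4724 and subject not in APPROVED_RESETTERS and subject != target:
            # 4724: TargetUserName is the account whose password was reset.
            alerts.append({"severity": "high", "event_id": eid,
                           "reason": f"{subject} reset the password of {target}"})
        elif eid == 4728 and target in PRIVILEGED_GROUPS:
            # 4728: TargetUserName is the group, MemberName the added account's DN.
            member = (ev.get("MemberName") or "").lower()
            self_add = member.startswith(f"cn={subject},")
            alerts.append({"severity": "critical" if self_add else "high", "event_id": eid,
                           "reason": f"{subject} added {member or '?'} to {target}"
                                     + (" (self)" if self_add else "")})
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_LOG)):
        print(alert)
```

On the constructed sample the reset by oliver and maria's self-addition to Domain Admins are raised; the reset by the approved Administrator account and the Backup Operators change are not. Because the group change only takes effect at the next logon, the 4728 event is also the earliest point at which this escalation can be caught.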

Let’s access on the administrator’s desktop!

There’s a root flag in the Desktop directory.

We can read the root flag by executing the command “type root.txt”.
