In this post, I would like to share a walkthrough of the Object machine from Hack The Box.
This machine is rated Hard on Hack The Box.
What will you gain from the Object machine?
For the user flag, you create a new account on the Jenkins application and gather information using a Jenkins build trigger. We also need Jenkins Credentials Decryptor to recover the password for oliver’s account.
For the root flag, you abuse group permissions to add the maria account to Domain Admins.
Information Gathering on Object Machine
Once the VPN connection (using the configuration downloaded from Hack The Box) is up, we can start information gathering on the machine by running the command nmap -sC -sV -p- <IP Address> -PN
The nmap output shows that only port 80 and port 8080 are open.
Let’s access the website interface using port 80
However, it is just a simple website, and I cannot see any loophole in it.
Let’s run gobuster to enumerate other directories.
Sadly, only index.html is stored in the web directory.
Let’s curl the website in case there is any interesting HTTP header that we can take advantage of. I didn’t find any information that we can use to escalate further.
There is also nothing inside the source code of the website.
Let’s switch our attention to the other port we found earlier.
Jenkins access and enumeration
Accessing the machine on port 8080 shows a Jenkins web interface.
Sadly, we don’t have any Jenkins credentials that we can use to access the Jenkins dashboard. Therefore, we try to log in with a default credential such as admin:admin
As a result, we get an error saying “Invalid username or password”.
I notice that there’s a “Create an account” link, so let’s create a new account.
As usual, let’s fill in the information shown above; we may be logged in to the dashboard automatically.
As expected, we are able to access the dashboard. There’s a link to “the top page” on the main page; let’s click it to see what’s stored there.
We are redirected to a page that looks something like the above. Let’s try to create a job and work from there.
Creating a project file
Let’s create a new Folder, give it a name, and press OK.
Nothing much to look into at the moment
Let’s see which users exist on the dashboard; unfortunately, there are only two, as shown above.
We might need to create a Freestyle project
Research on Jenkins application and exploitation available
I also include some resources for those who want to study Jenkins or its exploitation further:
- How to implement a remote Jenkins build trigger with a URL – Coffee Talk: Java, News, Stories and Opinions (theserverside.com)
- Exploiting Jenkins build authorization | by Asi Greenholts | Cider Security | Feb, 2022 | Medium
- A Case Study on Jenkins RCE. Based on past experience, I‘ll walk… | by Adam Jordan | Medium
From my understanding, we can schedule the job to run every minute. Tick “Build periodically” and enter * * * * * (every minute, in Jenkins cron syntax) in the Schedule box.
At the bottom, there’s an “Add Build Step” button; click it and choose Execute shell.
As far as I know, this machine runs Windows, so I need to run cmd /c whoami to check which account I am executing as.
Troubleshooting the issues on Object Machine
However, I got an error saying that it’s the wrong command.
I got frustrated for some reason with not getting the command running.
I have been stuck on this problem for a few hours. I’m probably an idiot for not realizing sooner that I had used Execute shell rather than Execute Windows batch command.
We enter the same command as before.
Finally, it works after a few hours of troubleshooting
From console output, I notice that there’s a user called Oliver.
Firewall Protection bypass
We can check whether the machine is protected by a firewall.
Nothing is returned to us at all.
When I check the build history, there is an error message, which is normally not a good sign at all.
From my understanding of the error message, some protection has been implemented on the machine.
Let’s see whether the protection also affects outbound connections.
Sadly, they are also blocked by the rules.
Gaining Privileged Access on Object Machine
Let’s check what kind of directory and files are stored in the machine by running the command above.
There’s a users directory that might come in handy for the escalation process.
Inside the users directory, there’s a directory with admin in its name.
A file named config.xml is saved inside the admin directory, which I find quite odd.
Some passwords and hashes are written inside config.xml.
I also notice there’s a secrets directory when I look at the main directory.
Sadly, we got an error, and at first I wasn’t sure what the issue was. After reading the message carefully, I noticed I had made a big mistake here: I should have used the cd command but accidentally typed the type command.
At last, it works as it should.
However, the hudson.util.Secret file is not readable at all, which is a disappointment.
Let’s encode the unreadable binary content as base64 instead.
Then we can copy the base64 output and paste it into a new file on our attacking machine.
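As an added example for this write-up (not the author’s steps and not jenkins-credentials-decryptor or any other tool used in the post), the script below audits Jenkins config.xml files for the three conditions this walkthrough chained together: open account sign-up, a job that fires every minute and runs batch commands, and credentials stored in a user’s config.xml. The XML samples are constructed in memory so it runs offline; the element names follow Jenkins’ real config.xml layout, while the values and the placeholder ciphertext are made up.

```python
import xml.etree.ElementTree as ET

# Constructed samples: element names mirror Jenkins' config.xml layout, values are invented.
MAIN_CONFIG = """<hudson><securityRealm class="hudson.security.HudsonPrivateSecurityRealm">
  <disableSignup>false</disableSignup></securityRealm></hudson>"""
USER_CONFIG = """<user><properties>
  <com.cloudbees.plugins.credentials.UserCredentialsProvider_-UserCredentialsProperty>
    <domainCredentialsMap><entry><list>
      <com.cloudbees.plugins.credentials.impl.UsernamePasswordCredentialsImpl>
        <username>admin</username><password>{AQAAABAAAAAw-PLACEHOLDER-CIPHERTEXT}</password>
      </com.cloudbees.plugins.credentials.impl.UsernamePasswordCredentialsImpl>
    </list></entry></domainCredentialsMap>
  </com.cloudbees.plugins.credentials.UserCredentialsProvider_-UserCredentialsProperty>
</properties></user>"""
JOB_CONFIG = """<project><triggers><hudson.triggers.TimerTrigger><spec>* * * * *</spec>
  </hudson.triggers.TimerTrigger></triggers><builders><hudson.tasks.BatchFile>
  <command>cmd /c whoami</command></hudson.tasks.BatchFile></builders></project>"""

# Child elements that hold an encrypted secret in Jenkins credential entries ({...} blobs).
SECRET_TAGS = {"password", "secret", "privateKey", "secretBytes"}


def signup_enabled(xml_text):
    """True when the built-in user database lets anyone create an account (the foothold here)."""
    node = ET.fromstring(xml_text).find(".//securityRealm/disableSignup")
    return node is not None and node.text.strip().lower() == "false"


def stored_credentials(xml_text):
    """List (credential type, username) pairs whose encrypted secret sits in this config.xml.

    Per-user credential stores are decryptable by anyone who can read the file together
    with secrets/master.key and secrets/hudson.util.Secret, so each hit is worth a review.
    """
    found = []
    for elem in ET.fromstring(xml_text).iter():
        secrets = [c for c in elem if c.tag in SECRET_TAGS and c.text and c.text.strip().startswith("{")]
        if secrets:
            found.append((elem.tag.rsplit(".", 1)[-1], elem.findtext("username", default="?")))
    return found


def risky_build(xml_text):
    """Flag a job that fires every minute and the raw shell/batch commands it executes."""
    root = ET.fromstring(xml_text)
    spec = root.findtext(".//hudson.triggers.TimerTrigger/spec", default="")
    commands = [c.text.strip() for c in root.iter("command") if c.text]
    return {"every_minute": spec.split() == ["*"] * 5, "commands": commands}
```

In a real audit, point the three functions at $JENKINS_HOME/config.xml, users/*/config.xml and jobs/*/config.xml respectively, and review any job whose command list is not what its owner expects.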
Another file that we need in order to decrypt the Jenkins credentials.
The group of screenshots above shows how to install jenkins-credentials-decryptor.
Let’s follow the steps that have been provided to us.
Nice! The tool runs as it should, and the command below is used for the decryption process.
./jenkins-credentials-decryptor -m master.key -s hudson.util.secrets -c config.xml
Let’s access the machine via the evil-winrm tool using the command above.
You can read the user flag by executing the command “type user.txt”.
Escalating to Root Privileges on Object Machine
Normally, we use the PowerView.ps1 tool to enumerate a Windows machine.
We can upload PowerView.ps1 to the c:\programdata directory.
There are a few other users besides Oliver, such as maria and smith.
We are denied permission to access both smith and maria.
The upload is successfully stored on the Windows machine.
In order to use PowerView.ps1 on the machine, we need to run the command “Import-Module .\PowerView.ps1”.
The command used from here on is similar to the one used on other machines, such as
The command above changes or resets the password for the smith account.
Logged in using the smith account
We should be able to access the smith account using the password that we changed previously.
After roaming around the machine, I found an Excel file called Engines.xls. Let’s copy the file into smith’s programdata directory.
Then let’s download the file to our attacking machine.
Luckily for us, we have a few passwords that we can try for maria’s account.
Let’s access the machine as maria via evil-winrm
Access via maria’s privileges on Object Machine
We managed to log in as maria with the password W3llcr4ft3d_4cls
As usual, we need to upload PowerView.ps1 and import the module on the machine.
The command above shows how to escalate the maria account by adding it to the Domain Admins group.
However, the effect does not appear on the spot; maria has still not been added to the Domain Admins group.
Perhaps we need to exit the current evil-winrm session so that the change takes effect.
Let’s log in again as maria with the password that we obtained previously.
Voila! The maria account has been added to the Domain Admins group.
Let’s access the administrator’s desktop!
There’s a root flag in the Desktop directory.
We can read the root flag by executing the command “type root.txt”.