As usual, we start with an Nmap scan:
Doing a detailed scan, we can find that port 8080 was running a Jetty instance.
Port 8080 revealed a Jenkins instance login page:
With Jenkins, I attempted to create a Windows batch command that would execute every minute like so:
However, this failed because the box was unable to reach my machine. I suppose there is a firewall or something within the machine that is blocking outgoing TCP traffic.
Instead, we can use this machine to enumerate the box instance. I noticed that the machine was building the workspace in this directory:
I opted to view the files in that directory using dir /s.
We find another .jenkins folder. Within that, we would find another users folder with some config.xml files:
Naturally, the admin one is more interesting. Taking a look reveals that there is an encoded password within it:
With Jenkins instances, we would need to extract 2 files that are used to decrypt this password, which are the master.key and the hudson.util.Secret files. These can be found within the C:\users\oliver\AppData\Local\Jenkins\.jenkins\secrets\ folder.
Since they may contain non-printable characters, we would need to Base64-encode them to get them out. This can be done with a little PowerShell scripting.
After extracting both of these files, we can use this tool to decrypt them:
Then, we can evil-winrm in as oliver.
Once in the machine, I ran Sharphound.ps1 to enumerate for me:
We find that within Bloodhound, the oliver user has the ForceChangePassword permission over the smith user.
The smith user has GenericWrite permissions over the maria user:
And lastly, the maria user has WriteOwner permissions over the Domain Admins group:
Interesting path of exploits.
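The ACL chain just described, as an added example (not code from the original post or from BloodHound): a small path finder over constructed ACL edges that reports which principals can reach Domain Admins through control-granting rights, which is the audit a defender would run over the same SharpHound data. The edge list and the set of abusable rights are assumptions for the example.

```python
from collections import deque

# Rights that let the holder take control of the target object. This set is an
# assumption for the example; BloodHound models many more edge types.
ABUSABLE_RIGHTS = {"ForceChangePassword", "GenericWrite", "GenericAll",
                   "WriteOwner", "WriteDacl", "AddMember"}

# Constructed edges mirroring the chain found above, plus one read-only right
# that must NOT count as a path: (principal, right, target).
EDGES = [
    ("oliver", "ForceChangePassword", "smith"),
    ("smith", "GenericWrite", "maria"),
    ("maria", "WriteOwner", "Domain Admins"),
    ("guest", "ReadProperty", "maria"),
]

def build_graph(edges, abusable=ABUSABLE_RIGHTS):
    """Adjacency list keeping only rights that grant control of the target."""
    graph = {}
    for principal, right, target in edges:
        if right in abusable:
            graph.setdefault(principal, []).append((right, target))
    return graph

def find_path(edges, start, goal):
    """Shortest chain of abusable rights from start to goal (BFS), as a list of
    (principal, right, target) hops, or None if goal is unreachable."""
    graph = build_graph(edges)
    queue = deque([(start, [])])
    seen = {start}
    while queue:
        node, path = queue.popleft()
        if node == goal:
            return path
        for right, nxt in graph.get(node, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, path + [(node, right, nxt)]))
    return None

def principals_reaching(edges, goal):
    """Every principal with some chain to goal: the list a defender wants to review."""
    principals = {p for p, _, _ in edges}
    return {p for p in principals if p != goal and find_path(edges, p, goal)}

def describe(path):
    """Render a path as 'a -[Right]-> b -[Right]-> c'."""
    return path[0][0] + "".join(f" -[{r}]-> {t}" for _, r, t in path)
```

Running describe(find_path(EDGES, "oliver", "Domain Admins")) prints the three-hop chain; guest never appears in principals_reaching because ReadProperty grants no control.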
Moving to the smith user is rather easy. We can simply change his password using some PowerView:
Then we can evil-winrm in.
Because we had GenericWrite over maria now, we can set an SPN for the user maria and Kerberoast the user.
However, this did not work out well as I was not able to make use of the ticket. Furthermore, the firewall was still up and I could not transfer files around easily. As such, I opted to read the maria user's directory to see what files are present since we cannot do anything else.
As smith, we can create a malicious Powershell script and change the logon script for maria.
Within the desktop, I found this Engines.xls file.
Copying it to another directory, I was able to move it to my machine using the download command from evil-winrm. Within it, we can find some credentials:
We can use the last credential to evil-winrm in as maria:
Because maria has WriteOwner privileges over the group, we can simply add ourselves to the Domain Admins group:
Afterwards, we can re-logon using evil-winrm and see that we have full administrative privileges:
We can then access the administrator desktop and capture the root flag.