Worker HTB
IP
Initial nmap scan
We have the following ports open on the target machine.
Let's run a more in-depth scan of these ports.
Results
What we can see:
HTTP web server: IIS 10.0
Port 3690: Subversion. What is it?
svnserve is a lightweight server, capable of speaking to clients over TCP/IP using a custom, stateful protocol. Its main function is to act as a centralized version control system, and it is currently licensed under Apache.
We are dealing with a Windows server.
Let's check out the web server.
When we access the web server we can see the default IIS landing page.
For good measure we will run feroxbuster and see if we can find any hidden web pages.
Let's check out this svnserve server.
To enumerate svnserve we can use the svn tool, which comes with Kali.
Let's list any contents that may be in the repo.
We do find something interesting.
Looks like we found a possible subdomain and a .txt file.
Let's download the repo's contents.
We can see the following.
Reading moved.txt, it looks like we have another subdomain to add to our hosts file.
Let's check out these new subdomains.
dimension.worker.htb
Not a lot to work with here.
For good measure let's run feroxbuster and see if we can find anything.
devops.worker.htb
We are asked for a username and password.
While checking out the source code we picked up from the subversion server, we didn't find much in the code itself, but we do have a .svn directory.
Inside the .svn directory we find wc.db, which is associated with Subversion's WC-NG working-copy format (an SQLite database used by Subversion (SVN) clients); these wc.db files are used to store metadata and information about the working copy.
We should be able to open the file with sqlitebrowser.
Within the PRISTINE table we can find multiple SHA1 hashes.
Let's copy all these hashes to a file.
We can query the database, and we have both the SHA1 and MD5 hashes.
Once we have saved all the hashes to a file, let's clean them up before we start running them through hashcat.
Now that we have our hashes all cleaned up, let's run them through hashcat.
We were unable to crack the hashes; back to the drawing board.
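The PRISTINE checksums are SHA-1 and MD5 digests of file contents kept under .svn/pristine, not password hashes, so hashcat has nothing to recover; the real exposure of a leaked .svn directory is that the pristine store holds a full copy of every versioned file. The following added example (not from the original write-up) builds a throwaway working copy from constructed file contents, using an assumed copy of the wc-ng PRISTINE schema and svn's `$sha1$` / `$md5 $` checksum serialization, and verifies each row against its pristine file.

```python
import hashlib
import os
import sqlite3
import tempfile

# Assumed wc-ng PRISTINE schema (the columns svn uses); other tables omitted.
PRISTINE_DDL = ("CREATE TABLE PRISTINE (checksum TEXT NOT NULL PRIMARY KEY, "
                "compression INTEGER, size INTEGER NOT NULL, "
                "refcount INTEGER NOT NULL, md5_checksum TEXT NOT NULL)")

def make_demo_working_copy(root: str, files: dict) -> str:
    """Construct .svn/wc.db PRISTINE rows plus the pristine store files."""
    svn = os.path.join(root, ".svn")
    os.makedirs(os.path.join(svn, "pristine"))
    db = sqlite3.connect(os.path.join(svn, "wc.db"))
    db.execute(PRISTINE_DDL)
    for content in files.values():
        sha1 = hashlib.sha1(content).hexdigest()
        md5 = hashlib.md5(content).hexdigest()
        bucket = os.path.join(svn, "pristine", sha1[:2])  # .svn/pristine/<xx>/
        os.makedirs(bucket, exist_ok=True)
        with open(os.path.join(bucket, sha1 + ".svn-base"), "wb") as fh:
            fh.write(content)
        db.execute("INSERT INTO PRISTINE VALUES (?, ?, ?, ?, ?)",
                   (f"$sha1${sha1}", None, len(content), 1, f"$md5 ${md5}"))
    db.commit()
    db.close()
    return svn

def audit_pristine_store(svn_dir: str) -> list:
    """Check each PRISTINE row's SHA-1/MD5 against the pristine file content."""
    db = sqlite3.connect(os.path.join(svn_dir, "wc.db"))
    rows = db.execute("SELECT checksum, md5_checksum, size FROM PRISTINE").fetchall()
    db.close()
    report = []  # (sha1, md5, size, verified)
    for checksum, md5_checksum, size in rows:
        # svn serializes checksums as '$sha1$<hex>' and '$md5 $<hex>'
        sha1, md5 = checksum.rsplit("$", 1)[-1], md5_checksum.rsplit("$", 1)[-1]
        path = os.path.join(svn_dir, "pristine", sha1[:2], sha1 + ".svn-base")
        with open(path, "rb") as fh:
            data = fh.read()
        verified = (hashlib.sha1(data).hexdigest() == sha1
                    and hashlib.md5(data).hexdigest() == md5 and len(data) == size)
        report.append((sha1, md5, size, verified))
    return report

def demo() -> list:
    """Build a throwaway working copy from constructed contents and audit it."""
    files = {"moved.txt": b"hello", "deploy.ps1": b"Write-Host 'deploy'\n"}
    return audit_pristine_store(make_demo_working_copy(tempfile.mkdtemp(), files))
```

Every row verifies, which is the point: each "hash" is simply the digest of a file that sits in cleartext next to the database.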
Back to enumerating svn.
We can check the subversion log.
We can see the following.
Looking at r2 we can see the user nathen added a deployment script. Let's check it out.
We do find a set of credentials, but to be safe let's check out the other commits.
We find an updated deploy.ps1 script; maybe we don't have a password.
Nothing new.
Nothing new.
Let's see if these creds work for devops.worker.htb.
They are indeed valid and we have access to the DevOps subdomain.
We can see that we are in an Azure DevOps instance.
We are logged in as the user WORKER/nathen.
We can see a current project, "SmartHotel360".
If we click on the "SmartHotel360" project and then on Repos we can load the SmartHotel360 repo.
At the top of the page there is a dropdown that shows other repos that are available in this project.
Within the menu on the left hand side we can see Pipelines.
What are Pipelines in Azure?
Azure Pipelines is a CI/CD (Continuous Integration and Continuous Deployment) service that automates the build, test and deployment phases of the development process.
When we click View (top right corner) we can see further details.
Looking at the YAML file, it looks like this task takes the files from the source code and writes them into the destination folder (most likely where they are hosted by IIS).
We will keep an eye out for the target folder.
If we click on Run or Queue we can see the following.
Looks like we do have permission to start a build, which means that if we can make modifications to the site via the repo here, we can use the pipeline to push the changes made in the repo to the hosted site.
Let's see if we can upload a basic webshell to the site.
Let's try through the alpha repo: we can click Upload file and select our webshell.
Trying to commit our shell shows the following error.
We do have the ability to create a branch.
Now we should have the ability to upload our webshell.
Now back in Pipelines, we can select the CICD job for the project we uploaded into (Alpha) and run the build job, giving it the branch we created earlier (shrek123).
After 30 seconds or so we can head over to http://alpha.worker.htb/cmdasp.aspx
Don't forget to add the alpha subdomain to our hosts file.
We can run commands on the target server.
Let's upload nc64.exe to the target server and establish a reverse shell.
1. Let's start a Python HTTP server within the same directory as nc64.exe.
2. Through our web shell, let's use wget to fetch the file and place it within the \programdata directory.
3. Let's start a listener.
4. Let's execute nc.exe.
We have a shell on the target.
Looking through the \Users directory we can see the users on the system.
Since we know there is an Azure DevOps instance, let's see if there is any reference from the Azure DevOps pipeline to W:. We can list all the drives on the target by using wmic.
We can most certainly see the W: drive.
We can get the same results using PowerShell too.
Let's jump over to W:.
Looking through the files we do find something interesting.
Within /w/svnrepos/www/conf we find the file passwd.
As you can see we have a list of plaintext passwords; I wonder if these are the same passwords, unhashed, that we found earlier.
We did see a user named robisl in /Users, and we can see a matching user in the passwd file along with a password. Let's see if we can WinRM into the machine.
It works!
Couldn't find a whole lot in the way of privesc.
Let's see if we can log in to DevOps using robisl's creds.
We have authentication.
We can see a different project; it contains a lot of files but none seem too interesting.
Within Project Settings -> General -> Security we can see robisl is a Build Administrator.
This group has the ability to define builds with CI and other pipeline related tasks.
Let's see if we can create a pipeline.
We want to navigate to Pipelines -> New Pipeline.
Let's select Azure Repos Git, and then select PartsUnlimited from the list.
Now we want to select what kind of project this will be: select Starter Pipeline.
We should see a YAML file that defines the pipeline.
Let's break down this YAML file:
trigger: defines when this runs. In this default case, the pipeline will run on commits (or merges) to the master branch. Our current user robisl doesn't have permission to commit to master, but saving will also run the pipeline, so the trigger isn't too important.
pool: defines where and how the pipeline runs.
steps: defines the various scripts that will run, in order. A script can be on one line, or, in YAML, | indicates a multiline string that keeps newlines until the next item, based on indentation.
Let's troubleshoot the template.
When we try to run our template it doesn't get pushed to the branch, as the user robisl isn't permitted.
Let's create a new branch named shrek1234.
We do get the following error.
Why is it failing? Because there is no pool named Default, and robisl doesn't have the permissions to authorize resources.
How can we fix this?
We can click on the Azure DevOps logo in the top left corner of the screen, then Collection settings at the bottom left; on the left side there's a menu for Agent pools.
There is a pool called Setup.
Let's go back to Pipelines for PartsUnlimited and start a new pipeline. In the config we will name the pool Setup, then save and run.
We will need to delete the branch we created or create a new one (I created a new one, shrek12345).
When we save and run we can see the following.
We can see in the summary that everything worked just fine.
Gaining a shell on the system
If we look back in the YAML file, we have the ability to run scripts and programs on the target server; remember we uploaded nc.exe.
Let's see if we can execute it and gain a shell on the system.
Start a nc listener.
Same process as before, but we are going to edit the script field in the YAML file.
Let's save and run.
If we look at our listener we can see the following.