Worker: Windows box rated as Medium. We will face a SVN repository, with a bit of enumeration we will be able to enter in the box and then using SVN Pipelines we will gain Administrator access.
Last updated
Was this helpful?
Run nmap against our target 10.10.10.203 with the following flags:
-sC Script scan, equivalent to --script=default
-sV Service version info
-p- Scan all ports
We discover a web page on port 80 which doesn't seem to have much at first glance:
But as always, when we encounter a web page, we run gobuster against it:
We didn't get much from this port (also ran the command with bigger wordlists and -x to add some common windows extensions such as asp or aspx along with jsp, html, php, db, txt, xml but we got no luck either)
There's a svn Subversion, running on port 3690.
Subversion: Is a VCS (Version Control System)... it's "like" Git with some differences...
Centralized instead of distributed
You must be connected to make commits
Each user can have just one copy of the trunk
Branching or merging is... well quite time-consuming
Maybe that's why less than 10% of the professional devs use it... and i guess those that use it are because they are forced to...) But it came like 5 years before Git. In case someone wants to know a bit more about it:
We are going to checkout whatever repository we have there:
The most interesting file here is moved.txt:
We found a new Host to add to our /etc/hosts:
Now we can try to access that url:
So, we need some credentials to access here... Let's dig a bit more on that svn repository we just downloaded in order to see if we can find something useful:
We got the Revision number, which is 5 and the name of a user nathen.
The revision number is actually really important, this means we can compare this revision to the previous four and see if there are some differences:
The only change is the moved.txt that we saw before, let's try a different revision:
We can confirm the user nathen and... was there some password in plain text!? We have to take a look at Revision 2:
Now we have a user nathen and password wendel98, if we try to use it on http://devops.worker.htb
Clicking on SmartHotel360 will take us to the following page:
Here we can see the Repositories:
We are going to try and use the SVN repository to gain access to the box, in order to do so we must be able to make some changes to master and upload a page that allow us to execute commands on the machine, since it's IIS 10.0 the page has to be either asp or aspx.
Tried to commit directly on master, but we were unable to do so, we are going to create a new branch, make some changes and then do a pull request.
On Repos go to Branches, New Branch, give your branch a name and Create branch:
Click on our new created branch:
Now upload a cmdasp.aspx (We have one ready to use in our Kali located on '/usr/share/webshells/aspx/cmdasp.aspx')
Click on Upload File(s), browse... and then select our cmdasp.aspx:
We also have to link a work item to the commit:
Now we just click on commit and we'll be able to see the new commit id, and the aspx file on the branch successfully uploaded.
We have to click on Create a pull request (we can see it on the commit id on the previous picture).
Create a New Pull Request of our evilbranch into master, selecting Nathalie (our user) as Reviewer:
If we take a long time to do this process, we may face this problem:
In order to avoid it we have to prepare what we want to do and do it as fast as possible, now we have to repeat the process and will have to use another branch name too.
Once we are back at this point, we have to approve the commit:
And Set auto-complete:
It will automatically complete the pull request
If we go to the master branch now, we should be able to see our cmd page there:
If we look closely, we will see next to master there is a subdomain name spectral so in order to access our new feature we need to add that to our /etc/hosts:
Now if we try to access our new feature:
It was deleted, we really have to move fast in order to be able to get access to this machine it seems. So, we are going to prepare all the steps now, the cmdasp.aspx and the command we will use on it to gain access, which will be an encoded reverse.ps1 script.
We prepare an encoded reverse powershell script
Reverse Powershell script:
We encode it with our PSEnconder.py:
Now on the command shell we have in the page we enter the encoded powershell script with the following arguments
-Exec ByPass
-Nol
-Enc
Have a netcat listening on the port indicated and click on execute:
First let's take a look at the user we are after:
We can see there are more than one volume on this box:
If we go into that volume and take a look around, we will see a passwd file under svnrepos/www/conf
Let's use the tool evil-winrm to enter as robisl with that password:
We are in as robisl and we can grab our user flag, now let's try to escalate privileges, in order to do that we are going to try and access the repository as robisl.
Log in devops.worker.htb as robisl
In order to escalate privileges we are going to exploit the Pipelines feature:
Since the Repository is an Azure Repos Git:
Select our Repository:
Create a Starter pipeline:
The important thing here to modify is the script part:
We get rid of everything not needed and change the net user Administrator password on the script:
Save and run:
We wait a bit meanwhile it does everything, we should have this:
Let's try evi-winrm again with our new creds.
We can grab the root flag ;)
