OSCP PREPARATIONS – HTB Worker

Worker is an intentionally vulnerable Windows machine among the retired machines on Hack The Box. We are expected to obtain the user and root flags by exploiting its vulnerabilities.
We start with an nmap network scan to get to know the target machine.
Classic Scan

Full Port Scan

As a result of the port scan, ports “80/tcp http Microsoft IIS httpd 10.0”, “3690/tcp svnserve Subversion” and “5985/tcp wsman” are open.
Let’s first enumerate port 3690. (svnserve is the Subversion server; svn is a version control system used to maintain current and past versions of projects. It is licensed under Apache.)
We enumerate as described in HackTricks:
https://book.hacktricks.xyz/network-services-pentesting/3690-pentesting-subversion-svn-server
svn ls svn://10.10.10.203 #list
svn log svn://10.10.10.203 #Commit history
svn checkout svn://10.10.10.203 #Download the repository
svn up -r 2 #Go to revision 2 inside the checkout folder

We pull the files to our local machine with the command:
svn checkout svn://10.10.10.203

When we look at the logs, the user nathen seems to have deployed a script, so let’s look at what he committed.

The files Moved.txt and deploy.ps1 are our primary target. Let’s look at the content of the files we downloaded locally.
There is also a dimension.worker.htb directory; I first add that name to my /etc/hosts file in case it is a subdomain on the target.

We read the contents of Deploy.ps1:
$user = “nathen”
$plain = “wendel98”
We note this information down and continue.
We could not see the Moved.txt file at first; interestingly, it appeared when we checked out again 🙂
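The deploy.ps1 credentials are a classic case of a secret living in version-control history: even if a later commit removes it, svn log and svn up -r N still expose it. The following Python example is added here (it is not part of the original write-up) and scans constructed stand-in revision contents, rather than a live svn server, for hardcoded PowerShell secrets and reports whether HEAD still contains each one.

```python
import re
from typing import Dict, List, Tuple

# Constructed stand-in for "svn log -v" plus "svn cat -r N <path>": each revision
# maps file path -> full content at that revision; a file missing from a revision was deleted.
REVISIONS: Dict[int, Dict[str, str]] = {
    1: {"dimension.worker.htb/index.html": "<html>dimension</html>"},
    2: {"dimension.worker.htb/index.html": "<html>dimension</html>",
        "deploy.ps1": '$user = "nathen"\n$plain = "wendel98"\n'
                      '$pwd = ConvertTo-SecureString $plain -AsPlainText -Force\n'},
    3: {"dimension.worker.htb/index.html": "<html>dimension</html>",
        "deploy.ps1": '$user = "nathen"\n$cred = Get-Credential\n',   # secret removed from HEAD
        "moved.txt": "This repository has been migrated to http://devops.worker.htb\n"},
}

# PowerShell assignments that almost always carry a hardcoded secret.
SECRET_PATTERNS = [
    re.compile(r'^\s*\$(?:plain|pass(?:word)?|pwd|secret)\s*=\s*["\'](?P<value>[^"\']+)["\']', re.I | re.M),
    re.compile(r'ConvertTo-SecureString\s+["\'](?P<value>[^"\']+)["\']\s+-AsPlainText', re.I),
]

def find_secrets(content: str) -> List[str]:
    """Return the literal secret values found in one file's content."""
    return [m.group("value") for pat in SECRET_PATTERNS for m in pat.finditer(content)]

def scan_history(revisions: Dict[int, Dict[str, str]]) -> Dict[Tuple[str, str], Dict[str, object]]:
    """Walk every revision (not just HEAD) and report, per (path, secret), the first revision
    that introduced it and whether HEAD still contains it."""
    head = revisions[max(revisions)]
    report = {}
    for rev in sorted(revisions):
        for path, content in revisions[rev].items():
            for value in find_secrets(content):
                key = (path, value)
                if key not in report:
                    report[key] = {"first_rev": rev, "in_head": value in head.get(path, "")}
    return report

if __name__ == "__main__":
    for (path, value), info in scan_history(REVISIONS).items():
        print(f"{path}: '{value}' first committed in r{info['first_rev']}, still in HEAD: {info['in_head']}")
```

A secret reported with in_head False is exactly the case on this box: the current checkout looks clean, but the history still leaks it, so the credential has to be rotated, not just deleted.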

In the Moved.txt file we encounter http://devops.worker.htb. We add this to our /etc/hosts file as well.
Before looking at subdomains, let’s enumerate port 80.

Port 80 shows the default IIS landing page; we scan it with gobuster.

We didn’t get any results. It’s time to look at the subdomain:
devops.worker.htb

It asks us for credentials. We log in with the credentials we saved from Deploy.ps1:
$user = “nathen”
$plain = “wendel98”
We were able to log in successfully with these credentials.

We are greeted by Azure DevOps.
Here we have the smarthotel360 project, and we click on it.

Here I do a bit of enumeration because of the webmail. Here we have:

We see the New tab, where we can add files.
We tried to edit here, but without success.

I’m uploading the file here; I created a branch named test and added it there.

We have uploaded cmdasp.aspx, as seen here.
Here we click on the “Create a pull request” button.

Then I write the title.

We click Create.
Afterwards:

We fill in the requested information, click the places indicated with the arrow and select Complete.

After clicking Complete:

The following comes up.
I then followed it up with:

We run it by clicking Queue.

After completion:

They are all ticked like this. Now let’s go to the target URL and see if our shell is working.

As you can see here, the shell has arrived.
Here we create a PowerShell reverse shell pointing back at ourselves
(we used https://www.revshells.com/ to create the reverse shell).

When we run this shell script we get our shell as the iis apppool\defaultapppool user.

We enumerated here, but interestingly we could not find anything in the user directories.

In case there is a different disk, we execute the command
wmic logicaldisk get caption
Here we see the W: drive.

And we moved into the W: drive.

We obtained passwords in the passwd file.
The entry for nathen matches the password “wendel98” we found earlier. Let’s look at this user in detail.
We look in detail at the robisl and restorer users, who have directories here.

We connect as the robisl user.

We got the User flags.

We got permission denied, so we do local enumeration.
We didn’t get much here. Let’s connect with these credentials and look at the DevOps part again.

Here we see a different project, PartsUnlimited.
After clicking on it, we go to the Pipelines section and create a new pipeline.

Here you can choose a configuration type; I chose the Starter pipeline, but it is no different from the other one, the configuration is the same.

Here I change the password of the administrator user so that I can access it:
net user administrator Password@1

After typing the code, I save and run.
After it runs successfully:

We connect with evil-winrm:
evil-winrm -i 10.10.10.203 -u administrator -p Password@1

That’s how we got the root flag.
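From a defender’s point of view, a pipeline that any project contributor can edit and queue on a self-hosted agent is command execution on the build host, which is exactly how the administrator password gets reset above. The following Python example is added here (it is not part of the original write-up) and lints a constructed azure-pipelines.yml for steps that change local accounts or remote-management settings; the script/powershell/pwsh/bash step keys and the Starter pipeline shape are real Azure Pipelines syntax, but the YAML content and the RISKY list are constructed for this example.

```python
import re

# Constructed azure-pipelines.yml in the shape of the "Starter pipeline" template, with the
# password-reset step from the write-up appended as a second line of the multi-line script.
PIPELINE_YAML = """\
pool:
  name: Default            # self-hosted agent: steps run on the build host itself
steps:
- script: echo Building PartsUnlimited
  displayName: 'Run a one-line script'
- script: |
    echo Add other tasks to build, test, and deploy your project.
    net user administrator Password@1
  displayName: 'Run a multi-line script'
"""
STEP_RE = re.compile(r"^(?P<indent>\s*)-\s*(?P<kind>script|powershell|pwsh|bash):\s*(?P<body>.*)$")
# Commands that change local accounts or group membership on the agent host (constructed list).
RISKY = [
    (re.compile(r"\bnet\s+user\s+\S+\s+\S", re.I), "local account creation or password change"),
    (re.compile(r"\bnet\s+localgroup\s+administrators\b", re.I), "Administrators group change"),
    (re.compile(r"\b(?:New|Set)-LocalUser\b|\bAdd-LocalGroupMember\b", re.I), "PowerShell local account change"),
]

def extract_steps(yaml_text):
    """Return (kind, command_text) per script-like step without a YAML library; handles '|'/'>' blocks."""
    lines, steps, i = yaml_text.splitlines(), [], 0
    while i < len(lines):
        m = STEP_RE.match(lines[i])
        i += 1
        if m is None:
            continue
        body = m.group("body").strip()
        if body.rstrip("-+") in ("|", ">"):  # block scalar: take lines indented past the key column
            key_col, block = m.start("kind"), []
            while i < len(lines) and (not lines[i].strip() or len(lines[i]) - len(lines[i].lstrip()) > key_col):
                block.append(lines[i].strip())
                i += 1
            body = "\n".join(block)
        steps.append((m.group("kind"), body))
    return steps

def lint_pipeline(yaml_text):
    """Flag every step whose commands match the RISKY list; returns a list of finding dicts."""
    findings = []
    for kind, body in extract_steps(yaml_text):
        for pat, reason in RISKY:
            hit = pat.search(body)
            if hit:
                findings.append({"step": kind, "reason": reason, "match": hit.group(0)})
    return findings
```

Task steps that pass a command through inputs.script are out of scope for this parser; a real deployment would run the lint as a pull-request check together with branch protection on the pipeline definition.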
