Worker machine is an intentionally vulnerable machine with Windows operating system among retired machines. We are expected to obtain user and root flags by using these vulnerabilities.
We perform a network scan with nmap to recognize the target machine.
Classic Scan
Full Port Scan
As a result of port scanning, “80/tcp http Microsoft IIS httpd 10.0”, “3690/tcp svnserve Subversion” and “5985 wsman” ports are open.
Let’s first enumerate from port 3690. (svnserve is used for version control, svn is used to maintain current and past versions of projects. It is licensed under Apache).
We provide enumeration as described in hacktirck
https://book.hacktricks.xyz/network-services-pentesting/3690-pentesting-subversion-svn-server
svn ls svn://10.10.10.10.203 #list
svn log svn://10.10.10.10.203 #Commit history
svn checkout svn://10.10.10.10.203 #Download the repository
svn up -r 2 #Go to revision 2 inside the checkout folder
svn checkout svn://10.10.10.203
command to pull the files to our local machine
When we look at the logs, the user nathen seems to have deployed the script, let’s look at the scripts he deployed
Moved.txt deploy.ps1 files, these files are our primary target. Let’s look at the content of the files we downloaded to local
In the dimension.worker.htb directory, I first add it to my /etc/hosts file in case there might be a subdomain here
We read the contents of Deploy.ps1
$user = “nathen”
$plain = “wendel98”
We note down the information and continue.
We could not see the Moved.txt file, interestingly it came when we checkedout again 🙂
In the Moved.txt file, we encountered http://devops.worker.htb. We save this in our etc/hosts file.
Before looking at subdomains, let’s provide enumeration over port 80
defalt an IIS server login we are scanning with gobuster scan
We didn’t get any results. It’s time to look at the subdomains
devops.worker.htb
It asks us for credental information. We log in with the credentials that we have stored in Deplo.ps1
$user = “nathen”
$plain = “wendel98”
We were able to successfully log in using their knowledge
We came across Azuredevops.
Here we have the smarthotel360 project and we click on it.
Here I am providing a bit of enumeration because of the webmail.
Here we have
We saw the New tab where we can add files.
We tried to edit it here but without success
I’m trying to attach the file here I created a test name I did what brach
We have installed cmdasp.aspx as seen here
Here we click on the “Create a pull request” button
Then I write the title
We call Crete
Afterwards
We fill in the information requested to click the places that appear with the arrow and say complate
After completing the compelte
Coming up
I then followed it up with
We run it by saying Quen
After completion
They are all ticked like this. Now let’s go to the target url and see if our shell is working.
As you can see here the shell has arrived
Here we create powershell and give it to ourselves
(we used https://www.revshells.com/ to create revshelli)
When we run this shell script we get our shel in iis apppool\defaultapppool user.
We provided enumeration here, but interestingly we could not detect anything in the user clauses.
In case it’s a different disk
wmic logicaldisk get caption
We execute the command
here we see the w: disk
And we logged into the w disk.
We obtained passwords in the passwd file.
It matches the password we entered in the Nathen user “wendel98” Let’s look at this user in detail.
We look at the robisl and restorer users with directories in detail.
We connect to the Robisl user.
We got the User flags.
We got permission denied, we provide local enumeration.
We didn’t get much result here. Let’s connect with this credential information and look at the devops part again
Here we see that we see a different project, PartsUnlimited
After clicking here, we go to the Pipeline section and create a new one in the piple section.
Here you can choose a configuration type, I chose the strater piplene package but it is no different from the other one, the configuration is the same
Here I change the password of the administrator user so that I can access it
net user administrator Password@1
After typing Koutu, I save and run
After successful registration
We connect with evil-winrm
evil-winrm -i 10.10.10.10.203 -u administrator -p Password@1
That’s how we got the root flag.