OSCP PREPARATIONS – HTB Worker

Worker is an intentionally vulnerable Windows machine among the retired Hack The Box machines. We are expected to obtain the user and root flags by using its vulnerabilities.
We perform a network scan with nmap to identify the services on the target machine.
Classic Scan

Full Port Scan

The port scan shows that “80/tcp http Microsoft IIS httpd 10.0”, “3690/tcp svnserve Subversion” and “5985 wsman” are open.
Let’s enumerate port 3690 first. (svnserve is the Subversion server; svn is a version control system used to maintain current and past versions of projects. It is licensed under Apache.)
We enumerate it as described in HackTricks:
https://book.hacktricks.xyz/network-services-pentesting/3690-pentesting-subversion-svn-server
svn ls svn://10.10.10.203 #list
svn log svn://10.10.10.203 #Commit history
svn checkout svn://10.10.10.203 #Download the repository
svn up -r 2 #Go to revision 2 inside the checkout folder

svn checkout svn://10.10.10.203

We use this command to pull the files to our local machine.

When we look at the logs, the user nathen appears to have deployed scripts. Let’s look at the scripts he deployed.

The Moved.txt and deploy.ps1 files are our primary targets. Let’s look at the contents of the files we downloaded locally.
There is a dimension.worker.htb directory; I first add this name to my /etc/hosts file in case it is a subdomain.

We read the contents of Deploy.ps1
$user = "nathen"
$plain = "wendel98"
We note down the information and continue.
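Plaintext credentials like these, left in a script under version control, can be caught before they are committed. The following is an added example, not part of the original write-up: a small Python check that flags string literals assigned to secret-looking variables and ConvertTo-SecureString calls with -AsPlainText that are fed from a literal. The scan function, the variable-name list and the sample script are assumptions of this example.

```python
import re

# PowerShell also accepts typographic quotes as string delimiters, so match them too.
Q = "\"'\u201c\u201d\u2018\u2019"
# $name = "literal"
ASSIGN = re.compile(rf"^\s*\$(?P<name>\w+)\s*=\s*[{Q}](?P<value>[^{Q}]+)[{Q}]")
# Variable names that suggest a secret (heuristic list, an assumption of this example).
SENSITIVE = re.compile(r"pass|pwd|plain|secret|token|apikey", re.I)
# ConvertTo-SecureString [-String] <$var | "literal"> ... -AsPlainText
TO_SECURE = re.compile(
    rf"ConvertTo-SecureString\s+(?:-String\s+)?"
    rf"(?:\$(?P<var>\w+)|[{Q}](?P<lit>[^{Q}]+)[{Q}]).*-AsPlainText",
    re.I,
)


def scan(script):
    """Return (line_no, rule, variable) tuples for hardcoded secrets in a script."""
    literals = set()  # lower-cased names of variables assigned a string literal
    findings = []
    for no, line in enumerate(script.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue  # whole-line comment
        m = ASSIGN.match(line)
        if m:
            literals.add(m["name"].lower())  # PowerShell names are case-insensitive
            if SENSITIVE.search(m["name"]):
                findings.append((no, "literal-secret", m["name"]))
        m = TO_SECURE.search(line)
        if m and m["lit"]:
            findings.append((no, "plaintext-securestring", "<literal>"))
        elif m and m["var"].lower() in literals:
            findings.append((no, "plaintext-securestring", m["var"]))
    return findings


# Constructed sample: the two assignments shown above plus invented lines.
SAMPLE = '''\
# deploy script (constructed)
$user = "nathen"
$plain = "wendel98"
$sec = ConvertTo-SecureString $plain -AsPlainText -Force
$ok = ConvertTo-SecureString $env:DEPLOY_PW -AsPlainText -Force
$Token = "abc#123"
'''

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

Because Subversion keeps every revision, a secret found this way also has to be rotated, not just deleted from the latest revision.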
We could not see the Moved.txt file at first; interestingly, it appeared when we checked out again 🙂

In the Moved.txt file, we found http://devops.worker.htb. We add this to our /etc/hosts file.
Before looking at the subdomains, let’s enumerate port 80.

We get the default IIS server page, so we run a gobuster scan.

We didn’t get any results. It’s time to look at the subdomains.
devops.worker.htb

It asks us for credentials. We log in with the credentials that we found in Deploy.ps1:
$user = "nathen"
$plain = "wendel98"
We were able to log in successfully with these credentials.

We came across Azure DevOps.
Here we have the smarthotel360 project and we click on it.

Here I do a bit of enumeration because of the webmail.
Here we have

We saw the New tab where we can add files.
We tried to edit it here, but without success.

To add the file here, I created a branch named test.

We have uploaded cmdasp.aspx, as seen here.
Here we click on the “Create a pull request” button.

Then I write the title.

We click Create.
Afterwards

We fill in the requested information, click the places marked with the arrows and click Complete.

After clicking Complete

Coming up
I then followed it up with

We run it by clicking Queue.

After completion

They are all ticked like this. Now let’s go to the target URL and see if our shell is working.

As you can see here, the shell is working.
Here we create a PowerShell reverse shell that connects back to us.
(We used https://www.revshells.com/ to create the reverse shell.)

When we run this shell script, we get our shell as the iis apppool\defaultapppool user.

We enumerated here, but interestingly we could not find anything in the user folders.

In case there is a different disk, we execute the command
wmic logicaldisk get caption
Here we see the W: disk.

And we moved to the W: disk.

We obtained passwords in the passwd file.
It matches the password “wendel98” that we entered for the nathen user. Let’s look at this user in detail.
We look in detail at the robisl and restorer users, which have directories.

We connect as the robisl user.

We got the user flag.

We got permission denied, so we do local enumeration.
We didn’t get much from it. Let’s log in with these credentials and look at the DevOps site again.

Here we see a different project, PartsUnlimited.
After clicking it, we go to the Pipelines section and create a new pipeline.

Here you can choose a configuration type. I chose the starter pipeline, but it is no different from the other one; the configuration is the same.

Here I change the password of the administrator user so that I can access it:
net user administrator Password@1

After typing the command, I save and run.
After it is saved successfully

We connect with evil-winrm:
evil-winrm -i 10.10.10.203 -u administrator -p Password@1

That’s how we got the root flag.