HTB Worker Walkthrough

Spyx · January 30, 2021

This is a walkthrough of a retired machine on HTB: Worker.

First I ran a default nmap scan, and then I scanned all TCP ports.

Only 3 ports open:

  • HTTP on port 80
  • SVN service on port 3690
  • WinRM on port 5985

When I checked the web port, it was just the default IIS page.

I enumerated SVN with nmap scripts:

nmap -p 3690 --script svn-brute --script-args svn-brute.repo=/svn/ 10.10.10.203
Starting Nmap 7.91 ( https://nmap.org ) at 2021-01-30 01:39 EST
Nmap scan report for devops.worker.htb (10.10.10.203)
Host is up (0.16s latency).

PORT     STATE SERVICE
3690/tcp open  svn
| svn-brute:   
|_  Anonymous SVN detected, no authentication needed

Nmap done: 1 IP address (1 host up) scanned in 1.04 seconds

Bingo. I can get the repository from SVN, as no authentication is needed:

svn checkout svn://10.10.10.203

There is a website for dimension.worker.htb and one file called moved.txt.

The repository was moved to devops.worker.htb. I updated my /etc/hosts file for this subdomain, but this repository requires authentication.

As I did not have any credentials, I decided to return to SVN, as there was a possibility that earlier commits contained credentials. svn checkout has the option -r to pull an earlier commit.

Bingo, I got some credentials. As WinRM is enabled, I tried to log into the system, but no luck. Then I tried these creds on the devops site and I was in!
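The commit-history point above, seen from the repository owner's side, as an added example that is not part of the original post: it audits `svn log --diff`-style output for credential-like lines and reports the ones a later revision deleted but older revisions still serve. The sample log (simplified), the file name deploy.conf and all values are constructed.

```python
import re

REV = re.compile(r"^r(\d+) \| ")  # revision header line, e.g. "r2 | dev | ..."
SECRET = re.compile(r"(?i)\b(password|passwd|pwd|secret|token|api[_-]?key)\b\s*[:=]\s*(\S+)")

def audit_history(log_text):
    """Report credential-like lines in the history; secret values are never echoed."""
    seen, rev = {}, None
    for line in log_text.splitlines():
        header = REV.match(line)
        if header:
            rev = int(header.group(1))
            continue
        # Only added/removed diff lines matter; skip file headers and context lines.
        if rev is None or line[:1] not in ("+", "-") or line.startswith(("+++ ", "--- ")):
            continue
        hit = SECRET.search(line[1:])
        if hit:
            entry = seen.setdefault(line[1:].strip(), {"key": hit.group(1).lower(), "added": None, "removed": None})
            entry["added" if line[0] == "+" else "removed"] = rev
    findings = []
    for e in seen.values():
        # A later deletion only hides the value from HEAD; `svn checkout -r` still returns it.
        state = "live in HEAD" if e["removed"] is None else "deleted from HEAD, still in history"
        findings.append({**e, "state": state})
    return sorted(findings, key=lambda f: (f["added"] or 0, f["key"]))

# Constructed, simplified sample in the shape of `svn log --diff` output (newest first).
SAMPLE_LOG = """\
------------------------------------------------------------------------
r2 | dev | 2021-01-02 | 1 line
Remove password from deploy settings
--- deploy.conf (revision 1)
+++ deploy.conf (revision 2)
@@ -1,3 +1,2 @@
 user = example-user
-password = Example-Passw0rd
 api_key = CONSTRUCTED-KEY
------------------------------------------------------------------------
r1 | dev | 2021-01-01 | 1 line
Add deploy settings
--- deploy.conf (nonexistent)
+++ deploy.conf (revision 1)
@@ -0,0 +1,3 @@
+user = example-user
+password = Example-Passw0rd
+api_key = CONSTRUCTED-KEY
"""

if __name__ == "__main__":
    print(*audit_history(SAMPLE_LOG), sep="\n")
```

Anything reported as deleted from HEAD should be treated as exposed and rotated, since removing it in a later commit does not remove it from the repository.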

The site contains several websites; I picked twenty.worker.htb. On this repository I created a new branch, as it did not allow my pull request into the master one.

I copied a shell from my local system. As the system uses Windows, I decided to go with a basic aspx shell. Under the new branch I uploaded my shell.aspx.

Then I created a pull request and approved it. I didn't get any error message, so I edited my /etc/hosts file and visited twenty.worker.htb/cmd.aspx.

I quickly ran whoami and systeminfo. I was running as the web service and the system was Windows Server 2019. As it's a new system, I decided to run a nishang PowerShell script to get a proper reverse shell.

I was in! I moved to the Public folder and ran winpeas.exe. WinPEAS told me there was a W drive. I started looking for clues and found a passwd file.

The file contained passwords and usernames in clear text. One user matched one in the C:\users folder.

I tried evil-winrm and I was in as user robisl. I started looking for options and re-ran WinPEAS in case I had missed something. Then I tried to log in as robisl to devops.worker.htb, and there was another repo. This repo allows running a pipeline for the application. As I was able to run anything, why not add robisl as administrator?

It worked, and after relaunching my evil-winrm session I was administrator on the box.

Thank you for reading.