HackTheBox Writeup — Worker

Hello Guys , I am Faisal Husaini. My username on HTB is “fa1sal” . Also join me on discord.

The IP of this box is 10.10.10.203

Port Scan

Running NMAP full port scan on it , we get

We get 3 Open Ports for Web , SnvServe and WinRM

Moving to the web part first

Initial Foothold

Checking the web, we get the default Microsoft IIS server webpage

Nothing interesting on it yet to we move onto enumerating the svnserve

We run nmap scripts for enumerating more on svnserve and see that no authentication is needed on it

So we use svn list command to list the files in the repository

We get a subdomain which we will put on our hosts file and then move onto checking into the web

We get a wonderful webpage, clicking on the Work link, we get the contents of it where we see more links leading to different subdomains

Clicking on the Alpha link leads us to the subdomain alpha.worker.htb which isnt currently on my hosts file , so will add it for future use

Now for the time being, I enumerated more on svnserve and checked the differences on my working copy and the master copy of the repository and found another subdomain along with credentials, putting that subdomain into the hosts file

Checking the devops.worker.htb domain and it prompts us for basic authentication

We enter the creds we got from svnserve and login to dashboard

We see one project named SmartHotel360, clicking on it and moving towards the Repos section

We can switch to alpha repository and upload our aspx web shell on a different branch created by us

We created the branch and now upload our shell

Now we have to create a pull request, we can see the link already in the above of our contents area

We created our pull request by approving it ourself and also link a work item

Since we uploaded our shell to the alpha repository, we can access it on its domain and get code execution successfully

I used metasploit’s web_delivery system to get meterpreter and then shell to work on

We have shell as low privilege user, so we will now move onto escalating to a better privileged user

User Escalation

We check the local drive shares on the machine and see there is a W drive

We switched to that drive and then check the contents on that drive

On the svnrepos\www\conf folder, we have a file named passwd containing all the usernames and their passwords, we can also see the credentials which we got before

Checking the current users on the box, we see that robisl is a user and we have the credentials for it on the passwd file

We used evil-winrm to connect to the machine with the new credentials we got and then get the user flag

Privilege Escalation

We log into the devops.worker.htb domain again but this time with the creds of robisl uer

We see some other project this time and clicking on it

We see that there is an option on the left side pane for building Pipelines

We can use this functionality to get RCE, we follow the below steps

We select the Azure Repos Git option

We select the PartsUnlimited repository and then click Continue

Now we selected the YAML file option and then it leads us to put our YAML code and then we put the code which will copy the root flag to a temp directory and change its permission to be accessible to robisl user

We saved and run the code and it succeeded

Now checking back in the shell, we have our root flag which we can access

If you might wondering why not getting a shell , we can get shell using the metasploit’s web_delivery method and get meterpreter first and then shell as NT Authority\System

References

Hacker | Bug Hunter | Python Coder | Gamer | Reverse Engineering Lover

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store