# Hack The Box - Worker Writeup

Hack The Box is an online platform allowing you to test your penetration testing skills and exchange ideas and methodologies with thousands of people in the security field.

Worker is a Medium level Windows machine. Based on the creator and community statistics, this box is highly customized and will require us to put some extra effort into the enumeration phase.

## Information Gathering

#### Nmap

By scanning the target IP with Nmap, we’re able to find what ports are open (-p), while fingerprinting the services running and their versions (-sV). We’re also running the default set of scripts (-sC), which can help find additional information and automate some of our initial steps. Once the scan is completed, nmap will write the results to our Extracts folder (-oA)
>> nmap -p80,3690,5985 -sC -sV -oA Extracts/Worker 10.10.10.203

• Port 80 - HTTP: A basic IIS websever that doesn’t immediately appear to be hosting content. We’ll need to look around more for the proper hostnames to use.
• Port 3690 - svnserve: SVN, or Subversion, is an open-source, centralized version control system. We can start looking here for any open files/directories to dig through.
• Port 5985 - HTTP: Although nmap shows this port is hosting some type of HTTP server, port 5985 is also used for WinRM. If we’re able to find credentials, it’s possible this will be our way into the machine.

### Subversion

Using the SVN CLI tool, let’s connect to the server and list out the directories and files available.
>> svn ls svn://10.10.10.203

There’s a dimension.worker.htb reference that we can add to our hosts file, as well as a directory containing the website and moved.txt file. Our next step is to copy down the contents to our local machine.
>> svn cp svn://10.10.10.203 ./svn

### Worker site

Digging around the dimension.worker.htb site, we come across a collection of additional subdomains including alpha, cartoon, lens, solid-state, spectral, and story. None of these sites appeared to have anything of value.

### Version Hostory

Reading the moved.txt file, it looks like the latest version of the site has been migrated to devops.worker.htb.

One of the main features of version control is the ability to track changes and revisit previous iterations of a file. Using the SVN CLI, we’re able to check the logs for any comments that stand out as referencing the past site.
>> svn log svn://10.10.10.203

Let’s check out the changes lining up with r2, “Added deployment script”.
>> svn co -r2 svn://10.10.10.203/ ./r2

### Credentials

Looks like we’ve found Nathen’s credentials in the deployment script.

### Authentication

Navigating to the devops site referenced in the moved.txt file, we’re hit with a login screen. Let’s try out Nathen’s credentials.

### Azure DevOps

Azure DevOps is a platform for storing, testing, and deploying source code using the CI/CD (Continuous Integration / Continuous Delivery) framework. As changes are commited, Azure DevOps has all the information it needs to access and make updates to resources. We should be able to leverage our access here, leading to additional compromise.

## Foothold

### Deploying our Webshell

From the Spectral Repository, we’ll first create a new branch for us to make changes to.

Upload our ASPX Webshell to the branch.

With our changes made, we can create a pull request to merge them in and trigger the CI/CD process. This will deploy the shell to http://spectral.worker.htb/shell.aspx

Applying the final touches to the PR, we’re able to approve it and get it deployed.

### Webshell

Navigating to our Webshell, we’re able to look around the machine for interesting files and information. Located in the W:/svnrepos/www/conf/ directory, a passwd file contains credentials for a wide range of users.

Comparing the discovered credentials with the list of users we see in the C:/Users/ directory, it looks like user robisl will be our way in.

### WinRM

Now that we have credentials for the target box, we can user Evil-WinRM to get a shell.
>> evil-winrm -i 10.10.10.203 -u robisl -p wolves11

### User Flag

>> type ../Desktop/user.txt

## Privilege Escalation

Using robisl’s credentials, let’s try to log into the Azure DevOps platform and see what kind of access he has.

### Azure DevOps Pipeline

Another feature of Azure DevOps is the ability to create build pipelines. A pipeline is a representation of the automation process that runs to build and test an application. The automation process is just a collection of tasks that we can define. We should be able to use this feature to execute commands on the server.

Navigate to Pipelines > New Pipeline

Select Azure Repos Git

Choose the PartsUnlimited repository, and then the Starter Pipeline. Here, we’ll update the pipline to print out the contents of the root flag file right into its output.