Introduction

As always I start with a baseline AutoRecon scan. I began using AutoRecon well studying for the OSCP and never stopped. AutoRecon showed me that the following ports were open 80/3690.

3690 showed a svndiff error code. A short Google later and I found this page. I would definitely recommend giving it a good read.

Copy
Running Checkout gave me Revision 5. I used diff to view the changes for 2-3.

Running Checkout gave me Revision 5. I used diff to view the changes for 2-3.

After seeing the URLs devops.worker.htb, dimension.worker.htb and spectral.worker.htb. I added these to my host file (spectral you find later):

Copy
Adding to the domains to my host file.

Adding to the domains to my host file.

Next, I navigated over to the Dimension page to view a standard HTML5 website. Navigating to Devops took me to a login prompt. I used Nathen’s creds and proceeded to log in.

Reverse Shell

This next part was a pain in the ass and took a lot of trial and error. Also, I found my web shell would be deleted within minutes of deploying. Below are the instructions but be fast:

Create a new branch under the Repos > Files section.

Create a new branch under the Repos > Files section.

Once the branch has been created use F5 or leave Files and back to select it.

Once the branch has been created use F5 or leave Files and back to select it.

Upload your reverse shell and assign work items to it. I used aspxshell as I saw no scripts running and it was on IIS.

Upload your reverse shell and assign work items to it. I used aspxshell as I saw no scripts running and it was on IIS.

Create a pull request after uploading the file.

Create a pull request after uploading the file.

Create a pull request after uploading the file.

Confirm the pull request and select Create.

Approve and Complete the request.

Approve and Complete the request.

If everything went as planned you should see this.

If everything went as planned you should see this.

Noting the repo name and the naming convention so far I added spectral.worker.htb in my hosts file and headed over to the web shell.

Inside the web shell I noted robisl as a user.

Inside the web shell I noted robisl as a user.

I would recommend against looking around using the web shell as it dropped on me several times and required me to repeat the above process. In the Execute command use the following after setting up a reverse shell. You will need to change HTBIP and the port (if needed):

Copy

I got above well-doing research for the OSCP and the link to all the one-liners can be found here. After getting access to the shell I navigated around the W:\ directory until I found a file called passwd. More information regarding it can be found here. I used this file along with the users found earlier to grab Robisl password. Next, as this was a Windows machine and I got in with PowerShell I used Evil-WinRM to connect to the machine.

Copy
Capping the user flag.

I used Evil-WinRM to grab WinPEAS and a few other tools which lead me nowhere. Eventually, I found if you go back to DevOps but log in as the user robisl you are presented with a PartsUnlimited platform. This PartsUnlimited is actually an e-commerce website platform designed by Microsoft.

The next part took some trial and error but knowing my way around Application Lifecycle Management solutions and Azure pipelines helped a lot. An article I would recommend reading would be Death from Above as it is knowledge adjacent.

Go for Root

Start by creating a new Pipeline. My final Pipeline was about 10 after I started..

Start by creating a new Pipeline. My final Pipeline was about 10 after I started..

Use Azure Reports Git and select PartsUnlimited as its currently active..

Use Azure Reports Git and select PartsUnlimited as its currently active..

Select Starter pipeline

Select Starter pipeline.

Remove everything and add in the following:

Copy

I tried a multi-line script and it failed to create my own user. This was the only method that didn’t fall over at the deployment or connection level.

After finalizing the deployment I logged into Evil-WinRM with my new credentials.

After finalizing the deployment I logged into Evil-WinRM with my new credentials.

Rooted

Published On: January 30th, 2021 / Categories: HTB, Technology / Tags: , , , , , , /

Leave A Comment