nmap

```
└─$ sudo nmap -sS 10.10.10.203 -p80,3690 -sV --min-rate=2000
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-23 00:14 EST
Nmap scan report for 10.10.10.203
Host is up (0.26s latency).

PORT     STATE SERVICE  VERSION
80/tcp   open  http     Microsoft IIS httpd 10.0
3690/tcp open  svnserve Subversion
5985/tcp
```
To User

SVN is exposed. Trying it without credentials works, and the repository has 5 revisions.
```
└─$ svn info svn://10.10.10.203:3690
Path: .
URL: svn://10.10.10.203
Relative URL: ^/
Repository Root: svn://10.10.10.203
Repository UUID: 2fc74c5a-bc59-0744-a2cd-8b7d1d07c9a1
Revision: 5
Node Kind: directory
Last Changed Author: nathen
Last Changed Rev: 5
Last Changed Date: 2020-06-20 09:52:00 -0400 (Sat, 20 Jun 2020)
```
Just pull the whole thing down.

```
svn checkout svn://10.10.10.203:3690
```
This yields a subdomain, dimension, and a moved.txt.

```
└─$ ls
dimension.worker.htb  moved.txt
```
The latest version has been migrated to devops.worker.htb.

```
└─$ cat moved.txt
This repository has been migrated and will no longer be maintaned here.

You can find the latest version at:
http://devops.worker.htb

// The Worker team :)
```
Take a look at the revision history.

```
└─$ svn log
------------------------------------------------------------------------
r5 | nathen | 2020-06-20 09:52:00 -0400 (Sat, 20 Jun 2020) | 1 line

Added note that repo has been migrated
------------------------------------------------------------------------
r4 | nathen | 2020-06-20 09:50:20 -0400 (Sat, 20 Jun 2020) | 1 line

Moving this repo to our new devops server which will handle the deployment for us
------------------------------------------------------------------------
r3 | nathen | 2020-06-20 09:46:19 -0400 (Sat, 20 Jun 2020) | 1 line

-
------------------------------------------------------------------------
r2 | nathen | 2020-06-20 09:45:16 -0400 (Sat, 20 Jun 2020) | 1 line

Added deployment script
------------------------------------------------------------------------
r1 | nathen | 2020-06-20 09:43:43 -0400 (Sat, 20 Jun 2020) | 1 line

First version
------------------------------------------------------------------------
```
Roll back one revision at a time.

```
svn up -r version_num

===r3 updated deploy.ps1 but no passwd
└─$ cat deploy.ps1
$user = "nathen"
$plain = ""
$pwd = ($plain | ConvertTo-SecureString)
$Credential = New-Object System.Management.Automation.PSCredential $user , $pwd
$args = "Copy-Site.ps1"
Start-Process powershell.exe -Credential $Credential -ArgumentList ("-file $args " )

===r2 U deploy.ps1 get password
└─$ cat deploy.ps1
$user = "nathen"
$plain = "wendel98"
$pwd = ($plain | ConvertTo-SecureString)
$Credential = New-Object System.Management.Automation.PSCredential $user , $pwd
$args = "Copy-Site.ps1"
Start-Process powershell.exe -Credential $Credential -ArgumentList ("-file $args " )
```
r2 contains a username and password: the credential was scrubbed in r3, but it remains in the repository history.
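The rollback above is what a repository secret scan automates. As an added example (not code from the original writeup), the following Python walks each revision of a file, flags plaintext credential assignments, and reports any that were removed later but are still recoverable from history; the revision contents are constructed samples modelled on deploy.ps1, with a placeholder in place of the real password.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: deploy.ps1 at two revisions, modelled on the r2/r3
# listings above. The password is a placeholder, not the real one.
SAMPLE_REVISIONS: Dict[int, str] = {
    2: '$user = "nathen"\n'
       '$plain = "sample-secret-123"\n'
       '$pwd = ($plain | ConvertTo-SecureString)\n',
    3: '$user = "nathen"\n'
       '$plain = ""\n'
       '$pwd = ($plain | ConvertTo-SecureString)\n',
}

# Variable assignments whose name hints at a credential and whose value is a
# non-empty quoted string, e.g. $plain = "..." or $password = '...'.
_ASSIGN = re.compile(
    r'\$(?P<name>\w*(?:pass|pwd|plain|secret|token|key)\w*)\s*=\s*'
    r'(?P<q>["\'])(?P<val>[^"\']+)(?P=q)',
    re.IGNORECASE,
)
# A literal handed straight to ConvertTo-SecureString with -AsPlainText.
_SECURESTR = re.compile(
    r'ConvertTo-SecureString\s+(?P<q>["\'])(?P<val>[^"\']+)(?P=q)\s+-AsPlainText',
    re.IGNORECASE,
)


def find_plaintext_secrets(text: str) -> List[Tuple[str, str]]:
    """Return (name, value) pairs for credential-like literals in one revision."""
    found = [(m.group("name"), m.group("val")) for m in _ASSIGN.finditer(text)]
    found += [("ConvertTo-SecureString", m.group("val")) for m in _SECURESTR.finditer(text)]
    return found


def scrubbed_but_in_history(revisions: Dict[int, str]) -> List[Tuple[int, str, str]]:
    """Secrets present in an older revision but gone from the newest one.

    Deleting a credential in a later commit does not delete it from the repo:
    anyone who can read history (here, anonymous svn) can roll back to it.
    """
    newest = max(revisions)
    still_there = {v for _, v in find_plaintext_secrets(revisions[newest])}
    leaked = []
    for rev in sorted(r for r in revisions if r != newest):
        for name, val in find_plaintext_secrets(revisions[rev]):
            if val not in still_there:
                leaked.append((rev, name, val))
    return leaked


if __name__ == "__main__":
    for rev, name, val in scrubbed_but_in_history(SAMPLE_REVISIONS):
        print(f"r{rev}: ${name} = {val!r} (removed later, still in history)")
```

Feeding it the real `svn cat -r N deploy.ps1` output for each revision gives the same finding the manual rollback did; the fix is rotating the credential, not only deleting it from the file.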
Use it to log in to devops.worker.htb.

One thing to watch out for: the Azure DevOps instance uses NTLM authentication, and with Burp running the NTLM handshake gets broken and ends in a 401, so I turned Burp off.

See this reference:

https://0xdf.gitlab.io/2019/06/01/htb-sizzle.html#beyond-root---ntlm-auth
Once logged in, we land in the Azure DevOps workspace.

The current user is nathen.

He is assigned one project, which contains quite a few repositories.

One of them is dimension.

Going back to visit dimension:

```
└─$ curl dimension.worker.htb -sv
* Host dimension.worker.htb:80 was resolved.
* IPv6: (none)
* IPv4: 10.10.10.203
*   Trying 10.10.10.203:80...
* Connected to dimension.worker.htb (10.10.10.203) port 80
> GET / HTTP/1.1
> Host: dimension.worker.htb
> User-Agent: curl/8.8.0
> Accept: */*
>
* Request completely sent off
< HTTP/1.1 200 OK
< Content-Type: text/html
< Last-Modified: Fri, 03 Apr 2020 10:27:05 GMT
< Accept-Ranges: bytes
< ETag: "dcb2296ca29d61:0"
< Server: Microsoft-IIS/10.0
< X-Powered-By: ASP.NET
< Date: Sun, 24 Nov 2024 08:58:24 GMT
< Content-Length: 14588
```
The site links to quite a few more subdomains.

```
└─$ curl dimension.worker.htb -s |grep -E 'http://[^.]+.worker.htb' -o
http://alpha.worker.htb
http://cartoon.worker.htb
http://lens.worker.htb
http://solid-state.worker.htb
http://spectral.worker.htb
http://story.worker.htb
```
Since the sites are ASP.NET and we now have access to the production repositories in the Azure DevOps instance that deploys them, uploading a webshell is the natural next step.

Pushing directly to master, however, is rejected:

```
TF402455: Pushes to this branch are not permitted; you must use a pull request to update this branch.
```

So pick a repository you like and create a branch.

Upload the webshell in that branch. I initially uploaded the wrong thing, an .asp shell; it needs to be .aspx.

After uploading, open a pull request; the linked work item must not be left out.

Then approve your own pull request,

and merge it.

Wait for the deployment.

While waiting, look at the deployment file: it shows that the sites are deployed under w:\sites\.
With the webshell in place, spawn a reverse shell. It comes back as the web user. Switch to W: and look around.

In svnrepos I found a passwd file; at first I thought it was just a sample.

Then I looked at the user directories.

```
PS W:\svnrepos\www\conf> dir c:/users/

    Directory: C:\users

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
d-----        2020-03-28  14:59                .NET v4.5
d-----        2020-03-28  14:59                .NET v4.5 Classic
d----l        2020-08-18  00:33                Administrator
d-r---        2020-03-28  14:01                Public
d-----        2020-07-22  01:11                restorer
d-----        2020-07-08  19:22                robisl
```

The password for the robisl user turned out to be in that passwd file.

Log in with WinRM and get user.
To Root

Nothing useful turned up in this user's directories, so log in to Azure DevOps to see whether the user has any projects.

Unlike the first user, this one is assigned a different project.

There is nothing useful in its repository, but the user does have permission to edit builds.

The script step of Azure Pipelines can run commands during a build; see the documentation:

https://learn.microsoft.com/zh-cn/azure/devops/pipelines/scripts/powershell?view=azure-devops&tabs=yaml

I created a default build pipeline, and it failed.

Looking into it, the project has no default pool.

So change default to the Setup pool, edit the pipeline again and save. I used curl as a test.

Run it; after a short wait the request came in.

Once it is confirmed to run, replace the test command with a reverse shell.

Get Root