Subversion (SVN)


Nmap discovered a Subversion server on the target's port 3690. The running service is Subversion.

Apache Subversion (often abbreviated SVN, after its command name svn) is a software versioning and revision control system distributed as open source under the Apache License. Software developers use Subversion to maintain current and historical versions of files such as source code, web pages, and documentation. Its goal is to be a mostly compatible successor to the widely used Concurrent Versions System (CVS).

Unlike Git, Apache Subversion is a centralized version control system, storing the entire project history in a central repository. This differs from Git’s distributed model, where each user has a complete repository, allowing greater flexibility in collaboration and offline work.


┌──(kali㉿kali)-[~/…/htb/labs/worker/svn]
└─$ nc -vn $IP 3690        
(UNKNOWN) [10.10.10.203] 3690 (svn) open
( success ( 2 2 ( ) ( edit-pipeline svndiff1 accepts-svndiff2 absent-entries commit-revprops depth log-revprops atomic-revprops partial-replay inherited-props ephemeral-txnprops file-revs-reverse list ) ) ) 

The banner grab returns the following:

  • ( success ... ): Indicates that the operation was successful.
  • ( 2 2 ... ): This part may indicate version or compatibility information.
  • ( ): An empty set of parentheses, possibly indicating an empty set or no additional information for a particular aspect.
  • ( edit-pipeline svndiff1 accepts-svndiff2 absent-entries commit-revprops depth log-revprops atomic-revprops partial-replay inherited-props ephemeral-txnprops file-revs-reverse list ): This part seems to list various capabilities or parameters related to the successful operation. It includes edit pipeline support, handling svndiff1 and svndiff2, dealing with absent entries, commit revision properties, handling depth, log revision properties, atomic revision properties, partial replay, inherited properties, ephemeral transaction properties, reversing file revisions, and listing capabilities.
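The banner can also be split into named fields programmatically. The parser below is an added example, not part of the original write-up; its field names follow Subversion's svn:// protocol description, in which the greeting body is ( minver maxver mechs caps ), and the function names are hypothetical.

```python
# Banner exactly as returned on tcp/3690 in the session above.
BANNER = (
    "( success ( 2 2 ( ) ( edit-pipeline svndiff1 accepts-svndiff2 "
    "absent-entries commit-revprops depth log-revprops atomic-revprops "
    "partial-replay inherited-props ephemeral-txnprops file-revs-reverse "
    "list ) ) ) "
)

def parse_items(text):
    """Parse space-separated protocol items into nested Python values.

    Handles numbers, words and lists, which is all a greeting contains;
    length-prefixed strings used elsewhere in the protocol are not handled.
    """
    tokens = text.split()
    pos = 0

    def read():
        nonlocal pos
        if pos >= len(tokens):
            raise ValueError("truncated banner")
        tok = tokens[pos]
        pos += 1
        if tok == ")":
            raise ValueError("unbalanced ')'")
        if tok != "(":
            return int(tok) if tok.isdigit() else tok
        items = []
        while pos < len(tokens) and tokens[pos] != ")":
            items.append(read())
        if pos >= len(tokens):
            raise ValueError("truncated banner")
        pos += 1  # consume the closing ")"
        return items

    value = read()
    if pos != len(tokens):
        raise ValueError("trailing data after greeting")
    return value

def parse_greeting(banner):
    """Split a greeting into status, protocol version range, mechanisms, capabilities."""
    status, body = parse_items(banner)
    if status != "success":
        raise ValueError("not a success response")
    min_ver, max_ver, mechs, caps = body
    return {"status": status, "min_version": min_ver, "max_version": max_ver,
            "mechanisms": mechs, "capabilities": caps}
```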

svn


An Apache Subversion server instance can be interacted with using svn, a command-line tool provided by Apache Subversion. This tool enables users to manage version-controlled files and directories, offering functionalities such as tracking changes, creating branches, and merging code, essential for collaborative software development and project management.

Repository


┌──(kali㉿kali)-[~/…/htb/labs/worker/svn]
└─$ svn ls svn://$IP
dimension.worker.htb/
moved.txt

The output lists two items in the repository:

  • a directory named dimension.worker.htb/
  • a file named moved.txt

While the directory name suggests a possible domain (worker.htb), prompting further investigation, I will be prioritizing the moved.txt file first.

moved.txt


┌──(kali㉿kali)-[~/…/htb/labs/worker/svn]
└─$ svn cat svn://$IP/moved.txt
This repository has been migrated and will no longer be maintaned here.
you can find the latest version at: http://devops.worker.htb
 
// the worker team :)

Reading the moved.txt file reveals the migration of the repository to a new location at http://devops.worker.htb. Notably, the file confirms the presence of the worker.htb domain. dimension.worker.htb and devops.worker.htb appear to be virtual hosts or sub-domains.

The domain information has been appended to the /etc/hosts file on Kali for local DNS resolution. This information may be leveraged to explore other available endpoints on the web server.

No Proxy

┌──(kali㉿kali)-[~/…/htb/labs/worker/svn]
└─$ svn ls svn://$IP               
dimension.worker.htb/
moved.txt
 
┌──(kali㉿kali)-[~/…/htb/labs/worker/svn]
└─$ svn ls svn://dimension.worker.htb 
dimension.worker.htb/
moved.txt
 
┌──(kali㉿kali)-[~/…/htb/labs/worker/svn]
└─$ svn ls svn://devops.worker.htb   
dimension.worker.htb/
moved.txt

The consistent results across different Subversion server URLs indicate the absence of a configured proxy. The listed resources (dimension.worker.htb/ and moved.txt) are the same, suggesting direct and unhindered access to the Subversion repository.

I will continue to enumerate the dimension.worker.htb directory.

dimension.worker.htb


┌──(kali㉿kali)-[~/…/htb/labs/worker/svn]
└─$ svn ls svn://$IP/dimension.worker.htb
LICENSE.txt
README.txt
assets/
images/
index.html

The dimension.worker.htb directory includes resources typically associated with a web root directory, suggesting it may function as a valid web application hosted on the web server.

┌──(kali㉿kali)-[~/…/htb/labs/worker/svn]
└─$ svn cat svn://$IP/dimension.worker.htb/index.html | wc -c
14588
 
┌──(kali㉿kali)-[~/…/htb/labs/worker/svn]
└─$ curl -s http://dimension.worker.htb/index.html | wc -c
14588

The content retrieved via svn and curl commands from the index.html file in the dimension.worker.htb directory is identical, confirming that the Subversion repository mirrors the content accessible through the web server. This alignment suggests synchronization between the Subversion repository and the hosted web application.

Info


┌──(kali㉿kali)-[~/…/htb/labs/worker/svn]
└─$ svn info svn://$IP                                              
Path: .
URL: svn://10.10.10.203
Relative URL: ^/
Repository Root: svn://10.10.10.203
Repository UUID: 2fc74c5a-bc59-0744-a2cd-8b7d1d07c9a1
Revision: 5
Node Kind: directory
Last Changed Author: nathen
Last Changed Rev: 5
Last Changed Date: 2020-06-20 15:52:00 +0200 (Sat, 20 Jun 2020)

Querying for info shows a username: nathen. It also reveals that the current repository has been “revisioned” 5 times.

Log


┌──(kali㉿kali)-[~/…/htb/labs/worker/svn]
└─$ svn log svn://$IP 
------------------------------------------------------------------------
r5 | nathen | 2020-06-20 15:52:00 +0200 (Sat, 20 Jun 2020) | 1 line
 
Added note that repo has been migrated
------------------------------------------------------------------------
r4 | nathen | 2020-06-20 15:50:20 +0200 (Sat, 20 Jun 2020) | 1 line
 
Moving this repo to our new devops server which will handle the deployment for us
------------------------------------------------------------------------
r3 | nathen | 2020-06-20 15:46:19 +0200 (Sat, 20 Jun 2020) | 1 line
 
-
------------------------------------------------------------------------
r2 | nathen | 2020-06-20 15:45:16 +0200 (Sat, 20 Jun 2020) | 1 line
 
Added deployment script
------------------------------------------------------------------------
r1 | nathen | 2020-06-20 15:43:43 +0200 (Sat, 20 Jun 2020) | 1 line
 
First version
------------------------------------------------------------------------

The revision log provides insights into the history of changes made to the repository. The sequential numbering up to revision 5 indicates the evolution of the repository over time. Each log entry includes a note appended by the nathen user, revealing information about specific actions.

The presence of a migration note and mentions of a new devops server and deployment script suggest a significant transition in the repository’s structure and deployment process. Further investigation into the nature of these changes is warranted, as they may hold clues about the repository’s current configuration.

Moreover, it is crucial to consider that historical revisions or commits might contain sensitive information, such as credentials or configurations. A thorough examination of older revisions is recommended to identify any potential security implications.

Reversion


Reverting the current repository to older revisions is easily accomplished using the up command in svn. This command efficiently navigates through the repository’s history, allowing users to explore and extract specific versions as needed.

┌──(kali㉿kali)-[~/…/htb/labs/worker/svn]
└─$ svn checkout svn://$IP
A    dimension.worker.htb
A    dimension.worker.htb/
[...REDACTED...]
A    moved.txt
Checked out revision 5.

In order to use the up command in svn, the repository must be locally available. For that, I will download the current repository to Kali using the checkout command.

┌──(kali㉿kali)-[~/…/htb/labs/worker/svn]
└─$ ll         
total 20K
4.0K drwxr-xr-x 4 kali kali 4.0K Nov 23 09:44 .
4.0K drwxr-xr-x 4 kali kali 4.0K Nov 23 09:42 dimension.worker.htb
4.0K -rw-r--r-- 1 kali kali  162 Nov 23 09:42 moved.txt
4.0K drwxr-xr-x 4 kali kali 4.0K Nov 23 09:41 .svn
4.0K drwxr-xr-x 5 kali kali 4.0K Feb  6  2023 ..

The repository has been downloaded to Kali. The notable aspect is the presence of the .svn directory.

Similar to the .git directory in Git, the .svn directory in Apache Subversion (SVN) serves as a crucial repository metadata storage. Understanding the contents of the .svn directory is paramount, offering insights into repository structure and potentially exposing sensitive information.

r1


┌──(kali㉿kali)-[~/…/htb/labs/worker/svn]
└─$ svn up -r 1
updating '.':
D    moved.txt
Updated to revision 1.

Reverting to revision 1 resulted in the removal of the moved.txt file.

┌──(kali㉿kali)-[~/…/htb/labs/worker/svn]
└─$ ll dimension.worker.htb 
total 56K
4.0k drwxr-xr-x 4 kali kali 4.0k nov 23 09:56 ..
4.0k drwxr-xr-x 4 kali kali 4.0k nov 23 09:42 .
 16k -rw-r--r-- 1 kali kali  15k nov 23 09:42 index.html
4.0k drwxr-xr-x 2 kali kali 4.0k nov 23 09:42 images
4.0k drwxr-xr-x 6 kali kali 4.0k nov 23 09:41 assets
 20k -rw-r--r-- 1 kali kali  17k nov 23 09:41 LICENSE.txt
4.0k -rw-r--r-- 1 kali kali  771 nov 23 09:41 README.txt

Additionally, the dimension.worker.htb directory doesn’t appear to have changed much.

r2


┌──(kali㉿kali)-[~/…/htb/labs/worker/svn]
└─$ svn up -r 2            
Updating '.':
A    deploy.ps1
Updated to revision 2.

Reverting to revision 2 added a PowerShell script: deploy.ps1.

CLEARTEXT Credential

┌──(kali㉿kali)-[~/…/htb/labs/worker/svn]
└─$ cat deploy.ps1   
$user = "nathen" 
$plain = "wendel98"
$pwd = ($plain | ConvertTo-SecureString)
$Credential = New-Object System.Management.Automation.PSCredential $user, $pwd
$args = "Copy-Site.ps1"
Start-Process powershell.exe -Credential $Credential -ArgumentList ("-file $args")

The PowerShell script, deploy.ps1, appears to start a process that executes another PowerShell script, Copy-Site.ps1. While the presence of Copy-Site.ps1 raises questions, the deploy.ps1 file contains a PSCredential object with a CLEARTEXT password for the nathen user.

nathen:wendel98

Validation Failure & Speculation

┌──(kali㉿kali)-[~/…/htb/labs/worker/svn]
└─$ evil-winrm -i $IP -u nathen -p 'wendel98'                     
 
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
Error: An error of type WinRM::WinRMAuthorizationError happened, message is WinRM::WinRMAuthorizationError
Error: Exiting with code 1

Attempting to validate the found credential against the target WinRM server fails. This suggests that the credential of the nathen user has since been updated.

However, it was mentioned that the current Subversion server has been migrated and is no longer maintained. devops.worker.htb is the new location over the web server, and it is observed to be locked behind basic HTTP authentication.

Although the system credential of the nathen user has been updated, the credential might still be used for other purposes. Additionally, given the history of malpractice, the user might not have updated the password and may be reusing it.

r3


┌──(kali㉿kali)-[~/…/htb/labs/worker/svn]
└─$ svn up -r 3            
updating '.':
U    deploy.ps1
Updated to revision 3.

Reverting to revision 3 updated the deploy.ps1 file, which was created in revision 2 above.

┌──(kali㉿kali)-[~/…/htb/labs/worker/svn]
└─$ cat deploy.ps1      
$user = "nathen" 
# note: We cant have my password here!!!
$plain = ""
$pwd = ($plain | ConvertTo-SecureString)
$Credential = New-Object System.Management.Automation.PSCredential $user, $pwd
$args = "Copy-Site.ps1"
Start-Process powershell.exe -Credential $Credential -ArgumentList ("-file $args")                                                                                                                                        

It would appear that someone noted the malpractice of using a CLEARTEXT credential and replaced the value of the $plain variable with a note. This may suggest that there is another admin user with at least the same amount (if not more) of privileges as the nathen user.

r4


┌──(kali㉿kali)-[~/…/htb/labs/worker/svn]
└─$ svn up -r 4   
Updating '.':
D    deploy.ps1
Updated to revision 4.

The deploy.ps1 file was deleted in revision 4, likely as a security measure.
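From the repository owner's side, the r2 to r4 sequence shows that blanking or deleting a file leaves the earlier content in history, so history itself has to be audited. The scanner below is an added example, not part of the original write-up: it reads text shaped like `svn log --diff` output and reports added lines that assign a non-empty literal to a password-like variable. The sample log is constructed from the deploy.ps1 revisions above, and the variable-name list and function name are assumptions.

```python
import re

# Constructed sample shaped like `svn log --diff` output, built from the
# deploy.ps1 revisions shown above (r3 and r2 only, context trimmed).
SAMPLE_LOG = '''\
------------------------------------------------------------------------
r3 | nathen | 2020-06-20 15:46:19 +0200 (Sat, 20 Jun 2020) | 1 line

-

Index: deploy.ps1
===================================================================
--- deploy.ps1\t(revision 2)
+++ deploy.ps1\t(revision 3)
@@ -2 +2,2 @@
-$plain = "wendel98"
+# note: We cant have my password here!!!
+$plain = ""
------------------------------------------------------------------------
r2 | nathen | 2020-06-20 15:45:16 +0200 (Sat, 20 Jun 2020) | 1 line

Added deployment script

Index: deploy.ps1
===================================================================
--- deploy.ps1\t(nonexistent)
+++ deploy.ps1\t(revision 2)
@@ -0,0 +1,3 @@
+$user = "nathen"
+$plain = "wendel98"
+$pwd = ($plain | ConvertTo-SecureString)
'''

REV = re.compile(r"^r(\d+) \| ([^|]+?) \|")
# Variable-name list is an assumption; extend it for your own code base.
SECRET = re.compile(r"""\$(\w*(?:plain|pass|pwd|secret)\w*)\s*=\s*["']([^"']+)["']""", re.I)

def find_secrets(log_text):
    """Return (rev, author, path, variable, masked value) for each added secret line."""
    findings, rev, author, path = [], None, None, None
    for line in log_text.splitlines():
        if m := REV.match(line):  # new revision; its log message is not scanned
            rev, author, path = int(m.group(1)), m.group(2), None
        elif line.startswith("Index: "):
            path = line[len("Index: "):]
        elif path and line[:1] == "+" and line[:3] != "+++" and (s := SECRET.search(line)):
            masked = s.group(2)[:2] + "*" * (len(s.group(2)) - 2)  # avoid re-leaking
            findings.append((rev, author, path, s.group(1), masked))
    return findings
```

A hit in any revision means the credential must be rotated, since every client that can read the repository can still retrieve that revision.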