# Accessing Azure DevOps

On visiting <http://dimension.worker.htb/#work> I see additional subdomain links for worker.htb. I can use curl and grep to parse all the subdomains, and also add these to /etc/hosts.

To explain: “-s” is to keep it silent so it will not show progress meters or errors, and “-q” is to help create query sets. This option adds content, usually a name + value pair, to the end of the query part of the provided URL.

<figure><img src="https://2022164620-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FtzurpgroDJSMn9AFVmQP%2Fuploads%2F3rqylfdunX26IDF1wfYk%2Fimage.png?alt=media&#x26;token=27464631-405c-4847-8882-a604e42ebe70" alt=""><figcaption></figcaption></figure>

“-o” is for output to write to file, to only grab what was grep’d.

<figure><img src="https://2022164620-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FtzurpgroDJSMn9AFVmQP%2Fuploads%2FiarooZHr5dUItit7QJ0Q%2Fimage.png?alt=media&#x26;token=f21d7d83-d9ad-4c45-bb36-b165c25c7363" alt=""><figcaption></figcaption></figure>

Added http:// and now I only have a list of the domains.

<figure><img src="https://2022164620-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FtzurpgroDJSMn9AFVmQP%2Fuploads%2Fg7ojp2WsI7ieBypYfLIj%2Fimage.png?alt=media&#x26;token=04c61639-b97c-4e47-b39d-4a23b65851cb" alt=""><figcaption></figcaption></figure>

Added | sed to make it easier to copy and paste the URLs as necessary.

<figure><img src="https://2022164620-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FtzurpgroDJSMn9AFVmQP%2Fuploads%2Fb4EeqFzYRAioYOcsz3bp%2Fimage.png?alt=media&#x26;token=7083a97f-0064-4c63-aaac-a81ad6f9633f" alt=""><figcaption></figcaption></figure>

Now to double check that the hosts file has been populated.

<figure><img src="https://2022164620-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FtzurpgroDJSMn9AFVmQP%2Fuploads%2FXoCinqmIeqzWbMZiaau3%2Fimage.png?alt=media&#x26;token=900c1673-fe48-4f0e-8631-857320cf9813" alt=""><figcaption></figcaption></figure>
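The commands for the steps above exist only in the screenshots. As an added example (not the author's exact commands), this sketch reproduces the grep, sed and hosts-file steps offline on constructed HTML. The alpha/beta host names and the address 192.0.2.10 are placeholders.

```shell
#!/bin/sh
# Constructed sample standing in for the page that `curl -s` would fetch.
# The alpha/beta host names are made up for this example.
sample_html() {
cat <<'EOF'
<a href="http://alpha.worker.htb/">Alpha</a>
<a href="HTTP://Beta.Worker.HTB/index.html">Beta</a>
<a href="http://alpha.worker.htb/about.html">Alpha again</a>
<a href="https://example.com/">External link, ignored</a>
EOF
}

# Read HTML on stdin and print each unique *.worker.htb host name once.
extract_hosts() {
  # grep -o prints only the matched text instead of the whole line,
  # -i matches case-insensitively, -E enables extended regex.
  # sed strips the scheme, tr lowercases (host names are case-insensitive),
  # sort -u drops hosts that were linked more than once.
  grep -oiE 'https?://[a-z0-9.-]+\.worker\.htb' |
    sed 's#^[A-Za-z]*://##' |
    tr 'A-Z' 'a-z' |
    sort -u
}

# Join host names from stdin into one hosts-file line for the given address.
hosts_line() {
  printf '%s %s\n' "$1" "$(paste -sd ' ' -)"
}

# 192.0.2.10 is a documentation placeholder, not the lab machine's address.
# Review the printed line before appending it to /etc/hosts.
sample_html | extract_hosts | hosts_line 192.0.2.10
```

Against a live page, the output of `curl -s` is piped into `extract_hosts` in place of `sample_html`.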

There doesn't seem to be anything of interest on any of these sites.

The second commit within the log looked interesting, so I used svn update -r 2 to bring the changes from the repository into our working directory. The revision (r) integers are incremented with each new commit to the repository.

<figure><img src="https://2022164620-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FtzurpgroDJSMn9AFVmQP%2Fuploads%2FLrPVfhGPMOt6mT4qK8t4%2Fimage.png?alt=media&#x26;token=b97c457d-60e6-4a19-bb6d-ed3d32e85fdf" alt=""><figcaption></figcaption></figure>

From the command output above, we see that in this commit a file called moved.txt was deleted and a file named deploy.ps1 was added.

Looks like deploy.ps1 had some credentials for Nathen specifically.

<figure><img src="https://2022164620-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FtzurpgroDJSMn9AFVmQP%2Fuploads%2FAXV2KPmuUsEHSXLfMwUS%2Fimage.png?alt=media&#x26;token=8085dffa-990b-43f0-9f90-8e80d879f047" alt=""><figcaption></figcaption></figure>

The credentials don't work for Windows remote management, so I can instead look for any type of login functionality on the subdomains. The subdomain devops.worker.htb is configured to use basic authentication.

<figure><img src="https://2022164620-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FtzurpgroDJSMn9AFVmQP%2Fuploads%2F6pK9wefIiat1qwCcxCMV%2Fimage.png?alt=media&#x26;token=2d2246d0-98d0-4b1c-b684-46dedcb367f2" alt=""><figcaption></figcaption></figure>

And I am in -

<figure><img src="https://2022164620-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FtzurpgroDJSMn9AFVmQP%2Fuploads%2FDoqE2yQeeJyvp2rCZTnZ%2Fimage.png?alt=media&#x26;token=f25caab8-a9fe-45d8-bdf3-86282329f44f" alt=""><figcaption></figcaption></figure>

