Hack The Box - Laboratory Walkthrough without Metasploit
An easy Linux box where we will have to dig into GitLab and gitlab-rails, ending with some PATH hijacking, but first, let's enumerate!
Let's start by running nmapAutomator on our target:
Our basic scan returns the following:
We have the following ports open:
This is the SSH (Secure Shell) port; we might be able to use it later to log in if we find a valid username with its password, or a valid key.
HTTP port that redirects to the HTTPS one (443). On the Nmap scan we can see that we have discovered laboratory.htb and a second DNS name, git.laboratory.htb; we add both to our /etc/hosts.
We can also discover that DNS name with gobuster:
This port is HTTPS, and it's the one we reach when browsing to https://laboratory.htb, so let's see if there's anything interesting:
After some enumeration of the web page we couldn't find much of interest, so let's go to https://git.laboratory.htb. Here we find a GitLab Community Edition instance, and we can register:
We must use an email address on the laboratory domain in order to register successfully:
And once we click on Register we are in as our new user evil.
Looking through the page we can enumerate the GitLab version quite easily: we go to Help and it appears:
Searching for possible vulnerabilities on this version we found this report on HackerOne:
That leads us to this git repository:
Let's clone the repository and inspect the Python code!
We have to modify the script, since this GitLab restricts email domains, and we also change the port we will be listening on:
We prepare a netcat listener on port 9009:
Now we can use the script:
We have to choose option 2 since we want RCE and our version is 12.8.1. The script will stop and ask us whether we already have a listener (how nice). We can also see what it is doing:
Registering user hcbh4toQHD:IWTygssOAM
Creating project by8giL18px
Creating project qQfLhudoho
Creating issue gggHd8VkFn for project by8giL18px
Moving issue from by8giL18px to qQfLhudoho
Grabbing file secrets.yml
Deploying payload
Delete user hcbh4toQHD
The shell really is unstable; whenever we press Enter it drops:
As soon as we get in we start another listener, and the first command we type is another reverse shell to make it a bit more stable:
On our other listener we catch the incoming connection:
We are in as the git user; enumerating, we find out that we are inside a Docker container:
We are inside a container and cannot escape yet, but we see that we have gitlab-rails (~/gitlab-rails/working). Searching for gitlab-rails we found two interesting pages:
Both links explain how to look up or change users with the gitlab-rails console.
First we set the environment to production:
Now we can find users by id; we load the first user into the variable user:
Let's modify the user a bit:
user.password --> set a new password
user.password_confirmation --> confirm new password
user.save! --> save new configuration
Let's try to log in to GitLab as dexter with our new password evilpass:
Once we are logged in we can see there are two repositories:
If we open the SecureDocker project we find an interesting folder:
Inside that folder there is an even more interesting one!
Inside .ssh we have the id_rsa key that will allow us to log in as Dexter.
We copy that id_rsa into a file on our box and chmod 600 it so that ssh will accept it when logging in:
At this point we can grab the user hash; once we have it, let's enumerate and try to escalate privileges.
We get suid3num.py onto the box to see whether there are binaries with the SUID bit set:
Set up a SimpleHTTPServer on our box:
On the Laboratory shell as dexter, grab the script and execute it:
We can see there is a custom SUID binary:
Inspecting the binary with ltrace:
It's setting the uid and gid to 0 (root) and then calling chmod without its full path; we can hijack that to become root:
Since it calls chmod without the full path, the lookup walks every directory in our $PATH variable and uses the first chmod it finds. Knowing that, we prepend /tmp/.folder to our PATH, create a file called chmod there containing /bin/bash, and make it executable:
If we execute the SUID binary now:
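For the fix side of this, here is an added C illustration (not code from the walkthrough, the box or any real project) of the SUID helper's mistake beside a hardened form: the function names, the /bin/chmod path and the temp-file demo are assumptions made for the example.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/wait.h>

/* Vulnerable shape (what ltrace showed on the box): privileges are raised, then
 * "chmod" is run by bare name through the shell, so PATH picks which chmod runs. */
int chmod_via_system(const char *path)
{
    char cmd[512];
    snprintf(cmd, sizeof cmd, "chmod 700 %s", path);   /* PATH lookup + shell */
    return system(cmd);
}

/* Hardened shape: absolute path, no shell, and an environment built here rather
 * than inherited, so the caller's PATH / LD_PRELOAD cannot influence the child. */
int chmod_via_execve(const char *path, const char *mode)
{
    static char *const safe_env[] = { "PATH=/usr/sbin:/usr/bin:/sbin:/bin", NULL };
    pid_t pid = fork();
    if (pid < 0)
        return -1;                          /* fork failed */
    if (pid == 0) {
        char *const argv[] = { "chmod", "--", (char *)mode, (char *)path, NULL };
        execve("/bin/chmod", argv, safe_env);
        _exit(127);                         /* exec failed: never fall through */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;   /* child's exit code */
}

/* Constructed demo: chmod a temp file to 0600 the hardened way, return its mode bits. */
int demo_harden(void)
{
    char tmpl[] = "/tmp/laboratory-demo-XXXXXX";
    struct stat st;
    int fd = mkstemp(tmpl);
    if (fd < 0)
        return -1;
    close(fd);
    int rc = chmod_via_execve(tmpl, "0600");
    int bits = (rc == 0 && stat(tmpl, &st) == 0) ? (int)(st.st_mode & 07777) : -1;
    unlink(tmpl);
    return bits;                            /* 0600 on success, -1 on failure */
}
```

Note that chmod_via_system also has a shell-injection problem through the path argument, which the execve form avoids by passing arguments as a vector.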