Hey everyone , I hope you are doing good. This is a easy level machine which involved a gitlab site where you need to gain a foothold using a LFI to RCE exploit.
Rustscan
rustscan -a 10.10.10.216 -- -A -sC -sV
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: https://discord.gg/GFrQsGy :
: https://github.com/RustScan/RustScan :
--------------------------------------
Please contribute more quotes to our GitHub https://github.com/rustscan/rustscan
[~] The config file is expected to be at "/root/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 10.10.10.216:22
Open 10.10.10.216:80
Open 10.10.10.216:443 PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 63 OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
80/tcp open http syn-ack ttl 63 Apache httpd 2.4.41
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Did not follow redirect to https://laboratory.htb/
443/tcp open ssl/http syn-ack ttl 63 Apache httpd 2.4.41 ((Ubuntu))
| http-methods:
|_ Supported Methods: OPTIONS HEAD GET POST
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: The Laboratory
| ssl-cert: Subject: commonName=laboratory.htb
| Subject Alternative Name: DNS:git.laboratory.htb
| Issuer: commonName=laboratory.htb
| Public Key type: rsa
| Public Key bits: 4096
| Signature Algorithm: sha256WithRSAEncryption
PORT 80/443 (HTTP/HTTPS)
On visting port 80 I was redirected to https with a domain laboratory.htb
So let’s add this to /etc/hosts file
Running dirsearch was pointless because couldn’t find anything
But I did saw a subdomain from the nmap scan git.laboratory.htb on adding to /etc/hosts
We could not sign in since we have not found any users so I registered an account
On logging in we can’t see anything useful
But going to help page we see the version number of gitlab which is 12.8.1
Searching an exploit for this version I found one RCE
https://github.com/dotPY-hax/gitlab_RCE
Edited the email for the payload
But it was not stable
I grabbed the secrets.yml through unstablized shell also realized that this was a docker container
It was unstable so I decide to go for Metasploit
https://www.rapid7.com/db/modules/exploit/multi/http/gitlab_file_read_rce/
These are the options you would have to set
And we get a bash prompt
To get a more stablized shell
I searched for pretesting gitlab and found a website that had some juicy information about what to look for
I saw a user dexter that had a a repository
But there wasn’t anything intersting there looking back at that directory I saw two files having secret in them
Didn’t found anything then I came across a report that was submitted on hackerone regarding gitlab
https://hackerone.com/reports/493324
But this didn’t worked so I searched for gitlab shell change user password and found documentation
After going through this I came to know that we can reset a user’s password on gitlab
And we logged in as dexter
We see a ssh key so we can login as dexter
There was a cron job running
But I couldn’t run docker
Because we don’t have permissions to execute. So here I spend a lot of time running linpeas , manual going through folders but found nothing then I looked for SUID
We see that it’s using chmod so we can exploit PATH variable
#!/bin/bash
bash