HackTheBox-Laboratory

ARZ101
Apr 17, 2021

Hey everyone, I hope you are doing well. This is an easy-level machine that involves a GitLab site where you need to gain a foothold using an LFI to RCE exploit.

Rustscan

rustscan -a 10.10.10.216 -- -A -sC -sV                                                          
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: https://discord.gg/GFrQsGy :
: https://github.com/RustScan/RustScan :
--------------------------------------
Please contribute more quotes to our GitHub https://github.com/rustscan/rustscan
[~] The config file is expected to be at "/root/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 10.10.10.216:22
Open 10.10.10.216:80
Open 10.10.10.216:443
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 63 OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
80/tcp open http syn-ack ttl 63 Apache httpd 2.4.41
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Did not follow redirect to https://laboratory.htb/
443/tcp open ssl/http syn-ack ttl 63 Apache httpd 2.4.41 ((Ubuntu))
| http-methods:
|_ Supported Methods: OPTIONS HEAD GET POST
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: The Laboratory
| ssl-cert: Subject: commonName=laboratory.htb
| Subject Alternative Name: DNS:git.laboratory.htb
| Issuer: commonName=laboratory.htb
| Public Key type: rsa
| Public Key bits: 4096
| Signature Algorithm: sha256WithRSAEncryption

PORT 80/443 (HTTP/HTTPS)

On visiting port 80 I was redirected to HTTPS with the domain laboratory.htb

So let’s add this to the /etc/hosts file

Running dirsearch was pointless because I couldn’t find anything

But I did see a subdomain in the nmap scan, git.laboratory.htb, which I added to /etc/hosts

We could not sign in since we had not found any users, so I registered an account

On logging in we can’t see anything useful

But going to the help page we see the version number of GitLab, which is 12.8.1

Searching for an exploit for this version I found one RCE

https://github.com/dotPY-hax/gitlab_RCE

I edited the email for the payload

But it was not stable

I grabbed the secrets.yml through the unstabilized shell and also realized that this was a Docker container

It was unstable so I decided to go for Metasploit

https://www.rapid7.com/db/modules/exploit/multi/http/gitlab_file_read_rce/

These are the options you would have to set

And we get a bash prompt

To get a more stabilized shell

I searched for pentesting gitlab and found a website that had some juicy information about what to look for

I saw a user dexter that had a repository

But there wasn’t anything interesting there. Looking back at that directory I saw two files having secret in them

I didn’t find anything, then I came across a report that was submitted on HackerOne regarding GitLab

https://hackerone.com/reports/493324

But this didn’t work, so I searched for gitlab shell change user password and found documentation

After going through this I came to know that we can reset a user’s password on gitlab

And we logged in as dexter

We see an SSH key so we can log in as dexter

There was a cron job running

But I couldn’t run docker

Because we don’t have permission to execute it. So here I spent a lot of time running linpeas and manually going through folders but found nothing, then I looked for SUID

We see that it’s using chmod, so we can exploit the PATH variable

#!/bin/bash
bash
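
The PATH trick above only works when a set-uid program runs chmod by bare name and passes the caller's environment on to it. A sketch of the hardened pattern, as an added example that is not from the original post or from the machine's binary; run_fixed, SAFE_PATH and the /tmp directory are hypothetical names chosen for illustration:

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L   /* for setenv() under strict -std modes */
#endif
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fixed search path handed to the child; the caller's PATH is never used. */
#define SAFE_PATH "PATH=/usr/sbin:/usr/bin:/sbin:/bin"

/* Run a helper from a privileged process (run_fixed is a hypothetical name).
 * Returns the child's exit status, or -1 if the request is refused or fails. */
int run_fixed(const char *abs_path, char *const argv[])
{
    /* Refuse bare names such as "chmod": those get resolved through PATH. */
    if (abs_path == NULL || abs_path[0] != '/')
        return -1;

    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* Child: drop the inherited environment, keep only a fixed PATH. */
        char *const envp[] = { SAFE_PATH, NULL };
        execve(abs_path, argv, envp);  /* execve() does no PATH search */
        _exit(127);                    /* reached only if exec failed */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    /* Constructed scenario: the caller's PATH starts with its own directory. */
    setenv("PATH", "/tmp/constructed-attacker-dir:/usr/bin:/bin", 1);

    char *const probe[] = { "sh", "-c", "echo \"child sees PATH=$PATH\"", NULL };
    printf("absolute path -> exit status %d\n", run_fixed("/bin/sh", probe));

    char *const bare[] = { "chmod", "--version", NULL };
    printf("bare name     -> %d (refused)\n", run_fixed("chmod", bare));
    return 0;
}
```

With the helper called this way, a file named chmod placed in a caller-controlled directory is never consulted, whatever PATH the caller exports.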
