Hack The Box Bitlab Walkthrough – 10.10.10.114


Hack The Box Bitlab is a medium-difficulty Linux machine. There are a couple of ways to exploit this machine; I’m going to use the intended one. The other way involved good old OllyDBG, which I honestly don’t like 🙂

I’ve added the machine IP 10.10.10.114 to /etc/hosts as bitlab.htb. Let’s start with an nmap port scan, a mandatory first step for any machine.

Here is the nmap scan result:

Nmap reports only two open ports: port 80, running an Nginx web server, and port 22 (SSH). Since port 22 needs credentials to log in, I proceed to see what’s running on port 80.

Nginx on port 80 hosts GitLab Community Edition (a web-based DevOps lifecycle tool that provides a Git repository manager with wiki, issue-tracking and CI/CD pipeline features, under an open-source licence; ref: Wikipedia).

As the GitLab page needs credentials to log in, I proceed to look for other ways in. Some HTB users in the forum suggested GoBuster, but I found an easier way to enumerate directories using robots.txt. The site’s robots.txt reveals a lot of directories that it disallows search engines from indexing.

Getting The Credentials

I checked through the different directories one by one and found some interesting hex within the source code of the /help directory:

The last part of the source code is a hex-encoded GitLab login script that contains a username and password. After decoding the hex using http://ddecode.com/hexdecoder/, I have a valid username and password for the page: clave:11des0081x
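Hex-escaped string literals are a common way of hiding hard-coded credentials in client-side scripts, and exactly what a secret-scanning or code-review check should flag. The following Python is an added example, not code from the page or from GitLab: it decodes \xHH escapes, measures how much of a script is escaped, and reports which form fields are being auto-filled from literals. The script and its placeholder values are constructed for the example, not the machine’s real /help source or account.

```python
import re

# Constructed sample (not the page's /help source): a login helper in the same
# style, with every string literal hex-escaped to hide hard-coded credentials.
# The values are placeholders, not the machine's real account.
SAMPLE_SCRIPT = r"""
var _0x1 = ["\x75\x73\x65\x72\x5f\x70\x6c\x61\x63\x65\x68\x6f\x6c\x64\x65\x72",
            "\x70\x61\x73\x73\x5f\x70\x6c\x61\x63\x65\x68\x6f\x6c\x64\x65\x72"];
document.getElementById("\x75\x73\x65\x72\x5f\x6c\x6f\x67\x69\x6e").value = _0x1[0];
document.getElementById("\x75\x73\x65\x72\x5f\x70\x61\x73\x73\x77\x6f\x72\x64").value = _0x1[1];
"""

HEX_ESCAPE = re.compile(r"\\x([0-9a-fA-F]{2})")


def decode_hex_escapes(text):
    """Replace every \\xHH escape with the character it encodes."""
    return HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), text)


def escape_ratio(text):
    """Fraction of the script taken up by \\xHH escapes (each escape is 4 chars).
    A high value means the literals were deliberately hidden."""
    if not text:
        return 0.0
    return len(HEX_ESCAPE.findall(text)) * 4 / len(text)


def is_heavily_escaped(text, threshold=0.3):
    return escape_ratio(text) >= threshold


def autofilled_fields(script):
    """Map each form field the script fills in to the literal it receives.
    NAME[i] references are resolved against 'var NAME = [...]' arrays."""
    decoded = decode_hex_escapes(script)
    arrays = {}
    for name, body in re.findall(r"var\s+(\w+)\s*=\s*\[(.*?)\];", decoded, re.S):
        arrays[name] = re.findall(r'"([^"]*)"', body)
    fields = {}
    for field, expr in re.findall(
            r'getElementById\("([^"]*)"\)\.value\s*=\s*([^;]+);', decoded):
        expr = expr.strip()
        ref = re.fullmatch(r"(\w+)\[(\d+)\]", expr)
        if ref and ref.group(1) in arrays:
            fields[field] = arrays[ref.group(1)][int(ref.group(2))]
        else:
            fields[field] = expr.strip('"')
    return fields


def credential_findings(script):
    """Audit verdict: fields whose name suggests a credential and that receive a literal."""
    return {f: v for f, v in autofilled_fields(script).items()
            if re.search(r"pass|pwd|secret|token|login|user", f, re.I)}


if __name__ == "__main__":
    print(f"hex-escape ratio: {escape_ratio(SAMPLE_SCRIPT):.2f}")
    for field, value in credential_findings(SAMPLE_SCRIPT).items():
        print(f"  {field} is auto-filled with literal {value!r}")
```

The escape-ratio check is the cheap triage step (a script that is mostly \xHH escapes deserves a look); the field mapping is what turns the decoded text into a finding a reviewer can act on, namely a login form pre-populated from constants shipped to every visitor.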

Using the credentials I obtained, I successfully logged in to the BitLab page. The page contains a few code repositories; let’s go through them.

The Good Old PHP Reverse Shell

Looking through the code repository, I noticed the user “Clave” is able to edit the profile index.php file. This is great news for me: I can get a reverse shell by modifying index.php. For that I need my good old friend, PenTestMonkey’s PHP reverse shell. I copy the script and modify it to add my local IP and port so the shell calls back to my Kali machine.

I replaced GitLab’s index.php with my reverse shell script, then clicked the “Commit Changes” button and made sure my update went through. I then made a merge request to finish the update.

Getting the Reverse Shell

Once the process is done, I set up my listener with nc -nlvp 4444 and opened the page I just updated (http://bitlab.htb/profile/index.php).

I’m ready to go: I have the reverse shell. However, the shell I have is www-data with low privileges, so I had to run

I ran the sudo -l command for better visibility.

However, I wasn’t able to do much with a low-privilege shell. After browsing the site for a while, I noticed a snippet containing PHP code that would help me get the DB user credentials. I would need to modify the PHP code to achieve this.

From this:

To this:

Code:

Getting the user.txt

I update my index.php and browse the page again.

I have the DB password in encoded format. I’d need to decode it before I SSH to the box.

string(1) “1” [1]=> string(5) “clave” [2]=> string(22) “c3NoLXN0cjBuZy1wQHNz==” }

I used a decoder on Kali to decode the encoded value. The password was ssh-str0ng-p@ss

I went on to SSH to the box as the user clave. I tried the password ssh-str0ng-p@ss; unfortunately, it didn’t work. I also tried the password ssh-str0ng-p@ssbase64, which didn’t work either, but it worked when I used the encoded string itself as the password, and I got user.txt.

Privilege escalation

From my previous reverse shell, I will perform a git pull, since I can execute git pull as root. I will have to create a writable folder into which I copy the repository; as per the forum, this can be done in a subdirectory of /tmp.

I ran the following commands:

After the copy is done, my next step is to create a hook called post-merge which will be executed once the code has been pulled into the nav1n directory. I also need to change the permission to executable with chmod +x.

Here are the commands I ran.

In the meantime, I ran a listener on port 6666 in another terminal.
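The root of this escalation is a sudo rule that lets an unprivileged user run git as root against a repository whose .git/hooks directory that user can write. The following Python is an added audit check, not code from the page or from git: it lists live (non-.sample) executable hooks in a repository, checks whether the hooks directory is writable by others, picks out sudoers lines that grant git, and combines them into a risk rating. The sudoers fragment and the demo repository it builds are constructed fixtures; the rule text and user name are placeholders, not the machine’s real configuration.

```python
import os
import stat
import tempfile

# Names git recognises as hooks; the *.sample files git ships are inert.
HOOK_NAMES = {
    "pre-commit", "prepare-commit-msg", "commit-msg", "post-commit",
    "pre-merge-commit", "post-merge", "pre-push", "pre-rebase",
    "post-checkout", "post-update", "update", "pre-receive", "post-receive",
}

# Constructed sudoers fragment (assumption: not the machine's real file) of the
# shape that lets a user run a git subcommand as root.
SAMPLE_SUDOERS = """\
# /etc/sudoers.d/git-deploy (constructed sample)
Defaults env_reset
user_placeholder ALL=(root) NOPASSWD: /usr/bin/git pull
"""


def executable_hooks(repo_dir):
    """Return (name, mode) for every real, executable hook under .git/hooks."""
    hooks_dir = os.path.join(repo_dir, ".git", "hooks")
    found = []
    if not os.path.isdir(hooks_dir):
        return found
    for name in sorted(os.listdir(hooks_dir)):
        if name not in HOOK_NAMES:
            continue
        path = os.path.join(hooks_dir, name)
        st = os.stat(path)
        if stat.S_ISREG(st.st_mode) and st.st_mode & 0o111:
            found.append((name, oct(st.st_mode & 0o777)))
    return found


def others_can_write(path):
    """True if the group or world write bit is set: root would be trusting a path anyone can change."""
    return bool(os.stat(path).st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def sudo_git_rules(sudoers_text):
    """Pick out sudoers lines that grant git (any subcommand) to a user."""
    rules = []
    for line in sudoers_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        if "ALL=" in line and "/git" in line:
            rules.append(line)
    return rules


def assess(repo_dir, sudoers_text):
    """Combine the three observations into a rating a reviewer can act on."""
    hooks = executable_hooks(repo_dir)
    rules = sudo_git_rules(sudoers_text)
    hooks_dir = os.path.join(repo_dir, ".git", "hooks")
    loose = os.path.isdir(hooks_dir) and others_can_write(hooks_dir)
    if rules and (hooks or loose):
        risk = "HIGH"      # root runs git on a repo whose hooks someone else controls
    elif rules or hooks:
        risk = "MEDIUM"
    else:
        risk = "LOW"
    return {"risk": risk, "hooks": hooks, "sudo_rules": rules, "hooks_dir_writable": loose}


def build_demo_repo():
    """Constructed fixture: a repo layout with a world-writable hooks dir and a live post-merge hook."""
    repo = tempfile.mkdtemp(prefix="hookaudit-")
    hooks_dir = os.path.join(repo, ".git", "hooks")
    os.makedirs(hooks_dir)
    hook = os.path.join(hooks_dir, "post-merge")
    with open(hook, "w") as fh:
        fh.write("#!/bin/sh\necho 'post-merge hook ran'\n")   # harmless marker hook
    os.chmod(hook, 0o755)
    with open(os.path.join(hooks_dir, "pre-commit.sample"), "w") as fh:
        fh.write("#!/bin/sh\n# inert template\n")
    os.chmod(hooks_dir, 0o777)
    return repo


if __name__ == "__main__":
    report = assess(build_demo_repo(), SAMPLE_SUDOERS)
    print("risk:", report["risk"])
    for name, mode in report["hooks"]:
        print(f"  executable hook: {name} ({mode})")
    for rule in report["sudo_rules"]:
        print(f"  sudo rule: {rule}")
```

Run against a real host, the repository argument is the path named in the sudo rule and the sudoers text comes from /etc/sudoers and /etc/sudoers.d; the fix a HIGH rating points at is root ownership of the repository (so the hooks directory is not writable by the sudo user) or, better, dropping the rule in favour of a deploy mechanism that does not run git as root at all.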

Navin

Hey there, I'm Navin, a passionate Info-Sec enthusiast from Bahrain. I started this blog to share my knowledge. I usually write on HackTheBox machines and challenges, cybersecurity-related articles and bug-bounty. If you are an HTB user and like my articles, please respect here: https://www.hackthebox.eu/home/users/profile/68523


PhoenixKiller (Guest)

Very nice writeup, I didn’t even realise RemoteConnection.exe was the intended solution! Like you, I always run sudo -l once I get a reverse shell and immediately expected the git pull to be the intended way of getting root 😊. Git has so-called hooks that get executed before or after certain actions. A git pull triggers the pre-commit trigger; I exploited this by setting up a git remote on my own laptop, cloning it from the gitlab box, adding the bash script I want run as root inside the repo directory at .git/hooks/pre-commit, added a commit on my laptop…
