Introduction

Laboratory is an Easy Apache web-server box from HTB, created by oxc45, running an exploitable version of GitLab. It showcases the problems that arise when front-facing web applications are not updated regularly. Once on the box I use LinPEAS and pspy to find a SUID binary that can be abused through PATH manipulation to get root.

I begin every scan using RustScan; once it completes it runs Nmap filters and exports to HTML for easy reading. The code below uses $PWD (the present working directory) as I have a startup script I run before doing any HTB box:


During the scans I noticed port 80 was open. Visiting the website redirects over to the HTTPS version of the site. I immediately edit my hosts file to add laboratory.htb. I visit the website, notice the HTTPS certificate, and on viewing it find a secondary vhost on the box, git.laboratory.htb. I add it to my hosts file as well.

Port 80 shows https://laboratory.htb redirect.

Adding both domains to my host file.

Visiting git.laboratory.htb I am presented with a GitLab Community Edition instance. I was familiar with this as I had seen it running on HTB – Ready. I attempt to register with some bogus credentials and get an error. I switch my email to [email protected] and am able to register successfully.

GitLab Registration error.

After logging in I navigate around GitLab. I notice a project, SecureWebsite, by Dexter McPherson. I note down the user and continue my enumeration. I check the version of GitLab to see if it is exploitable like the one in Ready.

GitLab Community Edition 12.8.1 – One year old and exploitable.

It is exploitable as it is a year out of date and a Metasploit module is available HERE.

User Escalation

Metasploit Instructions


Additional Options


Running the Exploit


After getting a shell via Metasploit I launch a secondary shell via nc so I can easily spawn a new shell should the need arise.

PTY Shell


As with Ready, I began looking for users or credentials I could harvest from the GitLab application. I found an article HERE which explains how to reset a user's password via the console. I ran through the steps and logged in as Dexter.

Following the steps from the Gist to reset and login as Dexter.

After running through the steps above I logged in as the dexter user. Once logged in I navigated around the SecureDocker project and found his SSH private key, id_rsa. I copied it, set 600 permissions on it and logged in with it.

Grabbing Dexters id_rsa from his SecureDocker.

Go for Root

After logging in as dexter I ran LinPEAS, which pointed me to a SUID binary called docker-security. Running pspy64 while executing the binary showed me that I could abuse its PATH lookup to execute a privileged shell.
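The root cause behind this class of SUID bug is a privileged program running a helper by bare name, so the caller's PATH decides what actually executes. As an added illustration (not the box's docker-security binary, which this post does not reproduce), the C below shows the hardened pattern: tools are resolved against a hard-coded trusted directory list and run with a fixed environment. The directory list and the function names are assumptions for the example.

```c
/* Added example, not the box's docker-security binary (which this post does
 * not reproduce): a SUID helper resolving the tools it runs against a fixed
 * directory list, so a caller-controlled PATH cannot substitute a malicious
 * "chmod" or similar. Directory list and function names are assumptions. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Fixed search list; getenv("PATH") is never consulted. */
static const char *const TRUSTED_DIRS[] = {"/usr/sbin", "/usr/bin", "/sbin", "/bin", NULL};

/* Minimal environment for the child: no inherited PATH, LD_PRELOAD, IFS, etc. */
static char *const SAFE_ENV[] = {"PATH=/usr/sbin:/usr/bin:/sbin:/bin", NULL};

/* Resolve a bare tool name to an absolute path under TRUSTED_DIRS only. Returns 0
 * on success; -1 if not found, buffer too small, or the name contains '/'. */
int resolve_trusted(const char *tool, char *out, size_t n) {
    struct stat st;
    if (tool == NULL || *tool == '\0' || strchr(tool, '/') != NULL) return -1;
    for (const char *const *d = TRUSTED_DIRS; *d != NULL; d++) {
        if (snprintf(out, n, "%s/%s", *d, tool) >= (int)n) return -1;
        if (stat(out, &st) == 0 && S_ISREG(st.st_mode) && (st.st_mode & S_IXUSR))
            return 0;
    }
    if (n > 0) out[0] = '\0';
    return -1;
}

/* Run a trusted tool with the fixed environment; returns only on failure. This
 * replaces system("chmod ...") / execvp(), where the caller's PATH picks "chmod". */
int exec_trusted(const char *tool, char *const argv[]) {
    char path[4096];
    if (resolve_trusted(tool, path, sizeof path) != 0) return -1;
    execve(path, argv, SAFE_ENV);
    return -1; /* execve only returns on error */
}

int main(void) {
    char path[4096];
    setenv("PATH", "/tmp", 1); /* hostile PATH: ignored by the resolver */
    if (resolve_trusted("chmod", path, sizeof path) == 0)
        printf("chmod resolves to %s despite PATH=%s\n", path, getenv("PATH"));
    fflush(stdout);
    char *const argv[] = {"true", NULL};
    return exec_trusted("true", argv); /* replaces this process with /bin/true */
}
```

A quick audit check for any SUID binary is whether its strings show bare command names being handed to system() or a PATH-searching exec; the resolver above is what such a binary should be doing instead.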
LinPEAS (Export)

pspy64 (Export)

Escalation with docker-security (Tab 1)

Bash Oneliner

Escalation with docker-security (Tab 2)

Rooting Laboratory from HTB.

Proof Script

EXTRA!!

I’m sure if you’re reading this post you know IppSec and his most recent video from HTB. He begins using Obsidian to do ‘proper’ note taking while exploiting the machine. In Monkey See, Monkey Do fashion I did the same for this box; the notes are available below. The password to open the PDF is – :$O/(IL(c^|9

Let me know your thoughts!

Rooted

Published On: April 27th, 2021 / Categories: HTB, Technology