Introduction
Laboratory is an Easy Apache web-server box with an exploitable version of GitLab from HTB, created by oxc45. It showcases the problems of front-facing web applications not being updated regularly. Once I get on the box I use LinPEAS and pspy to find a SUID binary exploitable through PATH abuse for root.
I begin every scan using RustScan; once it completes it runs Nmap filters and exports to HTML for easy reading. The code below uses PWD (Present/Current Working Directory) as I have a startup script I run before doing any HTB box:
During the scans I noticed Port 80 was open. Visiting the website, I get a redirect over to the HTTPS version of the website. Immediately I edit my hosts file to add laboratory.htb. I visit the website and notice the HTTPS certificate. I view the certificate and find a secondary VHOST on the box, git.laboratory.htb. I add it to my hosts file.

Port 80 shows https://laboratory.htb redirect.

Adding both domains to my hosts file.
Visiting git.laboratory.htb I am presented with a GitLab Community Edition instance. I was familiar with this as I saw it running on HTB – Ready. I attempt to register with some bogus credentials and get an error. I switch my email to [email protected] and I’m able to successfully register.

GitLab Registration error.
After logging in I navigate around GitLab. I notice a project SecureWebsite by Dexter McPherson. I note down the user and continue my enumeration. I check the version of GitLab to see if it is exploitable like in Ready.


GitLab Community Edition 12.8.1 – One year old and exploitable.
It is exploitable as it is a year out of date and a Metasploit module is available HERE.
User Escalation
MetaSploit Instructions
Additional Options
Running the Exploit
After getting a shell via Metasploit I launch a secondary shell via nc so I can easily spawn a new shell should the need arise.
Tab1
Tab2
PTY Shell
As with Ready I began looking for users or credentials I could harvest from the GitLab application. I found an article HERE which lets you reset a user's password via the console. I ran through the steps and logged in as Dexter.

Following the steps from the Gist to reset and login as Dexter.
After running through the steps above I logged in as the dexter user. Once logged in I navigated around the SecureDocker project. Found his id_rsa OpenSSL key. Copied it, set 600 permissions and logged in.

Grabbing Dexter's id_rsa from his SecureDocker.
Go for Root
After logging in as dexter I ran LinPEAS which pointed me to a SUID binary called docker-security. Running pspy64 and executing the process showed me I could exploit PATH to execute a privileged shell.
Tab1
Tab2
LinPEAS (Export)
PsPy64 (Export)
Escalation with Docker-Security (Tab1)

Bash Oneliner
Escalation with Docker-Security (Tab2)

Rooting Laboratory from HTB.
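The root step above depends on a SUID program letting the caller's PATH decide which binary it runs. As an added example (not code from the box, the post or its author), this is how a privileged helper can avoid that in C; `path_is_trustworthy`, `run_fixed` and `SAFE_PATH` are hypothetical names and the fixed PATH value is an assumption.

```c
/* Added example (not from the box): hardening a set-uid helper against PATH abuse.
 * path_is_trustworthy, run_fixed and SAFE_PATH are hypothetical names. */
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/wait.h>

#define SAFE_PATH "PATH=/usr/sbin:/usr/bin:/sbin:/bin"  /* assumed fixed value */

/* Returns 1 if every PATH entry is absolute, exists, is owned by root or the
 * effective user, and is not group/world-writable; returns 0 otherwise. */
int path_is_trustworthy(const char *path) {
    if (path == NULL || *path == '\0') return 0;
    for (const char *p = path; ; ) {
        const char *end = strchr(p, ':');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        char dir[4096];
        struct stat st;
        /* An empty or relative entry makes lookups search the current directory. */
        if (len == 0 || len >= sizeof dir || p[0] != '/') return 0;
        memcpy(dir, p, len);
        dir[len] = '\0';
        if (stat(dir, &st) != 0 || !S_ISDIR(st.st_mode)) return 0;
        if (st.st_uid != 0 && st.st_uid != geteuid()) return 0;
        if (st.st_mode & (S_IWGRP | S_IWOTH)) return 0;
        if (end == NULL) return 1;
        p = end + 1;
    }
}

/* Runs a helper by absolute path, without a shell and with a fixed
 * environment, so the caller's PATH never decides which binary executes.
 * Returns the child's exit status, or -1 on refusal or failure. */
int run_fixed(const char *abs_path, char *const argv[]) {
    static char *const clean_env[] = { SAFE_PATH, NULL };
    if (abs_path == NULL || abs_path[0] != '/') return -1;  /* refuse PATH lookup */
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execve(abs_path, argv, clean_env);
        _exit(127);  /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

A set-uid program would call `run_fixed` with the full path of the one tool it needs instead of passing a bare command name to `system()` or `execvp()`.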
Proof Script
EXTRA!!
I’m sure if you're reading this post you know IPPSEC and his most recent video from HTB. He begins using Obsidian to do ‘proper’ note taking while exploiting the machine. As with the Monkey See, Monkey Do approach I did the same for this box, available below. The password to open the PDF is – :$O/(IL(c^|9
Let me know your thoughts!
