Introduction

Ready is a Medium 'CTF'-style box from HTB created by bertolis. It showcases problems in older versions of GitLab Community Edition and how they can be used to escalate privilege. Once we get on the box we realize we are in a Docker container and use a Docker escape to escalate to root. I begin every scan using RustScan; once it completes it runs Nmap on the open ports and exports the results to HTML for easy reading:


The initial scan only came back with port 22 open, which is SSH. By default SSH will not be your first point of entry (unless you're doing a challenge). Also, by default RustScan only scans the top 1000 ports; because of these factors I initiated a full port scan:

RustScan showing Port 5080 open.

Port 5080 was open, and when visiting the port via a web browser I could see GitLab running. I registered for a GitLab account and signed into the environment.

GitLab Community Edition running on Port 5080.

Upon logging into the GitLab environment I looked around for active projects. ready-channel, which was an active Drupal install, was present. It was also a false flag. After spending time finding credentials HERE and trying to find the 'ghost install' I took a step back. Eventually I noticed the version of GitLab was severely outdated.

GitLab Community Edition running 11.4.7

User Escalation

Keeping up to date on security-related news and using GitHub products, I was aware of the vulnerability affecting older versions of GitLab Community Edition. I read through a few articles and eventually found a script by dotPY-hax. It was very straightforward to configure and provided a low-privilege shell.

Running the gitlab_rce.py for shell.

Once the shell popped I upgraded it to an interactive shell and grabbed the user flag. I checked around the /opt and /var directories to find the GitLab install. Eventually I noticed a backup directory and this file: /opt/backup/gitlab.rb. After clearing away the clutter (the file is mostly commented-out defaults) I found a password, which I used to escalate my privilege to root.
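The gitlab.rb backup is a good illustration of why configuration backups need the same secret hygiene as the live config. The script below is an added example written for this write-up, not the author's code and not part of GitLab: it strips the comment clutter from a gitlab.rb-style file, flags lines that set password, secret, token or private-key values (including values nested inside Ruby hashes such as LDAP settings), and masks the values so the report itself does not leak them. The sample configuration and all secret values in it are constructed placeholders, not content from the box.

```python
import re
from typing import Dict, List

# Constructed sample resembling a GitLab omnibus config backup (placeholder values).
SAMPLE_GITLAB_RB = """\
## GitLab configuration settings
##! This file is generated during initial installation
# external_url 'GENERATED_EXTERNAL_URL'
external_url 'http://gitlab.example.invalid'

### Email Settings
# gitlab_rails['gitlab_email_from'] = 'example@example.com'
# gitlab_rails['smtp_password'] = "commented-out-password"
gitlab_rails['smtp_enable'] = true
gitlab_rails['smtp_password'] = "PLACEHOLDER_SMTP_SECRET"

### Backup Settings
gitlab_rails['backup_keep_time'] = 604800

### LDAP
gitlab_rails['ldap_enabled'] = false
gitlab_rails['ldap_servers'] = { 'bind_dn' => 'cn=admin', 'password' => 'PLACEHOLDER_LDAP_SECRET' }
"""

# Keywords that usually mark a credential-bearing setting in gitlab.rb.
SENSITIVE = re.compile(r"password|passwd|secret|token|private_key", re.IGNORECASE)
# Leading setting name, e.g. gitlab_rails['smtp_password'] or external_url.
KEY = re.compile(r"""^\s*([A-Za-z_]\w*(?:\[['"][^'"]+['"]\])*)""")
# A quoted string that follows '=' or '=>' (the value side of a Ruby assignment or hash entry).
QUOTED_VALUE = re.compile(r"""(=>?\s*)(['"])([^'"]*)\2""")


def mask_values(line: str) -> str:
    """Keep the first two characters of each quoted value and replace the rest with ***."""
    return QUOTED_VALUE.sub(lambda m: f"{m.group(1)}{m.group(2)}{m.group(3)[:2]}***{m.group(2)}", line)


def audit_gitlab_rb(text: str, include_comments: bool = False) -> List[Dict]:
    """Report lines that set a sensitive value.

    Comment-only lines are the 'clutter' and are skipped unless include_comments
    is set, in which case commented-out credentials are reported with commented=True.
    """
    findings: List[Dict] = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        stripped = raw.strip()
        if not stripped:
            continue
        commented = stripped.startswith("#")
        if commented:
            if not include_comments:
                continue
            stripped = stripped.lstrip("#! ").strip()
        if not SENSITIVE.search(stripped):
            continue
        key_match = KEY.match(stripped)
        findings.append({
            "line": line_no,
            "key": key_match.group(1) if key_match else "",
            "commented": commented,
            "masked": mask_values(stripped),
        })
    return findings


if __name__ == "__main__":
    for finding in audit_gitlab_rb(SAMPLE_GITLAB_RB, include_comments=True):
        state = "commented" if finding["commented"] else "ACTIVE"
        print(f"line {finding['line']:>3} [{state}] {finding['key']}: {finding['masked']}")
```

Run it against a real backup directory as part of a periodic review; any ACTIVE finding means the backup holds a live credential and should either be encrypted at rest or have the value moved into a secrets store that gitlab.rb references indirectly.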

Finding the password to escalate to root.

After checking the root directory and failing to find the flag, I realized I was inside a Docker container. I am very familiar with Docker as I use it in my personal network. I was able to follow the following two guides HERE and HERE to get to root.

AttackMachine


Host


AttackMachine

Root flag for the Ready machine by HTB.

Rooted

Published On: May 16th, 2021 / Categories: HTB, Technology
