Hack The Box Writeup – Laboratory

Breadcrumb Abstract Shape
Breadcrumb Abstract Shape
Breadcrumb Abstract Shape
Cyber News

Hack The Box Writeup – Laboratory

  • October 25, 2024
  • 0

Greetings from Macksofy Technologies. Below is the detailed walkthrough of the Laboratory machine which got retired from HackTheBox
The IP of this box is 10.10.10.216
Port Scan
Running NMAP full port scan on it , we get

We got 3 Open Ports, Port 22 for SSH and Port 80 and Port 443 for Web

Way To User

Checking the NMAP result, we see that the web has redirection to https://laboratory.htb and on the SSL part we see that there is a another domain git.laboratory.htb , so keeping both on our hosts file and checking the web

We confirm from the SSL certificate about the other subdomain

Nothing much interesting on the main domain , so checking the other git domain

We have Gitlab Community Edition installed on the git domain, and we are redirected to the login page where we have options to register a user

We registered a new user and then logged in

Checking the version of the GitLab installed, we see that we have GitLab Community Edition 12.8.1 which has a vulnerability reported on HackerOne for directory traversal

Confirming the exploit by getting the /etc/passwd file

This vulnerability is chained with RCE for which before we have to get the following file
/opt/gitlab/embedded/service/gitlab-rails/config/secrets.yml

Now we followed the report and then create our payload which will be used in Cookie field and for this we have to installed a GitLab instance locally which I did using docker

Our cookie got created and using then ran our curl command and got reverse shell as git user

Picture107

Now we create a new user for gitlab using gitlab-rails console where we assign the admin role to the newly created user

We now login with our newly created user

Login successful and then moving towards finding something interested which were accessible to admins and we had ssh key for the user dexter

We now connect to user dexter through SSH

Way To Root
Checking for SUID binaries, we get an interesting one,i.e, docker-security

Just running the cat command against the binary, we see that the binary is running chmod command where the path is not defined, so we can just hijack the path and exploit it

We exploit the vulnerability and then get root

References
devise
user from rails console
https://stackoverflow.com/questions/35909643/devise-user-from-rails-console
GitLab disclosed on HackerOne: Arbitrary file read via UploadsRewriter when moving and issue
https://hackerone.com/reports/827052
Tags: ctfhackhacktheboxhardhtblinuxmedium

HackTheBox Writeup – Time
New High-Severity Vulnerabilities Discovered in Cisco IOx and F5 BIG-IP Products