HackTheBox - BitLab - WriteUp
Brief
This is my writeup for HackTheBox's box called BitLab, which is a very good box. The box begins with a running GitLab server. Through enumeration you find credentials to the GitLab server, after which you get a shell on the box. Modifying a PHP script you get creds to the user, and exploiting git you get access to root. Let's get to work.
Reconnaissance
I use a tool called nmapAutomator, which I can recommend; alternatively you can also use AutoRecon.
Nmap Basic Scan
We only have two ports open on TCP and UDP. We begin our enumeration with the HTTP server.
Enumeration
Before visiting BitLab's site we add it to /etc/hosts in case virtual hosts are configured.
HTTP Enumeration
Paying a visit to http://bitlab.htb we are greeted with a GitLab server.
Before enumerating further I quickly ran searchsploit gitlab to know which things I should pay close attention to.
Gobuster
I put gobuster to task to enumerate directories with gobuster-old -t 40 -u http://bitlab.htb/ -e -w $DIRECTORY_BIG -s 200 -fw and began clicking around and reading page sources.
Since we are in dire need of credentials I began enumerating usernames with the help of gobuster-old -t 40 -u http://bitlab.htb/ -e -w $USERLIST_BIG -s 200 -fw
Soon enough we get some usernames. When we visit http://bitlab.htb/root we can see more clickable options. Once we click Help it lands us on this webpage.
Once we click on the GitLab login, nothing happens, but we can see some hex. There is some JS which, when decoded, gives the username clave and the password 11des0081x
I then went to the login page and pasted the function into my Chrome console, which entered the credentials into the webpage; upon clicking the Sign In button we get in.
We see the profile of clave, who is also a Developer.
Once you click Settings of the user it takes you to the webpage http://bitlab.htb/profile/ which can be seen below : -
Exploitation
We see two repositories clave seems to be a part of : -
- Profile
- Deployer
We also have visibility of one snippet: http://bitlab.htb/snippets/1
This webpage's source code is in the repository at http://bitlab.htb/root/profile/blob/master/index.php to which we have write access.
First I verified that this is indeed what's happening. We modify the index.php of the repository to see potential methods of getting a reverse shell. I modified the index.php to something like this.
I then committed these changes and merged them into master. Once merged, I went to the URL http://bitlab.htb/profile/ which responded with this : -
We now have code execution.
I then copied a trusted reverse shell from jivoi's pentest repository and modified $ip and $port.
We now receive a reverse shell.
Privilege Escalation
I downloaded LinEnum.sh from my local machine to the remote host and ran it, which pointed out that we can run git with sudo without a password.
Upon some GoogleFu and a look at GTFOBins I started looking into hooks. Hooks are basically scripts that run when a git event occurs; you can read more about them here. We can use the post-merge hook to get this to work. First we copy the repository to a location we can write to, /tmp, so that the changes we make through the web are not reflected there.
We now make some changes to the repo and merge them so that we can trigger the post-merge hook.
First we modify the repository by making some changes. I made a file gimmeroot.php and then committed those changes.
After committing, I created a merge request for the same commit and merged the request into master.
Now we run sudo git pull and expect the post-merge hook to execute and give us a shell as root.
We get a callback as root.
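A quick defensive check for the mechanism above, added here as an example that is not part of the original writeup: it lists the hooks git would actually run for a repository (executable files in .git/hooks that are not .sample templates), which is exactly what an administrator should audit before allowing git to be run through sudo. The demo repository layout is constructed in a temporary directory; the hook names follow git's documented hook list.

```python
import stat
import tempfile
from pathlib import Path

# Hooks git runs automatically. Any executable file with one of these names
# under .git/hooks runs with the privileges of whoever invokes git, so under
# "sudo git pull" a hook written by an unprivileged user runs as root.
GIT_HOOKS = {
    "pre-commit", "post-commit", "pre-merge-commit", "post-merge",
    "pre-push", "post-checkout", "pre-rebase", "post-rewrite",
    "pre-receive", "update", "post-receive", "post-update",
}


def find_active_hooks(repo: str) -> list[str]:
    """Return the hook names git would execute for the given repository.

    Mirrors git's own rule: a hook fires only if the file exists, is not a
    ".sample" template and has the owner-execute bit set. (If core.hooksPath
    is configured the hooks live elsewhere; that is out of scope here.)
    """
    hooks_dir = Path(repo) / ".git" / "hooks"
    if not hooks_dir.is_dir():
        return []
    active = []
    for entry in sorted(hooks_dir.iterdir()):
        if entry.name.endswith(".sample") or not entry.is_file():
            continue
        if entry.name in GIT_HOOKS and entry.stat().st_mode & stat.S_IXUSR:
            active.append(entry.name)
    return active


def make_demo_repo() -> str:
    """Build a constructed, throwaway repo layout: one inert template plus one
    live post-merge hook, the situation the writeup abuses."""
    root = tempfile.mkdtemp(prefix="hookaudit-")
    hooks_dir = Path(root) / ".git" / "hooks"
    hooks_dir.mkdir(parents=True)
    (hooks_dir / "pre-commit.sample").write_text("#!/bin/sh\nexit 0\n")
    live_hook = hooks_dir / "post-merge"
    live_hook.write_text("#!/bin/sh\necho 'post-merge hook ran'\n")
    live_hook.chmod(0o755)
    return root


if __name__ == "__main__":
    print(find_active_hooks(make_demo_repo()))  # ['post-merge']
```

Run the same function against a repository owned by a low-privileged user that root is expected to pull; any name it returns is a script that would execute as root.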