HackTheBox Writeup — Bitlab

Hello guys, I am Faisal Husaini. My username on HTB is “kNgF”. Also join me on Discord.

The IP of this box is 10.10.10.114

Running masscan on it, we get:

Running nmap against the open ports, we get:

We see only two ports open: OpenSSH on port 22 and nginx on port 80.

Checking the web service in a browser, we see:

It is hosting GitLab Community Edition, and it redirects us to a login page.

Exploring further, we see a Help section; clicking on that,

we get a directory index containing an HTML file named bookmarks.html.

Clicking on it, we see the bookmarks:

We see 5 bookmarks, but when hovering over the GitLab Login one, we see the JavaScript code below:

javascript:(function(){%20var%20_0x4b18=["\x76\x61\x6C\x75\x65","\x75\x73\x65\x72\x5F\x6C\x6F\x67\x69\x6E","\x67\x65\x74\x45\x6C\x65\x6D\x65\x6E\x74\x42\x79\x49\x64","\x63\x6C\x61\x76\x65","\x75\x73\x65\x72\x5F\x70\x61\x73\x73\x77\x6F\x72\x64","\x31\x31\x64\x65\x73\x30\x30\x38\x31\x78"];document[_0x4b18[2]](_0x4b18[1])[_0x4b18[0]]=%20_0x4b18[3];document[_0x4b18[2]](_0x4b18[4])[_0x4b18[0]]=%20_0x4b18[5];%20})()

It was in URL-encoded form, so I used Burp to decode it and get it into a usable form.
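As an added example (not from the original writeup), the same bookmarklet can be read offline instead of pasting it into the browser console: URL-decode it, decode the obfuscator's \xNN string table, and substitute the table references back into the code. The BOOKMARKLET constant is the snippet from the page re-typed with plain quotes; the function names are my own.

```javascript
// Added example: decode the obfuscated bookmarklet from bookmarks.html
// without executing it. BOOKMARKLET is the page's snippet (plain quotes);
// all function names below are this example's own.
const BOOKMARKLET =
  'javascript:(function(){%20var%20_0x4b18=["\\x76\\x61\\x6C\\x75\\x65",' +
  '"\\x75\\x73\\x65\\x72\\x5F\\x6C\\x6F\\x67\\x69\\x6E",' +
  '"\\x67\\x65\\x74\\x45\\x6C\\x65\\x6D\\x65\\x6E\\x74\\x42\\x79\\x49\\x64",' +
  '"\\x63\\x6C\\x61\\x76\\x65",' +
  '"\\x75\\x73\\x65\\x72\\x5F\\x70\\x61\\x73\\x73\\x77\\x6F\\x72\\x64",' +
  '"\\x31\\x31\\x64\\x65\\x73\\x30\\x30\\x38\\x31\\x78"];' +
  'document[_0x4b18[2]](_0x4b18[1])[_0x4b18[0]]=%20_0x4b18[3];' +
  'document[_0x4b18[2]](_0x4b18[4])[_0x4b18[0]]=%20_0x4b18[5];%20})()';

// Step 1: undo the URL encoding (%20 -> space) and drop the javascript: scheme.
function urlDecode(src) {
  return decodeURIComponent(src.replace(/^javascript:/, ''));
}
// Step 2: resolve \xNN escapes ourselves rather than letting a JS engine do it.
function unescapeHex(s) {
  return s.replace(/\\x([0-9A-Fa-f]{2})/g, (_, h) => String.fromCharCode(parseInt(h, 16)));
}
// Step 3: find the obfuscator's string table (var _0x....=[...]) and decode it.
function extractStringTable(src) {
  const m = src.match(/var\s+(_0x[0-9a-f]+)\s*=\s*\[([^\]]*)\]/);
  if (!m) throw new Error('no string table found');
  const entries = [...m[2].matchAll(/"([^"]*)"/g)].map((x) => unescapeHex(x[1]));
  return { name: m[1], entries };
}
// Step 4: substitute every table[i] reference with its decoded literal, so that
// document[_0x4b18[2]](_0x4b18[1])[_0x4b18[0]] reads as
// document["getElementById"]("user_login")["value"].
function deobfuscate(bookmarklet) {
  const src = urlDecode(bookmarklet);
  const { name, entries } = extractStringTable(src);
  const ref = new RegExp(name + '\\[(\\d+)\\]', 'g');
  const readable = src.replace(ref, (_, i) => JSON.stringify(entries[Number(i)]));
  return { strings: entries, readable };
}
// Step 5: summarise which login form fields the bookmarklet fills, and with what.
function fieldValues(readable) {
  const re = /document\["getElementById"\]\("([^"]+)"\)\["value"\]\s*=\s*"([^"]*)"/g;
  const out = {};
  for (const m of readable.matchAll(re)) out[m[1]] = m[2];
  return out;
}

const result = deobfuscate(BOOKMARKLET);
console.log(result.readable);
console.log(fieldValues(result.readable)); // { user_login: 'clave', user_password: '11des0081x' }
```

The output shows the bookmarklet does nothing beyond writing a fixed username and password into the two login fields, which is the same information the screenshots in this writeup reveal, obtained without running untrusted code.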

As we see, we got the code in usable form, so we open the console in the browser and paste it there.

After pasting and running the code, we see some changes in the login area.

We see that credentials were filled into the login form; we can also reveal the password in plain text and see:

So we log in and then see:

We have a project here; looking further into it,

we see there is a file, so all we do is add our own PHP file to get a reverse shell.

Here we put our simple code, which runs system commands passed through a GET parameter; we save it, merge it into the master branch, and then confirm the file is saved.

Now we click the Settings option and get redirected to the profile page of Clave.

Now we try to access the PHP page we created.

We can access it successfully; since we didn't provide any system command, it gave a warning, so now we provide the command id.

We have command execution, so now we set up our reverse shell.

Now looking back at the netcat listener, we get:

Our reverse shell worked; now we run sudo -l.

We see that the current user www-data can run /usr/bin/git pull as root via sudo without a password.

Also, if we remember from above, there was something PostgreSQL-related; digging further through the files and folders, we get:

We get a PHP file named con.php which contains some SQL commands; running this file on the server,

we get credentials for the user clave, so we log in over SSH with them.

The SSH login as clave was successful, and now we get the user flag.

Moving on to privilege escalation.

We move back to the least privileged shell we had, i.e. the www-data shell, where we could run git pull with sudo.

We go to the tmp directory and copy all the contents of the profile repository into a folder named git.

git pull is a Git command used to update the local version of a repository from a remote. After a successful merge it runs the repository's post-merge hook from .git/hooks, and because sudo runs the pull as root, the hook runs as root too.

So we put a bash one-liner reverse shell into the post-merge hook to get a reverse shell.

We are ready to run git pull with sudo.

We run the command and check the netcat listener.

We got a shell as root, so we now get the root flag.
