HackTheBox Writeup — Laboratory

Hello guys, I am Faisal Husaini. My username on HTB is “feodore”. Also join me on Discord.

The IP of this box is 10.10.10.216

Port Scan

Running a full NMAP port scan against it, we get:

We get 3 open ports: port 22 for SSH, and ports 80 and 443 for web.

Way To User

Checking the NMAP result, we see that the web server redirects to https://laboratory.htb, and in the SSL certificate we see another domain, git.laboratory.htb, so we add both to our hosts file and check the web.

We confirm from the SSL certificate that the other subdomain exists.

Nothing much of interest on the main domain, so we check the git domain.

GitLab Community Edition is installed on the git domain, and we are redirected to the login page, where we have the option to register a user.

We register a new user and log in.

Checking the version of GitLab installed, we see GitLab Community Edition 12.8.1, which has a directory traversal vulnerability reported on HackerOne.

We confirm the vulnerability by retrieving the /etc/passwd file.

This vulnerability is chained with RCE, for which we first have to retrieve the following file:

/opt/gitlab/embedded/service/gitlab-rails/config/secrets.yml
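From the defensive side, the arbitrary file read above leaves a trace wherever the traversal reaches the web tier: request paths that climb out of the upload directory, often percent-encoded once or twice, and that resolve to the two files named in this writeup. The following detector is an added example and is not code from the writeup or from GitLab; the access-log lines are constructed in common log format, the `SENSITIVE_PATHS` list is a constructed starting point, and the `/uploads/` prefix is assumed to be the directory the server is meant to serve from.

```python
import re
import posixpath
from urllib.parse import unquote

# Targets of an arbitrary read on a GitLab host. The two entries are the files
# named in the writeup; the tuple is a constructed starting point, not a catalogue.
SENSITIVE_PATHS = (
    "/etc/passwd",
    "/opt/gitlab/embedded/service/gitlab-rails/config/secrets.yml",
)

# Constructed sample access-log lines (common log format); not taken from the box.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2021:10:00:00 +0000] "GET /uploads/abc/avatar.png HTTP/1.1" 200 512
10.0.0.7 - - [01/Jan/2021:10:00:01 +0000] "GET /uploads/abc/../../../../etc/passwd HTTP/1.1" 200 1024
10.0.0.7 - - [01/Jan/2021:10:00:02 +0000] "GET /uploads/abc/..%2f..%2f..%2fopt/gitlab/embedded/service/gitlab-rails/config/secrets.yml HTTP/1.1" 200 2048
10.0.0.9 - - [01/Jan/2021:10:00:03 +0000] "GET /uploads/abc/..%252f..%252fetc/passwd HTTP/1.1" 404 0
10.0.0.5 - - [01/Jan/2021:10:00:04 +0000] "GET /users/sign_in HTTP/1.1" 200 4096
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def decode_fully(path, rounds=3):
    """Percent-decode until the value stops changing (bounded), so that
    double-encoded sequences such as %252f are unwrapped as well."""
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def analyze_path(raw_path):
    """Describe whether a request path escapes its directory or lands on a sensitive file."""
    decoded = decode_fully(raw_path.split("?", 1)[0])
    resolved = posixpath.normpath(decoded)  # collapses every '..' against the root
    reasons = []
    if ".." in decoded.split("/"):
        reasons.append("dot-dot segment")
    if decoded.startswith("/uploads/") and not resolved.startswith("/uploads/"):
        reasons.append("escapes /uploads")
    if resolved in SENSITIVE_PATHS:
        reasons.append("resolves to sensitive file")
    return {"decoded": decoded, "resolved": resolved, "reasons": reasons}


def scan_log(text):
    """Return one finding per suspicious request, failed attempts (4xx) included."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        info = analyze_path(m["path"])
        if info["reasons"]:
            findings.append({"ip": m["ip"], "status": int(m["status"]),
                             "path": m["path"], **info})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["ip"], f["status"], f["resolved"], ";".join(f["reasons"]))
```

Three of the five constructed lines are flagged, including the 404, because an attempt that fails is still worth an alert. Normalizing with `posixpath.normpath` after bounded decoding is what lets the detector reason about where the request actually lands rather than matching on the literal `../` string.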

Now we follow the report and create our payload, which will be used in the Cookie field. For this we have to install a GitLab instance locally, which I did using Docker.

Our cookie is created; we then run our curl command and get a reverse shell as the git user.

Now we create a new GitLab user using the gitlab-rails console and assign the admin role to the newly created user.

We now log in with our newly created user.

Login is successful. Looking for something interesting that is accessible only to admins, we find an SSH key for the user dexter.

We now connect as user dexter through SSH.

Way To Root

Checking for SUID binaries, we find an interesting one, i.e. docker-security.

Just running the cat command against the binary, we see that it runs the chmod command without an absolute path, so we can hijack the PATH and exploit it.
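The weakness here is a setuid program that shells out to a command by bare name, so the loader resolves it through the caller's PATH. A host-hardening audit can find that class of binary the same way the writeup did, by reading the printable strings of every setuid file and flagging ones that name a command without a leading slash. The script below is an added example, not code from the writeup or from the box: `WATCHED_COMMANDS` is a constructed list, and `SAMPLE_BINARY` is a constructed stand-in for the readable bytes of a wrapper binary so that the check runs offline.

```python
import os
import re
import stat
import sys

# Commands a small wrapper binary typically shells out to. A reference by bare
# name (no leading slash) is resolved through PATH at run time. Constructed list.
WATCHED_COMMANDS = {"chmod", "chown", "cp", "mv", "rm", "cat", "docker", "bash", "sh"}

# Constructed stand-in for a binary's bytes: one shell-out to chmod by bare
# name, one call to docker by absolute path, and some libc noise.
SAMPLE_BINARY = (
    b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8
    + b"chmod 777 /home/dexter/file\x00"
    + b"/usr/bin/docker ps\x00"
    + b"system\x00libc.so.6\x00"
)

PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{4,}")  # same idea as strings(1)


def printable_strings(data):
    """Return the printable ASCII runs (4+ chars) in a byte blob."""
    return [m.group().decode("ascii") for m in PRINTABLE_RUN.finditer(data)]


def bare_command_refs(data):
    """Return (string, command) pairs where a watched command appears as the
    first token of an embedded string without an absolute path."""
    hits = []
    for s in printable_strings(data):
        tokens = s.split()
        if tokens and tokens[0] in WATCHED_COMMANDS:
            hits.append((s, tokens[0]))
    return hits


def is_setuid(path):
    """True for a regular file carrying the setuid or setgid bit (symlinks skipped)."""
    st = os.lstat(path)
    return stat.S_ISREG(st.st_mode) and bool(st.st_mode & (stat.S_ISUID | stat.S_ISGID))


def find_suid_files(root="/"):
    """Yield every setuid/setgid regular file under root, ignoring unreadable entries."""
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            p = os.path.join(dirpath, name)
            try:
                if is_setuid(p):
                    yield p
            except OSError:
                continue


def audit_tree(root="/"):
    """Map each setuid file that references a watched command by bare name to its hits."""
    report = {}
    for p in find_suid_files(root):
        try:
            with open(p, "rb") as fh:
                hits = bare_command_refs(fh.read())
        except OSError:
            continue
        if hits:
            report[p] = hits
    return report


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "/"
    for path, hits in audit_tree(root).items():
        for s, cmd in hits:
            print(f"{path}: '{cmd}' referenced by bare name in {s!r}")
```

A hit is a finding to remediate, not proof of exploitability, but the fix is the same either way: the program should invoke the helper by absolute path (or set PATH itself before any shell-out) rather than trust the environment it was started with, and a setuid bit on a wrapper that only needs to run docker is worth questioning on its own.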
