Thumbnail: jekyll

HTB Notes 220 Part 1

on under CTF
3 minute read ran nmap -sV -p- -A -T5 -oN /path/file –script=vuln ipAddress
i’m so used to rushing at work, this is painstakingly slow
ports 22, 5080 open
visited 5080 in browser, is a GitLab CE page
hitting it with gobuster for seclinsts raft-large files and directories
@exploit-db, looked up gitlab:
lots of potential exploits
candidate: CVE 2013-4490 Gitlab-shell - Code Execution (Metasploit)
copied exploit to this folder with searchsploit, reviewed
looks like it relies on gitlab using ssh keys in system calls
needs valid creds first
exploring http more while fuzzing runs:
/root/ goes to administrator activity feed /root/ Administrator is @root
/help/ goes to help pages actually hosted on this machine
/public/ yields repo n2/JDmvHSOF /public/ username is @n2
cannot sign in with n2::JDmvHSOF
/search/ is a search page, INTERESTING
/robots.txt yields a lot of INTERESTING rules
/robots.txt there’s a 1 sec rate limit so my fuzzing is nill
/test/ yields another @test user, no activity
looking back over /robots.txt
searching google for gitlab issues
found some arb file read from hackerone
@hackerone: can read arb file by copy malformed issue from one project issue to another
registered and logged into machine gitlab as n3
created project n3/some-crap
INTERESTING: this gitlab is in container
created project n3/some-other-crap
created issue in some-other-crap
moved issue to some-crap
error occured while moving the issue
did not move, did not copy the file out
i need to know exact gitlab version
vers 11.4.7 CE
oh liveoverflow wrote about an RCE for this
found exploit edb-id 49334 gitlab 11.4.7 RCE
updated searchsploit (-u)
cancelled still-running fuzz
n3 user creds are: [email protected]::P9GWvfJbdK2ypMw
searchsploit done updating, still no 49334
downloaded and moved to /usr/share/metasploit-framework/modules/exploits/ruby/webapps/
updated db (updatedb)
started msfconsole
no 49334 found
followed a few guides on importing metasploit modules
wow none worked
this is a huge pain, tried 5 methods so far
returned the next day
have realized that i am an idiot, this is a python script, not ruby
started machine back up
machine responds to pings again
reviewing pythong exploit
flags are -u gitlabuser -p gitlabpass -g url -l localIP -p localPort
created netcat listener on 1234
re-registered user at target gitlab, htbuser::htbuser1234
test ran exploit against machine output: creating project ‘project1612’
output: exploit completed successfully
watching listener…nothing yet
maybe it reached back out and couldn’t touch my machine
re-checked tun0 IP, is correct
re-checked given port, is correct
logged in as the new htbuser, viewed projects
project1612 import still underway
INTERESTING: there’s also a dude/ready-channel.git
i wonder if i need to offer the container IP 172dot instead of 10dot
maybe not, the exploit DID create the repo looking through /ready-channel.git
lots and lots of files
some scripts in /ready-channel/scripts
INTERESTING: /ready-channel/web.config
this file contains rules that i can perhaps edit out
back to exploits
found to test
it’s from the liveoverflow article i was reading yesterday
kids are going nuts and need to be put to bed

HTB, CTF, Gitlab
comments powered by Disqus