HTB — Ready Writeup

Jon Goodgion
3 min read · Oct 10, 2021

This is my write-up for the ‘Ready’ box found on Hack The Box.

Summary:

  • An outdated GitLab instance with open registration and vulnerable to an authenticated RCE
  • Plaintext password storage in configuration files
  • Docker container breakout by mounting the host filesystem

Services

nmap -vv --reason -sV -Pn 10.10.10.220

PORT     STATE SERVICE REASON  VERSION
22/tcp   open  ssh     syn-ack OpenSSH 8.2p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
5080/tcp open  http    syn-ack nginx
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

User Flag

The nmap scan discovered an HTTP service running on port 5080. Browsing to it reveals a GitLab instance with open registration enabled. This means that anyone can register for an account, which allows further enumeration as an authenticated user. So I registered for an account:

GitLab instance with open registration enabled

Unfortunately, there was no special content or open repositories that I could access. However, I was able to determine the GitLab version from the /help page: it was 11.4.7.

GitLab Community Version Information

Searching for GitLab 11.4.7 vulnerabilities, I discovered an authenticated Remote Code Execution (RCE) Proof of Concept (PoC) on Exploit-DB. This was based on a Server Side Request Forgery (SSRF) exploit chain, published in December 2020.

I used this PoC to trigger a reverse shell callback, gained a shell as the low-privilege user git, and retrieved the user.txt flag.

Triggering the exploit
Catching the reverse shell

Root Flag

First, I upgraded to a more functional shell using python:

python3 -c 'import pty;pty.spawn("/bin/bash")'

Next, I grabbed a copy of the LinPEAS enumeration script and transferred it to the target with python’s SimpleHTTPServer module.

While analyzing the output, I noticed that this shell was running inside a Docker container, so I determined I would likely need a Docker breakout to obtain the root flag.

Docker container context from LinPEAS output

However, most Docker breakouts require root inside the container first, and I was still operating as the git user. Fortunately, LinPEAS had also reported a plaintext password in the /opt/backup/gitlab.rb file:

Plaintext Password from LinPEAS output

I successfully authenticated to the container's root account using this password.

This HackTricks GitBook was a great reference for Docker breakouts; from it I learned that a container started with the --privileged flag can see, mount and access the host's block devices. I confirmed these were visible with fdisk -l and that the host's Linux root filesystem was on /dev/sda2.

Host filesystem as /dev/sda2

Last, I mounted the filesystem using mount and then accessed the root.txt flag.

mkdir /tmp/mnt2
mount /dev/sda2 /tmp/mnt2
cat /tmp/mnt2/root/root.txt
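The breakout above works only because the container was started with --privileged (or otherwise given host block devices or mount-capable capabilities). The following is an added example, not part of the original write-up, that audits `docker inspect` output from the host side for exactly those conditions; the JSON sample is constructed and not taken from the box.

```python
import json
import re

# Constructed sample of `docker inspect` output (not captured from the box): one
# container run with --privileged, one given a host disk plus SYS_ADMIN, one clean.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/gitlab", "HostConfig": {"Privileged": True, "Devices": [],
                                       "CapAdd": None, "Binds": None}},
    {"Name": "/web", "HostConfig": {"Privileged": False,
                                    "Devices": [{"PathOnHost": "/dev/sda2",
                                                 "PathInContainer": "/dev/sda2",
                                                 "CgroupPermissions": "rwm"}],
                                    "CapAdd": ["SYS_ADMIN"],
                                    "Binds": ["/:/host:ro"]}},
    {"Name": "/db", "HostConfig": {"Privileged": False, "Devices": [],
                                   "CapAdd": None, "Binds": ["dbdata:/var/lib/postgresql"]}},
])

# Capabilities that let a root process in the container reach host resources
# (mount, raw disk I/O, module loading, bypassing file permission checks).
RISKY_CAPS = {"SYS_ADMIN", "SYS_MODULE", "SYS_RAWIO", "DAC_READ_SEARCH"}
BLOCK_DEVICE = re.compile(r"^/dev/(sd|vd|xvd|nvme|mmcblk)")


def audit_containers(inspect_json: str) -> dict:
    """Return {container_name: [issues]} for containers whose HostConfig would
    let root inside the container mount the host filesystem as in the write-up."""
    findings = {}
    for container in json.loads(inspect_json):
        hc = container.get("HostConfig", {})
        issues = []
        if hc.get("Privileged"):
            # --privileged grants all capabilities and exposes every /dev node,
            # so `fdisk -l` and `mount /dev/sda2 ...` work exactly as shown above.
            issues.append("privileged")
        for dev in hc.get("Devices") or []:
            if BLOCK_DEVICE.match(dev.get("PathOnHost", "")):
                issues.append(f"host block device {dev['PathOnHost']}")
        for cap in hc.get("CapAdd") or []:
            name = cap.upper()
            name = name[4:] if name.startswith("CAP_") else name
            if name in RISKY_CAPS:
                issues.append(f"added capability {name}")
        for bind in hc.get("Binds") or []:
            src = bind.split(":")[0]
            if src == "/" or src.startswith("/dev"):
                issues.append(f"host path bind {bind}")
        if issues:
            findings[container["Name"].lstrip("/")] = issues
    return findings
```

On a live host, feed it the output of `docker inspect $(docker ps -q)`; any container it flags should be re-run without --privileged and with the offending device, capability or bind removed.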
