HTB — Ready Writeup
This is my write-up for the ‘Ready’ box found on Hack The Box.
Summary:
- An outdated GitLab instance with open registration and vulnerable to an authenticated RCE
- Plaintext password storage in configuration files
- Docker container breakout by mounting the host filesystem
Services
nmap -vv --reason -sV -Pn 10.10.10.220
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack OpenSSH 8.2p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
5080/tcp open http syn-ack nginx
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
User Flag
The nmap scan discovered an HTTP service running on port 5080. Browsing to it reveals a GitLab instance with open registration enabled, meaning that anyone can register an account, which allows further enumeration as an authenticated user. So I registered for an account.
Unfortunately, there was no special content or open repositories that I could access. However, I was able to determine the GitLab instance version from the /help page, which was version 11.4.7.
Searching for GitLab 11.4.7 vulnerabilities, I discovered an authenticated Remote Code Execution (RCE) Proof of Concept (PoC) on Exploit-DB. This was based on a Server Side Request Forgery (SSRF) exploit chain, published in December 2020.
I used this PoC to trigger a reverse shell callback and gained a shell as the low-privilege user, git, and retrieved the user.txt flag.
Root Flag
First, I upgraded to a more functional shell using python:
python3 -c 'import pty;pty.spawn("/bin/bash")'
Next, I grabbed a copy of the LinPEAS enumeration script and transferred it to the target with python's SimpleHTTPServer module.
While analyzing the output, I noticed that this access was in the context of a docker container, so I determined that I would likely need to achieve a docker breakout to obtain the root flag.
Most docker breakouts require you to be in the root context of the container first, but I was still operating as the git user. Fortunately, I also noticed that the LinPEAS automated enumeration had reported a plaintext password in the /opt/backup/gitlab.rb file.
I successfully authenticated to the container's root account using this password.
This HackTricks GitBook was a great reference for docker breakouts, and I learned that containers started with the --privileged flag are able to mount and access the host filesystem. I confirmed these filesystems were accessible with fdisk -l and that the host Linux filesystem device was /dev/sda2.
Last, I mounted the filesystem using mount and then accessed the root.txt flag.
mkdir /tmp/mnt2
mount /dev/sda2 /tmp/mnt2
cat /tmp/mnt2/root/root.txt
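The breakout above only works because the container was started with --privileged, which is a host-side configuration mistake an administrator can audit for. The script below is an added example, not part of this write-up, that parses the JSON array printed by docker inspect and flags containers that run privileged, have CAP_SYS_ADMIN added, or bind-mount the host root or /dev; the sample output embedded in it is constructed for illustration.

```python
"""Audit `docker inspect` output for settings that permit the host-filesystem
mount breakout described above: --privileged (exposes host block devices such
as /dev/sda2 inside the container), an added CAP_SYS_ADMIN (allows mount(2)),
and bind mounts of the host root or /dev.

Hypothetical helper written for this write-up, not part of the original.
Input is the JSON array that `docker inspect <container ...>` prints."""
import json
import sys

# Constructed sample of `docker inspect` output, trimmed to the fields we read.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/gitlab", "HostConfig": {"Privileged": True, "CapAdd": None, "Binds": None}},
    {"Name": "/web", "HostConfig": {"Privileged": False, "CapAdd": ["SYS_ADMIN"], "Binds": ["/:/host:ro"]}},
    {"Name": "/db", "HostConfig": {"Privileged": False, "CapAdd": None, "Binds": ["/var/lib/db:/data"]}},
])


def audit(containers):
    """Return (container name, finding) tuples for each risky HostConfig setting."""
    findings = []
    for c in containers:
        name = c.get("Name", "?").lstrip("/")
        host = c.get("HostConfig") or {}
        if host.get("Privileged"):
            findings.append((name, "runs with --privileged: host block devices are mountable from inside"))
        for cap in host.get("CapAdd") or []:
            # Docker accepts both "SYS_ADMIN" and "CAP_SYS_ADMIN" spellings.
            if cap.upper().replace("CAP_", "") == "SYS_ADMIN":
                findings.append((name, "CAP_SYS_ADMIN added: mount(2) is permitted inside the container"))
        for bind in host.get("Binds") or []:
            src = bind.split(":", 1)[0]  # Binds entries are host_path:container_path[:opts]
            if src == "/" or src.startswith("/dev"):
                findings.append((name, f"bind mount of sensitive host path {src}"))
    return findings


def audit_json(text):
    """Parse raw `docker inspect` JSON and audit it."""
    return audit(json.loads(text))


if __name__ == "__main__":
    # Usage: docker inspect $(docker ps -q) | python3 audit_docker.py
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_INSPECT
    for name, why in audit_json(data):
        print(f"[!] {name}: {why}")
```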