HackTheBox - Bitlab

Summary

Bitlab, a Linux box created by HackTheBox users Frey and thek, was overall an easy medium-difficulty box. The initial foothold was about finding the credentials and the profile repository, which gets you RCE and a low-privilege shell. I took the unintended way and got root directly from www-data.

Enumeration

nmap scan

# Nmap 7.70 scan initiated Mon Sep  9 10:05:11 2019 as: nmap -sC -sV -oN nmap/bitlab 10.10.10.114
Nmap scan report for 10.10.10.114
Host is up (0.15s latency).
Not shown: 998 filtered ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 a2:3b:b0:dd:28:91:bf:e8:f9:30:82:31:23:2f:92:18 (RSA)
| 256 e6:3b:fb:b3:7f:9a:35:a8:bd:d0:27:7b:25:d4:ed:dc (ECDSA)
|_ 256 c9:54:3d:91:01:78:03:ab:16:14:6b:cc:f0:b7:3a:55 (ED25519)
80/tcp open http nginx
| http-robots.txt: 55 disallowed entries (15 shown)
| / /autocomplete/users /search /api /admin /profile
| /dashboard /projects/new /groups/new /groups/*/edit /users /help
|_/s/ /snippets/new /snippets/*/edit
|_http-server-header: nginx
| http-title: Sign in \xC2\xB7 GitLab
|_Requested resource was http://10.10.10.114/users/sign_in
|_http-trane-info: Problem with XML parsing of /evox/about
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Sep 9 10:05:35 2019 -- 1 IP address (1 host up) scanned in 23.93 seconds

We see only port 22 and port 80 open. As we don't have any credentials and the OpenSSH version looks recent, let's focus on port 80.

Enumerating the web service we find http://10.10.10.114/help/bookmarks.html

On this page we see a bookmark named "Gitlab Login" whose target is an obfuscated piece of JavaScript:

var a = function(){ var _0x4b18=["\x76\x61\x6C\x75\x65","\x75\x73\x65\x72\x5F\x6C\x6F\x67\x69\x6E","\x67\x65\x74\x45\x6C\x65\x6D\x65\x6E\x74\x42\x79\x49\x64","\x63\x6C\x61\x76\x65","\x75\x73\x65\x72\x5F\x70\x61\x73\x73\x77\x6F\x72\x64","\x31\x31\x64\x65\x73\x30\x30\x38\x31\x78"];document[_0x4b18[2]](_0x4b18[1])[_0x4b18[0]]= _0x4b18[3];document[_0x4b18[2]](_0x4b18[4])[_0x4b18[0]]= _0x4b18[5]; };

After deobfuscating the JavaScript (the hex escapes are just ASCII, and the code fills the user_login and user_password fields of the sign-in form) we find credentials for the user clave: clave:11des0081x.
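To see what the bookmarklet does without loading it in a browser, here is an added Python helper (my own, not part of the original post) that decodes the string table and rewrites every indexed reference into its literal; OBFUSCATED_JS is a copy of the snippet shown above.

```python
import re
import codecs

# Copy of the bookmarklet from /help/bookmarks.html (constructed inline so this runs offline).
OBFUSCATED_JS = r'''var a = function(){ var _0x4b18=["\x76\x61\x6C\x75\x65","\x75\x73\x65\x72\x5F\x6C\x6F\x67\x69\x6E","\x67\x65\x74\x45\x6C\x65\x6D\x65\x6E\x74\x42\x79\x49\x64","\x63\x6C\x61\x76\x65","\x75\x73\x65\x72\x5F\x70\x61\x73\x73\x77\x6F\x72\x64","\x31\x31\x64\x65\x73\x30\x30\x38\x31\x78"];document[_0x4b18[2]](_0x4b18[1])[_0x4b18[0]]= _0x4b18[3];document[_0x4b18[2]](_0x4b18[4])[_0x4b18[0]]= _0x4b18[5]; };'''

# "var _0xNNNN=[ ... ];" string table, as produced by the common hex-array obfuscator
ARRAY_RE = re.compile(r'var\s+(_0x[0-9a-fA-F]+)\s*=\s*\[(.*?)\];', re.S)
# one double-quoted JS string literal (escapes kept for later decoding)
STR_RE = re.compile(r'"((?:\\.|[^"\\])*)"')
# document["getElementById"]("<field>")["value"]= "<literal>" after rewriting
ASSIGN_RE = re.compile(
    r'document\["getElementById"\]\("([^"]+)"\)\["value"\]\s*=\s*"([^"]*)"')


def decode_js_string(s):
    # Turn \xNN / \uNNNN escapes into the characters they encode.
    return codecs.decode(s, 'unicode_escape')


def extract_string_table(js):
    """Return (array name, decoded strings) for the first hex string table."""
    m = ARRAY_RE.search(js)
    if not m:
        raise ValueError('no string table found')
    name, body = m.group(1), m.group(2)
    return name, [decode_js_string(x) for x in STR_RE.findall(body)]


def deobfuscate(js):
    """Replace every name[index] reference with its literal and drop the table."""
    name, table = extract_string_table(js)
    ref = re.compile(re.escape(name) + r'\[(\d+)\]')
    out = ref.sub(lambda m: '"' + table[int(m.group(1))] + '"', js)
    return ARRAY_RE.sub('', out, count=1)


def field_assignments(js):
    """Map each form field the script fills to the literal it assigns."""
    return dict(ASSIGN_RE.findall(deobfuscate(js)))


if __name__ == '__main__':
    print(deobfuscate(OBFUSCATED_JS))
    print(field_assignments(OBFUSCATED_JS))
```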

We saw GitLab running on the web server. Logging in with the above credentials, we see two repositories: deployer and profile.
Reading the deployer code, we see that whenever anything is committed to profile, this code deploys the profile repository to the web root.

We can add a myrev.php, commit it to the profile repository, and merge it.

When we then visit http://bitlab.htb/profile/myrev.php we get a shell back as www-data.

Privilege Escalation

Enumerating as www-data, we see that we can run sudo git pull with password.

I copied the entire profile repository from /var/www/html/profile to /tmp/ and created a git hook, post-merge.

Then I updated the profile repository on the remote, ran sudo git pull in the copy, and listened for the callback,

which gives a root shell from which we can read root.txt.

Being root, we can read user.txt too.

With this we have pwned Bitlab.

Author: Shubham Kumar
Link: https://f3v3r.in/htb/machines/retired/bitlab/
Copyright Notice: All articles in this blog are licensed under CC BY-NC-SA 4.0 unless stating additionally.