Laboratory — HackTheBox WalkThrough

Passwords, hashes and Flags will be redacted to encourage you to solve those challenges on your own.

Enumeration

[Screenshots omitted; captions only: Nmap command; Nmap result; add hostname; add virtual host; target webpage; virtual host sign in; virtual host register; register error; GitLab version; vulnerability in GitLab 12.8.1]

CVE-2020-10977, initial report submitted by vakzz on HackerOne.

Note: you can only read a file if the current (service) user has permission to read it. I have tried.

[Screenshots omitted; captions only: submit issue; file to read (directory traversal); move issue to a second/another project; retrieve passwd file; passwd file]
Manual RCE Method

Note: If you are trying this on a Kali machine, make sure to take a snapshot in VMware first. If something goes wrong, you can revert to that snapshot.

Note: You need to read/download the secrets.yml file from the target using the same method described above. Location: /opt/gitlab/embedded/service/gitlab-rails/config/secrets.yml

[Screenshots omitted; captions only: secret_key_base (target); rshell; HTTP service; gitlab-rails console; payload; payload; cookie parameter; netcat listener; curl string; curl string with cookie; reverse shell]
[Screenshots omitted; captions only: Docker; find user; user error; change user password; sign in; dexter’s projects; SSH private key; permission of file; user flag; find SUID; SUID enabled on this binary; root flag]

Thank you for reading this blog. While attempting this challenge I learned so many things. This was a unique target with a unique vulnerability.

Reference

https://gist.github.com/dnozay/188f256839d4739ca3e4
https://docs.gitlab.com/ee/administration/troubleshooting/navigating_gitlab_via_rails_console.html#modifying-active-record-objects
https://hackerone.com/reports/827052
