Hack the Box: Laboratory

3 min readApr 26, 2021

Laboratory was an easy machine on Hack the Box.

TL;DR: I’ll find a virtual domain with a vulnerable instance of Gitlab. It can be exploited to gain a shell on Docker instance. I’ll use this access to change Dexter’s password and gain access to his private repository. The repository contains a private SSH key which I’ll use to get user flag. Privileges escalation can be done by exploiting a custom SUID binary. It calls chmod application with user priviliges which can be exploited to run any code by manipulating PATH variable.

User

Nmap:

$ sudo nmap -sS -sV -sC laboratory.htb
Starting Nmap 7.80 ( https://nmap.org ) at 2021-02-11 18:57 CET
Nmap scan report for laboratory.htb (10.10.10.216)
Host is up (0.013s latency).
Not shown: 997 filtered ports
PORT    STATE SERVICE VERSION
22/tcp  open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
80/tcp  open  http    Apache httpd 2.4.41
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Did not follow redirect to https://laboratory.htb/
443/tcp open  ssl/ssl Apache httpd (SSL-only mode)
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: The Laboratory
| ssl-cert: Subject: commonName=laboratory.htb
| Subject Alternative Name: DNS:git.laboratory.htb
| Not valid before: 2020-07-05T10:39:28
|_Not valid after:  2024-03-03T10:39:28
| tls-alpn: 
|_  http/1.1
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

On the main domain there’s a landing page:

On git virtual subdomain there’s a Gitlab instance:

After creating an account, I can see one project in the system:

Repo seems to contain code of the landing page. True to author’s words doesn’t seem to be hackable. I’ll need another way to get in.

The Gitlab is in version 12.8.1:

There’s a pretty new known file read remote code execution vulnerability of this version. There’s even Metasploit module that exploits it:

Running it will grant me shell:

The shell seems to have spawned in the docker. I’ll use that access to change Dexter’s password to Gitlab using CLI:

After logging into Gitlab to Dexter’s account I can see his private repo:

In the repo there’s SSH private key:

Using this key I can access SSH and grab user flag:

Root

Running LinPeas reveals an interesting Suid binary:

After decompiling it I can see that it runs chmod in an insecure way with root privileges:

It can be exploited by manipulating PATH environment variable:

Written by Tellico Lungrevink

19 Followers

Recommended from Medium

Dicky Aditrianza

HackTheBox Writeup — PC

Hello everyone, I’m a beginner here! I’m trying to write a write-up on an HTB machine again.

4 min readJun 4

Hack The Box — Sense — without Metasploit (TJNull’s list for OSCP)

Daniyal Ahmed

Hack The Box — Sense — without Metasploit (TJNull’s list for OSCP)

This is my 8th write-up for Sense, a machine from TJNull’s list of HackTheBox machines for OSCP Practice. The full list can be found here.

4 min readMay 8

Lists

Staff Picks

457 stories307 saves

Stories to Help You Level-Up at Work

19 stories229 saves

Self-Improvement 101

20 stories625 saves

Productivity 101

20 stories579 saves

Oscar

Hack The Box WriteUp: Inject

1. Reconnaissance Phase

6 min read5 days ago

Wali

Topology — HTB

This article is about the HTB machine — Topology. Despite its categorization as an Easy-level challenge, the process of attaining initial…

5 min readAug 15

Prem J

Hunting Hack the box write up

In this post. I'll describe how I found the flag in Hunting (one of the labs in hack-the-box).

4 min readJul 22

moko55

HackTheBox Writeup — Delivery

Step1 : Enumeration

5 min readAug 7

See more recommendations

Help
Status
Writers
Blog
Careers
Privacy
Terms
About
Text to speech
Teams