Hack the Box: Laboratory

Laboratory was an easy machine on Hack the Box.

TL;DR: I’ll find a virtual domain with a vulnerable instance of Gitlab. It can be exploited to gain a shell in a Docker container. I’ll use this access to change Dexter’s password and gain access to his private repository. The repository contains a private SSH key which I’ll use to get the user flag. Privilege escalation can be done by exploiting a custom SUID binary. It calls the chmod application with root privileges, which can be exploited to run any code by manipulating the PATH variable.

User

Nmap:

$ sudo nmap -sS -sV -sC laboratory.htb
Starting Nmap 7.80 ( https://nmap.org ) at 2021-02-11 18:57 CET
Nmap scan report for laboratory.htb (10.10.10.216)
Host is up (0.013s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.41
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Did not follow redirect to https://laboratory.htb/
443/tcp open ssl/ssl Apache httpd (SSL-only mode)
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: The Laboratory
| ssl-cert: Subject: commonName=laboratory.htb
| Subject Alternative Name: DNS:git.laboratory.htb
| Not valid before: 2020-07-05T10:39:28
|_Not valid after: 2024-03-03T10:39:28
| tls-alpn:
|_ http/1.1
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

On the main domain there’s a landing page:

On the git virtual subdomain there’s a Gitlab instance:

After creating an account, I can see one project in the system:

The repo seems to contain the code of the landing page. True to the author’s words, it doesn’t seem to be hackable, so I’ll need another way to get in.

The Gitlab instance is version 12.8.1:

There’s a fairly recent, publicly known vulnerability in this version: an arbitrary file read that can be chained into remote code execution. There’s even a Metasploit module that exploits it:

Running it grants me a shell:

The shell appears to have spawned inside a Docker container. I’ll use that access to change Dexter’s Gitlab password using the CLI:

After logging into Gitlab as Dexter, I can see his private repo:

In the repo there’s an SSH private key:

Using this key I can log in over SSH and grab the user flag:

Root

Running LinPEAS reveals an interesting SUID binary:

After decompiling it, I can see that it runs chmod insecurely with root privileges:

It can be exploited by manipulating the PATH environment variable:
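The root cause here is a SUID binary that invokes chmod by its bare name, so whichever chmod the caller's PATH resolves first runs as root. As an added example, not the binary from the box nor code from the writeup's author, the block below shows that insecure pattern in a comment and a hardened replacement: the mode is validated, the program is started through execve() with an absolute path so PATH is never consulted, and the child gets a fixed, minimal environment. The /bin/chmod location, the helper names and the temp-file self-check are assumptions made for illustration.

```c
/*
 * Added example (not from the original writeup or the box's binary).
 *
 * The insecure pattern behind this privilege escalation looks like:
 *     system("chmod 770 /some/path");   // SUID root, "chmod" resolved via caller's PATH
 * system() runs /bin/sh -c with the caller's environment, so any "chmod"
 * that appears earlier in PATH is executed with root privileges.
 */
#define _GNU_SOURCE
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

/* Absolute path (assumed location): the caller's PATH must never decide what runs as root. */
#define CHMOD_BIN "/bin/chmod"

/* Audit helper: does a command line (as it would be passed to system())
 * name its program by a relative name, i.e. does it rely on PATH lookup? */
int command_relies_on_path(const char *cmdline)
{
    while (*cmdline && isspace((unsigned char)*cmdline))
        cmdline++;
    return *cmdline != '\0' && *cmdline != '/';
}

/* Accept only a plain 3- or 4-digit octal mode such as "770" or "0640". */
int valid_octal_mode(const char *mode)
{
    size_t len = strlen(mode);
    if (len < 3 || len > 4)
        return 0;
    for (size_t i = 0; i < len; i++)
        if (mode[i] < '0' || mode[i] > '7')
            return 0;
    return 1;
}

/* Hardened replacement for system("chmod ..."):
 *  - validates the mode string and requires an absolute target path,
 *  - execve()s an absolute program path, so PATH is never consulted,
 *  - passes a minimal, fixed environment to the child,
 *  - returns chmod's exit status (0 on success) or -1 on failure. */
int run_chmod_safely(const char *mode, const char *path)
{
    static char *const clean_env[] = { "PATH=/usr/bin:/bin", NULL };

    if (!valid_octal_mode(mode) || path == NULL || path[0] != '/')
        return -1;

    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *const argv[] = { "chmod", (char *)mode, (char *)path, NULL };
        execve(CHMOD_BIN, argv, clean_env);
        _exit(127);             /* only reached if execve() failed */
    }

    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Self-check: create a temp file, chmod it through the safe wrapper and
 * report the resulting permission bits. Returns 0 on success, -1 otherwise. */
int demo_mode_after_chmod(const char *mode, mode_t *out_bits)
{
    char tmpl[] = "/tmp/suid-demo-XXXXXX";   /* constructed scratch file */
    int fd = mkstemp(tmpl);
    if (fd < 0)
        return -1;
    close(fd);

    int rc = run_chmod_safely(mode, tmpl);
    struct stat st;
    if (rc == 0 && stat(tmpl, &st) == 0)
        *out_bits = st.st_mode & 0777;
    else
        rc = -1;
    unlink(tmpl);
    return rc;
}

int main(void)
{
    mode_t bits = 0;
    printf("system(\"chmod 770 /x\") relies on PATH: %d\n",
           command_relies_on_path("chmod 770 /x"));
    printf("system(\"/bin/chmod 770 /x\") relies on PATH: %d\n",
           command_relies_on_path("/bin/chmod 770 /x"));
    if (demo_mode_after_chmod("640", &bits) == 0)
        printf("temp file mode after safe chmod: %04o\n", (unsigned)bits);
    return 0;
}
```

Replacing system() with fork/execve and an absolute path removes the PATH dependency; the fixed environment also keeps other inherited variables such as LD_PRELOAD or IFS out of the child. A quick audit of a decompiled SUID binary is to look at every string it hands to system(), popen() or execvp() and treat any program name that does not start with a slash as a finding.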