HTB Ready Writeup (ENG)


#HTB Writeup Hack Linux English

2021 Oct 05: 16:58

User.txt

First of all, we run an nmap scan: nmap -sC 10.10.10.220. As we can see, there are 2 open ports.

22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 48:ad:d5:b8:3a:9f:bc:be:f7:e8:20:1e:f6:bf:de:ae (RSA)
|   256 b7:89:6c:0b:20:ed:49:b2:c1:86:7c:29:92:74:1c:1f (ECDSA)
|_  256 18:cd:9d:08:a6:21:a8:b8:b6:f7:9f:8d:40:51:54:fb (ED25519)
5080/tcp open  http    nginx
| http-robots.txt: 53 disallowed entries (15 shown)
| / /autocomplete/users /search /api /admin /profile
| /dashboard /projects/new /groups/new /groups/*/edit /users /help
|_/s/ /snippets/new /snippets/*/edit
| http-title: Sign in \xC2\xB7 GitLab
|_Requested resource was http://10.10.10.220:5080/users/sign_in
|_http-trane-info: Problem with XML parsing of /evox/about

Port 5080 hosts an older version of GitLab. The version is 11.4.7, and Exploit-DB has a Python exploit for it. We download it and run it as python 49334.py; it then shows which arguments it expects, and the -h flag gives a detailed description of them. The next step is registering an account on the GitLab instance to get the values the script needs as arguments. It's important to start a listener in another terminal before running the exploit: rlwrap nc -lvnp 1234. After the exploit runs, we get a reverse shell in the listening terminal. Next we upgrade the shell:

export TERM=xterm-256color
python3 -c 'import pty; pty.spawn("/bin/bash")'

The /home directory contains a home folder for the user dude, where we can find user.txt.

Root.txt

After a little searching, we find a gitlab.rb file in the /opt/backup folder; grepping it for the keyword password gives us the root password. With the su root command and that password we can log in as root. The root.txt isn't in the /root/ directory, so we have to look for it somewhere else. It's on the /dev/sda2 drive. We mount it with the mount /dev/sda2 /tmp command, and root.txt is in the /tmp/root/ directory.
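
The root step works because a backup copy of gitlab.rb kept a live password in plaintext where a low-privileged user could read it. The following audit check is an added example, not part of the original writeup: it flags uncommented secret settings in a gitlab.rb-style file and whether the file is readable by every local user. The sample content, the placeholder value and the function names are constructed for illustration.

```python
import os
import re
import stat
import tempfile

# Active (uncommented) Ruby assignment whose key names a secret, for example
#   gitlab_rails['smtp_password'] = "value"
SECRET_LINE = re.compile(
    r"""(?i)^\s*(?P<key>[\w.]+\[['"][^'"]*(?:password|secret|token)[^'"]*['"]\])"""
    r"""\s*=\s*(?P<value>.+?)\s*$""")
EMPTY_VALUES = {"nil", '""', "''"}

# Constructed sample in gitlab.rb style; the value is a placeholder.
SAMPLE = """\
# gitlab_rails['db_password'] = nil
gitlab_rails['smtp_enable'] = true
gitlab_rails['smtp_password'] = "EXAMPLE-PLACEHOLDER"
# gitlab_rails['initial_root_password'] = "password"
gitlab_rails['redis_password'] = nil
"""

def find_plaintext_secrets(text):
    """Return (line_number, key) per active secret setting, never the value."""
    hits = []
    for number, line in enumerate(text.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue  # commented-out template defaults are not live settings
        match = SECRET_LINE.match(line)
        if match and match.group("value") not in EMPTY_VALUES:
            hits.append((number, match.group("key")))
    return hits

def audit_file(path):
    """Report whether path is readable by every local user and what it holds."""
    mode = os.stat(path).st_mode
    with open(path, encoding="utf-8", errors="replace") as handle:
        hits = find_plaintext_secrets(handle.read())
    return {"other_readable": bool(mode & stat.S_IROTH), "secrets": hits}

def demo():
    with tempfile.TemporaryDirectory() as folder:
        path = os.path.join(folder, "gitlab.rb")
        with open(path, "w", encoding="utf-8") as handle:
            handle.write(SAMPLE)
        os.chmod(path, 0o644)  # world-readable, like an unprotected backup copy
        return audit_file(path)

if __name__ == "__main__":
    print(demo())
```

Any hit in a file that reports other_readable as true means the secret should be rotated, the copy restricted to root, and the password not shared with a system account.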