HackTheBox – Laboratory

01:00 – Start of nmap, looking at SSL Certificates to get a hostname
02:20 – Examining the website
04:30 – Getting git.Laboratory.htb out of the certificate and checking that host
06:10 – Registering for a GitLab Account then poking at gitlab
07:20 – Getting the GitLab Version and finding a Vulnerability
09:20 – Creating two issues, so we can perform the LFI
11:45 – Using the LFI to extract the application secret then b
15:55 – Installing a vulnerable gitlab docker so we can build our serialized payload
17:00 – Starting the docker container, then executing bash inside of it
17:55 – Changing the docker secret to the one of Laboratory
18:25 – Restarting with gitlab-ctl restart, then entering the console with gitlab-rails console
19:20 – Creating the serialization payload
22:10 – Reverse shell as git returned. Discovering we are inside of docker
23:00 – Running the automated docker script DeepCe
24:50 – Playing with the gitlab console to turn our user into an admin
27:00 – Sorry for the abrupt cut, phone went off and edited that out poorly.
27:15 – Viewing projects on gitlab as admin to find an SSH Key
31:20 – Shell as dexter, running LinPEAS
34:05 – SetUID Binary docker-security found, searching for strings then running ltrace
34:50 – ltrace shows the binary does not use absolute path, doing a PATH HIJACK to trick the program into executing a shell
36:50 – Going over notes

source

by IppSec

linux http server