HackTheBox – Laboratory

01:00 – Start of nmap, looking at SSL Certificates to get a hostname
02:20 – Examining the website
04:30 – Getting git.Laboratory.htb out of the certificate and checking that host
06:10 – Registering for a GitLab Account then poking at gitlab
07:20 – Getting the GitLab Version and finding a Vulnerability
09:20 – Creating two issues, so we can perform the LFI
11:45 – Using the LFI to extract the application secret then b
15:55 – Installing a vulnerable gitlab docker so we can build our serialized payload
17:00 – Starting the docker container, then executing bash inside of it
17:55 – Changing the docker secret to the one of Laboratory
18:25 – Restarting with gitlab-ctl restart, then entering the console with gitlab-rails console
19:20 – Creating the serialization payload
22:10 – Reverse shell as git returned. Discovering we are inside of docker
23:00 – Running the automated docker script DeepCe
24:50 – Playing with the gitlab console to turn our user into an admin
27:00 – Sorry for the abrupt cut, phone went off and edited that out poorly.
27:15 – Viewing projects on gitlab as admin to find an SSH Key
31:20 – Shell as dexter, running LinPEAS
34:05 – SetUID Binary docker-security found, searching for strings then running ltrace
34:50 – ltrace shows the binary does not use absolute path, doing a PATH HIJACK to trick the program into executing a shell
36:50 – Going over notes

source by IppSec

linux http server

Léa LOPEZ

Léa LOPEZ

Léa LOPEZ, Telecom System Administrator, Ambala College of Engineering and Applied Research, Ambala (INDIA)

29 thoughts on “HackTheBox – Laboratory

Leave a Reply