diff --git a/HackTheBox/Laboratory.md b/HackTheBox/Laboratory.md
new file mode 100644
index 0000000..13814a2
--- /dev/null
+++ b/HackTheBox/Laboratory.md
@@ -0,0 +1,187 @@
+# HackTheBox-Laboratory
+
+## Rustscan
+
+```
+rustscan -a 10.10.10.216 -- -A -sC -sV
+.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
+| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
+| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
+`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
+The Modern Day Port Scanner.
+________________________________________
+: https://discord.gg/GFrQsGy :
+: https://github.com/RustScan/RustScan :
+ --------------------------------------
+Please contribute more quotes to our GitHub https://github.com/rustscan/rustscan
+[~] The config file is expected to be at "/root/.rustscan.toml"
+[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
+[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
+Open 10.10.10.216:22
+Open 10.10.10.216:80
+Open 10.10.10.216:443
+
+PORT STATE SERVICE REASON VERSION
+22/tcp open ssh syn-ack ttl 63 OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
+80/tcp open http syn-ack ttl 63 Apache httpd 2.4.41
+| http-methods:
+|_ Supported Methods: GET HEAD POST OPTIONS
+|_http-server-header: Apache/2.4.41 (Ubuntu)
+|_http-title: Did not follow redirect to https://laboratory.htb/
+443/tcp open ssl/http syn-ack ttl 63 Apache httpd 2.4.41 ((Ubuntu))
+| http-methods:
+|_ Supported Methods: OPTIONS HEAD GET POST
+|_http-server-header: Apache/2.4.41 (Ubuntu)
+|_http-title: The Laboratory
+| ssl-cert: Subject: commonName=laboratory.htb
+| Subject Alternative Name: DNS:git.laboratory.htb
+| Issuer: commonName=laboratory.htb
+| Public Key type: rsa
+| Public Key bits: 4096
+| Signature Algorithm: sha256WithRSAEncryption
+
+```
+
+## PORT 80/443 (HTTP/HTTPS)
+
+On visting port 80 I was redirected to https with a domain `laboratory.htb`
+
+
+
+So let's add this to `/etc/hosts` file
+
+
+
+
+
+Running dirsearch was pointless because couldn't find anything
+
+
+
+But I did saw a subdomain from the nmap scan `git.laboratory.htb` on adding to `/etc/hosts`
+
+
+
+
+
+We could not sign in since we have not found any users so I registered an account
+
+
+
+On logging in we can't see anything useful
+
+
+
+But going to help page we see the version number of gitlab which is 12.8.1
+
+
+
+Searching an exploit for this version I found one RCE
+
+https://github.com/dotPY-hax/gitlab_RCE
+
+Edited the email for the payload
+
+
+
+
+
+
+
+But it was not stable
+
+
+
+I grabbed the `secrets.yml` through unstablized shell also realized that this was a docker container
+
+
+
+It was unstable so I decide to go for metasploit
+
+https://www.rapid7.com/db/modules/exploit/multi/http/gitlab_file_read_rce/
+
+
+
+These are the options you would have to set
+
+
+
+And we get a bash prompt
+
+
+
+To get a more stablized shell
+
+
+
+
+
+I searched for `pentesting gitlab` and found a website that had some juicy information about what to look for
+
+
+
+
+
+I saw a user `dexter` that had a a repository
+
+
+
+But there wasn't anything intersting there looking back at that directory I saw two files having `secret` in them
+
+
+
+Didn't found anything then I came across a report that was submitted on hackerone regarding gitlab
+
+https://hackerone.com/reports/493324
+
+
+
+
+
+But this didn't worked so I searched for `gitlab shell change user password ` and found documentation
+
+
+
+After going through this I came to know that we can reset a user's password on gitlab
+
+
+
+And we logged in as `dexter`
+
+
+
+
+
+
+
+We see a ssh key so we can login as `dexter`
+
+
+
+There was a cron job running
+
+
+
+But I couldn't run docker
+
+
+
+Because we don't have permissions to execute. So here I spend a lot of time running `linpeas` , manual going through folders but found nothing then I looked for SUID
+
+
+
+
+
+
+
+We see that it's using `chmod` so we can exploit PATH variable
+
+```
+#!/bin/bash
+bash
+
+```
+
+
+
+
\ No newline at end of file
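Review bot: The privilege-escalation step that closes the file ("We see that it's using `chmod` so we can exploit PATH variable") cannot be verified from the text. The SUID binary found in the preceding step is never named, and the only artifact shown is a two-line script (`#!/bin/bash` / `bash`) with no file name and no statement of how it relates to `chmod`. The same gap runs through the rest of the write-up: every screenshot position is an empty line, so the exploit edit, the Metasploit options, the `secrets.yml` finding, the cron job and the SUID search survive only as their lead-in sentences. Suggest putting the relevant output in text code fences, as was done for the Rustscan section, and stating the root cause and fix explicitly: a setuid program that invokes `chmod` by bare name resolves it through the caller's PATH, which is closed by calling the absolute path or resetting PATH inside the program. Smaller points: the file has no trailing newline, the code fences carry no language tag, the Rustscan banner and ulimit warnings add nothing to the findings, and there are typos to fix ("visting", "did saw", "a a repository", "intersting", "Didn't found", "didn't worked", "stablized").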