Hey everyone, before we dive into this video, I just have two things to say. First of all, Hack The Box sent me this wonderful swag bag, so I got a cool shirt, I got a cool t-shirt, I got a cool sweatshirt, I got a cool mouse pad, I got a cool hat, everything, and I just wanted to say thank you. I really don't give Hack The Box as much love as I should, so what are we doing today? We're doing some Hack The Box, and I want to shower them with love, because thank you guys, thank you so, so much. And on that note, bringing me to point number two, I wanted to bring your awareness, bring your eyes over to the Cyber Apocalypse CTF 2021 that Hack The Box is doing super duper soon. Check it out. So the backstory here is: ready to save the world? The 22nd of April is International Earth Day, and guess what? The Earth was hacked by malicious extraterrestrials. Their ultimate plan is to seize control of our planet. It's only you who can save us from this terrible fate. It's going to be a five-day game, so a five-day capture the flag, starting on Monday the 19th of April, which is coming up, running all the way to the end of the week there and ending Friday the 23rd. It's a team game, max of 10 hackers, five days, should be from beginner to intermediate, so a lot of kind of accessible content here. New content uploaded every day, so they're going to be rolling stuff out, jeopardy-style game, and it's coming up quick. Here's the countdown, ladies and gentlemen. At the time of recording, we are just under two days away, and you can register here by clicking that Count Me In button. But check out the prizes for this thing. It's put together by Hack The Box and CryptoHack, so if you haven't checked out CryptoHack.org, they have phenomenal cryptography challenges. I really want to make some videos for you, CryptoHack, but I know you have a rule, anything that's over 40 points or something, I'm not allowed to do. So hey, hey, hey, hey.
But these prizes are stinking fantastic and incredible. It's open to everybody, which is great, and for every challenge that gets at least one solve, Hack The Box will be making a donation to Code.org. So I love that. That's stinking awesome. Code.org is a non-profit organization dedicated to expanding access to computer science education, increasing participation by young women and students from underrepresented groups. That's all great stuff. So hey, kudos to you guys. Thanks for doing that. That's incredible. Obviously, great, excellent, top-notch hacking content. This is kind of the challenges, the category stuff that you're going to expect to see. Some really good ones are there. You got hardware, you got blockchain. That's not normally what you see, but it's good stuff. Look at these prizes. VIP, stickers, merch, swag, VIP+, Academy cubes, and 1500 US dollars in cash and $100 worth of Hack The Box swag card and Hack The Box stickers and annual VIP+ and 1000 Academy cubes. This is unreal, so I'd recommend you really go check that out. Look, huge numbers thrown across the board. Good stuff. Check it out. If you want to go register, you totally should. We got about two days until the game starts. Go to ctf.hackthebox.eu, create an account, create a team, and join the Cyber Apocalypse CTF. I'll showcase that real quick here. Actually, I don't have LastPass configured on this virtual machine. It's not set up in Firefox, so I don't know if I can actually log in. But if you were to log in, type in your cool, like, l33t hacks or username, and then you do it, and then you do it, and you click on Cyber Apocalypse CTF. Sign up today. It's totally free, and it's going to be a ton of fun. Obviously, they've got support in the Discord server. It is on CTFtime, which is big, and that's it. That's enough of me yapping about that, but hey, that should be a ton of fun. And kudos to you guys for putting on an incredible game.
I think there are, what, like 4,000 folks registered now? So it should be a huge game, and you should dive in. Okay, hey, let's do it. Let's do the real video now, now that I've kind of yapped for four minutes, but I really wanted to get that on your radar, and now let's dive into some actual Hack The Box content that I want to showcase. This is going to be the Laboratory machine, or Laboratory. I would keep... I kept typing it without an O in laboratory, and then everything was wrong. I was literally mistyping the hostname over and over and over again. Disclaimer, I am not smart. This is an easy room, although I think some of the user ratings brought it up to about medium, and I would say medium seems a little bit more fair to me. Like, look, I was struggling, and I say I'm not smart because, like, I can do easy rooms sometimes, not really, not really all that often. I still struggle with the easy boxes, the easy machines, but I had to do some digging, and I was banging my head against the wall for this one. So I wanted to walk you through my thoughts, bring you down every rabbit hole that I went down, and hopefully we can get some good learning lessons out of it. But I think that's a fine time to transition, and let's go to the screen. All right, so I am over here inside of the Hack The Box interface, which is looking slick, if I may say. I love kind of the new design here. You can see that Laboratory is the machine that is retiring at the time of recording, so I wanted to get this out here, and the IP address is 10.10.10.216. I have deployed the machine, it's up and running in the range. I've connected to the VPN, and I have already gone through this, so I gotta let you know, I'm not going through it live. I do have the hindsight 20/20 thing, but hopefully we can still showcase some good stuff. So I have a terminal with my Hack The Box little VPN key that I am already connected with, but I do need to make a new directory for laboratory, with an O there.
And let's hop into that, and let's go ahead and take a look at that IP address, which we know is 10.10.10.216. So we get started with an nmap scan, same thing we always do. I'm gonna go ahead and create a directory for nmap so I can save all my things in there, and I will use nmap -sC for default scripts, -sV to enumerate versions, -oN to output in just the nmap format, and I'll call it initial. I will actually tack in a little -v there for verbose, so I can kind of see everything as it comes by, and we'll add in that IP address 10.10.10.216. All right, there we go. Looks like it's gonna get started, and immediately we find some ports: 22, likely for SSH, 443, HTTPS, and 80, default HTTP, like a kind of flat, classic web server here, but it does have HTTPS, which is good to note. So I have some results here, and I'm actually gonna open that up in Sublime Text so it's a little bit more readable. You can see we do have port 22 open, that's SSH. As we mentioned, port 80 is in here, and I would immediately just kind of want to start to run and go look at that web server. Now, I missed something going through this, because I did just that, looked at port 80 and wanted to explore the web service, and I didn't fully read what I probably should have out of this 443. Originally, I actually ran this with RustScan, which was good because I was kind of moving quick, but it didn't end up doing all the same scanning that this command would have done with -sC, -sV, et cetera. So I'm going to avoid that elephant in the room for the moment, just for suspended disbelief, and drive us down the road of looking at just this web page, which is that 10.10.10.216. Now, this redirects us to laboratory.htb, and as we can tell kind of from that nmap scan result, it does redirect us to this specific domain. So we need to add this domain name, laboratory.htb, into our /etc/hosts file. So let me do that real quick.
I'll just use nano, kind of on the command line here, so that way I can trigger all of you Vim fanboys, all your Emacs fanboys, everyone that doesn't use nano: 10.10.10.216, and it is laboratory.htb, dunzo. Okay, so now reaching back to this address here, it brings us and redirects us to HTTPS. Now, this is something that is worth noting, because it has a certificate set up for it, and we should probably do our due diligence and actually go look through that certificate. Hey, what is actually in the mix? What does it do, et cetera? Again, in the moment, that's something that I just sped right past. So we're greeted with Laboratory Security and Development Services, kind of a nice little web page here. Well, Laboratory provides high quality security and development services at a low price point, and there's some boilerplate stuff in here: identity management, secure development, cryptography services. I like the memes in here: we all know great crypto, like ROT13 and Base64. Hey, that's all I know, that's great crypto to me. Threat hunting, cool, red teaming, and everything that I seem to find here is a link back to nothing. We got testimonials from Dexter, from Didi, from anonymous hacking: this guy's a good hacker, but he's also a good coder, it's like magic, you never get that combo. So yeah, like hovering over the blog or the coming soon, hopefully links, or even these socials, they bring us to just an octothorpe, little hashtag, so an internal link that doesn't go anywhere. There's a funny note: hey, if you find a vulnerability in this website, then you're totally lying, we code 100% secure, and I'm sure you can't hack us. If you do, definitely don't let us know. Nice. So yeah, even literally just viewing the source on this, like I hit Ctrl+U on my keyboard, you could right click and view source.
This is all just going into internal stuff, going into static pages and CSS out of the assets folder, using some kind of cheesy, boring JavaScript that should just come from the theme and the display of the webpage itself. These elements that are commented out, this little elements.html or generic.html, maybe these would be links, so I tried to go to them, but that returns a little 404 for us, so that wasn't really all that helpful, and there wasn't anything else really to look through. I went to go take a look at that images folder and that assets folder in case there was anything interesting other than those static files that it might end up serving out, but no, we weren't getting any easy wins for this easy box with our easy smooth brain right now, so that didn't seem to work for us. I was kind of banging my head against the wall here; I would fire up Nikto, I'd fire up GoBuster, and I would do some stuff, but I really should have taken a bit of a better look at this certificate, because if we actually take a look at this thing, I'm pretty sure this will end up telling us, hey, we actually have another subdomain in here. Not only do we have laboratory or laboratory.htb, but you also have an alternative name, git.laboratory.htb. Ah, so that, again, of course, is another domain name that we need to kind of add into our /etc/hosts file, so let me go do that, duplicate that line here, add in that git prefix, cool. And as I mentioned, if we were actually reading the output of what our tools gave us, we would notice that, hey, they actually have that right here in the nmap results: we have a DNS entry here, git.laboratory.htb. So what are we gonna be looking at if I were to go to git.laboratory.htb? Again, another kind of certificate warning, totally cool, let's breeze right by that, but we're greeted with GitLab, GitLab Community Edition, and immediately I'm like, what do I do?
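The lesson above, that the certificate's Subject Alternative Name and the HTTP redirect in the nmap output both point at git.laboratory.htb, is easy to automate so it is not skipped next time. This is an added example, not code from the video, that pulls certificate names and redirect targets out of a saved nmap -sC output file and builds the matching /etc/hosts line; the scan text below is a constructed sample using the hostnames and IP from the box, not the real scan.

```python
import re
from typing import List
from urllib.parse import urlsplit

# Constructed sample of saved `nmap -sC -sV -oN` output. The IP and the
# two hostnames are the ones from the box; the certificate fields are made up.
SAMPLE_NMAP = """\
Nmap scan report for 10.10.10.216
Host is up (0.050s latency).

PORT    STATE SERVICE  VERSION
22/tcp  open  ssh
80/tcp  open  http
|_http-title: Did not follow redirect to https://laboratory.htb/
443/tcp open  ssl/http
| ssl-cert: Subject: commonName=laboratory.htb/organizationName=Example Org/countryName=XX
| Subject Alternative Name: DNS:git.laboratory.htb
| Not valid before: 2020-01-01T00:00:00
|_Not valid after:  2030-01-01T00:00:00
"""

IP_RE = re.compile(r"^Nmap scan report for .*?(\d{1,3}(?:\.\d{1,3}){3})", re.M)
CN_RE = re.compile(r"commonName=([^/\s,]+)")
SAN_RE = re.compile(r"Subject Alternative Name:\s*(.+)")
REDIRECT_RE = re.compile(r"Did not follow redirect to (\S+)")


def _dedup(names: List[str]) -> List[str]:
    """Lower-case, strip trailing dots, and keep first occurrence order."""
    seen, out = set(), []
    for name in names:
        name = name.lower().rstrip(".")
        if name and name not in seen:
            seen.add(name)
            out.append(name)
    return out


def cert_hostnames(nmap_text: str) -> List[str]:
    """Hostnames the TLS certificate claims: the CN first, then each DNS: SAN entry."""
    names = CN_RE.findall(nmap_text)
    for san_list in SAN_RE.findall(nmap_text):
        for entry in san_list.split(","):
            entry = entry.strip()
            if entry.startswith("DNS:"):
                names.append(entry[len("DNS:"):])
    return _dedup(names)


def redirect_hostnames(nmap_text: str) -> List[str]:
    """Hostnames that HTTP services redirect to, from the http-title script output."""
    hosts = []
    for url in REDIRECT_RE.findall(nmap_text):
        host = urlsplit(url).hostname
        if host:
            hosts.append(host)
    return _dedup(hosts)


def hosts_line(nmap_text: str) -> str:
    """Build the /etc/hosts entry: scanned IP followed by every discovered name.

    Wildcard SAN entries (e.g. *.example.htb) are dropped because a hosts
    file cannot express them.
    """
    match = IP_RE.search(nmap_text)
    if not match:
        raise ValueError("no 'Nmap scan report for' line found")
    names = _dedup(redirect_hostnames(nmap_text) + cert_hostnames(nmap_text))
    names = [n for n in names if not n.startswith("*")]
    return f"{match.group(1)} {' '.join(names)}"


if __name__ == "__main__":
    print("certificate names:", cert_hostnames(SAMPLE_NMAP))
    print("redirect targets: ", redirect_hostnames(SAMPLE_NMAP))
    print("hosts line:       ", hosts_line(SAMPLE_NMAP))
```

Point it at the saved `-oN` file instead of the sample to get a line you can append to /etc/hosts.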
I don't know any username or password. I could try the stupid admin/admin, I could try the stupid admin/password, I could try the obvious answer every single time, but that still didn't get me through the door, so I thought, well, can I just register an account? I'm like, yeah, I'll create a test user, test, test@test.com, and the username is already taken, probably because this instance that I went through is still live, so let's just call this John, let's do john@john.com, how about that? john@john.com, and the password minimum length is eight characters, so I just use the password anything. Although there is an error, the email domain is not authorized for signup, which, I mean, I guess makes sense, john.com isn't exactly a thing, but maybe this is kind of a neat little gimmick, they want us to use laboratory.htb, and again, I'll add the password anything, so that will log me in. All right, welcome, you've signed up successfully, super cool, here we are, here we are in GitLab. I don't have any projects. If I were to take a look at whether there were any starred projects, or I can explore projects, and this is actually interesting, we ran into Dexter McPherson, their secure website repository, 100% unhackable HTML and CSS based website. I would take a look at this, and I noticed there was only one commit, so there wasn't a whole lot really to dig through, and it was all these static files that we originally saw when we were looking at the webpage, so that was basically useless. I wanted to check just in case, like just in case they were kind of sneaking anything in, if anything were different between this version, the repository version, and maybe the live production version, but no, it all seemed to me to be the very, very same, and I was cruising through the assets and images directory, but nothing was there. So, okay. At that point, I was starting to think like, all right, we've got a GitLab instance.
It is not uncommon for us, if there is some accessible, like, program solution, whether it's a CMS, whether it's GitLab, whether it's another utility that's known out in the world that's public, to ask: are there any potential CVEs or publicly known vulnerabilities for this thing that could be exploited and could get us a little bit more access? So when we're looking at GitLab, I want to specifically know the version of GitLab that is running. The way you could track this down: hey, we're kind of logged in, thankfully we are authenticated because we can register a user, but hovering over this little question mark here, there is a help dropdown, and that help dropdown will straight up tell us, yo, this is GitLab Community Edition 12.8.1. So I'm like, all right, that's great. Now we know the software name, GitLab, right? And we know the software version number, 12.8.1. So that will help us narrow our search, especially if you are, hey, trying to work on OSCP, if you're trying to work on any certification exam that is testing your ability to look up and find and research vulnerabilities for a specific software; those are the two ingredients that you might really need. Then we can search through Exploit-DB, the exploit database, and see if there are any known vulnerabilities for this sort of thing. I will use searchsploit, which I actually have kind of set up inside of my exploit database repository that I've cloned. And actually, as a good thing to do when you're doing this, try and just pull down, like, update your repository. Same thing goes for running Metasploit with msfconsole. Make sure you run msfupdate before you're gonna fire something off, because if you're doing research and you're looking for new low-hanging fruit, you're looking for a new vulnerability, you're looking for a new exploit you might be able to throw.
Maybe something new has been added, so it's always a good thing to remember: hey, go update searchsploit, go update msfconsole, Metasploit, and do all that. So let's run searchsploit, looking for GitLab, just simply searching for the word, the string GitLab. So I've got some good stuff that immediately pops up: GitLab impersonation, maybe privilege escalation, doesn't have a version attached there; 11.4.7 RCE authenticated, that's a little too old for us, 11.4.7 remote code execution; 12.9.0 arbitrary file read, and 12.9.0 arbitrary file read, I'm assuming that's gonna end up being unauthenticated. I'm zoomed in a little bit too much to showcase that. There we go. And there's a Metasploit module, supposedly. Ah, okay. Well, let's take a look at some of these, because the 12.9.0 is interesting to me, because we're at 12.8.1. Now, there is no guarantee when we make this logical conclusion that a version number that is higher is known to be exploitable. Maybe that vulnerable code was only introduced in that specific version. So maybe it's specific to just that 12.9. But there is the case, hey, maybe that code existed before, it wasn't patched until this version. So maybe, potentially, this could read GitLab less than 12.9.0. So anyway, let's go ahead and take a look at what this thing is. There is an explanation with a .txt file, and there is a 49076.py file, and there's a Metasploit module, so maybe that would be worthwhile to look at. But first, let's play with this code here to kind of get an understanding as to what this exploit does and how it works. So I will hop back over to my directory for this guy, and I'll make a directory, exploit, I guess, and I'll use searchsploit -m to mirror that, or bring that file in here. There we go. Now it's present in this directory, and again, I'll use Sublime Text to open this up. Exploit title, everything we've already read. Google Dork, back in 2020. Version tested on GitLab version 12.9.0.
You can create as many personal access tokens as you'd like from your GitLab profile: sign in to GitLab, in the upper right corner, clicking on it. Okay, do we need to create a token for this to work? I guess so. Oh, you install gitlab and requests. gitlab's like a little API tool. Oh, it would specify a cert here with the session object that's created from requests, or you could set session verify to False. Let's do that, because I don't actually have a copy of the cert. And then it runs exploit, a little function. Do we have to supply the host? It doesn't look like it takes any arguments. What do I do with this? exploit takes in a project name, issue title, files and tokens, and it creates an issue. No, creates a project, creates two projects and an issue, and moves it. Okay. Then the main function, we have write files with sensitive files. That's opening it out locally on my machine. It calls exploit. The token isn't even passed in. It doesn't pass in the token that's needed. I'm assuming that's needed. What is this script? Does this work? Oh, gosh. Is there something weird going on? What's up with these spaces that aren't spaces? Some of those just straight up aren't spaces. Let's replace all those with a space. Indentation. Oh, God. These things have extra spaces now. How about that? No module named gitlab. Oh, my gosh. pip has kind of been weirdly slow for me when it's trying to download stuff. I don't know why. I'm gonna pause the recording just to see if I can let that thing go. All right, gitlab is here. We made it. We installed gitlab with pip. Now let's run this again, and it doesn't have that sensitive files. What is that supposed to be? Like, is that supposed to be something that I want to read? exploit is missing the token. Yeah. I don't get this script. I'll be honest. I'm not exactly positive how this is kind of supposed to work through it all. And I don't want to end up creating a GitLab token. I mean, I will if I'm supposed to, but like...
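The "spaces that aren't spaces" that broke the indentation above are a common hazard with code copied off a web page: no-break spaces and zero-width characters look blank but Python's tokenizer rejects them. As an added example, not from the video or from the Exploit-DB script, here is a small checker that reports every such character by line and column, normalizes them, and shows the file going from not compiling to compiling; the sample source is constructed.

```python
import unicodedata
from typing import List, Tuple

ASCII_WHITESPACE = set(" \t\n\r\x0b\x0c")
# Zero-width code points: invisible, not whitespace to Python, and they
# break indentation and identifiers just the same as a look-alike space.
ZERO_WIDTH = {"\u200b", "\u200c", "\u200d", "\u2060", "\ufeff"}

# Constructed sample: the body of exploit() is indented with U+00A0
# (NO-BREAK SPACE) instead of real spaces, and a zero-width space trails
# the last line, which is how pasted code often arrives.
SAMPLE_SOURCE = (
    "def exploit():\n"
    "\u00a0\u00a0\u00a0\u00a0return 'ok'\n"
    "\n"
    "print(exploit())\u200b\n"
)


def is_suspect(ch: str) -> bool:
    """True for characters that look blank but are not ASCII whitespace."""
    if ch in ASCII_WHITESPACE:
        return False
    return ch.isspace() or ch in ZERO_WIDTH


def find_odd_whitespace(source: str) -> List[Tuple[int, int, str, str]]:
    """Return (line, column, code point, Unicode name) for each suspect character.

    Lines are split on "\\n" only, so exotic separators are reported, not hidden.
    """
    hits = []
    for lineno, line in enumerate(source.split("\n"), start=1):
        for col, ch in enumerate(line, start=1):
            if is_suspect(ch):
                hits.append((lineno, col, f"U+{ord(ch):04X}",
                             unicodedata.name(ch, "UNKNOWN")))
    return hits


def normalize_whitespace(source: str) -> str:
    """Replace look-alike spaces with U+0020 and drop zero-width characters."""
    out = []
    for ch in source:
        if ch in ZERO_WIDTH:
            continue
        out.append(" " if is_suspect(ch) else ch)
    return "".join(out)


def compiles(source: str) -> bool:
    """Does the source parse as Python? Used to show the before/after effect."""
    try:
        compile(source, "<pasted>", "exec")
        return True
    except SyntaxError:  # IndentationError is a subclass, so it is caught too
        return False


if __name__ == "__main__":
    for line, col, cp, name in find_odd_whitespace(SAMPLE_SOURCE):
        print(f"line {line} col {col}: {cp} {name}")
    print("original compiles:  ", compiles(SAMPLE_SOURCE))
    print("normalized compiles:", compiles(normalize_whitespace(SAMPLE_SOURCE)))
```

Run it over the downloaded script (read the file with encoding="utf-8") before editing by hand, so you fix every hidden character rather than the ones the editor happens to render oddly.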
How does this work? How does this... what is the CVE for this thing? Is there a CVE for this thing? Is there more research and reading that I can do? Let's Google this. Exploit-DB, Exploit-DB. Here's a little Facebook entry. This is a link back to Facebook. I don't know if I want to go to that one. What does this showcase? Ah, get out of here. Never mind, never mind. We're not going to Facebook. This is the very same one that we just pulled down. Yep, from Exploit-DB. This one has a lot more to it. It logs in with our username and password, grabs the CSRF token. Yeah, yeah. Maybe that one will be worthwhile. What's this GitHub one? GitHub, oh. Oh, they tested it on our exact same version, GitLab 12.8.1. In a recent engagement, I found a GitLab instance on the target. The proof of concept on Exploit-DB uses LDAP for authentication, which was disabled in this case. So I created this Python script, which is authenticating using the web GUI: two projects, an issue in one of the projects with the malicious payload; it moves the issue from one project to another and automatically reads the file contents. Ah, oh, this is kind of nice. It asks for the absolute path that you want to read, it will write it, okay, nice. Let's play with this, then. Yeah, let's use this. I'm just gonna open this up in raw and slap this into, like, a little exploit.py. Okay. Reading through this, because I don't want the internet to get mad at me for just blatantly running code that I ripped off the internet without reading it. Doesn't look like it's gonna delete any files. So obviously totally safe. I'm just kidding. I'm only half kidding. Let's go ahead and run this. Python, no, no, no, let's run python3 exploit.py with the URL, username and password. Okay. So we need https://git.laboratory.htb, john, and the password is anything. Yeah, yeah. Okay, logged in. Nice. Absolute path to file. Let's see if we can get... can we get /etc/passwd?
Well, is this gonna be like local file inclusion and read out /etc/passwd? It did the thing. So root user, of course. I'm looking for users that are, like, non-standard, or would have a user ID, like a UID over a thousand, because those are probably going to be a regular user. Maybe they have SSH keys or something that I could read, but I don't see any of those. Just GitLab, GitLab, GitLab, GitLab stuff. 996. None of those would likely have a... these have, like, these have a shell, /bin/sh, but their home directory I doubt would actually have, like, an SSH key installed. Let's try it again. Let's try and get, like, their home directory .ssh/id_rsa. Nope. Am I, like, for whatever reason, running as root? Can I just read /etc/shadow? Probably not. No, access denied. Okay, so that's not exactly helpful. Okay. What do I do with this, then? I have local file inclusion. Could we, like, look at logs? I would wanna do, like, a log poisoning or, like, a cache log poisoning thing, but it's not gonna end up running or evaluating that code. How could we take this local file inclusion and bring it to RCE, remote code execution? Do they talk about anything else, like, in this post? What did you do for your engagement, thewhiteh4t? What you got here? Dependencies, usage. Are there any examples? No, just credits. Thank you to vakzz for finding this bug in GitLab. Pretty sure I've seen vakzz in, like, the OpenToAll CTF team. The HackerOne report. Oh, cool. Oh, cool. I like the legit disclosure. It was, like, the legitimate finding back on HackerOne. That's kind of slick. $20,000, okay, boys. What are we doing? What are we doing on YouTube? I need to jump on this bug bounty bandwagon. UploadsRewriter is the issue, allowing arbitrary files to be copied. What a cool bug. There's a video showcasing this file read. Let's check this out. This is just a proof of concept for, like, reading the file, though, isn't it? Yeah, he moves it to another project.
My face is in the way. I'm very sorry. He just moved it to a different project. And then there's the attachment for passwd, which, if you were to open it up, is /etc/passwd. Slick. Okay. He did it. And et cetera, et cetera, et cetera. GitLab's like, thanks, thanks for submitting this. Yep. Nice. That's awesome. It's also possible to turn this into RCE, as the cookie serializer is set to hybrid by default. This can be done by first grabbing the secret_key_base from /opt/gitlab/embedded/service/gitlab-rails/config/secrets.yml, and then using arbitrary file read... no, using the arbitrary file read, read from this file, right? And then use the experimentation_subject_id cookie with a Marshal payload. The payload can be generated by changing your own GitLab instance's secret_key_base to match, then running the following in a Rails console. There's all this code here. Okay. And then there's a little inject as to what commands you want to run. You just send it with curl. That's slick. It's executed. Okay. Well, let's get that secrets file. Let's run that exploit again. Let's pass in this /opt/gitlab/embedded/service/gitlab-rails/config/secrets.yml. Pull that down. Okay. Get a lot of stuff. Looks like a private key. Okay. That's for OpenID Connect signing keys. That's not going to be, like, an SSH key. Let's copy all that and just save it out, because the secret_key_base is present here. Nice. Let's take note of that. Let's do a secrets.yml. What's that called? Secrets, secrets with an S, plural. Slap that in, and we have our secret_key_base. So that should be something we should keep in mind. Okay. Now we would need to marshal this, set up this payload. This can be done first by grabbing the secret_key_base. So this says I need my own GitLab instance. Can I get, like, a GitLab in Docker? GitLab 12.8.1 Community CE in Docker. That's a thing. Yeah. GitLab, gitlab-ce. I mean, okay, it does it. How do I use it? It's a thing that exists.
Is there anything that, like, showcases this? What do we Google? We Googled for GitLab arbitrary file read. Let's bring it to RCE. Wait, an actor has something. Rapid7 has something. Oh, is this the Metasploit thing? Is this what this Metasploit module would do? Let me just experiment real quick. Let me just see if the Metasploit module will work for us. So let me do that msfupdate, please. Walk the talk. Talk the... how do you say the... not just talk the talk, but really walk the walk as to what I'm saying here. Let that run with msfupdate, and then let's see what else we can get. Vimeo, oh, there's a video on this thing. Video hacks. I don't think there's any issues with me playing this. So let's, let's go do it. Let's see what he does. I think... wait, wait, wait. Oh, he set up, he set up a Docker thing. This is super hard to read, and I don't know if you can actually see it. docker run --rm -d --hostname gitlab, and they're using that specific version. Let's... can I steal that? Can I grab that syntax? I should have created, like, a README file. I know I would never use it, but it's just for, like, the novelty. Syntax: docker run --rm -d --hostname gitlab; they use vh, I'll use, like, jh for John. Ports: 443:443, 80:80, so it's mapping the Docker container ports to my local machine host and the ports that I can actually access, and 22:22 to access SSH. The name of the container can be gitlab, and then it should be gitlab/gitlab-ce:12... and this is just the image name that we just saw on that Docker Hub when we were Googling. So gitlab-ce:12.8.1, whoa, 12.8.1-ce.0? Is that a thing? Is that right? Does that work? Let's see if I can do it. Is something going wrong with Metasploit? Maybe we don't need it. Well, let's put that away. Well, let Metasploit do its thing, and I'll see if we can get this Docker thing to work for us. It doesn't actually have that image, so, right? So it's gonna pull it down, totally fine.
It's gonna take a little bit, and GitLab is usually slow, I think. I just wanna check this video. So they start recording this at 11:17, and then they start their Docker instance, and then they go back to the webpage at 11:23, I thought I saw for a second there. Yeah, 11:23, and then 11:35 is when they can finally refresh it and actually interact with this GitLab instance. So that's gonna be waiting for a while. They log in, they create this account, they have the other repo so they can do the proof of concept to read local files. Yep, okay, I see them with /etc/passwd, and then they pulled out the secrets file. Okay, so they get their secret_key_base, and then they jump into the container, docker exec -ti, -it gitlab /bin/bash, load it up with gitlab-rails console. And okay, okay, and then they can mess with it. But they don't need... they haven't changed the secret_key_base on their instance, because they're just testing it on their instance. But they are running the exact same commands that we saw in that original disclosure. So, okay, can we do that exact same thing? Docker is still pulling it down. There we go, now we have it. Is that actually running? I see GitLab, I'm zoomed in way too much here, I'm sorry. docker ps, gitlab is running with gitlab, okay. So let's see if I can get into this. /bin/bash should be at the very end, and gitlab, the container, should be what we wanted to. Okay, cool, so now I'm in that container. Can I see... I wanna give this a little bit, I wanna give this a little bit to set up, because it might be still building. I wanna see if the secrets file has kind of been generated or created already. HackerOne, I'm way too zoomed in. Let's grab this secrets file and let's actually slap this in our new README so we can refer to it later. Does this file exist? It does, okay, but it's going to be different because this is our local instance.
This is our own kind of clone and our dummy test thing to see if we can marshal some of the data, but we might need to actually configure the secret_key_base. How do I do that? Set the secret_key_base, GitLab Community. Just Googling around, application secrets. Secrets, where secrets are stored? Omnibus, /etc/gitlab/gitlab-secrets.json. Is that a thing? I just see this file path here, and part of me is wondering if that is kind of what I need or not. Let's grab that. Because so I could just sort of nano the secrets.yml file, like I could edit this manually, but it does give us this warning: hey, this file is managed by gitlab-ctl. Manual changes will be erased. To change the contents below, edit /etc/gitlab/gitlab.rb and run sudo gitlab-ctl reconfigure. So I don't know if it'll stick the way that it should. So let's nano that secrets.json, and, okay, I see gitlab_rails is here with that same sort of config, but we need to grab the secret_key_base that's present on the target. So I'm gonna nerf this, paste that in, replace it with kind of the target's secret_key_base, and then let's try and run that gitlab-ctl reconfigure command that they suggested. Let's see if this comes together. It's slow. I can't tell if it's still, like, setting up the instance and everything. Gosh. All right, I'm gonna wait on this. I'm gonna let this go. And let's see, did Metasploit actually come back at all? It just died, whatever. See, Metasploit, what? Excuse me? Oh hey, our reconfigure is working down there. Can I run msfconsole, please? What? What if I sudo this thing? I know it's weird to, like, run... Okay, I broke Metasploit, that's fine. I can deal with that later, I suppose. GitLab has reconfigured that on our Docker instance, though, so let's see what we got. Now I want to check out the secrets file. It has not been changed, because our secret_key_base is different. Did I do that wrong? Did I... oh, I don't have less. I'm in the Docker container, right?
Yeah, that's still not, that's still not right. What happened to our JSON file? Let me nano that. Is it the right...? That's not... What happened? I'm going to reconfigure all of these just to be safe about it, or just to be, like, kind of anal about this thing. So the db_key_base, we can change. Slapping that in. The otp_key_base, let's slap that in. Oh, shoot, I did not include... I did not get in the middle of my string quotes. And now we need to actually get that private key in here. Oh, that's going to be a pain, because it has newlines and it's all kind of jotted into one line. Actually, we might be able to do that with some Sublime Text magic. I'm going to take this entry and then bring it into its own document, dedent it here, and let's have Python just create this as a multi-line string. Yeah. So now, viewing that out, and it's kind of like raw mode returning it out, it has the newline characters in here all for me. So I can copy that, and that's done. Easy peasy, all right. So theoretically that will work. Let me make a copy of that just to verify. What did I just edit? I just edited the JSON file. So let's copy that into, like, /tmp/ours.json, and let's run that reconfigure, I suppose, hopefully, maybe. If not, we can just kind of try it and see if we get anything, just to validate, like, that the RCE or the command code would work. But we'll see, we'll see if this works. Reconfigured, now let's check out our YAML. That looks perfect. Okay, great. The three-two-three is kind of what I wanted to see. So that video ran this in gitlab-rails console, right? See if this ever comes back. But we have the syntax for what we should run here, in this right here. Okay, I could put this in our README again, but gitlab-rails console is taking a sweet time. Spooked. We have to keep in mind, though, we're likely on the target running inside of a Docker container, because we didn't have any users in there when we looked at /etc/passwd.
And if we're in a Docker container, we're probably in something that is just like this Docker container, which means that we probably don't have, like, netcat or ping or Python. So we know we're gonna have Ruby, right? Because GitLab Rails... Ruby, I mean, Rails is gonna end up being written in Ruby. So maybe, yeah, we're literally in a Ruby interpreter. So maybe we could try, like, a Ruby reverse shell. Now I'll add the disclaimer: this is where I was tripping over myself repeatedly, because I wasn't thinking. And that is when I would try to ping, I would try to netcat, and I wouldn't get a callback. But then later, when I did something else, I ended up simply noticing and seeing the error messages like, hey, that command is not found. It's not actually retrieving anything. It's not able to execute that. So Ruby, I think, would work. And Ruby, I think, did work. So I'm gonna use the "no sh" one, so we aren't depending on a... I should really put this in the stinking... Actually, I can just throw it in here, can't I? But I need to make sure that these double quotes are escaped out, because this isn't a string on its own. Double quotes, let's double quote that, or escape that, escape that. There's an if with a string there. And also remove or escape out the double quotes on "failed". Yeah, okay. I need to know my IP address, though. Let's get out of this one. And I am 14.25. So, slap that in. Cool. And rather than this little proof of concept, let's see if that will actually execute for us. Let's set up a listener in netcat: nc -lnvp 9001. And I'm going to be kind of anal about this and just copy these commands in one by one, just to see what happens, just to kind of know what goes down. So, in the GitLab console, let's grab the request object, request environment, check out the cookies. And now let's add in this whole long line to create our Ruby command, set as a string or little object, and then define it. Oh, and that actually gets a connection, okay, from our testing thing.
Oh, okay, that's a shell. Let's set up a shell. Then let's try with the cookie. It tries to run it again, but it gets that connection refused because I'm not listening. I wanted to see what this cookie looks like, which is this output. Okay, so now, if I were to listen and take this whole cookie, we could use that in the exact same kind of syntax and structure that they use with this curl command. Let's copy that. And we need to change the location that this is going to, because it's not gonna go to a local GitLab VM; it's going to go to git.laboratory.htb, and let's add -k to ignore that certificate. Let's grab this whole syntax to replace it with that big value. And let's see, going back to our terminal, I am listening over here. Now let's try and run that curl command just by slapping it in. We get a connection, and commands work. Okay, okay, awesome. This is not a full shell. This would not play well with pwncat, because it's, like, this weird sub-shell thing out of Ruby. We could try and stabilize this, but I don't think we have Python. We don't have script. Oh, do we have script? But right now we're in, like, the sub-command of Ruby, which is really weird and messy. What do we have here? I'm gonna look around. This is the Docker... this is the Docker environment. That's super annoying. What else can we do, then? We could try and break out of this Docker environment. We could try and get, like, deepce in here, but there's not gonna be anything at home. There's not gonna be anything really worthwhile in this. We could try and break out of the Docker container. We might be able to... oh, but I mean, since this is Git, maybe there's something more in that Dexter account. Like, when we were looking at the other projects in this GitLab, Dexter has his thing. Maybe we could get into Dexter's account. Is there a way to do that? Like, we could probably track it down or find the secrets in here within the Docker instance. "GitLab, change a user's password."
That's really not gonna come up with anything useful. Can I... are there any secrets that would come out of this arbitrary file read that allow us to do that? We Google this one more time, and then maybe, like, "change password". Exploiting CVE... the CVE that we saw for a default GitLab installation, there were a couple of such files... is the, what did... yeah. I guess we don't know the username of that Dexter or that admin account supposedly, but this is showcasing the same thing that we've used thus far. Oh, but that does have a section on changing users' passwords. They use python-gitlab, okay, and that's how they do the same thing originally, the same vulnerability, but production.log, production.log, what is production.log? That's new. Is there a full path for that? Where are they getting production.log? production.log, oh, GitLab Rails. Okay: "The production.log file contains the reset password token values that are generated as a result of requesting a password change for a registered user. These values can be used to drop a user's password." Ooh, okay, so can I read that? Let's go back to run our exploit scripts. Oh, dang it: https, git.laboratory.htb, John, anything, go. Great, let's paste in that path to the production.log, and it gets a lot of stuff. Okay, so, now what? You could try and reset a built-in admin's password if it's left default, admin@example.com. Is that genuinely the default? "Next I'll trigger a password reset for discovered users via the /users/password/new endpoint." Is that a thing? Let's go back to the Git here. /users/password/new? I'm already signed in. Do I have to sign out to be able to do that? /users/password/new. Okay, and then the email, we can try to see if we can reset the password for the default, but maybe default admin password, yeah. Okay. Okay. So, after doing that, according to this thing, "Next you can download production.log to extract that reset password token value." Ooh, okay, so let me try that again.
Oh shoot, I lost the production value. I lost that little file path. Slap that in. Now we have a ton of stuff. Okay, so again, just gonna copy and paste all this. We could probably patch this thing, like, modify the script to actually give us something that, you know, we'll just write to a file. There's a lot of output here. I will add the disclaimer: this instance is still running from when I was kind of messing with this previously and trying this kind of on my own. So you can see my attempts to run ping with that command injection vulnerability, for the RCE that we had just done, or my attempts to run netcat. And I think even in here will be the old reset password tokens. So I need to be cognizant. And we always wanna be looking for that last reset password token, because if that's triggered from us just making that request like we just did, then it's going to end up being... hey, something that... okay, how much is thinking? It's gonna end up being the most recent one that we ran, right? So this is, like, from the very, very top. Oh shoot, I jumped out of my VM for a second. Let's make this thing. And this is gonna be humongous, and this is actually probably running it twice. But let's look for that reset token, reset_password_token. What was that thing called? reset_password_token. reset_password_token... those are all filtered. Let me go to the very, very last one. Filtered, filtered, filtered, filtered. Oh no, is it actually filtered? Are we not gonna be able to see it? What the heck? What the heck? What are they tracking down? What do they get? Reset password instructions. Reset... I'm just looking at their reset password instructions. Let's go to the very, very last one. And now this, I'm assuming, is gonna be the key for us, so that we could use it to change their password, yeah? So after we have that, then we can go to /users/password/edit with that token. That's just stored in the logs. So let's grab that: git.laboratory.htb /users/password/edit with that token.
Let's see if we can actually hit that, and we can. Okay, okay, so let's change our new password. I will make that password "dope". "Your password has been changed successfully." Okay, so if we were to sign in as admin@example.com, because it will take an email, now our password is "password"... can we log in? Yes, all right. Okay, so we have the secure website that we saw previously, and we have SecureDocker: "Confidential secure Docker config for home server. Also some personal stuff. I'll figure that out later." Personal stuff, ooh, there's a dexter folder. .ssh, okay, okay, there's a private key in here. There's a private key in here. We can work with this. Let's copy this entire thing. And this... the username is likely dexter, right? Hey, get out of here, get out of here, exploit. Let's make a directory ssh, subl dexter_id_rsa, slap that in. Make sure the newline is there, which it is, good. Let's make that 600 for permissions, so that way it's actually going to play nicely when we try to use it with SSH. dexter is likely the username, as we can kind of indicate from seeing that either on the website or in that folder in the repository. laboratory.htb. Always got to remember that. Oh, we're in, we're in. We made it, we got user.txt, boom. Okay, user.txt, we could submit that. This is now a retired room, hopefully. Retired machine for us here. But now what do we do? Now we want to privesc. dexter is seemingly the only user. lxd is in here. root is the only user. Do I have any sudo permissions? We don't know his password, damn it. Okay. Any weird files? Something in /opt/containerd. Not allowed to look in it. Okay, it's owned by root. How about in the root of the file system? Not in a Docker container. We don't have the .dockerenv file, but we could be, like, running LinPEAS or something, or use pwncat if we wanted to. You could actually connect to this SSH with pwncat. Let's look for some setuid binaries, I guess.
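The password-reset step above works because the reset URL, token included, ends up in production.log even though the reset_password_token *parameter* is filtered. From the defender's side the useful check is to scan that log for unfiltered tokens (and to redact them before the log is shipped anywhere). The following is an added example, not code from the video or from GitLab; the sample log is constructed in the shape of Rails request and mailer logging, with made-up hosts, times and token values, and the regexes are mine.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample resembling production.log around two reset requests. "[FILTERED]" is
# what Rails parameter filtering writes; the mailed URL is what filtering does not cover.
SAMPLE_LOG = """\
Started POST "/users/password" for 10.10.14.25 at 2021-04-17 12:00:01 +0000
Processing by PasswordsController#create as HTML
  Parameters: {"authenticity_token"=>"[FILTERED]", "user"=>{"email"=>"admin@example.com"}}
Sent mail to admin@example.com (12.3ms)
Subject: Reset password instructions
https://git.laboratory.htb/users/password/edit?reset_password_token=CONSTRUCTED-TOKEN-ONE
Completed 302 Found in 40ms (ActiveRecord: 3.1ms)
Started PUT "/users/password" for 10.10.14.25 at 2021-04-17 12:05:00 +0000
  Parameters: {"user"=>{"reset_password_token"=>"[FILTERED]", "password"=>"[FILTERED]"}}
Sent mail to admin@example.com (11.8ms)
Subject: Reset password instructions
https://git.laboratory.htb/users/password/edit?reset_password_token=CONSTRUCTED-TOKEN-TWO
"""

# Matches the token only in URL form; the filtered "=>"[FILTERED]" parameter form does not match.
TOKEN_RE = re.compile(r"reset_password_token=([A-Za-z0-9_-]+)")
MAIL_RE = re.compile(r"Sent mail to (\S+)")


def leaked_reset_tokens(log_text: str) -> List[str]:
    """Every unfiltered token value, in log order (the last one is the currently valid one)."""
    return TOKEN_RE.findall(log_text)


def latest_reset_token(log_text: str) -> Optional[str]:
    """The most recently logged token, which is the one an attacker would try first."""
    tokens = leaked_reset_tokens(log_text)
    return tokens[-1] if tokens else None


def reset_events(log_text: str) -> List[Tuple[Optional[str], str]]:
    """Pair each leaked token with the recipient of the preceding 'Sent mail to' line."""
    events: List[Tuple[Optional[str], str]] = []
    recipient: Optional[str] = None
    for line in log_text.splitlines():
        mail = MAIL_RE.match(line)
        if mail:
            recipient = mail.group(1)
            continue
        token = TOKEN_RE.search(line)
        if token:
            events.append((recipient, token.group(1)))
    return events


def redact_reset_tokens(log_text: str) -> str:
    """Rewrite the log so shipped copies no longer carry live reset tokens."""
    return TOKEN_RE.sub("reset_password_token=[REDACTED]", log_text)


if __name__ == "__main__":
    for who, tok in reset_events(SAMPLE_LOG):
        print(f"reset token for {who} leaked in log: {tok}")
    print(redact_reset_tokens(SAMPLE_LOG))
```

Run it against a real production.log and any hit means the file must be treated as a credential store: an arbitrary file read on the host is then an account takeover, not just information disclosure, which is exactly the chain the walkthrough follows.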
Do that kind of manually before we pull out the big guns. There's a lot of snap in here. ssh-keygen is kind of normal. I think we see that a lot. polkit-agent-helper, also the D-Bus helper, snap-confine. passwd is normal, mount is normal. at is sometimes normal. /usr/local/bin/docker-security? What the heck is that? That, I don't think that's a normal thing. That's not a command, though. That's not normally, like, a utility. There was, like, a straight-up... there was a straight-up, like, privilege escalation, Google quote, maybe that's a thing. So we could run LinPEAS, we could run LinEnum, we could run any other automated script to detect stuff. And truthfully, I had. Like, in the moment, I was trying to understand, okay, am I needing to get some other access within or without the Docker container? Because we did have access to that Docker container. I saw lxd was in here. Is my group... am I in a group that allows me to do anything? No, I'm not in the lxc or docker groups or anything. Like, Docker: permission denied. We could upload our own, but it was still kind of an error. There wasn't a ton. So I did eventually come to the thought, like, oh, I should try and run, like, pspy, because I wonder what's going on. Like, when I was doing some of my enumeration, let me get back on the box here, I would check out ps aux to see what processes are running, or I would use netstat -peanut to see. No, netstat is not installed. So you could use, like, ss -l or whatever, but I saw a weird sleep thing being run by lxd. And the containerd that we found in /opt was just kind of odd. Looks like a non-standard containerd thing. There's our reverse shell. So I was wondering if there's anything else going on, because what is running sleep? Like, root is running sleep. Why? That makes me want to see what's happening on this file system. Do I actually still have pspy, pspy, pspy, pspy? I don't, crap. All right, let's go get pspy. pspy64, please. Go, go, go. Let's do it. Download. Save.
Let's get into /opt. Move that pspy64 from my Downloads here. Good. I'm gonna run Updog, just to spin it up. If you haven't heard of Updog, it's really nice. It's essentially... God dang it. What is Updog? And now we get into the meme and the joke. Updog on GitHub is a replacement for Python's SimpleHTTPServer. So if I were to try and go ahead and access this, like, localhost, I think you put it on 9090, pretty sure. "It allows uploading and downloading via HTTP and HTTPS, can set ad hoc SSL certificates." So it's just a really handy up-and-down, like, file transfer thing. Yeah, yeah, yeah, see, check it out. It's like Python's SimpleHTTPServer, but much better. So now we can hop over to /dev/shm. I like to work out of shared memory. Let's wget... do we have wget in this? I mean, we're on an actual machine now, so we should. 10.10... my face is in the way... 14.25:9090. Let's get pspy64. Download that. Oh, and actually everything's still in here from, again, me doing this earlier. I'm sorry. I'm truly sorry. Let's run pspy. Let's see what we got. You can see sleep 1 is happening out here, and there's a pgrep -fl unicorn, but those are all that 998. And that was one of the git values. I did notice CMD: UID=0, where it's trying to do something as root. And we'll see these every now and again, but a ton, a ton of sleep zeros... excuse me, sleep 1. And I'm assuming this root might be coming from the container itself, like this root command, because we would still probably have visibility, right, on the Docker container in the instance there. But that's that, I guess. We can let that run. We can let that keep cruising. I'll zoom out on that to see if anything worthwhile comes by, and let's actually get another shell going. Sorry, my terminal just gets extremely messy as I do these things. Where did I put Dexter's SSH key... using that ssh directory? ssh -i... I'll check it over in that other terminal. You can see that the container is still doing weird things.
ssh -i /home/john/.ssh/id_rsa... no, no, not my RSA key. I'm dumb. I was just reading and my mind kind of went blank there. dexter@lobotomy... dexter@laboratory.htb. There we go, we're logged in. Okay, you can see me logged in. Sorry. Maybe we should tune back to that setuid binary. We had LinPEAS, right? So let's go ahead and run LinPEAS. And again, you could use Updog or any of those methods that we had, maybe netcat files back and forth, or any other file transfer thing to actually get that onto this box. That's kind of what I had done previously, and that's how I have a few of these in here. So I will clean up my tracks, but let's run LinPEAS. I actually use a modified version of LinPEAS that doesn't check if there's an internet connection, because it just hangs, because we know these Hack The Box machines don't have internet access. So let's try and let that one go. Oh, pspy is gonna light up. Whoops. Whoops. See how this thing goes. See if it tracks anything down. LinPEAS is great because it has that legend and that key that lets you know what could be very, very worthwhile to take a look at, highlighted in red, or bright red on yellow. We don't actually have a ton in here. There's a boot file system set up along with our actual hard, like, slash. We have Python 3, we have netcat; we're on the actual machine here now. But anyway, nothing egregiously sticks out, truth be told, to get that privilege escalation, to get in as the root user. But it's checking out service files, installed files. This is kind of something that I just tend to do, is, like, stare repeatedly at the... I don't know what snap is doing, what these system files are doing. Something that I tend to do is repeatedly drown myself in the LinPEAS or LinEnum output and just keep rereading it. If I'm banging my head against the wall, if I don't know where I'm going next, I will just kind of keep looking. Is there anything here that's weird? Is there anything here that is likely there for a reason?
So, something that I always take a look at. I'll let this go for just a little bit more, but I don't want to drag this on any more than I kind of already have, because I know we're kind of getting to the end of our attention span. End of my attention span, that's for sure. Nothing sticks out, nothing is immediately noticeable. When we get to the setuid binaries, though, they do a good job, right? Because it's LinPEAS, of showcasing the stuff that does stick out, but you can't rely solely on that. And that's kind of why I did that manual find -perm -4000, to look for these setuid binaries without that color coding, because with the color coding, all we're looking for, all we're trained to look for, is, like, the stuff that's bright red, or the stuff that's going to jump out at us. But I will quit beating around the bush; I will kind of bring it home. That /usr/local/bin/docker-security file that looked really weird is really weird. And it's non-standard. I don't think I've ever seen a docker-security binary. Maybe you have; if you have, please let me know in the comments if that's, like, a normal thing that's just trying to latch onto, but it just doesn't. So let's go actually stop... let's stop LinPEAS and let's take a look at what this docker-security thing is. We know it's a setuid binary, because that's how we found it, but it's owned by root. So it's weird, and maybe we could abuse this thing. Maybe we could take advantage of it. Can we strings that? Oh, we don't have strings. Well, we could download this thing if we really wanted to. I would actually recommend you do that, if you were connecting with pwncat or something, or you had an easy means to download. We could use Updog again, just like curl, posting it to it, to get it onto our own analyzing and attacker machine. But we can also just kind of, like, gross-cat the binary out.
And it will kind of still do the same thing for us. We'll have a lot of non-printable characters, but we will end up seeing some potential worthwhile strings in here. Some weird ones that I noticed were this chmod 700 /usr/bin/docker and chmod 660 /var/run/docker. Part of me wonders, is it just running those commands? Because if it is, maybe we could take advantage of that. Maybe we could latch onto that, if this is a setuid binary. /usr/bin/docker has its own full absolute path here, but chmod is not being run with an absolute path here. So maybe we could do some path hijacking with, like, our own PATH variable. So I'll echo out the $PATH here. And none of those... sorry, well, have an extreme... okay, we know we're close to the end of the video, guys, where I keep clicking everything at random. We don't have anything that might indicate, okay, chmod is gonna run otherwise. We can kind of get in the way of it. We can get in the middle of this and have the system, have the program, once we were to run this /usr/local/bin/docker-security, we can have that execute our own kind of poisoned, masquerading version of chmod rather than the real chmod command. That's kind of the idea behind it. Do I have that actually anywhere? Did I leave a chmod in /dev/shm? And I was just being an idiot. I did. Production-quality professionalism, you guys know me. So if I were to do this in /tmp now, let's create our own chmod. And I'll just make this a script. I'll make it super dumb and super simple. It'll just run bash, maintaining, like, the setuid bit: bash -p, that's all I want. That's all I need for me. So I will mark this as an executable file. So now, when I run it, I'm in a sub-shell of bash, but because I don't have a setuid bit set, that -p argument isn't gonna do anything. So I'll exit out of this, and I'm just back to my original shell. I was in a sub-shell for that very single line.
But if I were to now say, okay, let's set my PATH to the temporary directory with the value of PATH just following it, and then I would try and run chmod, that command has the context following it. Okay, now we're going to run the chmod out of /tmp rather than the original chmod out of /usr/bin, or wherever that actual binary is genuinely stored. So with that, we can go ahead and use that /usr/local/bin/docker-security, and it will run our chmod that will maintain that setuid bit, that -p argument we're passing to bash, and invoke bash as root, because we've kept that setuid privilege. So now, obviously, we're root, and that's that. A lot of time I spent kind of banging my head against the wall on this one; I think the lesson learned was just really looking through that list. And as I mentioned, sometimes we kind of get caught up in LinPEAS, because it shows us all that nice color coding and we get distracted, and all we care about is looking for that. Don't forget about those ones, and maybe even looking manually can still, I don't know, ground you to look at some of the oddballs that just don't always fit. So there we go. We've rooted the box, and that is the end of Laboratory from Hack The Box, or Laboratory... don't forget that. Oh, so I don't know. That was the first time I did some of that cool stuff with GitLab. I think it's incredible to see this vulnerability and kind of leveraging that local file inclusion technique to get your remote code execution. This was very cool. I didn't originally get this to work, and I was trying with the Metasploit version. The Metasploit version wasn't working. Once I finally got that Ruby reverse shell and figured out how to do that, I thought that was kind of neat. So that's definitely some good notes for me to take into account and to see later on.
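The root cause of the privilege escalation above is a setuid-root helper that invokes chmod by bare name, so the caller's PATH decides which chmod runs. The manual find -perm -4000 sweep catches the binary; the check below is the next step a reviewer or auditor would want: pull the printable strings out of each setuid binary (the same thing the cat-the-binary trick did by eye) and flag any command-looking string that names a common tool without an absolute path. This is an added example, not code from the video or from the machine; the FAKE_HELPER bytes are a constructed stand-in for the docker-security binary, and the WATCHED tool list is my choice.

```python
import os
import re
import stat
import tempfile
from typing import Dict, List

# Tools a privileged helper commonly shells out to; a bare name means a PATH lookup at run time.
WATCHED = ("chmod", "chown", "cp", "mv", "rm", "cat", "docker", "systemctl", "service")
# A watched name not preceded by a path character (so "/bin/chmod" is fine) and followed by whitespace.
BARE_CMD_RE = re.compile(r"(?<![\w/.-])(" + "|".join(WATCHED) + r")(?=\s)")
PRINTABLE_RE = re.compile(rb"[\x20-\x7e]{4,}")


def printable_strings(blob: bytes) -> List[str]:
    """Rough equivalent of strings(1): runs of four or more printable ASCII bytes."""
    return [m.group().decode("ascii") for m in PRINTABLE_RE.finditer(blob)]


def unqualified_commands(blob: bytes) -> List[str]:
    """Embedded strings that look like shell commands invoking a watched tool by bare name."""
    return [s for s in printable_strings(blob) if BARE_CMD_RE.search(s)]


def audit(path: str) -> Dict[str, object]:
    """Report setuid bit, owner and any PATH-dependent command strings for one file."""
    st = os.stat(path)
    with open(path, "rb") as fh:
        blob = fh.read()
    return {
        "path": path,
        "setuid": bool(st.st_mode & stat.S_ISUID),
        "owner_uid": st.st_uid,
        "unqualified": unqualified_commands(blob),
    }


# Constructed stand-in for the helper: an ELF-looking prefix plus the two command strings the
# walkthrough saw (bare chmod) next to fully qualified invocations that should not be flagged.
FAKE_HELPER = (
    b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8
    + b"chmod 700 /usr/bin/docker\x00"
    + b"chmod 660 /var/run/docker\x00"
    + b"/usr/bin/docker ps\x00"
    + b"/bin/chmod 750 /opt/containerd\x00"
)


def demo_audit() -> Dict[str, object]:
    """Write the constructed helper to a temp file, mark it setuid, audit it, clean up."""
    fd, path = tempfile.mkstemp(prefix="docker-security-")
    try:
        with os.fdopen(fd, "wb") as fh:
            fh.write(FAKE_HELPER)
        os.chmod(path, 0o4755)  # setuid bit on our own file; owner is us, not root
        return audit(path)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    result = demo_audit()
    for cmd in result["unqualified"]:
        print(f"{result['path']}: setuid={result['setuid']} uid={result['owner_uid']} "
              f"PATH-dependent command: {cmd!r}")
```

To use it on a host, feed audit() the output of find / -perm -4000 -type f and treat any root-owned hit with a non-empty "unqualified" list as a finding. The fix on the helper's side is to call tools by absolute path (or exec them directly with a fixed argv) and to reset PATH to a known value before doing anything privileged; a setuid program that inherits the caller's environment is trusting the caller.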
So I hope those were some cool takeaways for you, and I'm really glad to maybe finally do a little bit more with Hack The Box, because I know I don't give them as much love as I nearly should, but hopefully we can do a heck of a lot more. So some neat tricks: using Updog, and of course, if you wanted to, you can connect to this thing with pwncat. Like, do I have pwncat installed? Let's activate that environment. Let's run... what branch am I on? I wanna make sure I'm not on the new development one. Okay, good. So python -m pwncat -i... that was in /home/john/CTF/hackthebox/laboratory, ssh/dexter, okay? dexter@laboratory.htb. And I do not apparently have that set up and installed correctly. So that was a fluke; leave that out. I was using revshells.com to be able to grab some of that reverse shell syntax. That's 0day, Ryan Montgomery, over in the TryHackMe space; he's putting out really cool stuff. And this is a really handy reference. But it was the first time I had ever heard of this video hacks guy. Looks like he has a lot of other interesting videos that showcase some other exploits and stuff you can do with it. So that might be kind of a cool reference. A lot of stuff, really good for me to finally walk through this box. But man, I have been yapping for quite some time. So I think that's the end of the video. Thank you guys so, so much for watching. I really hope you did get something good out of this one, and maybe I can get back to some Hack The Box stuff again. I super appreciate all the swag. Thank you guys. And I'm so looking forward to that Cyber Apocalypse CTF getting started on Monday. So hey, you should go play, go register. I hope to see you on the scoreboard. Thanks so much, everybody. Please do like the video. Please do all those YouTube algorithm things. And I'll see you in the next video. Bye bye. Bye.