OpenSource HackTheBox Writeup
Scanning
We launch nmap tool with scripts and versions on all ports.
Enumeration
We access the corporate website:
Below, we find a button where we can download the source code of an application.
We unzipped the file and reviewed several of the files, in principle we found no hardcoded credentials or relevant information.
Exploiting
We continued to review the website, found the application and the file upload form:
We see that it allow us to upload at least files with .txt extension:
Result:
We see that if we try to check SSTI it returns an error where it shows trace information of the files used and the current working directory where the files will be hosted.
I tried to upload some webshell, but it was not possible. So I went back to check the code, because if they are providing you with the code it is because there will be some function that we can take advantage of… So I found the same error trace “os.getcwd(), “public…“…” in the “views.py” file, so I tried to upload the file and it didn’t complain about the extension and I thought I could reuse the same file with malicious code to get a reverse shell.
Here I had another problem, it did not allow me to specify the absolute path, after trying different kinds of ways to move recursively in directories I got this valid one, managing to upload and replace the file “views.py” by the malicious one.
We get on the listen with netcat, we update and we see that we gain access to the machine. We see that we are logged in as root, but we are not on the machine as we can see by the IP, so we will be in a docker or other type of container.
As I am premium and it was giving me a lot of problems, I deployed a chisel as a client to maintain persistence and I started to identify ports with nmap from my machine.
Identified ports:
We discovered a service that we already know “Gitea” through port 3000.
We access the service through the web browser, register and check if there is any repository where we can get information, but nothing.
So I went back to previous steps and realized that there was the “.git” folder (hidden OMG!), so we could try to rescue the files to see if we could find some credentials or some information to compromise the machine.
So I extracted all the information with gittools dumper and we found these credentials!
We try to log in via SSH, but we see that we are denied permission.
So we test the credentials in gitea and we see that there is a backup of your home, including the .ssh folder.
Access via SSH with the private key and read the user flag:
Privilege Escalation
We performed an enumeration with the “linpeas.sh” tool and listed a couple of interesting gitlab paths.
There is nothing in the crontab file, so we run pspy to identify possible scheduled tasks. After a few minutes, we see that it is trying to interact with a git by entering a commit.
Searching for information on how to abuse gtfobins, I found a way to run a shell through the “pre-commit.sample” file with hooks:
Curiously we have the file:
Insert the malicious command and rename the file to “pre-commit”:
We put ourselves with a netcat listening, wait for the scheduled task to run and read the root flag.