Bitlab Writeup

First we do the usual nmap scan.

We find that ports 22 and 80 are open. Let’s browse to port 80 and see what we find.

A GitLab installation! We need a username and password to log in, though, and we don’t have one!

After some browsing through the site we see that we can click on help at the bottom of the page, and then on bookmarks.html.

When we hover the mouse over “Gitlab Login”, a piece of code shows up at the bottom of the browser.

We need the bits between the [ and ]. It looks a lot like hex, but we first need to strip away the \x before we can put it into a hex decoder.

In the decoded output you will notice a username and password. clave:d11des0081x
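
The strip-and-decode step can also be scripted, which is handy when auditing static pages for strings hidden behind \x escapes. This is an added example, not code from the original post; the sample link, field ids and credentials in it are constructed placeholders, and the login/password heuristic is an assumption.

```python
import re

HEX_ESCAPE = re.compile(r"\\x([0-9A-Fa-f]{2})")
ARRAY_LITERAL = re.compile(r"\[([^\[\]]*)\]")        # the bits between [ and ]
STRING_LITERAL = re.compile(r'"((?:[^"\\]|\\.)*)"')  # double-quoted elements


def decode_hex_escapes(text):
    """Replace every \\xNN escape with the character it encodes."""
    return HEX_ESCAPE.sub(lambda m: chr(int(m.group(1), 16)), text)


def extract_strings(source):
    """Decode the string elements of each array literal that uses \\x escapes."""
    decoded = []
    for array in ARRAY_LITERAL.finditer(source):
        body = array.group(1)
        if not HEX_ESCAPE.search(body):
            continue  # index expressions such as [2] carry no encoded data
        decoded += [decode_hex_escapes(s) for s in STRING_LITERAL.findall(body)]
    return decoded


def looks_like_login_autofill(strings):
    """Audit heuristic: decoded strings name both a login and a password field."""
    lowered = [s.lower() for s in strings]
    return (any("login" in s or "user" in s for s in lowered)
            and any("pass" in s for s in lowered))


def hex_escape(text):
    """Encode text as \\xNN escapes (only used to build the sample below)."""
    return "".join("\\x%02X" % ord(c) for c in text)


# Constructed sample, not the link from the box: placeholder field ids and credentials.
PLAIN = ["value", "user_login", "getElementById",
         "example_user", "user_password", "example_password"]
SAMPLE = ("javascript:(function(){var _0xabcd=["
          + ",".join('"%s"' % hex_escape(s) for s in PLAIN)
          + "];document[_0xabcd[2]](_0xabcd[1])[_0xabcd[0]]=_0xabcd[3];})()")

if __name__ == "__main__":
    for item in extract_strings(SAMPLE):
        print(item)
    print("login autofill:", looks_like_login_autofill(extract_strings(SAMPLE)))
```

Run over the HTML of an internal help or bookmarks page, a hit from `looks_like_login_autofill` means the page ships credentials to every visitor and they should be rotated.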

We can now use this to log in to GitLab.

After browsing around for a while I found the following under the snippets tab on top.

Connection details for the Postgres database. We cannot access it directly, only from within the machine, so we need to find a way into the machine with a shell.

Since we are able to upload files to the repository, we can try to upload a PHP reverse shell. I created a PHP file with the following code.

Just remember to use your IP, otherwise you will not get a reverse shell back to your machine, as I have done on a couple of occasions.

In the profile repository, click on the + icon and select upload file and upload your file, in my case it was cake.php.

Then click Submit merge request and then Merge on the next screens.

Once that is done, we now have to listen for connections coming into our box with the nc command.

We can now browse to our reverse shell PHP file to initiate the reverse connection by browsing to http://10.10.10.114/profile/cake.php

You should now see a reverse shell in your nc window.

We are connected, BUT we kinda have a useless terminal: it is not interactive, meaning you cannot create or edit files easily. We can fix this with the following steps:

  1. python -c 'import pty; pty.spawn("/bin/bash")'
  2. ctrl + z (puts the nc into the background)
  3. echo $TERM (this shows what your TERM is set to)
  4. stty -a (this shows your window size)
  5. stty raw -echo (NOTE: you will not see any output after this)
  6. fg (go back to the nc)
  7. reset (this resets the terminal settings on the remote machine)
  8. When asked for the terminal type, type in the $TERM output you got; in my case it was xterm-256color.

Then enter the following:

  1. export SHELL=bash
  2. stty rows 29 columns 147 (use your own values from stty -a above)

I then created a new file under /tmp/cake and then ran it.

Oh look, could that be clave’s SSH details?

Yes it was!

Now for root.

Copy RemoteConnection.exe to your machine. I just scp’d it to my machine.

We now have to reverse engineer it (debug, more like it). I use a tool called OllyDbg.

Once it is opened we can try to run the program, but we get an “Access Denied !!” message.

We have to debug it and see how we can bypass that. Right click on the left and search for all text strings.

We actually see the “Access Denied !!” part.

Double click it and you will be taken to the portion of the program where it executes. Right click and then select fill with NOPs. This will cause the program to bypass that function.

Now run the program again.

Focus on the bottom right window.

Scroll down and you will see the following

Could that be???

Indeed!

This post is licensed under 0x3n0 by the author.
