HTB is an excellent platform that hosts machines running multiple OSes, along with other challenges. Individuals have to solve a puzzle (simple enumeration plus a bit of pentesting) in order to log into the platform and download the VPN pack that connects them to the machines hosted on HTB.

The walkthrough

Note: Only write-ups of retired HTB machines are allowed. The machine in this article, named Gitlab, is retired. Let's start with this machine.

Download the VPN pack for the individual user and follow the guidelines to log in to the HTB VPN. The Gitlab machine IP is 10.10.10.114. We will adopt the same penetration testing methodology we have used previously. Let's start with enumeration in order to gain as much information about the machine as possible. As usual, we begin with an nmap scan to gather information about the services running on this machine. «nmap -sC -sV -oA Gitlab 10.10.10.114»

As we can see, ports 20 and 80 are open according to the initial enumeration. Let's start with port 80. On port 80 we get a login page, which means we have to start enumerating directories.

Before we start using tools, there are some default Gitlab directories that we can also look at. Looking at the help directory reveals a bookmark.html.

Opening bookmark.html and clicking the Gitlab login link, nothing happens.

Let’s look into the source code. Doing so, we found some hex-encoded strings.

After cleaning that up a bit, an online decoder reveals the following content.

We got a user named “clave” and their password. Using that, we can log into the Gitlab portal.

Once we are in, we can start enumerating the projects and other resources.

After initial enumeration, we found that the index.php file is editable by this user. So we can place a reverse shell in it, as shown below.

Submit the merge request into the main branch.

The below screen shows that our request has been successfully merged into master.

Let’s open a listener and browse to the index.php URL. We get a reverse shell back, as shown below.

Let's try to grab user.txt. Unfortunately, we cannot, because we first need to escalate our privileges.

Let's start escalating. Running sudo -l shows that we can run git pull as root.

Let's create a directory under /tmp and copy the existing git profile directory into it so we can add a new hook, as shown below. «cd /tmp» «cd lhm» «cp -rf /var/www/html/profile .» «echo 'reverse shell' > .git/hooks/post-merge»

Let's also start a listener on our attacking system. After that, if we run git pull, which is effectively git fetch + git merge, the post-merge hook above should execute and send the reverse shell back. Executing sudo git pull did exactly that, giving us a root reverse shell.
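Two things had to line up for this escalation: a sudo rule that runs git as root, and an enabled hook in the repository git pulls. As an added example (not part of the original write-up, and not a tool from the box), here is a small Python audit that flags both conditions; the sudo -l text and the repository layout it checks are constructed samples.

```python
import os
import re
import stat
import tempfile

# Constructed `sudo -l` output modelled on the box's finding (git pull allowed as root).
SAMPLE_SUDO_L = """\
User www-data may run the following commands on gitlab:
    (root) NOPASSWD: /usr/bin/git pull
"""

# Hook names git runs by itself; post-merge is the one a successful `git pull` fires.
AUTO_HOOKS = {"post-merge", "post-checkout", "pre-commit", "post-commit",
              "pre-push", "pre-rebase", "post-rewrite", "pre-auto-gc"}

# One sudoers entry as sudo -l prints it: "(runas) TAG: command args"
SUDO_ENTRY = re.compile(r"^\s*\((?P<runas>[^)]+)\)\s*(?:\w+:\s*)*(?P<cmd>\S.*)$")


def audit_sudo_l(output):
    """Return sudo entries that run git as root; any hook-triggering subcommand is root."""
    risky = []
    for line in output.splitlines():
        m = SUDO_ENTRY.match(line)
        if m and ("root" in m.group("runas") or "ALL" in m.group("runas")):
            cmd = m.group("cmd").strip()
            if os.path.basename(cmd.split()[0]) == "git":
                risky.append(cmd)
    return risky


def risky_hooks(repo):
    """List enabled (executable, non-.sample) hooks that a root-run git would execute."""
    hooks_dir = os.path.join(repo, ".git", "hooks")
    return sorted(
        name for name in os.listdir(hooks_dir)
        if name in AUTO_HOOKS
        and os.stat(os.path.join(hooks_dir, name)).st_mode & stat.S_IXUSR
    )


def demo():
    """Build a constructed repo layout in a temp dir and run both checks on it."""
    repo = tempfile.mkdtemp(prefix="hookaudit-")
    hooks = os.path.join(repo, ".git", "hooks")
    os.makedirs(hooks)
    # post-merge is enabled; the .sample file is ignored by git; pre-push is not executable
    for name, mode in (("post-merge", 0o755), ("pre-commit.sample", 0o755), ("pre-push", 0o644)):
        path = os.path.join(hooks, name)
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\necho hook ran\n")   # harmless placeholder body
        os.chmod(path, mode)
    return {"sudo": audit_sudo_l(SAMPLE_SUDO_L), "hooks": risky_hooks(repo)}
```

Point risky_hooks at any repository that a privileged cron job or sudo rule pulls; a hit there, combined with a hit from audit_sudo_l, is the exact situation this box abuses.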

We browse the directory to grab the root.txt file.

This is a straightforward box, and very easy if you know how git pull, when run with escalated permissions, can be abused to spawn a new shell. We will continue this series on interesting HTB machines.