Hack The Box — Bitlab Write-up
Hey guys, today Bitlab retired and here’s my write-up about it.
In short: it’s a Linux box from the Hack The Box platform.
Let’s start by adding the IP to /etc/hosts as bitlab.htb
PART ONE: USER
Starting with an nmap scan:
nmap -p- -sC -oA nmap/bitlab bitlab.htb
I checked the /help page and found a page called Bookmarks.
This page has 5 links, but none of them matters in this case except the last one: Gitlab Login, which is a JavaScript snippet.
After cleaning up the code, I executed it in the Firefox console. Doing that automatically fills out the login form for you.
After logging in with the credentials {clave : 11des0081x}, I found two repositories:
So I decided to check the snippets, and I found a code snippet that had the database credentials:
Now, all we need is to upload a shell to retrieve the credentials from the database.
First we add a new file and write our shell:
<?php
$db_connection = pg_connect("host=localhost dbname=profiles user=profiles password=profiles");
$result = pg_query($db_connection, "SELECT * FROM profiles");
$resultArr = pg_fetch_all($result);
print_r($resultArr);
?>
And merge it:
All we need now is to curl our shell to get the creds for the user.
The password looks base64-encoded, but after decoding it, it didn’t work, so I tried using it as it is and it worked just fine.
We got the user flag.
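From the defender's side, the foothold above came from a connection string with an embedded password sitting in a readable snippet. The following is an added example, not code from the box or from this write-up: a small Python check that finds pg_connect() literals in PHP source, parses the libpq keyword/value string, and reports any that carry a password without echoing the secret. The function names and the sample input are constructed for illustration, and it only covers string literals passed directly to pg_connect().

```python
import re

# libpq keyword/value conninfo: key=value pairs separated by whitespace; a value
# may be single-quoted, with \' and \\ as escapes inside the quotes.
PAIR = re.compile(r"(\w+)\s*=\s*(?:'((?:[^'\\]|\\.)*)'|([^\s']+))")
# String literal passed as the first argument of PHP's pg_connect().
CALL = re.compile(r"pg_connect\(\s*([\"'])((?:\\.|(?!\1).)*)\1")

# Constructed sample, modelled on the snippet shown in the write-up.
SAMPLE = '''<?php
// constructed sample input
$a = pg_connect("host=localhost dbname=profiles user=profiles password=profiles");
$b = pg_connect("host=localhost dbname=app user=app");
$c = pg_connect("host=db dbname=app user=app password='s3 cret'");
'''


def parse_conninfo(conninfo):
    """Parse a libpq keyword/value connection string into a dict."""
    params = {}
    for m in PAIR.finditer(conninfo):
        key, quoted, bare = m.group(1), m.group(2), m.group(3)
        # Undo backslash escapes only for quoted values.
        params[key] = re.sub(r"\\(.)", r"\1", quoted) if quoted is not None else bare
    return params


def find_hardcoded_db_creds(source, filename="<snippet>"):
    """Return one finding per pg_connect() literal that embeds a password."""
    findings = []
    for m in CALL.finditer(source):
        params = parse_conninfo(m.group(2))
        if "password" not in params:
            continue
        findings.append({
            "file": filename,
            "line": source.count("\n", 0, m.start()) + 1,
            "user": params.get("user"),
            "dbname": params.get("dbname"),
            # Weakest case flagged separately: password identical to the user name.
            "password_equals_user": params["password"] == params.get("user"),
        })
    return findings


if __name__ == "__main__":
    for finding in find_hardcoded_db_creds(SAMPLE, "sample.php"):
        print(finding)
```

Run over repositories and snippets before they are shared, a check like this catches the credential before anyone with read access does; the fix is to load the connection string from the environment or a secrets store instead of the source.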
PART TWO: ROOT
After enumerating, the only suspicious file was RemoteConnection.exe.
So let’s check it
Starting by downloading the file from the machine using netcat.
After getting the file onto our machine, it’s time for some reversing using x64dbg.
First, let’s run it from cmd on Windows.
We got an error message: Access Denied !!
Next, time for x64dbg.
After adding a breakpoint on the Access Denied !! message and moving a step forward, we got the following:
"-ssh root@gitlab.htb -pw \"Qf7]8YSV.wDNF*[7d?j&eD4^\""
We can now ssh as root with those credentials
and Voila! We owned root !!
Bitlab was a fun box, with a lot of new things to learn and a variety of different challenges.
And with that, the box is complete!