Hack The Box — Bitlab Write-up

3 min readJan 11, 2020

--

Hey guys, today Bitlab retired and here’s my write-up about it.

In short: It’s a Linux box from HacktheBox platform.

Let’s start by adding the ip to /etc/hosts as bitlab.htb

PART ONE: USER

Starting with nmap scan :

nmap -p- -sC -oA nmap/bitlab bitlab.htb

I checked /help page and I found a page called Bookmarks

This page has 5 links but none of them has any importance in this case except for the last one: Gitlab Login is a JavaScript snippet.

After cleaning up the code, I used Firefox console and executed it. Doing that will automatically fill out the login form for you.

After logging in with the credentials {clave : 11des0081x}

I found two repositories :

So I decided to check the snippets and I found a code snippet that had the database credentials :

Now, all we need is to upload a shell to retrieve the credentials from the database.

First we add a new file and write our shell :

<?php $db_connection = pg_connect(“host=localhost dbname=profiles user=profiles password=profiles”); $result = pg_query($db_connection, “SELECT * FROM profiles”); $resultArr = pg_fetch_all($result); print_r($resultArr); ?>

And merge it :

All we need now is to curl to our shell to get the creds for the user .

The password looks like a base64 encoded after decoding it, It didn’t work so tried using it as it’s and it worked just fine.

We got the user flag .

PART TWO: ROOT

After enumerating, the only suspicious file RemoteConnection.exe .

So let’s check it

Starting by downloading the file from the machine using netcut.

After getting the file into our machine it’s time for some reverse using X64dbg.
First, let’s run it ,from the cmd on windows
Press enter or click to view image in full size
We got an error message: Access Denied !!
Next, time for X64dbg
After adding a breakpoint on the Access Denied !! and using moving a step forward we got the following :