Hack The Box — Bitlab Write-up

Hey guys, today Bitlab retired and here’s my write-up about it.

In short: it’s a Linux box from the Hack The Box platform.

Let’s start by adding the IP to /etc/hosts as bitlab.htb.

PART ONE: USER

Starting with an nmap scan:

nmap -p- -sC -oA nmap/bitlab bitlab.htb

I checked the /help page and found a page called Bookmarks.

This page has 5 links, but none of them matters in this case except for the last one: Gitlab Login, which is a JavaScript snippet.

After cleaning up the code, I executed it in the Firefox console. Doing that will automatically fill out the login form for you.

After logging in with the credentials {clave : 11des0081x}, I found two repositories:

So I decided to check the snippets, and I found a code snippet that had the database credentials:

Now, all we need is to upload a shell to retrieve the credentials from the database.

First we add a new file and write our shell:

<?php
// Connect with the database credentials found in the snippet
$db_connection = pg_connect("host=localhost dbname=profiles user=profiles password=profiles");
// Dump every row of the profiles table
$result = pg_query($db_connection, "SELECT * FROM profiles");
$resultArr = pg_fetch_all($result);
print_r($resultArr);
?>

And merge it:

All we need now is to curl our shell to get the creds for the user.

The password looks like base64-encoded text. After decoding it, it didn’t work, so I tried using it as is and it worked just fine.

We got the user flag.

PART TWO: ROOT

After enumerating, the only suspicious file was RemoteConnection.exe.

So let’s check it.

Starting by downloading the file from the machine using netcat.

After getting the file onto our machine, it’s time for some reversing using x64dbg.

First, let’s run it from cmd on Windows.

We got an error message: Access Denied !!

Next, time for x64dbg.

After adding a breakpoint on the Access Denied !! message and stepping forward, we got the following:

"-ssh root@gitlab.htb -pw \"Qf7]8YSV.wDNF*[7d?j&eD4^\""

We can now ssh as root with those credentials.

And voilà! We owned root!!

Bitlab was a fun box, with a lot of new things to learn and a variety of different challenges.

And with that, the box is complete!
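
Both steps above relied on credentials stored where they could be read: the database connection string in a GitLab snippet and the -pw argument recovered from RemoteConnection.exe. As an added example (not part of the original write-up), here is a small Python check a defender could run over repository files, snippets or process command-line logs to flag both patterns. The function names and the sample text are constructed for illustration.

```python
import re

# libpq keyword/value pairs: key=value or key='quoted value'
_KV = re.compile(r"(\w+)\s*=\s*('(?:[^'\\]|\\.)*'|[^\s'\"]+)")
# PuTTY/plink style password argument: -pw secret, -pw "secret" or -pw \"secret\"
_PW_ARG = re.compile(r"(?<![\w-])-pw\s+(?:\\?\"(.+?)\\?\"|(\S+))")
# Keywords that mark a string as a PostgreSQL connection string
_CONN_KEYS = {"host", "hostaddr", "dbname", "user", "port"}


def redact(secret):
    """Never echo a finding back in full; report only its length."""
    return f"<redacted, {len(secret)} chars>"


def find_secrets(text):
    """Return (line_no, kind, redacted_value) for each hard-coded credential."""
    findings = []
    for no, line in enumerate(text.splitlines(), start=1):
        pairs = dict((k.lower(), v.strip("'")) for k, v in _KV.findall(line))
        # Flag password= only when it sits next to other conninfo keywords,
        # which filters out unrelated "password=" text such as URL parameters.
        if "password" in pairs and _CONN_KEYS & pairs.keys():
            findings.append((no, "libpq-conninfo-password", redact(pairs["password"])))
        for m in _PW_ARG.finditer(line):
            findings.append((no, "cli-pw-argument", redact(m.group(1) or m.group(2))))
    return findings


# Constructed sample: a snippet like the one in the write-up, a command-line
# string with a placeholder password, and two lines that must not be flagged.
SAMPLE = '''<?php
$db = pg_connect("host=localhost dbname=profiles user=profiles password=profiles");
$db2 = pg_connect(getenv("PROFILES_DSN"));   // secret kept out of the repo
$args = "-ssh deploy@example.internal -pw \\"PLACEHOLDER-not-real\\"";
<a href="/reset?password=changed">reset</a>
'''

if __name__ == "__main__":
    for finding in find_secrets(SAMPLE):
        print(finding)
```

Run as a pre-receive or CI check, a non-empty result is the signal to move the secret into an environment variable or a secrets manager and rotate it.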

Mohamed smidi

Cyber Security Engineer | Researcher