Laboratory
Enumeration
Ports and Services
Software Installed:
- GitLab Community Edition 12.8.1
Nmap Scan Results:
Gobuster Scan 443:
Nikto Scan:
SSLScan:
Found an alternate name:
Initial Foothold
Added git.laboratory.htb to /etc/hosts and registered an account. Registration requires an email address in the @laboratory.htb domain.
Registration:
Using Metasploit to read the keypass file and obtain RCE:
Shell:
Have access to the Rails console. Changed Dexter's password to "password":
Logged into GitLab as Dexter and found some SSH keys:
## User.txt Proof Screenshot
Privilege Escalation
/usr/local/bin/docker-security has the SUID bit set.
It appears to be a custom binary, as I could not find any information on it.
strings is not installed, but ltrace is:
It appears to change permissions by calling chmod, but the call does not use an absolute path, so the binary resolves chmod through $PATH.
I put a file called chmod in /tmp, made it executable, and gave it a single line of content: /bin/bash.
Then I added /tmp to the front of PATH:
RootScreenshot Here:
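The root cause above is a privileged binary that trusts the caller's PATH when it spawns chmod. As an added example (my code, not the docker-security binary from the box), here is how such a helper should do it: call chmod(2) directly, or, if a child process is unavoidable, exec it by absolute path with a fixed environment. The self-check constructs a scratch file and sets PATH to a non-existent directory, where a relative "chmod" could not resolve at all, and confirms both helpers still work.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/wait.h>

/* Preferred fix: no child process at all, just the chmod(2) syscall. 0 on success, -1 on failure. */
int chmod_direct(const char *path, mode_t mode) {
    return chmod(path, mode) == 0 ? 0 : -1;
}

/* If an external chmod really is needed: absolute path, fixed environment,
 * no shell. Returns the child's exit status, or -1 on fork/wait failure. */
int chmod_exec(const char *mode, const char *path) {
    char *const argv[] = {"/bin/chmod", (char *)mode, (char *)path, NULL};
    char *const envp[] = {"PATH=/usr/bin:/bin", NULL}; /* caller's PATH is ignored */
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execve(argv[0], argv, envp); /* no PATH lookup: /bin/chmod or nothing */
        _exit(127);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status);
}

/* Self-check: PATH points at a directory that does not exist, so a relative
 * "chmod" could not resolve; both helpers must still change the mode of a
 * scratch file (constructed with mkstemp). Returns 1 on success, 0 otherwise. */
int path_independent(void) {
    char tmpl[] = "/tmp/labXXXXXX";
    struct stat st;
    int fd = mkstemp(tmpl);
    if (fd < 0) return 0;
    close(fd);
    setenv("PATH", "/nonexistent", 1);
    int ok = chmod_direct(tmpl, 0600) == 0 && stat(tmpl, &st) == 0 &&
             (st.st_mode & 0777) == 0600 &&
             chmod_exec("0644", tmpl) == 0 && stat(tmpl, &st) == 0 &&
             (st.st_mode & 0777) == 0644;
    unlink(tmpl);
    return ok;
}

int main(void) {
    printf("PATH-independent chmod helpers: %s\n", path_independent() ? "ok" : "FAILED");
    return 0;
}
```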
Other Findings:
Root's private SSH key was in .ssh: