Bitlab HTB

Port 80 and 22, are open. Visiting 80 we see a gitlab server, I find the credentials http://10.10.10.114/help/bookmarks.html at this url, and when I click Github Login, I see obfuscated javascript. I copy the code and paste it to javascript console, run it, and the get the variable content. And I get the login credentials.

Login Creds

I goto Profile project and upload and commit to repo a php file with reverse shell code inside of it. I then visit http://10.10.10.114/profile/shell.php. Now I get a reverse shell as www-data.

Intended to Root

From here there are 2 paths to get root. I First got into the intended path by going to snippets finding a php script there, copying to machine and then adding some more code and find out the password for user clave, after I su and can access user.txt but for root I need to reverse a .exe file.

Unintended to Root

When logginin as www-data and running sudo -l I can see that I can run git pull as root. After a bit of research I read about git hooks, which all they do is run something when a git pull or git push is runned.

Git Hooks

I copy the repo into /tmp/ and then add a into .git/hooks/post-merge which runs a bash script to give me reverse shell, I make it executable and then go into gitlab and commit a change. Then I run git pull and a merge occurs so my script gets execute, and I get reverse shell as root.

The quieter you become, the more you are able to hear.
DHT4tMDxN34WgmtcX9em8AGMeqMpSechq4