This is Git and Crumpets from THM. It’s Medium rated. For the avoidance of any doubt: I generally don’t publicise my writeups, and this is no exception.
Port scanning is awkward here: SSH and HTTP are certainly open, but rustscan doesn’t like the box and nmap isn’t super keen either, since the box has ‘countermeasures’. Let’s assume those are the only open ports.
The webpage redirects to Rick Astley on youtube, because of course it does. But we can see this in the page source:
So we edit our /etc/hosts and go take a look.
Once we arrive at git.git-and-crumpets.thm, it’s Gitea: “A painless self-hosted Git service”. The exploit is explained here. It’s arguably not really an exploit, since if you explicitly allow your users to execute code, then yeah, they can execute code.
We can sign up, and then ‘explore’ the repos using the web interface. At /scones/cant-touch-this/commits/branch/master we find this:
I kept the password in my avatar to be more secure.
And we can download the avatar and run exiftool on it:
Description : My ‘Password’ should be easy enough to guess
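The avatar trick above is the generic lesson of this step: any file a user uploads can carry text metadata, and exiftool is just one way to read it. What follows is an added example, not from the original writeup or from Gitea: a small pure-Python checker that parses the text chunks of a PNG, flags any field that mentions a credential-like word, and scrubs the text chunks before storage. It assumes the avatar is a PNG (the page does not say which format was used) and builds its own 1x1 sample image inline, so it runs offline; the "Description" value is the one quoted from the room, embedded as constructed test data.

```python
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
# Words that, in a metadata key or value, should make an upload pipeline pause (assumed list).
SENSITIVE_WORDS = ("password", "passwd", "secret", "token", "api key", "apikey")


def _chunk(ctype: bytes, body: bytes) -> bytes:
    """Serialise one PNG chunk: big-endian length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def build_sample_png(text_fields: dict) -> bytes:
    """Constructed test input: a 1x1 8-bit greyscale PNG carrying the given tEXt key/values."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)  # width, height, depth, colour type 0
    idat = zlib.compress(b"\x00\x80")  # one scanline: filter byte 0 + one grey pixel
    chunks = [_chunk(b"IHDR", ihdr)]
    for key, value in text_fields.items():
        chunks.append(_chunk(b"tEXt", key.encode("latin-1") + b"\x00" + value.encode("latin-1")))
    chunks.append(_chunk(b"IDAT", idat))
    chunks.append(_chunk(b"IEND", b""))
    return PNG_SIGNATURE + b"".join(chunks)


def iter_chunks(data: bytes):
    """Yield (type, body) for every chunk, checking the signature and each CRC on the way."""
    if not data.startswith(PNG_SIGNATURE):
        raise ValueError("not a PNG")
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack(">I4s", data[pos:pos + 8])
        body = data[pos + 8:pos + 8 + length]
        crc = struct.unpack(">I", data[pos + 8 + length:pos + 12 + length])[0]
        if zlib.crc32(ctype + body) & 0xFFFFFFFF != crc:
            raise ValueError(f"bad CRC in {ctype!r} chunk")
        yield ctype, body
        pos += 12 + length
        if ctype == b"IEND":
            break


def extract_text_fields(data: bytes) -> dict:
    """Collect the key/value text metadata (tEXt and zTXt chunks) that a PNG carries."""
    fields = {}
    for ctype, body in iter_chunks(data):
        if ctype == b"tEXt":
            key, _, value = body.partition(b"\x00")
            fields[key.decode("latin-1")] = value.decode("latin-1", "replace")
        elif ctype == b"zTXt":
            key, _, rest = body.partition(b"\x00")
            # rest[0] is the compression method (0 = zlib); the compressed text follows it
            fields[key.decode("latin-1")] = zlib.decompress(rest[1:]).decode("latin-1", "replace")
    return fields


def find_sensitive_fields(fields: dict) -> list:
    """Return the metadata keys whose key or value mentions a credential-like word."""
    hits = []
    for key, value in fields.items():
        haystack = f"{key} {value}".lower()
        if any(word in haystack for word in SENSITIVE_WORDS):
            hits.append(key)
    return hits


def strip_text_chunks(data: bytes) -> bytes:
    """Return a copy of the PNG with all textual metadata (tEXt, zTXt, iTXt) removed."""
    kept = [PNG_SIGNATURE]
    for ctype, body in iter_chunks(data):
        if ctype not in (b"tEXt", b"zTXt", b"iTXt"):
            kept.append(_chunk(ctype, body))
    return b"".join(kept)


if __name__ == "__main__":
    sample = build_sample_png({"Description": "My 'Password' should be easy enough to guess",
                               "Software": "constructed-example"})
    found = extract_text_fields(sample)
    print("metadata:", found)
    print("flagged:", find_sensitive_fields(found))
    print("after scrub:", extract_text_fields(strip_text_chunks(sample)))
```

Scrubbing on upload is the cheap fix; flagging is the useful one for a review queue, because a field that mentions a password is a sign the user is treating the avatar as a note-to-self, exactly what happened on this box.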
So yes, it’s scones:password. We log out as our registered user and back in as scones, and then we can create a repo and add a hook as described in the linked article. We need to make a commit to the repo from our attack machine. I don’t follow the article exactly; instead I clone the repo, add a file, commit and push back to the remote. This is enough:
The privesc is reading the root account SSH key from a repo on Gitea. Apparently there are multiple ways to do it; what I did was:
Find out who the admin user is
Change his password (amazing we can do this)
Disable 2FA on his account by deleting entries from the Gitea sqlite two_factor table
Look through the web interface as the admin and find the prize
SSH in and done.
Here’s what some of that looked like. Learn who is admin:
And that was about that. I also did Harder, which I tried before and couldn’t get through. Even this time I had to check a write-up. I found the subdomains and dumped the git repo, but was stuck at the exploit. It’s explained here:
The code stems from a vulnerability that was encountered in the wild.
The THM room says:
The machine is completely inspired by real world pentest findings. Perhaps you will consider them very challenging but without any rabbit holes. Once you have a shell it is very important to know which underlying linux distribution is used and where certain configurations are located.
I’m sure that’s true for the foothold, but the privesc felt contrived to me; not sure if that’s fair or not. I certainly haven’t seen one of these with Alpine as the host OS before, though.