# Hack The Box - Bitlab

## Quick Summary

Hey guys, today Bitlab retired and here’s my write-up about it. It was a nice CTF-style machine that mainly involved a direct file upload and a simple reverse engineering challenge. It’s a Linux box and its IP is 10.10.10.114; I added it to /etc/hosts as bitlab.htb. Let’s jump right in!

## Nmap

As always we will start with nmap to scan for open ports and services:

We got HTTP on port 80 and SSH on port 22. A robots.txt existed on the web server, and it had a lot of entries.

## Web Enumeration

GitLab was running on the web server and we needed credentials:

I checked /robots.txt to see if there was anything interesting:

Most of the disallowed entries were paths related to the GitLab application. I checked /help and found a page called bookmarks.html:

There was an interesting link called Gitlab Login:

Clicking on that link didn’t do anything, so I checked the source of the page; the href attribute contained some JavaScript code:

I took that code, edited it a little bit and used the JS console to execute it:

Then I printed the variable _0x4b18, which held the credentials for GitLab:

## File Upload –> RCE –> Shell as www-data

After logging in with the credentials (clave : 11des0081x) I found two repositories, Profile and Deployer:

I also checked the snippets and found an interesting code snippet that contained the database credentials, which would be useful later:

Back to the repositories, I checked Profile and it was pretty empty:

The path /profile was one of the disallowed entries in /robots.txt. I wanted to check whether that path was related to the repository, so I checked if the same image (developer.jpg) existed there, and it did:

Now we could simply upload a PHP shell and access it through /profile. I uploaded php-simple-backdoor:

Then I merged it to the master branch:

I used the netcat OpenBSD reverse shell payload from PayloadsAllTheThings to get a shell; I had to URL-encode it first:
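The root cause in this section is that whatever lands in the master branch of the Profile repository is deployed straight into a directory the web server executes PHP from, so a merge is effectively an upload of server-side code. As an added example that is not part of this write-up or of the box, here is a small pre-merge gate a defender could run as a CI job or GitLab merge check: it takes the list of repository paths an MR adds or changes and refuses the merge if any of them would become executable once deployed. The extension lists, the assumption that the whole repository is web-served, and the sample merge request are all constructed for the example; tune them to the real handler configuration.

```python
"""Pre-merge gate: refuse merges that drop server-executable files into a web-served tree.

Context: a repository whose master branch is auto-deployed under a web root
(like the Profile repository served at /profile in the write-up). Paths,
extensions and sample input below are constructed for the example.
"""
from __future__ import annotations

import posixpath
from dataclasses import dataclass

# Extensions a typical Apache/PHP-FPM setup hands to the PHP interpreter.
# Assumption for the example; derive it from the server's actual handler config.
EXECUTABLE_EXTENSIONS = frozenset({
    ".php", ".php3", ".php4", ".php5", ".php7", ".phps", ".phtml", ".phar",
})

# File types we are happy to let the web server serve statically from the deployed tree.
STATIC_EXTENSIONS = frozenset({
    ".html", ".css", ".js", ".jpg", ".jpeg", ".png", ".gif", ".svg", ".txt", ".md",
})


@dataclass(frozen=True)
class Finding:
    path: str
    reason: str


def _extensions(name: str) -> list[str]:
    """Return every dotted suffix of a filename, e.g. 'a.php.jpg' -> ['.php', '.jpg'].

    Double extensions matter: some handler configs match any '.php' component,
    so every segment is inspected rather than only the last one.
    """
    parts = name.split(".")
    return ["." + p.lower() for p in parts[1:]]


def check_merge(changed_paths: list[str], served_prefixes: tuple[str, ...] = ("",)) -> list[Finding]:
    """Return a Finding for every changed path that would become risky once deployed.

    changed_paths   : repo-relative paths added or modified by the merge request.
    served_prefixes : repo subdirectories the web server exposes; "" means the
                      whole repository is deployed (the assumption used here).
    """
    findings: list[Finding] = []
    for raw in changed_paths:
        path = posixpath.normpath(raw.lstrip("/"))
        # A path that escapes the repository root is itself suspicious: flag it and move on.
        if path.startswith("..") or "/../" in path:
            findings.append(Finding(raw, "path escapes repository root"))
            continue
        if not any(path.startswith(p) for p in served_prefixes):
            continue  # not in a web-served directory; outside this gate's scope
        name = posixpath.basename(path)
        exts = _extensions(name)
        if any(e in EXECUTABLE_EXTENSIONS for e in exts):
            findings.append(Finding(raw, "server-executable extension in web-served tree"))
        elif name == ".htaccess":
            # .htaccess can re-map arbitrary extensions to the PHP handler; treat it like code.
            findings.append(Finding(raw, ".htaccess can change handler mapping"))
        elif exts and exts[-1] not in STATIC_EXTENSIONS:
            findings.append(Finding(raw, "unknown file type in web-served tree; review manually"))
    return findings


def merge_allowed(changed_paths: list[str]) -> bool:
    """Convenience wrapper for a CI job: True only when the gate raised nothing."""
    return not check_merge(changed_paths)


if __name__ == "__main__":
    # Constructed merge request: a legitimate image update plus a backdoor upload.
    sample = ["developer.jpg", "index.html", "shell.php", "avatar.php.jpg", "uploads/.htaccess"]
    for f in check_merge(sample):
        print(f"BLOCK {f.path}: {f.reason}")
    print("merge allowed:", merge_allowed(sample))
```

The gate is deliberately conservative: anything that is neither known-static nor known-executable is sent for manual review rather than waved through, and a traversal component in the diff is treated as a finding in its own right. It complements, rather than replaces, the stronger fix of not executing scripts from a user-writable deployment directory at all.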

## Database Access –> Clave’s Password –> SSH as Clave –> User Flag

After getting a shell as www-data I wanted to use the credentials I got earlier from the code snippet and see what was in the database; however, psql wasn’t installed:

So I had to do it with PHP:

I executed the same query from the code snippet, which selected everything from the profiles table, and I got clave’s password, which I could use to get SSH access:

We owned user.

## Reversing RemoteConnection.exe –> Root’s Password –> SSH as Root –> Root Flag

In the home directory of clave there was a Windows executable called RemoteConnection.exe:

Then I started looking at the decompiled code in Ghidra. One function that caught my attention was FUN_00401520():

It looked like it was checking whether the name of the user running the program was clave, and if so it executed PuTTY with some parameters that I couldn’t see:

This is how the same part looked in IDA:

I copied the executable to a Windows machine and tried to run it, but it just kept crashing.
I opened it in Immunity Debugger to find out what was happening, and I found an access violation:

It happened before reaching the function I was interested in, so I had to fix it. What I did was simply replace the instructions that caused the access violation with NOPs.
I had to set a breakpoint before the cmp instruction, so I searched for the word “clave” in the referenced text strings and followed it in the disassembler:

Then I executed the program, and whenever I hit an access violation I replaced the instructions with NOPs. It happened twice, and then I reached my breakpoint:

After reaching the breakpoint I could see the parameters that the program passes to putty.exe in both eax and ebx. It was starting an SSH session as root, and I could see the password:
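The reason the password is readable here is that the helper hands it to putty.exe as an ordinary command-line argument: whatever is in those registers at the call site is the same string any process-listing tool or process-creation log on that host would record. As an added example that is not part of this write-up, the script below shows the detection a defender would want for that pattern, run over a few constructed Sysmon Event ID 1 style records (timestamp, image, parent image, command line, pipe-separated; a simplification of the real event layout). It flags PuTTY-family tools launched with PuTTY’s documented `-pw` option or with a root login target, and redacts the secret before the alert is stored. That the binary on the box used `-pw` specifically is an assumption; the page only shows that the password appeared among PuTTY’s parameters. The hostnames, IP and parent process in the sample lines are taken from the write-up’s setting, the password value is an obvious placeholder.

```python
"""Detect credential-bearing PuTTY/plink command lines in process-creation logs.

The sample log lines below are constructed for this example. The record layout
'timestamp|image|parent|cmdline' is a simplification of a Sysmon Event ID 1
process-creation event, not a real export.
"""
import re
import shlex
from dataclasses import dataclass, field

PUTTY_TOOLS = {"putty.exe", "plink.exe", "pscp.exe", "psftp.exe"}


@dataclass
class Alert:
    timestamp: str
    image: str
    issues: list = field(default_factory=list)
    redacted_cmdline: str = ""


def _basename(image: str) -> str:
    """Lower-cased file name of a Windows or POSIX image path."""
    return image.replace("\\", "/").rsplit("/", 1)[-1].lower()


def inspect_cmdline(cmdline: str):
    """Return (issues, redacted command line) for one PuTTY-family invocation.

    Flags PuTTY's '-pw <password>' (secret on the command line) and a root login
    target given either as 'root@host' or as '-l root'. The password token is
    replaced by '<redacted>' so the alert itself does not persist the secret.
    """
    try:
        # posix=False keeps Windows backslashes intact and quoted paths as one token.
        argv = shlex.split(cmdline, posix=False)
    except ValueError:
        argv = cmdline.split()
    issues = []
    redacted = []
    i = 0
    while i < len(argv):
        tok = argv[i]
        low = tok.lower()
        if low == "-pw" and i + 1 < len(argv):
            issues.append("password passed on command line (-pw)")
            redacted.extend([tok, "<redacted>"])
            i += 2
            continue
        if low == "-l" and i + 1 < len(argv) and argv[i + 1].lower() == "root":
            issues.append("root login target (-l root)")
        elif re.fullmatch(r"root@[\w.\-]+", low):
            issues.append(f"root login target ({tok})")
        redacted.append(tok)
        i += 1
    return issues, " ".join(redacted)


def scan_log(lines) -> list:
    """Parse 'ts|image|parent|cmdline' records and alert on PuTTY-family hits."""
    alerts = []
    for line in lines:
        parts = line.rstrip("\n").split("|", 3)
        if len(parts) != 4:
            continue  # malformed record; a real pipeline would count these
        ts, image, parent, cmdline = parts
        if _basename(image) not in PUTTY_TOOLS:
            continue
        issues, redacted = inspect_cmdline(cmdline)
        if issues:
            alerts.append(Alert(ts, image, issues, redacted))
    return alerts


# Constructed sample records; the password is a placeholder, not a real credential.
SAMPLE_LOG = [
    r'2019-09-01T10:00:00Z|C:\Program Files\PuTTY\putty.exe|C:\Users\clave\RemoteConnection.exe|"C:\Program Files\PuTTY\putty.exe" -ssh root@bitlab.htb -pw EXAMPLE_PASSWORD_NOT_REAL',
    r'2019-09-01T10:05:00Z|C:\Program Files\PuTTY\putty.exe|C:\Windows\explorer.exe|putty.exe -ssh clave@bitlab.htb',
    r'2019-09-01T10:06:00Z|C:\Windows\System32\notepad.exe|C:\Windows\explorer.exe|notepad.exe notes.txt',
    r'2019-09-01T10:07:00Z|C:\Tools\plink.exe|C:\Windows\System32\cmd.exe|plink.exe -ssh -l root 10.10.10.114 -pw "p@ss word"',
]

if __name__ == "__main__":
    for a in scan_log(SAMPLE_LOG):
        print(f"{a.timestamp} {a.image}")
        for issue in a.issues:
            print(f"  - {issue}")
        print(f"  cmdline: {a.redacted_cmdline}")
```

Two of the four sample records trigger: the helper-style launch with a root target and an inline password, and the plink call that does the same with `-l root`. The ordinary `clave@bitlab.htb` session does not, which keeps the rule quiet for normal PuTTY use. The mitigation the alert points at is the standard one: authenticate with a key held in an agent or Pageant instead of a password baked into a binary and passed on the command line.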

And we owned root!
That’s it, feedback is appreciated!