Barrier is a Linux box with GitLab, Authentik, and Apache Guacamole. I’ll exploit a SAML signature bypass vulnerability in GitLab’s Ruby SAML library to forge a SAML assertion and log in as admin. From GitLab’s CI/CD variables, I’ll recover an Authentik API token and use it to create an admin account. With Authentik admin access, I’ll impersonate a user in Guacamole to get an SSH shell. From there, I’ll find database credentials for Guacamole’s MariaDB backend and extract an SSH private key and passphrase for another user. That user’s bash history contains a password that works with sudo to get root.

0xdf hacks stuff

A detailed walkthrough of the HackTheBox 'Barrier' Linux machine involving multiple chained vulnerabilities. The attack path starts with exploiting CVE-2024-45409, a SAML signature bypass in GitLab's Ruby SAML library, to forge a SAML assertion and gain admin access to GitLab. From there, an Authentik API token stored in GitLab CI/CD variables is used to create an admin account in Authentik. With Authentik admin access, user impersonation in Apache Guacamole yields an SSH shell as user 'maki'. Database credentials from Guacamole's MariaDB backend expose an SSH private key and passphrase for another user, whose bash history contains a password enabling sudo to root.

HTB: Barrier