HackTheBox Writeup — Ready

Hello guys, I am Faisal Husaini. My username on HTB is “fa1sal”. Also, join me on Discord.

The IP of this box is 10.10.10.220

Port Scan

Running a full Nmap port scan on it, we get

We have only two open ports: port 22 for SSH and port 5080 for the web.

Way To User

Checking the web, we see that we have GitLab.

Registering a new user so that we can log in and see what we have.

Checking the GitLab version, it has GitLab Community Edition 11.4.7 installed, which has a famous vulnerability explained by LiveOverflow.

After following his article (linked below in the References section), we have to create our payload to get RCE. Here I am trying to get a reverse shell by intercepting the request for importing a new project through a URL and then making the changes as shown below.

Now checking back on the netcat listener, our reverse shell was successful.

Checking the home directory, we have a user named dude, whose user flag is readable by the current user.

Way To Root

Checking the /opt/ directory, we have a directory named backup which has three files.

The docker-compose file has the details of the current Docker container, and it tells us that the container is running in privileged mode, which is a security risk.
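The privileged setting noted above is something a defender can check for before a container ever ships. The following is an added example, not part of the original writeup: a small Python audit that lists the services in a compose file that set privileged to a true value. The sample compose text and image names are constructed, and the parser assumes block-style YAML with space indentation.

```python
import re

# Constructed sample compose file (not the one from the box).
SAMPLE_COMPOSE = """\
services:
  web:
    image: example/app:latest   # hypothetical image name
    privileged: true
  db:
    image: example/db:latest
    privileged: false
"""

# Spellings treated as boolean true here (assumption: flag all of them).
TRUTHY = {"true", "yes", "on"}


def privileged_services(compose_text):
    """Return the names of services that set `privileged` to a true value."""
    flagged, in_services = [], False
    service_indent = prop_indent = current = None
    for raw in compose_text.splitlines():
        line = re.sub(r"\s+#.*$", "", raw).rstrip()  # drop trailing comments
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        indent = len(line) - len(line.lstrip(" "))
        key, sep, value = line.strip().partition(":")
        if indent == 0:  # a new top-level section starts
            in_services = (key == "services" and sep == ":")
            service_indent = prop_indent = current = None
            continue
        if not in_services or not sep:
            continue
        if service_indent is None:  # first key under `services:` is a service
            service_indent = indent
        if indent == service_indent:
            current, prop_indent = key.strip("'\""), None
            continue
        if current is None or indent < service_indent:
            continue
        if prop_indent is None:  # indentation of this service's own keys
            prop_indent = indent
        # Only a direct property of the service counts, not a nested key.
        if indent == prop_indent and key == "privileged":
            if value.strip().strip("'\"").lower() in TRUTHY:
                flagged.append(current)
    return flagged


if __name__ == "__main__":
    for name in privileged_services(SAMPLE_COMPOSE):
        print(f"service '{name}' runs with privileged: true")
```

Any service this reports should have the flag removed or replaced with the specific capabilities it actually needs.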

Looking for passwords in these other files, we get an SMTP password.

Using this password for the root user on the container, we get root on the container.

Now running the DeepCE docker script to exploit the privileged docker container.

Now we connect to our new user through SSH.

We got in as a user with root privileges, as we can confirm.

We have our root flag too.

References
