HackTheBox Writeup — Ready
--
Hello guys, I am Faisal Husaini. My username on HTB is “fa1sal”. Also join me on Discord.
The IP of this box is 10.10.10.220.
Port Scan
Running an Nmap full port scan on it, we get:
We have only two open ports: port 22 for SSH and port 5080 for the web server.
Way To User
Checking the web service, we see that it is running GitLab.
We register a new user so that we can log in and see what is available.
Checking the GitLab version, we find GitLab Community Edition 11.4.7 installed, which has a well-known vulnerability explained by LiveOverflow.
After following his article (link in the References section below), we have to create our payload to get RCE, so here I am trying to get a reverse shell after intercepting the request to import a new project through a URL and then making the changes shown below.
Checking back on the netcat listener, we have a successful reverse shell.
Checking the home directory, we find a user named dude whose user flag is readable by the current user.
Way To Root
Checking the /opt/ directory, we find a directory named backup containing three files.
The docker-compose file has the details of the current Docker container, and it tells us that the container runs in privileged mode, which is a security risk.
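The privileged flag is the setting a defender should be hunting for in every compose file before it is deployed. The following script is an added example, not code from the writeup or from any of the tools it mentions: it audits a compose definition that has already been loaded into a dict (for instance with yaml.safe_load() from PyYAML) and reports privileged mode together with a few closely related host-breakout settings (dangerous cap_add entries, host PID/network namespaces, a mounted Docker socket), which goes beyond the single flag the writeup found. The sample compose data, image tag and capability list are constructed for the example.

```python
"""Audit a docker-compose definition for privileged-container settings.

Added example (not from the writeup, GitLab or DeepCE). The compose file is
assumed to have been loaded into a dict already, e.g. with yaml.safe_load();
the sample below is constructed to resemble the kind of file found under
/opt/backup in the writeup.
"""
from typing import Dict, List

# Constructed sample: what yaml.safe_load() would return for a compose file
# that starts a GitLab container in privileged mode (values are made up).
SAMPLE_COMPOSE = {
    "version": "3",
    "services": {
        "web": {
            "image": "gitlab/gitlab-ce:11.4.7-ce.0",
            "privileged": True,  # the finding from the writeup
            "ports": ["5080:80", "22:22"],
            "volumes": ["/srv/gitlab/config:/etc/gitlab"],
        },
        "db": {
            "image": "postgres:11",
            "privileged": False,
        },
    },
}

# Capabilities that on their own give a container a path to the host (assumed list).
DANGEROUS_CAPS = {"SYS_ADMIN", "SYS_MODULE", "SYS_PTRACE", "SYS_RAWIO", "ALL"}


def _cap_name(cap: object) -> str:
    """Normalise 'cap_sys_admin' / 'SYS_ADMIN' to 'SYS_ADMIN'."""
    c = str(cap).upper()
    return c[4:] if c.startswith("CAP_") else c


def audit_compose(compose: dict) -> Dict[str, List[str]]:
    """Return {service_name: [findings]} for every service with a risky setting.

    Services with no findings are omitted, so an empty dict means "clean".
    """
    findings: Dict[str, List[str]] = {}
    for name, svc in (compose.get("services") or {}).items():
        issues = []
        if svc.get("privileged") is True:
            issues.append("privileged: true (full host device/capability access)")
        caps = {_cap_name(c) for c in svc.get("cap_add") or []}
        for cap in sorted(caps & DANGEROUS_CAPS):
            issues.append(f"cap_add grants {cap}")
        if svc.get("pid") == "host":
            issues.append("pid: host (shares the host PID namespace)")
        if svc.get("network_mode") == "host":
            issues.append("network_mode: host")
        for vol in svc.get("volumes") or []:
            # Short syntax is "host:container[:opts]"; long syntax is a mapping.
            src = vol.split(":", 1)[0] if isinstance(vol, str) else str(vol.get("source") or "")
            if src.rstrip("/") == "/var/run/docker.sock":
                issues.append("mounts the Docker socket (equivalent to root on the host)")
        if issues:
            findings[name] = issues
    return findings


def hardened(svc: dict) -> dict:
    """Return a copy of a service definition with the privileged flag removed.

    Only the single setting the writeup flagged is dropped, so the caller can
    diff the original and hardened definitions.
    """
    fixed = dict(svc)
    fixed.pop("privileged", None)
    return fixed


if __name__ == "__main__":
    for service, issues in audit_compose(SAMPLE_COMPOSE).items():
        print(f"[!] service '{service}':")
        for issue in issues:
            print(f"      - {issue}")
```

Run on the constructed sample it reports only the web service; running it again on hardened() output reports nothing, which is the check to put in a CI step before a compose file reaches a host.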
Looking for passwords in the other files, we find an SMTP password.
Using this password for the root user on the container, we get root on the container.
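The underlying problem here is a live credential sitting in a world-readable backup and being reused for a privileged account. The following script is an added example, not code from the writeup: it scans backup files in the style of GitLab's omnibus gitlab.rb (Ruby-like `key['name'] = "value"` assignments) and plain KEY=value files for keys that look like credentials, skips commented-out lines and placeholder values, and reports each hit with the value redacted so the report itself does not leak it. The file contents, key names and secret values are constructed for the example.

```python
"""Scan configuration backups for hard-coded credentials.

Added example, not part of the writeup. It assumes gitlab.rb-style and
.env-style files; the sample text below is constructed and every secret in
it is made up.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample backups: one gitlab.rb-style file, one .env-style file.
SAMPLE_FILES: Dict[str, str] = {
    "gitlab.rb": "\n".join([
        "# gitlab_rails['smtp_enable'] = true",
        "gitlab_rails['smtp_address'] = \"smtp.example.test\"",
        "gitlab_rails['smtp_user_name'] = \"gitlab\"",
        "gitlab_rails['smtp_password'] = \"Hunter2-example-only\"",  # constructed
        "gitlab_rails['smtp_domain'] = \"example.test\"",
        "# gitlab_rails['db_password'] = \"changeme\"",
    ]),
    "app.env": "\n".join([
        "DB_HOST=db",
        "DB_PASSWORD=",                      # empty: not a finding
        "API_TOKEN=<redacted>",              # placeholder: not a finding
        "SESSION_SECRET=s3ss10n-example",    # constructed
    ]),
}

# Key names worth flagging, matched case-insensitively against the key only.
SECRET_KEY = re.compile(r"(password|passwd|secret|token|private_key)", re.I)

# One pattern for both styles: a key such as gitlab_rails['smtp_password']
# or a bare KEY, then "=", then an optionally quoted value.
ASSIGNMENT = re.compile(
    r"""^\s*(?P<key>[A-Za-z_][\w\[\]'".-]*?)\s*=\s*(?P<q>["']?)(?P<val>[^"'\n]*)(?P=q)\s*$"""
)

# Values that are not real credentials and should not be reported.
PLACEHOLDERS = {"", "changeme", "<redacted>", "xxx", "***", "null", "none"}


def redact(value: str) -> str:
    """Keep only the first two characters so the report is not itself a leak."""
    return value[:2] + "*" * max(len(value) - 2, 0)


def scan_text(name: str, text: str) -> List[Tuple[str, int, str, str]]:
    """Return (file, line_no, key, redacted_value) for each live credential."""
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):  # commented-out lines are not live config
            continue
        m = ASSIGNMENT.match(line)
        if not m:
            continue
        key, val = m.group("key"), m.group("val").strip()
        if not SECRET_KEY.search(key):
            continue
        if val.lower() in PLACEHOLDERS:
            continue
        hits.append((name, no, key, redact(val)))
    return hits


def scan_files(files: Dict[str, str]) -> List[Tuple[str, int, str, str]]:
    """Scan a {filename: contents} mapping, e.g. built with os.walk over a backup dir."""
    out = []
    for name, text in files.items():
        out.extend(scan_text(name, text))
    return out


if __name__ == "__main__":
    for f, no, key, val in scan_files(SAMPLE_FILES):
        print(f"{f}:{no}: {key} = {val}")
```

Each hit is a credential to rotate; if the same value is also accepted as a local account password, as it was on this box, that account's password needs to change as well.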
Now we run the DeepCE Docker script to exploit the privileged Docker container.
Now we connect to our new user through SSH.
We got in as a user with root privileges, as we can confirm.
We have our root flag too.