Hi. I’m Rahmos. Here is my Ready — HackTheBox — Writeup. Check it out!
First, deploy the machine and run nmap to find the open ports:
nmap -A -T4 -p- -v <ip>
OK, so there are 2 open ports: 22 (SSH) and 5080 (HTTP).
Let’s access the website:
It’s a GitLab site. Using dirbuster to find hidden directories, I found these:
After going through all of these directories, I found 2 potential users: world and test.
Moreover, when I accessed /help I found out that the GitLab version is very old. The newest version (as of now) is 13.8.
So I went ahead and searched for CVEs, and found this RCE exploit on GitHub, written in Python 3. Download the exploit code and run it!
The white box is your OpenVPN IP. Following the instructions, I got the reverse shell!
2/ User Flag
Getting the user flag is quite easy. cd to /home and you’ll see a user named “dude”. cd to his home directory and get the user flag:
3/ Root Flag
After transferring the LinEnum script to the machine and running it, I learned that the user git is inside a Docker container. Which means I need to escape from it!
There are 2 ways to get root.
The 1st way: you can follow the instructions here and get the root flag!
The 2nd way, which I consider easier:
First, check whether /.dockerenv exists; if it does, you’re inside a Docker container. After that, run cat /proc/cmdline to get the UUID of the host’s hard disk, then mount that disk by its UUID at /tmp/mntpoint, a temporary mount point. Finally, chroot into this mount point and you’ll be root!
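The escape above only works because the container was allowed to see and mount the host disk. As an added defensive example (not part of the original writeup), the function below audits docker inspect-style container records and flags the settings that make that possible; the sample records are constructed, and the assumption is that only the HostConfig and Mounts fields relevant to host-disk access are shown.

```python
import json

# Constructed sample in the shape of `docker inspect` output (assumption: only the
# HostConfig and Mounts fields relevant to host-disk access are included).
SAMPLE_INSPECT = json.dumps([
    {"Name": "/gitlab",
     "HostConfig": {"Privileged": True, "CapAdd": None, "Devices": []},
     "Mounts": [{"Type": "bind", "Source": "/srv/gitlab", "Destination": "/var/opt/gitlab"}]},
    {"Name": "/web",
     "HostConfig": {"Privileged": False, "CapAdd": ["SYS_ADMIN"],
                    "Devices": [{"PathOnHost": "/dev/sda", "PathInContainer": "/dev/sda",
                                 "CgroupPermissions": "rwm"}]},
     "Mounts": []},
    {"Name": "/worker",
     "HostConfig": {"Privileged": False, "CapAdd": None, "Devices": []},
     "Mounts": [{"Type": "bind", "Source": "/", "Destination": "/host"}]},
    {"Name": "/clean",
     "HostConfig": {"Privileged": False, "CapAdd": None, "Devices": []},
     "Mounts": [{"Type": "volume", "Source": "/var/lib/docker/volumes/v1/_data",
                 "Destination": "/data"}]},
])

# Capabilities that let a process inside the container mount host devices or
# otherwise reach outside its own filesystem namespace.
ESCAPE_CAPS = {"SYS_ADMIN", "SYS_MODULE", "DAC_READ_SEARCH", "ALL"}
HOST_ROOT_PATHS = {"/", "/etc", "/root", "/proc", "/sys", "/dev"}

def audit_containers(inspect_json):
    """Return {container_name: [findings]} for configs that expose the host disk."""
    findings = {}
    for c in json.loads(inspect_json):
        hc = c.get("HostConfig", {})
        issues = []
        if hc.get("Privileged"):
            issues.append("privileged: all host block devices visible in /dev")
        for cap in hc.get("CapAdd") or []:
            name = cap.upper()
            name = name[4:] if name.startswith("CAP_") else name
            if name in ESCAPE_CAPS:
                issues.append(f"cap_add {cap}: mount(2) of host devices allowed")
        for dev in hc.get("Devices") or []:
            issues.append(f"host device {dev.get('PathOnHost')} passed through")
        for m in c.get("Mounts", []):
            if m.get("Type") == "bind" and m.get("Source") in HOST_ROOT_PATHS:
                issues.append(f"bind mount of host {m['Source']} at {m['Destination']}")
        if issues:
            findings[c["Name"].lstrip("/")] = issues
    return findings
```

On a real host, feed it the JSON from `docker inspect $(docker ps -q)` instead of the constructed sample; any container it reports should be rebuilt without the flagged setting.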