Ready — HackTheBox — Writeup

Hi. I’m Rahmos. Here is my Ready — HackTheBox — Writeup. Check it out!

1/ Enumeration

First, deploy the machine and scan for open ports with nmap:

nmap -A -T4 -p- -v <ip>

OK, so there are 2 open ports: 22 (SSH) and 5080 (HTTP).

Let’s access the website:

It’s a GitLab website. Using dirbuster to find hidden directories, I found these:

After going through all these directories, I found 2 potential users: world and test.

Moreover, by accessing /help I found out that the version of GitLab is very old. The newest version (up to now) is 13.8.

So I went ahead and searched for a CVE and found this RCE exploit on GitHub, written in Python 3. Download the exploit code and run it!

The white box is your OpenVPN IP. After following the instructions, I got the reverse shell!

2/ User Flag

Getting the user flag is quite easy. cd to /home, where I saw a user named “dude”, then cd to his home directory and get the user flag:

3/ Root Flag

After transferring the LinEnum script to the machine and running it, I learned that the user git is inside a Docker container, which means I need to escape from it!

There are 2 ways to get root.

The 1st way: you can follow the instructions here and get the root flag!

The 2nd way, which I consider easier:

First, check whether .dockerenv exists; if it does, you’re in a Docker container. After that, run cat /proc/cmdline to get the UUID of the hard disk, then mount uuid /tmp/mntpoint to mount the hard disk to a temporary mount point, which is /tmp/mntpoint. Finally, chroot to this mount point and you’ll be root!
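The second route only works when the container can reach the host's block devices and is allowed to call mount, so the defensive check is to audit how containers are started. The following is an added example, not part of the original writeup: it assumes `docker inspect` JSON as input, and the container names and sample data are constructed.

```python
import json

# Capabilities that let a process inside the container call mount(2).
RISKY_CAPS = {"SYS_ADMIN", "ALL"}

def audit_container(entry):
    """Return findings for one entry of `docker inspect` output."""
    host_cfg = entry.get("HostConfig") or {}
    findings = []
    if host_cfg.get("Privileged"):
        findings.append("privileged: host devices exposed, all capabilities granted")
    for cap in host_cfg.get("CapAdd") or []:
        name = cap.upper()
        if name.startswith("CAP_"):
            name = name[4:]
        if name in RISKY_CAPS:
            findings.append(f"cap_add {name}")
    for dev in host_cfg.get("Devices") or []:
        findings.append(f"host device mapped: {dev.get('PathOnHost')}")
    for bind in host_cfg.get("Binds") or []:
        src = bind.split(":", 1)[0]
        if src in ("/", "/dev") or src.startswith("/dev/"):
            findings.append(f"host path bind-mounted: {src}")
    return findings

def audit(inspect_json):
    """Map container name -> findings, only for containers with findings."""
    report = {}
    for entry in json.loads(inspect_json):
        findings = audit_container(entry)
        if findings:
            report[entry.get("Name", "<unnamed>")] = findings
    return report

# Constructed sample shaped like `docker inspect` output (not taken from the box).
SAMPLE = json.dumps([
    {"Name": "/gitlab-demo", "HostConfig": {"Privileged": True, "CapAdd": None,
        "Devices": [], "Binds": ["/srv/gitlab:/etc/gitlab"]}},
    {"Name": "/ci-runner", "HostConfig": {"Privileged": False, "CapAdd": ["SYS_ADMIN"],
        "Devices": [{"PathOnHost": "/dev/sda2", "PathInContainer": "/dev/sda2",
                     "CgroupPermissions": "rwm"}], "Binds": None}},
    {"Name": "/web", "HostConfig": {"Privileged": False, "CapAdd": [], "Devices": [],
        "Binds": ["/srv/www:/usr/share/nginx/html:ro"]}},
])

if __name__ == "__main__":
    for name, findings in audit(SAMPLE).items():
        print(name, "->", "; ".join(findings))
```

Any container this flags should be rebuilt without the privileged flag, extra capabilities or host device mappings unless there is a documented need for them.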

The end.

HAPPY HACKING

I’m Groot