HackTheBox Ready Writeup

Anjas
MII Cyber Security Consulting Services
Apr 1, 2022

Hello, I want to share how I solved the HackTheBox Ready machine. This box needs a bit more research and analysis, and it is fun.

As usual, the first step is an nmap scan: “nmap 10.10.10.220 -sV -sC --script=vuln -O -oN detail.txt”. This runs the simple vuln scripts against the common ports and writes the output to detail.txt. The scan shows port 22 (SSH) and port 5080 (HTTP, running on nginx) open.

I registered a user named asd, as shown above, and found that the GitLab version is 11.4.7. I then found an exploit for that version at https://www.exploit-db.com/exploits/49334. After analyzing the Python file, I saw that it is a reverse shell, so I listened on my local machine with the command “nc -nlvp 1234”, which listens on port 1234.

Then I ran the payload. It creates a project in our GitLab account and then gives a connection back to our local machine, as shown below.

Then I got user.txt. Luckily, I could read the file because we are in the same group.

Next I tried creating a new SSH public key on my local machine and copying it to the box in the /var/opt/gitlab/.ssh directory, but I still couldn't get access through SSH without a password.

Then I realized that this is a Docker container.

Then I found an interesting file, /opt/backup/gitlab.rb. I grepped it for lines containing the word password and found smtp_password, then logged in as root using that password. I couldn't find root.txt, though, and I struggled. After more research, I found that privilege escalation from a Docker container is possible, as described at https://betterprogramming.pub/escaping-docker-privileged-containers-a7ae7d17f5a1?gi=22eeaf6c1d60

Then I made a tmp file and mounted on their local box, and then we got root.txt.
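The smtp_password in /opt/backup/gitlab.rb worked as the root password, so a defender would want to catch literal and reused secrets in such backups before they are left readable. The following is an added example, not part of the original writeup or of GitLab: the function name, the keyword list and the sample file contents are constructed for illustration.

```python
import re

# Setting names that usually hold credentials (assumed keyword list).
SENSITIVE = re.compile(r"(password|passwd|secret|token|api_key)", re.I)
# Matches gitlab.rb assignments such as: gitlab_rails['smtp_password'] = "value"
ASSIGN = re.compile(r"""^\s*(\w+)\[['"](\w+)['"]\]\s*=\s*(.*)$""")
# A quoted literal, optionally followed by a trailing comment.
LITERAL = re.compile(r"""^(['"])((?:(?!\1).)*)\1\s*(?:#.*)?$""")

# Constructed sample; the values are placeholders, not taken from the box.
SAMPLE = '''\
# gitlab_rails['smtp_password'] = "smtp-password"
gitlab_rails['smtp_enable'] = true
gitlab_rails['smtp_password'] = "CONSTRUCTED-example-1"
gitlab_rails['db_password'] = ENV['GITLAB_DB_PASSWORD']
gitlab_rails['initial_root_password'] = "CONSTRUCTED-example-1"  # reused
'''

def audit_gitlab_rb(text):
    """Return findings for active settings that embed a literal secret."""
    findings = []
    seen = {}  # literal value -> first key that used it, to spot reuse
    for lineno, line in enumerate(text.splitlines(), 1):
        if line.lstrip().startswith("#"):
            continue  # commented-out template defaults are not active
        m = ASSIGN.match(line)
        if not m or not SENSITIVE.search(m.group(2)):
            continue
        lit = LITERAL.match(m.group(3).strip())
        if not lit or not lit.group(2):
            continue  # value comes from ENV[...] or similar, or is empty
        value = lit.group(2)
        key = f"{m.group(1)}['{m.group(2)}']"
        findings.append({
            "line": lineno,
            "key": key,
            "length": len(value),              # never echo the secret itself
            "reused_from": seen.get(value),    # earlier key with same value
        })
        seen.setdefault(value, key)
    return findings

if __name__ == "__main__":
    for f in audit_gitlab_rb(SAMPLE):
        print(f)
```

Any finding means the secret should be rotated and moved out of the file, and a non-empty reused_from means one leaked backup exposes more than one account.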
