Ready machine is a vulnerable machine with Linux operating system among retired machines. It is expected to obtain user and root flags by exploiting these vulnerabilities.
To recognize the target machine, we perform a network scan with nmap.
Full Port Scan
As a result of the network scan, 22/tcp ssh OpenSSH 8.2p1, 5080/tcp http nginx ports are open.
When there is no vulnerability on the ssh port, we continue to enumerate the 5080/tcp port.
On port 5080, gitlab service is provided. Here we looked through wepanalyzer and developer mode and we did not find any findings.
We registered a user in the registr field and logged in.
Let’s see if there’s an exploit for the older version here.
After googling it, it seemed that this exploit code on github would work
Download with git clone
When we ran the exploit code, it told us to listen to the port, we listened to the port and we were able to get the shell
When we don’t have root access, we provide local enumeration with the linpeas.sh tool.
Backup directories are always interesting, after reading the file mentioned let’s look at the files under this directory
The content of the Gitlab.rb file is very long, so let’s try to simplify it
gitlab_rails[‘smtp_password’] = “wW59U!ZKMbG9+*#h”
and using this password, we have root privileges.
But we couldn’t find the root.txt file 🙂
We know that docker is running here, let’s look at the pertionas received and try to mount it.
Let’s mount it as Loop6 and look at its content
We enter the root directory and see our root flag.