Summary
Ready, a Linux box created by user bertolis, was a medium-difficulty box.
The initial foothold was a GitLab instance running an old version, 11.4.7, which had SSRF and CRLF issues; combining them with Redis and the GitLab workers gives us RCE.
After we get a shell, we find a backup in /opt that contains a gitlab.rb file. Reading that file with the comments stripped out, we find an SMTP password.
Checking whether it was used somewhere else lets us escalate to root.
But as we are still inside the GitLab Docker container, we have to escape the container.
In the same backup folder we find a docker-compose file showing that the container is running with the privileged flag. Googling around, we find a way to escape the container.
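
A defender-side check for the two misconfigurations this summary turns on (a plaintext secret left in a backed-up gitlab.rb and a compose service running privileged), as an added example that is not part of the original writeup. The sample file contents are constructed, the function names are hypothetical, and `gitlab_rails['smtp_password']` is assumed to be the setting involved (the page only says "SMTP password").

```python
import re

# Constructed sample inputs (not the box's real files); the setting name is an assumption.
SAMPLE_GITLAB_RB = """\
# gitlab_rails['smtp_enable'] = true
# gitlab_rails['smtp_password'] = "commented-out-default"

gitlab_rails['smtp_password'] = "CONSTRUCTED-EXAMPLE-VALUE"
"""
SAMPLE_COMPOSE = """\
services:
  web:
    image: 'example/gitlab:placeholder'
    privileged: true
"""

ASSIGNMENT = re.compile(r"^\s*(?P<key>[^#\s][^=]*?)\s*=\s*(?P<val>.+?)\s*$")
SECRET_KEY = re.compile(r"password|secret|token", re.I)
PRIVILEGED = re.compile(r"privileged:\s*['\"]?(true|yes|on)['\"]?", re.I)

def plaintext_secrets(config_text):
    """Return (line number, key) for uncommented secret-like settings; values are never echoed."""
    hits = []
    for lineno, line in enumerate(config_text.splitlines(), 1):
        m = ASSIGNMENT.match(line)  # comment lines start with '#' and do not match
        if m and SECRET_KEY.search(m.group("key")) and m.group("val").strip("'\""):
            hits.append((lineno, m.group("key")))
    return hits

def privileged_services(compose_text):
    """Line-based scan (no YAML library): names of services that set privileged: true."""
    found, current, in_services, svc_indent = [], None, False, None
    for raw in compose_text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip())
        if indent == 0:  # top-level key: track whether we are inside services:
            in_services, svc_indent, current = line.strip() == "services:", None, None
        elif in_services:
            svc_indent = indent if svc_indent is None else svc_indent
            if indent == svc_indent and line.endswith(":"):
                current = line.strip()[:-1]
            elif current and PRIVILEGED.fullmatch(line.strip()):
                found.append(current)
    return found

if __name__ == "__main__":
    print(plaintext_secrets(SAMPLE_GITLAB_RB), privileged_services(SAMPLE_COMPOSE))
```

Any hit from the first function is a credential to rotate and check for reuse on other accounts; any hit from the second is a container whose isolation from the host should not be relied on.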