Hackthebox - Ready

Summary

Ready, a Linux box created by user bertolis, was a medium difficulty box.
Initial foothold was finding a GitLab instance running an old version, 11.4.7, which had an SSRF and a CRLF injection issue; combining them with Redis and the GitLab workers we can get RCE.
After we get a shell we find a backup in /opt which contains a gitlab.rb file; checking that file with the comments stripped we find an SMTP password.
Trying to see if it was reused somewhere else, we can escalate to root.
But as we are still in the GitLab docker container, we had to escape the container.
In the same backup folder we find a docker-compose file which shows that the container is running with the privileged flag; Googling around we find a way to escape the container.

Hackthebox - Monitors

Summary

Monitors was a hard difficulty Linux box created by TheCyberGeek. Initial foothold on the box was finding a vulnerable WordPress plugin with an LFI, using which we can read file descriptors and the Apache logs. From the logs we get a new subdomain (Host) on the box for Cacti. Also using the LFI we can read wp-config.php, which contained credentials. Spraying those credentials we find they are the admin credentials for Cacti. Checking the version for exploits, we find that this version of Cacti is vulnerable to an SQLi which can be converted to RCE, using which we get a shell on the box as www-data. Enumerating the box we find a service in the crontab; following that we find credentials for the user of the box. Enumerating the box as user marcus we see a notes.txt in his home directory. Following that hint we find a weird local-only service running. Port forwarding that service we discover it is Apache OFBiz. Trying an msf module for it gives us a root shell in a docker container. Enumerating that we see we have the CAP_SYS_MODULE capability, and following the HackTricks docker escape we can get a root shell on the box.

Hackthebox - Bucket

Summary

Bucket, a Linux box created by HackTheBox user MrR3boot, was an overall medium difficulty box. Initial foothold was finding credentials in DynamoDB and using those credentials with the AWS S3 CLI; then we upload a PHP shell and get a shell as www-data, and using another credential we get roy (user). For privilege escalation we find another internal service running on port 8000, and checking the code we see it is using pd4ml to convert HTML to PDF. So we can inject and attach some files and download the result.pdf; using that we can download root's id_rsa, with which we can ssh in, and we have pwned the box.

Hackthebox - Laboratory

Summary

Laboratory was an easy box created by HackTheBox user 0xc45.
Initial foothold was finding a CVE for GitLab which gave us arbitrary file read. Later, checking the HackerOne thread for this issue, we find that it can be converted to an RCE, using which we get the initial shell in a docker container as git.
Enumerating the box I decided to take a gitlab-backup and saw it contained a securedocker repository.
Extracting that we get the user's SSH key and get a user shell. Enumerating the box again as dexter we see an interesting SUID binary, docker-security.
So I ran ltrace to see what it is doing and saw it was using chmod without an absolute path. So using PATH hijacking we get a shell as root.

Hackthebox - Time

Summary

Time, a Linux box created by HackTheBox users egotisticalSW & felamos, was a medium difficulty box. Initial foothold was finding and exploiting a CVE in fasterxml.jackson, and using that we get a shell as pericles, who was the user of the box, and we can grab user.txt. Running LinPEAS we find timer_backup.sh; editing that we can get code execution as root.
