# Ready ~ Hack The Box

* * *

### Prerequisite

![Ready ~ Hack The Box](https://cdn.hashnode.com/res/hashnode/image/upload/v1680985535868/653c8fdf-a074-4d32-a0f6-35eaceb83171.jpeg)

To make life easier, I usually add an entry to my hosts file so the target machine can be reached by name.

    echo "10.10.10.220	ready.htb" >> /etc/hosts

hosts file entry

![Ready ~ Hack The Box](https://cdn.hashnode.com/res/hashnode/image/upload/v1680985536955/36fe597d-3284-47ae-8eaf-0e92db217795.png)

Okay now onto the hacking!

* * *

### Reconnaissance

As always, I started off with an NMAP scan against the machine.

    nmap -Pn -sC -sV -oN initial ready.htb

    Nmap scan report for ready.htb (10.10.10.220)
    Host is up (0.0078s latency).
    Not shown: 998 closed ports
    PORT     STATE SERVICE VERSION
    22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
    | ssh-hostkey: 
    |   3072 48:ad:d5:b8:3a:9f:bc:be:f7:e8:20:1e:f6:bf:de:ae (RSA)
    |   256 b7:89:6c:0b:20:ed:49:b2:c1:86:7c:29:92:74:1c:1f (ECDSA)
    |_  256 18:cd:9d:08:a6:21:a8:b8:b6:f7:9f:8d:40:51:54:fb (ED25519)
    5080/tcp open  http    nginx
    | http-robots.txt: 53 disallowed entries (15 shown)
    | / /autocomplete/users /search /api /admin /profile 
    | /dashboard /projects/new /groups/new /groups/*/edit /users /help 
    |_/s/ /snippets/new /snippets/*/edit
    | http-title: Sign in \xC2\xB7 GitLab
    |_Requested resource was http://ready.htb:5080/users/sign_in
    |_http-trane-info: Problem with XML parsing of /evox/about
    Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
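As an added example (my own code, not part of the original write-up), here is a small Python parser for the `-oN` output above. It turns the port table and the NSE script header lines into records and then lists what an exposure review of the same scan would flag: version banners disclosed to the network, a robots.txt that enumerates application paths, and a GitLab sign-in page reachable without authentication. The scan text is embedded as a constructed copy of the output shown above so the script runs offline; the function names are mine.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: a copy of the nmap -oN output shown above, embedded so the
# parser runs offline (no scan is performed here).
SAMPLE_SCAN = r"""Nmap scan report for ready.htb (10.10.10.220)
Host is up (0.0078s latency).
Not shown: 998 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 48:ad:d5:b8:3a:9f:bc:be:f7:e8:20:1e:f6:bf:de:ae (RSA)
|_  256 18:cd:9d:08:a6:21:a8:b8:b6:f7:9f:8d:40:51:54:fb (ED25519)
5080/tcp open  http    nginx
| http-robots.txt: 53 disallowed entries (15 shown)
| / /autocomplete/users /search /api /admin /profile
|_/s/ /snippets/new /snippets/*/edit
| http-title: Sign in \xC2\xB7 GitLab
|_Requested resource was http://ready.htb:5080/users/sign_in
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
"""

HOST_RE = re.compile(r"^Nmap scan report for (.+)$")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
# NSE script header: "| name: value" or "|_name: value". Continuation lines
# such as "|   3072 48:ad..." or "|_/s/ ..." deliberately do not match.
SCRIPT_RE = re.compile(r"^\|_?\s*([\w.-]+):\s*(.*)$")


@dataclass
class Service:
    port: int
    proto: str
    state: str
    name: str
    version: str
    scripts: dict = field(default_factory=dict)


def parse_nmap(text):
    """Parse nmap 'normal' (-oN) output into (host, [Service, ...])."""
    host = None
    services = []
    current = None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            host = m.group(1)
            continue
        m = PORT_RE.match(line)
        if m:
            current = Service(int(m.group(1)), m.group(2), m.group(3),
                              m.group(4), m.group(5).strip())
            services.append(current)
            continue
        m = SCRIPT_RE.match(line)
        if m and current is not None:
            # Script results belong to the most recent port line.
            current.scripts[m.group(1)] = m.group(2).strip()
    return host, services


def review(services):
    """List what an exposure review of the parsed services would flag."""
    findings = []
    for s in services:
        if s.state != "open":
            continue
        if s.version:
            findings.append(f"{s.port}/{s.proto} {s.name}: version banner disclosed ({s.version})")
        if "http-robots.txt" in s.scripts:
            findings.append(f"{s.port}/{s.proto}: robots.txt enumerates application paths")
        if "GitLab" in s.scripts.get("http-title", ""):
            findings.append(f"{s.port}/{s.proto}: GitLab sign-in page reachable from the network")
    return findings


if __name__ == "__main__":
    host, services = parse_nmap(SAMPLE_SCAN)
    print(f"host: {host}")
    for f in review(services):
        print(" -", f)
```

Feed it a real `-oN` file by replacing `SAMPLE_SCAN` with the file's contents; the script-header regex is intentionally strict so that multi-line NSE output (host keys, robots entries) is attached to the right port without being misread as new keys.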

### Scanning & Enumeration

The scan showed that port 5080 was running a web server (nginx). This was the web app being served!

![Ready ~ Hack The Box](https://cdn.hashnode.com/res/hashnode/image/upload/v1680985538229/f69e58b3-d01c-4970-a097-4f3ddb0d4b02.png)

After registering for an account, I headed to the help page, which gave away the version of GitLab that was being used.

![Ready ~ Hack The Box](https://cdn.hashnode.com/res/hashnode/image/upload/v1680985539481/d38321ca-bd06-4e43-9f33-70e9e62c2c0b.png)

A couple of Google searches revealed that there was a public RCE exploit available for this version of GitLab.

### Exploitation

I made use of [this](https://github.com/dotPY-hax/gitlab_RCE) script to exploit the vulnerability uncovered in the previous stage.

![Ready ~ Hack The Box](https://cdn.hashnode.com/res/hashnode/image/upload/v1680985540627/a0962d23-f584-4edf-bf74-1227fdeb5289.png)

![Ready ~ Hack The Box](https://cdn.hashnode.com/res/hashnode/image/upload/v1680985541683/1d62005d-fc77-4052-8746-8fee06e65c32.png)

![Ready ~ Hack The Box](https://cdn.hashnode.com/res/hashnode/image/upload/v1680985542789/31c44b2e-647b-4c06-8f7b-6b238d3d265b.png)

### Lateral Movement

Getting the user flag was as straightforward as heading into the only other user's directory and reading the file.

![Ready ~ Hack The Box](https://cdn.hashnode.com/res/hashnode/image/upload/v1680985543819/817a4741-a554-4d62-bf09-91edef5b81c8.png)

![Ready ~ Hack The Box](https://cdn.hashnode.com/res/hashnode/image/upload/v1680985544896/84a23f53-6a45-4773-a3f2-95287015ae72.png)

### Privilege Escalation

This was the most frustrating section for me. I spent so much time looking for ways to get root. But the session I was in turned out to be a Docker container. I had some experience with escaping Docker containers, but I had to be root on the machine first.

After enumerating the machine for a while, I ran the following command in various directories to look for any possible passwords.

    cat * | grep -e 'root\|password'

![Ready ~ Hack The Box](https://cdn.hashnode.com/res/hashnode/image/upload/v1680985546460/0ae085d8-be67-461a-afd1-31874b47ab57.png)

![Ready ~ Hack The Box](https://cdn.hashnode.com/res/hashnode/image/upload/v1680985547523/ca5fc117-09be-4e88-9e13-f2e68cbf718b.png)

Eventually, I was able to get the root user's password. However, there were no files in the root directory, as this was a container. Thus, I executed a simple container escape!

I first ran `fdisk -l` to find out all the possible partitions the machine had.

![Ready ~ Hack The Box](https://cdn.hashnode.com/res/hashnode/image/upload/v1680985548506/e044b0b7-b072-44e1-84ad-f8166f9da7c5.png)

This revealed that the Linux filesystem was on `/dev/sda2`. Thus, I mounted that whole partition onto a directory that I created in the container. After that, I read the root flag and finished the box!
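The escape worked because the container could see the host's disk as a block device and had enough privilege to mount it; a default Docker container gets neither. The write-up does not say how the container was started, so the following added example (my own code, not from the box or the write-up) assumes the usual causes and shows the check a defender would run over `docker inspect`-style JSON: it flags privileged containers, dangerous added capabilities, device passthrough, the host PID namespace, and bind mounts of host paths or the Docker socket. The three container records are constructed sample data; their names, paths and settings are invented.

```python
import json

# Constructed sample shaped like `docker inspect` output (three made-up containers).
# Names, paths and settings are invented for this example, not taken from the box.
SAMPLE_INSPECT = json.dumps([
    {
        "Name": "/gitlab",
        "HostConfig": {
            "Privileged": True,            # the setting that makes host /dev/sda* visible
            "CapAdd": None,
            "Devices": [],
            "PidMode": "",
            "SecurityOpt": None,
        },
        "Mounts": [
            {"Type": "bind", "Source": "/srv/gitlab/data", "Destination": "/var/opt/gitlab"},
        ],
    },
    {
        "Name": "/ci-runner",
        "HostConfig": {
            "Privileged": False,
            "CapAdd": ["SYS_ADMIN"],
            "Devices": [{"PathOnHost": "/dev/sda", "PathInContainer": "/dev/sda",
                         "CgroupPermissions": "rwm"}],
            "PidMode": "",
            "SecurityOpt": ["no-new-privileges:true"],
        },
        "Mounts": [
            {"Type": "bind", "Source": "/var/run/docker.sock", "Destination": "/var/run/docker.sock"},
        ],
    },
    {
        "Name": "/web",
        "HostConfig": {"Privileged": False, "CapAdd": None, "Devices": [],
                       "PidMode": "", "SecurityOpt": ["no-new-privileges:true"]},
        "Mounts": [{"Type": "volume", "Source": "webdata", "Destination": "/data"}],
    },
])

# Capabilities that, added to a container, let root inside it mount devices,
# load kernel modules, trace host processes or read arbitrary host files.
RISKY_CAPS = {"SYS_ADMIN", "SYS_MODULE", "SYS_PTRACE", "SYS_RAWIO", "DAC_READ_SEARCH"}
# Host paths whose bind mount hands the container the host filesystem or the Docker API.
RISKY_HOST_PATHS = {"/", "/dev", "/proc", "/sys", "/etc", "/var/run/docker.sock", "/run/docker.sock"}


def _bare_cap(cap):
    """Normalise 'cap_sys_admin' / 'CAP_SYS_ADMIN' / 'SYS_ADMIN' to 'SYS_ADMIN'."""
    cap = cap.upper()
    return cap[4:] if cap.startswith("CAP_") else cap


def audit_containers(inspect_json):
    """Return {container_name: [finding, ...]} for settings that would let a root
    process inside the container reach the host, as the mount-the-host-partition
    escape above did. Containers with no findings are omitted."""
    findings = {}
    for c in json.loads(inspect_json):
        name = c.get("Name", "?").lstrip("/")
        hc = c.get("HostConfig") or {}
        issues = []
        if hc.get("Privileged"):
            issues.append("privileged: every capability granted and host /dev nodes visible")
        for cap in hc.get("CapAdd") or []:
            if _bare_cap(cap) in RISKY_CAPS:
                issues.append(f"cap_add {cap}: enough to mount devices or inspect the host")
        for dev in hc.get("Devices") or []:
            issues.append(f"device passthrough {dev.get('PathOnHost')} -> {dev.get('PathInContainer')}")
        if hc.get("PidMode") == "host":
            issues.append("pid=host: host processes visible from the container")
        for m in c.get("Mounts") or []:
            src = (m.get("Source") or "").rstrip("/") or "/"
            if m.get("Type") == "bind" and src in RISKY_HOST_PATHS:
                issues.append(f"bind mount of {src}: host filesystem or Docker API reachable")
        if issues:
            findings[name] = issues
    return findings


if __name__ == "__main__":
    for name, issues in audit_containers(SAMPLE_INSPECT).items():
        print(name)
        for issue in issues:
            print("  -", issue)
```

Against a live host, pipe the output of `docker inspect $(docker ps -q)` into `audit_containers`; any container in the result can mount or read the host disk the way the write-up's container could, and is the one to fix first (drop `--privileged`, remove the capability or device, and move the bind mount to a named volume).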

![Ready ~ Hack The Box](https://cdn.hashnode.com/res/hashnode/image/upload/v1680985549577/8a64152f-93d6-43ab-a25a-99b70e77a73f.png)

Interesting box!~
