Let's start casually with our nmap scan and also check the website
In our nmap scan we don't see anything out of ordinary, so let's take a closer look at the website, we have a login system, the intercepted request in burp looks pretty "ugly"
I googled about that csrf_magic, found the script on github, but nothing vulnerable about it, but I took a close look at our login prompt
and I saw that version 1.2.22, and I googled about it and managed to find an exploit
Now let's set-up our netcat listener and run the exploit
Looks like we managed to get in the server as "www-data", tried to look for user.txt but nowhere to be found. I found some interesting script in "/" called "entrypoint.sh", we don't have execution privileges, but we still can see the contents.
Let's play around with the first mysql command, to see if we can get anything valuable from the database, the output of "show_tables" showed me one very interesting table called "user_auth"
As you can see, we have 2 hashes for 2 users, admin and marcus, I had put them both into a "hashes" file to brute force them wih john, but only marcus's hash seemed to be valid
the hash was cracked in a terms of a few seconds, the password is "funkymonkey", let's login using ssh on the user marcus
As we got the user, we move on to the privilege escalation phase
"sudo -l" doesn't output something to make us smile, but the docker version is vulnerable to
this CVE
As I didn't set anything to the docker, I move back on it, I tried to find the files i can execute from that low-privilege user
I googled a lil bit about those scripts in /bin and /sbin, and I found something interesting
here about /sbin/capsh
alright, now we're "root", I tried to cd in the root directory, it worked but nothing to be found, nor any useful hidden files, let's move back on our ssh shell with marcus and run our exploit
let's go in that directory, and execute "./bin/bash -p". Now let's get our root.txt
and we did it.
