In this post, i would like to share a walkthrough of Ready Machine.
This room has been considered difficulty rated as a MEDIUM machine
Once we have started the VPN connection, we can start the information gathering on the machine by executing the command nmap -sC -sV <IP Address> -PN
Information Gathering on Ready Machine
I have saved the output of the READY Machine into a text file so that we can read the result anytime in the future
There are multiple ports that have been open but the crucial port that caught my attention
- 22: OpenSSH 8.2p1
- 5080: nginx
We must register as anything here so that we can access the dashboard
I have registered using my nickname darknite which will lead to GitLab Dashboard
I have run gobuster on the machine by executing the command gobuster dir —url http://ready.thm:5080 -w /usr/share/dirbuster/directory-list-2.3-medium.txt —wildcard
From the result above, we notice that /help directory appears there.
We also can verify the directory from the /robots.txt
Let’s Explore the exploit using google search
The information that we required can be found using the above method
Exploiting the GitLab on the Ready Machine
We found that 49257.py can exploit the machine
Once I have modified the code based on the information that I gathered, I need to execute the exploit by using sudo python3 49257.py
We have successfully gained a simple shell on the machine. You can upgrade the shell by executing the command as shown below:
- python -c ‘import pty; pty.spawn(“/bin/bash”)’
- Control z
- Stty raw -echo; fg
- Export TERM=xterm
When we access /home/dude directory, we found the user.txt file stored over there.
We have retrieved the user.txt and inserted the flag into the hackthebox’s website
Let’s go to /opt/backup and see if there’s any suspicious file that we use later.
Let’s read the gitlab.rb and we found the username root and password which I need to hide the password
Therefore, let’s google again on the exploit that we can use over here.
Let’s go to the first link that shows Docker Breakout – HackTricks
Now, we need to copy-paste the second PoC into our machine. What we need to modify on the code are the IP and Port
After, we need to transfer the file into the target’s machine using wget functions.
To execute the exploit, we need to use chmod +x <filename> and ./<filename>
Let’s see the shell again and we are already in root@ready shell
Let’s access the /root directory in order to read the root.txt file
We need to read the root flag so that we can insert the flag in the machine
Happy Learning Guys!