In this post, I would like to share a walkthrough of the Ready machine.

This room is rated as a MEDIUM difficulty machine.

Once we have started the VPN connection, we can begin information gathering on the machine by executing the command nmap -sC -sV <IP Address> -Pn

Information Gathering on Ready Machine

I have saved the nmap output for the Ready machine into a text file so that we can read the result at any time in the future.

There are multiple open ports, but the crucial ones that caught my attention are:

  • 22: OpenSSH 8.2p1
  • 5080: nginx 

We must register an account (any username will do) so that we can access the dashboard.

I have registered using my nickname darknite, which leads to the GitLab dashboard.

I have run gobuster on the machine by executing the command gobuster dir --url http://ready.thm:5080 -w /usr/share/dirbuster/directory-list-2.3-medium.txt --wildcard

From the result above, we notice that the /help directory appears.

We can also verify the directory from /robots.txt.

Let's explore the available exploits using a Google search.

The information that we require can be found using the above method.

Exploiting the GitLab on the Ready Machine

We found that 49257.py can exploit the machine.

Once I have modified the code based on the information that I gathered, I execute the exploit with sudo python3 49257.py

We have successfully gained a simple shell on the machine. You can upgrade the shell by executing the command as shown below:

  • python -c 'import pty; pty.spawn("/bin/bash")'
  • Ctrl+Z (background the shell)
  • stty raw -echo; fg
  • export TERM=xterm

When we access the /home/dude directory, we find the user.txt file stored there.

We have retrieved user.txt and submitted the flag on the Hack The Box website.

Let's go to /opt/backup and see if there's any suspicious file that we can use later.

Let's read gitlab.rb: we find the root username and its password, which I have to hide here.
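The /opt/backup finding above is the classic failure that hands an attacker the next step: a configuration backup left on disk with a plaintext credential in it. The following is an added example written for this walkthrough, not code from the original post or from GitLab, showing how a defender can sweep a backup directory for Ruby-style config assignments whose key looks secret-bearing and whose value is non-empty. The sample gitlab.rb content and the key names in it are constructed for the example; the findings are masked so the check itself never re-leaks the value.

```python
import re
from pathlib import Path

# Constructed sample in the style of a gitlab.rb backup (not the machine's real file).
SAMPLE_BACKUP = """\
external_url 'http://gitlab.example.test:5080'
# gitlab_rails['smtp_password'] = "old-value"   # commented out: must not be reported
gitlab_rails['initial_root_password'] = "REDACTED_PLACEHOLDER"
gitlab_rails['db_password'] = ''
postgresql['sql_user_password'] = 'deadbeef'
"""

# Key names that usually hold credentials (assumed list; extend for your environment).
SECRET_KEY_RE = re.compile(r"(password|passwd|secret|token|api_key)", re.IGNORECASE)

# Matches  key = 'value'  or  key = "value"  where key may be section['name'].
ASSIGN_RE = re.compile(r"""^\s*([\w\[\]'"]+)\s*=\s*(['"])(.*?)\2\s*$""")


def mask(value: str) -> str:
    """Keep only the first two characters so a report never re-leaks the secret."""
    if len(value) <= 2:
        return "*" * len(value)
    return value[:2] + "*" * (len(value) - 2)


def find_plaintext_secrets(text: str):
    """Return (line_number, key, masked_value) for every live, non-empty secret assignment."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # blank or fully commented line: no live value here
        m = ASSIGN_RE.match(line)
        if not m:
            continue
        key, _quote, value = m.groups()
        if SECRET_KEY_RE.search(key) and value:
            findings.append((lineno, key, mask(value)))
    return findings


def scan_backup_dir(root: Path, patterns=("*.rb", "*.yml", "*.yaml", "*.conf")):
    """Walk a backup directory (e.g. /opt/backup) and report findings per file."""
    report = {}
    for pattern in patterns:
        for path in root.rglob(pattern):
            try:
                hits = find_plaintext_secrets(path.read_text(errors="replace"))
            except OSError:
                continue
            if hits:
                report[str(path)] = hits
    return report


if __name__ == "__main__":
    for lineno, key, masked in find_plaintext_secrets(SAMPLE_BACKUP):
        print(f"line {lineno}: {key} = {masked}")
```

Run against a real tree with scan_backup_dir(Path("/opt/backup")); any hit is a reason to move the backup off the host, strip the credential, and rotate it.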

Therefore, let's Google again for an exploit that we can use here.

Let's go to the first link, which is Docker Breakout – HackTricks.

Now, we need to copy-paste the second PoC onto our machine. What we need to modify in the code are the IP and port.

After that, we need to transfer the file to the target machine using wget.

To execute the exploit, we need to run chmod +x <filename> and then ./<filename>

Let's look at the shell again: we are already in a root@ready shell.

Let's access the /root directory in order to read the root.txt file.

We need to read the root flag so that we can submit it for the machine.

-THE END-

Happy Learning Guys!
