Ready HTB Writeup
Hi everyone, this is my writeup for the box “Ready” on HackTheBox.
Overview : GitLab Community Edition exploit to get a reverse shell, SMTP password in the gitlab.rb file, breaking out of the Docker container to get the root flag.
IP address of the Machine : 10.10.10.220
Part 1 : Recon
1. Starting off with an Nmap scan to get information about the open ports.
nmap -sC -sV -Pn 10.10.10.220
We get the following results from the nmap scan.
We have 2 ports open :
Port 22 : running OpenSSH 8.2p1, Port 5080 : running nginx
Part 2 : Enumeration
The webpage on port 5080 was hosting a GitLab Community Edition instance.
Let’s register an account and sign in.
After searching for exploits, I found that this version of GitLab was vulnerable to RCE.
Exploit Link : https://www.exploit-db.com/exploits/49334
Following the steps of the exploit, you will get a reverse shell.
Part 3 : Getting User Flag
Getting the user flag was quite easy: I just had to change directory and read the flag from the user dude.
Part 4 : Getting Root Flag
Now I started enumerating the box. I found some interesting files in the /opt/backup directory.
I found an SMTP password in the gitlab.rb file.
I tried using the password to switch to the root user and BOOM!!! It worked. Now I was root.
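The root cause here is a cleartext credential sitting in a backed-up gitlab.rb that was reused for a local account. As an added example (not part of the original writeup and not the box's real file), the check below parses an Omnibus-style gitlab.rb, flags uncommented settings whose names suggest a secret, and masks the values so the report itself never leaks them; the sample config and the list of secret-looking key names are constructed assumptions.

```python
import re
from typing import Dict, List

# Constructed sample of an Omnibus gitlab.rb fragment (assumption, not the box's real file).
SAMPLE_GITLAB_RB = """\
external_url 'http://gitlab.example.test'
# gitlab_rails['smtp_password'] = "commented-out-example"
gitlab_rails['smtp_enable'] = true
gitlab_rails['smtp_address'] = "smtp.example.test"
gitlab_rails['smtp_user_name'] = "gitlab"
gitlab_rails['smtp_password'] = "s3cr3t-reused-everywhere"
gitlab_rails['initial_root_password'] = ""
postgresql['enable'] = true
"""

# Key names that usually carry secrets (assumed list; extend for your deployment).
SECRET_KEY_PATTERN = re.compile(r"(password|secret|token|private_key)", re.IGNORECASE)
# Matches lines of the form  section['key'] = value  (single or double quoted key).
SETTING_PATTERN = re.compile(
    r"""^\s*(?P<section>\w+)\[['"](?P<key>[^'"]+)['"]\]\s*=\s*(?P<value>.+?)\s*$"""
)


def mask(value: str) -> str:
    """Keep only the first two characters so the report never reveals the secret."""
    return value[:2] + "*" * max(len(value) - 2, 0)


def find_cleartext_secrets(text: str) -> List[Dict[str, object]]:
    """Return live (uncommented, non-empty) secret settings found in a gitlab.rb body."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue  # commented-out defaults are not live secrets
        m = SETTING_PATTERN.match(line)
        if not m or not SECRET_KEY_PATTERN.search(m.group("key")):
            continue
        raw = m.group("value")
        # Strip matching quotes; an unquoted expression is still reported as-is.
        value = raw[1:-1] if raw[0] in "\"'" and raw[-1] == raw[0] else raw
        if not value:
            continue  # empty string: nothing stored in the clear
        findings.append({
            "line": lineno,
            "setting": f"{m.group('section')}[{m.group('key')}]",
            "masked": mask(value),
        })
    return findings


if __name__ == "__main__":
    for f in find_cleartext_secrets(SAMPLE_GITLAB_RB):
        print(f"line {f['line']}: {f['setting']} = {f['masked']}")
```

Run it against every gitlab.rb copy you keep, backups under /opt/backup included; any hit is a credential that should be moved to an external secret store and, if it was ever reused for a system account, rotated.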
But we can’t get the root flag because we are in a restricted Docker container. There are several ways to get out of a restricted Docker container. You can read about them in the articles mentioned below :
https://book.hacktricks.xyz/linux-unix/privilege-escalation/docker-breakout
https://betterprogramming.pub/escaping-docker-privileged-containers-a7ae7d17f5a1
Following the methods mentioned in the articles to break out of Docker, we get the root flag.
Thanks for reading the writeup. I hope you liked it. Any feedback or suggestions are appreciated. You can reach out to me on :
Twitter : https://twitter.com/Viren2737
LinkedIn : https://www.linkedin.com/in/viren-saroha-3391371a3/