# Leakage

## nmap

```
mkdir nmap
sudo rustscan -a 172.31.1.6 --ulimit 5000 -- -T4 -A -oA nmap/all-ports-service-scan
```

A web server is listening on port 80.

<div align="left"><img src="https://3211174753-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MhuCb52HTt9nZusE7xn%2F-MjLFE8kI5GosblizckN%2F-MjLF_X0tv5cwp4r9yOO%2Fimage.png?alt=media&#x26;token=d00c319d-859d-462a-b099-deef59b36752" alt=""></div>

Browsing to it shows a self-hosted GitLab instance.

<div align="left"><img src="https://3211174753-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MhuCb52HTt9nZusE7xn%2F-MjLFE8kI5GosblizckN%2F-MjLG06GwTQO_yklE6um%2Fimage.png?alt=media&#x26;token=f6e7449c-9f37-4e2d-8d76-6a9f6107c4bd" alt=""></div>

## Web enumeration

First, create a GitLab account and log in. Once logged in, open the projects section: there is a public repository belonging to Jonathan.

<div align="left"><img src="https://3211174753-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MhuCb52HTt9nZusE7xn%2F-MjLFE8kI5GosblizckN%2F-MjLGRhFL2kQby779ORl%2Fimage.png?alt=media&#x26;token=8d2fe341-9ba8-48c8-9e2c-dae85b2bd984" alt=""></div>

The CMS repository sounds interesting, so let's take a look and check the commit history.

<div align="left"><img src="https://3211174753-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MhuCb52HTt9nZusE7xn%2F-MjLFE8kI5GosblizckN%2F-MjLH2AKbWF-Mgro5229%2Fimage.png?alt=media&#x26;token=07e18f4d-ec3a-4e17-a1ed-8203c2708547" alt=""></div>

Click the third commit. Its diff shows credentials being removed from the code, but a commit that deletes a secret only changes the newest snapshot: the old value is still stored in the repository history and is visible to anyone who can read the project.

<div align="left"><img src="https://3211174753-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MhuCb52HTt9nZusE7xn%2F-MjLFE8kI5GosblizckN%2F-MjLHF7GOjPi1V6dl9Nu%2Fimage.png?alt=media&#x26;token=8620019e-e2cc-4df7-9c11-4050451bbe86" alt=""></div>
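To make the point behind this leak concrete, here is a small scanner that walks `git log -p` output and reports every credential-looking assignment together with the commit that added or removed it. This is an added example written for this write-up, not code from the page or from the target repository; the input is a constructed sample (the key names `SQL_LOGIN` and `SQL_PWD` are the page's, the hashes, author, dates and values are invented). On a real clone, feed it `git log -p --all` on stdin.

```python
import re
import sys
from typing import Dict, List, Tuple

# Constructed `git log -p --all` output for a repo where a developer committed
# credentials and later "removed" them. Not the real repository from the
# write-up: only the key names come from the page, everything else is invented.
SAMPLE_LOG = """\
commit 3a9f1c2d4e5b6a7f8091a2b3c4d5e6f708192a3b
Author: Jonathan <jonathan@example.com>
Date:   Mon Sep 6 10:12:00 2021 +0000

    remove credentials from config

diff --git a/config.php b/config.php
index 1111111..2222222 100644
--- a/config.php
+++ b/config.php
@@ -1,4 +1,4 @@
 <?php
-define('SQL_LOGIN', 'jonathan');
-define('SQL_PWD', 'Sup3rS3cret!');
+define('SQL_LOGIN', getenv('SQL_LOGIN'));
+define('SQL_PWD', getenv('SQL_PWD'));
 $debug = false;

commit 8b7c6d5e4f3a2b1c0d9e8f7a6b5c4d3e2f1a0b9c
Author: Jonathan <jonathan@example.com>
Date:   Sun Sep 5 18:40:00 2021 +0000

    initial commit

diff --git a/config.php b/config.php
new file mode 100644
index 0000000..1111111
--- /dev/null
+++ b/config.php
@@ -0,0 +1,4 @@
+<?php
+define('SQL_LOGIN', 'jonathan');
+define('SQL_PWD', 'Sup3rS3cret!');
+$debug = false;
"""

COMMIT_RE = re.compile(r"^commit ([0-9a-f]{7,40})\b")
DIFF_RE = re.compile(r"^diff --git a/(\S+) b/(\S+)")
# Key names that usually carry secrets; extend this list for your own hunts.
SECRET_KEY_RE = re.compile(
    r"(SQL_PWD|SQL_LOGIN|PASSWORD|PASSWD|PWD|SECRET|API_KEY|TOKEN)", re.IGNORECASE
)
# Matches  KEY = 'value'  /  "KEY": "value"  /  define('KEY', 'value')
ASSIGN_RE = re.compile(
    r"""['"]?(?P<key>[A-Za-z_][A-Za-z0-9_]*)['"]?\s*(?:=|:|,)\s*['"](?P<value>[^'"]+)['"]"""
)


def scan_git_log(log_text: str) -> List[Dict[str, str]]:
    """Report credential-looking assignments on every added (+) or removed (-)
    line of a `git log -p` dump, tagged with the short commit hash and file."""
    findings: List[Dict[str, str]] = []
    commit = path = ""
    for line in log_text.splitlines():
        m = COMMIT_RE.match(line)
        if m:
            commit = m.group(1)[:7]
            continue
        m = DIFF_RE.match(line)
        if m:
            path = m.group(2)
            continue
        # Only hunk lines count; skip the ---/+++ file headers.
        if not line or line[0] not in "+-" or line.startswith(("+++", "---")):
            continue
        status = "removed" if line[0] == "-" else "added"
        for m in ASSIGN_RE.finditer(line[1:]):
            if SECRET_KEY_RE.search(m.group("key")):
                findings.append({"commit": commit, "file": path, "key": m.group("key"),
                                 "value": m.group("value"), "status": status})
    return findings


def summarize(findings: List[Dict[str, str]]) -> Dict[Tuple[str, str], List[Tuple[str, str]]]:
    """Group by (key, value) so one secret's whole lifetime is visible:
    a later 'removed' does not make the earlier 'added' copy disappear."""
    out: Dict[Tuple[str, str], List[Tuple[str, str]]] = {}
    for f in findings:
        out.setdefault((f["key"], f["value"]), []).append((f["commit"], f["status"]))
    return out


def removed_but_recoverable(findings: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Secrets someone deleted in a commit: exactly the ones a developer
    believes are gone and an attacker can still read out of the history."""
    return sorted({(f["key"], f["value"]) for f in findings if f["status"] == "removed"})


if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    for (key, value), history in summarize(scan_git_log(text)).items():
        print(f"{key} = {value!r}: " + ", ".join(f"{c} {s}" for c, s in history))
```

Anything listed by `removed_but_recoverable` is the situation shown in the screenshot above: the fix on the attacker's side is trivial (read the old commit), the fix on the defender's side is to rotate the credential, because rewriting history on the server does not recall the clones that already exist.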

Take note of the `SQL_LOGIN` and `SQL_PWD` values for the user `jonathan`, then try the same pair on the GitLab login page: the database password is reused for his GitLab account.

![](https://3211174753-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MhuCb52HTt9nZusE7xn%2F-MjLFE8kI5GosblizckN%2F-MjLHc0KQlpBxiNBByDi%2Fimage.png?alt=media\&token=2e50d58c-47de-4138-a8f4-0838e5028abe)

Upon logging in, there's an interesting repository called `security`.

<div align="left"><img src="https://3211174753-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MhuCb52HTt9nZusE7xn%2F-MjLFE8kI5GosblizckN%2F-MjLHn9ccvQOsxv9Nq6n%2Fimage.png?alt=media&#x26;token=b179f6c4-d413-4e50-9db7-e6b0721642dd" alt=""></div>

Right off the bat you will see the shiny gold: a private SSH key named `id_rsa`. Copy it to our local machine.

<div align="left"><img src="https://3211174753-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MhuCb52HTt9nZusE7xn%2F-MjLFE8kI5GosblizckN%2F-MjLI9hHHnNF2vfuko_6%2Fimage.png?alt=media&#x26;token=33bd29e6-49dc-4a78-9163-eb0606b6ad5f" alt=""></div>

## Exploitation

The private key is encrypted with a passphrase, so it cannot be used as-is.

<div align="left"><img src="https://3211174753-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MhuCb52HTt9nZusE7xn%2F-MjLFE8kI5GosblizckN%2F-MjLILFp2DMcbTDiNqNt%2Fimage.png?alt=media&#x26;token=fd4d7794-3fda-4df6-9746-09fc3fdede1c" alt=""></div>

Let's run a dictionary attack on the passphrase with `john`, after converting the key into a hash format `john` understands:

```
ssh2john jonathan_id_rsa > jonathan_id_rsa.ssh2john
john --wordlist=/opt/wordlist/rockyou.txt jonathan_id_rsa.ssh2john
john --show jonathan_id_rsa.ssh2john
```

After a few seconds, we got the password. Sweet :D

<div align="left"><img src="https://3211174753-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MhuCb52HTt9nZusE7xn%2F-MjLFE8kI5GosblizckN%2F-MjLIzwsvFBsiGP0vQPz%2Fimage.png?alt=media&#x26;token=6cc958cf-53d6-4a79-8477-909d24c8b471" alt=""></div>

Now we can SSH in as `jonathan` using the private key and the recovered passphrase. Restrict the key file's permissions first (`chmod 600`), otherwise `ssh` refuses to use it.

<div align="left"><img src="https://3211174753-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MhuCb52HTt9nZusE7xn%2F-MjLFE8kI5GosblizckN%2F-MjLJDv1IVTxBmZUga-3%2Fimage.png?alt=media&#x26;token=c5ff59d7-dfae-4c65-b328-36b6c1189eae" alt=""></div>

## Post Exploitation

First, let's transfer `linpeas.sh` from our attacking machine to the target.

<div align="left"><img src="https://3211174753-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MhuCb52HTt9nZusE7xn%2F-MjLFE8kI5GosblizckN%2F-MjLJvqVRB3yHkU8wvIB%2Fimage.png?alt=media&#x26;token=a4be8869-c76e-4f58-9d4e-478719412a39" alt=""></div>

Find our attacking machine's IP address (the one the target has to fetch the script from) by executing the following.

<div align="left"><img src="https://3211174753-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MhuCb52HTt9nZusE7xn%2F-MjLFE8kI5GosblizckN%2F-MjLJlQmKAy8Lv1YB3j4%2Fimage.png?alt=media&#x26;token=30e4ef44-beab-481e-b607-305299e81824" alt=""></div>

Then transfer the script using `wget`

<div align="left"><img src="https://3211174753-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MhuCb52HTt9nZusE7xn%2F-MjLFE8kI5GosblizckN%2F-MjLK42p8npxCVf4ALhf%2Fimage.png?alt=media&#x26;token=8634e687-6c6d-4aef-8bf8-b2f581846eb0" alt=""></div>

And run `linpeas.sh`

<div align="left"><img src="https://3211174753-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MhuCb52HTt9nZusE7xn%2F-MjLFE8kI5GosblizckN%2F-MjLKDLu04cey2sEAB7q%2Fimage.png?alt=media&#x26;token=8c57b43b-3fef-4f69-9290-19bf3a7a6675" alt=""></div>

After quite some time, linpeas reports that `/bin/nano` has the SUID bit set (you can confirm this by hand with `find / -perm -4000 -type f 2>/dev/null`). A SUID-root editor lets us write any file on the system, so we can append a new UID 0 user to `/etc/passwd` and gain root.

<div align="left"><img src="https://3211174753-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MhuCb52HTt9nZusE7xn%2F-MjLFE8kI5GosblizckN%2F-MjLLp1XiDZLgDKMIWuT%2Fimage.png?alt=media&#x26;token=d7281590-2f55-433d-b84e-e037ba3eda03" alt=""></div>

Run `nano /etc/passwd` to open the file for editing, append the following line at the very bottom, then save and exit (Ctrl+O, Enter, Ctrl+X).

```
root2:WVLY0mgH0RtUI:0:0:root:/root:/bin/bash
```

The second field holds a crypt(3) hash of `mrcake`; because it is present in `/etc/passwd` itself, `su` checks it there and never consults `/etc/shadow`. Now we can switch to the new UID 0 user with password `mrcake`:

```
jonathan@leakage:~$ su root2
Password: mrcake
root@leakage:/home/jonathan#
```
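Both things that make the `root2` line work (a second UID 0 account, and a hash stored in `/etc/passwd` instead of `/etc/shadow`) are also exactly what a defender should look for afterwards. The audit script below is an added example written for this write-up, not code from the page; it parses a constructed `/etc/passwd` excerpt (not copied from the target) whose last line is the write-up's backdoor entry, and flags every entry that is root-equivalent, carries an inline hash, has an empty password field or is malformed. To use your own password instead of the page's hash, `openssl passwd -6 '<password>'` produces a `$6$` hash that works in the same field.

```python
import re
from typing import List

# Constructed /etc/passwd excerpt (not taken from the target machine). The last
# line is the write-up's backdoor: UID 0 plus a DES crypt(3) hash inline.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
jonathan:x:1000:1000:jonathan,,,:/home/jonathan:/bin/bash
sshd:x:110:65534::/run/sshd:/usr/sbin/nologin
root2:WVLY0mgH0RtUI:0:0:root:/root:/bin/bash
"""

# Password-field values meaning "look in /etc/shadow" or "locked". Anything
# else is a hash that the login path checks directly from /etc/passwd.
SHADOW_OR_LOCKED = {"x", "*", "!", "!!"}

HASH_PREFIXES = {
    "$1$": "MD5-crypt",
    "$5$": "SHA-256-crypt",
    "$6$": "SHA-512-crypt",
    "$y$": "yescrypt",
    "$2b$": "bcrypt",
}
# Traditional DES crypt(3): 2-char salt + 11-char hash, no $id$ prefix.
DES_CRYPT_RE = re.compile(r"^[./0-9A-Za-z]{13}$")


def classify_hash(pw: str) -> str:
    """Name the crypt scheme of a password-field value, or 'unknown'."""
    for prefix, name in HASH_PREFIXES.items():
        if pw.startswith(prefix):
            return name
    if DES_CRYPT_RE.match(pw):
        return "DES crypt(3)"
    return "unknown"


def audit_passwd(text: str) -> List[str]:
    """Return one human-readable finding per suspicious /etc/passwd entry."""
    findings: List[str] = []
    seen = set()
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append(f"line {lineno}: malformed entry with {len(fields)} fields")
            continue
        name, pw, uid, _gid, _gecos, _home, _shell = fields
        if name in seen:
            findings.append(f"line {lineno}: duplicate username {name!r}")
        seen.add(name)
        if not uid.isdigit():
            findings.append(f"line {lineno}: {name!r} has non-numeric UID {uid!r}")
        elif int(uid) == 0 and name != "root":
            findings.append(f"line {lineno}: {name!r} has UID 0 (root-equivalent account)")
        if pw == "":
            findings.append(f"line {lineno}: {name!r} has an empty password field (no password needed)")
        elif pw not in SHADOW_OR_LOCKED:
            findings.append(
                f"line {lineno}: {name!r} carries a {classify_hash(pw)} hash in /etc/passwd, "
                f"so /etc/shadow is bypassed"
            )
    return findings


if __name__ == "__main__":
    for finding in audit_passwd(SAMPLE_PASSWD):
        print(finding)
```

Run it against a real box with `python3 audit.py < /etc/passwd` after swapping `SAMPLE_PASSWD` for stdin; on a clean system the list should be empty. Note that the DES scheme used by the page's hash truncates passwords to 8 characters and is trivially crackable, which is one more reason a hash sitting in a world-readable `/etc/passwd` should never be ignored.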

Thanks, and enjoy!
