📔
Hack World
  • Welcome to Hack World
  • Writeup
    • Proving Grounds - Practice
      • AuthBy
      • Jacko
      • UT99
      • Sirol
      • Twiggy
      • Bratarina
      • Internal
      • Algernon
      • Metallus
      • Kevin
      • Helpdesk
      • Slort
      • Shenzi
      • Pelican
      • Walla
      • Zino
      • Nibbles
      • ZenPhoto
      • Wombo
    • CyberSecLabs
      • Lazy
      • Red
      • Shock
      • CMS
      • Debug
      • Leakage
      • Simple
      • Shares
      • Unroot
      • Outdated
      • Fuel
      • Pie
    • Vulnhub
      • Linux
        • BTRSys2.1
        • CyberSploit1
        • SunsetNoontide
    • HackTheBox
      • Cap
Powered by GitBook
On this page
  • nmap
  • Web enumeration
  • Exploitation
  • Post Exploitation

Was this helpful?

  1. Writeup
  2. CyberSecLabs

Leakage

PreviousDebugNextSimple

Last updated 3 years ago

Was this helpful?

nmap

mdkir nmap
sudo rustscan -a 172.31.1.6 --ulimit 5000 -- -T4 -A -oA nmap/all-ports-service-scan

A web server on port 80 is open

Upon checking, looks like it has GitLab installed

Web enumeration

First, create a GitLab account, and log in. Once logged in, check the projects section. You will notice there's a public repository of Jonathan.

The CMS repository sounds interesting, let's take a look and check the commit logs.

Click at the third commit, you will see credentials that have been removed.

Take note the SQL_LOGIN and SQL_PWD of user jonathan then use this credential to log in on GitLab.

Upon logging in, there's an interesting repository called security.

Right out of the bat, you will see the shiny gold called id_rsa. Let's copy it to our local machine.

Exploitation

Looks like the private SSH key has a password.

Let's perform a dictionary attack using john

ssh2john jonathan_id_rsa > jonathan_id_rsa.ssh2john 
john jonathan_id_rsa.ssh2john -w=/opt/wordlist/rockyou.txt

After a few seconds, we got the password. Sweet :D

Now we can log in using the private SSH key, the password, and the username we have found.

Post Exploitation

First, let's transfer linpeas.sh from our machine to the target machine

You can find the machine IP address by executing the following.

Then transfer the script using wget

And run linpeas.sh

After quite some time, looks like the SUID of /bin/nano is set. We can use this to gain root by writing a new user on /etc/passwd.

First, execute nano /etc/passwd to get to editing mode. And at the very bottom, paste the following and hit save.

root2:WVLY0mgH0RtUI:0:0:root:/root:/bin/bash

Now we can log in, as root with password mrcake

jonathan@leakage:~$ su root2                                                                                                                                                                                       
Password: mrcake                                                                                                                                                                                                          
root@leakage:/home/jonathan#

Thanks, and enjoy!