Hackthebox — Ready Walkthrough

Atalay Samet Ergen
4 min readMay 15, 2021


Firstly, let’s run nmap scan to see which ports are open and which services are running on those ports.

-sC : run default nmap scripts

-sV : enumerate service versions

The result shows that three ports are open.

Port 22 running OpenSSH 8.2p1

Port 5080 running http service

We visit the page and see a Gitlab sign-in page.

We create an account.

A welcoming page.

We see the Gitlab version after clicking Help tab on the right. “Update asap” seems definitely interesting.

Let’s search searchsploit for vulnerabilities affecting Gitlab 11.4.7.

We review the exploit script.

We copy the script into our working directory with the “-m” (mirror, aka copy) option.

Some parameters need to be specified.

We start a listener on port 7070 before running the script.

And run the script.

Afterwards, we get the reverse shell.

Let’s upgrade the shell to a stable one.

We go to dude’s directory and get the user flag successfully.

Time to escalate our privileges. Let’s download the linpeas.sh to enumerate the box.

We get the script and run it on the target machine.

We find a password.

The output also states that we are in a docker container.

We switch to the root user with the password we found.

There is no root flag.

Well, we are in a docker container and need to escape from it to get the flag.

A HackTricks post about escaping from a docker container is the key to solving this.
https://book.hacktricks.xyz/linux-unix/privilege-escalation/docker-breakout

We check the capabilities of the container. As mentioned in the post, we might be able to escape from it if it has any of the following:
CAP_SYS_ADMIN - CAP_SYS_PTRACE - CAP_SYS_MODULE - DAC_READ_SEARCH - DAC_OVERRIDE
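As an added example (not from the original post), here is a small audit script for the capability check above: it parses the CapEff mask from /proc/self/status and reports which of the capabilities listed above a container actually holds. The /proc/self/status samples below are constructed (Docker's default capability set and a --privileged set); on a real box you would read the file itself.

```python
import re

# Capability bit numbers as defined in linux/capability.h (bit index = list position).
CAP_NAMES = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
    "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
    "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ", "CAP_PERFMON", "CAP_BPF",
    "CAP_CHECKPOINT_RESTORE",
]

# The capabilities the walkthrough names as potential breakout enablers.
BREAKOUT_CAPS = {"CAP_SYS_ADMIN", "CAP_SYS_PTRACE", "CAP_SYS_MODULE",
                 "CAP_DAC_READ_SEARCH", "CAP_DAC_OVERRIDE"}

def parse_capeff(status_text: str) -> int:
    """Return the effective capability mask from /proc/<pid>/status text."""
    m = re.search(r"^CapEff:\s*([0-9a-fA-F]+)\s*$", status_text, re.MULTILINE)
    if not m:
        raise ValueError("no CapEff line found")
    return int(m.group(1), 16)

def decode_caps(mask: int) -> list:
    """Map each set bit to its capability name (unknown bits kept as CAP_<n>)."""
    return [CAP_NAMES[b] if b < len(CAP_NAMES) else f"CAP_{b}"
            for b in range(64) if (mask >> b) & 1]

def audit_status(status_text: str) -> dict:
    caps = decode_caps(parse_capeff(status_text))
    return {"effective": caps, "risky": sorted(c for c in caps if c in BREAKOUT_CAPS)}

# Constructed samples: Docker's default capability set and a --privileged container.
SAMPLE_DEFAULT = "Name:\tsh\nCapInh:\t0000000000000000\nCapEff:\t00000000a80425fb\n"
SAMPLE_PRIVILEGED = "Name:\tsh\nCapEff:\t0000003fffffffff\n"

if __name__ == "__main__":
    # On a real box, read /proc/self/status instead of the constructed sample.
    for label, text in (("default", SAMPLE_DEFAULT), ("privileged", SAMPLE_PRIVILEGED)):
        result = audit_status(text)
        print(f"{label}: {len(result['effective'])} caps, risky={result['risky']}")
```

Note that Docker's default set already includes CAP_DAC_OVERRIDE, so the presence of a listed capability is a prompt to look closer, not proof of a breakout path on its own.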

Well-configured docker containers won’t allow a command like fdisk -l. However, on a misconfigured docker command where the --privileged flag is specified, it is possible to get the privileges to see the host drive.

https://book.hacktricks.xyz/linux-unix/privilege-escalation/docker-breakout#i-own-root

Time to escape from it.

Perfect. We escaped from the docker container.

Finally, we successfully get the root flag.

Thank you for your time.

Originally published at http://atalaysblog.wordpress.com on May 15, 2021.
