# HackTheBox-Ready ## Rustscan ``` rustscan -a 10.10.10.220 -- -A -sC -sV .----. .-. .-. .----..---. .----. .---. .--. .-. .-. | {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| | | .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ | `-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-' The Modern Day Port Scanner. ________________________________________ : https://discord.gg/GFrQsGy : : https://github.com/RustScan/RustScan : -------------------------------------- Nmap? More like slowmap.🐢 [~] The config file is expected to be at "/root/.rustscan.toml" [!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers [!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'. Open 10.10.10.220:22 Open 10.10.10.220:5080 PORT STATE SERVICE REASON VERSION 22/tcp open ssh syn-ack ttl 63 OpenSSH 8.2p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0) 5080/tcp open http syn-ack ttl 62 nginx |_http-favicon: Unknown favicon MD5: F7E3D97F404E71D302B3239EEF48D5F2 | http-methods: |_ Supported Methods: GET HEAD POST OPTIONS | http-robots.txt: 53 disallowed entries (40 shown) | / /autocomplete/users /search /api /admin /profile | /dashboard /projects/new /groups/new /groups/*/edit /users /help | /s/ /snippets/new /snippets/*/edit /snippets/*/raw | /*/*.git /*/*/fork/new /*/*/repository/archive* /*/*/activity | /*/*/new /*/*/edit /*/*/raw /*/*/blame /*/*/commits/*/* | /*/*/commit/*.patch /*/*/commit/*.diff /*/*/compare /*/*/branches/new | /*/*/tags/new /*/*/network /*/*/graphs /*/*/milestones/new | /*/*/milestones/*/edit /*/*/issues/new /*/*/issues/*/edit | /*/*/merge_requests/new /*/*/merge_requests/*.patch |_/*/*/merge_requests/*.diff /*/*/merge_requests/*/edit | http-title: Sign in \xC2\xB7 GitLab |_Requested resource was http://10.10.10.220:5080/users/sign_in Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port OS fingerprint not ideal because: Missing a closed TCP port so results incomplete Aggressive OS guesses: Linux 2.6.32 (95%), Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (94%), ASUS RT-N56U WAP (Linux 3.4) (93%), Linux 3.16 (93%), Adtran 424RG FTTH gateway (92%), Linux 2.6.39 - 3.2 (92%), Linux 3.1 - 3.2 (92%), Linux 3.11 (92%) No exact OS matches for host (test conditions non-ideal). ``` ## PORT 5080 (HTTP) I tried to use metasploit exploit for gitlab but found it was not vulnerable to because that was for version 12.8.x something and the version that was running on the site was 11.4.7 so looked for an exploit Ran the exploit And got a shell Stabilized the shell We can see the users on gitlab with id Using gitlab-rails shell to reset a user's password Going to `/opt` folder found a directory called "backup" Reading the docker.yml it seems that we are in a privileged container also found `root_pass` it had a password but it didn't worked Also I found another password We got root for the container But still we need to breakout from this docker conatiner so use `fdisk -l` Now we can see that system is mounted on `/dev/sda2` so following hacktricks for docker escape we can mount this on a folder Transfer the `id_rsa` key you can find on the host machine's root folder And we have a proper root on the box