Git and Crumpets


Git and Crumpets is a medium-difficulty Linux machine on TryHackMe by hydragyrum.

User Part

Starting with nmap, I found 2 open ports.

22: SSH

80: HTTP

As you can see from the curl command, visiting the website redirects to YouTube.

I checked the source code using the curl command and got the hostname.

I added that to /etc/hosts.

In the browser I got Gitea.

I created an account in Gitea and signed in.

In the Explore tab I found 2 repositories.

1 by scone.

2 by hydra.

In scone's repository, I found 7 commits.

In 1 commit I got this comment.

So I downloaded the image and got the password from the Description field using ExifTool.

Using the username and password I logged in to the user account.

Then I checked for an exploit and found this recent exploit.

For further exploitation, I used the reverse shell from PayloadsAllTheThings.

And I added the payload to the Git hooks.

By editing the file I got a shell back to my terminal.

I checked for an SSH id_rsa so I could SSH directly, but I didn't find any.

For further exploitation, I created an SSH key and added it to the Git hooks,

so when I edit a file in that repo, this SSH key will be written to git's authorized_keys.

By editing a file in that repo I could SSH as git, and I got the user flag.

Root Part

For the privilege escalation part, I got the DB file of Gitea, and it's a sqlite3 file.

Using sqlite3 I started checking the DB.

I got the command used to view tables and got a bunch of tables from the DB.

From these tables, I used the "user" table to find passwords, if any.

From Stack Overflow, I found out how to check column names.

I checked with john for password cracking, but nothing was found for root.

Then I changed the value of "is_admin" to root's "is_admin" value, which is 1.
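As an added defender-side example (not part of the original writeup), here is a small Python audit script for the step above: it lists the columns of the Gitea "user" table the same way the column-name check does, and reports every account whose is_admin flag is set, so a flipped is_admin value on a self-registered account stands out. The table is a constructed in-memory subset; the column names other than is_admin (name, passwd, passwd_hash_algo) are assumptions for this example.

```python
import sqlite3

# Constructed minimal subset of Gitea's "user" table. Only is_admin appears
# in the writeup; the other column names are assumptions for this example.
SCHEMA = """
CREATE TABLE "user" (
    id INTEGER PRIMARY KEY,
    name TEXT NOT NULL,
    passwd TEXT NOT NULL,
    passwd_hash_algo TEXT,
    is_admin INTEGER NOT NULL DEFAULT 0
);
"""

# Constructed sample rows: hashes are placeholders, not real values.
SAMPLE_ROWS = [
    (1, "root", "placeholder-hash-1", "pbkdf2", 1),
    (2, "scone", "placeholder-hash-2", "pbkdf2", 0),
    (3, "hydra", "placeholder-hash-3", "pbkdf2", 0),
    (4, "newuser", "placeholder-hash-4", "pbkdf2", 1),  # self-registered account with is_admin flipped to 1
]


def build_sample_db() -> sqlite3.Connection:
    """Create the constructed database in memory (swap for sqlite3.connect(path) on a real gitea.db)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany('INSERT INTO "user" VALUES (?, ?, ?, ?, ?)', SAMPLE_ROWS)
    conn.commit()
    return conn


def table_columns(conn: sqlite3.Connection, table: str) -> list:
    """Column names of a table, the sqlite3 equivalent of the 'check column names' step."""
    return [row[1] for row in conn.execute(f'PRAGMA table_info("{table}")')]


def admin_accounts(conn: sqlite3.Connection) -> list:
    """Every account whose is_admin flag is set, in id order."""
    return [row[0] for row in conn.execute('SELECT name FROM "user" WHERE is_admin = 1 ORDER BY id')]


def unexpected_admins(conn: sqlite3.Connection, allowed: set) -> list:
    """Admin accounts not on the allow-list: the ones an operator should investigate."""
    return [name for name in admin_accounts(conn) if name not in allowed]


if __name__ == "__main__":
    db = build_sample_db()
    print("user columns:", table_columns(db, "user"))
    print("admin accounts:", admin_accounts(db))
    print("unexpected admins:", unexpected_admins(db, {"root"}))
```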

I got the privilege to view root's private backup repository.

In that repository, I found the "dotfiles" branch and 4 commits in it.

I got a commit that adds a .ssh file, which is suspicious. So I opened that file and got the id_rsa key.

I tried with SSH, but it asks for a password.

I tried with john but didn't find any password.

After some time, I remembered the file name of the .ssh file.

I used that filename as the password and got the root shell and the root flag.
