Git and Crumpets
Starting with nmap, I found 2 open ports.
22 : SSH
80 : HTTP
As you can see in the curl command, visiting the website redirects to YouTube.
I checked the source code using the curl command and got the hostname.
I added that to /etc/hosts.
In the browser I got Gitea.
I created an account in Gitea and signed in.
In the Explore tab I found 2 repositories.
1. By scones.
2. By hydra.
In the scones repository, I found 7 commits.
In one commit I got this comment.
So I downloaded the image and got the password from the Description field using ExifTool.
Using the username and password I logged in to the user account.
By editing the README.md I got a shell back to my terminal.
I checked for an SSH id_rsa so I could SSH in directly, but I didn't find any.
For further exploitation, I created an SSH key and added it to the Git hooks,
so that when I edit a file in that repo, the SSH key is written to git's authorized_keys.
By editing a file in that repo I could SSH in as git, and I got the user flag.
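The hook persistence described above is exactly what a defender should be looking for on a Gitea host. The following is an added example, not code from the writeup or from the Gitea project: a small auditor that walks a repository's hooks directory, ignores the inert `*.sample` files, and reports every active hook that is executable or contains an indicator such as `authorized_keys`. The directory layout (`hooks/<name>.d/`) is an assumption modelled on Gitea's delegated-hook style, and the sample hooks are constructed inline so the script runs offline.

```python
import pathlib
import stat
import tempfile

# Strings a defender would not expect inside a legitimate server-side hook.
# Order matters: indicator hits are reported in this order.
SUSPICIOUS_TOKENS = ("authorized_keys", "/dev/tcp", "bash -i", "curl ", "wget ")


def audit_hooks(hooks_dir):
    """Return a finding for every active hook under hooks_dir.

    A hook is 'active' if it is executable or matches an indicator string;
    Git's shipped *.sample files are never executed and are skipped.
    """
    base = pathlib.Path(hooks_dir)
    findings = []
    for path in sorted(base.rglob("*")):
        if not path.is_file() or path.name.endswith(".sample"):
            continue
        executable = bool(path.stat().st_mode & stat.S_IXUSR)
        text = path.read_text(errors="replace")
        hits = [tok for tok in SUSPICIOUS_TOKENS if tok in text]
        if executable or hits:
            findings.append({
                "hook": str(path.relative_to(base)),
                "executable": executable,
                "indicators": hits,
            })
    return findings


def build_sample_repo():
    """CONSTRUCTED fixture: a throwaway hooks directory with one benign and
    one suspicious delegated hook, plus an inert sample file."""
    root = pathlib.Path(tempfile.mkdtemp())
    hooks = root / "hooks"
    (hooks / "post-receive.d").mkdir(parents=True)

    # Inert sample shipped with git: never executed, should be ignored.
    (hooks / "pre-commit.sample").write_text("#!/bin/sh\nexit 0\n")

    # Benign executable hook: reported (it is active) but with no indicators.
    benign = hooks / "post-receive.d" / "lint"
    benign.write_text("#!/bin/sh\n# CONSTRUCTED: runs a linter on the pushed tree\nexit 0\n")
    benign.chmod(0o755)

    # Suspicious hook: constructed to mirror the behaviour the writeup describes.
    bad = hooks / "post-receive.d" / "deploy"
    bad.write_text(
        "#!/bin/sh\n"
        "# CONSTRUCTED sample: appends a key to the git user's authorized_keys\n"
        'cat "$GIT_DIR/../key.pub" >> /home/git/.ssh/authorized_keys\n'
    )
    bad.chmod(0o755)
    return str(hooks)


if __name__ == "__main__":
    for finding in audit_hooks(build_sample_repo()):
        print(finding)
```

On a real server you would point `audit_hooks` at each `<repo>.git/hooks` directory under Gitea's repository root and treat any non-empty `indicators` list, or any executable hook that nobody can account for, as something to investigate; pairing this with file-integrity monitoring on the hooks directories catches the write at the moment it happens rather than at the next audit.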
For the privilege escalation part, I found Gitea's DB file, which is a SQLite3 file.
Using sqlite3, I started checking the DB.
I found the command used to view tables and got a bunch of tables from the DB.
From these tables, I used the "user" table to find passwords, if any.
From Stack Overflow, I learned how to check column names.
I tried password cracking with john, but nothing was found for root.
Then I changed the value of "is_admin" to root's "is_admin" value, which is 1.
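Flipping `is_admin` directly in the database leaves no trace in Gitea's own audit log, so the defensive counterpart is to audit the `user` table against a known baseline. This is an added example, not code from the writeup or from Gitea: it builds a constructed in-memory SQLite copy of the `user` table (only the columns the writeup mentions, plus a couple of realistic extras), lists the column names the way one would with `PRAGMA table_info`, and reports any account whose `is_admin` flag is set that is not in the expected set. The baseline `EXPECTED_ADMINS = {"root"}` and the usernames are assumptions taken from the writeup.

```python
import sqlite3

# Assumption: on this host only root should hold the admin flag.
EXPECTED_ADMINS = {"root"}


def build_sample_db():
    """CONSTRUCTED fixture: a minimal stand-in for Gitea's `user` table.
    Password hashes are placeholders, not real Gitea values."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE "user" (
            id               INTEGER PRIMARY KEY,
            name             TEXT NOT NULL,
            is_admin         INTEGER NOT NULL DEFAULT 0,
            passwd           TEXT,
            passwd_hash_algo TEXT
        );
        INSERT INTO "user" VALUES (1, 'root',   1, '<constructed-hash>', 'pbkdf2');
        INSERT INTO "user" VALUES (2, 'scones', 0, '<constructed-hash>', 'pbkdf2');
        INSERT INTO "user" VALUES (3, 'hydra',  0, '<constructed-hash>', 'pbkdf2');
    """)
    return conn


def column_names(conn, table):
    """Column names of `table`, the same information `PRAGMA table_info` shows
    in the sqlite3 shell. `table` is a trusted constant here, not user input."""
    return [row[1] for row in conn.execute(f'PRAGMA table_info("{table}")')]


def admins(conn):
    """Every account currently holding the admin flag, sorted by name."""
    rows = conn.execute('SELECT name FROM "user" WHERE is_admin = 1 ORDER BY name')
    return [name for (name,) in rows]


def unexpected_admins(conn, expected=EXPECTED_ADMINS):
    """Admin accounts that are not in the baseline: the thing to alert on."""
    return [name for name in admins(conn) if name not in expected]


def simulate_tamper(conn, name):
    """CONSTRUCTED: reproduce the direct DB edit from the writeup against the
    in-memory fixture so the audit can be shown catching it."""
    conn.execute('UPDATE "user" SET is_admin = 1 WHERE name = ?', (name,))
    conn.commit()


if __name__ == "__main__":
    db = build_sample_db()
    print("columns:", column_names(db, "user"))
    print("admins before:", admins(db), "unexpected:", unexpected_admins(db))
    simulate_tamper(db, "scones")
    print("admins after: ", admins(db), "unexpected:", unexpected_admins(db))
```

Run against a copy of the real `gitea.db`, `unexpected_admins` is a one-line cron check; the more durable fix is the one the writeup implies by omission, namely that the DB file should not be readable by the low-privilege account that obtained the shell in the first place.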
I got the privilege to view the root’s private backup repository.
In that repository, I found the "dotfiles" branch and 4 commits in it.
I found a commit that adds a .ssh file, which is suspicious, so I opened that file and got the id_rsa key.
I tried it with SSH, but it asked for a password.
I tried with john but didn't find any password.
After some time, I remembered the file name of the .ssh file.
I used that filename as the password and got the root shell and the root flag.