search

Matrimony

hashtag
Gaining Access

Nmap scan:

$ nmap -p- --min-rate 3000 -Pn 192.168.201.196
Starting Nmap 7.93 ( https://nmap.org ) at 2023-07-15 14:46 +08
Nmap scan report for 192.168.201.196
Host is up (0.17s latency).
Not shown: 65530 closed tcp ports (conn-refused)
PORT      STATE    SERVICE
22/tcp    open     ssh
53/tcp    open     domain
80/tcp    open     http

DNS is open, so we likely need to find a domain name somewhere.

hashtag
DNS Enum

Port 80 just shows us a static site:

There wasn't anything interesting about this site, so I went back to DNS. Similar to HTB, some machines from PGP tend to have domain names we just enter into our /etc/hosts file. I entered a few like matrimony.pg, matrimony.offsec and matrimony.off.

Then, I tested each domain with dig to see which exists. matrimony.off reveals the most information:

It also finds another subdomain at prod99.

hashtag
Matrimonial Website -> RCE

The prod99 domain shows us this marriage website:

I created an account on the website and found that it runs on PHP. I checked around for exploits for 'matrim':

Tons of exploits, and there is one script out of all of them. I tried that first, and it worked:

From here, we can easily get a reverse shell:

hashtag
Privilege Escalation

hashtag
Docker.Sock -> Root

If we check ifconfig, we can find some Docker instanceis running since the IP of this machine is 172.17.0.1:

We can ssh into 172.17.0.2 as root:

We can find the docker.sock file in both machines:

This machine doesn't have docker, so we can download the binary itself from our machine. This takes a while. When it's done, we can check the images present:

We can mount back onto the first image:

To get a root shell, simply run chmod u+s /mnt/bin/bash. Exit the docker container back onto the host machine and run bash -p:

Rooted!

PreviousMariaNextMegavolt

Last updated