Reconnaissance
We begin by conducting an Nmap scan to gather crucial information about the target, such as open ports and potential vulnerabilities.
Ports 80, 222, 1337, 3000 and 8080 all serve websites. Exploring the “CatPictures 2” Lychee website on port 80, we stumble upon an album of cat pictures. Clicking the info button in the top right reveals some metadata.
Downloading the images and examining their full metadata, we find a hidden file stored on the port 8080 site.
Inside the file, we come across the username and password for an admin account on Gitea, along with a note that Ansible is running on port 1337.
Using the obtained credentials, we successfully log into Gitea. Within the application, we uncover the first flag.
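The metadata leak above is as much a publishing problem as a recon trick: images uploaded to a public gallery should be audited and scrubbed first. As an added example, not code from the original writeup, here is a pure-Python JPEG segment walker that lists the COM/APPn metadata segments, flags URL-, path- or credential-like strings inside them, and strips those segments before publishing; the sample JPEG bytes, the 10.10.10.10 address and the hidden path are constructed for the demo.

```python
import re
import struct
def _seg(marker: int, payload: bytes) -> bytes:
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload

# Constructed sample (not an image from the room): SOI, a comment leaking a URL,
# an Exif (APP1) header stub, a harmless comment, EOI. 10.10.10.10 is a placeholder.
SAMPLE_JPEG = (b"\xff\xd8"
               + _seg(0xFE, b"album backup: http://10.10.10.10:8080/.hidden/notes.txt")
               + _seg(0xE1, b"Exif\x00\x00" + b"\x00" * 8)
               + _seg(0xFE, b"cute cat")
               + b"\xff\xd9")

def jpeg_segments(data: bytes):
    """Yield (offset, marker, payload) for each marker segment before SOS/EOI."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI marker)")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected 0xFF marker prefix at offset {pos}")
        marker = data[pos + 1]
        if marker in (0xD9, 0xDA):   # EOI, or SOS (entropy-coded image data follows)
            return
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        yield pos, marker, data[pos + 4:pos + 2 + length]
        pos += 2 + length

# URLs, multi-component paths and credential-like words: none belong in a public image.
SUSPICIOUS = re.compile(rb"(https?://\S+|/[\w.\-]+(?:/[\w.\-]+)+|passw\w*|user\w*)", re.I)

def audit_metadata(data: bytes) -> list:
    """Return (segment name, payload length, suspicious strings) for each COM/APPn segment."""
    findings = []
    for _, marker, payload in jpeg_segments(data):
        name = "COM" if marker == 0xFE else f"APP{marker - 0xE0}" if 0xE0 <= marker <= 0xEF else None
        if name is None:
            continue
        hits = [h.decode(errors="replace") for h in SUSPICIOUS.findall(payload)]
        findings.append((name, len(payload), hits))
    return findings

def strip_metadata(data: bytes) -> bytes:
    """Drop COM and APP1..APP15 segments (APP0/JFIF kept); copy everything else verbatim."""
    out, last = bytearray(data[:2]), 2
    for pos, marker, payload in jpeg_segments(data):
        if marker == 0xFE or 0xE1 <= marker <= 0xEF:
            out += data[last:pos]            # keep bytes before the dropped segment
            last = pos + 4 + len(payload)    # resume copying after it
    return bytes(out + data[last:])
```

Running `audit_metadata(SAMPLE_JPEG)` reports the leaked URL in the first comment segment, and `strip_metadata` returns the same image with only SOI, APP0 (if present), the image data and EOI left.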
Exploiting Ansible for a Reverse Shell
In the same place as flag1, we also find a playbook.yaml file. When Ansible runs on port 1337, it executes this playbook.yaml file. With some slight modifications, we can spawn a reverse shell.
Executing the modified playbook grants us access to the target system, establishing a reverse shell connection. In the home directory we find our second flag.
Privilege Escalation
Now all we need to do is get root. A linpeas scan reveals that there’s a vulnerable version of sudo.
Using CVE-2021-3156, we send over the exploit.
Now all that’s left to do is build it with make, list targets with sudo-hax-me-a-sandwich, and run the exploit... and BAM, now we have root! Moving to the /root/ directory, we find the third and final flag, completing the room!