HackTheBox | Runner
Initial Foothold Hint:
- Don't get stuck in rabbit holes
- Can you find the CVE for the vulnerable software?
- Most public exploits don't work as documented, due to conditions on the target. How else might you be able to exploit the vulnerability to get into the vulnerable service?
- There is another public exploit to facilitate this, but just plain old
curl
can get you in depending on your comfort level with APIs and source code review.
- There is another public exploit to facilitate this, but just plain old
Privilege Escalation Hint:
- Did you find any interesting files that point to any other interesting "names"?
- You may already have some credentials to get you into the service
- This service is just a front-end for managing Docker
- With Docker we can mount a folder from the host file system and read privileged files, how might you do this with this particular service managing Docker?
Nmap Results
# Nmap 7.94SVN scan initiated Wed Apr 24 17:57:49 2024 as: nmap -Pn -p- --min-rate 2000 -sC -sV -oN nmap-scan.txt 10.10.11.13
Nmap scan report for 10.10.11.13
Host is up (0.013s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 3e:ea:45:4b:c5:d1:6d:6f:e2:d4:d1:3b:0a:3d:a9:4f (ECDSA)
|_ 256 64:cc:75:de:4a:e6:a5:b4:73:eb:3f:1b:cf:b4:e3:94 (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://runner.htb/
8000/tcp open nagios-nsca Nagios NSCA
|_http-title: Site doesn't have a title (text/plain; charset=utf-8).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Apr 24 17:58:25 2024 -- 1 IP address (1 host up) scanned in 35.78 seconds
We can see the redirect to http://runner.htb
on tcp/80
, so let's go ahead and add that to our /etc/hosts
file.
echo '10.10.11.13 runner.htb' | sudo tee -a /etc/hosts
⛔
This box is still active on HackTheBox. Once retired, this article will be published for public access as per HackTheBox's policy on publishing content from their platform.