Initial Foothold Hint:

• Don't get stuck in rabbit holes
• Can you find the CVE for the vulnerable software?
• Most public exploits don't work as documented, due to conditions on the target. How else might you be able to exploit the vulnerability to get into the vulnerable service?
  • There is another public exploit to facilitate this, but just plain old curl can get you in depending on your comfort level with APIs and source code review.

Privilege Escalation Hint:

• Did you find any interesting files that point to any other interesting "names"?
• You may already have some credentials to get you into the service
• This service is just a front-end for managing Docker
• With Docker we can mount a folder from the host file system and read privileged files, how might you do this with this particular service managing Docker?

Nmap Results

# Nmap 7.94SVN scan initiated Wed Apr 24 17:57:49 2024 as: nmap -Pn -p- --min-rate 2000 -sC -sV -oN nmap-scan.txt 10.10.11.13
Nmap scan report for 10.10.11.13
Host is up (0.013s latency).
Not shown: 65532 closed tcp ports (reset)
PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 8.9p1 Ubuntu 3ubuntu0.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 3e:ea:45:4b:c5:d1:6d:6f:e2:d4:d1:3b:0a:3d:a9:4f (ECDSA)
|_  256 64:cc:75:de:4a:e6:a5:b4:73:eb:3f:1b:cf:b4:e3:94 (ED25519)
80/tcp   open  http        nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://runner.htb/
8000/tcp open  nagios-nsca Nagios NSCA
|_http-title: Site doesn't have a title (text/plain; charset=utf-8).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Apr 24 17:58:25 2024 -- 1 IP address (1 host up) scanned in 35.78 seconds

We can see the redirect to http://runner.htb on tcp/80, so let's go ahead and add that to our /etc/hosts file.

echo '10.10.11.13        runner.htb' | sudo tee -a /etc/hosts