Introduction
Ready is a Medium ‘CTF’ style box from HTB and created by bertolis. It showcases problems in older versions of GitLab community edition and how they can be used to escalate privilege. Once we get on the box we realize we are in a docker container and use a docker escape to escalate to root. I begin every scan using RustScan; once it completes it runs NMAP filters and exports to HTML
for easy reading:
The initial scan only came back with Port 22
open which is SSH
. By default SSH
will not be your first point of entry (unless your doing a challenge). Also by default RustScan only scans the top 1000 ports; because of these factors I initiated a full port scan:

RustScan showing Port 5080
open.
Port 5080
was open and when visiting the port via a web browser I could see GitLab running. I registered for GitLab and signed into the environment.

GitLab Community Edition running on Port 5080
.
Upon logging into the GitLab environment I looked around for Active Projects. ready-channel which was an active Drupal install was present. It was also a false flag. After spending time finding credentials HERE and trying to find the ‘ghost install’ I took a step back. Eventually I noticed the version of GitLab was severely outdated.

GitLab Community Edition running 11.4.7
User Escalation
Keeping up to date on security related news and using GitHub products I was aware of the vulnerability available to older version of GitLab community edition. I read through a few articles and eventually found a script by dotPY-hax. It was super straight forward to configure and provided a low-priv shell.

Running the gitlab_rce.py for shell.
Once the shell popped I upgraded the shell to be interactive and grabbed the user flag. I checked around the opt/var
directories to find the GitLab install. Eventually I noticed a backup directory and this file – /opt/backup/gitlab.rb
. After clearing up the clutter I found a password which I used to escalate my privilege to root.

Finding the password to escalate to root.
After checking the root directory and (unsuccessfully) finding the flag I realized I was inside a docker container. I am very familiar with docker as I use it in my personal network. I was able to follow the following two guides HERE and HERE to get to root.
AttackMachine
Host
AttackMachine

Root flag for the Ready machine by HTB.