[CSL] Leakage

Leakage is a Linux box hosted by CyberSecLabs. Let’s kick it off with an Nmap scan to check the open ports.

GitLab CE is hosted on port 80 (HTTP). I ran gobuster to check for additional folders. This was the output:

Gobuster Output

Checking the public directory, we see a few projects. The most interesting one is CMS. Looking at its commits, we notice there was a change to the config file.

Config file
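The commit-history exposure described above, seen from the repository owner's side, as an added example that is not part of the original write-up: a small scanner that audits `git log -p` output for quoted credential literals added or removed in any commit. The sample log, hashes, file name, values and key patterns are constructed assumptions, and only quoted literals are matched.

```python
import re

# Quoted literals assigned to credential-like keys (assumed pattern list, extend as needed).
SECRET = re.compile(
    r"""(pass(?:word|wd)?|secret|token|api[_-]?key)\w*["']?\s*(?:=>|[:=])\s*["']([^"']+)["']""", re.I)
PLACEHOLDERS = {"changeme", "xxxx", "redacted", "example"}
# Constructed `git log -p` excerpt (newest first); hashes, file and values are made up.
SAMPLE_LOG = '''\
commit 1111111aaaaaaa

    remove hardcoded credentials

diff --git a/config.php b/config.php
--- a/config.php
+++ b/config.php
@@ -1,2 +1,2 @@
 $db_user = "cms";
-$db_password = "Constructed-Pa55";
+$db_password = getenv("DB_PASSWORD");
commit 2222222bbbbbbb

    add database config

diff --git a/config.php b/config.php
--- /dev/null
+++ b/config.php
@@ -0,0 +1,2 @@
+$db_user = "cms";
+$db_password = "Constructed-Pa55";
'''

def scan_history(log_text):
    """List credential literals added or removed by any commit (values are not echoed)."""
    findings, commit, path = [], None, None
    for line in log_text.splitlines():
        if line.startswith("commit "):
            commit = line.split()[1]
        elif line.startswith("+++ "):
            path = line[6:] if line[4:6] == "b/" else line[4:]
        elif commit and line[:1] in ("+", "-") and not line.startswith("--- "):
            m = SECRET.search(line[1:])
            if m and m.group(2).lower() not in PLACEHOLDERS:
                findings.append({"commit": commit, "file": path, "key": m.group(1),
                                 "change": "added" if line[0] == "+" else "removed",
                                 "value_len": len(m.group(2))})
    return findings

if __name__ == "__main__":
    print(*scan_history(SAMPLE_LOG), sep="\n")
```

A "removed" finding means the value is still recoverable from history, so the credential has to be rotated rather than only deleted from the current file.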

Testing for password reuse, we successfully log in as jonathan. Looking at the projects, we notice another one, named security, that was not public. It contains an SSH login key. Download the file and crack it using John the Ripper.

JtR

Since we cracked the password of the file, let’s use it to log in over SSH.

Logging in

Running Linux Smart Enumeration, we can see that the SUID bit is set on nano.

SUID bit

Because a SUID binary runs with its owner’s privileges, it’s possible to use nano to read the root flag.

Reading the root flag