Leakage is a linux box hosted by CyberSecLabs. Let’s kick it off with an NMap scan in order to check the open ports.
On port 80 (HTTP) there it’s hosted GitLab CE. I ran gobuster to check for additional folders. This was the output:
public directory we’ll see a few projects. The one that seems more interesting is
CMS. Taking a look at commits we notice there was a change to the config file.
Testing for password reuse we successfully login as jonathan. By taking a look at the projects we notice another one that was not public named
security. It contains a ssh login key. Download the file and crack it using John the Ripper.
Since we cracked the password of the file, let’s use it to login to ssh.
Running linux smart enumeration we can see that the SUID bit is set to nano.
It’s possible to use nano to read the root flag.