craft from hackthebox.eu is an easy machine with a couple of interesting technologies implemented. needs a little bit of RTFM’ing for rooting. Enjoy 🙂
- initial page at craft.htb contains link to gogs.craft.htb. clone the only repo available.
- thoroughly check the source of api/brew/endpoints/brew.py
- when you see something insecure, check the script in the repo’s tests/ folder. the author was so kind to put it there for us.
- combining 2nd and 3rd steps you should have root shell on host which runs python app.
- discover some users in the mysql db. check their private stuff @ gogs. now thoroughly check their private stuff.
- gilfoyle reuses the same password for different things. spoiler: no pivoting needed.
- gilfoyle also has access to the vault daemon, which can provide you with root access. use vault’s ssh secrets engine in otp mode with the root_otp role.
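as an added defender-side note (not part of the original hints and not the box’s own config): the last two steps are really one Vault policy problem, a reused password becoming root because the user’s token is allowed to mint OTPs for a root-level ssh role. below is a constructed policy that would permit that, beside a least-privilege version. only the `root_otp` role name comes from the hints; the `deploy_otp` role and the `ssh/` mount path are assumptions for illustration.

```hcl
# Weak (constructed example): any token holding this policy can request an OTP
# for every role under the ssh mount, including root_otp, so one reused
# password is enough to become root on every host in the role's cidr_list.
path "ssh/*" {
  capabilities = ["create", "read", "update", "delete", "list"]
}

# Least privilege (constructed example): the same user may only request OTPs
# for a hypothetical non-root "deploy_otp" role. Vault needs "update" on
# ssh/creds/<role> to issue a credential; nothing else is granted.
path "ssh/creds/deploy_otp" {
  capabilities = ["update"]
}

# Explicit deny on the root role: "deny" wins over any other grant in Vault,
# so even a broader policy attached to the same token cannot re-enable it.
path "ssh/creds/root_otp" {
  capabilities = ["deny"]
}

# Role and engine management belongs to an admin policy, not to app users.
path "ssh/roles/*" {
  capabilities = ["deny"]
}
```

with an audit device enabled, every request to `ssh/creds/<role>` is logged together with the requesting token’s entity, so an OTP request for `root_otp` coming from a normal user account is a simple thing to alert on; the policy above just makes sure that request fails as well.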