craft @ hackthebox, walkthrough-style

craft is an easy machine with a couple of interesting technologies implemented. needs a little bit of RTFM’ing for rooting. Enjoy 🙂

  1. the initial page at craft.htb contains a link to gogs.craft.htb. clone the only repo available.
  2. thoroughly check the source of api/brew/endpoints/
  3. when you see something insecure, check the script in the repo’s tests/ folder. the author was so kind to put it there for us.
  4. combining the 2nd and 3rd steps you should have a root shell on the host which runs the python app.
  5. discover some users in the mysql db. check their private stuff @ gogs. now thoroughly check their private stuff.
  6. gilfoyle reuses the same password for different things. spoiler: no pivoting needed.
  7. gilfoyle also has access to the vault daemon, which can provide you with root access. use vault’s ssh secrets engine in otp mode with the root_otp role.
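
the last step is a good reminder of why a vault ssh otp role that hands out root credentials is a problem. below is an added example (not from the box or its author) written in terraform for the vault provider: the first role mirrors the shape of a `root_otp`-style role, the second shows the same engine restricted to a non-root user and a management subnet, plus a policy that only lets a token draw credentials for the restricted role. the mount path, the `ops` user and the 10.0.5.0/24 subnet are assumptions picked for the example.

```hcl
# Added example, not the machine's real vault config.
# Mounts the ssh secrets engine at "ssh" (assumed path).
resource "vault_mount" "ssh" {
  path = "ssh"
  type = "ssh"
}

# Over-broad role: any token allowed to write ssh/creds/root_otp
# receives a one-time password for root, usable from anywhere.
# Kept here only to show what the hardened role changes.
resource "vault_ssh_secret_backend_role" "root_otp" {
  backend      = vault_mount.ssh.path
  name         = "root_otp"
  key_type     = "otp"
  default_user = "root"
  cidr_list    = "0.0.0.0/0"
}

# Hardened role: unprivileged default user, caller cannot override it
# (allowed_users pins it), and OTPs are only valid for hosts in the
# management subnet. "ops" and 10.0.5.0/24 are assumed values.
resource "vault_ssh_secret_backend_role" "ops_otp" {
  backend       = vault_mount.ssh.path
  name          = "ops_otp"
  key_type      = "otp"
  default_user  = "ops"
  allowed_users = "ops"
  cidr_list     = "10.0.5.0/24"
}

# Policy for operator tokens: credentials can be generated only for the
# restricted role. Nothing grants ssh/creds/root_otp, so a leaked
# operator token (or a reused password) does not turn into root.
resource "vault_policy" "ops_ssh" {
  name   = "ops-ssh"
  policy = <<EOT
path "ssh/creds/ops_otp" {
  capabilities = ["update"]
}
EOT
}
```

the thing to audit on a real deployment is the pairing: which roles have `default_user = "root"`, and which policies carry `update` on `ssh/creds/<that role>`. either side alone is fine; together they are a one-step privilege escalation for anyone holding a matching token.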

