Wow you don’t know yet what Docker is? 🤔 Let me introduce you this beautiful containerization tool!

So I came up with this basic concept: TL;DR. But what is it exactly? The TL;DR series The main idea is to share some knowledge in a quick and concise way, such as a RUMP but written on a file. It is like a writeup speedrunning-ish style of writting. And maybe because I am kind of lazy sometimes. The goal here is to write small articles about a subject I like, a new technique learnt, or anything that is not worth a full and detailed article.

Recently I wanted to run a MySQL Docker container and encountered a tragical error: 1 2 3 4 5 6 7 simple_db | 2021-03-25 10:54:04+00:00 [Note] [Entrypoint]: Switching to dedicated user 'mysql' simple_db | 2021-03-25 10:54:04+00:00 [Note] [Entrypoint]: Entrypoint script for MySQL Server 5.7.31-1debian10 started. simple_db | 2021-03-25 10:54:04+00:00 [Note] [Entrypoint]: Initializing database files simple_db | 2021-03-25T10:54:04.578298Z 0 [Warning] TIMESTAMP with implicit DEFAULT value is deprecated. Please use --explicit_defaults_for_timestamp server option (see documentation for more details).

Cool box, maybe too easy for a medium? Got reverse shell in minutes, but stuck for root’s password for hours 😅 TL;DR Gitlab RCE, get reverse shell. Privesc with cleartext root password, escape Docker to own the box. Footholds nmap 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 Starting Nmap 7.80 ( https://nmap.org ) at 2021-03-14 16:00 UTC Nmap scan report for 10.

Some weeks ago I created a trainning lab for SQL injections called SQLi lab. And I will go through all levels in this blog post, explainning the expected way to solve each of them. The lab currently contains 5 levels, and I will update this post as I add more of them 👍 Installation The GitHub repository is at https://github.com/OxNinja/SQLi-lab if you want more information. First I clone the lab in a folder, add its IP to my hosts file for conveignance, and then build it with the given script:

TL;DR HTTP redirect bypass (unintended 😁), PHP code execution through file upload to get a reverse shell. User with hardcoded SQL credentials on server, privesc with custom binary with no $PATH check. As I am an idiot, I reinstalled my distribution without making a backup of my files 🙈 So I don’t have any screenshot or payloads I used for this box to show you Footholds With a basic nmap we found only two ports: 22 and 80.

Obscurity is my first medium box so I was very happy when I got that root.txt :D TL;DR Custom Python web server, get source code, get revserse shell, crack user password for custom encryption system, use john to privesc. Footholds To make things easier, I added the box to my /etc/hosts. Recon Let’s start with nmap to discover the open ports : 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 > nmap -A obscurity.