Simple easy box, perfect to warmup before the FIC 2021 and get more confidence in 1337 h4ck1n9 TL;DR Find PCAP file on server, get SSH credentials, execute code as root with Python. Footholds I did not even use nmap here, as we had a web server serving on port tcp:80. This website looked like this: It seems to be a security dashboard for a server, we don’t have any info about that.

The famous packet manager for Archlinux

Maybe the most used tool when it comes to network discovery and port knocking.

Wow you don’t know yet what Docker is? 🤔 Let me introduce you this beautiful containerization tool!

So I came up with this basic concept: TL;DR. But what is it exactly? The TL;DR series The main idea is to share some knowledge in a quick and concise way, such as a RUMP but written on a file. It is like a writeup speedrunning-ish style of writting. And maybe because I am kind of lazy sometimes. The goal here is to write small articles about a subject I like, a new technique learnt, or anything that is not worth a full and detailed article.

Recently I wanted to run a MySQL Docker container and encountered a tragical error: 1 2 3 4 5 6 7 simple_db | 2021-03-25 10:54:04+00:00 [Note] [Entrypoint]: Switching to dedicated user 'mysql' simple_db | 2021-03-25 10:54:04+00:00 [Note] [Entrypoint]: Entrypoint script for MySQL Server 5.7.31-1debian10 started. simple_db | 2021-03-25 10:54:04+00:00 [Note] [Entrypoint]: Initializing database files simple_db | 2021-03-25T10:54:04.578298Z 0 [Warning] TIMESTAMP with implicit DEFAULT value is deprecated. Please use --explicit_defaults_for_timestamp server option (see documentation for more details).

Cool box, maybe too easy for a medium? Got reverse shell in minutes, but stuck for root’s password for hours 😅 TL;DR Gitlab RCE, get reverse shell. Privesc with cleartext root password, escape Docker to own the box. Footholds nmap 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 Starting Nmap 7.80 ( https://nmap.org ) at 2021-03-14 16:00 UTC Nmap scan report for 10.