Machine Synopsis
Extension is a hard difficulty Linux machine with only `SSH` and `Nginx` exposed. Enumeration reveals a multitude of domains and sub-domains. An exposed API endpoint reveals a handful of hashed passwords, which can be cracked and used to log into a mail server, where password reset requests can be read. The application's underlying logic allows the attacker to brute-force the reset tokens, granting access to an admin account and, by *extension*, API credentials for another vHost running `Gitea`. A repository hosted there is vulnerable to Cross-Site Scripting (XSS), which can be leveraged to make API calls that download a private repository containing an SSH key for a user account on the target system. Moving laterally using re-used credentials reveals another Git repository, where we find source code that is vulnerable to Remote Code Execution by command injection. Exploitation of the vulnerability requires a hash length extension attack to deliver the payload. Obtaining a reverse shell makes it clear that the shell is in a Docker container, which features a Unix socket that the user can access. This misconfiguration means that the host's file system can be mounted to a new Docker container, from where a root SSH key can be acquired.
Machine Matrix