This challenge was certainly the most complex out of the entire room. The general objectives were to exploit a vulnerable machine and pivot to a docker container to exfiltrate data.
I first enumerated my target with nmap and found some framework information on the webpage. This led me to a vulnerability I could exploit. Once I knew my exploit I could use it with the Metasploit framework.
I was required by THM to use meterpreter and Metasploit for this challenge. Something I did not know is that when pivoting, meterpreter can find IP addresses for the routing tables
Combining this information and the .env information, I am able to add the proper routing table to my meterpreter session.
Once I knew what my targets were, I could begin exfiltrating database information.
I would use these credentials to ssh in and receive the root flag.
Deploy the attached VM, and wait a few minutes. What ports are open?
80
What framework is the web application developed with?
Laravel
What CVE is the application vulnerable to?
cve-2021-3129
What command can be used to upgrade the last opened session to a Meterpreter session?
sessions -u -1
What file indicates a session has been opened within a Docker container?
/.dockerenv
What file often contains useful credentials for web applications?
.env
What database table contains useful credentials?
users
What is Santa's password?
p4$$w0rd
What ports are open on the host machine?
22,80
What is the root flag?
THM{47C61A0FA8738BA77308A8A600F88E4B}