Hackfail.htb -

Gitea is the primary vector for gaining a foothold on this machine. Identifying the Vulnerability

Older versions of Gitea are susceptible to various vulnerabilities, including through Git hooks. If you can gain administrative access to a repository, you can often execute commands on the underlying server. The Attack Path

Add a command to one of the scripts (like iptables-multiport.conf ) that creates a SUID binary or sends a reverse shell. hackfail.htb

Once you have a shell, you will likely find yourself inside a . Escaping the Container

Browse through public repositories. Look for configuration files (like .env or config.php ) that might contain secrets. Exploit Git Hooks: If you find a repository you can edit: Navigate to Settings > Git Hooks . Edit the pre-receive or post-update hook. Gitea is the primary vector for gaining a

On HackFail, the path to root often involves , an intrusion prevention framework. If a user has write access to the Fail2Ban configuration or its custom action scripts, they can achieve code execution as root. Locate Action Scripts: Check /etc/fail2ban/action.d/ .

Enumeration inside the container reveals that it has access to specific files or the Docker socket. The Attack Path Add a command to one

If /var/run/docker.sock is accessible, you can use it to spawn a new container that mounts the host's root filesystem. 👑 Phase 4: Privilege Escalation to Root

Check /mnt or other unusual directories for files belonging to the host system.