Port 80 and 22, are open. Visiting 80 we see a gitlab server, I find the credentials
I goto Profile project and upload and commit to repo a php file with reverse shell code inside of it. I then visit http://10.10.10.114/profile/shell.php. Now I get a reverse shell as www-data.
From here there are 2 paths to get root. I First got into the intended path by going to snippets finding a php script there, copying to machine and then adding some more code and find out the password for user clave, after I su and can access user.txt but for root I need to reverse a .exe file.
When logginin as www-data and running
sudo -l I can see that I can run
git pull as root. After a bit of research I read about git hooks, which all they do is run something when a
git pull or
git push is runned.
I copy the repo into /tmp/ and then add a into .git/hooks/post-merge which runs a bash script to give me reverse shell, I make it executable and then go into gitlab and commit a change. Then I run git pull and a merge occurs so my script gets execute, and I get reverse shell as root.