August 13, 2021
The scan doesn't give you much to choose from: two open ports and no reasonable way of interacting with SSH, so let's start from HTTP.
The web server seems to be a waiting queue; what it is for is unknown. How does the page determine your position in the queue every time you reload it? Cookies, indeed. The cookie is not immediately obvious to decode, but you can easily spot an SQL injection possibility by adding a single quote at the end of it. Besides enumerating the DB, there is a serious misconfiguration that allows you to write a file on the web server. The injection looks like this:
<cookie>' UNION SELECT 1,<hexcode> INTO OUTFILE '/var/www/html/shell.php'-- -
where <hexcode> is the hex of the classic PHP web shell that receives a "cmd" GET parameter. It can be anything you want, of course; I am just stating clearly what I put there. Now that you have some basic RCE, let's make it a little more bearable. I retrieved the full php-reverse-shell using wget and activated it by browsing to its location, thus gaining a remote shell.
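As an added example (mine, not part of the original writeup), here is a small defender-side detector that scans web access log lines for the cookie-borne injection described above. It assumes a constructed log format in which the Cookie header is the last quoted field, a hypothetical cookie name `queue`, and that the cookie value is base64-encoded (the post only says it is not obvious to decode).

```python
import base64
import binascii
import re

# Markers of the technique above: a UNION-appended query, MySQL's file-write
# primitive, and the quote-plus-comment tail that terminates the statement.
SUSPICIOUS = re.compile(
    r"(union\s+(all\s+)?select|into\s+(out|dump)file|'\s*(or|and)\b|--\s*-?\s*$)",
    re.IGNORECASE,
)
# Assumed log format (constructed): the Cookie header is the last quoted field.
COOKIE_FIELD = re.compile(r'"([^"]*)"\s*$')

def decode_cookie(value):
    """Plaintext of the cookie if it is valid base64 (an assumption), else the raw value."""
    try:
        return base64.b64decode(value.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError, ValueError):
        return value

def extract_cookie(line, name="queue"):  # cookie name is hypothetical
    m = COOKIE_FIELD.search(line)
    if not m:
        return None
    for part in m.group(1).split(";"):
        key, _, val = part.strip().partition("=")
        if key == name:
            return val
    return None

def flag_lines(lines):
    """Return decoded cookie values that look like SQL injection attempts."""
    hits = []
    for line in lines:
        cookie = extract_cookie(line)
        if cookie is not None:
            plain = decode_cookie(cookie)
            if SUSPICIOUS.search(plain):
                hits.append(plain)
    return hits

# Constructed sample lines: a benign queue position, the injection shape from the
# post re-encoded the way the application expects, and a raw tautology probe.
PREFIX = '10.0.0.9 - - [13/Aug/2021:10:01:02 +0000] "GET / HTTP/1.1" 200 512 "queue='
SAMPLE_LOG = [
    PREFIX + base64.b64encode(b"position=17").decode() + '"',
    PREFIX + base64.b64encode(
        b"17' UNION SELECT 1,0x41 INTO OUTFILE '/var/www/html/x.php'-- -").decode() + '"',
    PREFIX + "17' OR 1=1-- -" + '"',
]
```

Alerting on the decoded value rather than the raw cookie is the point: the encoding that hides the queue position from a casual reader hides the injection from a naive grep just as well.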
The shell belongs to user www-data. Nonetheless, you can still access user dylan's home. There is an interesting readable file there; it seems to be a log of SSH accesses. Check it thoroughly, as dylan seems to have put his password where his username should go, meaning you can now SSH into the box as dylan.
Retrieve the first flag and examine the box. There is a service running on port 3000; port forward it using SSH. It is a Gitea server, but logging in as dylan requires a 2FA step we cannot bypass right now. Look for the folder where this server keeps its data and you will find its DB as well. Check it out (either copy it to your machine or use python's sqlite3 module to interact with it): you can completely disable 2FA by deleting the relevant table, thus gaining access as dylan.
Now you can modify dylan's repo git hooks. Just add a bash reverse shell line at the end of the pre-receive hook, then make a modification to one of the files and commit, causing its execution and, thus, gaining a reverse shell as user git.
Now git runs in a different environment, but the /data/gitea directory seems to be shared between environments. As you can run commands as root in this environment (run sudo -l to confirm this is indeed the case), just copy a suid version of /bin/bash there and run it from dylan's environment, gaining root access to the box. Get your second flag; your job here is done.