Machine Synopsis

Vessel is a hard Linux machine that begins with directory enumeration which reveals a `.git` source for a web application running on port 80. After extracting the contents of the web application using a tool called `git-dumper` , we find out that the application is using the `MySQLJs` NPM library which is vulnerable to SQL injection. Using SQL injection, an attacker can bypass authentication and get admin access on `vessel.htb`. In the admin dashboard of `vessel.htb` we discover a subdomain called `openwebanalytics`. The `openwebanalytics.vessel.htb` is hosting `Open Web Analytics` version 1.7.3 which is vulnerable to [CVE-2022-24637](https://devel0pment.de/?p=2494) which allows the attacker to reset the admin's password and alter configurations to inject PHP code into a log file leading to remote code execution. After getting RCE there is a binary file named `passwordGenerator` and a password-protected PDF file in the `steven` user's home directory. Reverse engineering `PasswordGenerator` with `Uncompyle6` reveals a hashing algorithm that is used to compose our brute force to crack the previously found PDF which contains the password for the `Ethan` user. Running `LinPEAS` on the machine shows that there is an unknown SUID binary named `pinns` that it's related to CRI-O engine. Additional investigation reveals a [recent vulnerability in CRI-O](https://www.crowdstrike.com/blog/cr8escape-new-vulnerability-discovered-in-cri-o-container-engine-cve-2022-0811/), which leads the attacker to gain code execution as the `root` user.