tl;dr

  • Fuzzing to find the /internal endpoint
  • Chaining CVE-2023-24329 and the SSRF in the /okay endpoint to access the internal docker registry host.
  • Downloading image blobs using the docker registry API.
  • Using CVE-2024-21488 to get RCE on the vec service.
  • As the templates directory of the core service is cross-mounted, we can modify the index.html file from the vec service to get RCE on the core service.
  • Hence we can read the flag from the core service.
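The second bullet works because, on affected Python versions, urlparse() returns an empty scheme and host for a URL with leading blanks, so a blocklist keyed on the parsed host never fires. The defensive counterpart, as an added example that is not the writeup's own code, is to refuse such input before parsing and to allowlist scheme and host instead of blocklisting; ALLOWED_HOSTS is an assumed placeholder.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Hypothetical allowlist of hosts an internal fetcher may contact (assumption).
ALLOWED_HOSTS = {"api.example.com"}
ALLOWED_SCHEMES = {"http", "https"}

# Leading/trailing C0 control characters and space: the input class that
# CVE-2023-24329 abused to make urlparse() report no scheme and no netloc.
_EDGE_BLANKS = re.compile(r"^[\x00-\x20]+|[\x00-\x20]+$")


def is_safe_url(url: str) -> bool:
    """Allowlist-based SSRF target check; returns True only for URLs that
    are clean, use http(s), name an allowlisted host, and carry no userinfo."""
    # Refuse input that would parse differently before and after trimming,
    # rather than silently repairing it and trusting the result.
    if _EDGE_BLANKS.sub("", url) != url:
        return False
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False
    # "http://trusted@127.0.0.1/" parses with hostname 127.0.0.1; reject userinfo outright.
    if parts.username is not None or parts.password is not None:
        return False
    host = parts.hostname  # urlsplit lowercases this and strips IPv6 brackets
    if host is None:
        return False
    try:
        ipaddress.ip_address(host)
        return False  # literal IPs (127.0.0.1, ::1, 169.254.169.254, ...) are never allowlisted
    except ValueError:
        pass
    return host in ALLOWED_HOSTS
```

The check deliberately does not resolve names, so DNS rebinding of an allowlisted host is out of scope here and needs a resolver-level control.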