Machine Synopsis
Sink is an insane Linux machine that features an application which is vulnerable to an HTTP Desync attack. Exploiting this vulnerability gives access to a highly privileged user on the application. This privilege gives access to the Gitea service. Enumeration of repositories leads to a private key leak, which can be used to gain a foothold on the system. Enumerating the SecretsManager service reveals credentials which assist in moving laterally. System access can be obtained by decrypting a file using the KMS service.