The Great Escape Tryhackme Writeup

By Shamsher khan This is a Writeup of Tryhackme room “The Great Escape”

https://tryhackme.com/room/thegreatescape

Room link: https://tryhackme.com/room/malstrings
Note: This room is free

Docker, Networks, and Container Escapes; Oh My!

I wanted to explore the concept of a Docker Escape. Docker is an extremely useful tool which allows us to isolate applications from each other and the host OS without having to resort to virtual machines. Properly configured it can be very secure, though miscommunications can introduce massive security holes, which we shall soon see.

Enumeration

Let’s take a look at the web server for now.

On the homepage, we see an admin section. Clicking into it there’s a login form. Trying something like admin:password calls an api which returns a 401: Unauthorized response. Moreover, trying to register a new user throws an error saying signups are disabled.

Perhaps we can brute force the login?

Brute Force Login

hydra -l admin -P /usr/share/wordlists/rockyou.txt 'http-post://$TARGET_IP/api/login/:{"username"\:"^USER^","password"\:"^PASS^"}:H=Content-Type\:application/json:F=ERROR'

Getting a lot of 503 errors

Directory Scanning

Hint is indicate the file name is “well known” create wordlist

wellknown
well-known
.well-known
.wellknown
WELLKNOWN
Wellknown
WEllknown
WeLlknwn
WELLknown
......
......
etc

Gobuster

So this means that everything we try returns a 200 status.

Armed with this information, we know that 200 response codes are bad, but other response codes (such as a 302) maybe indicate a directory is present. Let’s rerun our Gobuster command, but we’ll specify which response codes we want returned.

Checking the help page, we can see that Gobuster accepts the following response codes; “200,204,301,302,307,401,403”.

Remove status code 200

gobuster dir -u http://10.10.211.97/ -w /usr/share/wordlists/dirb/common.txt -s "204,301,302,307,401,403"

Gobuster didn’t work on http://10.10.207.227/.well-known

so we try dirb

So here we found security.txt file

Using curl, we can get the first flag:

Another common file on servers is the robots.txt file. Our nmap scan showed us the presence of this file with a few disallowed entries, let’s take a closer look:

We already know about the api route, but what’s this exif-util thing? Let’s take a look:

The upload functionality did not helped much.

From URL Checking if the URL parameter is vulnerable to SSRF

Port 8080 was found by brute forcing common ports.

The url called a new route

/api/exif?url=http:%2F%2F127.0.0.1:8080

This also did not lead me to any where so not the another entry in the robots file can be used

/*.bak.txt

I bruteforced the for the well known files and found

exif-util.bak.txt

Now we found a new host api-dev-backup which should be a docker container. Since this is a development backup I tried different injection techniques. At last found a command injection

http://10.10.193.190/api/exif?url=http://api-dev-backup:8080/exif?url=/etc/passwd

Banned words which means there must be some filter going on

Let’s try other commands

Which means something is running. it read id command as file name . Lets try other payloads

And we successfully executed the command. We are root, but just on the docker container.

I tried to get a reverse shell but was unsuccessful. It looks like the all the outgoing traffic is blocked by the firewall. So, I manually started going through the container.

here we found git Let’s enumerate this

We can see that are three commits. So, lets check those out.

We found root Flag

Just knock on port 42,1337,10420,6969,63000

the default docker port is 2375 Let’s check if it is or not

The next 2 steps I give might be unnecessary but I did it anyways where I added the machine IP with the docker port to tell docker to trust this instance and then restarted it

sudo vim /etc/docker/daemon.json

I restarted my docker service by stopping it and then starting it again after waiting for at least 30 seconds.

sudo systemctl stop docker
<Wait 30 seconds>
sudo systemctl start docker

We can successfully list the docker images using the API.

Getting root shell

Here I have created a container from frontend image on an interactive mode executing sh binary. The root file system of the host will be mounted on the /mnt directory of the container and the root of the container is changed to /mnt.

You can find me on:
LinkedIn:- https://www.linkedin.com/in/shamsher-khan-651a35162/
Twitter:- https://twitter.com/shamsherkhannn
Tryhackme:- https://tryhackme.com/p/Shamsher

For more walkthroughs stay tuned…
Before you go…

Visit my other walkthrough’s:-

and thank you for taking the time to read my walkthrough.
If you found it helpful, please hit the 👏 button 👏 (up to 40x) and share
it to help others with similar interests! + Feedback is always welcome!

Web Application Pen-tester || CTF Player || Security Analyst || Freelance Cyber Security Trainer