Nmap Scan
We start with nmap to find open ports on the machine.
nmap -sC -sV -oA thenotebook 10.10.10.230
Nmap scan report for 10.10.10.230
Host is up (0.11s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 86:df:10:fd:27:a3:fb:d8:36:a7:ed:90:95:33:f5:bf (RSA)
| 256 e7:81:d6:6c:df:ce:b7:30:03:91:5c:b5:13:42:06:44 (ECDSA)
|_ 256 c6:06:34:c7:fc:00:c4:62:06:c2:36:0e:ee:5e:bf:6b (ED25519)
80/tcp open http nginx 1.14.0 (Ubuntu)
|_http-server-header: nginx/1.14.0 (Ubuntu)
|_http-title: The Notebook - Your Note Keeper
10010/tcp filtered rxapi
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernelService detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 18.20 seconds
We have Two open ports, ssh on port 22 and http on port 80 and they don’t have any serious vulnerabilities (just google the service version followed by “exploit”) . Nothing to do with ssh as we don’t have any credentials, so lets check port 80.
Enumeration
I checked the page source code but nothing there, i also ran gobuster and found /admin directory that returns 403 forbidden.
Lets register an account and launch our proxy (ZAP or Burp suite) to understand the request being sent.
Then i intercepted the request and found a cookie “auth” which is a JWT token.
Cookie: auth=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6Imh0dHA6Ly9sb2NhbGhvc3Q6NzA3MC9wcml2S2V5LmtleSJ9.eyJ1c2VybmFtZSI6ImVtYm8iLCJlbWFpbCI6ImVtYm9AZW1iby5jb20iLCJhZG1pbl9jYXAiOjB9.DRA8EpL1uaL7OtGuN-mBu3vibT-vJ0UoImc48pwmhzd5IhWUScg1rcj0r2jCjhmyNORJ4Ec0kOpGOoEFi94sVAtbzbd5AYWfO5nHWr87UU88sfjZrGJWtldX1VVTcQ_Yg9nHZwkD4YkbiQZXKaqkhe3n0Kl7hUQ5QV7Jyfn2N6pTEK27dN46HcgaaL8H-wowfsKp0As-HcTuFf6Y2TjfhwYbye7pdzcDXa9v9rzMAXgh4t4P7kyd2JaGP3SRcCKCpYicdZ_awvSdIrH7bf68ljZW0s0-myNiFEI2yjRqYhPBs0YUn5U_Fp932rD-T7QMssUK0hcT3wd-Oqv7JJXltHh6VVNanrWDXZVb2HJaFal-zpIx5ORBRfAqErl9aGesUP-vD0cHuKGErUDjlC_mwgh8RPlOq1hMqBW0UdPjePpB6m_xJGv07gwkVn6WrmPvK_vspuU7qrsDan7lhTgKLb7Jk7yEHzFsryYQH1Xsuposkm3DsvM0rmd11mXXgHUqPQVpkfkcAQvpjb242qoQNK0-nfs1qfiU1AOfQBm6EdBubbbY8HGRqbcJsXk2n1BmGWhrB2EKis_F-fSZM6oKYuOtchmSEbpsQBx09wPeQyMtFdfOM6Z5SKIFaKZ1anxqEocXDobB_W8CaheJZ-wMVXm9iM9YWhkNKxqSChSgOVk; uuid=08bc057c-18c8-4661-b8f8-d3227d0fc4a7
So i opened jwt.io and pasted the token to decode it.
The key in kid parameter is used to secure the token header. So i am going to host a new private key on my server and create a new token based on that key.
openssl genrsa -out privKey.key 2048
python3 -m http.serverInitial Foothold
Now lets change the kid parameter value to my private key path and also paste the private key in verify signature section and change admin_cap to 1.
Then copy the token and replace it with ZAP (or firefox developer’s tool) and try to visit /admin.
And we got access to /admin. There is View Notes and Upload Files.
There is a note from the admin says that they have an issue where PHP files are being executed :/. This can be a potential security issue for the server.
Lets try to upload a php reverse shell and run a netcat listener. And the file has been uploaded successfully, now click view.
And we got a shell on the box as www-data.
Lateral Movement
While enumerating the box, i found .bash_history in /var/www/
The owner of the box just did cd /var/backups/ and ran a web server on this directory.
Going to /var/backups/, there is a file that has read permission for anyone home.tar.gz.
So lets do the same as he did, lets download the file to our machine and extract it tar -xzvf home.tar.gz. It is the home directory of user noah, so lets get noah's ssh private key and login with it.
-----BEGIN RSA PRIVATE KEY-----
MIIEpQIBAAKCAQEAyqucvz6P/EEQbdf8cA44GkEjCc3QnAyssED3qq9Pz1LxEN04
HbhhDfFxK+EDWK4ykk0g5MvBQckcxAs31mNnu+UClYLMb4YXGvriwCrtrHo/ulwT
rLymqVzxjEbLUkIgjZNW49ABwi2pDfzoXnij9JK8s3ijIo+w/0RqHzAfgS3Y7t+b
HVo4kvIHT0IXveAivxez3UpiulFkaQ4zk37rfHO3wuTWsyZ0vmL7gr3fQRBndrUD
v4k2zwetxYNt0hjdLDyA+KGWFFeW7ey9ynrMKW2ic2vBucEAUUe+mb0EazO2inhX
rTAQEgTrbO7jNoZEpf4MDRt7DTQ7dRz+k8HG4wIDAQABAoIBAQDIa0b51Ht84DbH
+UQY5+bRB8MHifGWr+4B6m1A7FcHViUwISPCODg6Gp5o3v55LuKxzPYPa/M0BBaf
Q9y29Nx7ce/JPGzAiKDGvH2JvaoF22qz9yQ5uOEzMMdpigS81snsV10gse1bQd4h
CA4ehjzUultDO7RPlDtbZCNxrhwpmBMjCjQna0R2TqPjEs4b7DT1Grs9O7d7pyNM
Um/rxjBx7AcbP+P7LBqLrnk7kCXeZXbi15Lc9uDUS2c3INeRPmbFl5d7OdlTbXce
YwHVJckFXyeVP6Qziu3yA3p6d+fhFCzWU3uzUKBL0GeJSARxISsvVRzXlHRBGU9V
AuyJ2O4JAoGBAO67RmkGsIAIww/DJ7fFRRK91dvQdeaFSmA7Xf5rhWFymZ/spj2/
rWuuxIS2AXp6pmk36GEpUN1Ea+jvkw/NaMPfGpIl50dO60I0B4FtJbood2gApfG9
0uPb7a+Yzbj10D3U6AnDi0tRtFwnnyfRevS+KEFVXHTLPTPGjRRQ41OdAoGBANlU
kn7eFJ04BYmzcWbupXaped7QEfshGMu34/HWl0/ejKXgVkLsGgSB5v3aOlP6KqEE
vk4wAFKj1i40pEAp0ZNawD5TsDSHoAsIxRnjRM+pZ2bjku0GNzCAU82/rJSnRA+X
i7zrFYhfaKldu4fNYgHKgDBx8X/DeD0vLellpLx/AoGBANoh0CIi9J7oYqNCZEYs
QALx5jilbzUk0WLAnA/eWs9BkVFpQDTnsSPVWscQLqWk7+zwIqq0v6iN3jPGxA8K
VxGyB2tGqt6jI58oPztpabGBTCmBfh82nT2KNNHfwwmfwZjdsu9I9zvo+e3CXlBZ
vglmvw2DW6l0EwX+A+ZuSmiZAoGAb2mgtDMrRDHc/Oul3gvHfV6CYIwwO5qK+Jyr
2WWWKla/qaWo8yPQbrEddtOyBS0BP4yL9s86yyK8gPFxpocJrk3esdT7RuKkVCPJ
z2yn8QE6Rg+yWZpPHqkazSZO1eItzQR2mYG2hzPKFtE7evH6JUrnjm5LTKEreco+
8iCuZAcCgYEA1fhcJzNwEUb2EOV/AI23rYpViF6SiDTfJrtV6ZCLTuKKhdvuqkKr
JjwmBxv0VN6MDmJ4OhYo1ZR6WiTMYq6kFGCmSCATPl4wbGmwb0ZHb0WBSbj5ErQ+
Uh6he5GM5rTstMjtGN+OQ0Z8UZ6c0HBM0ulkBT9IUIUEdLFntA4oAVQ=
-----END RSA PRIVATE KEY-----chmod 600 id_rsa
ssh -i id_rsa noah@10.10.10.230
Getting root
Running sudo -l we can run docker exec -it webapp-dev01* as root
Also checking the docker version (18.06.0-ce)
Looking for an exploit for this version, found this github repo.
https://github.com/Frichetten/CVE-2019-5736-PoC
How do i run it?
Modify the code however you see fit and compile it with
go build main.go. Move that binary to the container you'd like to escape from. Execute the binary, and then the next time someone attaches to it and calls/bin/shyour payload will fire.
Running the exploit on the docker as described in the repository…
we got that error when trying to run /bin/sh on the docker, and successfully wrote /tmp/shadow.
Now lets modify the main.go to give us a reverse shell instead of copying the shadow file and recompile it again.
Running the exploit again and listening with netcat for incoming connection…
Got a root shell !
