Hi all, I pwned this box a long time ago but totally forgot to do a writeup haha! :D It is a really interesting box, let's start!
You can find the machine there > infovore
Enumeration/Reconnaissance
Let's always start with nmap.
Let's run gobuster on it.
Nothing interesting, so I decided to fuzz the parameter on index.php using wfuzz:
LFI + phpinfo = RCE - shell as www-data
We have LFI:
Nothing interesting.. and the LFI seems to allow only /etc/passwd. After some google-fu I found a really interesting tool: LFI+phpinfo=RCE.
We have LFI + phpinfo (info.php), so let's download & edit the exploit:
1) We have to add our IP & port for the reverse shell:
2) We have to edit this:
3) And finally this, to add our LFI parameter:
Save & close, then execute it:
We have shell!
www-data -> root
Now we're inside a docker container. I'll show you some ways to tell whether you're inside a docker container.
An easy way is the container ID in the command prompt -> www-data@e71b67461f6c
Another way: under the root directory you can see this:
.dockerenv contains the environment variables.
And the last way is via cgroups (control groups):
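Here is the same three-way check as a small shell script, added here as an example and not part of the original writeup; it is handy for responders triaging a shell that unexpectedly landed in a container. The function names and the 0..3 score are my own; the defaults read the live system, and the cgroup check only works on cgroup v1 hosts, since cgroup v2 shows `0::/` inside the container.

```shell
#!/bin/sh
# Added example (not from the original writeup): an "am I in a Docker
# container?" check built from the three indicators the post lists. Each
# function takes its input as an argument so it can be exercised on
# constructed values; the defaults read the live system.

# 1) Hostname: Docker sets it to the first 12 hex chars of the container ID
#    (the "e71b67461f6c" seen in the prompt). Argument: a hostname string.
looks_like_container_id() {
    printf '%s\n' "$1" | grep -Eq '^[0-9a-f]{12}$'
}

# 2) Marker file: /.dockerenv exists in Docker containers. On current Docker
#    versions the file is usually empty; its presence is the signal.
#    Argument: path to test (default /.dockerenv).
has_dockerenv() {
    [ -f "${1:-/.dockerenv}" ]
}

# 3) cgroups: PID 1's cgroup paths contain "docker" on a cgroup v1 host.
#    Argument: path of a cgroup file to read (default /proc/1/cgroup).
cgroup_mentions_docker() {
    grep -q docker "${1:-/proc/1/cgroup}" 2>/dev/null
}

# Combine the indicators. Prints how many fired (0..3) and returns success
# if at least one did. Arguments: hostname, dockerenv path, cgroup path.
container_score() {
    host="${1:-$(uname -n)}"; envfile="${2:-/.dockerenv}"; cg="${3:-/proc/1/cgroup}"
    score=0
    looks_like_container_id "$host" && score=$((score + 1))
    has_dockerenv "$envfile" && score=$((score + 1))
    cgroup_mentions_docker "$cg" && score=$((score + 1))
    echo "$score"
    [ "$score" -gt 0 ]
}

# Run against the live system when invoked as: sh container_check.sh --check
if [ "${1:-}" = "--check" ]; then
    container_score >/dev/null && echo "docker indicators present" || echo "no docker indicators"
fi
```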
Let's continue. Under the root directory we can see a .tgz file; let's extract it.
Let’s crack it.
Now we can log in as root. We'll use a trick here to spawn a PTY (pseudo-terminal):
We’re not done yet! :)
Escaping the dockerland - admin -> root
Now we have to escape docker and jump to the main host. Under .ssh we can see an SSH private/public key pair. The public key gives us a username/IP.
Let's connect to the main host:
Here we go. Now privesc to root is simple: user admin is in the docker group, so let's run this and get a root shell:
That was an awesome box! :D