Dockerlabs - HedgeHog

HedgeHog

✌️ Introduction

We will solve the HedgeHog machine from Dockerlabs, which will allow us to achieve the following learning objectives:

• Use a brute-force attack to compromise SSH.

• Use the tac tool to reverse a text file.

• Use the sed tool to clean a text file.

🔎 Initial Scan

First, we will deploy the machine with Docker and obtain the target machine’s IP address.

Deploy Machine

We will use Nmap to scan open ports and gather information about them.

The scan results show two open ports: port 22 (SSH) and port 80 (HTTP).

Initial Scan

📝 Service Investigation

We visit the website and see a simple word: ‘tails’.

Website

Since we didn’t find anything else that could help us with the machine, we’ll see if the word we found is a possible user.

💣 Exploitation

So, using Hydra, we run a brute-force attack against SSH to find a password associated with ‘tails’.

After a while, Hydra still hasn’t found a possible password. So, considering that the word ‘tails’ could mean something else, we reverse the rockyou word list so Hydra starts from the bottom up.

To do this, we’ll use the tac tool and save the result as rockyou_invertido.txt.

tac tool

We check the file and notice that there are unnecessary spaces that might affect the password.

rockyou_invertido

We use the sed tool with the following parameters to remove extra spaces.

rockyou_invertido_clean
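The two file-preparation steps above as one function, added here as an example (not the author's commands, which appear only in the screenshots). The function name, the sample file and the exact sed expressions are assumptions; it trims before reversing so that a final line with no trailing newline is not merged with its neighbour by tac.

```shell
#!/bin/sh
# Added example: clean a word list and write it out in reverse line order.
# reverse_and_clean, the sample file and the sed expressions are assumptions,
# not the commands used in the original write-up.

# reverse_and_clean IN OUT
#   - strips carriage returns (files edited on Windows)
#   - strips leading/trailing blanks but keeps spaces inside an entry
#   - drops empty lines
#   - reverses the line order with tac
reverse_and_clean() {
    in=$1
    out=$2
    [ -r "$in" ] || { echo "cannot read: $in" >&2; return 1; }
    # The extra echo guarantees the last entry ends in a newline; without it
    # tac would glue an unterminated last line to the line before it.
    # If the file already ends in a newline, the added empty line is deleted.
    { cat -- "$in"; echo; } \
        | tr -d '\r' \
        | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^$/d' \
        | tac > "$out"
}

# Constructed sample input: stray blanks, a CRLF line, an empty line,
# an entry with an internal space, and no newline after the last entry.
demo_dir=$(mktemp -d)
printf '  alpha\nbravo  \r\n\n\tcharlie delta\t\necho' > "$demo_dir/sample.txt"

reverse_and_clean "$demo_dir/sample.txt" "$demo_dir/sample_reversed.txt"

# Show the result with line ends made visible ($ marks the end of each line).
sed -n 'l' "$demo_dir/sample_reversed.txt"
rm -rf "$demo_dir"
```

Checking the output with `sed -n 'l'` (or `cat -A`) makes any remaining trailing blanks visible, which is the same problem the write-up spotted by eye.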

We run Hydra again with the inverted file, and this time it quickly obtains the password. It tells us that it is ‘3117548331’.

Using Hydra

👊 SSH Access

Now, we’ll use the obtained credentials to try accessing SSH.

We’ve successfully logged into the system using the ‘tails’ user credentials.

Log in

🔑 Privilege Escalation

We check whether we can find anything that would help us escalate privileges and discover that the user ‘sonic’ can execute any command.

Find user

So, we escalate to ‘sonic’ by getting a bash shell.

Sonic bash shell

Once again, we search and find that any user can run any command, so we escalate to root by getting a bash shell.

Root bash shell 1

Root bash shell 2

After running the command, we get a shell, and upon checking, we see that we are now the root user.

Root bash shell 3

🏁 Conclusion

By solving this machine, you learn to use tools like Hydra, sed, and tac to perform brute-force attacks and manipulate files. You also get familiar with identifying users and credentials, as well as escalating privileges, like when you gain root access through a bash shell. Overall, it helps strengthen key skills in penetration testing and security.

