Table of contents

  1. Dockerlabs - Obsession
  2. Obsession
  3. ✌️ Introduction
  4. 🔎 Initial Scan
  5. 📝 Fuzzing
  6. 👊 SSH Brute-Force Attack
  7. 🔑 Privilege Escalation
  8. 🏁 Conclusion
Dockerlabs - Obsession Dockerlabs - Obsession

Dockerlabs - Obsession

6/29/2025 / 6 minutes to read / Tags: Dockerlabs, Fuzzing, Login Cracker, Binaries

Obsession

✌️ Introduction

We will solve the Obsession machine from Dockerlabs, which will allow us to achieve the following learning objectives:

•Execute an exploit to attack the FTP service.

•Use fuzzing on a website to find vulnerabilities.

•Perform a brute-force attack to compromise SSH.

•Escalate privileges using binaries.

🔎 Initial Scan

First, we will deploy the machine with Docker and obtain the target machine’s IP address.

Deploy Machine

We will use Nmap to scan open ports and gather information about them.

Initial Scan

The scan results show three open ports: port 21 (FTP), port 22 (SSH) and port 80 (HTTP).

We will first focus on the FTP port, as the scan indicates that the service is unprotected and can be accessed without a password.

FTP

Once inside the FTP, we find two text files, which we download to our machine for review.

FTP text files

After reviewing the files, we have possible usernames that we could use. But before proceeding, we check the website to see if there is anything useful.

FTP text files 2

📝 Fuzzing

When we check the webpage, we see that it has content, so we first inspect the page’s source code and find a line that mentions the same user is being used for all services.

Web

Web source's code

We conducted a web fuzzing attack to gather more information, and the results revealed two interesting directories that we reviewed.

Fuzzing attack

In the backup directory, we find a text file that provides the username used for the services.

Backup directory

Backup directory1

In the important directory, there is a manifest that does not provide useful information for the attack.

Important directory

Important directory1

👊 SSH Brute-Force Attack

Once we are sure of one of the usernames, we proceed to perform a brute force attack with Hydra, successfully finding the password for the user russoski:iloveme.

Hydra

We log in via SSH with the obtained credentials and immediately look for misconfigured permissions, as mentioned in one of the text files. We find that we can run the VIM binary.

SSH

Find VIM binary

🔑 Privilege Escalation

We go to GTFOBins to find the right command to use the VIM binary for privilege escalation.

GTFOBins

Finally, after executing the command, we have managed to escalate privileges and verify that we are the root user.

Root user

🏁 Conclusion

By exploiting weak configurations, we gained access to sensitive information through FTP and web fuzzing. After cracking a password with Hydra, we used the VIM binary to escalate privileges and ultimately gained root access. This demonstrates the importance of proper service and permission management.

← Back to Write Ups