Dockerlabs - Trust Dockerlabs - Trust

Dockerlabs - Trust

Trust

✌️ Introduction

We will solve the Trust machine from Dockerlabs, which will allow us to achieve the following learning objectives:

•Use fuzzing on a website to find vulnerabilities.

•Perform a brute-force attack to compromise SSH.

•Escalate privileges using binaries.

🔎 Initial Scan

First, we will deploy the machine with Docker and obtain the target machine’s IP address.

Deploy MAchine

We will use Nmap to scan open ports and gather information about them.

Initial Scan

The scan results show two open ports: port 22 (SSH) and port 80 (HTTP).

We will focus on port 80. When we enter the IP address in the browser, we see the default Apache service page.

📝 Enumeration

Default Apache

Since we don’t find anything useful there, we will use Gobuster to enumerate hidden directories and files on the website.

After running the scan, the tool reveals an interesting result: a PHP directory called /secret.php. We proceed to check this section of the website to see what’s there.

Results Gobuster

In the secret.php file, we find only a message. This message includes a name, which could be a username.

PHP directory

👊 SSH Brute-Force Attack

Remembering that port 22 (SSH) is open, we will attempt a brute-force attack using the username “Mario”.

For this, we will use the Hydra tool to try and obtain the user’s password.

Hydra tool

🔑 Privilege Escalation

After completing the attack, we find that the password for user Mario is “chocolate.”

We then log in via SSH with the credentials we obtained. We successfully connect, but we are not the root user yet.

Results Hydra

To escalate privileges, we check if the user Mario can execute commands with sudo privileges.

We discover that Mario can run /usr/bin/vim as the root user.

Check privileges

💣 Exploitation

We will exploit this to escalate our privileges. To do this, we use the gtfobins page, which provides us with a command to exploit the execution of the VIM binary.

Search Binary

After running the command, we get a shell, and upon checking, we see that we are now the root user.

Search Binary

🏁 Conclusion

Through this process, we successfully completed the Trust machine challenge from Dockerlabs. By using fuzzing, a brute-force attack, and exploiting a misconfiguration in sudo permissions, we gained full control over the system. This exercise is valuable for learning exploitation techniques and how to identify common vulnerabilities.


← Back to Write Ups