Intro
Hi, after some time, I write again a small WriteUp. Today it's about the CTF "Umbrella". This CTF-Challenge can be found at the platform TryHackMe. You have to find 3 flags in this challenge.
I changed for consitency, the ip addresses to 10.10.201.66 because I had to reset the box, after crashing it. If there is the ip address 10.10.53.46 this in some screenshots it's the old crashed box 😅
Discovery
The first thing what I do is to fire up Kali Linux and run an nmap scan on that host.
Starting Nmap 7.94 ( https://nmap.org ) at 2024-02-03 10:15 CET
NSE: Loaded 156 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 10:15
Completed NSE at 10:15, 0.00s elapsed
Initiating NSE at 10:15
Completed NSE at 10:15, 0.00s elapsed
Initiating NSE at 10:15
Completed NSE at 10:15, 0.00s elapsed
Initiating Ping Scan at 10:15
Scanning 10.10.201.66 [4 ports]
Completed Ping Scan at 10:15, 0.07s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 10:15
Completed Parallel DNS resolution of 1 host. at 10:15, 0.05s elapsed
Initiating SYN Stealth Scan at 10:15
Scanning 10.10.201.66 [65535 ports]
Discovered open port 8080/tcp on 10.10.201.66
Discovered open port 22/tcp on 10.10.201.66
Discovered open port 3306/tcp on 10.10.201.66
Discovered open port 5000/tcp on 10.10.201.66
Completed SYN Stealth Scan at 10:16, 27.83s elapsed (65535 total ports)
Initiating Service scan at 10:16
Scanning 4 services on 10.10.201.66
Completed Service scan at 10:16, 37.23s elapsed (4 services on 1 host)
Initiating OS detection (try #1) against 10.10.201.66
Retrying OS detection (try #2) against 10.10.201.66
Retrying OS detection (try #3) against 10.10.201.66
Retrying OS detection (try #4) against 10.10.201.66
Retrying OS detection (try #5) against 10.10.201.66
Initiating Traceroute at 10:17
Completed Traceroute at 10:17, 0.05s elapsed
Initiating Parallel DNS resolution of 2 hosts. at 10:17
Completed Parallel DNS resolution of 2 hosts. at 10:17, 0.04s elapsed
NSE: Script scanning 10.10.201.66.
Initiating NSE at 10:17
Completed NSE at 10:17, 2.10s elapsed
Initiating NSE at 10:17
Completed NSE at 10:17, 0.65s elapsed
Initiating NSE at 10:17
Completed NSE at 10:17, 0.02s elapsed
Nmap scan report for 10.10.201.66
Host is up (0.050s latency).
Not shown: 65531 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 f0:14:2f:d6:f6:76:8c:58:9a:8e:84:6a:b1:fb:b9:9f (RSA)
| 256 8a:52:f1:d6:ea:6d:18:b2:6f:26:ca:89:87:c9:49:6d (ECDSA)
|_ 256 4b:0d:62:2a:79:5c:a0:7b:c4:f4:6c:76:3c:22:7f:f9 (ED25519)
3306/tcp open mysql MySQL 5.7.40
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=MySQL_Server_5.7.40_Auto_Generated_Server_Certificate
| Issuer: commonName=MySQL_Server_5.7.40_Auto_Generated_CA_Certificate
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2022-12-22T10:04:49
| Not valid after: 2032-12-19T10:04:49
| MD5: c512:bd8c:75b6:afa8:fde3:bc14:0f3e:7764
|_SHA-1: 8f11:0b77:1387:0438:fc69:658a:eb43:1671:715c:d421
| mysql-info:
| Protocol: 10
| Version: 5.7.40
| Thread ID: 4
| Capabilities flags: 65535
| Some Capabilities: SupportsLoadDataLocal, ConnectWithDatabase, DontAllowDatabaseTableColumn, SupportsTransactions, ODBCClient, IgnoreSigpipes, LongColumnFlag, IgnoreSpaceBeforeParenthesis, SwitchToSSLAfterHandshake, Speaks41ProtocolNew, FoundRows, InteractiveClient, LongPassword, Support41Auth, SupportsCompression, Speaks41ProtocolOld, SupportsMultipleResults, SupportsAuthPlugins, SupportsMultipleStatments
| Status: Autocommit
| Salt: :\x19\x01'k[zOJmbr-nuMv m\x01
|_ Auth Plugin Name: mysql_native_password
5000/tcp open http Docker Registry (API: 2.0)
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-title: Site doesn't have a title.
8080/tcp open http Node.js (Express middleware)
|_http-open-proxy: Proxy might be redirecting requests
|_http-title: Login
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.94%E=4%D=2/3%OT=22%CT=1%CU=37510%PV=Y%DS=2%DC=T%G=Y%TM=65BE0492
OS:%P=x86_64-pc-linux-gnu)SEQ(SP=107%GCD=1%ISR=10A%TI=Z%CI=Z%II=I%TS=A)OPS(
OS:O1=M508ST11NW7%O2=M508ST11NW7%O3=M508NNT11NW7%O4=M508ST11NW7%O5=M508ST11
OS:NW7%O6=M508ST11)WIN(W1=F4B3%W2=F4B3%W3=F4B3%W4=F4B3%W5=F4B3%W6=F4B3)ECN(
OS:R=Y%DF=Y%T=40%W=F507%O=M508NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS
OS:%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=
OS:Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=
OS:R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T
OS:=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=
OS:S)
Uptime guess: 15.539 days (since Thu Jan 18 21:21:21 2024)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=263 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 443/tcp)
HOP RTT ADDRESS
1 45.67 ms 10.11.0.1
2 45.98 ms 10.10.201.66
NSE: Script Post-scanning.
Initiating NSE at 10:17
Completed NSE at 10:17, 0.00s elapsed
Initiating NSE at 10:17
Completed NSE at 10:17, 0.00s elapsed
Initiating NSE at 10:17
Completed NSE at 10:17, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 80.39 seconds
Raw packets sent: 65983 (2.907MB) | Rcvd: 65651 (2.630MB)
Nmap has discovered 4 ports. The first port is port 22, which 22 and we look later to it. The second port is 3306, which is MySQL and looks firstly very intended. The third port ist port 5000 where nmap says if is a docker registry (API version 2.0), which sounds interesting. The last port is port 8080 which look like a web application based on NodeJS (Express).
Well the first what I've done was looking for the application running on port 8080, but there was only a login window, with no hints, which brought me directly to port 5000 the docker registry.
Initial access DB
The docker registry sounds interesting because I can login to this registry for example with admin:admin
. Well, when I enter
docker login 10.10.201.66:5000
I got the error message that, the HTTPS client got a HTTP response which means after some investigation, I had to configure an insecure registry in my docker daemon config file.
I created the file /etc/docker/daemon.json
, and added the following to it.
{
"debug": true,
"insecure-registries": [ "http://10.10.201.66:5000"]
}
Then I had to restart the docker serice that I can try to login into that registry, and viola, I'm logged in.
Ok the next thing what could be done is searching for all images or listing all images with:
curl -X GET http://10.10.201.66:5000/v2/_catalog
{"repositories":["umbrella/timetracking"]}
Well, now I can pull this image and may I find someting interesting in it.
After some time of analyzing the contents of this image I realized that the credentials of the database which is MySQL are given via environment variables. Therefore I had to look into the manifest of this image may I can find the credentials there.
Well, it worked with this credentials and we have the first Flag (DB-Password)
DB Password: NXXXXXXXXXXXXXXXXX5
Now let's take look what databases are existing and what information I can get from it. Uhh, that looks pretty neat 😃
Let's crack it on CrackStation!
Initial access host
After logging in, I tried to run some service side template injection to get a shell, but no luck, I thought about what if the registry accept pulling images? Could i build my own special image based on CVE-2024-21626 and push it back to the registry in the hope that it will automatically redeploy the container with preinstalled reverse shell, and the trigger for this CVE? Also no luck! Well, I had nothing excluding bruteforcing ssh with all credentials I got.
I fired up hydra and thought, that couldn't be the intended way but you see, it is.
I logged in with the ssh credentials and year grabbed the user flag.
user.txt: THM{0000000000000000000000000000000}
Getting root
Now I had to do some privilege escalation, and i thought on running docker with host file system mounted. I looked into the docker-compose.yml file and yeah the logs folder is mounted. The logs and the content of it is also visible for the host as for the container. What if, when I copy a bash shell into it and set it with SUID to root? Then I should get root?
Well, my root shell is there, now I've to grab the root flag and I'm done 😄
root.txt: THM{0000000000000000000000000000000}
That concludes the challenge.
This challenge was fun to do as I found it very refreshing. So for beginners this is definitely recommended 😄
I hope you enjoyed it and see you next time 😄