Docker Container


After successfully exploiting the Bolt CMS instance via SSTI, I found myself inside a Docker container.

docker-compose.yml


www-data@2f9b5795d152:/var/www/talkative.htb/bolt$ cat docker-compose.yml | grep -v '^#'
version: '3.4'
 
services:
  db:
    image: mysql:5.7
    environment:
      - MYSQL_DATABASE=bolt
      - MYSQL_USER=bolt
      - MYSQL_PASSWORD=!ChangeMe!
      - MYSQL_ROOT_PASSWORD=!ChangeMe!
    volumes:
      - db-data:/var/lib/mysql:rw
      # You may use a bind-mounted host directory instead, so that it is harder to accidentally remove the volume and lose all your data!
      # - ./docker/db/data:/var/lib/mysql:rw
    ports:
      - target: 3306
        published: 3306
        protocol: tcp
 
  php:
    build:
      context: ./
      target: php
    healthcheck:
      interval: 10s
      timeout: 3s
      retries: 3
      start_period: 30s
    depends_on:
      - db
      - mailcatcher
    volumes:
      - ./:/srv/bolt:rw,cached
      - ./docker/php/conf.d/bolt.dev.ini:/usr/local/etc/php/conf.d/bolt.ini
      # if you develop on Linux, you may use a bind-mounted host directory instead
      # - ./var:/srv/bolt/var:rw
 
  nginx:
    build:
      context: ./
      target: nginx
    depends_on:
      - php
    volumes:
      - ./public:/srv/bolt/public:ro
    ports:
      - target: 80
        published: 8080
        protocol: tcp
 
  h2-proxy:
    build:
      context: ./docker/h2-proxy
    depends_on:
      - nginx
    ports:
      - target: 8443
        published: 8443
        protocol: tcp
 
  mailcatcher:
    image: schickling/mailcatcher
    ports:
      - target: 1080
        published: 1080
        protocol: tcp
 
volumes:
  db-data: {}

The docker-compose.yml file sets the MySQL environment variables, which include the DB credential bolt:!ChangeMe!. It also shows the port mapping with the host.

Unfortunately, it doesn’t appear to be a privileged Docker container.

Network


www-data@2f9b5795d152:/$ netstat
bash: netstat: command not found
www-data@2f9b5795d152:/$ ss
bash: ss: command not found
www-data@2f9b5795d152:/$ ifconfig
bash: ifconfig: command not found
www-data@2f9b5795d152:/$ ip
bash: ip: command not found

The environment is very much limited.

There are some alternative ways to check the current IP address:

www-data@2f9b5795d152:/$ hostname -I
172.17.0.13 
 
www-data@2f9b5795d152:/$ cat /etc/hosts
127.0.0.1	localhost
::1	localhost ip6-localhost ip6-loopback
fe00::0	ip6-localnet
ff00::0	ip6-mcastprefix
ff02::1	ip6-allnodes
ff02::2	ip6-allrouters
172.17.0.13	2f9b5795d152
 
www-data@2f9b5795d152:/$ cat /proc/net/fib_trie
main:
  +-- 0.0.0.0/0 3 0 5
     |-- 0.0.0.0
        /0 universe UNICAST
     +-- 127.0.0.0/8 2 0 2
        +-- 127.0.0.0/31 1 0 0
           |-- 127.0.0.0
              /32 link BROADCAST
              /8 host LOCAL
           |-- 127.0.0.1
              /32 host LOCAL
        |-- 127.255.255.255
           /32 link BROADCAST
     +-- 172.17.0.0/16 2 0 2
        +-- 172.17.0.0/28 2 0 2
           |-- 172.17.0.0
              /32 link BROADCAST
              /16 link UNICAST
           |-- 172.17.0.13
              /32 host LOCAL
        |-- 172.17.255.255
           /32 link BROADCAST
local:
  +-- 0.0.0.0/0 3 0 5
     |-- 0.0.0.0
        /0 universe UNICAST
     +-- 127.0.0.0/8 2 0 2
        +-- 127.0.0.0/31 1 0 0
           |-- 127.0.0.0
              /32 link BROADCAST
              /8 host LOCAL
           |-- 127.0.0.1
              /32 host LOCAL
        |-- 127.255.255.255
           /32 link BROADCAST
     +-- 172.17.0.0/16 2 0 2
        +-- 172.17.0.0/28 2 0 2
           |-- 172.17.0.0
              /32 link BROADCAST
              /16 link UNICAST
           |-- 172.17.0.13
              /32 host LOCAL
        |-- 172.17.255.255
           /32 link BROADCAST

The IP address is 172.17.0.13. cat /proc/net/fib_trie is new. It shows the routing information.
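The fib_trie output above gets long once a host has several interfaces. As an added example (not part of the original write-up), the function below summarises it using shell builtins only, so it still works in a stripped-down container where ip and ifconfig are missing. The function names and the trimmed sample input are constructed for illustration.

```shell
# fib_trie_summary [FILE]: reads FILE, or stdin when FILE is omitted.
# Prints "addr <ip>" for each /32 host LOCAL leaf and "net <cidr>" for each
# link-scope UNICAST route. The parser itself uses shell builtins only.
fib_trie_summary() (
    if [ -n "${1:-}" ]; then exec < "$1"; fi
    leaf="" seen="|"
    while read -r f1 f2 f3 rest; do
        case "$f1" in
            "|--") leaf=$f2; continue ;;   # leaf node: remember its address
            /*) ;;                         # route entry under the last leaf
            *) continue ;;                 # table names and "+--" nodes
        esac
        case "$f1 $f2 $f3" in
            "/32 host LOCAL") out="addr $leaf" ;;
            /*" link UNICAST") out="net $leaf$f1" ;;
            *) continue ;;
        esac
        # The "main" and "local" tables repeat entries; print each once.
        case "$seen" in *"|$out|"*) continue ;; esac
        seen="$seen$out|"
        echo "$out"
    done
)

# Constructed sample, trimmed from the output shown above.
sample_fib_trie() {
    cat <<'EOF'
main:
  +-- 0.0.0.0/0 3 0 5
     |-- 0.0.0.0
        /0 universe UNICAST
     +-- 127.0.0.0/8 2 0 2
        |-- 127.0.0.1
           /32 host LOCAL
     +-- 172.17.0.0/16 2 0 2
        |-- 172.17.0.0
           /32 link BROADCAST
           /16 link UNICAST
        |-- 172.17.0.13
           /32 host LOCAL
local:
  +-- 172.17.0.0/16 2 0 2
     |-- 172.17.0.13
        /32 host LOCAL
EOF
}
sample_fib_trie | fib_trie_summary
# On a live host: fib_trie_summary /proc/net/fib_trie
```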

SSH


www-data@2f9b5795d152:/$ apt list --installed 
 
WARNING: apt does not have a stable CLI interface. Use with caution in scripts.
 
[...REDACTED...]
 
libssh2-1/stable,now 1.9.0-2 amd64 [installed]
openssh-client/stable,now 1:8.4p1-5 amd64 [installed,automatic]
 
[...REDACTED...]

There is SSH installed within the container. I should test those earlier credentials against the host SSH.