Docker Container
Lateral movement was made, as the root user, to the Docker container hosting the ChangeDetection application.
root@ae5c137aa8ef:~# $ ll
ll
total 36K
4.0K -rw------- 1 root root 405 Sep 16 15:34 .bash_history
4.0K drwxr-xr-x 1 root root 4.0K Sep 13 12:24 ..
8.0K drwx------ 1 root root 4.0K Sep 13 12:24 .
8.0K drwxr-xr-x 1 root root 4.0K Sep 13 12:24 .local
4.0K -rw-r--r-- 1 root root 254 Apr 10 04:57 .wget-hsts
4.0K -rw-r--r-- 1 root root 571 Apr 10 2021 .bashrc
4.0K -rw-r--r-- 1 root root 161 Jul 9 2019 .profile
Interestingly, the .bash_history file is populated in the home directory of the root user.
root@ae5c137aa8ef:~# $ cat .bash_history
cat .bash_history
apt update
#YouC4ntCatchMe#
apt-get install libcap2-bin
capsh --print
clear
capsh --print
cd changedetectionio/
ls
nano forms.py
apt install nano
nano forms.py
exit
capsh --print
nano
cd changedetectionio/
nano forms.py
exit
nano changedetectionio/flask_app.py
exit
nano changedetectionio/flask_app.py
exit
nano changedetectionio/flask_app.py
nano changedetectionio/static/js/notifications.js
exit
There is a CLEARTEXT credential of the root user: #YouC4ntCatchMe#
The credential might have been reused.
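A way to catch this kind of leak during a host or image audit, as an added example that is not part of the original write-up: the function below flags history lines that look like a password typed at a shell prompt. The function name scan_history and the heuristic (a single token of 8 or more characters mixing at least three character classes) are assumptions chosen for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the original write-up): flag shell-history lines
# that look like a password typed at a prompt instead of a command.
# Heuristic (an assumption, tune per environment): the line is a single
# token, 8+ characters long, and mixes at least three of
# upper-case, lower-case, digit and punctuation.

scan_history() {
    # $1 = path to a history file
    # Prints "<line number>:<suspect line>" for every hit.
    # LC_ALL=C keeps the [A-Z]/[a-z] ranges strictly ASCII.
    LC_ALL=C awk '
        NF == 1 && length($0) >= 8 {
            classes = 0
            if ($0 ~ /[A-Z]/)        classes++
            if ($0 ~ /[a-z]/)        classes++
            if ($0 ~ /[0-9]/)        classes++
            if ($0 ~ /[^A-Za-z0-9]/) classes++
            # HISTTIMEFORMAT stamps such as "#1694872440" only reach
            # two classes, so they are not reported.
            if (classes >= 3) printf "%d:%s\n", NR, $0
        }
    ' "$1"
}

# Constructed sample input mirroring part of the history shown above.
sample=$(mktemp)
cat > "$sample" <<'EOF'
apt update
#YouC4ntCatchMe#
apt-get install libcap2-bin
capsh --print
clear
cd changedetectionio/
nano changedetectionio/flask_app.py
exit
EOF

scan_history "$sample"
rm -f "$sample"
```

Any value reported this way should be treated as exposed and rotated, and the line purged from the history file. In bash, setting HISTCONTROL=ignorespace keeps lines that start with a space out of the history.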
Validating...