
SP: Harrison vulnhub walkthrough


Today I will share my write-up for the newly published vulnhub machine called "SP: harrison". You can download it from the following URL: https://www.vulnhub.com/entry/sp-harrison,302/

In this article you will learn the following:

  • Using nmap to find open ports and running services.
  • Enumerating the SMB service using the enum4linux tool.
  • Connecting to SMB shared folders using the smbclient tool.
  • Connecting to the SSH service using a private key.
  • Escaping the restricted shell.
  • Privilege escalation using a misconfigured docker container.

The first thing to do is to find the target IP address. This can be done in many ways, but I will use an nmap ping scan over the whole network. The scan results show that the IP address of this target is 10.0.2.20.

After that, I started a full port scan on the target and found that there are only two open TCP ports (22 for the SSH service and 445 for the SMB service).

By enumerating the SMB service using the enum4linux tool, I found that there is a folder called "Private" which can be viewed by logging in anonymously (without a password). The script also found a valid user on the target machine called "harrison".

After that, I used smbclient to log in to the shared folder and explore the objects inside it. I found that it contains a directory called ".ssh", and this directory contains many files. The most important one is id_rsa, the private key that can be used to connect to the machine without needing the user's password (harrison in our case). I downloaded it to my Kali Linux machine and changed its permissions to 4000. Then I used it to log in to the SSH service.

After logging in to the SSH service, I found that the shell is a restricted shell. So, to bypass this restriction, I ran this command: "echo && 'bash'".

By moving to the root directory I found a file called flag.txt, but this file did not contain the flag. From the text in the file I learned that I was not on the target machine, which means that I was in a docker container, as shown in the image below. After a lot of research, I found that there is a technique for escalating privileges from a docker container to the host machine when the container has access to the docker socket (the docker.sock file exists in the container).

To do the privilege escalation, I first ran the following command, which returns information about all running containers on the host OS. The command shows that there is only one container running on the host.

Then, I used this feature to create a new docker container on the host which mounts the host's /root directory at /os_root inside the container, and then I started it.

The last thing to do is to access the newly created docker container. This can be done using the nc tool as follows:

Note: I tried to get a reverse shell to my Kali Linux machine using the same procedure but I failed, so I will try this again and update the article once done 😀
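From the host owner's side, the misconfiguration used above can be found by reviewing `docker inspect` output for containers that are given the docker socket or sensitive host directories. The following is an added example, not part of the original write-up: the sample data, the container names and the list of sensitive prefixes are constructed assumptions, while the `Mounts`, `HostConfig.Privileged` and `Name` fields are those of real `docker inspect` output.

```python
import json

# Constructed sample in the shape of `docker inspect` output (not taken from the page).
SAMPLE_INSPECT = json.loads("""[
 {"Name": "/web", "HostConfig": {"Privileged": false},
  "Mounts": [{"Type": "bind", "Source": "/srv/www", "Destination": "/var/www", "RW": false}]},
 {"Name": "/jail", "HostConfig": {"Privileged": false},
  "Mounts": [{"Type": "bind", "Source": "/var/run/docker.sock",
              "Destination": "/var/run/docker.sock", "RW": true}]},
 {"Name": "/helper", "HostConfig": {"Privileged": false},
  "Mounts": [{"Type": "bind", "Source": "/root", "Destination": "/os_root", "RW": true}]}
]""")

# Assumed policy list: host directories a container should not receive as a bind mount.
SENSITIVE_PREFIXES = ("/root", "/etc", "/home", "/var/run", "/run")

def normalize(path):
    """Collapse duplicate and trailing slashes so prefix checks are exact."""
    return "/" + "/".join(part for part in path.split("/") if part)

def audit_container(container):
    """Return a list of findings for one `docker inspect` entry."""
    findings = []
    if (container.get("HostConfig") or {}).get("Privileged"):
        findings.append("runs privileged")
    for mount in container.get("Mounts") or []:
        if mount.get("Type") != "bind" or not mount.get("Source"):
            continue
        src = normalize(mount["Source"])
        mode = "rw" if mount.get("RW") else "ro"
        if src.endswith("/docker.sock"):
            # Flagged even when read-only: the API is reached by connecting
            # to the socket, not by writing to the file.
            findings.append(f"docker socket mounted ({mode}): {src}")
        elif src == "/" or any(src == p or src.startswith(p + "/") for p in SENSITIVE_PREFIXES):
            findings.append(f"host path {src} mounted ({mode}) at {mount.get('Destination')}")
    return findings

def audit(inspect_data):
    """Map container name to findings, keeping only containers with findings."""
    report = {}
    for container in inspect_data:
        findings = audit_container(container)
        if findings:
            report[container.get("Name", "?").lstrip("/")] = findings
    return report
```

On a real host, the input would be the JSON printed by `docker inspect` for the running containers, passed to `audit()` after `json.loads`.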

Please don't forget to share it with your friends and give us your feedback in the comments.

Stay tuned for the next walkthrough 😀

Mohammed Khreesha

I'm a Computer Engineer with 13 years of experience in Computer and Information Technology fields, especially in the Info-sec field. Also, I have 13 years of experience as a freelance instructor in Ethical Hacking, Secure Web Development, Penetration Testing and Security Awareness. I have the following certificates: CEH, CHFI, ECSA, LPT Master, & ISO 27001 LI. #Co-Founder of Technawi[dot]net blog March 2014. #Founder of Jordan Info-sec Days periodic events August 2015, February 2016. #Founder of Jordan Info-sec CTF hacking competition April 2017, March 2018, & November 2018.

4 Comments

  1. Great article, friend. Please, can you write an article about your OSCP certificate, how your experience with it was, and how we can prepare for it?

  2. Could you write this command? It's hard to copy it char by char.
    "new docker container in the host which mounts the /root directory in"
    Thank you.
