I've been trying to learn about Docker recently and experiment with it and I thought what would be a better way to test my basics than to make a dockerized boot2root machine, so here we are.
The boot2root machine we'll be implementing is a very simple one
- Find ftp and ssh service are open through nmap
- get user creds from ftp and login via ssh
- and a very simple sudo priv esc
The first thing to do would be install docker which you can install from here and then pull an Ubuntu latest image from docker to work with.
docker pull ubuntu
docker images #gives image ID's for all repos
docker run -cap-add=NET_ADMIN -it <ubuntu image ID> Following the above you'll be inside the docker image with root privileges. One thing you should remember is that this is image is stripped of everything nothing is installed from the start. You have to install the basic needed tools and ones you're gonna use for boot2root manually including sudo
apt-get update
apt-get install -y vsftpd wget curl nano sudo ufw ftp openssh-serverNow you have to manually start all the services that you'll be using in this machine which are FTP and SSH
service ufw start
service ssh start
service vsftpd startNow we have to configure the ports for ftp and ssh to allow traffic through them,
sudo ufw allow 20/tcp
sudo ufw allow 21/tcp
sudo ufw allow 22/tcp Without setting the root directory for the ftp it'll just show empty when you connect to it.
We need to make a ftpuser and also make a directory in /var for the ftp server and give it appropriate permissions.
sudo useradd <username>
sudo mkdir -p /var/ftp/pub
sudo chown nobody:nogroup /var/ftp/pubWe also need to edit the vsftpd.conf file to allow anon login and also set the root directory.
{% code title="/etc/vsftpd.conf" %}
anonymous_enable=YES
local_enable=YES
anon_root=/var/ftp/pub/
hide_ids=YES{% endcode %}
Now just add a file with user creds you wanna give for ssh or any other hint
nano /var/ftp/pub/creds.txtAt the end you have to restart the service for the changes to take place
service vsftpd restartsudo cp /etc/ssh/sshd_config /etc/ssh/sshd_config.factory-defaults
sudo chmod a-w /etc/ssh/sshd_config.factory-defaults
service ssh restartThese commands make a backup copy of our config, and gives it permissions so that it cant be tampered with and restarts the service with all the implemented changes.
Make lower privilege user for the user flag
useradd -m <username> #creates user with home directory
usermod --shell /bin/bash <username> #sets bash as shell for the user
passwd <username> #set the password for the userFor privilege escalation I thought of letting the user run cat and ls meaning he can list and read the files in the root directory.
To do this we have to edit the sudoers file, run the below command as root
visudoand add the following to your user
{% code title="/etc/sudoers" %}
<username> ALL=(ALL) NOPASSWD:/bin/cat, /usr/bin/ls
{% endcode %}
add your root flag to root.txt in the /root directory and then we just have add appropriate permissions to the user and root flags and we are good to go
sudo chown <username>:<username /home/<username/user.txt
sudo chmod u+rx /home/<username/user.txt
sudo chmod u-w /home/<username/user.txt
sudo chmod go-rwx /home/<username
sudo chown root:root /root/root.txt
sudo chmod u+rx /root/root.txt
sudo chmod u-w /root/root.txt
sudo chmod go-rwx /rootDon't forget to restart all the services before doing the sanity check
service ufw restart
service ssh restart
service vsftpd restartDo a sanity check to see if everything you restarted and updated is working perfectly. We need to get the ip-address of the container to test it out. We can do this by
docker container ls
docker inspect -f '{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}' <container-id>After you get the ip you can do your checks with the ftp server and ssh with the accounts you created. If everything is working fine we can move on to commit the image and push it to docker hub.
After all this the one thing we need to do is make your docker container available to the whole world wide web. To do this we have to commit your docker container.
Exit your container after making all the changes and testing it.
docker ps -aUse the above command to get the container-id of the container you just exited.
docker commit <container-id> <image-name>You can now check your new image using
docker imagesTo upload this onto docker hub, you first need to make an account on Docker Hub. Click on your profile image and go to account settings. Click on Security in the left navigation and add New Access Token. Copy your access token and back in your terminal do the following
docker login -u <username>you'll be prompted to enter the access token.
Now to upload on to docker hub you need to tag it and then push it.
docker image tag <image-name> <username>/<image-name>:latest
docker image push <username>/<image-name>:latestThe docker-compose file for this image is very simple
- We'll be pulling the image from docker hub
- adding the additional capability to it
--cap-add=NET_ADMIN - run a command to restart the services
ufw,vsftpdandssh - add a tails command to keep the container from exiting in detached mode
{% code title="docker-compose.yaml" overflow="wrap" lineNumbers="true" %}
version: '2'
services:
app:
cap_add:
- NET_ADMIN
image: <username>/<image-name>
command: sh -c "service ufw restart && service vsftpd restart && service ssh restart && tail -f /dev/null"{% endcode %}
you just need to run the below command in the same directory as the file for the container to be up and running
docker-compose upIf you make any changes to to .yaml file make sure to take the container down before running it again
docker-compose down
docker-compose upHope you learnt something about docker or about configuring boot2root machines, If you're interested check out my other blogs too.