Pires: My name is Filipi Pires. We’re going to talk about pivoting and exploitation in a Docker environment.
I’m a security researcher at senhasegura. Senhasegura is a global company providing some products with privilege access management, PAM. I’m an advocate of the Hacking is NOT a Crime project. Hacking is NOT a Crime is an awesome project that we started in the U.S., but we have many advocates around the world. The idea of this project is to talk more about this concept called hacking. The idea behind this concept is when you’re using your creative mind, when you’re using your knowledge to help the companies. Because when you talk about the leaks, the exposure of information, the ransomware, it’s not a hacker. It’s a threat actor. It’s an attacker. It’s a cyber-criminal. When you talk about the hacking, we talk about how you can apply your creative mind in some technology, not only in technology, but it depends on your area that you work in, when you’re using your creative mind, you’re using this concept called hacking. I’m a part of the coordinating team of the DEFCON Groups here in Sao Paulo. I’m an instructor of the HackerSec. It’s a Brazilian company providing some trainings. I’m an instructor of the malware analysis course. This specific course is in Portuguese language. I’m an instructor, and writer, and reviewer of these three magazines in Europe. I’m instructor of the malware attack types with the kill chain methodology in the English language.
What Is Pentesting
I would like to explain a few concepts about what is pentesting, just to clarify about when you can put these techniques inside of this action called pentesting. Pentesting is a simple definition. It’s just when you perform a similar attack. It’s a simulation of the real attacks, when you talk about the same threat actors or attacker happening in some companies. Basically, the penetration test, it happens when you have some security guys, and they simulate some exploitations. Again, the simulation on the real world attacks to define method, or what strategy is used by the attacker.
Types/Services – Pentesting
Types and/or services about the pentests, you can find in the black box. It’s real similar when you talk about the cyber-criminal, because you just have information about the name of the company, for example, Filipi Company, and you need to execute some steps, like reconnaissance steps. You need to investigate this company in the internet. You need to find some possible credentials on GitHub about some projects, for example, but you don’t have any knowledge about the infrastructure, about the IP address, about the network IP address. Of course, if they’re using for example, cloud environment, if they have some on-premises. If they have, for example, infrastructure as code. You don’t know any information about the company. You just know the name of the company, for example. It’s the simple definition about the black box.
When you talk about the white box, it’s different. It’s another approach. You have some specifically in the finite approach, or another approach scoped to perform this test. You have inside of the company, some part of the code, for example that you can use in some code review, or you can explore some IP API Gateway port for example, or some specific application. Or when you have some specific range of the IP address, or when you know about the infrastructure. You know about the architecture. You know when you have some specific scope defined by the customer, for example, by the client, so it’s the white box, when it’s closed scope. It is a specific scope.
When you talk about the gray box, you have two ways, similar, the mix of the black box and the white box. The gray box, you have for example, the name of the company, you know about some information, but you have another specific. Of course you can use this scoping in these three types of pentesting. What is the exact object when you perform this pentest? When you talk about the gray box, you have some information about the internal environment, because obviously you’re using the mix you’ve been using in the code review, in some applications, for example. Sometimes the strategies come outside the company.
Let me execute this pentest, in this test I performed in 2020, when I did some activities in Hack The Box. Hack The Box is a platform which we can perform some penetration test or simulate some penetration test. Of course, this test is executed in some machine, that machine is not available to execute in. Just to explain the more important here, is explain the techniques used in this penetration test. This is the first idea. First of all, it is very important you perform some scanning. Usually when the attacker has some IP address or a host, for example, in this case, I have the IP address, but I could register the domain name for example. In this case, specifically, I have the IP address. I perform some scanning to see if I can find, for example, some services running, some ports. It’s a standard port or non-standard port. What kind of services? If I can find, for example, some information about the services running, for example, we have some Apache, or Tomcat, or NGINX, or another web server running in this application. First of all, I perform this scan. After that I put the IP address on the internet because I knew when I perform this test that this application, it was a web application. I put here in the domain. After that, I started to see more information about the blog, about the website. We have some pages, and I put the mouse above the words to see if we have some redirections. This is very important.
Another page, or many pages inside of this application, is the blog. Sometimes you have some articles inside that. Sometimes you can use some SQL injection or cross-site scripting in this part of the web page. I see here, the information about Facebook, Twitter, and Google pages. I put the mouse to see about the redirections, if I can see some information about that. Another important page is about the contact. As you can see here, sometimes you have the form in contact. It’s very useful to try executing some SQL injection, cross-site scripting, or other techniques in this form usually. When some professional guys are executing some penetration test, just to understand.
This is the first answer that I received from this Nmap scan. We found some OpenSSH using the 22 port, 80 port using HTTP, as I access now, and using Apache. You can see the version and the server is Ubuntu. We can find another web service running, maybe in a similar environment. It’s another port. The second I paste here, and I try to open this application, take a look at what happens now. I put the port 8080. It is Apache Tomcat, it is different from another Apache. Here you can see open authentications of this page. It’s very similar. If you think about for example OWASP Top 10, one of the many OWASP Top 10, one of the 10 important vulnerabilities, the main vulnerabilities is misconfiguration. It’s many times when the developer or the security guys applied some spellings about these applications, and the professional or the person didn’t use the best practices recommended to apply the security steps in this application. We are using basically the full username and password. Take a look at what happened now. Are we putting the admin and admin path? I gain access in the simple web page. This is another web page inside maybe in the same environment, because I didn’t know exactly where I am, so I just have the access in one maybe a virtual machine because I have here the main IP address. This is the first IP address, 10.10.10.101. One of the servers is running in the 80 port, and another server is running in the 8080 port. Maybe I can have both of them in the same server, maybe yes or maybe no. I don’t know exactly. I’m investigating.
Maybe this is the advertisement company, because I can upload something like an image. Again, I’m seeing about the pages, about us, services. Take a look at what I found here? I can upload something. This is another important thing when you talk about a penetration testing, because sometimes when you’ve found some upload part of the applications, it means that you can upload something in the server side. When you can upload something in the server side, if you know about what is exactly path, maybe you can use some techniques like a file upload, to try to gain access remotely of this web server. This is the point when you’ve found some uploads, are usually when the penetration test perform this test, usually they like to see about that, and to try using this vulnerability. Here, we can upload just the image and the Zip file. Two options that I can upload that. I can’t upload, for example, the PHP because I didn’t know if have some PHP or another programming language here. This is a portfolio page. Another is contact. Maybe I can see here some form to try explore more about that. I can perform some test. We have many possibilities to explore using these penetration tests.
The next steps is to use some WFuzz tools. It’s a web fuzzing application. It’s a tool to execute some fuzzing. I will try to discover new possible directories that I found here. For example, if I register a domain name, for example, affiliate.com, I can try using to investigate if I find some subdomain. Sometimes when you perform some penetration tests, you can find some subdomains and sometimes the subdomain is vulnerable. Let me go here. Let me check here, ok, WFuzz -w, just to set the word list that we will be using here, in this case. We’re using the word list from dirbuster. In this case, it’s another fuzzing tool. I set here the IP address, and it starts high end channel specifically, because I want to see, actually, these results, 404. When you try to connect that, because it’s referring that you don’t have this page exactly in the website. I found other directories in the web server. I found the image, archives, upload, users, CSS, and others.
Let me check if I found here some information in this specific directory, as you can see here, in this folder, in the server, I will try to access. Take a look at what I found here, it’s a forbidden. We have this page inside of this website, we can find this directory inside of the web application, but I don’t have permission to access that. This is different when you talk about the 404, it means you don’t have this page in the web server. The results are different, basically the results from the web page, and the web application actually. Take a look, there are other very common misconfigurations. You can see here the version of the server. The server is running Apache and the specific version running in this web server, in this case 2.4.29. For example, another possibility is I can pick up this information and I can put in the Internet to try and find some exploit from this specific version. Another is I have here Ubuntu. It’s a Unix platform server. When you think about the attacker perspective, so how they think about that.
Let’s continue to see other folders, it is archives. You can use, for example, uploads and users to investigate more information about that. Let’s see what we’ve found now. I put here the image. Take a look at that, and the same equal, forbidden. I don’t have access to the environment. Of course, I recorded that to explore in an easy way. Take a look at that one, I put users I found here a possible page from the support team, Aogiri Tree Members login. It’s a web page from this guy. I try using the same login, admin, admin, and [inaudible 00:15:06] the logins. I use root, root to try again, and the same problem here is invalidate login in this case. I have more information that I can try explore.
When I perform some tests I like to use more than one tool. In this case, I’m using WFuzz, but I like to use other tools, for example, dirbuster. Here is the result of the dirbuster. Here, as you can see some directories found during the testing. This is a similar directory: images, archives, uploads, users. I found another, as you can see here, and users again. I found here others like index, blogs, contacts, I’ve already seen these in the web application. I found here the -secrets.php. Let’s see what we can see in this page specifically. Take a look at that. This is a possible conversation about the support team. Take a look at that, Aogiri Tree secret chat. If you remember, we have an application when the users can access they need to have the actor inside of this environment, but we didn’t have the password and username. Here we can see there’s some PrintScreen from this conversation. Probably, this happens sometimes, I’m supposing of course, for some audit logs. The chat is unavailable at this moment.
Here, it’s an interesting conversation. We have here four users: Tatara, Noro, and Kaneki, and Eto. Take a look at the conversation. For example, Kaneki is telling Tatara about some possible RCA, remote code execution happened inside of the environment, and they need to investigate more about that, because they found some user.txt inside of the desktop. This is a rapid rule if you play for example, Hacking the Box, probably you try putting this user.txt as a flag. In this case, it’s not a flag, because it’s a rapid rule. It is a simple conversation, and some bio the user found inside of the environment. Another point here, it’s impossible to get into our server, but before CCG tries I will check the IP logs and eat them. Probably Noro is responsible for network sec, because if they have some access in all those IP address probably they can investigate more about that. Noro tells, “By the way Kaneki, I needed the access for your remote servers.” This is an interesting request to Noro for Kaneki. Probably Kaneki has some privilege access. Why? Because as you can see here, Noro requests specific access in the remote server. The first answer is ILoveTouka, because they request the access, so probably Noro has the IP address because probably he’s responsible for network sec, but they don’t have the access, the password. Here we can see, Kaneki tells about the password.
Filipi, how do you know that is a password? Because I investigate. I am giving you some spoiler here. After that, Kaneki tells Eto, “Eto started the X servers, I wish to connect and update the WordPress too,” so some actions to update the information. It’s important conversation. Usually, when the penetration tester is executing something they can think more about that.
Demo – Giving Access inside the Environment
Let’s go to another demo. How we can give the access inside of the environment, that’s the good point here. First of all, I create a simple PHP file to try explore this file upload but using another vulnerability called command execution. First of all, I created this simple shell PHP to gain the access, but in that time when I was performing this investigation, I remembered that and that time that I read some information in the internet about the same vulnerability called Zip Slip vulnerability. The possibility to use this as some Zip file to explore some virtual machines. This is the vulnerability. Zip Slip is a widespread critical archive extraction vulnerability, allowing attackers to write arbitrary files on the system, typically resulting in remote code execution. This is the idea in this exploitation.
I needed to create some evil file to upload inside the virtual machine. That’s the idea. After that, I can set some traversal of that vulnerability, so I can use in more than one possibility to explore this virtual machine. First, I needed to upload this file inside of the virtual machine. This is the exploitation. Take a look at the traversal bat exploitation. That’s the idea. The next step is I needed to find some exploit, or I can create some exploit. I found the evilarc.py, it’s a python exploit to use in this case. Here I can see python 2.7. I call the script in Python, and after that I chose my shell.php. I chose the system operations, in this case Unix. I set here the path that I can upload this path, this file inside of the virtual machine when I explore the virtual machine. I set the file, and I create some evil.zip.
I will upload my shell inside of the root of the web page, var/www/html. If I gain the access, if this application has exactly the same vulnerabilities called the Zip Slip, I could upload my file inside there. Now I upload my shell here, and I can set here some command execution in the browser. I set ifconfig to see the IP address, so we can see here, we have another IP address, 172. In this case, it’s a class B from the network. Remember, when I gained the access, I have the class A 10.10. It is two different classes in the same environment. I have the command execution in the server, so I can manipulate some commands in the server. I don’t have yet the reverse shell, but I can set some commands in the server.
The next step is just to open some port in my machine. I am an attacker, and after that I receive this callback. Here is my shell reverse. Now let’s go there. I open the Netcat, and I set here my open port, and again, the reverse shell. I have the access, and this is specifically user, www-data. I have some docker env, so probably I have some container, some Docker in my environment. I need to investigate more about that, because I gained the access, and this is specifically users, it’s that www-data user. How I can gain the access more deeply, how I can escalate privilege in this environment. Here is my shell reverse. Here, it’s another tentative as you can see, basically, but this is the main reverse shell, the shell actually that I can use to execute commands by the browser. I try, and after that I gain the access reverse, so I have a session to execute a certain command execution inside of this environment. We can see all those images inside of the web page.
The next step, if I can upload my file there, I can generate another thing like this. I saw my specific permission that I had when I upload something and I saw that I can upload as a root, or with permission. After that I generate my keygen, specifically SSH, my public key. After that I set here the key called hacker, and as you can see here, the hacker. After that, I pop my public key, and I use the same evil.zip file to upload my key inside of the virtual machine. You know how this danger is when you’ve found something in the authorization. I set the evilarc.py. I set -0 to show the operating system. I set the path here. I parsed my public key inside of the virtual machine. After that, I gain the access as a root using SSH. I now need more remote code execution because I put my private key inside of the virtual machine, and now I have the access there.
Let’s talk about the pivoting techniques. It’s so simple. It’s a part of the technique used in many different penetration tests. I have the complete article about that in this publication. Basically, the pivoting techniques is the use of the first compromised system, as I gain access in this environment, in conjunction with the routing techniques at the protocol or application level to allow and even help to compromise other systems present in the same network or a different network. It’s a kind of jumping that you can use to explore different networks, but first, you need to compromise some system. In the other hand, you can say that it is the techniques that open the way for an attacker to move laterally. Inside the corporate, let’s suppose I have the class B, so the IP address, 172, but I have inside of the environment class A 10.10. I can have something outside of the environment, another class like a class C 192.168, for example, so I have three different classes. If you have more than one Docker environment or container in my environment, that’s the idea about the pivoting. I can put in four IPs in the network. That’s the point here.
Let’s go to the first idea about that. I gain the access here. I have the access to Kaneki, so I can access the environment, because I gain the access to the root, and after that I can collect all those SSH private key to access the environment. Now I have here the Kaneki access. I can see the ifconfig, take a look at that, 172.20.10. This is the first container that I have inside of the environment. Another point is some information in the main page here. Let’s read about the notes, and take a look at that, the information is interesting. Vulnerability in Gogs was detected. Kaneki has the information, and that the Gogs was detected. We have the Gogs application inside the environment. This is the good information here. We didn’t know exactly where is the place that we need to install these Gogs. Where is exactly the directory of the Gogs application?
“I shut down the registration function on our server, please ensure that no one gets the access to the test account.” Here is another information. Let’s suppose that you are a developer or you manage this server, so many times we open some text notes to write something. If you’re suffering some attack, the attacker can read this information that you wrote. That’s the point here. Kaneki has some test account, so we can try to collect this information in some place. Let’s try to see more information about that, because we saw that we had Gogs detected, and we have the access in some test account.
Take a look at the secret.jpg page, so remember about these pictures. Exactly, if Kaneki has a privilege. Let’s see another, “I’ve set up file server into the server network, Eto if you need to transfer file to server, can you use my PC, DM me for the access.” Take a look at that. Kaneki has a test account, and this test account probably is specifically Kaneki PC. Here is the key from the Kaneki PC. Take a look, there’s two different SSH key. If you see here, Kaneki it’s really the administration guy, this guy has the privilege to access them. They have access in two different environments. This is one of the Docker. We have the main Docker, and this class, class B, 172, IP address. Kaneki has access to another container, but I didn’t know exactly what this IP address should be.
Let’s see another demo about these pivoting techniques, because I need to investigate how many Dockers or information I have inside this environment. Remember, I gained the access here in the Kaneki, and take a look at that about another failure here, the keys inside of the backup directories. Unfortunately, we can find here many information. Take a look at that, I set here the Kaneki.backup. It’s interesting. I set here the Kaneki_pub. What is this exactly? This is the test account. This is the test account that Kaneki wrote in the note, telling the people that no one had to access this specific test account, because probably we have some important information inside of this test account. It’s a Kaneki PC. As you can see here, another IP address. Let’s see, I tried connecting SSH using this kaneki.backup. Take a look at that. Now I have the access in kaneki-pc, it’s a test account. I gain the access in this specific server. Take a look that, now we have another thing, 172.20, this is the class B, but here we have another network, 172.18. Take a look at that, this is the third container in the same environment. How can I use this pivoting technique if it’s necessary in this environment? For example, I am an attacker, and I’m using the class C, 192.178. How it’s possible to connect in this network, if I don’t have a channel to get there, that’s the point here. I can’t have the access in this network. How I can gain the access, just using pivoting techniques. You need to use this specific user to gain the access or using a forward channel to get there. These are the techniques used here.
Let me explain. I have here my page. I have here the hacker. Remember, this is my SSH using the root. I will open in my environment the port. Are you using this port 2020, and are you listening now this 77 port? Are you using this port opened in my environment to listen to something in this channel? I need to receive some information in this specific channel. Let’s see in my VPN that I’m using, so I’m in class A in this case. I will try to connect in this other IP address, but I would like to access another IP address, 172.18. It’s another channel. Take a look at that. I set here the Kaneki pub, it’s a test account. I set here to my local services, because I will be putting as my environment, we have some server. I will open this, I will be using this port, remember there’s a new port, 77, because I open here this port. I will set here another IP address, 172.18.0.2. I will open another port here, the 3000. I will be using basically this port to establish this communication. I’m using this port because I’m opening here in my environment, we establish this. This is the port forward that I can open to use in these pivoting techniques. I try to connect, and here is the password, ILoveTouka, as I mentioned. I try to connect, request the password from Kaneki. Now I have total control in this environment. Take a look at 172.18, I am here in this network. How is it possible? Using this port forward, using these pivoting techniques through the SSH. That’s the point here.
I have access in this entire network using my personal machine, as I am the attacker. If I don’t have this possibility to open and to use this port forward using SSH, it’s impossible to connect in this specific port. Because of this, I’m using the pivoting techniques to jump. I am here in this class, in this specific machine. Many times the attacker or the penetration tester use these techniques to manipulate more commands the penetration has in front of their own computer. Because of this, they’re using techniques. That is the purpose.
Take a look at what I found here in the end. I put here the IP address, 172, this is my localhost. Then I insert here the port 3000. Take a look at what I found here, the Gogs application. In my machine, I tried to connect in this environment, and now I have another privilege application to try explore in this environment. This is just possible because I open this port forward using the pivoting techniques. If I hadn’t used this technique, it was impossible to connect inside of the Gogs. Gogs is vulnerable because we read the message in the Kaneki machine.
See more presentations with transcripts