Machine Synopsis
Toby, is a linux box categorized as Insane. The initial foothold on this box is about enumeration and exploiting a leftover backdoor in a Wordpress blog that was previously compormised. Eventually, a shell can be retrivied to a docker container. Enumerating the Docker environment, we can identify more Docker containers on the same internal network. Having access to the internal network a pivot can be made on an exposed MySQL server to extract some password hashes. Upon cracking the password hashes and testing for password re-use on previously exposed services the source code for a web application running on the internal Docker network can be found. The source code exposes a way to make the MySQL server connect back to a local machine. Using a rogue MySQL server and monitoring the inbound traffic a MySQL network authentication hash can be constructed and then cracked to reveal a plain text password. Testing for password re-use on the internal network containers, with SSH enabled, results in a valid authentication. Then, monitoring for interesting process shows a way to read a private SSH key for the user `jack` on the host machine. For the privilige escalation step, a malicious PAM module should be identified. Upon reversing it, it becomes clear that a time based bruteforce can be implemented to extract a hardcoded password character-by-character and then use this password to get `root`.
Machine Matrix