TryHackMe - The Great Escape (Medium)

A medium level room showcasing Docker container escape.

![logo2](/assets/images/write-ups/tryhackme/the_great_escape/logo2.png)

* Enumeration
{:.toc}

# Intro

Welcome to my first write-up on a medium-level box by TryHackMe. This is the sixth one in the series `Road to OSCP`, where I showcase known topics seen whilst preparing for the certification. We will see Docker containers, escaping such containers, command injection, and more!

Find the room here: [TryHackMe - The Great Escape](https://tryhackme.com/room/thegreatescape)

# Reconnaissance

Let's start off with an nmap scan:

```
nmap 10.10.72.178 -sC -sV
Starting Nmap 7.91 ( https://nmap.org ) at 2021-02-19 07:23 EST
Nmap scan report for 10.10.72.178
Host is up (0.028s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh?
|_ssh-hostkey: ERROR: Script execution failed (use -d to debug)
80/tcp open  http    nginx 1.19.6
| http-robots.txt: 3 disallowed entries
|_/api/ /exif-util /*.bak.txt$
|_http-server-header: nginx/1.19.6
|_http-title: docker-escape-nuxt
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port22-TCP:V=7.91%I=7%D=2/19%Time=602FADC6%P=x86_64-pc-linux-gnu%r(Gene
SF:ricLines,5,"8!M\r\n");

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 185.76 seconds
```

*Note the 185 seconds, what the...?*

There is also an error on port 22. I did a further scan of port 22 and it took forever to come back, but the one I did for only port 80 came back really quickly. That SSH smells as fishy as the honeypot I've got set up on my Raspberry Pi...

Let's jump ahead to the website.

# Port 80

***UNDER CONSTRUCTION***
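Going back to the port 22 result from the scan: the `SF-` fingerprint already shows why nmap could not label the service. The sketch below is an added example, not part of the original write-up; it rejoins the wrapped fingerprint lines, decodes the probe response and checks it for an RFC 4253 identification line. The function names and the set of escape sequences handled are assumptions made for this example.

```python
import re

# Fingerprint lines copied from the nmap output above (wrapped as nmap prints them).
FINGERPRINT = r'''SF-Port22-TCP:V=7.91%I=7%D=2/19%Time=602FADC6%P=x86_64-pc-linux-gnu%r(Gene
SF:ricLines,5,"8!M\r\n");'''

# Escape sequences assumed for the quoted response data.
_SIMPLE = {"r": b"\r", "n": b"\n", "t": b"\t", "0": b"\x00"}

def unescape(text):
    """Turn the escaped response string back into raw bytes."""
    out, i = bytearray(), 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and text[i + 1:i + 2] == "x":
            out.append(int(text[i + 2:i + 4], 16))
            i += 4
        elif ch == "\\" and i + 1 < len(text):
            nxt = text[i + 1]
            out += _SIMPLE.get(nxt, nxt.encode("latin-1"))
            i += 2
        else:
            out += ch.encode("latin-1")
            i += 1
    return bytes(out)

def parse_fingerprint(text):
    """Return {probe_name: (declared_length, response_bytes)}; length is hex."""
    # Each wrapped line carries a 3-character "SF-" or "SF:" prefix; drop it and rejoin.
    joined = "".join(l[3:] for l in text.splitlines() if l[:3] in ("SF-", "SF:"))
    pattern = r'%r\(([\w-]+),([0-9A-Fa-f]+),"((?:\\.|[^"\\])*)"\)'
    return {name: (int(hexlen, 16), unescape(data))
            for name, hexlen, data in re.findall(pattern, joined)}

def classify_ssh_response(data):
    """RFC 4253 section 4.2: the server's identification line starts with 'SSH-'."""
    if not data:
        return "no-data"
    if any(line.startswith(b"SSH-") for line in data.split(b"\n")):
        return "ssh-ident"
    # Lines before the identification string are permitted, so this is not
    # proof of a non-SSH service, only that no identification was seen.
    return "no-ident"

if __name__ == "__main__":
    for probe, (length, raw) in parse_fingerprint(FINGERPRINT).items():
        print(probe, length, raw, classify_ssh_response(raw))
```

For the scan above this reports a 5-byte `GenericLines` response with no identification line, which matches the `ssh?` guess and the failed `ssh-hostkey` script.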

© 2021 Subtle Labs. All rights reserved. Made with love and coffee from Edinburgh, UK.