Triskel 4 : Going deeper

Pentest & Misc, 20 points


Well done, you broke it! I guess it's really the end of your journey this time haha!

by Remsio


From Triskel 3, we have a stable reverse shell on the Werkzeug machine. We need to go deeper.

At first, we thought to discover other machines and maybe exploit some CVE as the challenge was tagged with the pentest tag. We got a RCE on a few machines via PHP-FPM with this exploit and injecting some code this way:

root@kontammadur_klanvour:/app# python -c code IP /usr/local/lib/php/System.php

Ẁe didn't find anything interesting with this path.

Then we thought to attack the production machine from within the internal network, from the dev machine. We found nothing interesting too.

We were asking ourselves why is there a misc tag to this challenge. We noticed at the very beginning that we were in a Docker container, but didn't went down this path.

Finally, after reading some documentation (cf., we tried to escape our Docker container to get access to the host file system. Among other approaches, we tried the capabilities. We listed the host capabilities easily as we were root with the following command:

root@kontammadur_klanvour:/app# capsh --print | grep cap_sys_admin

We are able to mount the file system with a simple mount command then. Also, we knew from a linPEAS analysis (cf. that the container was launched with the privileged attribute, this is why we are able to see the host drive with fdisk -l command. Thereby, we know that we have to mount dev/sda1. Let's do it:

root@kontammadur_klanvour:/app# mount /dev/sda1 /mnt

Bingo! - we got it, we can access the host file system. This way, we finish this series of Triskel challenges with the final flag:

root@kontammadur_klanvour:/app# cat /mnt/root/flag

results matching ""

    No results matching ""