Container Escape

June 12, 2022

OpenSource – HackTheBox Writeup

Thoviti Siddharth HackTheBox, Infosec Container Escape, Docker, Flask, Git, git-hook, Gitea, HackTheBox, HTB, htb-opensource, Infosec, LFI, Linux Box, pspy, Werkzeug, Writeup 0

Machine Name: OpenSource
IP: 10.10.11.164
Difficulty: Easy

Summary

OpenSource like it’s name is all about exploiting information that is openly available. It demands knowledge about LFI, Docker, Flask, understanding source code, and ofcourse, Git. To get the user shell, LFI vulnerability was exploited to get RCE. Then, a docker container needed to be escaped in order to gain the user shell. Knowledge of tunneling helps to connect to the host machine and enumerate further. Ability to access the host machine lets us enumerate further and gain access to user via leaked credentials. Escalating privileges requires understanding the concept of Git hooks to exploit a process running as root. This box is great for someone who is new to programming and learning code/version management tools like Git.