We covered the solution of Docker VulnHub lab where we performed a penetration testing for a Docker container running a WordPress website.


Initial Steps & Reconnaissance

I began by identifying the IP address of the vulnerable machine, which was hosting a WordPress website. I then used WPScan to gather information about the WordPress site. The command I used was something like: wpscan --url <IP_ADDRESS> --enumerate p --enumerate t --enumerate u. The three --enumerate options enumerate plugins, themes, and users respectively.

WPScan identified the WordPress version as 4.8.2, which has a known vulnerability related to password reset and mail server injection. However, I decided to skip exploiting this particular vulnerability because I didn’t have a mail server set up. WPScan also helped me discover a username: “Bob.”

Gaining Access to WordPress

With the username “Bob” in hand, I performed a brute-force attack using WPScan and a wordlist. I successfully found the password, which was “welcome1.” Using these credentials, I was able to log into the WordPress admin panel.

Exploiting WordPress to Get a Shell

My next goal was to upload a web shell to gain access to the underlying server. I used a regular PHP reverse shell. I copied the PHP reverse shell code and pasted it into the hello.php plugin file, replacing its original content.

While preparing the shell, I set up a listener on my attacking machine using Netcat. The command would be something like nc -lvnp <PORT_NUMBER>, and I used port 9138 for this. Once the listener was ready, I browsed to the modified hello.php plugin file on the WordPress site. This action triggered the reverse shell, and a connection was immediately established back to my listener, granting me shell access to the vulnerable machine.
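From the defender's side, each stage above leaves a distinct trace in the web server's access log: the WPScan user agent and author/REST user enumeration, the burst of POST requests to wp-login.php during the brute force, the plugin-editor.php page being used to rewrite hello.php, and finally a direct GET to the plugin file that triggered the shell. The following detection script is an added example, not code from the video or the lab; the log lines are constructed, and the WPScan user-agent string and the ten-attempt brute-force threshold are assumptions.

```python
import re
from collections import Counter

# Apache/nginx "combined" log format; only the fields the rules need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
LOGIN_THRESHOLD = 10  # assumed: POST /wp-login.php hits from one IP before we call it brute force

def parse(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def detect(lines, login_threshold=LOGIN_THRESHOLD):
    """Return sorted (ip, rule) pairs for the WordPress attack stages described on this page."""
    findings, logins = set(), Counter()
    for line in lines:
        rec = parse(line)
        if not rec:
            continue
        ip, path, ua = rec["ip"], rec["path"], rec["ua"].lower()
        base = path.split("?", 1)[0]
        if "wpscan" in ua:                      # assumed default WPScan UA contains its name
            findings.add((ip, "scanner_user_agent"))
        if "author=" in path or base.startswith("/wp-json/wp/v2/users"):
            findings.add((ip, "user_enumeration"))
        if rec["method"] == "POST" and base == "/wp-login.php":
            logins[ip] += 1
        if base == "/wp-admin/plugin-editor.php":  # plugin source edited through the admin UI
            findings.add((ip, "plugin_editor_use"))
        # A plugin .php file fetched directly is how the modified hello.php was triggered.
        if rec["method"] == "GET" and base.startswith("/wp-content/plugins/") and base.endswith(".php"):
            findings.add((ip, "direct_plugin_php_request"))
    for ip, n in logins.items():
        if n >= login_threshold:
            findings.add((ip, "login_bruteforce"))
    return sorted(findings)

def sample_log():
    """Constructed log: one attacker IP walking through every stage, one benign visitor."""
    ua = "WPScan v3.8"
    lines = [f'10.0.0.5 - - [10/Oct/2023:12:00:01 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "{ua}"',
             f'10.0.0.5 - - [10/Oct/2023:12:00:02 +0000] "GET /wp-json/wp/v2/users HTTP/1.1" 200 512 "-" "{ua}"']
    lines += [f'10.0.0.5 - - [10/Oct/2023:12:00:{3 + i:02d} +0000] "POST /wp-login.php HTTP/1.1" 200 2300 "-" "{ua}"'
              for i in range(12)]
    lines += ['10.0.0.5 - - [10/Oct/2023:12:05:00 +0000] "GET /wp-admin/plugin-editor.php?file=hello.php&plugin=hello.php HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
              '10.0.0.5 - - [10/Oct/2023:12:05:10 +0000] "GET /wp-content/plugins/hello.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"',
              '192.168.1.20 - - [10/Oct/2023:12:06:00 +0000] "GET /index.php HTTP/1.1" 200 4000 "-" "Mozilla/5.0"']
    return lines

if __name__ == "__main__":
    for ip, rule in detect(sample_log()):
        print(ip, rule)
```

Setting DISALLOW_FILE_EDIT in wp-config.php removes the plugin editor entirely, which would have blocked the hello.php modification shown above.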

Post-Exploitation on the Vulnerable Machine

Once I had shell access, I performed some basic checks on the user and system information. I used the command whoami, which showed my user as www-data. I also used ls to list the directories.

Through further investigation, using a command like ifconfig to view network interfaces and IP addresses, I identified another internal network. This was the network specifically designated for the Docker containers.

Preparing for Pivoting (To Be Covered in the Next Video)

To prepare for scanning this internal Docker container network, my plan is to:

  • Use a tool called “reGeorg” (or a similar tunneling tool) to establish a SOCKS proxy or tunnel into the target machine’s network.
  • Upload a new version of nmap or netcat to the compromised machine.
  • Then, I’ll use the uploaded nmap to scan the internal network and identify the IP addresses of the Docker containers.

The video concluded by stating that the next part would delve into how to exploit these newly identified Docker containers.

Video Walkthrough | Part 1

In the second part, we demonstrated Linux privilege escalation through the unzip command.

About the Author

Mastermind Study Notes is a group of talented authors and writers who are experienced and well-versed across different fields. The group is led by Motasem Hamdan, who is a cybersecurity content creator and YouTuber.
