###### tags: `docker`

![](https://i.imgur.com/2fS0uim.png)

# Pentesting Lab using docker
###### by leonuz

#### 0. [What is Docker](https://youtu.be/iqqDU2crIEQ)
{%youtube iqqDU2crIEQ %}

##### 0.1. [Installing Docker](https://docs.docker.com/engine/install/debian/)

Let's begin with Docker networking.

#### 1. List available networks
```bash
┌──(leonuz㉿sniperhack)-[~/Pentest-Lab]
└─$ docker network ls
NETWORK ID     NAME      DRIVER    SCOPE
f9b24ce95506   bridge    bridge    local
51d655520585   host      host      local
d8713935ea94   none      null      local
```

#### 2. View the most relevant information of the "bridge" network
```bash
┌──(leonuz㉿sniperhack)-[~/Pentest-Lab]
└─$ docker network inspect bridge
[
    {
        "Name": "bridge",
        "Id": "f9b24ce955067fa526360e91951674d9cc16de73917d079470587272c6f0127c",
        "Created": "2022-08-01T17:13:17.266757822-04:00",
        "Scope": "local",
        "Driver": "bridge",
        "EnableIPv6": false,
        "IPAM": {
            "Driver": "default",
            "Options": null,
            "Config": [
                {
                    "Subnet": "172.17.0.0/16",
                    "Gateway": "172.17.0.1"
                }
            ]
        },
        "Internal": false,
        "Attachable": false,
        "Ingress": false,
        "ConfigFrom": {
            "Network": ""
        },
        "ConfigOnly": false,
        "Containers": {},
        "Options": {
            "com.docker.network.bridge.default_bridge": "true",
            "com.docker.network.bridge.enable_icc": "true",
            "com.docker.network.bridge.enable_ip_masquerade": "true",
            "com.docker.network.bridge.host_binding_ipv4": "0.0.0.0",
            "com.docker.network.bridge.name": "docker0",
            "com.docker.network.driver.mtu": "1500"
        },
        "Labels": {}
    }
]
```

#### 3. Install kali image
```bash
┌──(leonuz㉿sniperhack)-[~/Pentest-Lab]
└─$ docker pull kalilinux/kali-rolling
Using default tag: latest
latest: Pulling from kalilinux/kali-rolling
c44a5498bf98: Pull complete
Digest: sha256:f2ed86a0504055c6920915decc2be75cc3ecc836b255bb0a34263a7e39cfb24f
Status: Downloaded newer image for kalilinux/kali-rolling:latest
docker.io/kalilinux/kali-rolling:latest
```

#### 4. Create a container based on the kali image and access it.
**NOTE:** To tell the containers apart, we give each one a name when we run it; in this case we call it "Container_Kali":
```bash
┌──(leonuz㉿sniperhack)-[~/Pentest-Lab]
└─$ docker run -ti --name Container_Kali kalilinux/kali-rolling /bin/bash
┌──(root㉿ba54ccb86aeb)-[/]
└─# uname -a
Linux ba54ccb86aeb 5.18.0-kali5-amd64 #1 SMP PREEMPT_DYNAMIC Debian 5.18.5-1kali6 (2022-07-07) x86_64 GNU/Linux
```

#### 5. Upgrade kali
```bash
# Run inside Container_Kali (the root shell from step 4), so no sudo is needed
┌──(root㉿ba54ccb86aeb)-[/]
└─# apt update && apt dist-upgrade
┌──(root㉿ba54ccb86aeb)-[/]
└─# apt autoremove && apt clean
```

#### 6. Installing packages to Kali
```bash
# Still inside Container_Kali
┌──(root㉿ba54ccb86aeb)-[/]
└─# apt install kali-tools-top10 #Install the top 10 kali apps
......
..... REDACTED .....
......
Setting up burpsuite (2022.7.1-0kali1) ...
Setting up hydra (9.3-3+b1) ...
Setting up kali-tools-top10 (2022.3.10) ...
Processing triggers for ca-certificates (20211016) ...
Updating certificates in /etc/ssl/certs...
0 added, 0 removed; done.
Running hooks in /etc/ca-certificates/update.d...
done.
Processing triggers for libc-bin (2.33-8) ...
Processing triggers for libgdk-pixbuf-2.0-0:amd64 (2.42.8+dfsg-2) ...
Processing triggers for ca-certificates-java (20220719) ...
done.
```
**NOTE:** More packages and binaries to install are listed [here](https://www.kali.org/tools/kali-meta/)

#### 7. List containers
```bash
┌──(leonuz㉿sniperhack)-[~/Pentest-Lab]
└─$ docker container ls -a
CONTAINER ID   IMAGE                    COMMAND       CREATED          STATUS                       PORTS     NAMES
ba54ccb86aeb   kalilinux/kali-rolling   "/bin/bash"   14 minutes ago   Exited (127) 5 seconds ago             Container_Kali
```

#### 8. Start the container (using the name)
```bash
┌──(leonuz㉿sniperhack)-[~/Pentest-Lab]
└─$ docker start Container_Kali
Container_Kali
```

#### 9. Enter the container
```bash
┌──(leonuz㉿sniperhack)-[~/Pentest-Lab]
└─$ docker exec -it Container_Kali /bin/bash
┌──(root㉿ba54ccb86aeb)-[/]
└─#
```

#### 10. Save the updated and customized image
```bash
┌──(leonuz㉿sniperhack)-[~/Pentest-Lab]
└─$ docker commit Container_Kali imagen-kali
sha256:b5bb0ecd3c673411638e8c7588b455ef7a914ec73de7e4d3d60d259987eb97f8
```

#### 10.1. You can save the image to a file, to export it and use it again on another machine with docker, using the following command
```bash
┌──(leonuz㉿sniperhack)-[~/DOCKER-IMG] # let's first go to where we want the image to be stored
└─$ docker save -o kali-top10.tar imagen-kali
┌──(leonuz㉿sniperhack)-[~/DOCKER-IMG]
└─$ ls -la
total 3552068
drwxr-xr-x  2 leonuz leonuz       4096 Aug  1 18:13 .
drwxr-xr-x 50 leonuz leonuz       4096 Aug  1 18:12 ..
-rw-------  1 leonuz leonuz 3637301760 Aug  1 18:13 kali-top10.tar
```

#### 10.2 To load the image saved on disk, we use the following:
```bash
┌──(leonuz㉿sniperhack)-[~/DOCKER-IMG]
└─$ docker load -i kali-top10.tar
Loaded image: imagen-kali:latest
```

#### 11. Run the container (with all updates and applications installed)
```bash
┌──(leonuz㉿sniperhack)-[~/Pentest-Lab]
└─$ docker run -ti imagen-kali /bin/bash
```

#### 12. Install images of vulnerable machines
- Container 1 [OWASP juice-shop](https://hub.docker.com/r/bkimminich/juice-shop)
- Container 2 [Security Ninjas](https://umbrella.cisco.com/blog/security-ninjas-an-open-source-application-security-training-program)

```bash
┌──(leonuz㉿sniperhack)-[~/Pentest-Lab]
└─$ docker pull bkimminich/juice-shop
Using default tag: latest
latest: Pulling from bkimminich/juice-shop
Digest: sha256:35fce029db378b200a92dbdb1587100d562458637fc776ff85e713e0ef793000
Status: Image is up to date for bkimminich/juice-shop:latest
docker.io/bkimminich/juice-shop:latest
```

#### 12.1. Run Container_Juice_Shop in the background:
```bash
┌──(leonuz㉿sniperhack)-[~/Pentest-Lab]
└─$ docker run -d -p 3000:3000 --name Container_Juice_Shop bkimminich/juice-shop
09c91a7efcaab6b973dda8c56015bf34c121fe2ad2b6132e37e1a2b109240db5
```

#### 12.2. Install the other vulnerable image (Security-Ninja):
```bash
┌──(leonuz㉿sniperhack)-[~/Pentest-Lab]
└─$ docker pull opendns/security-ninjas
Using default tag: latest
latest: Pulling from opendns/security-ninjas
Image docker.io/opendns/security-ninjas:latest uses outdated schema1 manifest format. Please upgrade to a schema2 image for better future compatibility. More information at https://docs.docker.com/registry/spec/deprecated-schema-v1/
e190868d63f8: Pull complete
909cd34c6fd7: Pull complete
0b9bfabab7c1: Pull complete
a3ed95caeb02: Pull complete
f0df993c3aef: Pull complete
09358b20e8bc: Pull complete
5b0e1b98c45e: Pull complete
9c00e77d73a9: Pull complete
fe8e16791cf6: Pull complete
ac8b0ffa2b98: Pull complete
94051df6e066: Pull complete
Digest: sha256:aae15b7ca2827f1d4fcc5b38a238e8a207f1ebc1bd5eef921cef97f5f6262994
Status: Downloaded newer image for opendns/security-ninjas:latest
docker.io/opendns/security-ninjas:latest
```

#### 12.3. Run Container_Security_Ninjas in the background:
```bash
┌──(leonuz㉿sniperhack)-[~/Pentest-Lab]
└─$ docker run -d -p 8899:80 --name Container_Security_Ninjas opendns/security-ninjas
f93fa3070c578e41153e064e3f9479cd94ab4ba9b92e0674b87e9765f1e9b0e7
```

#### 13. To see the IP address of a container, we can look it up from Docker with the command "docker inspect" and the container name
```bash
┌──(leonuz㉿sniperhack)-[~/Pentest-Lab]
└─$ docker inspect Container_Juice_Shop
[
    {
        "Id": "09c91a7efcaab6b973dda8c56015bf34c121fe2ad2b6132e37e1a2b109240db5",
        "Created": "2022-08-02T00:34:41.972916867Z",
        "Path": "/nodejs/bin/node",
        "Args": [
            "/juice-shop/build/app.js"
        ],
        "State": {
            "Status": "running",
            "Running": true,
            "Paused": false,
            "Restarting": false,
            "OOMKilled": false,
            "Dead": false,
            "Pid": 20254,
            "ExitCode": 0,
            "Error": "",
            "StartedAt": "2022-08-02T00:34:42.270421195Z",
            "FinishedAt": "0001-01-01T00:00:00Z"
        },
        "Image": "sha256:0df4899ababb02713f97f72bcc4d514fac0badae3190f4bb231d30628fd0a9a9",
        "ResolvConfPath": "/var/lib/docker/containers/09c91a7efcaab6b973dda8c56015bf34c121fe2ad2b6132e37e1a2b109240db5/resolv.conf",
        "HostnamePath": "/var/lib/docker/containers/09c91a7efcaab6b973dda8c56015bf34c121fe2ad2b6132e37e1a2b109240db5/hostname",
        "HostsPath": "/var/lib/docker/containers/09c91a7efcaab6b973dda8c56015bf34c121fe2ad2b6132e37e1a2b109240db5/hosts",
        "LogPath": "/var/lib/docker/containers/09c91a7efcaab6b973dda8c56015bf34c121fe2ad2b6132e37e1a2b109240db5/09c91a7efcaab6b973dda8c56015bf34c121fe2ad2b6132e37e1a2b109240db5-json.log",
        "Name": "/Container_Juice_Shop",
        "RestartCount": 0,
        "Driver": "overlay2",
        "Platform": "linux",
        "MountLabel": "",
        "ProcessLabel": "",
        "AppArmorProfile": "docker-default",
        "ExecIDs": null,
        "HostConfig": {
            "Binds": null,
            "ContainerIDFile": "",
            "LogConfig": {
                "Type": "json-file",
                "Config": {}
            },
            "NetworkMode": "default",
            "PortBindings": {
                "3000/tcp": [
                    {
                        "HostIp": "",
                        "HostPort": "3000"
                    }
                ]
            },
            "RestartPolicy": {
                "Name": "no",
                "MaximumRetryCount": 0
            },
            "AutoRemove": false,
            "VolumeDriver": "",
            "VolumesFrom": null,
            "CapAdd": null,
            "CapDrop": null,
            "CgroupnsMode": "private",
            "Dns": [],
            "DnsOptions": [],
            "DnsSearch": [],
            "ExtraHosts": null,
            "GroupAdd": null,
            "IpcMode": "private",
            "Cgroup": "",
            "Links": null,
            "OomScoreAdj": 0,
            "PidMode": "",
            "Privileged": false,
            "PublishAllPorts": false,
            "ReadonlyRootfs": false,
            "SecurityOpt": null,
            "UTSMode": "",
            "UsernsMode": "",
            "ShmSize": 67108864,
            "Runtime": "runc",
            "ConsoleSize": [
                0,
                0
            ],
            "Isolation": "",
            "CpuShares": 0,
            "Memory": 0,
            "NanoCpus": 0,
            "CgroupParent": "",
            "BlkioWeight": 0,
            "BlkioWeightDevice": [],
            "BlkioDeviceReadBps": null,
            "BlkioDeviceWriteBps": null,
            "BlkioDeviceReadIOps": null,
            "BlkioDeviceWriteIOps": null,
            "CpuPeriod": 0,
            "CpuQuota": 0,
            "CpuRealtimePeriod": 0,
            "CpuRealtimeRuntime": 0,
            "CpusetCpus": "",
            "CpusetMems": "",
            "Devices": [],
            "DeviceCgroupRules": null,
            "DeviceRequests": null,
            "KernelMemory": 0,
            "KernelMemoryTCP": 0,
            "MemoryReservation": 0,
            "MemorySwap": 0,
            "MemorySwappiness": null,
            "OomKillDisable": null,
            "PidsLimit": null,
            "Ulimits": null,
            "CpuCount": 0,
            "CpuPercent": 0,
            "IOMaximumIOps": 0,
            "IOMaximumBandwidth": 0,
            "MaskedPaths": [
                "/proc/asound",
                "/proc/acpi",
                "/proc/kcore",
                "/proc/keys",
                "/proc/latency_stats",
                "/proc/timer_list",
                "/proc/timer_stats",
                "/proc/sched_debug",
                "/proc/scsi",
                "/sys/firmware"
            ],
            "ReadonlyPaths": [
                "/proc/bus",
                "/proc/fs",
                "/proc/irq",
                "/proc/sys",
                "/proc/sysrq-trigger"
            ]
        },
        "GraphDriver": {
            "Data": {
                "LowerDir": "/var/lib/docker/overlay2/0de7ef0f2b227660610eba873bfca7c1f338845c50dd12c25850c1eb0063f844-init/diff:/var/lib/docker/overlay2/76f2ed7fc1b5dd5da8f8c9a870387bfb514f95ba2309b7b212cac678cdba70aa/diff:/var/lib/docker/overlay2/e8eedff361cc53e25c4dcadf12a0153a637c53efcc29c7343e940d000c8565f6/diff:/var/lib/docker/overlay2/44c2c153ca59bc425c35aed5f821b0f2f48c05a051fca05e29a99f4cb5628091/diff:/var/lib/docker/overlay2/3722edb6374c5b9b4c17dbdae97c2d8e83a320d98eb82686c29bc7763f66b9ad/diff:/var/lib/docker/overlay2/3abdfdf1a7a613cbf79d54a5531e90a764f411ec98db02783dcb43de7ef51714/diff:/var/lib/docker/overlay2/712f15ff03b276935de9e4254e0c446df539b58549eedd67e0d444e77c1feb0b/diff",
                "MergedDir": "/var/lib/docker/overlay2/0de7ef0f2b227660610eba873bfca7c1f338845c50dd12c25850c1eb0063f844/merged",
                "UpperDir": "/var/lib/docker/overlay2/0de7ef0f2b227660610eba873bfca7c1f338845c50dd12c25850c1eb0063f844/diff",
                "WorkDir": "/var/lib/docker/overlay2/0de7ef0f2b227660610eba873bfca7c1f338845c50dd12c25850c1eb0063f844/work"
            },
            "Name": "overlay2"
        },
        "Mounts": [],
        "Config": {
            "Hostname": "09c91a7efcaa",
            "Domainname": "",
            "User": "65532",
            "AttachStdin": false,
            "AttachStdout": false,
            "AttachStderr": false,
            "ExposedPorts": {
                "3000/tcp": {}
            },
            "Tty": false,
            "OpenStdin": false,
            "StdinOnce": false,
            "Env": [
                "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin",
                "SSL_CERT_FILE=/etc/ssl/certs/ca-certificates.crt"
            ],
            "Cmd": [
                "/juice-shop/build/app.js"
            ],
            "Image": "bkimminich/juice-shop",
            "Volumes": null,
            "WorkingDir": "/juice-shop",
            "Entrypoint": [
                "/nodejs/bin/node"
            ],
            "OnBuild": null,
            "Labels": {
                "maintainer": "Bjoern Kimminich <bjoern.kimminich@owasp.org>",
                "org.opencontainers.image.authors": "Bjoern Kimminich <bjoern.kimminich@owasp.org>",
                "org.opencontainers.image.created": "”2022-07-04T15:18:30Z”",
                "org.opencontainers.image.description": "Probably the most modern and sophisticated insecure web application",
                "org.opencontainers.image.documentation": "https://help.owasp-juice.shop",
                "org.opencontainers.image.licenses": "MIT",
                "org.opencontainers.image.revision": "2ed18c9",
                "org.opencontainers.image.source": "https://github.com/juice-shop/juice-shop",
                "org.opencontainers.image.title": "OWASP Juice Shop",
                "org.opencontainers.image.url": "https://owasp-juice.shop",
                "org.opencontainers.image.vendor": "Open Web Application Security Project",
                "org.opencontainers.image.version": "14.1.1"
            }
        },
        "NetworkSettings": {
            "Bridge": "",
            "SandboxID": "1211398d0e279d63c31e8c8484494ded8067efd8de3408934764d59faf15f2bd",
            "HairpinMode": false,
            "LinkLocalIPv6Address": "",
            "LinkLocalIPv6PrefixLen": 0,
            "Ports": {
                "3000/tcp": [
                    {
                        "HostIp": "0.0.0.0",
                        "HostPort": "3000"
                    },
                    {
                        "HostIp": "::",
                        "HostPort": "3000"
                    }
                ]
            },
            "SandboxKey": "/var/run/docker/netns/1211398d0e27",
            "SecondaryIPAddresses": null,
            "SecondaryIPv6Addresses": null,
            "EndpointID": "c990c4b40e1a42c7d3df47087ae16800d9305102b12f73f8d7ab6b44aa671dae",
            "Gateway": "172.17.0.1",
            "GlobalIPv6Address": "",
            "GlobalIPv6PrefixLen": 0,
            "IPAddress": "172.17.0.3",
            "IPPrefixLen": 16,
            "IPv6Gateway": "",
            "MacAddress": "02:42:ac:11:00:03",
            "Networks": {
                "bridge": {
                    "IPAMConfig": null,
                    "Links": null,
                    "Aliases": null,
                    "NetworkID": "f9b24ce955067fa526360e91951674d9cc16de73917d079470587272c6f0127c",
                    "EndpointID": "c990c4b40e1a42c7d3df47087ae16800d9305102b12f73f8d7ab6b44aa671dae",
                    "Gateway": "172.17.0.1",
                    "IPAddress": "172.17.0.3",
                    "IPPrefixLen": 16,
                    "IPv6Gateway": "",
                    "GlobalIPv6Address": "",
                    "GlobalIPv6PrefixLen": 0,
                    "MacAddress": "02:42:ac:11:00:03",
                    "DriverOpts": null
                }
            }
        }
    }
]
```

#### 14. By filtering the output of the above command we can extract just what we need, e.g. the IP address
```bash
┌──(leonuz㉿sniperhack)-[~/Pentest-Lab]
└─$ docker inspect -f '{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}' Container_Juice_Shop
172.17.0.3
```

#### 15. If we want to start over and delete all images and containers, use the following commands
```bash
┌──(leonuz㉿sniperhack)-[~/Pentest-Lab]
└─$ docker container stop $(docker container ls -a -q)
┌──(leonuz㉿sniperhack)-[~/Pentest-Lab]
└─$ docker system prune -a
```

#### 16. With this information we can now begin to find and exploit vulnerabilities.
```bash
┌──(leonuz㉿sniperhack)-[~/Pentest-Lab]
└─$ docker ps -a
CONTAINER ID   IMAGE                     COMMAND                  CREATED          STATUS          PORTS                                       NAMES
f93fa3070c57   opendns/security-ninjas   "/bin/sh -c '/usr/sb…"   8 minutes ago    Up 8 minutes    0.0.0.0:8899->80/tcp, :::8899->80/tcp       Container_Security_Ninjas
09c91a7efcaa   bkimminich/juice-shop     "/nodejs/bin/node /j…"   34 minutes ago   Up 34 minutes   0.0.0.0:3000->3000/tcp, :::3000->3000/tcp   Container_Juice_Shop
ba54ccb86aeb   kalilinux/kali-rolling    "/bin/bash"              4 hours ago      Up 4 hours                                                  Container_Kali
┌──(leonuz㉿sniperhack)-[~/Pentest-Lab]
└─$ docker inspect -f '{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}' Container_Kali
172.17.0.2
┌──(leonuz㉿sniperhack)-[~/Pentest-Lab]
└─$ docker inspect -f '{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}' Container_Juice_Shop
172.17.0.3
┌──(leonuz㉿sniperhack)-[~/Pentest-Lab]
└─$ docker inspect -f '{{range .NetworkSettings.Networks}}{{.IPAddress}}{{end}}' Container_Security_Ninjas
172.17.0.4
```

```bash
┌──(leonuz㉿sniperhack)-[~/Pentest-Lab]
└─$ ip a #OUTPUT REDACTED
1: lo: <LOOPBACK,UP,LOWER_UP>
    inet 127.0.0.1/8 scope host lo
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP>
    inet 192.168.27.154/24 brd 192.168.27.255
3: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP>
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
7: vetheb3c3c4@if6: <BROADCAST,MULTICAST,UP,LOWER_UP>
39: vethbc1a24d@if38: <BROADCAST,MULTICAST,UP,LOWER_UP>
41: veth892cd45@if40: <BROADCAST,MULTICAST,UP,LOWER_UP>
```

---

### Network Diagram

```plantuml
nwdiag {
  internet [ shape = cloud];
  internet -- router ;
  network local-lan {
    router [address = "192.168.27.1" ];
    docker_host [address = "192.168.27.154" ];
  }
  network docker-lan {
    docker_host [address = "172.17.0.1" ];
  }
  group {
    color = "pink";
    Container_Kali [address = "172.17.0.2" ];
    Container1_Juice_Shop [address = "172.17.0.3:3000" ];
    Container2_Security_Ninjas [address = "172.17.0.4:80" ];
  }
}
```

---

### DockerCheatsheet

![](https://i.imgur.com/dcZNXxT.png)

:::info
:information_source: More Info:
- [kali-linux-cheatsheet](https://github.com/NoorQureshi/kali-linux-cheatsheet)
- [The Ultimate Docker Cheat Sheet](https://dockerlabs.collabnix.com/docker/cheatsheet/)
:::

:::info
:information_source: Docker Forensic:
- [Docker Forensics & Why You Shouldn’t Overlook Misconfigurations In Your Containers](https://www.compuquip.com/blog/docker-forensics-and-misconfigurations-in-containers)
- [Docker Forensics](https://book.hacktricks.xyz/generic-methodologies-and-resources/basic-forensic-methodology/docker-forensics)
:::

:::success
:bulb: **[leonuz](https://leonuz.github.io)**
:::
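
The `docker inspect` output in step 13 shows the Juice Shop port published on `0.0.0.0` and `::`, so with `-p 3000:3000` and `-p 8899:80` the deliberately vulnerable apps answer on the host's LAN address (192.168.27.154 in this lab), not only on the docker bridge. The following is an added example, not part of the original write-up: it audits `docker inspect` JSON for ports published beyond loopback. The function names are illustrative, and the sample is constructed: it is trimmed from the output above, plus a hypothetical `Lab_Loopback_Only` container started with `-p 127.0.0.1:8080:80`.

```python
import ipaddress
import json

# Constructed sample: trimmed `docker inspect` records using the field names and
# values shown in step 13. Lab_Loopback_Only is a hypothetical container that
# publishes only on 127.0.0.1 and exposes 443/tcp without publishing it.
SAMPLE_INSPECT = json.loads("""[
 {"Name": "/Container_Juice_Shop", "NetworkSettings": {"Ports": {"3000/tcp": [
   {"HostIp": "0.0.0.0", "HostPort": "3000"}, {"HostIp": "::", "HostPort": "3000"}]}}},
 {"Name": "/Container_Kali", "NetworkSettings": {"Ports": {}}},
 {"Name": "/Lab_Loopback_Only", "NetworkSettings": {"Ports": {
   "80/tcp": [{"HostIp": "127.0.0.1", "HostPort": "8080"}], "443/tcp": null}}}
]""")


def classify_bind(host_ip):
    """Return 'all-interfaces', 'loopback' or 'specific' for a HostIp value."""
    if host_ip == "":  # an empty HostIp means every interface
        return "all-interfaces"
    addr = ipaddress.ip_address(host_ip)
    if addr.is_unspecified:  # 0.0.0.0 or ::
        return "all-interfaces"
    return "loopback" if addr.is_loopback else "specific"


def audit_published_ports(inspect_records):
    """List (container, container_port, host_ip, host_port, scope) tuples."""
    findings = []
    for record in inspect_records:
        name = record["Name"].lstrip("/")
        ports = record.get("NetworkSettings", {}).get("Ports") or {}
        for container_port, bindings in sorted(ports.items()):
            for bind in bindings or []:  # null = exposed but not published
                host_ip = bind.get("HostIp", "")
                findings.append((name, container_port, host_ip,
                                 bind["HostPort"], classify_bind(host_ip)))
    return findings


def lan_reachable(inspect_records):
    """Names of containers with a port published beyond loopback."""
    return sorted({f[0] for f in audit_published_ports(inspect_records)
                   if f[4] != "loopback"})


if __name__ == "__main__":
    for finding in audit_published_ports(SAMPLE_INSPECT):
        print(*finding)
    print("reachable from outside the host:", lan_reachable(SAMPLE_INSPECT))
```

On a live host, pass the parsed output of `docker inspect $(docker ps -q)` instead of the sample. Publishing a lab target as `-p 127.0.0.1:3000:3000` keeps it off the LAN.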