RainyDay
RainyDay
RainyDay 502
RainyDay
RETIRED MACHINE

RainyDay

RainyDay - Linux Linux
RainyDay - Hard Hard

2

MACHINE RATING

643

USER OWNS

544

SYSTEM OWNS

15/10/2022

RELEASED
Created by InfoSecJack

Machine Synopsis

RainyDay is a hard Linux machine that starts with a web application that allows registered users to create and run containers on the remote machine. Enumerating the application it is discovered that registrations are closed. Further enumeration, reveals a REST API endpoint that suffers from an IDOR vulnerability, which leaks sensitive information such as usernames and password hashes. One of these hashes belonging to user `gary` can be cracked, which allows a potential attacker access to the web application. Once logged in, an attacker is able to create Docker containers and execute any command he wants on them. It turns out that the network that the containers are connected to is treated as an `internal` network and can be used to tunnel traffic to the `dev` vhost and the `/api/healthcheck` endpoint. The `healthcheck` endpoint can be used to read the secret token that's used to sign Flask session cookies. With this token, an attacker is able to forge a cookie for the user `jack` and access the container `secrets`. Once inside the container a very peculiar running process is discovered to be sharing its PID with the host system. The `cwd` of the process is linked to the `/home/jack` folder on the host machine. With the SSH key of `jack` in hand, the attacker is able to authenticate to the host machine. There, they discover that they are able to execute Python scripts as the user `jack_adm` but with heavy safety restrictions. These restrictions can be bypassed using a Use-After-Free vulnerability and execute arbitrary commands. The user `jack_adm` is able to execute a hashing script as the user `root`. The script uses the algorithm `bcrypt` which has a maximum length restriction. Due to bad design, an attacker is able to bruteforce the secret `salt` and crack the `root` password that was acquired from the web application. Finally, a password re-use scenario comes in to play and the cracked password works for the `root` user on the remote machine.

Machine Matrix

Ready to start your
hacking journey?