
Vulnerable Docker VM - Virtual Docker and Pentesting Puzzle





The British company NotSoSecure, which specializes in penetration testing and IT security in general, presented a puzzle for Docker specialists called Vulnerable Docker VM.



The virtual machine image prepared by the authors is intended for those who “dreamed of playing with incorrect Docker configurations, privilege escalation, etc. in a container.” The image, based on the Ubuntu 14.04 Linux distribution, is available for download in OVA format (it can be run, for example, in VirtualBox) on the project page and is licensed under the GPL (i.e., modification and further distribution are allowed under the same conditions).


The puzzle has two modes (or levels):





The level is selected in GRUB when the operating system boots:







The task is to find 3 flag files placed “among the various machines / systems available to you” (all flags are present in both task modes) and to get root access to the host machine. The security issues built into the image may lie both in misconfigured services and in traditional vulnerabilities. According to one of the authors of Vulnerable Docker VM, these problems were found in real environments during pen tests carried out by his company.



There is no prize for completing this quest. So ... try it just for fun!



A little help ...
The authors of the image promise to publish details on its creation and assembly (including Dockerfiles) soon, but for now they are answering questions from those trying to complete the quest in the comments on Reddit. Tips from the participants themselves may also appear there.


P.S. I also liked the idea of this puzzle because we have been practicing something similar as a test task for selecting candidates for many years ... and experience has shown that they really have fun with it.

Source: https://habr.com/ru/post/337154/


