Monday, November 6, 2017

Docker with WolfCMS and MySQL Images Setup

In preparation for an ethical hacking class that I will be teaching, I wanted to work through a few of the Vulnhub images to refresh my knowledge of the tools that can be used, and to provide step-by-step walk-through exercises that students can follow.

This walkthrough assumes you worked through the previous posts on Billu_b0x, Seattle and Zico2.  Items that were explained in those posts will not be explained again.

The idea of using WolfCMS comes from a vulnhub image called SickOS 1.1.  However, I found the SickOS 1.1 image to be unstable so I am going to run WolfCMS through docker.  The vulnhub image can be found here.

Docker makes it really quick to load and unload the images that you would like to use for security testing.  Docker is amazing...

Tools Used:
VMware Workstation 12 Player
PuTTY or SSH client on host computer
Kali Linux Distro VM (Downloaded the VM edition from kali.org)

1 - docker
2 - docker image called wolfcms/wolfcms
3 - docker image called mysql
4 - Create a MySQL user and Set a password for MySQL user


Lab

1.  To set up Docker on the Kali Linux VM I followed the instructions at this link.  I have also recorded in a post some helpful information that you will need to know as we interact with docker, located here.  I am utilizing about 4GB of memory for my Kali VM with 2 processors.

2. Remember that the images that you can pull down from "Docker Hub" are as is and should not be trusted.

3. Alright, to begin let's start the service for docker on Kali.  I am also going to do this through an SSH session from my host to the Kali VM.

Command: service docker start

4. With docker running successfully, I am going to search "Docker Hub" for a wolfcms image.

Command: docker search wolfcms



5. Next we are going to pull down the image from docker hub by running the following command with the full name of the image found.  (The screenshot is not exactly what you will see but will be similar.)

Command: docker pull wolfcms/wolfcms



6.  Now that the image has been pulled, let's run the image in interactive mode.  You will be at a console as if you had connected to it through SSH.

(Optional Command): docker images (You can view if the image was pulled.)
Command: docker run -it wolfcms/wolfcms bash


*Notice that the docker image for wolfcms/wolfcms was created almost 3 years ago. 

7.  Now that you are at the command line of the image, we need to check and see if the apache2 web server is running and serving the pages.  Then start the web server if it is not running and identify the IP Address of the configuration.

Command: service apache2 status
Command: service apache2 start
Command: ifconfig



8.  The IP Address will be unique to your configuration, unless you assign the IP Address yourself, which you can.  With the IP Address of 172.17.0.2 I am going to launch Firefox through X11 forwarding and visit that page as if I was on 172.17.0.2.  If you successfully did this you should see the below screenshot:




9.  Notice that the 2 items we need to take care of at this time are: first, make the config file writeable and then make the public directory writeable.  After we run the below command, then I will click on test again and it should change to "Continue to Install".

Command: cd /var/www/html/wolfcms
Command: chmod 777 config.php (Dangerous to do for any file)
Command: chmod 777 public        (Also dangerous to do for any directory)



10. After you continue to the next step of the installation, you will notice that it is asking for the connection information for a MySQL server.  In the below steps we are going to use docker to pull down a MySQL server image. 

11.  However, prior to moving on: if you were to type "exit" on the connection you have to wolfcms, you would lose the running apache2 server and the changes to the configuration file.  Remember to use Ctrl <p> <q> to leave the interactive console while leaving the image running.

Command: Ctrl <p> <q>

12.  Now let's search for the officially supported MySQL docker image, pull it and run it.

Command: docker search mysql
Command: docker pull mysql
Command: docker run -it mysql bash


13. To set up the mysql server we need to start the service and login as the root account.  The password for the root account is <blank>.

Command: service mysql status
Command: service mysql start
Command: mysql -u root -p


14.  Let's set up a password for the root account.  Then query the root account and explain more of what we are seeing.

Command: Update mysql.user SET authentication_string = PASSWORD('class555!'), password_expired='N' WHERE user='root' and host='localhost';

Command: SELECT user, authentication_string, host FROM mysql.user; (Verify the password was set.)

Command: flush privileges;



15. Notice after you set the password you need to flush privileges.  You can google why that is necessary!  Notice also that the host states that the account is good for the localhost.  The IP Address of the WolfCMS for my image is 172.17.0.2.  I need to create an account that can connect to the MySQL database from that host IP Address.

16.  First, let's create the database wolfcms on the MySQL server.  Create the connect user with the source host being 172.17.0.2 with a password.  Then, grant privileges of the new connect user to have full access to the wolfcms database. 

Command: create database wolfcms;
Command: CREATE USER 'connect'@'172.17.0.2' IDENTIFIED BY 'class555@';
Command: GRANT ALL PRIVILEGES ON wolfcms.* TO 'connect'@'172.17.0.2';



17.  After this is set up, go back and input the database settings in the WolfCMS configuration page.  Input the IP Address assigned to the MySQL docker image.  (To find it, you may need to update the repository and install net-tools from the command line: apt-get update; apt-get install net-tools; ifconfig).  Then click "Install Now!".


18. If the installation was successful you should see the below screen.  Notice that the admin password is randomly created.  Remember it, until you change it.  Then follow the install actions listed below.

19.  To complete the "Post install actions", you need to disconnect with Ctrl <p> <q> from the mysql image, unless you have a console open for each.  Then reattach to the wolfcms image; you can do this by calling the Nick Name of "elastic_hopper" or whatever is assigned.

Command: Ctrl <p> <q>
Command: docker ps (Verifies both images are running and displays name)
Command: docker attach elastic_hopper


20.  Now that we are reconnected we can remove the install folder, remove the write privileges on the config.php file and remove the docs/ folder and readme.txt.

Command: rm -rf wolf/install
Command: chmod 444 config.php
Command: rm -rf docs
Command: rm README.md
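
A check to run inside the wolfcms container after these commands, as an added example that is not part of the original post: it confirms the install and docs folders are gone and config.php is read-only, and lists anything still world-writable from the chmod 777 in step 9 (the public directory is not reset by the commands above).  The function name audit_wolfcms is made up for this example; the paths are the ones used in the steps.

```shell
#!/usr/bin/env bash
# Added example (not from the original post). audit_wolfcms is a made-up name;
# the paths are the ones used in steps 9 and 20.
# Returns the number of findings, so 0 means the webroot passed.
audit_wolfcms() {
  local root="${1:-/var/www/html/wolfcms}" findings=0 p list
  [ -d "$root" ] || { echo "no such directory: $root"; return 255; }

  # Step 20: the installer and the docs folder must be gone.
  for p in wolf/install docs; do
    if [ -e "$root/$p" ]; then
      echo "FAIL: $p still present"
      findings=$((findings + 1))
    fi
  done

  # Step 20: config.php must have no write bit for owner, group or other.
  p=$(find "$root/config.php" \( -perm -200 -o -perm -020 -o -perm -002 \) 2>/dev/null)
  if [ -n "$p" ]; then
    echo "FAIL: config.php is writable"
    findings=$((findings + 1))
  fi

  # Step 9 leftovers: anything else that is still world-writable.
  list=$(find "$root" ! -type l ! -path "$root/config.php" -perm -002 2>/dev/null)
  if [ -n "$list" ]; then
    while IFS= read -r p; do
      echo "FAIL: world-writable: ${p#"$root"/}"
      findings=$((findings + 1))
    done <<EOF
$list
EOF
  fi
  return "$findings"
}
```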


21.  Then navigate to the login page of the wolfcms at http://172.17.0.2/?/admin.  Input admin for the username and the provided random password.  If you did everything correctly you should see the following screenshot, with a warning that a newer version is available.


22.  Wow! That took some work, but honestly it is easier than building a VM.  However, let's save our work and commit the docker images so we do not lose the configuration.  Also, if we do this and then break the running instances of the images by running security testing on them, we can close the running instances and spin up new ones.
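
The commit step described above, as an added example that is not part of the original post: it builds one docker commit command per running container and flags containers with volumes, because docker commit does not capture volume data and the official mysql image keeps /var/lib/mysql in a volume.  The lab/ repository prefix, the configured tag, the name example_mysql and the sample volume id are assumptions; elastic_hopper is the name from step 19.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): plan a "docker commit" for each
# running lab container. The lab/ prefix and "configured" tag are assumptions.

# stdin:  one "NAME IMAGE [MOUNTS]" line per container, i.e. the output of
#           docker ps --format '{{.Names}} {{.Image}} {{.Mounts}}'
# stdout: shell commands, with a comment line wherever a volume is attached.
plan_commits() {
  local tag="${1:-configured}" name image mounts repo
  while read -r name image mounts; do
    [ -n "$name" ] || continue
    repo="${image##*/}"   # wolfcms/wolfcms -> wolfcms
    repo="${repo%%:*}"    # mysql:5.7       -> mysql
    if [ -n "$mounts" ]; then
      # docker commit does not include data stored in volumes.
      echo "# WARNING: $name has volume(s) $mounts; their data is NOT in the image"
    fi
    echo "docker commit $name lab/$repo:$tag"
  done
}

# Constructed sample of the docker ps output (example_mysql and the volume id
# are made up; elastic_hopper is the container name from step 19).
SAMPLE_PS='elastic_hopper wolfcms/wolfcms
example_mysql mysql 0f3c9a1b7e5d'

if [ "${1:-}" = "--apply" ]; then
  # Real run: read the live container list and execute the planned commands.
  docker ps --format '{{.Names}} {{.Image}} {{.Mounts}}' | plan_commits | sh
else
  # Dry run: show the plan for the constructed sample.
  printf '%s\n' "$SAMPLE_PS" | plan_commits
fi
```

The committed wolfcms image contains config.php with the database password from step 16, so keep it local rather than pushing it to a registry.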



We will use these docker images in a future post walking through some vulnerabilities found.  I am not able to release the post yet due to responsibly re-disclosing vulnerabilities to the authors of the software.

I wanted to go through the detail of setting up images with docker for security testing.  This can be used to set up and configure multiple images.  Here are a few images you can use for security testing and there are many more:

Command: docker search <keyword>

Keywords:
bwapp - Broken Web Applications
metasploitable - Metasploitable - Many tutorials exist for this image
OWASP - Tools that are created by OWASP including Zap, etc.
...and many more...
