3

I am running a metasploitable2 docker container on a server. Here is the docker command to create this docker container:

docker run --name victumb-it tleemcjr/metasploitable2:latest sh -c "/bin/services.sh && bash" --security-opt apparmor=unconfined -privileged true --network host

I then ran an exploit on a Kali Linux container on a different server targeting the docker image; however, it failed.

use exploit/unix/ftp/vsftpd_234_backdoor
msf5 exploit(unix/ftp/vsftpd_234_backdoor) > set RHOST 134.122.105.88
RHOST => 134.122.105.88
msf5 exploit(unix/ftp/vsftpd_234_backdoor) > run

[-] 134.122.105.88:21 - Exploit failed [unreachable]: Rex::ConnectionTimeout The connection timed out (134.122.105.88:21).

I am confused as to why this exploit failed. Due to the --network host, I thought that the traffic would be mirrored into the container. Is there any way to fix this networking error, so that the hack is successful?

Here is the tutorial I was loosely following: https://medium.com/cyberdefendersprogram/kali-linux-metasploit-getting-started-with-pen-testing-89d28944097b

Mickael B.
Lyra Orwell

1 Answer

2

Because the option --network host should be placed before the image.

Usage: docker run [OPTIONS] IMAGE [COMMAND] [ARG...]

This should work:

docker run --name victumb-it --network host --security-opt apparmor=unconfined --privileged tleemcjr/metasploitable2:latest sh -c "/bin/services.sh && bash"

Here sh is the command, and everything after that is arguments passed to the sh command.

The docker run options like --network, --security-opt and --privileged are placed before the image.


If you run docker inspect container_id you'll see at the Args key the arguments passed to the command. It means they are not arguments to docker run.

Mickael B.
  • Sorry, I get an error with your solution: Unable to find image 'true:latest' locally docker: Error response from daemon: pull access denied for true, repository does not exist or may require 'docker login': denied: requested access to the resource is denied. – Lyra Orwell Apr 30 '20 at 15:17
  • That's because the `--privileged` flag doesn't take any argument so the `true` is considered as the image name. I'll edit, you just need to remove the `true` after `--privileged` – Mickael B. Apr 30 '20 at 15:22
  • B I tried your solution again, but the attack does not work. I believe the issue is that the attack arrives at the server (host) and fails. It never reaches the container. – Lyra Orwell May 02 '20 at 11:45
  • I don't know about the image being used. But you asked about how to connect to the host from the container and that's what my solution does. Now maybe you want to connect to the container from the host, in that case you might want to [expose or publish](https://docs.docker.com/engine/reference/commandline/run/#publish-or-expose-port--p---expose) the container ports using the flags `-p` or `-P`. – Mickael B. May 02 '20 at 12:21
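The argument-order rule from the answer and the `true` image error from the first comment can be checked offline with a small splitter. This is an added example, not code from the answer or from Docker; the option table is a deliberately small subset of real `docker run` flags, and the third command is constructed from the comment thread.

```python
import shlex

# Subset of real `docker run` options, enough for the commands on this page.
TAKES_VALUE = {"--name", "--network", "--security-opt"}
BOOLEAN = {"--privileged", "--rm", "-i", "-t", "-d", "-it"}
LONG_NAMES = {o.lstrip("-") for o in TAKES_VALUE | BOOLEAN if o.startswith("--")}

QUESTION = ('docker run --name victumb-it tleemcjr/metasploitable2:latest '
            'sh -c "/bin/services.sh && bash" --security-opt apparmor=unconfined '
            '-privileged true --network host')
ANSWER = ('docker run --name victumb-it --network host --security-opt '
          'apparmor=unconfined --privileged tleemcjr/metasploitable2:latest '
          'sh -c "/bin/services.sh && bash"')
# Constructed: the answer's command with the stray `true` the comments mention.
WITH_TRUE = ANSWER.replace("--privileged", "--privileged true")


def split_docker_run(cmdline):
    """Split a command line per `docker run [OPTIONS] IMAGE [COMMAND] [ARG...]`."""
    argv = shlex.split(cmdline)
    if argv[:2] != ["docker", "run"]:
        raise ValueError("not a `docker run` command")
    options, i = [], 2
    while i < len(argv) and argv[i].startswith("-"):
        flag = argv[i].split("=", 1)[0]
        if flag in TAKES_VALUE and "=" not in argv[i]:
            options.append(argv[i:i + 2])      # the value is the next token
            i += 2
        elif flag in TAKES_VALUE or flag in BOOLEAN:
            options.append([argv[i]])          # boolean, or --opt=value form
            i += 1
        else:
            raise ValueError(f"option not in this example's table: {argv[i]}")
    if i >= len(argv):
        raise ValueError("no IMAGE found")
    rest = argv[i + 1:]                        # first non-option token is IMAGE
    # Docker-looking flags after IMAGE never reach docker; COMMAND receives them.
    misplaced = [a for a in rest[1:] if a.startswith("-")
                 and a.lstrip("-").split("=", 1)[0] in LONG_NAMES]
    return {"options": options, "image": argv[i], "command": rest[:1],
            "args": rest[1:], "misplaced": misplaced}


if __name__ == "__main__":
    for label, cmd in (("question", QUESTION), ("answer", ANSWER),
                       ("with true", WITH_TRUE)):
        r = split_docker_run(cmd)
        print(f"{label}: image={r['image']!r} misplaced={r['misplaced']}")
```

For the question's command, the `misplaced` list holds the flags that `docker inspect` would show under `Args` instead of in the container's configuration.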