Before we proceed with how to setup cloud/self hosted services securely, let’s go over some of the things that would be needed for this tutorial.Also the installations command is given keeping Debian like systems in mind, but can easily be found for other systems with a simple web search.

Docker : Install docker and docker-compose
- sudo apt install docker.io
- sudo apt install docker-compose-plugin
- sudo usermod -aG docker $USER
- newgrp docker
In firewall configurations, open port 443 to internet, can be done either of given ways:
- sudo ufw allow https (for homeserver)
- Open port 443 in cloud firewall/network (for cloud setup)
Also open port 80 in cloud firewall/network if using http for domain validation.
Either buy a domain through domain providers or visit Duckdns to get free dynamic dns.

Setting up SWAG container

SWAG sets up an Nginx webserver and reverse proxy with php support and a built-in certbot client that automates free SSL server certificate generation and renewal processes (Let’s Encrypt and ZeroSSL). It also contains fail2ban for intrusion prevention.

Here, I will be giving two swag.yml docker-compose files, which can be used alternatively depending upon whether you use some domain providers or duckdns.

Using Domain Providers

version: "2.1"
services:
  swag:
    image: lscr.io/linuxserver/swag
    container_name: swag
    cap_add:
      - NET_ADMIN
    environment:
      - PUID=1000 # your user and group ids
      - PGID=1000 # get it with typing `id` in terminal
      - TZ=Asia/Kolkata # Docker available time zone regions
      - URL=your-domain.com  # the domain name that you bought
      - SUBDOMAINS=www,jellyfin,code-server # the subdomains which serves the specific services
      - VALIDATION=http
    volumes:
      - ./swag:/config
    ports:
      - 443:443
      - 80:80
    restart: unless-stopped

We will be using http validation to validate domain ownership. Visit your domain providers console’s manage dns section and follow the given steps to configure it correctly:

configure A records, add:
- www . your-domain.com
- your-domain.com
configure CNAME for each service you want to run, for each CNAME we need to configure hostname and value as:
- CNAME (for service 1 : let’s say code-server)
  - Hostname : code-server.your-domain.com
  - Value : www . your-domain.com
- CNAME (for service 2 : let’s say jellyfin)
  - Hostname : jellyfin.your-domain.com
  - Value : www . your-domain.com
- In similar way, we can add as many as CNAMEs as number of services.

Using Dynamic DNS(DuckDns)

---                                                 
version: "2.1"                                      
services:                                           
  swag:                                             
    image: lscr.io/linuxserver/swag                 
    container_name: swag                            
    cap_add:                                        
      - NET_ADMIN                                   
    environment:                                    
      - PUID=1000                                   
      - PGID=1000                                   
      - TZ=Asia/Kolkata                             
      - URL=your-domain.duckdns.org                 
      - SUBDOMAINS=wildcard                         
      - VALIDATION=duckdns                          
      - DUCKDNSTOKEN=97654867496t4657382648659765854
    volumes:                                        
      - ./swag:/config                              
    ports:                                          
      - 443:443                                     
      - 80:80                                       
    restart: unless-stopped

Here, we won’t need to do anything if we are following default container names, so visit following subdomain after setup for:

code-server : code-server.your-domain.duckdns.org
jellyfin : jellyfin.your-domain.duckdns.org

Now, following either one of the way from above , we are ready to fire up our swag container, we can do so by running:

docker compose -f swag.yml up -d

Only if the domain name configurations are done properly the nginx server on swag container will start.

Check docker logs swag -f to verify if swag is successfully running without errors, it should have printed `server ready` otherwise reconfigure swag yaml file and domain name and recreate the swag container.

Before moving ahead, we need to create a user defined network and add swag container to that network, also we would add all subsequent docker containers to this network for inter-network connectivity. To do this:

docker network create -d bridge my_network
docker network connect my_network containerId

Setting up Individual Apps

Setting up Jellyfin media server along with transmission torrent(transmission won’t be open to internet in this example), create a jellyfin.yml file with following content:

---                                                      
version: "2.1"                                           
services:                                                
  transmission:                                          
    image: lscr.io/linuxserver/transmission:latest       
    container_name: transmission                         
    environment:                                         
      - PUID=1000                                        
      - PGID=1000                                        
      - TZ=Asia/Kolkata                                  
      - TRANSMISSION_WEB_HOME= #optional                 
      - USER=admin #optional                             
      - PASS=password #optional                          
      - PEERPORT=51413                                   
    volumes:                                             
      - ./transmission/data:/config                      
      - ./shared/downloads:/downloads                    
    ports:                                               
      - 9091:9091                                        
      - 51413:51413                                      
      - 51413:51413/udp                                  
    restart: unless-stopped                              
  jellyfin:                                              
    image: lscr.io/linuxserver/jellyfin:latest           
    container_name: jellyfin                             
    environment:                                         
      - PUID=1000                                        
      - PGID=1000                                        
      - TZ=Asia/Kolkata                                  
      - JELLYFIN_PublishedServerUrl=192.168.0.5 #optional
    volumes:                                             
      - ./jellyfin/config:/config                        
      - ./shared/downloads:/data/to_watch                
    ports:                                               
      - 8096:8096                                        
      - 8920:8920 #optional                              
      - 7359:7359/udp #optional                          
      - 1900:1900/udp #optional                          
    restart: unless-stopped

now enter inside swag container using command ,

docker exec -it swag_container_id bash

and do following mentioned things:

cd /config/nginx/proxy-confs/
mv jellyfin.subdomain.conf.sample jellyfin.subdomain.conf
restart the swag container

Also add this container to user defined bridge network:

docker network connect my_network jellyfin_containerId

2. Setting up code-server with password authentication, create a code-server.yml with below content:

---
version: "2.1"
services:
  code-server:
    image: lscr.io/linuxserver/code-server:latest
    container_name: code-server
    environment:
      - PUID=1000
      - PGID=1000
      - TZ=Asia/Kolkata
      - PASSWORD=password1
      - SUDO_PASSWORD=password2
      - DEFAULT_WORKSPACE=/config/workspace #optional
    volumes:
      - ./code-server/config:/config
    ports:
      - 8443:8443
    restart: unless-stopped

Do again same as above as entering in swag container and moving files and restarting it along with adding code-server container to the user defined bridge network.

Now, we are done, we can access our containers now and they will look something like this:

Jellyfin: visit https://jellyfin.your-domain.com

Code Server: visit https://code-server.your-domain.com

In similar ways, we can host numerous services securely with very minimal attack surface available to exploit by malicious entities.

IMPORTANT – As you keep on adding more services, keep in mind to append them to swag container’s SUBDOMAINS environment variable and recreate the swag container.

Please refer linuxserver.io for even more awesome services and more detailed explanation for swag .

Happy hacking !

TryHackMe Room : https://tryhackme.com/room/easyctf

Aim : To get to the root of the machine and read the flag file.

Difficulty Level : Easy

Connect to the TryHackMe network using openvpn:

sudo openvpn /path/to/username.ovpn

Scanning and Enumeration

1. How many services are running under port 1000?

sudo nmap -sV --script vuln -p1-10000 -vv "Target Ip"

we have 3 services running on ports 21, 80 , 2222 . we also have a page “/robots.txt” , though it gives us no useful results .

2 .What is running on the higher port?

From above nmap scan , the service running on highest port(2222) is ssh .

3 . What’s the CVE you’re using against the application?

To answer the above question we need to do some more enumeration. I will use tools such as “nikto” and “gobuster” for this purpose .

nikto -h "Target IP:

we just get the same “robots.txt” here too

We can enumerate the entire domain and can use directory busting to see if there is any thing of interest .Using “gobuster” :

gobuster dir -u "target_ip" -w wordlists/small.txt -t 200 -x .php -q

we got “/simple”,we should check what is there.

upon visiting the url , “/simple” is a CMS system .we also get a version at the very bottom left hand corner of the page:

To know about the exploits in this version of CMS Made Simple, let’s see exploit-db .

The answer to our 3rd question, we will use: ***CVE-2019-9053***

4. To what kind of vulnerability is the application vulnerable?

It’s already given in above image, SQL Injection.

Exploitation

5. What’s the password?

Now to crack the password , I should at least have a username to bruteforce against. Since on the target machine ftp port 21 is open, it is wise to see if anonymous login is available or not:

we can use any password in most cases of anonymous login

ftp "target IP"

upon doing successful anonymous login , we have a text file and an Idea of username for the target machine.

Now on trying hydra to crack the password for username “mitch”:

hydra -l mitch -P rockyou.txt ssh://10.10.246.98:2222

woah , we have a password . So this will be the answer for this question.

6. Where can you login with the details obtained?

7. What’s the user flag?

we also have an ssh port at 2222 open , doing ssh using credentials for “mitch“:

ssh mitch@10.10.246.98 -p 2222

The output of last command give us the user flag (ques7), answer to question 6 will be **ssh**.

8. Is there any other user in the home directory? What’s its name?

ls /home

we have one more user ,this will be the answer .

9 . What can you leverage to spawn a privileged shell?

Now , this question is interesting , we need to check the system privilege for user “mitch” :

sudo -l

so , vim will be used to spawn a privileged shell

10. What’s the root flag?

we have permission to run vim as root , with no password required. Doing a little bit of googling , I got this :

Running this command as root :

sudo vim -c ':!/bin/sh'

we can now find the root flag by :

ls /root -la

The output of last command give us the root flag!

The Machine has been conquered .

Tag: ssh

TryHackMe : Simple CTF

Scanning and Enumeration

Exploitation