Description
Obtain RCE on the host wp.edu.stf (10.124.1.234) via Docker Escape.
To get the flag, run the script /home/rceflag.
<aside> 💡
Favorite challenge in the bootcamp so far: it chains multiple exploits, a pivot, and finally a Docker escape.
</aside>
First, I ran an Nmap service scan. Only SSH and HTTP were open, and the web server (Apache 2.4.51) was hosting a WordPress 5.8.3 site.
Starting Nmap 7.95 ( <https://nmap.org> ) at 2025-09-07 13:58 EDT
Nmap scan report for wp.edu.stf (10.124.1.234)
Host is up (0.26s latency).
Not shown: 998 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.13 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 a0:a6:bf:46:80:cb:e0:d6:0c:b1:95:e4:23:27:db:9e (RSA)
| 256 3b:98:06:f7:83:27:49:1e:d0:ba:b8:7b:05:86:32:c8 (ECDSA)
|_ 256 29:9c:93:55:8c:fd:09:83:cd:33:14:45:bc:46:51:e0 (ED25519)
80/tcp open http Apache httpd 2.4.51 ((Debian))
|_http-generator: WordPress 5.8.3
|_http-title: site – Just another WordPress site
| http-robots.txt: 1 disallowed entry
|_/wp-admin/
|_http-server-header: Apache/2.4.51 (Debian)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at <https://nmap.org/submit/> .
Nmap done: 1 IP address (1 host up) scanned in 17.26 seconds
Since it was a WordPress site, I ran WPScan with user, plugin and theme enumeration. It identified the Simple File List plugin as out of date, with 11 known vulnerabilities, the first of which is an unauthenticated arbitrary file upload leading to RCE.
┌──(kali㉿kali)-[~/Desktop]
└─$ wpscan --url <http://wp.edu.stf> --enumerate u,ap,at,tt,cb,dbe --api-token xxxxxxxxxx
WordPress Security Scanner by the WPScan Team
Version 3.8.28
Sponsored by Automattic - <https://automattic.com/>
@_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
[i] It seems like you have not updated the database for some time.
[+] URL: <http://wp.edu.stf/> [10.124.1.234]
[+] Started: Sun Sep 7 14:01:31 2025
Interesting Finding(s):
[+] Headers
| Interesting Entries:
| - Server: Apache/2.4.51 (Debian)
| - X-Powered-By: PHP/7.4.27
| Found By: Headers (Passive Detection)
| Confidence: 100%
[+] robots.txt found: <http://wp.edu.stf/robots.txt>
| Interesting Entries:
| - /wp-admin/
| - /wp-admin/admin-ajax.php
| Found By: Robots Txt (Aggressive Detection)
| Confidence: 100%
[...]
[i] Plugin(s) Identified:
[+] simple-file-list
| Location: <http://wp.edu.stf/wp-content/plugins/simple-file-list/>
| Last Updated: 2025-07-03T17:02:00.000Z
| [!] The version is out of date, the latest version is 6.1.15
|
| Found By: Urls In Homepage (Passive Detection)
| Confirmed By: Urls In 404 Page (Passive Detection)
|
| [!] 11 vulnerabilities identified:
|
| [!] Title: Simple File List < 4.2.3 - Unauthenticated Arbitrary File Upload RCE
| Fixed in: 4.2.3
| References:
| - <https://wpscan.com/vulnerability/365da9c5-a8d0-45f6-863c-1b1926ffd574>
| - <https://simplefilelist.com/>
| - <https://plugins.trac.wordpress.org/changeset/2286920/simple-file-list>
| - <https://packetstormsecurity.com/files/160221/>
|
| [!] Title: Simple File List < 4.2.8 - Authenticated Arbitrary File Deletion
| Fixed in: 4.2.8
| References:
| - <https://wpscan.com/vulnerability/422360b9-4c70-4fd9-9833-375f1294bd7a>
| - <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-12832>
| - <https://ctulhu.me/2020/05/16/cve-2020-12832/>
|
| [!] Title: Simple File List < 4.4.12 - Reflected Cross-Site Scripting
| Fixed in: 4.4.12
| References:
| - <https://wpscan.com/vulnerability/2e829bbe-1843-496d-a852-4150fa6d1f7a>
| - <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3062>
Check out: WordPress Plugin Simple File List 4.2.2 - Arbitrary File Upload
Then, as usual, whenever I discover an exploit, I first search for it in Metasploit.