finding a backdoor on a compromised wordpress docker container.

This machine is from pentester academy’s attack defense labs.

Machine name: System Backdoor


after accessing the machine, now let’s try to check the containers running on the target host

> docker ps

Now observer the container….. it’s a lamp-wordpress container.

Now we’ll run a command to check for changes made to the container after starting.

> docker diff wordpress

Look closely, noticed that the /etc/shadow file is changed. now let’s grep out the result

> docker diff wordpress | grep -i /etc/shadow

Copy the file from the container to the present working directory on the host machine.

> docker cp container id:/etc/shadow <new filename>

let’s view the content of the file we just copied to our host machine

> cat /etc/shadow

Now from here we will have to start a new container with the docker image lamp-wordpress and also copy the /etc/shadow file. This will allow us compare both files and also notice the changes that has been made and also see the backdoor the attack created to gain persistence to the docker container.

let’s start by starting a new container

> docker run -d lamp-wordpress

Now let’s copy the shadow file from the newly started container

> docker cp <container id>:/etc/shadow <newfile name>

After copying the file, now it’s time to check the modification made by the attacker by using a tool called diff

> diff shadowfile shadow

Now we know that the attacker created a new account on the compromised docker container, which acts as a backdoor for the attacker to access the container.

Courtesy of Attack Defense labs.