Overview

Kobold is a Medium-difficulty Linux machine featuring Docker escape vulnerabilities and web application exploitation. This machine teaches:

  • Web application reconnaissance
  • CVE exploitation for modern frameworks
  • Docker container breakout techniques
  • Privilege escalation via container permissions

Enumeration

Port Scanning

Initial reconnaissance reveals standard web services and potential custom applications.

Key Services:

  • HTTP web application
  • Possible custom service ports
  • Container management interfaces

Web Application Analysis

The target hosts a web application that appears to be:

  • Built with modern frameworks
  • Potentially vulnerable to known CVEs
  • Running containerized services

Initial Foothold

Vulnerability Discovery

The path to initial access involves:

  1. CVE-2026-23744 - MCPJam Inspector RCE
  2. Exploiting web framework vulnerabilities
  3. Gaining shell access through unsafe deserialization or code execution

Exploitation Hints

Key areas to investigate:

  • Application version disclosure
  • User input handling
  • File upload functionality
  • API endpoints

User Access: Once inside, you'll find yourself in a containerized environment.

Privilege Escalation

Container Analysis

After gaining initial access, examine:

  • Container runtime and permissions
  • Available Docker sockets
  • Group memberships
  • Mounted volumes
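
The checks listed above can be turned into a small audit, shown here as an added example that is not part of the original writeup. It reports which accounts can write to a Docker socket through its owning group and which mount points expose a docker.sock. The user names, GIDs, socket mode and mountinfo lines are constructed sample data, and the /var/run/docker.sock path in the live check is an assumed default.

```python
import os, stat

# Constructed sample data (not taken from the target machine).
SAMPLE_GROUP = "root:x:0:\noperator:x:37:alice\ndocker:x:998:\n"
SAMPLE_PASSWD = ("root:x:0:0:root:/root:/bin/bash\n"
                 "alice:x:1001:1001::/home/alice:/bin/bash\n"
                 "svc:x:1002:37::/home/svc:/bin/sh\n")
SAMPLE_MOUNTINFO = (
    "790 620 0:52 / / rw,relatime - overlay overlay rw\n"
    "812 790 0:25 /docker.sock /run/docker.sock rw,nosuid,nodev - tmpfs tmpfs rw\n")

def group_members(group_text, passwd_text, gid):
    """Users holding gid as a supplementary (/etc/group) or primary (/etc/passwd) group."""
    users = set()
    for line in group_text.splitlines():
        f = line.split(":")
        if len(f) == 4 and f[2] == str(gid):
            users.update(u for u in f[3].split(",") if u)
    for line in passwd_text.splitlines():
        f = line.split(":")
        if len(f) >= 4 and f[3] == str(gid):
            users.add(f[0])
    return sorted(users)

def audit_socket(mode, gid, group_text, passwd_text):
    """Connecting to a Unix socket needs write permission, so test the write bits."""
    findings = []
    if mode & stat.S_IWOTH:
        findings.append("world-writable: any local user can reach the daemon")
    if mode & stat.S_IWGRP and gid != 0:  # gid 0 skipped: root already controls the daemon
        findings += [f"{u}: daemon access via gid {gid}"
                     for u in group_members(group_text, passwd_text, gid)]
    return findings

def mounted_sockets(mountinfo_text):
    """Mount points in /proc/self/mountinfo that expose a docker.sock."""
    hits = []
    for line in mountinfo_text.splitlines():
        f = line.split()  # f[3] = root within the source filesystem, f[4] = mount point
        if len(f) >= 5 and "docker.sock" in (os.path.basename(f[3]), os.path.basename(f[4])):
            hits.append(f[4])
    return hits

if __name__ == "__main__":
    print(audit_socket(0o660, 37, SAMPLE_GROUP, SAMPLE_PASSWD))
    print(mounted_sockets(SAMPLE_MOUNTINFO))
    sock = "/var/run/docker.sock"  # assumed default path
    if os.path.exists(sock):  # live check on the machine running the script
        st = os.stat(sock)
        print(audit_socket(st.st_mode, st.st_gid, open("/etc/group").read(),
                           open("/etc/passwd").read()))
        print(mounted_sockets(open("/proc/self/mountinfo").read()))
```

An empty result from both functions means no non-root account and no bind mount reaches the daemon through the paths checked here.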

Docker Escape

The privilege escalation involves:

  1. Identifying operator group membership
  2. Exploiting Docker socket access
  3. Container breakout to host system
  4. Root access on the underlying host

Key Concepts

  • Understanding Docker socket exploitation
  • Container vs host filesystem access
  • Privilege abuse in containerized environments

Root Flag Location: /root/root.txt (on host system)

Key Takeaways

  • Container security is critical
  • Docker socket exposure is dangerous
  • Group memberships matter
  • Version disclosure aids exploitation

Tools Used

  • nmap - Port scanning
  • gobuster / ffuf - Web enumeration
  • CVE-specific exploits
  • docker commands for escape
  • Standard Linux privilege escalation tools
