## 📄 **Hacklet 1: Privilege Escalation via File Upload**
### 🖥️ **Overview**
This hacklet demonstrates a **file upload vulnerability** in a containerized environment that can be exploited to achieve **remote code execution (RCE)**. If the container runs as **root**, attackers can escalate their privileges and gain unauthorized access to the host system.
---
### 🔴 **Vulnerability: Privilege Escalation via File Upload**
The vulnerability arises from the following issues:
1.**Insecure File Upload Implementation:** The app allows users to upload files without any file type validation.
2.**Root User Execution:** The Docker container runs as **root**, allowing uploaded scripts to be executed with elevated privileges.
---
### ⚔️ **Exploit Steps**
1.**Create a malicious script** named `malicious.sh` with the following content:
```bash
#!/bin/bash
echo"You've been hacked!"
whoami
```
2.**Upload the script** via the Flask app's file upload page at **http://localhost:5000**.
3.**Execute the uploaded script** by visiting the following URL:
```
http://localhost:5000/execute/malicious.sh
```
4.**Expected Output:**
```text
You've been hacked!
root
```
---
### 🔍 **Root Cause Analysis**
The vulnerability exists because:
- The app does not validate the type of uploaded files.
- The Docker container is running as **root**, allowing uploaded files to be executed with **root privileges**.
---
### 🛡️ **Fixes Applied**
1.**Run the Container as a Non-Root User:**
- Updated the **Dockerfile** to create a non-root user and run the app under that user.
**Updated Dockerfile:**
```Dockerfile
# Use a minimal Python image
FROM python:3.9-slim
# Create a non-root user
RUN useradd -m appuser
# Set the working directory
WORKDIR /app
# Copy the necessary files
COPY ./app /app
COPY requirements.txt /app
# Install dependencies
RUN pip install -r requirements.txt
# Change ownership of the working directory
RUN chown -R appuser /app
# Switch to the non-root user
USER appuser
# Expose the port the app runs on
EXPOSE 5000
# Start the Flask app
CMD ["python", "app.py"]
```
2.**Restrict File Types for Upload:**
- Updated the **`upload_file()`** function to allow only specific file types (e.g., images).
| Privilege Escalation via File Upload | Users can upload and execute malicious scripts with root privileges | Run container as non-root user, restrict file types |
---
Would you like me to generate the `.md` file now? 😊