This guide outlines the steps to set up Nginx UI using Docker Compose, create a user, run an exploit, and verify the results within the Docker container.
- Ensure you have Docker and Docker Compose installed on your machine.
- Familiarity with basic command-line operations.
- Download the docker-compose.yml
- Verify that your nginx.conf file has these lines.
Note: in linux (Ubuntu), this file is at /etc/nginx/nginx.conf
http { # ... include /etc/nginx/conf.d/*.conf; include /etc/nginx/sites-enabled/*; }
- Create a local directory www in your working directory. Copy its path and change the first half of line 13 in the docker compose yaml (Just the part before the
:).Line 13 ~/cve_session1/nginx/www - Create your container by:
docker compose up -d
- Wait a couple of minutes and check if the docker image is running:
You should see the nginx docker running.
sudo docker ps
- Login to the nginx UI at http://127.0.0.1:8080/#/login
- Create an admin user accounts. Username: admin , Password: admin.
- Then within the nginx UI create another user: Username: basic , Password: basic. Note: You can create the users with whatever names and password you want. Just make sure to update the python script
- Run the exploit. It is fairly self-explanatory.
- Login to docker and check that the command injection works.
# Get container id first docker ps # Access container shell docker exec -it <container-id> /bin/sh # Check the tmp directory ls -l /tmp