Cat Pictures Write-Up

Cat Pictures is a boot2root room on TryHackMe rated Easy. Initial access to the machine was gained over a custom shell listening on a non-standard port. Later an SSH key could be acquired. After the SSH connection, we have root rights inside a Docker container. Escaping from that container was possible because of a writable script inside the container that was run by a cronjob on the host.

Enumeration

Starting with a full port scan shows that an HTTP server is running on port 8080.

sudo nmap 10.10.16.67 -p- -oN nmap/all_ports

# Nmap 7.91 scan initiated Sun Jun 20 13:15:28 2021 as: nmap -p- -oN nmap/all_ports 10.10.16.67
Nmap scan report for localhost (10.10.16.67)
Host is up (0.044s latency).
Not shown: 65530 closed ports
PORT STATE SERVICE
21/tcp filtered ftp
22/tcp open ssh
2375/tcp filtered docker
4420/tcp open nvm-express
8080/tcp open http-proxy

# Nmap done at Sun Jun 20 13:16:01 2021 -- 1 IP address (1 host up) scanned in 33.38 seconds

The web server on port 8080 is serving phpBB. It contains one forum with one post.

The post reveals that we probably have to do some port knocking.

With the following command I knocked on these four ports: knock -d 1000 10.10.16.67 1111 2222 3333 4444

After that, port 21 was no longer filtered:

It was possible to connect to the FTP server with anonymous login credentials.

I downloaded note.txt, and it revealed a possible username and a password.

I was able to connect to port 4420, and with the password from note.txt I was able to log in.

Inside the home folder of catlover there was an interesting file.

But I was not able to run it through this shell.

So I spawned a reverse shell to my attacker machine.

Now I could run the executable. It asked for a password. The password from the previous note did not work.

I transferred the file to the attacker machine to inspect it. Among the strings I found a possible password.

The password worked and I received an SSH key.

With that key I was able to log in via SSH.

Because of the hostname I assumed that this is a Docker container. With capsh --print I tried to find a vector to escape from the container, but the container was not started in privileged mode. After running LinPEAS I was able to spot an interesting directory.

Inside that directory there was a file called clean.sh. It cleaned the tmp directory. The tmp directory was empty inside the container, so I assumed that this may be running inside a cronjob.

After starting a listener and adding a reverse shell to that file, I received a connection. This time I was outside the container, as root.

Mitigation

Passwords should not be stored in a text file, and they should not be hard-coded into a binary. It is recommended to validate passwords against stored hashes or through a backend service. Additionally, port knocking is not a sound security control. Anonymous FTP login should be disabled if it is not needed. Furthermore, scripts run by host cronjobs, like clean.sh, must not be writable from inside the container.
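As an added example (not part of the original write-up), the following Python script audits the scripts a host crontab runs for exactly the weakness used here: a script that is writable by anyone other than its expected owner, is a symlink, or sits in a world-writable directory. The crontab text and the two sample files are constructed; the parser assumes the system /etc/crontab format with a user field.

```python
"""Audit the scripts a system crontab runs for ownership/permission weaknesses."""
import os
import re
import stat
import tempfile

# A system-crontab job line: five schedule fields, a user, then the command.
CRON_LINE = re.compile(r"^\s*(?:\S+\s+){5}(\S+)\s+(.+)$")


def referenced_scripts(crontab_text):
    """Yield (user, path) for every job whose command starts with an absolute path."""
    for line in crontab_text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#") or "=" in fields[0]:
            continue  # blank, comment, or VAR=value line
        m = CRON_LINE.match(line)
        if m and m.group(2).split()[0].startswith("/"):
            yield m.group(1), m.group(2).split()[0]


def audit_script(path, expected_uid=0):
    """Return findings for one cron-run script; an empty list means it passes."""
    findings = []
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        findings.append("is a symlink (target can be swapped)")
    if st.st_uid != expected_uid:
        findings.append(f"owned by uid {st.st_uid}, expected {expected_uid}")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("group- or world-writable")
    parent = os.stat(os.path.dirname(path))
    if parent.st_mode & stat.S_IWOTH and not parent.st_mode & stat.S_ISVTX:
        findings.append("parent directory is world-writable without sticky bit")
    return findings


def build_demo():
    """Constructed sample: a host crontab pointing at one weak and one sane script."""
    d = tempfile.mkdtemp()
    for name, mode in (("clean.sh", 0o777), ("backup.sh", 0o755)):
        with open(os.path.join(d, name), "w") as f:
            f.write("#!/bin/sh\nrm -rf /tmp/*\n")
        os.chmod(os.path.join(d, name), mode)
    crontab = f"SHELL=/bin/sh\n*/5 * * * * root {d}/clean.sh\n0 3 * * * root {d}/backup.sh -q\n"
    # expected_uid is the current user so the demo runs unprivileged; use 0 on a real host
    return {os.path.basename(p): audit_script(p, os.getuid())
            for _user, p in referenced_scripts(crontab)}


if __name__ == "__main__":
    print(build_demo())
```

On a real host, feed it the contents of /etc/crontab and the files under /etc/cron.d with expected_uid=0; any script that is also bind-mounted into a container is the case this room demonstrates.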

Rabbit