Cat Pictures Write-Up

Cat Pictures is a boot2root room on TryHackMe rated Easy. Initial access to the machine was gained through a custom shell listening on a non-standard port. Later an SSH key could be acquired. After connecting via SSH, we have root rights inside a Docker container. Escaping from that container was possible because of a writable script inside the container that was run by a cronjob outside the container.

Enumeration

sudo nmap 10.10.16.67 -p- -oN nmap/all_ports

# Nmap 7.91 scan initiated Sun Jun 20 13:15:28 2021 as: nmap -p- -oN nmap/all_ports 10.10.16.67
Nmap scan report for localhost (10.10.16.67)
Host is up (0.044s latency).
Not shown: 65530 closed ports
PORT STATE SERVICE
21/tcp filtered ftp
22/tcp open ssh
2375/tcp filtered docker
4420/tcp open nvm-express
8080/tcp open http-proxy

# Nmap done at Sun Jun 20 13:16:01 2021 -- 1 IP address (1 host up) scanned in 33.38 seconds

The web server on port 8080 is serving phpBB. It contains one forum with one post.

The post reveals that we probably have to do some port knocking.

With the following command I knocked on these four ports: knock -d 1000 10.10.16.67 1111 2222 3333 4444

After that, port 21 was no longer filtered:

It was possible to connect to the FTP server with anonymous credentials.

I downloaded note.txt, which revealed a possible username and a password.

I was able to connect to port 4420 and log in with the password from note.txt.

Inside the home folder of catlover there was an interesting file.

But I was not able to run it through this shell.

So I spawned a reverse shell to my attacker machine.

Now I could run the executable. It asked for a password, but the password from the previous note did not work.

I transferred the file to the attacker machine to inspect it. Among its strings I found a possible password.

The password worked and I received an SSH key.

With that key I was able to login via SSH.

Because of the hostname I assumed this was a Docker container. With capsh --print I tried to find a vector to escape from the container, but the container was not started in privileged mode. After running LinPEAS I spotted an interesting directory.

Inside that directory there was a file called clean.sh that cleaned the tmp directory. The tmp directory inside the container was empty, so I assumed the script was being run by a cronjob, most likely on the host.

After starting a listener and adding a reverse shell to that file, I received a connection. This time I was outside the container, as root.

Mitigation
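The escape above works because a script that root's cron runs on the host is writable from inside the container. The following is an added example (not part of the original write-up and not a tool from the room) showing how a defender can audit system-crontab entries for exactly that condition: every job's script is checked for group/other write permission. All paths, crontab lines and file names below are constructed for the demo.

```sh
#!/bin/sh
# Added example, not part of the original write-up: audit system-crontab
# entries for job scripts that a non-root user (or a container that has the
# directory bind-mounted) could modify. All paths and crontab lines are
# constructed for the demo.

# cron_commands: print the program path of each job in system-crontab format
# (min hour dom mon dow user command), handling @hourly-style schedules and
# skipping comments and blank lines.
cron_commands() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        $1 ~ /^@/ { print $3; next }   # "@hourly user command"
        NF >= 7   { print $7 }         # five time fields, user, command
    '
}

# writable_by_non_owner: exit 0 when the mode string grants write to group or
# other (characters 6 and 9 of the ls -l mode field); ACLs are not considered.
writable_by_non_owner() {
    [ -e "$1" ] || return 2
    mode=$(ls -ld "$1" | cut -c1-10)
    case "$mode" in
        ?????w*|????????w?) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_cron: print one line per job (RISK / ok / missing) and return the
# number of risky scripts as the exit status. Paths containing whitespace are
# not handled, which is acceptable for a demo.
audit_cron() {
    risky=0
    for p in $(cron_commands "$1"); do
        if [ ! -e "$p" ]; then
            printf 'missing %s\n' "$p"
        elif writable_by_non_owner "$p"; then
            printf 'RISK %s is writable by group/other but run by root cron\n' "$p"
            risky=$((risky + 1))
        else
            printf 'ok %s\n' "$p"
        fi
    done
    return "$risky"
}

# make_sample_tree: create two constructed job scripts under $1, one with the
# weak mode 0777 (the clean.sh situation) and one with a sane 0755.
make_sample_tree() {
    printf '#!/bin/sh\necho cleaning\n' > "$1/clean.sh"
    printf '#!/bin/sh\necho backup\n' > "$1/backup.sh"
    chmod 0777 "$1/clean.sh"
    chmod 0755 "$1/backup.sh"
}

# demo: build the sample tree in a temp dir and audit a constructed crontab
# (the third entry points at a script that does not exist).
demo() {
    d=$(mktemp -d)
    make_sample_tree "$d"
    audit_cron "* * * * * root $d/clean.sh
0 3 * * * root $d/backup.sh
@hourly root $d/rotate.sh" || printf 'risky entries: %s\n' "$?"
    rm -rf "$d"
}

if [ "${1:-}" = "--demo" ]; then
    demo
fi
```

Run it as `sh audit.sh --demo` to see the constructed case; on a real host, feed `audit_cron` the contents of /etc/crontab and the files under /etc/cron.d. The fix for a finding is the obvious one: make the script owned by root with mode 0755 or stricter, and do not bind-mount the directory containing it into containers with write access.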
