Cat Pictures is a boot2root room on TryHackMe. It has Easy difficulty. Initial access on the machine has been done over a custom shell and port. Later an SSH key could be acquired. After the SSH connection, we have root rights inside a Docker container. Escaping from that container was possible due to a writeable script inside the container, which was run in a cronjob outside the container.
Starting with a full port scan shows that an HTTP Server is running on port 8080.
sudo nmap 10.10.16.67 -p- -oN nmap/all_ports
# Nmap 7.91 scan initiated Sun Jun 20 13:15:28 2021 as: nmap -p- -oN nmap/all_ports 10.10.16.67
Nmap scan report for localhost (10.10.16.67)
Host is up (0.044s latency).
Not shown: 65530 closed ports
PORT STATE SERVICE
21/tcp filtered ftp
22/tcp open ssh
2375/tcp filtered docker
4420/tcp open nvm-express
8080/tcp open http-proxy
# Nmap done at Sun Jun 20 13:16:01 2021 -- 1 IP address (1 host up) scanned in 33.38 seconds
The web server on port 8080 is serving phpBB. It contains one forum with one post.
The post reveals that we probably have to do some port knocking.
With the following command I have knocked on these four ports:
knock -d 1000 10.10.16.67 1111 2222 3333 4444
After port 21 was not filtered anymore:
It was possible to connect to the FTP server with anonymous login credentials.
I have downloaded
note.txt and it revealed a possible username and a password.
I was able to connect to port 4420. With the password from
note.txt I was able to login.
Inside the home folder of
catlover there was an interesting file.
But I was not able to run it through this shell.
So I have spawned a reverse shell to my attacker machine.
Now I could run the executable. It asked for a password. The password from previous note did not work.
I have transfered the file to the attacker machine to inspect it. Inside the strings I’ve found a possible password.
The password worked and I have received an SSH key.
With that key I was able to login via SSH.
Because of the hostname I assumed that this is a Docker container. With
capsh --print I tried to find a vector to escape from the container. But the container was not started in privileged mode. After running LinPeas I was able to spot an interesting directory.
Inside that directory there was a file called
clean.sh . It cleaned the tmp directory. The tmp directory was empty inside the container. So I assumed that this may be running inside a cronjob.
After starting a listener and adding a reverse shell into that file, I received a connection. This time I was outside the container as root.
Passwords should not be stored in a text file. Also passwords should not be hard coded into a binary. It is recommended to use hashes or a backend web service to validate the password. Additionaly port knocking is not a good security practice. Also anonymous login for FTP should be disabled if not needed. Furthermore scripts of cronjobs, like
clean.sh should not be writeable from inside the container.