Cat Pictures Write-Up

Cat Pictures is a boot2root room on TryHackMe rated Easy. Initial access to the machine was gained over a custom shell listening on a non-standard port. Later an SSH key could be acquired. After connecting over SSH, we have root rights inside a Docker container. Escaping from that container was possible because of a writable script inside the container that was run by a cronjob outside the container.

Enumeration

A full port scan shows that an HTTP server is running on port 8080.

The web server on port 8080 is serving phpBB. It contains one forum with one post.

The post reveals that we probably have to do some port knocking.

With the following command I knocked on these four ports: knock -d 1000 10.10.16.67 1111 2222 3333 4444

Afterwards, port 21 was no longer filtered.

It was possible to connect to the FTP server with anonymous login credentials.

I downloaded note.txt, which revealed a possible username and a password.

I was also able to connect to port 4420. With the password from note.txt I was able to log in.

Inside the home folder of catlover there was an interesting file.

But I was not able to run it through this shell.

So I spawned a reverse shell to my attacker machine.

Now I could run the executable. It asked for a password, but the password from the previous note did not work.

I transferred the file to the attacker machine to inspect it. Among its strings I found a possible password.

The password worked and I received an SSH key.

With that key I was able to log in via SSH.

Because of the hostname I assumed that this was a Docker container. With capsh --print I tried to find a vector to escape from the container, but the container was not started in privileged mode. After running LinPEAS I spotted an interesting directory.

Inside that directory there was a file called clean.sh. It cleaned the tmp directory. The tmp directory was empty inside the container, so I assumed that this script was being run by a cronjob.

After starting a listener and adding a reverse shell to that file, I received a connection. This time I was outside the container, as root.

Mitigation

Passwords should not be stored in a text file. Also, passwords should not be hard-coded into a binary. It is recommended to use hashes or a backend web service to validate the password. Additionally, port knocking is not a good security practice. Also, anonymous login for FTP should be disabled if not needed. Furthermore, scripts run by cronjobs, like clean.sh, should not be writable from inside the container.
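To check a host for the last weakness described above, here is an added audit script of my own (not part of the room or the original write-up). It assumes an /etc/crontab-style file and a mount list in "<host-path> <true|false>" form, which docker inspect can produce with the template given in the comments; the crontab, scripts and mount list below are a constructed fixture.

```shell
# Constructed audit helper (not from the write-up). Flags cron-launched scripts
# a container could tamper with: group/world-writable files, and files under a
# host directory bind-mounted read-write into a container. Assumed mount-list
# format: "<host-path> <true|false>" per line, e.g. produced with
# docker inspect -f '{{range .Mounts}}{{.Source}} {{.RW}}{{"\n"}}{{end}}' <id>

# Print the script path behind a cron command, skipping a leading interpreter.
cron_script_path() {
  set -- $1                       # split the command field into words
  case "$1" in
    sh|bash|*/sh|*/bash) shift ;; # "/bin/bash /opt/clean/clean.sh" -> script
  esac
  printf '%s\n' "$1"
}

# audit_cron_scripts CRONTAB MOUNTS: CRONTAB uses the /etc/crontab layout
# (min hour dom mon dow user command). Emits "WRITABLE <path>" and/or
# "BIND_MOUNTED <path> (<host-dir>)" for every finding.
audit_cron_scripts() {
  grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$1" |
  while read -r _min _hour _dom _mon _dow _user cmd; do
    script=$(cron_script_path "$cmd")
    [ -f "$script" ] || continue
    # Mode bits that let a non-owner modify the script.
    [ -z "$(find "$script" \( -perm -g+w -o -perm -o+w \) -print)" ] || echo "WRITABLE $script"
    # Under a read-write bind mount, root in the container owns the host file too.
    while read -r host_dir rw; do
      [ "$rw" = "true" ] || continue
      case "$script" in
        "$host_dir"/*) echo "BIND_MOUNTED $script ($host_dir)" ;;
      esac
    done < "$2"
  done
}

# Constructed fixture: clean.sh as in the room plus a locked-down script.
demo_audit() {
  d=$(mktemp -d)
  mkdir -p "$d/opt/clean" "$d/usr/local/sbin"
  printf '#!/bin/sh\nrm -rf /tmp/*\n' > "$d/opt/clean/clean.sh"
  chmod 777 "$d/opt/clean/clean.sh"          # writable by anyone
  printf '#!/bin/sh\nlogrotate\n' > "$d/usr/local/sbin/rotate.sh"
  chmod 755 "$d/usr/local/sbin/rotate.sh"    # owner-only write
  printf '*/2 * * * * root /bin/bash %s/opt/clean/clean.sh\n' "$d" > "$d/crontab"
  printf '0 3 * * * root %s/usr/local/sbin/rotate.sh\n' "$d" >> "$d/crontab"
  printf '%s true\n%s false\n' "$d/opt/clean" "$d/usr/local/sbin" > "$d/mounts"
  audit_cron_scripts "$d/crontab" "$d/mounts"
  rm -rf "$d"
}
```

Run demo_audit to see the two findings for clean.sh and none for rotate.sh; on a real host, point audit_cron_scripts at /etc/crontab and a mount list exported from docker inspect.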