Cat Pictures — TryHackMe

I made a forum where you can post cute cat pictures!

0xsanz
5 min read · Jun 5, 2021

This is a write-up for TryHackMe's room named Cat Pictures. We first needed to find the port the web server is running on; navigating the site then gave us a hint to perform port knocking. After that we needed to do a bit of binary reversing, followed by a nice privilege escalation from a Docker environment.

Let’s start with finding out what all services are running:

NMAP

# Identify the list of services running on the target machine
⇒ sudo nmap -sS -Pn -T4 -p- 10.10.90.64

PORT     STATE    SERVICE
21/tcp   filtered ftp
22/tcp   open     ssh
2375/tcp filtered docker
4420/tcp open     nvm-express
8080/tcp open     http-proxy

# Perform further information gathering on the open ports identified above
⇒ sudo nmap -O -A -Pn -T4 -p21,22,2375,4420,8080 10.10.90.64

PORT     STATE    SERVICE      VERSION
21/tcp   filtered ftp
22/tcp   open     ssh          OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 37:43:64:80:d3:5a:74:62:81:b7:80:6b:1a:23:d8:4a (RSA)
|   256 53:c6:82:ef:d2:77:33:ef:c1:3d:9c:15:13:54:0e:b2 (ECDSA)
|_  256 ba:97:c3:23:d4:f2:cc:08:2c:e1:2b:30:06:18:95:41 (ED25519)
2375/tcp filtered docker
4420/tcp open     nvm-express?
|…

0xsanz

Software developer with a keen interest in security, privacy and pen-testing. Certs: Security+, PenTest+, AZ900, AZ204, AZ500