In this article we are going to solve another boot2root challenge from TryHackMe: dogcat. This is an intermediate level machine.
Our first step is to find the open ports and the services running on the target system using nmap:
nmap -sC -sV -Pn 10.10.146.133
So let's start with port 80 :)
Okay, on the webpage we have a choice to select dog or cat. I like dogs, so I selected the "A dog" option, and after that the URL looks like:
Clearly it is an LFI vulnerability, so we started with the basic check using /?view=/etc/passwd but it failed; /?view=../etc/passwd also failed, and /?view=../../etc/passwd didn't go well either :(
After a lot of tries we figured out that the word cat or dog is necessary here, so let's include the word dog and check again for the LFI.
The error suggests that the script appends .php to the end of the file name. Now what? One of my friends told me to check for index.php, so we changed our URL to:
This means the index.php file exists, but we have to use some other LFI payload. After searching on the internet about LFI we found the payload php://filter/convert.base64-encode/resource= and we changed our URL to:
and this time we got some base64 encoded data. Using the base64 -d command we decoded the data and redirected the output to a file.
It looks like code; let's check the whole code.
If we look carefully at the code, it is very clear that it appends .php to the end of the file name, and it also uses a GET parameter "ext". Okay, what if we use:
Yes, now we know how this thing is working :)
Now, to get a shell we can think of a log poisoning attack. For that we intercept the request with Burp Suite and modify the User-Agent with PHP code.
(Log poisoning works on /var/log/apache2/access.log.) So we access the file using the LFI vulnerability and then, using the Repeater in Burp Suite, we analyse the request again and again and try to pop a shell.
First of all we run a basic command:
We got the correct output, www-data, and after that we used a PHP reverse shell in URL-encoded form to get a shell.
After sending the request we got a shell.
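From the defender's side, every step above leaves a trace in the Apache access log. The following Python script is an added example (not part of the original write-up) that scans constructed access-log lines for the indicators this chain produces: traversal in the view parameter, the php://filter wrapper, an empty ext parameter used to drop the .php suffix, and PHP tags in the User-Agent; the client IP and the log lines are made up.

```python
import re
from urllib.parse import parse_qs, unquote, urlparse

# Apache "combined" log format: ip ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)

def inspect_line(line):
    """Return the list of indicator names found in one access-log line (empty if clean)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    findings = []
    parts = m.group("req").split(" ")
    # decode twice so that double URL-encoding does not hide the payload
    target = unquote(unquote(parts[1])) if len(parts) > 1 else ""
    # keep_blank_values so that an empty "ext=" (used to drop the .php suffix) is still seen
    qs = parse_qs(urlparse(target).query, keep_blank_values=True)
    for view in qs.get("view", []):
        if "../" in view or "..\\" in view:
            findings.append("traversal_in_view")
        if view.lower().startswith("php://"):
            findings.append("php_wrapper_in_view")
        if "/var/log/" in view or "/proc/" in view:
            findings.append("sensitive_path_in_view")
    if "ext" in qs:
        findings.append("ext_parameter_override")
    if "<?php" in m.group("ua").lower() or "<?=" in m.group("ua"):
        findings.append("php_tag_in_user_agent")
    return findings

def scan(lines):
    """Map each suspicious line index to its findings."""
    return {i: hits for i, hits in ((i, inspect_line(l)) for i, l in enumerate(lines)) if hits}

# Constructed sample lines (hypothetical client IP, not captured from the target machine)
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /?view=dog HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /?view=php://filter/convert.base64-encode/resource=dog HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /?view=dog/../../../../var/log/apache2/access.log&ext= HTTP/1.1" 200 9000 "-" "<?php echo 1; ?>"',
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_LOG).items():
        print(f"line {idx}: {', '.join(hits)}")
```

Feeding the real access.log through scan() line by line is enough to spot the wrapper read and the poisoned User-Agent long before the reverse shell arrives.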
Now we checked the user privileges and found this.
Using GTFOBins we can get root as:
sudo -u root /usr/bin/env /bin/bash -i
We are root now, but the challenge is not complete yet because we have to read the final flag. I searched in all the directories but couldn't find the final flag.
After some time I searched on the internet for how to check whether we are inside a container or Docker; we executed the commands hostname and cat /proc/1/cgroup to check that.
This means we are inside a container (Docker) and we have to find some other way to get root on the host. After enumerating we found that /opt/backups/backup.sh is run every minute by root on the host, and we can edit this file.
And 2000 years later we got root on the host.
And this completes our challenge :)
NOTE: Let's check what the output is if we run the command cat /proc/1/cgroup on a normal system.
By comparing this output with the output on the target machine I got to know we are inside a container.