THM - Dogcat
I made this website for viewing cat and dog images with PHP. If you’re feeling down, come look at some dogs/cats!
This is a medium rated box, and right up front I’ll say that I had to look up some hints for it. Let’s begin.
The page description says that it’s a website for viewing pictures of cats and dogs, so that’s obviously a good place to start. I did run an nmap scan anyway but it’s not really relevant.
The website begins with a query of the form:
Where the view parameter is either dog or cat. Entering anything else provokes a warning about the query needing to be a dog or cat.
I figured this was an LFI challenge (which it is), but I had some trouble getting it to work.
Null bytes? Nope.
Basic path traversal wasn’t working, and I found that entering a query like
satisfied the dog/cat filter requirement, but only provoked errors about not being able to include the file - so null bytes actually didn’t work.
After some trial and error, googling and failing, I consulted a guide and it turned out that the required query is something like:
which returns a base64 encoded string - useable, but annoying. We can also get the apache2 access log, which I tried to poison. I was able to insert PHP code into the log file using netcat, but didn’t manage to get it to execute.
Actually the first file I looked at was the source code for the webpage - index.php. This showed the code used to add the .php extension and from there I figured out how to bypass it (by putting &ext= in the URL).
I had done a little LFI before, but this was a little more complex than the simpler types I had previously seen.
So now I had my LFI - but I could only read a single file at a time, and only a limited set of them at that (as www-data). I had to go back to the guide again to learn that using Burp Suite we can put the payload
into the User-Agent, and from then on we can execute commands as follows:
So then I had RCE, which was a big step forward. I hadn’t seen this User-Agent technique before either.
Once we’ve got RCE we can then send this command to get a shell:
On the box - or rather, IN the box
On the box we can run linpeas, which shows that:
- we’re in a docker container, and
- we can run env as root without a password
That means we can do:
$ sudo env /bin/sh -p
And become root (in the container.) From there, the first 3 flags are easy to obtain (although I think at this point I had two already? I don’t recall).
The last one
The final flag was on the box, and not in the container. Some enumeration revealed a backup folder in /opt along with a shell script running on a frequent schedule. We could replace the contents of the backup.sh as follows:
And then it was just a matter of waiting a little for the schedule to run.
This box was a little tougher than I thought it would be and I didn’t do it all on my own. I did give it a pretty good go though, and I definitely learned some things.