I made a forum where you can post cute cat pictures!
Easy rated. This is Cat Pictures from THM. Ratings are weird; I did Linux Server Forensics the other day which is Medium rated; I’m not going to bother writing it up because it was so straightforward. Anyway. This one sounds like it might be a file upload vulnerability or something? Turns out it’s not …
Ports
The description sounds like a web challenge; what do we get?
SSH, an unknown service on port 4420, and an HTTP proxy on 8080. Guess that last one is our target, but first let’s check 4420.
4420
I guess we can always bruteforce it if we have to.
8080
The homepage for the website is a bulletin board, and there is a link to one forum topic. If we go there, we get this in the post:
Post cat pictures here!
Post by user » Wed Mar 24, 2021 8:33 pm
POST ALL YOUR CAT PICTURES HERE
Knock knock! Magic numbers: 1111, 2222, 3333, 4444
Well, we should knock then:
It seems we now have FTP.
FTP
The FTP server allows anonymous login only and we cannot PUT. There is a single file we can download, which has a password in it. With that, it’s back to Port 4420.
4420, again
We have a limited shell. Enumerating finds a (binary) file called runme, but it won’t run in the limited shell. I get a reverse shell:
and I can run the binary; it wants a password. However, the password is not the one we already have. I exfil the file with nc:
And a listener:
Once I get the file, strings is all that’s required:
So let’s do that:
SSH
The key is written to /home/catlover/id_rsa and once we have it we can SSH in:
And at this point we are root in a Docker container and we can get Flag 1.
Root, but actually
The root part isn’t a traditional Docker container escape. There is a root script running on a cron job, and it runs on the host.
We can edit it, so I just add a bash reverse shell line and wait a minute:
This was pretty pure CTF but I still enjoyed it. THM haven’t had much interesting content lately so this was okay. I’ve been working on their Autopsy room which is also kind of interesting so I’ll have something to say about that soon.
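The final step works because a script that root's cron runs on the host can be edited from inside the container. As an added example (not part of the original write-up), this host-side audit flags root cron entries whose paths sit under a read-write Docker bind mount; the bind mount is an assumption about how the script is shared, and the crontab, container name and paths are constructed sample data.

```python
import json
import shlex
from pathlib import PurePosixPath

# Constructed sample data (not from the room): crontab and trimmed `docker inspect`.
SAMPLE_CRONTAB = """\
# m h dom mon dow user command
*/2 * * * * root /opt/maint/cleanup.sh
17 * * * * root cd / && run-parts --report /etc/cron.hourly
0 3 * * * backup /usr/local/bin/backup.sh
"""
SAMPLE_INSPECT = json.dumps([{"Name": "/forum", "Mounts": [
    {"Type": "bind", "Source": "/opt/maint", "Destination": "/opt/maint", "RW": True},
    {"Type": "bind", "Source": "/etc/localtime", "Destination": "/etc/localtime", "RW": False},
]}])

def root_cron_paths(crontab_text):
    """Yield absolute paths named in commands that /etc/crontab runs as root."""
    for line in crontab_text.splitlines():
        fields = line.split(None, 6)  # 5 time fields, user, command
        if line.lstrip().startswith("#") or len(fields) < 7 or fields[5] != "root":
            continue
        for token in shlex.split(fields[6]):
            if token.startswith("/") and token != "/":
                yield PurePosixPath(token)

def writable_bind_mounts(inspect_json):
    """Yield (container, host_source) for every read-write bind mount."""
    for container in json.loads(inspect_json):
        for mount in container.get("Mounts", []):
            if mount.get("Type") == "bind" and mount.get("RW"):
                yield container["Name"].lstrip("/"), PurePosixPath(mount["Source"])

def find_exposed_jobs(crontab_text, inspect_json):
    """Return (path, container) pairs where a root cron path is container-writable."""
    mounts = list(writable_bind_mounts(inspect_json))
    findings = []
    for path in root_cron_paths(crontab_text):
        for name, source in mounts:
            if path == source or source in path.parents:
                findings.append((str(path), name))
    return findings

if __name__ == "__main__":
    for path, name in find_exposed_jobs(SAMPLE_CRONTAB, SAMPLE_INSPECT):
        print(f"root cron job uses {path}, writable from container {name}")
```

On a real host, feed it the contents of `/etc/crontab` and the output of `docker inspect` for the running containers; any finding means the job's script should move out of the shared directory or the mount should become read-only.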