Cat Pictures - Writeup (TryHackMe)
Well, I am not a big fan of cats, but I am sure a big fan of CTF cats. This challenge is an easy one which I think is meant for beginners/advanced. This room was made by GamerCat.
OK, let's deploy our machine and get ready to start. After getting the IP of the target machine, the first thing I did was enter it in the URL bar, but nothing came up. At this point, I ran nmap on the target machine, and here are the results.
OK, port 21 is filtered, port 22 is open, and there is a port 8080 which runs Apache/2.4.46 (Unix) OpenSSL/1.1.1d PHP/7.3.27. After heading to it, the next page appears.
A forum powered by phpBB. After exploring it, from the page source through all of it, nothing seemed to come up, but then I noticed there is only one post, and after I went into it and examined it, I managed to understand the hint.
Using the "knock" command with the magic numbers ends with port 21 open. In short, port knocking is for when you want people to have access to services on your computer but don't really want to open your firewall to the internet. It lets you close the ports on your firewall that allow incoming connections and have them open automatically when a prearranged pattern of connection attempts is made.
So, as we can see, port 21 is now open and even allows anonymous login. After I managed to log into it, a file was waiting for me over there.
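As an added illustration (not code from the original writeup or from the room), here is the server-side logic a knock daemon applies to decide when to open the protected port: a per-source state machine that must see the exact port sequence, in order, within a time window, and resets on any wrong port. The knock sequence, the log format and the addresses are constructed placeholders; the room's real magic numbers are not on this page.

```python
from datetime import datetime, timedelta

# Constructed placeholder sequence; the room's real "magic numbers" are not on this page.
KNOCK_SEQUENCE = (1111, 2222, 3333)
KNOCK_WINDOW = timedelta(seconds=10)  # the whole sequence must arrive within this window

def parse_event(line):
    # Constructed firewall log format: "<ISO time> SRC=<ip> DPT=<port>"
    ts, src, dpt = line.split()
    return datetime.fromisoformat(ts), src.split("=")[1], int(dpt.split("=")[1])

def process_knocks(lines):
    """Return, per source IP, the times at which it completed the full sequence."""
    states, opened = {}, {}   # states: src -> (knocks matched so far, time of first knock)
    for line in lines:
        ts, src, port = parse_event(line)
        index, started = states.get(src, (0, None))
        if started is not None and ts - started > KNOCK_WINDOW:
            index, started = 0, None  # stale partial sequence is discarded
        if port == KNOCK_SEQUENCE[index]:
            if index == 0:
                started = ts
            index += 1
            if index == len(KNOCK_SEQUENCE):
                # Complete: this is where a knock daemon would open the protected port (21) for src.
                opened.setdefault(src, []).append(ts)
                index, started = 0, None
        elif port == KNOCK_SEQUENCE[0]:
            index, started = 1, ts    # wrong port, but it starts a fresh attempt
        else:
            index, started = 0, None  # any other port resets the attempt
        states[src] = (index, started)
    return opened

# Constructed sample: .5 knocks correctly, .6 hits a wrong port mid-sequence,
# .7 knocks correctly but lets the window expire before the last knock.
SAMPLE_LOG = [
    "2021-05-01T12:00:00 SRC=10.0.0.5 DPT=1111",
    "2021-05-01T12:00:01 SRC=10.0.0.6 DPT=1111",
    "2021-05-01T12:00:02 SRC=10.0.0.5 DPT=2222",
    "2021-05-01T12:00:03 SRC=10.0.0.6 DPT=9999",
    "2021-05-01T12:00:04 SRC=10.0.0.6 DPT=2222",
    "2021-05-01T12:00:05 SRC=10.0.0.5 DPT=3333",
    "2021-05-01T12:00:06 SRC=10.0.0.6 DPT=3333",
    "2021-05-01T12:00:10 SRC=10.0.0.7 DPT=1111",
    "2021-05-01T12:00:12 SRC=10.0.0.7 DPT=2222",
    "2021-05-01T12:00:30 SRC=10.0.0.7 DPT=3333",
]
```

Running `process_knocks(SAMPLE_LOG)` reports only 10.0.0.5, which is the same gate the room's firewall applied before port 21 changed from filtered to open.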
"In case I forget my password, I'm leaving a pointer to the internal shell service on the server. Connect to port 4420, the password is *********** - catlover"
Well, we have a password! And it says to connect to port 4420 using this password. Let's use nc on this specific port with this password and see if we manage to get in.
Yes! I'm in. Now look what it says: "please note: cd commands do not work at the moment, the developers are fixing it at the moment." The cd won't work for me, so I used the ls -la command and started to navigate with it.
Looks like some exe file. Running it is impossible in this shell, and the "strings" command doesn't exist. Even using nc to download it to my local machine did not help.
nc -l -p 4420 > runm
THIS EXECUTABLE DOES NOT WORK UNDER THE INTERNAL SHELL, YOU NEED A REGULAR SHELL.
nc -l -p 4420 > /home/catlover/runme
THIS EXECUTABLE DOES NOT WORK UNDER THE INTERNAL SHELL, YOU NEED A REGULAR SHELL.
Went to pentestmonkey and copied the reverse shell onto the target machine, opened a listener on my local machine, and that gave me a normal shell on the victim machine. Tried strings on the "runme" file, but still not working. Ran "cat" on it, and among all the strange symbols on the screen, I came across this line
Seems like ****** is the password? I ran ./runme, entered the password, and it gave me the SSH private key of some username (catlover maybe?). I copied the private key content to my local machine and managed to log in to the target machine using SSH with the private key.
Unfortunately, we are in a container. Yes, the first flag has been revealed. Now, after playing around a little bit, I found in the /opt directory another directory called "clean", and inside it there is a bash script called "clean.sh" with the command rm -rf /tmp/*. It seems this script runs as a cron job and cleans the /tmp directory. To test this, I opened a listener on my local machine and put the reverse shell inside "clean.sh", and voilà! I managed to get root on the host!
NOTE: there are tools like LinPEAS and LinEnum which can tell you about local Linux enumeration & privilege escalation, find misconfigurations and more. I just got lucky not using them in this challenge.
So basically, this room is aimed at Beginners+, and it was an enjoyable room. Hope you managed to finish the challenge, and if not, you will, I am sure.