diff --git a/TryHackMe/The_Great_Escape.md b/TryHackMe/The_Great_Escape.md new file mode 100644 index 0000000..125720a --- /dev/null +++ b/TryHackMe/The_Great_Escape.md @@ -0,0 +1,215 @@ +# TryHackMe-The Great Escape + +## NMAP + +``` +nmap -sC -sV 10.10.108.159 + +Starting Nmap 7.80 ( https://nmap.org ) at 2021-02-15 16:17 PKT +Stats: 0:02:08 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan +Service scan Timing: About 50.00% done; ETC: 16:21 (0:02:05 remaining) +Stats: 0:02:13 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan +Service scan Timing: About 50.00% done; ETC: 16:22 (0:02:10 remaining) +Nmap scan report for 10.10.108.159 +Host is up (0.16s latency). +Not shown: 998 closed ports +PORT STATE SERVICE VERSION +22/tcp open ssh? +| fingerprint-strings: +| GenericLines: +|_ uT9UNaD!^xFWU'tGL'-@"d2gE"Xd +|_ssh-hostkey: ERROR: Script execution failed (use -d to debug) +80/tcp open http nginx 1.19.6 +| http-robots.txt: 3 disallowed entries +|_/api/ /exif-util /*.bak.txt$ +|_http-server-header: nginx/1.19.6 +|_http-title: docker-escape-nuxt +1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service : +SF-Port22-TCP:V=7.80%I=7%D=2/15%Time=602A5867%P=x86_64-pc-linux-gnu%r(Gene +SF:ricLines,1F,"uT9UNaD!\^xFWU'tGL\\'-@\"d2gE\"Xd\r\n"); + +Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . +Nmap done: 1 IP address (1 host up) scanned in 195.11 seconds + +``` + +## PORT 80 (HTTP) + + +From the nmap scan we see 3 disallowed entries + + + +The first entry which is `/api/` gives 503 which we get when a server is currently unable to handle the request due to a temporary overloading or maintenance of the server. + + + +The second entry invloves uploading a image file + + + +And for the third I didn't know how to access `/\*.bak.txt$` + + + +## Dirsearch + +For fuzzing I used dirsearch but I was getting a lot of 503 status codes + + + +But I did saw `/api/` which was having 301 status code with a length of `169` bytes + + + +I also ran `nikto` and it found some cert and archive files but they were also giving 503 errors + + + +So there is some WAF (Web Application Firewall) that is implemented that we need to bypass so here automated tools may not work . + +For the web flag I looked at the hint which said about a "well-known file", I though about robots.txt , the javascript file but it was a dead end so started to guess it and eventually got there + + + +It says to make a request with a HEAD + + + +Going back to `robots.txt` I tried to combine two disallowed entries and got to somewhere + + + + + +If we focus on this part + + + +We can see that it's pointing at `/exif` and has a parameter `url` + + + + + +We can do LFI now , since it's a docker container you can tell as there aren't any usernames so we'll directly go `/root/` directory + + + +Reading the `dev-note.txt` + + + +So we got the password but not sure if it's for hydra. Visiting the `/root/.git/` folder + + + + +I used this command to search for files + +``` +http://10.10.176.126/api/exif?url=http://api-dev-backup:8080/exif?url=;cd%20/root/.git/;pwd;ls%20-la%20objects +``` + + + +And found objects which could be recovered using `git show ` + +``` +a3d30a7d0510dc6565ff9316e3fb84434916dee8 +3f5e51190a2c8e2a4ea226e7c004ff656148a168 +4530ff7f56b215fa9fe76c4d7cc1319960c4e539 +4b825dc642cb6eb9a060e54bf8d69288fbee4904 +5242825dfd6b96819f65d17a1c31a99fea4ffb6a +89dcd015496baca7521df9a07de050c37cb3d4ba +aae81292b0aeb73d28ce77dd3078470897151cd8 +efadf5b5aa6d0b3bd434c0437be8559edef2a52e +fc326ab9338571dfeb64c00f4b9d85c09d557828 +``` +These were the objects I gathered by going back and forth + + + +We get a flag but it was invalid also got some ports to knock .So I did a simple port knock through a tool we can install + +https://www.howtogeek.com/442733/how-to-use-port-knocking-on-linux-and-why-you-shouldnt/ + +But this method failed so I looked for scripts on github and found one and modified a little to add some more arguments for ports + + +``` +#!/usr/bin/python + +import sys +from socket import * +from itertools import permutations + +if len(sys.argv) < 5: + print "---------------------------------------------" + print " Port Knocker " + print "Usage: python knock.py " + print "Ex: python knock.py 192.168.209.130 1 2 3 " + print "---------------------------------------------" + sys.exit(0) + +host = sys.argv[1] +ports = permutations([int(sys.argv[2]), int(sys.argv[3]), int(sys.argv[4]),int(sys.argv[5]),int(sys.argv[6])]) + +def Knockports(ports): + for port in ports: + try: + s = socket(AF_INET, SOCK_STREAM) + s.settimeout(0.1) + s.connect_ex((host, port)) + s.close() + print "Knocked on port " + str(port) + except Exception, e: + print "Error: " + str(e) + +for combination in list(ports): + print "Testing permutation: " + str(combination) + Knockports(combination) +``` + +Then ran the python2 script + + + +Doing a nmap scan we can see that docker port is open now + + + +After that I visited the hacktricks tried to run some commands but wasn't able to do anything and kept failing. But this blog saved me from quiting on this room + +https://www.hackingarticles.in/docker-for-pentester-abusing-docker-api/ + + + +First I tried to view the images then tried connecting to them but since they were not running I used `ps -a` to see which images were running and saw conatiner ID `49fe455a9681` was running so I was able to connect with it + +But this container didn't had any intersting stuff so connected to another one which was running on port 8080 of that image + + + +Then switched to another container + + + + + +Gathering the objects from before I used git cat-file -p + + + + + +This was the second flag + +Now I tried to look for docker breakouts, exploits,capabilites but nothing seemed to work and I was getting the feeling that this is a huge rabbit hole. So going back to seeing docker images I saw alpine at the bottom and gave a shot to mount it + + + + + +This is box was a lot difficult because there was a prize for this box the one's who completed it within 3 days will be added to the raffle and I completed this box after 2 days so hopefully I'll win a prize with that we can all the flag. +