CatPictures (Port Knocking and Docker Escape)

Hello everyone! Long time no see, but I am back with another walkthrough for Cat Pictures CTF on TryHackMe. At this point, I must confess that, as a cat person, I was super intrigued by the CTF (you know hoping for some cute cat pictures while trying to get my way through the machine, although at the end I didn’t get any xD) So, without any further ado, let’s jump into it, shall we?

Proposed soundtrack: https://www.youtube.com/watch?v=Z9GbGO7CKdQ Cat Pictures. Enumeration

As always, we will trigger a basic Nmap enumeration in order to check out with what we are dealing with.

nmap -sC -sV 10.10.24.249

Starting Nmap 7.60 ( https://nmap.org ) at 2021–06–27 12:37 BST
Nmap scan report for ip-10–10–24–249.eu-west-1.compute.internal (10.10.24.249)
Host is up (0.0011s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
21/tcp filtered ftp
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 37:43:64:80:d3:5a:74:62:81:b7:80:6b:1a:23:d8:4a (RSA)
| 256 53:c6:82:ef:d2:77:33:ef:c1:3d:9c:15:13:54:0e:b2 (ECDSA)
|_ 256 ba:97:c3:23:d4:f2:cc:08:2c:e1:2b:30:06:18:95:41 (EdDSA)
8080/tcp open http Apache httpd 2.4.46 ((Unix) OpenSSL/1.1.1d PHP/7.3.27)
| http-open-proxy: Potentially OPEN proxy.
|_Methods supported:CONNECTION
|_http-server-header: Apache/2.4.46 (Unix) OpenSSL/1.1.1d PHP/7.3.27
|_http-title: Cat Pictures — Index page
MAC Address: 02:66:F4:39:B0:41 (Unknown)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Well, I guess not much going on. Unfortunately, FTP port 21 is filtered and do not expect any findings there (spoiler alert: at least for the time being), so let’s quickly move on to port 8080.

The site on the port 8080 seems to be some kind of forum for hosting cat pictures and it is built with phpBB framework. Cat Pictures Main Page.

Let’s get gobuster do some work for us while we are checking if we can find any exploits for this framework.

Unfortunately, while enumerating the site /docs/CHANGELOG.html revealed that phpBB version was 3.3.x, which was not suspected for any vulnerabilities. I kept checking the rest of the directories and /feed revealed something very interesting that gave me an ‘AHA’ moment.

As soon as we access it, a XML file is downloaded that gives us a clue: “Knock knock! Magic numbers: 1111, 2222, 3333, 4444”. Knock knock, who is?

The XML is a straight reference to a technique named port knocking (an interesting article in regards to it, can be found here: https://www.howtogeek.com/442733/how-to-use-port-knocking-on-linux-and-why-you-shouldnt/)

There are many ways that you can perform the port knocking. In my case, I choose a tool named knockd.

Now, that we have knocked all the right doors… I mean ports, it is a good idea to perform a new port scan. This time, I will get a little help from Masscan to perform a quick scan to all the machine’s port and after that perform a more focused scan with Nmap, in order to get further details for the discovered ports.

The reason why I have chose to work with Masscan first, is the fact that Nmap can take hours for scanning all the ports (after all we are talking for 65535 ports) and we do not have all the time in the world for this. Masscan has revealed that ports 21, 22, 4420 and 8080 are now open. So, after the port knocking it seems that we have “unlocked” FTP port 21 (remember? it used to be filtered at the very beginning) and we now have a new port, 4420, which I wonder what it might be holding for us. Let’s go for a third scan, with Nmap.

BINGO!! I will skip the Nmap output this time as it is quite lengthy, however the key points from the scan is the fact that we can access FTP through anonymous login and that port 4420 is running a nvm-express. First things first, let’s check the FTP.

On the FTP server, find a note.txt file which gives away the password for connecting to the nvm-express port. Something seems fishy, isn’t it? Escalation

We can connect now to the 4420 port using the following NetCat command. As soon as we will try to connect, we will be asked to provide the password and after that it seems that we are getting some kind of shell. Connect to port 4420.

After enumerating the machine a little bit, we can try to get a reverse shell, in order to have a more stable shell. Continuing with the enumeration, on the reverse shell this time, we come across a binary on /home/catlover directory, however we are unable to execute it without the correct password. Unfortunately, the machine does not have strings installed in order to check if we can find something interesting that would help us running it, therefore we should download it locally to continue with the investigation. NetCat will help us with this task once more. Runme…locally!

I ran strings on the file and redirected its output on a file, in order to be able to check it more easily. Along with too many gibberish, we can find a rather revealing part that might give us a hint for the password. Look what we’ve got here!

Upon running the binary on the victim machine, after a couple of seconds reveals a private SSH key, that we could use it to get further privilege escalation on the system. We should copy the id_rsa to our local machine, change permissions to 600 and use catlover user to ssh to the victim. Fake root!

Wow! It seems that we are root now! Welp, not quite yet! Not quite sure just yet (as neither Nmap or Masscan revealed something related), but the hostname indicates that we have landed on a container. At this moment, in order to get sure, I will run a final Nmap scan to the standard Docker port 2375. I guess I was not disappointed! Docker Nmap Scan.

So, now we will have to find a way to escape the container and get full and real control over our victim. After searching for some time, we came across /opt/clean/clean.sh that can be ran by root. We can take advantage of it, by adding the following command for spawning a new reverse shell. Finally… root!

Et voila!!We are finally root (for real this time)!