Hello everyone, Today's CTF is very special made by Jammy a user in Tryhackme. Trust me even if this box is rated medium difficulty, You'll need to think a lot and be very patient. I guarantee you if you try hard in this challenge you'll learn a lot about LFI (local-file-inclusion), log poising, and containers escaping.
visiting the frontend we can see those pictures from the folders being called randomly every time you click cat or dog.
we can see that ?view= is taking care of calling the php files to execute the function that will show us at the end the doggies or kitties, what if we like dogs and cats. Nope!, doesn't like it and we get nothing. well technically not nothing, we get an error that tells us that it fails d to open the file because it doesn't exist. anything we add to view it adds to it .php at the end and if it does exist in the folder /var/www/html/ it will call it if not, it will show the error again.
the next thing we can do some log poisoning, If you are not familiar with log poisoning, I suggest visiting this link and read the article before moving forward.
root@kali:~# nc -lvnp 7263
listening on [any] 7263 ...
connect to [10.10.179.59] from (UNKNOWN) [10.10.67.111] 53868
bash: cannot set terminal process group (4298): Inappropriate ioctl for device
bash: no job control in this shell
uid=0(root) gid=0(root) groups=0(root)
And we are root user at the host dogcat. Honestly, I learned a lot from this challenge I hope you found this write-up useful, feel free to leave a comment.