The Cod Caper TryHackMe Walkthrough

In this article we are going to solve another boot2root challenge, The Cod Caper from TryHackMe. The machine can be deployed by visiting the URL https://tryhackme.com/room/thecodcaper


Walkthrough

IP address : 10.10.47.170

First step is to scan the target using nmap to find open ports and services.

command used : nmap -sC -sV -Pn 10.10.47.170

Okay, we have two open ports, 80 and 22, so we start by enumerating port 80. It serves the Apache2 Ubuntu default page, and the source code doesn't reveal any useful information. So we decided to run a directory brute-force attack, and for that I used the wfuzz tool because I like its clean interface (you can use any tool you want).


command used : wfuzz -c -z file,/usr/share/wordlists/dirb/big.txt --hc 404 http://10.10.47.170/FUZZ.php

Umm, we have got something interesting: opening the discovered page in the browser, we find a login form.

Here we tried SQL injection using the tool sqlmap.


command used : sqlmap --url http://10.10.47.170/administrator.php --dbs --forms

With the help of this we can easily find the names of the databases, and then we have to select one of them to find the tables present in it.

The users database looks interesting, so now we will try to find the names of the tables inside the users DB using the command


sqlmap --url http://10.10.47.170/administrator.php --forms -D users --tables

Now we have everything we need; in the next command we just have to specify the database and table name, and with it we can extract all the data in the users table.


sqlmap --url http://10.10.47.170/administrator.php --forms -D users -T users --dump-all

Okay, we have the password of user pingudad, so let's use these credentials to log in to the admin panel.

Okay, we can run commands here; it is clearly an OS command injection vulnerability. We executed the command id and got the expected result, www-data. Next we used a simple Python reverse shell one-liner, and after executing that command we got a reverse shell.

As we can see, there are two users, and we need to find the password of user pingu. We can search for it manually, or we can use the find utility as follows


find / -user "www-data" -name "*" 2>/dev/null

After executing this command we found that the password is located in /var/hidden/pass.

Now, using these credentials, we are in as user pingu.

Now we decided to check the user's privileges and found nothing, so let's check for SUID binaries using the command

The binary /opt/secret/root looks interesting, so we used gdb to analyze it more carefully and found that it is vulnerable to a buffer overflow attack.

Using the command r < <(cyclic 50) inside gdb, we are able to overwrite the EIP register.

After that we need to find the exact byte offset at which the program crashed, i.e. which bytes of our input ended up in EIP.


We are almost done; now we have to find the memory address of the shell function so that we can jump to that address and execute the command we want.


readelf -s /opt/secret/root | grep shell

Okay, now we just have to build our payload (writing the shell function's address in little-endian format) and send it to the binary; after that we got the hashes of two users, root and papa.

We tried to crack these hashes using john and got the passwords for both users.

We are root now, and this completes the challenge :)


NOTE: the use of the cyclic command is described on the TryHackMe website; you can read about it there.
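The note above defers to TryHackMe for how cyclic works. As an added illustration (not code from the original walkthrough or from the room), here is a small Python reimplementation of the cyclic pattern and of the offset lookup, including the little-endian step: the pattern is a de Bruijn sequence over a-z with 4-byte windows, so the four bytes that land in EIP identify exactly one offset in the input. The crash value 0x6161616c used in it is constructed for the example, not the one from this box.

```python
import itertools
import string
import struct

# Added illustration, not code from the walkthrough: how a cyclic (de Bruijn)
# pattern pins down the offset of the EIP overwrite. Every 4-byte window of
# the pattern is unique, so the 4 bytes found in EIP identify one offset.
ALPHABET = string.ascii_lowercase  # same alphabet pwntools' cyclic uses
N = 4                              # window size = 32-bit register width


def de_bruijn(alphabet=ALPHABET, n=N):
    """Yield B(k, n): every length-n string over alphabet appears once."""
    k = len(alphabet)
    a = [0] * (k * n)

    def db(t, p):
        if t > n:
            if n % p == 0:
                for j in range(1, p + 1):
                    yield alphabet[a[j]]
        else:
            a[t] = a[t - p]
            yield from db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                yield from db(t + 1, t)

    yield from db(1, 1)


def cyclic(length):
    """First `length` bytes of the pattern, i.e. what `cyclic 50` prints."""
    return "".join(itertools.islice(de_bruijn(), length)).encode()


def cyclic_find(window, max_len=4096):
    """Offset of the 4-byte `window` in the pattern, or -1 if not present."""
    return cyclic(max_len).find(window)


def offset_from_eip(eip_value):
    """gdb shows EIP as a little-endian int; pack it back into the raw bytes
    that overwrote the return address and look them up in the pattern."""
    return cyclic_find(struct.pack("<I", eip_value))


if __name__ == "__main__":
    # Constructed crash value (not the room's): EIP=0x6161616c <=> b"laaa" -> 44
    print(offset_from_eip(0x6161616C))
```

The same little-endian packing (struct.pack("<I", addr)) is what turns the shell function's address from readelf into the four bytes placed at that offset in the payload.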
