This is my write-up for TryHackMe’s Smag Grotto Room.
Using nmap, I saw that this box is running SSH and HTTP.
I then checked the webpage using my browser.
Running gobuster, I found an interesting folder.
Checking the /mail directory, I found what looks to be an email thread.
Downloading the pcap, I found a set of credentials in the traffic.
I then checked if I could use the credentials with SSH:
I then checked the /login.php URI:
Checking the pcap again, I see that the Host field for the HTTP request is actually development.smag.thm. Modifying my /etc/hosts file and trying again with my browser, I get:
Trying the credentials from the pcap, I get what looks like a command page.
I then tried whoami, id, pwd, and other commands that would output something to the webpage. However, nothing came back, perhaps because the PHP was not written to return any output.
Finally I tried pinging my IP address:
ping -c 3 <IP>
Using tcpdump, I found that my machine was getting pinged. Given that, I then tried to make a reverse shell as follows:
Checking my netcat listener, I get a shell.
Checking /etc/crontab, I found that root writes an ssh public key to jake’s authorized_keys file:
Checking the public key file’s properties, I found it is world-writable:
I then decided to generate my own SSH key pair:
I then overwrote jake’s public key with my newly generated public key:
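The misconfiguration behind this step is a root cron job that reads a file ordinary users can modify. The following shell script is an added example, not part of the write-up or the room, that audits a crontab-style file for exactly that: every absolute path it names that is world-writable gets reported. The paths, key contents and crontab lines in the demo are constructed, not the box's own.

```shell
#!/bin/sh
# Added example (not from the write-up): flag cron jobs whose input files are
# world-writable. A root job that copies such a file into a user's
# authorized_keys lets any local user install a key of their choosing.

# Print every absolute path named in a crontab-style file that has the
# other-write bit set. Argument: the crontab file to inspect.
audit_cron_world_writable() {
    crontab_file="$1"
    # Drop comment lines, split the rest on whitespace and shell operators,
    # keep tokens that look like absolute paths, then check each one.
    grep -v '^[[:space:]]*#' "$crontab_file" |
        awk -F '[[:space:];&|<>]+' '{ for (i = 1; i <= NF; i++) if ($i ~ /^\//) print $i }' |
        sort -u |
        while read -r path; do
            [ -f "$path" ] || continue
            # In "ls -ld" output the 9th character is the other-write bit.
            case "$(ls -ld "$path")" in
                ????????w*) echo "$path" ;;
            esac
        done
}

# Constructed scenario in a temporary directory: one key backup is
# world-writable (the mistake found on the box), the other is not.
run_demo() {
    demo=$(mktemp -d)
    printf 'ssh-ed25519 AAAA-constructed-key jake\n' > "$demo/key_world_writable.pub"
    chmod 666 "$demo/key_world_writable.pub"
    printf 'ssh-ed25519 AAAA-constructed-key jake\n' > "$demo/key_safe.pub"
    chmod 644 "$demo/key_safe.pub"
    cat > "$demo/crontab" <<EOF
# constructed crontab modelled on a root job that publishes jake's key
* * * * * root /bin/cat $demo/key_world_writable.pub > $demo/authorized_keys
* * * * * root /bin/cat $demo/key_safe.pub > $demo/authorized_keys
EOF
    audit_cron_world_writable "$demo/crontab"
    rm -rf "$demo"
}

run_demo
```

Running it prints only the world-writable backup path. The same function can be pointed at /etc/crontab or the files under /etc/cron.d on a real host; the fix for a hit is to tighten the source file's mode (and owner) so that only root can change what ends up in authorized_keys.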
Using the private key, I was able to login to the target via SSH.
Checking for sudo privileges, I found that the user is able to run apt-get under sudo without a password.
Checking GTFOBins, I found that apt-get can be used to escalate privileges.
Following the instructions in GTFOBins, I was able to gain root access.
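The last step works because of a sudoers rule that hands a package manager to a user with NOPASSWD. As an added example (not part of the write-up), the script below reports every such rule in a sudoers-style file and contrasts a constructed weak configuration with a corrected one; the rule text, the username and the wrapper path /usr/local/sbin/apply-updates are assumptions, not values from the room.

```shell
#!/bin/sh
# Added example (not from the write-up): list sudoers rules that grant a
# command without a password. Each reported line is "user command".

# Argument: path to a sudoers-style file. Comment lines are ignored.
audit_sudoers_nopasswd() {
    grep -v '^[[:space:]]*#' "$1" |
        grep 'NOPASSWD:' |
        awk '{ user = $1; sub(/.*NOPASSWD:[[:space:]]*/, ""); print user, $0 }'
}

# Constructed sudoers fragments: the weak form mirrors what the box had
# (a passwordless grant of an interactive package manager); the corrected
# form drops NOPASSWD and replaces apt-get with a fixed-argument wrapper
# script (hypothetical path) that accepts no user-supplied options.
run_demo() {
    demo=$(mktemp -d)
    cat > "$demo/sudoers.weak" <<'EOF'
# constructed: weak rule
root    ALL=(ALL:ALL) ALL
jake    ALL=(root) NOPASSWD: /usr/bin/apt-get
EOF
    cat > "$demo/sudoers.fixed" <<'EOF'
# constructed: corrected rule, password required, no interactive binary
root    ALL=(ALL:ALL) ALL
jake    ALL=(root) /usr/local/sbin/apply-updates ""
EOF
    echo "weak:";  audit_sudoers_nopasswd "$demo/sudoers.weak"
    echo "fixed:"; audit_sudoers_nopasswd "$demo/sudoers.fixed"
    rm -rf "$demo"
}

run_demo
```

On a live host, run the audit against /etc/sudoers and every file in /etc/sudoers.d (as root, since those files are not world-readable). Any hit on a binary listed in GTFOBins is a direct path to root and should be removed or wrapped, as the corrected fragment shows.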