TryHackMe write-up: Smag Grotto

Introduction

This is my write-up for TryHackMe’s Smag Grotto Room.

Enumeration

Using nmap, I saw that this box is running SSH and HTTP.

I then checked the webpage using my browser.

Running gobuster, I found an interesting folder.

Checking the /mail directory, I found what looks to be an email thread.

Downloading the pcap, I found a set of credentials in the traffic.

I then checked whether I could use the credentials with SSH:

I then checked the /login.php URI:

Exploitation

Checking the pcap again, I see that the Host header of the HTTP request is actually development.smag.thm. Modifying my /etc/hosts file and trying again with my browser, I get:

Trying the credentials from the pcap, I get what looks like a command page.
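Two things from the capture matter to a defender: the login was submitted over plain HTTP, so the credentials were readable to anyone on the path, and the Host header exposed an internal virtual host name. The following is an added example (my own, not code from the write-up or the room): a Python check that reassembled HTTP requests can be run through to flag credential submissions over non-TLS connections, reporting only where the form went and which fields it carried, never the values. The sample request is constructed; the username and password in it are placeholders.

```python
from urllib.parse import parse_qsl

# Field names that indicate a credential is being submitted (illustrative set).
CREDENTIAL_FIELDS = {"password", "passwd", "pass", "pwd", "secret", "token"}


def parse_http_request(raw):
    """Split one reassembled HTTP/1.x request into (method, path, headers, body).
    Header names are lower-cased; this helper ignores chunked encoding."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, path, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, path, headers, body


def find_cleartext_credentials(raw, tls=False):
    """Return a redacted report if the request submits credential fields in a
    form body over a non-TLS connection, else None. Values are never returned,
    only which fields were present and where they were sent."""
    if tls:
        return None
    method, path, headers, body = parse_http_request(raw)
    if method != "POST":
        return None
    content_type = headers.get("content-type", "")
    if not content_type.startswith("application/x-www-form-urlencoded"):
        return None
    fields = [name for name, _ in parse_qsl(body, keep_blank_values=True)]
    hits = [f for f in fields if f.lower() in CREDENTIAL_FIELDS]
    if not hits:
        return None
    return {
        "host": headers.get("host", "?"),   # the vhost the browser asked for
        "path": path,
        "credential_fields": hits,
        "form_fields": fields,
    }


def build_sample_request():
    """Constructed request resembling the login POST seen in the capture. The
    username and password here are placeholders, not the box's real values."""
    body = "username=demo&password=placeholder-not-real"
    return (
        "POST /login.php HTTP/1.1\r\n"
        "Host: development.smag.thm\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n"
        f"Content-Length: {len(body)}\r\n"
        "\r\n" + body
    )


if __name__ == "__main__":
    report = find_cleartext_credentials(build_sample_request())
    if report:
        print(f"cleartext credentials {report['credential_fields']} sent to "
              f"http://{report['host']}{report['path']}")
```

In a real deployment the same function would be fed requests reassembled by a sensor or a proxy, with `tls` set from the connection it was seen on; the fix on the server side is to serve the login page only over HTTPS and redirect plain HTTP.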

I then tried whoami, id, pwd, and other commands that would output anything to the webpage. However, this did not work. Maybe the PHP page was not designed to output anything?

Finally I tried pinging my IP address:

ping -c 3 <IP>

Using tcpdump, I confirmed that my machine was being pinged. Given that, I then tried to start a reverse shell as follows:

Checking my netcat listener, I get a shell.

Checking /etc/crontab, I found that root writes an SSH public key to jake's authorized_keys file:

Checking the public key file's properties, I found it is world-writable:

I then decided to generate my own SSH key pair:

I then overwrote jake's public key with my newly generated public key:

Using the private key, I was able to log in to the target via SSH.
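The root cron job reading a world-writable file is the defender's takeaway from this section: whoever can write the source file decides what root installs as an authorized key. The following is an added example (my own, not from the write-up or the room): a small Python audit that parses /etc/crontab-style lines, pulls out the absolute paths each job refers to and flags any that other users can write. The crontab text and the temporary files it creates are constructed for the demo; the real entry on the box is not reproduced, and PATH_RE is a hypothetical helper that does not understand shell quoting or variables.

```python
import os
import re
import stat
import tempfile

# Matches absolute paths inside a cron command line (hypothetical helper for
# this example; it does not understand quoting or shell variables).
PATH_RE = re.compile(r"(?<![\w-])(/[\w./-]+)")


def parse_system_crontab(text):
    """Yield (user, command) for each job line of an /etc/crontab-style file.
    System crontab lines carry five schedule fields and a user before the command."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 6)
        if len(parts) < 7:
            continue
        yield parts[5], parts[6]


def world_writable(path):
    """True if path exists and the 'other' write bit is set."""
    try:
        mode = os.stat(path).st_mode
    except OSError:
        return False
    return bool(mode & stat.S_IWOTH)


def find_risky_inputs(crontab_text):
    """Return [(user, command, path)] for every absolute path a cron job refers
    to that any local user can modify. When the job runs as root and reads
    such a file (the public key copied into authorized_keys in the write-up),
    whoever controls the file controls what root installs."""
    findings = []
    for user, cmd in parse_system_crontab(crontab_text):
        for path in PATH_RE.findall(cmd):
            if world_writable(path):
                findings.append((user, cmd, path))
    return findings


def build_demo():
    """Constructed scenario mirroring the write-up: a root job copies a key file
    into an authorized_keys file, and the source file has been left mode 0666."""
    d = tempfile.mkdtemp(prefix="cron-audit-")
    src = os.path.join(d, "jake_pubkey")
    dst = os.path.join(d, "jake_authorized_keys")
    with open(src, "w") as f:
        f.write("ssh-ed25519 AAAA... placeholder-public-key jake@example\n")
    open(dst, "w").close()
    os.chmod(src, 0o666)  # the misconfiguration: anyone can rewrite the key
    os.chmod(dst, 0o644)
    return (
        "# m h dom mon dow user command\n"
        f"*/1 * * * * root cat {src} > {dst}\n"
        "17 * * * * root cd / && run-parts --report /etc/cron.hourly\n"
    )


def demo():
    """Run the audit against the constructed scenario."""
    return find_risky_inputs(build_demo())


if __name__ == "__main__":
    for user, cmd, path in demo():
        print(f"[{user}] {cmd}\n    world-writable input: {path}")
```

Run against the real /etc/crontab and /etc/cron.d/* the same function reports every root job whose inputs are not root-controlled; the fix is to make the source file owned by root and writable only by root, or to drop the job and manage authorized_keys directly.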

Privilege Escalation

Checking for sudo privileges, I found that the user is able to run apt-get under sudo without a password.

Checking GTFOBins, I found that apt-get can be used to escalate privileges.

Following the instructions in GTFOBins, I was able to gain root access.
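A NOPASSWD sudo rule on a package manager is exactly the kind of grant a sudoers review should catch before anyone consults GTFOBins. As an added example (mine, not part of the write-up), here is a Python check that parses user specifications from a sudoers file, flags NOPASSWD grants and rates rules whose command is ALL or a binary GTFOBins lists as able to spawn a shell. The sudoers text is constructed, and SHELL_ESCAPE_BINARIES is an illustrative subset, not the full GTFOBins list.

```python
import os
import re
from dataclasses import dataclass

# Constructed sample sudoers content for this example (not the box's real file).
SAMPLE_SUDOERS = """\
# /etc/sudoers
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
jake    ALL=(ALL) NOPASSWD: /usr/bin/apt-get
alice   ALL=(root) /usr/sbin/service nginx restart
bob     ALL=(ALL) NOPASSWD: /usr/bin/systemctl status nginx
"""

# Illustrative subset of binaries GTFOBins lists as able to run arbitrary
# commands when permitted under sudo; apt-get is the one the write-up uses.
# Extend from the GTFOBins "sudo" category for a real audit.
SHELL_ESCAPE_BINARIES = {
    "apt-get", "apt", "vim", "vi", "less", "more", "man",
    "find", "awk", "python3", "perl", "env",
}

# user  host=(runas) [TAG:] command[, command...]
RULE_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>\S+)=\((?P<runas>[^)]*)\)\s+"
    r"(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$"
)


@dataclass
class Finding:
    who: str
    command: str
    nopasswd: bool
    severity: str


def audit_sudoers(text):
    """Return a Finding for each rule (root's own excluded) that either needs no
    password or permits ALL / a shell-capable binary. Severity: high when both
    apply, medium for a shell-capable command that still asks a password,
    low for a NOPASSWD rule on an otherwise harmless command."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if not m or m.group("who") == "root":
            continue
        nopasswd = "NOPASSWD:" in m.group("tags")
        for cmd in m.group("cmds").split(","):
            cmd = cmd.strip()
            binary = "ALL" if cmd == "ALL" else os.path.basename(cmd.split()[0])
            escapes = binary == "ALL" or binary in SHELL_ESCAPE_BINARIES
            if escapes and nopasswd:
                severity = "high"
            elif escapes:
                severity = "medium"
            elif nopasswd:
                severity = "low"
            else:
                continue
            findings.append(Finding(m.group("who"), cmd, nopasswd, severity))
    return findings


if __name__ == "__main__":
    for f in audit_sudoers(SAMPLE_SUDOERS):
        tag = "NOPASSWD" if f.nopasswd else "password"
        print(f"{f.severity:6} {f.who}: {f.command} ({tag})")
```

The parser covers the common single-line form of a user specification and skips Defaults, aliases and continuation lines; for a full review feed it the output of `sudo -l` per user or `visudo -c`-validated files from /etc/sudoers.d as well.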

--

m0ndzon3

I like breaking stuff.