TryHackMe write-up: Smag Grotto

Introduction

This is my write-up for TryHackMe’s Smag Grotto Room.

Enumeration

Using nmap, I saw that this box is running SSH and HTTP.

I then checked the webpage using my browser.

Running gobuster, I found an interesting folder.

Checking the /mail directory, I found what looks to be an email thread.

Downloading the pcap, I found a set of credentials in the traffic.

I then checked whether I could use the credentials with SSH:

I then checked the /login.php URI:

Exploitation

Checking the pcap again, I saw that the Host header of the HTTP request is actually development.smag.thm. After adding that name to my /etc/hosts file and trying again in my browser, I got:

Trying the credentials from the pcap, I got what looks like a command execution page.

I then tried whoami, id, pwd, and other commands that would print output to the webpage. However, nothing came back. Possibly the PHP was not designed to display any command output.

Finally I tried pinging my IP address:

ping -c 3 <IP>

Using tcpdump on my machine, I confirmed that the ICMP echo requests were arriving, so the command was being executed even though its output was not displayed. Given that, I then tried to get a reverse shell as follows:

Checking my netcat listener, I got a shell.

Checking /etc/crontab, I found that root writes an ssh public key to jake’s authorized_keys file:

Checking the public key file's permissions, I found it is world-writable:

I then decided to generate my own SSH keypair:

I then overwrote jake's public key with my newly generated public key:

Using the matching private key, I was able to log in to the target via SSH once the cron job had copied my key into jake's authorized_keys file.
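As an added defender-side check (not code from the write-up; the cron line and file paths in the sample are constructed placeholders, not the box's real ones), a small Python audit for the misconfiguration described above: a root cron job that copies a world-writable file into a user's authorized_keys file, which lets any local user plant their own public key.

```python
import re
import stat
from typing import Callable, List, Optional, Tuple

# Added audit example (not from the write-up): find system cron jobs that copy a
# world-writable file into an authorized_keys file, the misconfiguration abused
# on this box. Any local user could then plant their own public key.
PATH_RE = re.compile(r"(?<![\w/])(/[\w./-]+)")  # absolute paths in a command

def parse_system_crontab(text: str) -> List[Tuple[str, str]]:
    """Return (user, command) pairs from /etc/crontab-style lines."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or re.match(r"^\w+=", line):
            continue  # blank, comment or VAR=value assignment
        fields = line.split(None, 6)  # m h dom mon dow user command
        if len(fields) == 7:
            entries.append((fields[5], fields[6]))
    return entries

def audit_crontab(text: str, mode_of: Callable[[str], Optional[int]]) -> List[dict]:
    """Flag jobs whose command reads a world-writable file and writes into an
    authorized_keys file. mode_of(path) returns st_mode, or None if missing."""
    findings = []
    for user, command in parse_system_crontab(text):
        if "authorized_keys" not in command:
            continue
        for path in PATH_RE.findall(command):
            if "authorized_keys" in path:
                continue  # that is the destination, not the source
            mode = mode_of(path)
            if mode is not None and mode & stat.S_IWOTH:
                findings.append({"user": user, "source": path,
                                 "mode": oct(stat.S_IMODE(mode)), "command": command})
    return findings

# Constructed sample: a root job in the shape of the one described above (placeholder
# paths) plus a benign job, and fake permission bits for the files it references.
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
# m h dom mon dow user  command
*  * * * *   root  /bin/cat /opt/backups/jake_key.pub > /home/jake/.ssh/authorized_keys
17 * * * *   root  cd / && run-parts --report /etc/cron.hourly
"""
SAMPLE_MODES = {"/opt/backups/jake_key.pub": 0o100666,  # -rw-rw-rw-
                "/bin/cat": 0o100755, "/home/jake/.ssh/authorized_keys": 0o100600}

def audit_sample() -> List[dict]:
    return audit_crontab(SAMPLE_CRONTAB, SAMPLE_MODES.get)
```

On a real host, pass the contents of /etc/crontab and a `mode_of` that returns `os.stat(path).st_mode` (or `None` on `OSError`) to audit the live configuration.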

Privilege Escalation

Checking for sudo privileges, I found that the user is able to run apt-get under sudo without a password.

Checking GTFOBins, I found that apt-get can be used to escalate privileges.

Following the instructions on GTFOBins, I was able to gain root access.

m0ndzon3