TryHackMe - SmagGrotto

Challenge Link : https://tryhackme.com/room/smaggrotto
Difficulty : Easy
Full walkthrough video : https://www.youtube.com/watch?v=_ApM5-XD2wE (the video also shows the flag)
Today I am going to show you how I solved the SmagGrotto challenge from TryHackMe. There are two flags to find, user and root. In this article, I will explain how to get them.
As usual, the first step was to scan the IP I received for that machine. The scan was performed using nmap and two open ports were found: 22 and 80, with SSH and HTTP services running on them.

When I accessed the site, there wasn't much to work with, since it looked like a page under construction. So, I continued with a web scan using gobuster, to see if there was anything useful to discover. I used the small.txt wordlist for this scan and a result popped up.

When I checked the new page, I noticed there was a .pcap file which could be downloaded.

Once I downloaded that file, I opened it in Wireshark and managed to find a request to a subdomain, along with a set of credentials.

I launched the page I just found and logged in using the available credentials. As a note, I had to add an entry with the received IP and this subdomain to /etc/hosts on my local machine, otherwise it didn't work.
There, I found a sort of portal which allowed executing remote commands, even though it wasn't outputting anything. Based on this, I used a bash-based reverse shell, after first starting a netcat listener in a separate window.

In this way, I acquired a reverse shell as www-data.

I checked what users were available on the machine and I found one. Next, I verified whether there were any cron jobs running. I found one, set to execute as root. It was appending a backup of a public key to authorized_keys for that user. When I listed the permissions of that backup, I saw it was writable by everyone. Based on this, I added my own public key to the backup.

I waited a bit, since the script was set to run every minute. After that, I connected directly from my machine via ssh and gained a shell as that user. Since the user flag was in the user's home directory, I just had to read it and the first part was completed.
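The root cause of this escalation is a root cron job that reads a file anyone can write. The following audit script is an added example written for this article (it is not part of the room or of any TryHackMe tooling): it parses /etc/crontab-style lines, collects the absolute paths each root-run command references, and reports any that are world-writable. The path regex, the `audit_root_cron` function and the demo file names under a temporary directory are assumptions made for the example.

```python
import os
import re
import stat
import tempfile
from types import SimpleNamespace

# Absolute paths inside a cron command line (hypothetical helper regex; it does
# not try to understand shell quoting, which is enough for a first triage pass).
PATH_RE = re.compile(r'(?<![\w.-])(/[\w./-]+)')


def parse_system_crontab(text):
    """Parse /etc/crontab-style lines into (user, command) pairs.

    Comment lines and VAR=value assignments are skipped. '@reboot'-style
    schedules occupy one field, numeric schedules five; the next field is the
    user and the rest is the command.
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        fields = line.split()
        if '=' in fields[0]:          # environment assignment, not a job
            continue
        sched_len = 1 if fields[0].startswith('@') else 5
        if len(fields) < sched_len + 2:
            continue                  # malformed line or no command
        user = fields[sched_len]
        command = ' '.join(fields[sched_len + 1:])
        entries.append((user, command))
    return entries


def is_world_writable(path, stat_fn=os.stat):
    """True when the 'other' write bit is set on an existing path."""
    try:
        st = stat_fn(path)
    except (FileNotFoundError, PermissionError):
        return False
    return bool(st.st_mode & stat.S_IWOTH)


def audit_root_cron(text, stat_fn=os.stat):
    """Return (command, path) pairs where a root job touches a world-writable path."""
    findings = []
    for user, command in parse_system_crontab(text):
        if user != 'root':
            continue
        for path in sorted(set(PATH_RE.findall(command))):
            if is_world_writable(path, stat_fn):
                findings.append((command, path))
    return findings


def fake_stat_table(modes):
    """Build a stat-like lookup from {path: mode} so the audit runs offline."""
    def _stat(path):
        if path not in modes:
            raise FileNotFoundError(path)
        return SimpleNamespace(st_mode=modes[path])
    return _stat


if __name__ == '__main__':
    # Constructed demo: a root job appends a key backup to authorized_keys,
    # and the backup file has been left mode 0666.
    with tempfile.TemporaryDirectory() as tmp:
        backup = os.path.join(tmp, 'id_rsa.pub.bak')   # constructed name
        script = os.path.join(tmp, 'backup.sh')        # constructed name
        for p, mode in ((backup, 0o666), (script, 0o755)):
            with open(p, 'w') as fh:
                fh.write('# constructed\n')
            os.chmod(p, mode)
        crontab = (f'* * * * * root {script}\n'
                   f'* * * * * root cat {backup} >> /home/user/.ssh/authorized_keys\n')
        for command, path in audit_root_cron(crontab):
            print(f'WORLD-WRITABLE INPUT TO ROOT JOB: {path}  <- {command}')
```

On a real host, feed it the contents of /etc/crontab and the files under /etc/cron.d and leave `stat_fn` at its default; the fix for any finding is to tighten the file mode and owner, not to rely on the job's schedule.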

As a final step, I verified whether the user had sudo permissions; the user could run apt-get as root. Since I knew this executable was a tricky one, I went to GTFOBins and took the privilege-escalation command from there. I ran it and got a root shell. In this way, I was able to obtain the second flag and complete the challenge.
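The second escalation relies on a sudo rule for a binary that can spawn other programs when run as root. As an added example for this article (not part of the room), here is a small sudoers reviewer: it parses `user host=(runas) [tags:] commands` lines, splits comma-separated command lists, and flags rules that give a non-root user root-level access either to `ALL` or to a watchlisted binary. The watchlist holds only `apt-get`, the binary from this challenge; extending it to your own environment, the `audit_sudoers` function name and the sample sudoers text are assumptions made for the example.

```python
import os
import re

# user  host=(runas:group) TAG: cmd1, cmd2   (hypothetical regex for the common rule shape;
# aliases, line continuations and includes are not handled)
SUDOERS_RE = re.compile(
    r'^(?P<who>\S+)\s+(?P<host>\S+)\s*=\s*'
    r'(?:\((?P<runas>[^)]*)\)\s*)?'
    r'(?P<tags>(?:[A-Z_]+:\s*)*)'
    r'(?P<cmds>.+)$'
)

# Binaries that should not be delegated as root without a very narrow argument
# list. Only apt-get is taken from the walkthrough; the rest is for you to fill in.
WATCHLIST = {'apt-get'}


def parse_sudoers(text):
    """Return one dict per (user, command) rule found in sudoers-style text."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#') or line.startswith('Defaults'):
            continue
        m = SUDOERS_RE.match(line)
        if not m:
            continue
        runas = (m.group('runas') or 'root').split(':')[0]   # omitted runas means root
        tags = [t.rstrip(':') for t in m.group('tags').split()]
        for cmd in m.group('cmds').split(','):
            rules.append({'who': m.group('who'), 'runas': runas,
                          'tags': tags, 'command': cmd.strip()})
    return rules


def audit_sudoers(rules, watchlist=WATCHLIST):
    """Flag rules granting a non-root user root execution of ALL or a watchlisted binary."""
    findings = []
    for r in rules:
        if r['who'] == 'root' or r['runas'] not in ('root', 'ALL'):
            continue
        binary = os.path.basename(r['command'].split()[0])
        if r['command'] == 'ALL' or binary in watchlist:
            findings.append({'who': r['who'], 'command': r['command'],
                             'nopasswd': 'NOPASSWD' in r['tags']})
    return findings


if __name__ == '__main__':
    # Constructed sudoers excerpt for the demo.
    sample = (
        "Defaults env_reset\n"
        "root ALL=(ALL:ALL) ALL\n"
        "alice ALL=(ALL) NOPASSWD: /usr/bin/apt-get\n"
        "bob ALL=(root) /usr/bin/systemctl status nginx\n"
    )
    for f in audit_sudoers(parse_sudoers(sample)):
        pw = 'without a password' if f['nopasswd'] else 'with a password'
        print(f"{f['who']} may run '{f['command']}' as root {pw}")
```

Run it against the output of `sudo cat /etc/sudoers /etc/sudoers.d/*` on a host you administer; a hit means the rule should be replaced by a tightly scoped command or dropped.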

Thanks for reading! I hope you enjoyed this walkthrough!