Description:
The Following Post is writeup of smag grotto room of tryhackme https://tryhackme.com/room/smaggrotto
Summary:
The machine have a webpage which is underdevelopment on dirbusting you will land on a page which contains pcap and password upon analysis you will get a subdomain and creds. The admin page have command injection. Then the next step is to get user there is cron job running which overwrites the ssh authorized_keys of jack user so generate a key and login as jack and then we can run apt-get as root without password.
Rating: Easy
Walkthrough:
Lets start with nmap scan
Start our enum for port 80 we can see a underdevelopment note.
http://10.10.247.8/mail/
Here are list of users netadmin@smag.thm Cc: uzi@smag.thm From: jake@smag.thm.
We will get a wireshark file. We got 2 info 1st is the subdomain which is development.smag.thm lets add it into /etc/hosts 2nd login creds.
we can see admin.php have blind command injection which is obviously not that blind
so i tried reverse shell payload
so got a blind command injection
Now start pwncat and let’s get a shell
Priv esc time we can see jack user
It took me a while to see this thing but the line was truly amazing
- root /bin/cat /opt/.backups/jake_id_rsa.pub.backup > /home/jake/.ssh/authorized_keys
we can write jake backup and hence we will make our id_rsa
- root /bin/cat /opt/.backups/jake_id_rsa.pub.backup > /home/jake/.ssh/authorized_keys
so i got user
Matching Defaults entries for jake on smag:
env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/snap/bin
User jake may run the following commands on smag:
(ALL : ALL) NOPASSWD: /usr/bin/apt-get
Here you go simple gtfo