CTF-Writeups/TryHackMe/Smag.md
2020-11-15 22:32:56 +05:00

2.6 KiB

TryHackMe- Smag Grotto

NMAP

Starting Nmap 7.80 ( https://nmap.org ) at 2020-11-15 20:09 PKT
Nmap scan report for 10.10.56.250
Host is up (0.15s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 74:e0:e1:b4:05:85:6a:15:68:7e:16:da:f2:c7:6b:ee (RSA)
|   256 bd:43:62:b9:a1:86:51:36:f8:c7:df:f9:0f:63:8f:a3 (ECDSA)
|_  256 f9:e7:da:07:8f:10:af:97:0b:32:87:c9:32:d7:1b:76 (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Smag
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 17.81 seconds

PORT 80

There was nothing on the page so I ran gobuster

Download the pcap file

See the 4th packet and follow HTTP stream

username=helpdesk&password=cH4nG3M3_n0w

We can see Host : development.smag.thm edit this in our /etc/hosts and the box's IP

We can then see admin and login page

Login with the credentials found above , now we can see that we can enter commmands but normal commands weren't working so I typed a php reverse shell

Once we are in we can see a cronjob running

Here we can replace it with our local machine's public key so that when we try to connect with ssh with our private key we can get access to the box with jake user

In order to do that we must generate public and private key

Now I copied my id_rsa.pub and pasted in their

We can see that this user can apt-get as sudo

Search on google for privesc via apt-get , GTFOBIN is a great resource for escalating as root with binaries

https://gtfobins.github.io/gtfobins/apt-get/