Smag Grotto Walkthrough TryHackMe
Hello guys, back again with another walkthrough. This time I am going to be tackling Smag Grotto from TryHackMe. Truthfully, I finished the box just a few minutes ago and I enjoyed all the hops one has to make to get root on it. First we start off doing some directory brute-forcing on a website using gobuster and find a packet capture file. We load the file in Wireshark and find a credential and a new hostname. Navigating to the new hostname we get a web application that is vulnerable to blind command injection. If you were expecting some output, sorry! But using that web application we get a shell on the box as the Apache user (www-data). Doing some more enumeration on the box we find that there is a cron job running that copies an SSH public key to a user's .ssh directory. We edit the source file, add our own generated public key, and thereby get a shell as that user. User done! For root you find that the same user can run apt-get as root without knowing root's password; do some magic with GTFOBins and get root. I found the box really interesting and a good starter box for beginners learning cyber security. All thanks to the creator of the box. Without much more to say, let's jump in.
As always we'll start off with an nmap scan of the box. As I always say, it gives us a good idea of the services running on the box, and if we are lucky we might find a service that has a one-day exploit.
Looking at the result of the nmap scan we see that two ports are open: SSH and HTTP.
We might start off by brute-forcing SSH, but we don't even have a valid username, so I opted against that. The next best thing we can do is enumerate HTTP.
Opening the website
We get a standard webpage that is still under development.
Looking at the source code we see that there is nothing interesting.
Next I decided to see if robots.txt existed on the web server (robots.txt contains a list of URLs which a web spider should not crawl).
But I got nothing.
I had hit a dead end, so I decided to do directory brute-forcing with gobuster. Gobuster is a tool used to brute-force URIs, including directories and files, as well as DNS subdomains.
Looking at the output of gobuster we find some interesting directories, including /mail.
Navigating to /mail we get a bunch of emails, some attachments, and also a couple of usernames:
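From the defender's side, a gobuster run like the one above leaves a very recognisable trace in the web server's access log: one client producing a burst of 404s across many distinct paths in a short window. The following is an added example (not part of the original walkthrough or of the box) of that detection logic run over a few constructed Apache combined-format log lines; the IPs, paths and timestamps are made up for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache/nginx "combined" log format; the regex assumes the standard field layout.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "[^"]*" "(?P<ua>[^"]*)"'
)

# Constructed sample log: one client walking a wordlist (mostly 404s) and one
# ordinary visitor. Addresses, paths and times are invented for this example.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Jun/2020:12:00:01 +0000] "GET /admin HTTP/1.1" 404 196 "-" "gobuster/3.0.1"
10.0.0.5 - - [10/Jun/2020:12:00:01 +0000] "GET /backup HTTP/1.1" 404 196 "-" "gobuster/3.0.1"
10.0.0.5 - - [10/Jun/2020:12:00:02 +0000] "GET /mail HTTP/1.1" 301 312 "-" "gobuster/3.0.1"
10.0.0.5 - - [10/Jun/2020:12:00:02 +0000] "GET /cgi-bin HTTP/1.1" 404 196 "-" "gobuster/3.0.1"
10.0.0.5 - - [10/Jun/2020:12:00:03 +0000] "GET /uploads HTTP/1.1" 404 196 "-" "gobuster/3.0.1"
10.0.0.5 - - [10/Jun/2020:12:00:03 +0000] "GET /test HTTP/1.1" 404 196 "-" "gobuster/3.0.1"
10.0.0.9 - - [10/Jun/2020:12:00:04 +0000] "GET / HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
10.0.0.9 - - [10/Jun/2020:12:00:05 +0000] "GET /favicon.ico HTTP/1.1" 404 196 "-" "Mozilla/5.0"
"""


def parse(log_text):
    """Yield one dict per well-formed log line, with a parsed timestamp and int status."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
            rec["status"] = int(rec["status"])
            yield rec


def find_scanners(log_text, window_seconds=60, threshold=5):
    """Return {ip: summary} for clients that produced at least `threshold` 404
    responses inside any span of `window_seconds`, which is the signature of a
    wordlist-driven directory brute force."""
    by_ip = defaultdict(list)
    for rec in parse(log_text):
        by_ip[rec["ip"]].append(rec)

    flagged = {}
    for ip, recs in by_ip.items():
        misses = sorted(r["ts"] for r in recs if r["status"] == 404)
        start = 0
        # Sliding window over the sorted 404 timestamps.
        for end in range(len(misses)):
            while (misses[end] - misses[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = {
                    "not_found": len(misses),
                    "distinct_paths": len({r["path"] for r in recs}),
                    "user_agents": sorted({r["ua"] for r in recs}),
                }
                break
    return flagged


if __name__ == "__main__":
    for ip, summary in find_scanners(SAMPLE_LOG).items():
        print(ip, summary)
```

The user-agent is reported only as supporting evidence: gobuster's default UA is trivially changed, so the 404 rate per client, not the UA string, is what the rule keys on. Tune `threshold` and `window_seconds` to the site's normal 404 noise before alerting on it.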
1. Netadmin
2. Jake
3. Uzi
We also get a pcap file. Let's download the pcap file to our local box using wget, as we were instructed in the mails.
Next I thought the packets might be encrypted, so I first tried to open it using aircrack-ng, but got an error. If the packets had been encrypted we could crack the key with aircrack-ng and add the same key to Wireshark to decrypt the packets.
The next thing I did was open it with Wireshark, which is a network "sniffer", a tool that captures and analyzes packets off the wire. Wireshark can decode about as many protocols as you can think of; examples include HTTP, LDAP, SSH, MySQL, etc.
On opening the packet capture file we get a few packets.
Let's begin analyzing them. The packet that looked really interesting was the one for /login.php.
Following the TCP stream of that request gives us a bunch of really useful information:
1. First we get some credentials
2. Second we get a new hostname, or you could say a subdomain
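What Wireshark's "Follow TCP Stream" showed above, a login form submitted over plaintext HTTP, is also the kind of thing a defender wants to find in their own captures before an attacker does. The following is an added example, not code from the walkthrough or the box: a minimal libpcap reader that walks Ethernet/IPv4/TCP records and reports HTTP POST requests carrying password-like form fields together with the Host header they were sent to. The capture it runs on is constructed in memory by the same script, and the hostname and credentials in it are placeholders, not values from the box.

```python
import struct
from urllib.parse import parse_qs

# ---- construction helpers (only used to build the sample capture) ----------------

def build_frame(payload, src=b"\x0a\x00\x00\x05", dst=b"\x0a\x00\x00\x0a",
                sport=40000, dport=80):
    """Constructed Ethernet/IPv4/TCP frame with no options and zeroed checksums."""
    eth = b"\x00" * 12 + b"\x08\x00"                       # dst MAC, src MAC, EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40 + len(payload), 0, 0, 64, 6, 0, src, dst)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload


def build_pcap(frames):
    """Constructed little-endian libpcap file: global header plus one record per frame."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)   # linktype 1 = Ethernet
    for i, frame in enumerate(frames):
        out += struct.pack("<IIII", 1591790400 + i, 0, len(frame), len(frame)) + frame
    return out

# ---- analysis --------------------------------------------------------------------

def iter_tcp_payloads(pcap):
    """Yield (dst_port, tcp_payload) for every Ethernet/IPv4/TCP record in the file."""
    magic, = struct.unpack_from("<I", pcap, 0)
    if magic != 0xA1B2C3D4:
        raise ValueError("only little-endian microsecond pcap files are handled here")
    off = 24
    while off + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack_from("<IIII", pcap, off)
        off += 16
        frame = pcap[off:off + incl_len]
        off += incl_len
        if frame[12:14] != b"\x08\x00":                     # not IPv4
            continue
        ip = frame[14:]
        ihl = (ip[0] & 0x0F) * 4                            # honour IP options if present
        if ip[9] != 6:                                      # not TCP
            continue
        tcp = ip[ihl:]
        dport = struct.unpack_from("!H", tcp, 2)[0]
        data_off = (tcp[12] >> 4) * 4                       # honour TCP options if present
        yield dport, tcp[data_off:]


SENSITIVE_FIELDS = {"password", "passwd", "pass", "pwd"}


def find_plaintext_logins(pcap):
    """Return [{"host", "path", "fields"}] for HTTP POSTs whose body carries a
    password-like field. Each request is assumed to fit in one TCP segment; real
    captures need stream reassembly first (what Wireshark's Follow TCP Stream does)."""
    hits = []
    for _, payload in iter_tcp_payloads(pcap):
        if not payload.startswith(b"POST "):
            continue
        head, _, body = payload.partition(b"\r\n\r\n")
        lines = head.decode("latin-1").split("\r\n")
        path = lines[0].split(" ")[1]
        headers = {k.lower(): v for k, v in
                   (line.split(": ", 1) for line in lines[1:] if ": " in line)}
        fields = {k: v[0] for k, v in parse_qs(body.decode("latin-1")).items()}
        if SENSITIVE_FIELDS & set(fields):
            hits.append({"host": headers.get("host", ""), "path": path, "fields": fields})
    return hits


# Constructed capture: one harmless GET and one plaintext login POST (placeholder values).
LOGIN_POST = (b"POST /login.php HTTP/1.1\r\nHost: dev.example.test\r\n"
              b"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 31\r\n\r\n"
              b"username=alice&password=s3cret!")
SAMPLE_PCAP = build_pcap([build_frame(b"GET / HTTP/1.1\r\nHost: dev.example.test\r\n\r\n"),
                          build_frame(LOGIN_POST)])

if __name__ == "__main__":
    for hit in find_plaintext_logins(SAMPLE_PCAP):
        print(hit["host"], hit["path"], sorted(hit["fields"]))
```

The fix for what the scanner finds is the one the box itself lacks: serve the login form over TLS only, so a capture like the one in the mail directory yields nothing readable. The same parser, pointed at a real file via `open(path, "rb").read()`, will still need reassembly for requests split across segments.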
I added the hostname to my hosts file.
Navigating to the URL using Mozilla we get a login page.
Let's try the credentials we found in the pcap file. After clicking the login button we get access to admin.php.
The page says to enter a command, so let's try ifconfig, a common Linux command.
Clicking on send we don't get any output.
This is a blind command injection vulnerability, meaning no output (stdout) is printed on the screen. To test whether it works I'll try to ping myself, set up tcpdump, and see if I get a callback.
First I set up a tcpdump listener.
Then I send the ping command.
Looking back at our tcpdump listener we got a callback.
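The admin.php page behaves the way it does because user text ends up inside a shell command line; suppressing the output hides the result but does not stop the command from running, which is exactly why the ping callback works. Below is an added example, written for this walkthrough and not taken from the box's actual source (which is not shown), of that vulnerable pattern beside a hardened form: a fixed allowlist of actions, a strictly validated host value, and `shell=False` so no shell ever parses the input. It also includes the simple metacharacter check a WAF rule or input-validation log filter can use to flag submissions like the ping payload above. The action names and regex are this example's own choices.

```python
import re
import subprocess

# Vulnerable pattern (constructed, not the box's real admin.php): the user's text is
# spliced into a shell command line, so ';', '|', '&&', backticks and $(...) smuggle
# in extra commands. Discarding stdout hides the result but not the execution.
def run_unsafe(user_input):
    subprocess.run("ping -c 1 " + user_input, shell=True, capture_output=True)


# Hardened form: each permitted action maps to a concrete argv list; the only
# user-controlled value is a host name checked against a strict pattern and passed
# as a single argv element with shell=False, so it can never become a command.
HOST_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]{0,252}$")   # no leading '-', no metachars
ACTIONS = {
    "ping": lambda host: ["ping", "-c", "1", host],
    "uptime": lambda host: ["uptime"],
}


def build_argv(action, host=""):
    """Return the exact argv that would run, or raise ValueError for anything off-list."""
    if action not in ACTIONS:
        raise ValueError(f"action not permitted: {action!r}")
    if action == "ping" and not HOST_RE.match(host):
        raise ValueError(f"rejected host value: {host!r}")
    return ACTIONS[action](host)


def is_rejected(action, host=""):
    """True when the hardened validator refuses the request (convenience for checks)."""
    try:
        build_argv(action, host)
    except ValueError:
        return True
    return False


def run_safe(action, host=""):
    """Execute an allowlisted action without a shell; stdout is returned to the caller."""
    return subprocess.run(build_argv(action, host), shell=False,
                          capture_output=True, text=True, timeout=10).stdout


# Detection side: the metacharacters that have no business in a host-name field.
META_RE = re.compile(r"[;&|`$(){}<>\n\r]")


def looks_like_injection(value):
    return META_RE.search(value) is not None


if __name__ == "__main__":
    print(build_argv("ping", "127.0.0.1"))
    print(is_rejected("ping", "127.0.0.1; ping -c 1 10.0.0.9"))
    print(looks_like_injection("127.0.0.1; ping -c 1 10.0.0.9"))
```

Note that `looks_like_injection` is a monitoring aid, not the fix: blocklists miss encodings and new tricks, whereas `build_argv` allows only what it can enumerate and therefore does not depend on recognising bad input.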
Sweet. The next step is getting a reverse shell on the box using the pentest monkey reverse shell cheat sheet.
I intercepted the request with Burp Suite since it makes my life easier: it doesn't erase my input, meaning I don't have to type the entire command all over again.
Next I set up a netcat listener.
Then I sent the reverse shell payload to the server.
Looking back at my netcat listener I got a callback.
Navigating to /home we see that there is only one user on the box, called Jake.
Looking at his home directory we see a user.txt flag, but we don't have read permissions on it.
Next I uploaded linpeas to the box. This script automatically finds privilege escalation vectors which might be exploitable, and the likely exploitation paths are highlighted in awesome colors in the output.
Looking at the linpeas output we find an interesting cron job running.
The cron job appears to be copying a public SSH key from /opt/.backup/ to the user jake's .ssh directory. If we can edit this file we can add our own generated public key and gain a shell as the user jake on the box.
Navigating to that backup directory we see that we have write access to jake_id_rsa.pub.backup.
Let's generate an SSH key pair.
Now we've generated an SSH public key and a private key.
Let's copy our public key to that backup directory.
Save the file and wait for the cron job to run again.
After about 2 minutes I tried to log in to the box using the SSH private key I had generated, and voila, I got into the box as the user jake.
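The root cause of the user-level foothold above is a root cron job whose input file is writable by a low-privileged account. That is a condition an administrator can check for mechanically. The following is an added example (not part of the walkthrough and not linpeas' own logic): it parses system-crontab lines, pulls out the absolute paths each root job references, and flags any that are group- or world-writable. It runs against a constructed directory tree and a constructed crontab line modelled on the job described above; the cron line and file modes are this example's own, not output copied from the box.

```python
import os
import re
import stat
import tempfile

# System crontab layout: minute hour dom month dow user command. Comments and
# VAR=value lines are skipped. Per-user crontabs (no user column) are not handled.
CRON_RE = re.compile(r"^\s*(?:\S+\s+){5}(?P<user>\S+)\s+(?P<cmd>.+)$")
PATH_RE = re.compile(r"(?<![\w.-])/[\w./-]+")    # absolute paths inside the command text


def referenced_paths(command):
    """All absolute paths mentioned in a cron command (interpreter, script, inputs, outputs)."""
    return PATH_RE.findall(command)


def writable_by_others(path):
    """True if the file exists and its mode grants write to group or others."""
    try:
        mode = os.stat(path).st_mode
    except FileNotFoundError:
        return False
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit_crontab(text, root="/"):
    """Return findings for root-run jobs whose referenced paths others can write to.
    `root` is prefixed to every path so the check can run on a staged tree."""
    findings = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#") or "=" in stripped.split()[0]:
            continue
        m = CRON_RE.match(line)
        if not m or m.group("user") != "root":
            continue
        for p in referenced_paths(m.group("cmd")):
            if writable_by_others(os.path.join(root, p.lstrip("/"))):
                findings.append({"path": p, "command": m.group("cmd").strip()})
    return findings


def demo():
    """Stage a constructed tree with one world-writable key file and audit a crontab."""
    base = tempfile.mkdtemp()
    key_dir = os.path.join(base, "opt/.backup")
    os.makedirs(key_dir)
    key = os.path.join(key_dir, "jake_id_rsa.pub.backup")
    with open(key, "w") as fh:
        fh.write("ssh-rsa AAAA-constructed-placeholder\n")
    os.chmod(key, 0o666)                    # the misconfiguration: anyone can edit the source
    os.makedirs(os.path.join(base, "etc"))
    script = os.path.join(base, "etc/cleanup.sh")
    with open(script, "w") as fh:
        fh.write("#!/bin/sh\n")
    os.chmod(script, 0o755)                 # root-owned, not writable by others: fine
    crontab = (
        "PATH=/usr/bin:/bin\n"
        "# constructed job modelled on the one found by linpeas\n"
        "*/1 * * * * root /bin/cp /opt/.backup/jake_id_rsa.pub.backup "
        "/home/jake/.ssh/authorized_keys\n"
        "0 3 * * * root /etc/cleanup.sh\n"
    )
    return audit_crontab(crontab, root=base)


if __name__ == "__main__":
    for f in demo():
        print("writable by others:", f["path"], "used by:", f["command"])
```

On a live host run `audit_crontab(open("/etc/crontab").read())` and the same over `/etc/cron.d/*`. The fix for a finding is to make the source file root-owned with mode 0644 (or 0600) and, better, not to copy authorized_keys material around by cron at all. A fuller audit would also check that each parent directory is not writable by others, since a writable directory lets the file be replaced even when the file itself is locked down.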
Now we can read the user.txt flag, submit it, and earn the points.
Now we have to escalate our privileges to the root user. I ran linpeas again and found that we could run apt-get as the root user without supplying root's password.
I decided to see if the command was available in GTFOBins.
And looking at the result we find that it was.
Clicking on sudo gave me the command I could run, which in turn would give me a root shell.
Pasting the command into the terminal
and pressing enter, we get a root shell on the box.
Now we can submit the root flag and increase our points.
That's it for the box. I hope you guys have enjoyed the walkthrough. If so, you can clap for me down below. Until next time, take care.
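The root step rests on a sudoers rule that lets jake run apt-get as root with NOPASSWD, and apt-get is one of the binaries GTFOBins lists as able to hand back a shell. An administrator can catch that class of rule before it is handed to an attacker. The following is an added example, not code from the walkthrough or from GTFOBins: a small sudoers parser that flags non-root principals granted either `ALL` or a shell-capable binary as root, and records whether a password is required. The sudoers excerpt it runs on is constructed, and `SHELL_CAPABLE` is a short illustrative subset of GTFOBins' sudo entries, not the full list.

```python
import os
import re

# Illustrative subset of binaries GTFOBins documents as able to spawn a shell when run
# under sudo (apt-get is the one on this box). Extend from GTFOBins for a real audit.
SHELL_CAPABLE = {"apt-get", "apt", "vim", "vi", "less", "more", "find", "python3", "perl", "env"}

# Common rule layout: who host=(runas) TAG: cmd, cmd. Aliases (Cmnd_Alias etc.) and
# backslash line continuations are deliberately out of scope for this example.
SUDOERS_RE = re.compile(
    r"^(?P<who>%?[\w.-]+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$"
)


def parse_sudoers(text):
    """Yield one dict per (principal, command) pair in sudoers-style text."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults"):
            continue
        m = SUDOERS_RE.match(line)
        if not m:
            continue
        runas_user = (m.group("runas") or "root").split(":")[0]   # "(ALL:ALL)" -> "ALL"
        tags = {t.rstrip(":") for t in m.group("tags").split()}
        for cmd in m.group("cmds").split(","):
            yield {"who": m.group("who"), "runas": runas_user,
                   "tags": tags, "cmd": cmd.strip()}


def audit_sudoers(text):
    """Flag non-root principals that can reach a root shell through sudo."""
    findings = []
    for rule in parse_sudoers(text):
        if rule["who"] == "root" or rule["runas"] not in ("root", "ALL"):
            continue
        binary = os.path.basename(rule["cmd"].split()[0])
        if rule["cmd"] == "ALL":
            reason = "unrestricted command list"
        elif binary in SHELL_CAPABLE:
            reason = f"{binary} can spawn a shell (listed on GTFOBins)"
        else:
            continue
        findings.append({"who": rule["who"], "cmd": rule["cmd"], "reason": reason,
                         "nopasswd": "NOPASSWD" in rule["tags"]})
    return findings


# Constructed sudoers excerpt; the jake rule mirrors what linpeas reported, the others
# are placeholders to show rules that do and do not get flagged.
SAMPLE_SUDOERS = """\
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
jake    ALL=(root) NOPASSWD: /usr/bin/apt-get
ops     ALL=(root) /bin/systemctl restart apache2
alice   ALL=(www-data) /usr/bin/vim
"""

if __name__ == "__main__":
    for f in audit_sudoers(SAMPLE_SUDOERS):
        flag = "NOPASSWD" if f["nopasswd"] else "password required"
        print(f"{f['who']}: {f['cmd']} -> {f['reason']} [{flag}]")
```

The `%sudo ALL` rule is flagged as well because group membership grants a full root shell; whether that is acceptable depends on who is in the group, whereas a NOPASSWD grant of a shell-capable binary to a single service-style account is almost never intended. The remediation on this box would be to drop the apt-get rule or constrain it to exact arguments in a way that cannot invoke a shell, and to require a password.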