# Smag Grotto ![](/files/-MdNr9Zra4YUR6aP-42j) ## Scanning Lets run nmap scans to find open ports and services ![](/files/-MdNrscq3XY8fVHf_A1O) ## Enumeration Lets visit the website ![](/files/-MdNsP4_CRofOqveFNpQ) Lets run a gobuster scan ![](/files/-MdNtT-zTrLa7pLm7zi7) Lets visit this directory ![](/files/-MdNtdkHCT299hTXaWA5) Lets look at the source code ![](/files/-MdNttCrcY5uiy0sXbxQ) We have a email, and a link that will download a pcap file onto our machine. Lets open the file with Wireshark. ![](/files/-MdNufmnTOpZjFdSwl98) Lets look at the packet details by *`Right clicking and Follow > TCP Stream`.* ![](/files/-MdNvmSsQdjRG4S45w1F) Looks like we have a username and a password, we also have a host, lets add this to our `/etc/hosts` file. ![](/files/-MdNwlGFddj-5LyJJABE) Lets visit this site ![](/files/-MdNx6t9lDp8tNYWsfFv) Ok so we have a login page for users and a login page for admins, we have credentials for a helpdesk users, so lets login in the `admin.php` site. ![](/files/-MdNxWJ06Tb7nRyuiDK9) We are logged in. Looks like we can run commands, lets try running a reverse shell command to get a reverse shell on the machine. ## Exploitation Lets first start a netcat listener ![](/files/-MdNyFhOQPEMGWiLcDSg) Now lets run the command ![](/files/-MdNyR3ChV-rQuOd4_Ob) ![](/files/-MdNySe1k3LEuLZ4BEaO) We have a reverse shell, lets stabilize the shell ![](/files/-MdNycnERlmcRAM2XAWE) ## Privilege Escalation Looking around the machine, I found a interesting `cronjob` in the crontab file ![](/files/-MdO4nbn2tZqD1NXSvNM) So the cronjob is taking Jake's backup ssh key and adding it to the authorized keys, we can create our own key and modify the backup file , then we would we get access to the ssh server with the user privileges of Jake. Lets first generate our own SSH public key ![](/files/-MdO5d3JzxkWAaRP5brQ) Lets now copy it and replace it with the backup one in the machine. ![](/files/-MdO5qOO5Y5v99reiMvx) ![](/files/-MdO6Ma5N65atxYePVoR) Now lets wait for a few minutes and then login with the Jake username. ![](/files/-MdO73uBZsC2AChQOyp0) We can read the user flag ![](/files/-MdO7AK7UaFNgaZ67f2v) Lets run `sudo -l` to see what we can run as other users. ![](/files/-MdO7JGo060SmyHCRabE) Lets go to [GTFOBins](https://gtfobins.github.io/gtfobins/apt-get/#sudo). ![](/files/-MdO7UAzVMdy8USs0Kh9) Lets use the 3rd command ![](/files/-MdO7ZXjYtz-5TMe0FU2) We are now root, we can read the root flag ![](/files/-MdO7gkNEOJhoPR9u-oM) --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://writeups.adityadindi.com/tryhackme/untitled/smag-grotto.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.