Smag Grotto

Scanning

Lets run nmap scans to find open ports and services

Enumeration

Lets visit the website

Lets run a gobuster scan

Lets visit this directory

Lets look at the source code

We have a email, and a link that will download a pcap file onto our machine. Lets open the file with Wireshark.

Lets look at the packet details by Right clicking and Follow > TCP Stream.

Looks like we have a username and a password, we also have a host, lets add this to our /etc/hosts file.

Lets visit this site

Ok so we have a login page for users and a login page for admins, we have credentials for a helpdesk users, so lets login in the admin.php site.

We are logged in. Looks like we can run commands, lets try running a reverse shell command to get a reverse shell on the machine.

Exploitation

Lets first start a netcat listener

Now lets run the command

We have a reverse shell, lets stabilize the shell

Privilege Escalation

Looking around the machine, I found a interesting cronjob in the crontab file

So the cronjob is taking Jake's backup ssh key and adding it to the authorized keys, we can create our own key and modify the backup file , then we would we get access to the ssh server with the user privileges of Jake.

Lets first generate our own SSH public key

Lets now copy it and replace it with the backup one in the machine.

Now lets wait for a few minutes and then login with the Jake username.

We can read the user flag

Lets run sudo -l to see what we can run as other users.

Lets go to GTFOBins.

Lets use the 3rd command

We are now root, we can read the root flag