Smag Grotto

Scanning
Lets run nmap scans to find open ports and services

Enumeration
Lets visit the website

Lets run a gobuster scan

Lets visit this directory

Lets look at the source code

We have a email, and a link that will download a pcap file onto our machine. Lets open the file with Wireshark.

Lets look at the packet details by Right clicking and Follow > TCP Stream
.

Looks like we have a username and a password, we also have a host, lets add this to our /etc/hosts
file.

Lets visit this site

Ok so we have a login page for users and a login page for admins, we have credentials for a helpdesk users, so lets login in the admin.php
site.

We are logged in. Looks like we can run commands, lets try running a reverse shell command to get a reverse shell on the machine.
Exploitation
Lets first start a netcat listener

Now lets run the command


We have a reverse shell, lets stabilize the shell

Privilege Escalation
Looking around the machine, I found a interesting cronjob
in the crontab file

So the cronjob is taking Jake's backup ssh key and adding it to the authorized keys, we can create our own key and modify the backup file , then we would we get access to the ssh server with the user privileges of Jake.
Lets first generate our own SSH public key

Lets now copy it and replace it with the backup one in the machine.


Now lets wait for a few minutes and then login with the Jake username.

We can read the user flag

Lets run sudo -l
to see what we can run as other users.

Lets go to GTFOBins.

Lets use the 3rd command

We are now root, we can read the root flag

Last updated
Was this helpful?