Smag Grotto
Scanning
Lets run nmap scans to find open ports and services
Enumeration
Lets visit the website
Lets run a gobuster scan
Lets visit this directory
Lets look at the source code
We have a email, and a link that will download a pcap file onto our machine. Lets open the file with Wireshark.
Lets look at the packet details by Right clicking and Follow > TCP Stream
.
Looks like we have a username and a password, we also have a host, lets add this to our /etc/hosts
file.
Lets visit this site
Ok so we have a login page for users and a login page for admins, we have credentials for a helpdesk users, so lets login in the admin.php
site.
We are logged in. Looks like we can run commands, lets try running a reverse shell command to get a reverse shell on the machine.
Exploitation
Lets first start a netcat listener
Now lets run the command
We have a reverse shell, lets stabilize the shell
Privilege Escalation
Looking around the machine, I found a interesting cronjob
in the crontab file
So the cronjob is taking Jake's backup ssh key and adding it to the authorized keys, we can create our own key and modify the backup file , then we would we get access to the ssh server with the user privileges of Jake.
Lets first generate our own SSH public key
Lets now copy it and replace it with the backup one in the machine.
Now lets wait for a few minutes and then login with the Jake username.
We can read the user flag
Lets run sudo -l
to see what we can run as other users.
Lets go to GTFOBins.
Lets use the 3rd command
We are now root, we can read the root flag
Last updated