Smag Grotto - TryHackMe Writeup

##TryHackMe Room - Smag Grotto

Follow the yellow brick road.

This room involves web enumeration, credential discovery from network captures, blind command execution, and privilege escalation via cron job abuse and sudo misconfiguration.

##Enumeration

###Nmap Scan

Starting with a full TCP port scan to identify exposed services:

Explanation:

• >-p- → Scan all 65,535 TCP ports
• >-vv → Very verbose output
• >-sV → Service version detection

Results:

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu
80/tcp open  http    Apache httpd 2.4.18

Conclusion: SSH is exposed but requires credentials. The HTTP service on port 80 is our primary attack surface.

###Web Application Discovery

Navigating to http://<TARGET_IP> returns a static landing page indicating the site is under development. With no visible input fields or functionality, we proceed to directory enumeration.

###Directory Fuzzing

Using ffuf with a wordlist and common extensions:

Results:

index.php
mail/

The /mail/ directory looks promising.

##Mail Portal & Credential Discovery

###Inspecting /mail/

Navigating to http://<TARGET_IP>/mail/:

We are presented with a web-based mail viewer displaying internal emails.

Key observations:

• >References to email2web software
• >Mentions of attachments
• >A downloadable file: dHJhY2Uy.pcap (the filename is Base64-encoded; decoding yields trace2)

###Downloading the PCAP File

The attachment is served from a path that appears Base64-encoded. Download it:

The file is small and likely contains sensitive traffic.

###Inspecting the PCAP

Using strings for quick triage:

Output (excerpt):

POST /login.php HTTP/1.1
Host: development.smag.thm
username=helpdesk&password=<REDACTED>

Credentials discovered:

• >Username: helpdesk
• >Password: <REDACTED>

This confirms plaintext credential leakage via PCAP—credentials were sent over unencrypted HTTP and captured.

##Virtual Host Enumeration

###Host Resolution

The PCAP references development.smag.thm. We add the target and virtual host to /etc/hosts:

###Accessing the Development Site

Navigating to http://development.smag.thm:

Directory listing reveals:

login.php
admin.php
materialize.min.css

##Initial Access

###Authentication

Accessing login.php and authenticating with the credentials from the PCAP:

• >Username: helpdesk
• >Password: <REDACTED>

We are redirected to admin.php.

###Blind Command Execution

The admin panel contains a command input form. Testing with pwd produces no visible output—indicating blind command execution: commands run server-side but output is suppressed. We can still achieve full compromise by triggering a reverse shell.

###Reverse Shell

Step 1: On the attacker machine, start a netcat listener:

Step 2: From the web command interface, execute:

Result:

www-data@smag:/var/www/development.smag.thm$

Initial foothold achieved as www-data.

Stabilize the shell:

##Local Enumeration (www-data)

###User Discovery

Output: jake

###Inspecting Jake's Home Directory

We find user.txt but get Permission denied when reading it. We must escalate to the jake user (or root) to read the user flag.

###Backup Directory Discovery

Enumerating /opt:

Output: .backups

Output:

-rw-rw-rw- jake_id_rsa.pub.backup

Key issue: The file is world-writable and owned by root. It contains what appears to be a public SSH key backup (e.g. ssh-rsa AAAA... kali@kali).

###Cron Job Analysis

Checking system cron:

Critical entry:

* * * * * root /bin/cat /opt/.backups/jake_id_rsa.pub.backup > /home/jake/.ssh/authorized_keys

Interpretation:

• >Runs every minute as root
• >Overwrites Jake's authorized_keys with the contents of the backup file
• >The source file is world-writable

This is a cron-based privilege escalation vector: we can inject our own public key into jake_id_rsa.pub.backup and wait for cron to copy it into Jake's authorized_keys.

##User Flag

###SSH Key Injection Attack

Step 1: On the attacker machine, generate an SSH key pair:

This produces chall (private key) and chall.pub (public key).

Step 2: From the www-data shell, overwrite the backup file with our public key:

Step 3: Wait up to one minute for the cron job to run. It will copy our public key into /home/jake/.ssh/authorized_keys.

Step 4: SSH as jake using the private key:

Result: jake@smag:~$

###Reading the User Flag

User Flag: <REDACTED>

##Privilege Escalation to Root

###Sudo Enumeration

Output:

(ALL) NOPASSWD: /usr/bin/apt-get

This is a critical misconfiguration: apt-get can be abused to gain a root shell. See GTFOBins - apt-get.

###Root via apt-get (GTFOBins)

Using the documented GTFOBins technique:

Result:

root@smag:/tmp#

Root shell achieved.

##Root Flag

Root Flag: <REDACTED>

Challenge solved!

##Summary

This challenge demonstrated:

1. >PCAP analysis: Credentials sent over HTTP can be recovered from packet captures.
2. >Virtual host discovery: Internal hostnames in traffic (e.g. development.smag.thm) extend the attack surface.
3. >Blind command execution: Lack of visible output does not prevent reverse shells or full compromise.
4. >Cron + world-writable files: Cron jobs that copy from writable files (e.g. into authorized_keys) enable privilege escalation.
5. >Sudo misconfiguration: Allowing apt-get (or similar) with NOPASSWD can lead to root via GTFOBins-style abuse.

##References

1. >GTFOBins - apt-get
2. >SSH authorized_keys and cron-based key injection

##Answers

###Task 1 - Smag Grotto

Follow the yellow brick road.

1. >

   What is the user flag?

   Ans. <REDACTED>

2. >

   What is the root flag?

   Ans. <REDACTED>