Mustacchio — TryHackMe
Summary
Another easy boot2root room. We first needed to enumerate a bit to find out what was running, then did directory brute forcing to find a sqlite3 db dump, which gave us the admin password. Then, using that password, we logged in to the admin portal, where there was an XXE vulnerability that was exploited to give us the user’s encrypted SSH key, which was cracked with ssh2john. Privesc involved exploiting a SUID binary.
This room is available here: https://tryhackme.com/room/mustacchio
So as usual let’s start enumerating the machine with nmap:
NMAP
# Identify the list of services running on the target machine
⇒ sudo nmap -sS -Pn -T4 -p- 10.10.202.187
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
8765/tcp open ultraseek-https
# Perform further information gathering on the open ports identified above
⇒ sudo nmap -O -A -Pn -T4 -p22,80,8765 10.10.202.187
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 58:1b:0c:0f:fa:cf:05:be:4c:c0:7a:f1:f1:88:61:1c (RSA)
| 256…