Mustacchio — TryHackMe
Summary
Another easy boot2root room. We first needed to enumerate a bit to find out what is running and then doing directory Brute forcing to find a sqlite3 db dump, which gave us the admin password.Then using that password we logged in to the admin portal where there was a XXE vulnerability which was exploited to give us the user’s SSH encrypted key which was cracked with ssh2john. Privesc involved exploiting a suid binary.
This room is available here: https://tryhackme.com/room/mustacchio
So as usual let’s start enumerating the machine with nmap:
NMAP
# Identify the list of services running on the target machine
⇒ sudo nmap -sS -Pn -T4 -p- 10.10.202.187
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
8765/tcp open ultraseek-https# Perform further information gathering on the open ports identified above
⇒ sudo nmap -O -A -Pn -T4 -p22,80,8765 10.10.202.187
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 58:1b:0c:0f:fa:cf:05:be:4c:c0:7a:f1:f1:88:61:1c (RSA)
| 256 3c:fc:e8:a3:7e:03:9a:30:2c:77:e0:0a:1c:e4:52:e6 (ECDSA)
|_ 256 9d:59:c6:c7:79:c5:54:c4:1d:aa:e4:d1:84:71:01:92 (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
| http-robots.txt: 1 disallowed entry
|_/
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Mustacchio | Home
8765/tcp open http nginx 1.10.3 (Ubuntu)
|_http-server-header: nginx/1.10.3 (Ubuntu)
|_http-title: Mustacchio | LoginSo, we have SSH port open and 2 web server ports open. Let’s use FFUF to check if any useful directory is exposed:
FFUF
# Perform directory brute forcing using ffuf
⇒ ffuf -u http://10.10.202.187/FUZZ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -c
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \…
![Dav Tryhackme Writeup [Detailed]](https://miro.medium.com/v2/resize:fit:1358/1*iIpvyAnKbUs4XFlv9mK0Rg.png)
