Mustacchio — TryHackMe

Easy boot2root Machine

0xsanz

--

https://tryhackme.com/room/mustacchio

Summary

Another easy boot2root room. We first needed to enumerate a bit to find out what is running and then doing directory Brute forcing to find a sqlite3 db dump, which gave us the admin password.Then using that password we logged in to the admin portal where there was a XXE vulnerability which was exploited to give us the user’s SSH encrypted key which was cracked with ssh2john. Privesc involved exploiting a suid binary.

This room is available here: https://tryhackme.com/room/mustacchio

So as usual let’s start enumerating the machine with nmap:

NMAP

# Identify the list of services running on the target machine
⇒ sudo nmap -sS -Pn -T4 -p- 10.10.202.187

PORT     STATE SERVICE
22/tcp open ssh
80/tcp open http
8765/tcp open ultraseek-https

# Perform further information gathering on the open ports identified above
⇒ sudo nmap -O -A -Pn -T4 -p22,80,8765 10.10.202.187

PORT     STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 58:1b:0c:0f:fa:cf:05:be:4c:c0:7a:f1:f1:88:61:1c (RSA)
| 256…

--

--

0xsanz

Software Developer having keen interest in Security, Privacy and Pen-testing. Certs:- Security+,PenTest+,AZ900,AZ204,AZ500