TryHackMe - Mustacchio
Here is Strupo_'s write-up for an "Easy boot2root Machine" called Mustacchio , by zyeinn , on TryHackMe.com . The challenge was solved by conducting some basic enumeration, exploiting an XXE injection vulnerability, cracking a password, and leveraging an SUID binary to root the system. Enumeration To begin, nmap was used to determine open ports: $ nmap -p- --open -sV -v -Pn -oA nmap-mustacchio 10.10.81.167 <snip> PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0) 80/tcp open http Apache httpd 2.4.18 ((Ubuntu)) 8765/tcp open http nginx 1.10.3 (Ubuntu) <snip> Manually browsing to the web servers revealed a mustache based blog on 80/tcp and an admin login prompt hosted on 8765/tcp as seen below: Admin Panel Login Next, ffuf was used to enumerate content on the web server: $ ffuf -u http://10.10.81.167/FUZZ -w /usr/share/wordlists/dirb/big.txt <snip> .htaccess [Statu