Practice
  • 🛤️TryHackMe Rooms
    • HackersVsHackers
    • Vulnnet - The End Game
    • Surfer
    • Corridor
    • Mustacchio
    • Wordpress: CVE-2021-29447
    • Bounty Hacker
    • Simple CTF
    • Agent Sudo
    • Lazy Admin
    • Ignite
    • Brooklynn 99
    • c4ptur3th3fl4g
    • Lian_Yu
    • Rabbit
    • Gallery
    • Overpass
    • Team
    • Easy Peasy
    • CmesS
    • Ultratech
    • Wonderland
    • Anonymous
    • GamingServer
    • Tomghost
    • ConvertMyVideo
    • DogCat
    • Blog
    • Git Happens
    • 0day
    • Road
    • Inferno
    • Opacity
    • Market Place
    • Valley CTF
    • Weasel
    • SafeZone
    • Blueprint
    • Fusion Corp
    • Quotient
    • Unbaked Pie
    • Kenobi
    • Steel Mountain
    • Alfred
    • Hack Park
    • Game Zone
    • Daily Bugle
    • Retro
    • Corp
    • Attacktive Directory
    • Vulnnet - Roasted
    • Vulnnet - Active
    • Vulnnet - Internal
    • Enterprise - Hard
    • Iron Corp - Hard
    • Ra - Hard
    • For Business Reasons
  • 📦HackTheBox
    • Linux Boxes
      • Lame
      • Shocker
      • Nibbles
      • Beep
      • Cronos
      • Nineveh
      • Sense
      • Solidstate
      • Node
      • Valentine
      • Poison
      • Sunday
      • Irked
      • FriendZone
      • Networked
      • Jarvis
      • Tabby
      • Mirai
      • Popcorn
    • Windows Boxes
      • Active
      • Forest
      • ChatterBox
      • Resolute
      • Intelligence
  • 🤖CTF's
    • CloudSEK CTFs
    • ACM Cyber - UCLA
  • ¯\_(ツ)_/¯
    • Interview Topics
  • 🪣BOF - OSCP
    • Basics
    • Spiking
    • FUZZing
    • Finding the Offset
    • Overwriting the EIP
    • Finding BAD Characters
    • Finding RIGHT Module
    • Generating Shellcode
  • 📛Active Directory
    • Basics
      • Managing AD Users
      • Managing AD Computers
      • Group Policies
      • Authentication Methods
      • Trees, Forests and Trusts
    • Enumeration Techniques
    • Initial Attack Vectors
    • Post Compromise Enumeration
    • Post Compromise Attacks
      • Token Impersonation - LM
      • Kerberoasting
      • cPassword / GPP Attack
      • URL File Attacks
      • PrintNightmare
      • Golden Ticket Attacks
      • ZeroLogon Attacks
    • Lateral Movement and Pivoting
      • File Transfers
      • Spawning Processes Remotely
      • Moving Laterally with WMI
      • Alternate Authentication Material
      • Abusing User's Behaviour
      • Port Forwarding
      • Maintaing Access
      • Pivoting
      • Cleaning Up
    • Other Resources
  • 🛡️Powershell Basics
    • Getting Started
      • Functions
  • 😁Others
    • API Security
    • Cloud Security
  • Enumeration
    • Local PrivEsc
    • Remoting
    • Persistence
    • Kerberos
Powered by GitBook
On this page
  1. TryHackMe Rooms

Mustacchio

SQLite3 - Password Cracking - XXE - Dumping SSH keys - ssh2john.py - Strings - Abusing Tail command

Initial Access

  • Thw given IP - 10.10.74.246

  • We can observe the open ports - 22, 80, 8765

  • Eumerating the HTTP ports (80, 8765), we find a login panel on port 8765 and port 80 was just a normal template

  • Running a Gobuster scan on port 80 gives us /custom/ directory, enumerating it more leaks us a user.bak database file

  • We can use the SQLite3 command line tool to interact with the backup file and after some enumeration we find a potential encrypted password for the user admin

  • Using John we cracked the password - bulldog19

  • Now when we log in to the pannel and we find a Text field that is supposed to accept the comment for the website

  • Examining the source of port 8765, we find another interesting file called dontforget.bak in the /auth/ directory and there's also a comment saying Barry you can now SSH into the machine

  • So basically the text field present there accepts XML args

Exploitation

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE data [
   <!ELEMENT data ANY >
   <!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
<comment>
  <name>&xxe;</name>
  <author>Akash</author>
  <com>ssup</com>
</comment>

  • This confirms that there is an XML Entity Attack, so now we can trick the web page to display Barry's SSH Private Keys - home/barry/.ssh/id_rsa

  • Copying those keys can give us SSH access to the machine, but no it denies

  • Setting proper permissions - chmod 600 id_rsa , but still it denies and asks for a password

  • Since the key was encrypted and will ask for a password if tried to log in directly, we used the ssh2john.py file to convert the contents of the key into to crackable hash

  • Using John to crack the hash gives us the passphrase - urieljames

Privilege Escalation

  • Diggin around the box gives us the presence of another user - joe

  • His home directory displays a SUID file called live_log, executing the file displays us a firefox's event log - which is of no use to us - the interesting part is that it's an ELF not stripped binary which has the ownership of the root user

  • We used the strings command to take a closer look at this binary file

  • We found that this binary file runs the tail command without using its absolute path - /usr/bin/tail

  • This means that we will be able to exploit it by creating our version of the tail command

cd /dev/shm
echo "/bin/bash" > tail
chmod 777 tail
export PATH=/dev/shm:$PATH
/home/joe/live_log
cd /root
cat root.txt

We moved to the /dev/shm directory

We created our version of the tail command but made it in such a way that it invokes the /bin/bash

We changed the permissions so that we are allowed to execute the file - 777

Next, we need to export the path so that when executed by the live_log, our version of the tail gets executed instead of the original tail

We executed the live_log file as Barry and got the root access

PreviousCorridorNextWordpress: CVE-2021-29447

Last updated 2 years ago

🛤️
  • Initial Access
  • Exploitation
  • Privilege Escalation